SQL2008R2 BPA Whitepaper v10
-
Upload
belzaleel-madrigal-jasso -
Category
Documents
-
view
49 -
download
0
Transcript of SQL2008R2 BPA Whitepaper v10
Page 1
SQL Server 2008 (R2) Best Practice Analyzer
SQL Server Technical Article
Writers Sylvio Hellmann Guumlnter Gross Dana Burnell
Technical Reviewers Oliver Hahn
Published September 2010
Applies to SQL Server 2008 (R2) SQL Server 2008 (R2) Analysis Services SQL Server 2008 (R2)
Reporting Services and SQL Server 2008 (R2) Integration Services
Summary
The Microsoft SQL Server Best Practices Analyzer is a well know tool in the DBA community to
validate if SQL Server installations are adhering with Microsoft recommended best practices
In the new R2 version the SQL BPA introduces advanced capabilities in conjunction with the
PowerShell architecture and also raises the bar for prerequisites and cross dependencies
While introducing the new tool to our premier customers in the Banking Insurance and Productivity
field we received strong positive feedback along with some interesting questions that we will discuss
further in this paper
Understanding PowerShell Policy based Management and SQL BPA will empower you to unleash the
full potential of the SQL Server 2008 R2 Best Practices Analyzer (BPA)
Page 2
Table of Contents
1 Introduction 5
11 Architecture and data flow of the BPA 6
12 Microsoft Best Practice Analyzer Universe 7
121 SQL Server BPA (older versions) 7
122 Windows Server 2008 R2 Best Practice Analyzer 7
123 Fix-it 8
124 Microsoft Automated Troubleshooting Service in Windows Server 2008 R2 and Windows 7 8
2 System Requirements 10
21 Required Permissions for Running SQL Server 2008 R2 BPA 10
22 Prerequisites 11
3 Install 12
31 Installing PowerShell 20 and WinRM 12
32 Install MBCA 13
33 Install BPA 14
331 Command line 14
332 GUI 15
333 Port and Firewall restrictions 16
34 Updates 16
35 Uninstall 16
351 BPA 16
352 MBCA 16
353 Reset Powershell settings 16
4 Usage 17
41 Help file 17
42 GUI 17
43 Connect to a remote computer 20
44 Powershell 22
441 Run Scan 22
442 Create Report 23
443 Exporting and opening reports by using Get-MBCAResult 24
444 Report Result Directory 24
5 Troubleshooting 26
51 Application directories 26
Page 3
52 Windows Server 2003 ndash NumberOfLogicalProcessors 26
53 MBCA 27
54 Where can I find the Instance name in result set of the analyzer report 27
55 Memory limit of remote PowerShell process 27
56 Remote connect 27
57 Installation 30
571 Powershell error 30
572 Workgroup or Non-Domain computer 31
573 Kerberos Failure 31
6 Rules 33
61 Engine 35
62 ASRules 37
63 RSRules 38
64 ISRules 38
65 SetupRules 39
66 Replication 39
7 How to Deal With Deviations 40
8 Motivation to use SQL BPA R2 41
9 Additional Information 42
91 Powershell 42
911 Get-MBCAModel 42
912 Invoke-MBCAModel 44
913 Get-MBCAResult 49
914 Set-MBCAResult 54
915 MBCA Model Authoring 56
Page 4
Copyright Information
The information contained in this document represents the current view of Microsoft Corporation on the
issues discussed as of the date of publication Because Microsoft must respond to changing market
conditions it should not be interpreted to be a commitment on the part of Microsoft and Microsoft
cannot guarantee the accuracy of any information presented after the date of publication
This white paper is for informational purposes only MICROSOFT MAKES NO WARRANTIES
EXPRESS IMPLIED OR STATUTORY AS TO THE INFORMATION IN THIS DOCUMENT
Information in this document including URL and other Internet Web site references is subject to
change without notice Unless otherwise noted the companies organizations products domain
names e-mail addresses logos people places and events depicted in examples herein are fictitious
No association with any real company organization product domain name e-mail address logo
person place or event is intended or should be inferred Complying with all applicable copyright laws
is the responsibility of the user Without limiting the rights under copyright no part of this document
may be reproduced stored in or introduced into a retrieval system or transmitted in any form or by any
means (electronic mechanical photocopying recording or otherwise) or for any purpose without the
express written permission of Microsoft Corporation
Microsoft may have patents patent applications trademarks copyrights or other intellectual property
rights covering subject matter in this document Except as expressly provided in any written license
agreement from Microsoft the furnishing of this document does not give you any license to these
patents trademarks copyrights or other intellectual property
copy 2010 Microsoft Corporation All rights reserved
Microsoft and SQL Server are trademarks of the Microsoft group of companies
All other trademarks are property of their respective owners
Page 5
1 INTRODUCTION
The Microsoft SQL Server 2008 R2 Best Practices Analyzer (BPA) is a diagnostic tool that performs
the following functions
Gathers information about a server and an instance of Microsoft SQL Server 2008 or 2008 R2
that is installed on that server
Determines if the configurations are set according to the Microsoft recommended best
practices
Reports on all configurations indicating settings that differ from recommendations
Indicates potential problems in the installed instance of SQL Server
Recommends solutions to potential problems
This tool is used by IT Professionals and Database Administrators to help ensure that their installations
of SQL Server and associated products components are adhering to best practices as determined by
the SQL Server Product Teams and CSS This utility scans the installation of a local or remote
machine gathering system data from WMI log files the Event Log the Windows Registry and SQL
Server metadata and compares the results to predefined standards It then produces a report that
shows the results and points the user to additional information on the web to help them determine
whether they should make changes to their systems
For every configuration the SQL Server 2008 R2 BPA provides the following results
Compliance results are returned when an instance of SQL Server satisfies the conditions of a
Best Practices rule Non-compliance results are returned when an instance of SQL Server
does not satisfy the conditions of a Best Practices rule
Impact of non-compliance
Recommendation
Links to more detailed information and related topics
To assist you and to make your DBA life easier Microsoft includes some of these Best Practices in a
couple of products ndash depending on specific purpose of the Software The following diagram illustrates
the variety of tools available to check best practices for SQL Server 2008 and SQL Server 2008 R2 in
parallel or in combination with BPA
Page 6
The big picture ndash automated Best Practices of SQL Server checks offered in different flavours and
products
So you will find a couple of policies in our monitoring solution
SQL Server 2008 R2 Best Practice Analyzer
within more than 140 rules for database engine and other technologies
System Center Operations Manager (SCOM)
within the SQL Management pack (current version 6131436 release date 08172010)
with more than 300 rules and 50 additional monitors
Policy Based Management in SQL Server 2005 and 2008
with predefined policy collection (50+ policies)
There is a whitepaper about PBM here
System Configuration Checker in the SQL Server 2008 setup wizard
The SQL Risk Assessment Toolset (Premier Organisation best practice flagship) offering more
than 200 rules This offering is meant for Premier customers running the SQL RAP against
their most business critical SQL instances
Note This tool set is only available for Microsoft Premier Customers
11 Architecture and data flow of the BPA
The SQL Server 2008 R2 Best Practices Analyzer is an additional ldquomodelrdquo for the Microsoft Baseline
Configuration Analyzer V20 (MBCA) A model is a set of component files that together comprise the
configuration analysis and reporting output from MBCA
The MBCA is imbedded as a PowerShell cmdlet and consists of two major components the MBCA
Engine and the MBCA UI
The MBCA Engine process itself consists of 2 main activities evaluation and discovery The MBCA
Engine is fed by PowerShell discovery Scripts and XML Schema Files which are used during
CSS Rules Advice
and Manifests
SQL Server 2008 R2 Best
Practice Analyzer
SQL 2008 Setup
Policy Based Management
SCOM SQL MP
SQLRAP
Page 7
discovery The discovery activity interrogates the SQL Server Registry WMI Error- and Event-Logs
etc The output is saved in an XML File which is then used in the evaluation activity Evaluation is
performed using the Schematron file This file run by the MBCA engine contains the logic for
evaluating the best practices The final step following the evaluation process is the report generation ndash
which is shown in the MBCA UI
In the flow chart below you will find the anatomy of the SQL Server 2008 R2 Best Practices Analyzer
12 Microsoft Best Practice Analyzer Universe
Microsoft offers many technologies and utilities to produce best practices recommendations
121 SQL Server BPA (older versions)
Microsoft has also created BP Analyzers for your older SQL Server versions and for Windows
SQL Server 2005 Best Practices Analyzer (August 2008)
SQL Server 2000 Best Practices Analyzer (April 2010)
122 Windows Server 2008 R2 Best Practice Analyzer
In Windows management best practices are guidelines that are considered the ideal way under
typical circumstances to configure a server as defined by experts For example it is considered a best
practice for most server technologies to keep open only those ports required for the technologies to
communicate with other networked computers and block unused ports Although best practice
Page 8
violations even crucial ones are not necessarily problematic they indicate server configurations that
can result in poor performance poor reliability unexpected conflicts increased security risks or other
potential problems
Best Practices Analyzer (BPA) is a server management tool that is available in
Windows Serverreg 2008 R2 BPA can help administrators reduce best practice violations by scanning
one or more roles that are installed on Windows Server 2008 R2 and reporting best practice violations
to the administrator Administrators can filter or exclude results from BPA reports that they do not have
to see Administrators can also perform BPA tasks by using either the Server Manager GUI or
Windows PowerShell cmdlets
BPA can also be used on remote servers that are running Windows Server 2008 R2 by using Server
Manager targeted at a remote server For more information about how to run Server Manager targeted
at a remote server see Remote Management with Server Manager
The following BPA modules are currently available
Best Practices Analyzer for Active Directory Certificate Services
Best Practices Analyzer for Active Directory Domain Services
Best Practices Analyzer for Active Directory Rights Management Services
Best Practices Analyzer for Application Server
Best Practices Analyzer for Domain Name System
Best Practices Analyzer for Dynamic Host Configuration Protocol
Best Practices Analyzer for File Services
Best Practices Analyzer for Hyper-V
Best Practices Analyzer for Internet Information Services
Best Practices Analyzer for Network Policy and Access Services
Best Practices Analyzer for Remote Desktop Services
Best Practices Analyzer for Windows Server Update Services
More Information about Windows BPA look here
123 Fix-it
Currently there exists no link between the SQL Server Best Practice Analyzer and the Fixit webpage
httpsupportmicrosoftcomfixit
Microsoft is working on a solution to combine fixit with specific Best Practice Analyzer
httpfixitcentersupportmicrosoftcomPortal
124 Microsoft Automated Troubleshooting Service in Windows Server
2008 R2 and Windows 7
Troubleshooting in Windows Server 2008 R2 and Windows 7 provides several troubleshooting
programs that can automatically fix some common problems with your computer such as problems
with networking hardware and devices using the web and program compatibility
Go to the Windows website to watch a video about using troubleshooters to fix common problems
(330)
When you run a troubleshooter it might ask you some questions or reset common settings as it works
to fix the problem If the troubleshooter fixed the problem you can close the troubleshooter If it couldnt
fix the problem you can view several options that will take you online to try and find an answer In
either case you can always view a complete list of changes made
Page 9
Notes
If you click the Advanced link on a troubleshooter and then clear the Apply repairs
automatically check box the troubleshooter displays a list of fixes to choose from if any
problems are found
Windows includes several troubleshooters and more are available online when you select the
Get the most up-to-date troubleshooters from the Windows Online Troubleshooting service
check box at the bottom of Troubleshooting
httpsupportmicrosoftcomgpsystem_maintenance_for_windows
Page 10
2 SYSTEM REQUIREMENTS
SQL Server 2008 R2 Best Practices Advisor is supported on the following Operating Systems
1 Windows Vista
2 Windows 7
3 Windows Server 2003
4 Windows Server 2003 R2
5 Windows Server 2008
6 Windows Server 2008 R2
Supported editions of SQL Server
1 SQL Server 2008 all editions except Express
2 SQL Server 2008 R2 all editions except Express
Supported Components of SQL Server
1 Analysis Services
2 Database Engine
3 Integration Services
4 Reporting Services
5 Replication
6 Setup
These components are designed as Submodels for the BPA This means that they will be run
concurrently where possible
21 Required Permissions for Running SQL Server 2008 R2 BPA
Administration Privileges
To run MBCA v20 a user must be a member of the administrators group on the machine being
scanned and on the machine the scan is initiated from If a user is not an administrator on the machine
that is being scanned an appropriate error message displays
SQL Server
To successfully access all of the database properties and SQL Server Configurations a user must be
the Systems Administrator (sysadmin) on the instance of SQL Server
Analysis Services
The user or the administrators group must be member of the server administrator role within an
instance of Microsoft SQL Server Analysis Services have unrestricted access to all Analysis Services
objects and data in that instance
httpmsdnmicrosoftcomen-uslibraryms174561aspx
Integration Services
The user or the administrators group must be members of the sysadmin or db_ssisadmin roles
httpmsdnmicrosoftcomen-uslibraryms141053aspx
Reporting Services
Page 11
The user or the administrators group must be member of the System Administrator and Content
Manager role
22 Prerequisites
The following are required for using SQL Server 2008 R2 Best Practices Analyzer
1 PowerShell V20
Windows PowerShell 20 requires the Microsoft NET Framework 20 with Service Pack 1
2 Microsoft Baseline Configuration Analyzer V20
3 SQL Server Management Tools for SQL Server 2008 or SQL Server 2008 R2
The following table outlines the prerequisite Microsoft utilities components by Operating System
necessary to have on your server prior to installing and running SQL Server 2008 R2 BPA
OS 1Install
WinRM
2Install
PowerShell 20
3Install
MBCA 20
Configure PowerShell1 7 Install SQL2008
or SQL 2008 R2
Management Tools 4Remoting 5Execution
Level
6 MaxShells
PerUser
Win Vista Y Y Y Y Y Y Y
Windows 7 N N Y Y Y Y Y
Windows
Server 2003
Y Y Y Y Y Y Y
Windows
Server 2003
R2
Y Y Y Y Y Y Y
Windows
Server 2008
Y Y Y Y Y Y Y
Windows
Server 2008
R2
N N Y Y Y Y Y
1 These changes will be done from the installation routine of the BPA
Page 12
3 INSTALL
We recommend installing BPA on a workstation or administration server and performing the scan
operation remotely against servers in your SQL Server infrastructure It is also possible to install this
tool on the production SQL Server locally
Installation process
1 InstallConfigure PowerShell and WinRM
2 Microsoft Baseline Configuration Analyzer V20
3 Microsoftreg SQL Serverreg 2008 R2 Best Practices Analyzer
It exists two ways to install the Best Practices Analyzer
With a graphical user interface (setup wizard) or
Command line
31 Installing PowerShell 20 and WinRM
BPA install configures WinRM and PowerShell options by default Most of this section is only needed if
something goes wrong and you need to configure this stuff by hand
Windows Server 2003 R2
WinRM is not installed by default but it is available as the Hardware Management feature through the
AddRemove System Components feature in the Control Panel under Management and Monitoring
Tools Complete installation and information about configuring WinRM using the WINRM command-line
tool is available online in the Hardware Management Introduction which describes the WinRM and the
IPMI features in Windows Server 2003 R2
On Windows Vista Windows Server 2003 and Windows Server 2008
This is installed as part of Windows Management Framework Core The WinRM service starts
automatically on Windows Server 2008 On Windows Vista the service must be started manually
On Windows Server 2008 R2 and Windows 7
This is installed as part of the OS
Note Check for additional information and configuration guidelines for WinRM and for PowerShell
20
SQL Server 2008 R2 BPA is able to scan both the local computer and remote computers Therefore in
both the local and remote cases it required that your PowerShell settings be modified These are done
by the BPA installation
PowerShell Execution Policy
The PowerShell Execution Policy is set to Restricted by default To run SQL Server 2008 R2 BPA
through the PowerShell command Line set the policy to RemoteSigned using the below command
Set-ExecutionPolicy RemoteSigned -f
You can use the command Set-ExecutionPolicy Restricted ndashf to set the execution policy back to
restricted This command is not required when executing the scan through the MBCA GUI
After the installation you must enable the PowerShell remote scripting if you are want to use the BPA
remote to another workgroup machine or a computer that have Kerberos enabled You need to run this
command only once on each computer that will receive commands You do not need to run it on
Page 13
computers that only send commands Because the configuration activates listeners it is prudent to run
it only where it is needed You can do this with the following command line
powershellexe -NoLogo -NoProfile -Noninteractive -Command Enable-
PSRemoting -force
Enable-PSRemoting performs configuration actions to enable this machine for remote management
Includes
1 Runs the Set-WSManQuickConfig cmdlet which performs the following tasks
Starts the WinRM service
Sets the startup type on the WinRM service to Automatic
Creates a listener to accept requests on any IP address
Enables a firewall exception for WS-Management communications
Enables all registered Windows PowerShell session configurations to receive instructions
from a remote computer
Registers the MicrosoftPowerShell session configuration if it is not already registered
Registers the MicrosoftPowerShell32 session configuration on 64-bit computers if it is
not already registered
Removes the Deny Everyone setting from the security descriptor for all the registered
session configurations
Restarts the WinRM service to make the preceding changes effective
2 Configures MaxShellsPerUser using winrm set winrmconfigwinrs
``MaxShellsPerUser=`10``
Specifies the maximum number of concurrent shells that any user can remotely open on
the same computer If this policy setting is enabled the user will not be able to open new
remote shells if the count exceeds the specified limit If this policy setting is disabled or is
not configured the limit will be set to 5 remote shells per user by default and you receive
the following error message
[localhost] Connecting to remote server failed with the following
error message The WS-Management service cannot process the
request This user is allowed a maximum number of 5 concurrent
shells which has been exceeded Close existing shells or raise the
quota for this user For more information see the
about_Remote_Troubleshooting Help topic
+ CategoryInfo OpenError
(SystemManagemehellipRemoteRunspa
ceRemoteRunspace) [] PSRemotingTransportException
+ FullyQualifiedErrorId PSSessionOpenFailed
For more information about PowerShell remoting please see MSDN
32 Install MBCA
Download the edition of MBCA depending on your platform (x86 or x64) before installation
Page 14
Please find below the screenshots demonstrating the visual flow of the MBCA Installation
Welcome screen
License terms
Folder selection
Completion screen
33 Install BPA
Download the correct edition depending on your platform (x86 or x64) before installing If you have
trouble with the installation please section 57 Troubleshooting Installation
331 Command line
Following is an optimized command line setup example
msiexec i SQL2008R2BPA_Setup64msi l log ctempsqlbpa_installlog qn
msiexec parameters
i = package name (SQL2008R2BPA_Setup32msi or SQL2008R2BPA_Setup64msi
depending on your platform)
l = log granularity ldquordquo - Log all information except for v and x options
log = log file
q = display settings (qn ndash no user interface)
SKIPCA=1 (if no domain controller is available Skip Certification Authority)
For information on additional public properties Consult the Windowsreg Installer SDK for documentation
on the command line syntax
Page 15
332 GUI
Please find below the screenshots demonstrating the visual flow of the SQL Server 2008 R2 BPA
Installation
Welcome screen
License terms
System Configuration Changes (see 31 Installing PowerShell 20 and WinRM)
Ready to install decision
Install progress
Completion screen
Page 16
333 Port and Firewall restrictions
For scanning SQL Server or BI instances on an alternate server behind a firewall you must open all
necessary ports
34 Updates
Microsoft is working on quarterly updates of the rule set and tool improvements of the SQL Server
2008 R2 Best Practice Analyzer Please visit the Download site from Microsoft regularly to find new
updates
35 Uninstall
351 BPA
352 MBCA
353 Reset PowerShell settings
After the uninstall of the BPA you may disable the PowerShell remote scripting You can do this with
the following command line
powershellexe -NoLogo -NoProfile -Noninteractive -Command Disable-
PSRemoting -force
Disable-PSRemoting performs configuration actions to enable this machine for remote management
Page 17
4 USAGE
There are two ways to scan a server using MBCA and SQL 2008 R2 BPA They are
Scanning through the local machine
o In this case you are using MBCA and SQL 2008 R2 BPA running on the local machine to
perform the scan
o This scan can be of the local or an alternate server
Scanning through a remote machine
o In this case MBCA is used to connect to a remote server that has MBCA and SQL 2008
R2 BPA installed on it
o This scan is using the local machine to form the connection to the remote machine and is
actually performing the scan through the remote machine
41 Help file
The help file for the SQL Server 2008 R2 Best Practice Analyzer contains very useful information This
help file is available after the installation of BPA and is located at Start-gtAll programs-gtSQL Server
2008 R2 BPA
42 GUI
1 Ensure that MBCA v2 and SQL 2008 R2 BPA are installed on the machine
2 Run the MBCA application from the start menu with elevated user rights
Page 18
3 On the MBCA home page ensure the SQL Server 2008 R2 BPArdquo product is selected
4 Click Start Scan which displays a page to specify parameters as shown below
5 Fill in Alternate_Server_to_Scan with the remote machine you want to scan
ComputerName
IP address nnnn
FQDN (Fully Qualified Domain Name)
Enter ldquordquo localhost or leave this blank if you want to scan the local machine
Page 19
Enter the instance name you want to scan To scan the default instance enter MSSQLSERVER
or leave this as blank Toggle the checkboxes to enabledisable scans for those rule categories
Each of the following six check boxes correspond to the SQL Server categories listed previously
Select at least one category in order to run a successful scan
Analyze_SQL_Analysis_Services
Analyze_SQL_Server_Engine
Analyze_SQL_Integration_Services
Analyze_SQL_Server_Replication
Analyze_SQL_Reporting_Services
Analyze_SQL_Server_Setup
Note Only one SQL Server instance can be scanned at a time through the MBCA GUI
6 Click Start Scan MBCA will start the configured scan and display the below page while in
progress
7 When the scan is complete results will be displayed grouped by Severity as shown below
Page 20
43 Connect to a remote computer
A scan connected to a remote computer is different than scanning an alternate server
ldquoConnect to a Remote Computerrdquo is functionality provided by Microsoft Baseline Configuration Analyzer
and is used to remotely run MBCA against a server from the console of the client The client needs to
have MBCA installed but does not need BPA as it is literally running the copy of MBCA installed on the
server using the BPA installed on the server In this case the copy of MBCA installed on the client is
used only to remotely connect to the copy of MBCA installed on the server
To use this functionality you first start MBCA on the client computer and select ldquoConnect to Another
Computerrdquo
1 In the ldquoConnect to Another Computerrdquo text box you can specify a NetBIOS name a fully qualified
domain name (FQDN) or an IPv4 or IPv6 address If no port number is specified the default port
number is used The following are examples of formats that you can specify in the Connect to
Another Computer text box
ComputerName
Page 21
ComputerNamePortNumber
IP address nnnn
IPv6 address [nnnnnnnn]
IPv4 address with port number nnnnPortNumber
IPv6 address with port number [nnnnnnnn]PortNumber
Note If an administrator has changed the computerrsquos default port number any port other than the
default port must be opened in Windows Firewall to allow incoming connections on that port Port
5985 is opened by default when WinRM is configured All other ports remain blocked until opened
For more information about how to unblock a port in Windows Firewall see the Help for Windows
Firewall For more information about how to configure WinRM in a Command Prompt session type
winrm help and then press Enter
2 Additionally you must supply credentials
3 CredSSP
Windows Remote Management (WinRM) supports the delegation of user credentials across
multiple remote computers The multi-hop support functionality can now use Credential Security
Service Provider (CredSSP) for authentication CredSSP enables an application to delegate the
userrsquos credentials from the client computer to the target server
CredSSP authentication is intended for environments where Kerberos delegation cannot be used
Support for CredSSP was added to allow a user to connect to a remote server and have the ability
to access a second-hop machine such as a file share
Note WinRM clients and servers will support CredSSP authentication only with explicit credentials
Windows XP Windows Server 2003 and earlier CredSSP is not supported
First you must set CredSSP on both the client and the server
Using the Group Policy Editor (gpeditmsc) make sure to enable ldquoAllow Delegating Fresh
Credentialsrdquo and check ldquoConcatenate OS defaults with input aboverdquo
Add the server or domain to the list of servers in the format ldquoWSMANdomainnamecomrdquo
Next enable and configure PowerShell Remoting on both the Client and Server by running the
following commands in a PowerShell command window opened with elevated permissions Note
Page 22
You can configure a single machine as both a client and a server simultaneously so that you can
scan from either computer
Enable PowerShell Remoting
o Enable-psremoting ndashf
Settings for a client
o Enable-WSManCredSSP ndashrole Client ndashDelegateComputer [NetBiosNameOfServer]
or
o Enable-WSManCredSSP ndashrole Client ndashDelegateComputer [FQDN OF SERVER]
Settings for the server
o Enable-WSManCredSSP ndashrole Server
o set-item WSManlocalhostShellMaxMemoryPerShellMB ndashValue 20000
o set-item WSManlocalhostShellMaxShellsPerUser ndashvalue 20
44 PowerShell
Details see 91 PowerShell
To use the functionality of the Microsoft Baseline Configuration Analyzer you must import this module
first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
441 Run Scan
To run a full scan of the BPA on the alternate server on a named instance you can use the following
command line
Invoke-MBCAModel -ModelId SQL2008R2BPA -Alternate_Server_to_scan
servername -SQL_Server_Instance_Name instancename -
Analyze_SQL_Server_Engine -Analyze_SQL_Server_Replication -
Page 23
Analyze_SQL_Server_Setup -Analyze_SQL_Analysis_Services -
Analyze_SQL_Integration_Services -Analyze_SQL_Reporting_Services
The result looks like this part
ModelId SQL2008R2BPA
SubModelId
Success True
ScanTime
Success = True is important This is the indicator that your scan was successful
Parameter description
-Alternate_Server_to_scan servername
-SQL_Server_Instance_Name instancename
-Analyze_SQL_Server_Engine
-Analyze_SQL_Server_Replication
-Analyze_SQL_Server_Setup
-Analyze_SQL_Analysis_Services
-Analyze_SQL_Integration_Services
-Analyze_SQL_Reporting_Services
The parameter list is equal the parameter screen in the GUI
The scans of the different services are optional You can remove technologies which you do not need
to scan
The next example starts the scan only for the Analysis Services on the alternate server ldquoservernamerdquo
and for the named instance ldquoinstancerdquo A log file will be written to ldquoctempssastxtrdquo
Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId AnalysisServices -
ComputerName servername -SqlServerInstance instance -SSASLogFile
ctempssastxt
Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId Engine -ComputerName
computername -SqlServerInstance servername -CurrentLoginName
($EnvUSERDOMAIN + + $EnvUSERNAME)ToString() -EngineLogFile
ctempenginetxt ndashRepositoryPath (CTEMPSQL2008 + (Get-
Date)ToString(yyyyMMdd))ToString()
442 Create Report
model = get-MbcaModel ndashModelId sql2008r2bpa
$scanResult = get-MbcaResult ndashModelId sql2008r2bpa
$collectedConfig = get-MbcaResult ndashModelId sql2008r2bpa ndash
CollectedConfiguration
$model $scanResult $collectedConfig | export-CliXml ctempasxml
Get-MBCAResult -ModelId SQL2008R2BPA -SubModelId AnalysisServices |
ConvertTo-Html | Add-Content -Path ctesthtml
The next command retrieves the results of the most recent BPA scan for the specified model and
saves them in HTML format applying the standard cascading style sheets that are stored in the path
windirsystem32WindowsPowerShellv10ModulesBestPracticesBestPracticesReportFormatc
Page 24
ss If you want to substitute cascading style sheets provide the path to the different cascading style
sheets
Get-MBCAResult -ModelId SQL2008R2BPA | $_Severity -eq Warning -or
$_Severity -eq Error | ConvertTo-Html -As Table -property ResultNumber
SubModelID ComputerName Severity Category Title Problem Impact
Resolution Help -Head lth1gtSQL Server 2008 (R2) Best Practice Analyzer
Reportlth1gtrdquo -Title SQL Server 2008 Best Practice Analyzer -body
(ltpgtReport creation date + (Get-Date)ToString(ddMMyyyy hhmmss) +
ltpgt)toString() -pre ltPgtGenerated by user $envusername on computer
$envcomputernameltPgt -post For details contact Microsoft Premier-
CssUri $env BestPracticesReportFormatcss gt ctempsql2008r2bpahtm
443 Exporting and opening reports by using Get-MBCAResult
You can use the Get-MBCAResult cmdlet to export scan results and configuration data to an XML
report that you can open for viewing in the future either by using Get-MBCAResult or by using the
MBCA GUI Exporting reports allows you to compare older scans with more recent scans to measure
the progress of your best practice compliance
Example of exporting to XML
$results = Get-MBCAResult ltModel Idgt
$collectedconfig = Get-MBCAResult ltModel Idgt -CollectedConfiguration
$results $collectedconfig | Export-CliXml cexportxml
Example of opening archived XML report file
$loadedResults $loadedConfiguration = Import-CliXml cexportxml
444 Report Result Directory
The reporting result path
AppDataMicrosoftBaselineConfigurationAnalyzer
2ReportsSQL2008R2BPAResults
Will be overwritten during each run of the tool or invoke command
Solution save older results before you start the check
copy-item -path ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2Reports)ToString() -
destination ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2Reports_ + (Get-
Date)ToString(yyyyMMddhhmmss))ToString() ndashrecurse
Afterwards you can create a report with the following command
$prevrepPath = (Get-ChildItem ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2)ToString() -exclude
Reports | Sort-Object name -descending)[0]
Get-MBCAResult -ModelId SQL2008R2BPA ndashRepositoryPath ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2rdquo +
$prevrepPathname)ToString() | ConvertTo-Html -As Table -property
ResultNumberSubModelID ComputerName Severity Category Title Problem
Impact Resolution Help -Head lth1gtSQL Server 2008 (R2) Best Practice
Analyzer Reportlth1gtrdquo -Title SQL Server 2008 Best Practice Analyzer -body
(ltpgtReport creation date + (Get-Date)ToString(ddMMyyyy hhmmss) +
ltpgt)toString() -pre ltPgtGenerated by user $envusername on computer
Page 25
$envcomputernameltPgt -post For details contact Microsoft Premier gt
ctempsql2008r2bpahtm
Page 26
5 TROUBLESHOOTING
51 Application directories
To following directories are used by MBCA
Report output directory localappdataMicrosoftMicrosoftBaselineConfigurationAnalyzer 2ReportsSQL2008R2BPAResults
Model configuration path ProgramdataMicrosoftMicrosoft Baseline Configuration Analyzer 2ModelsSQL2008R2BPA
Temp and log files directory tempSQL2008R2BPASQL2008ltdategt_lttimegt
Registry [HKEY_LOCAL_MACHINESOFTWAREMicrosoftBaselineConfigurationAnalyzer]
Log Files
During Data Discovery SQL Server 2008 R2 BPA creates log files for troubleshooting The log file
contains the following information
Pre-requisite validation
Timestamp finished rules start and end times
Run-time scripting errors and exceptions from Power Shell Traps
Log Files Location
For every scan log files are created in userrsquos Local Temp directory (Temp) and follows the folder
structure SQL2008R2BPAlt Instance Name gtlt datestamp_timestamp gtlt Log files gt
Note In case of a remote scan the category log files are generated on the remote system at the same
path whereas the common log file is generated in the local system
Log Files Structure
A common log file gets generated and contains information about each categorys execution Apart
from this each category has its own log file which details the rule execution The names of the log files
are given below
Common File - ModelLogtxt
Engine Rules - EngineLogtxt
Replication Rules - ReplicationLogtxt
Setup Rules - SetupLogtxt
Analysis Services Rules - AnalysisServicesLogtxt
Reporting Services Rules - ReportingServicesLogtxt
Integration Services Rules - IntegrationServicesLogtxt
52 Windows Server 2003 ndash NumberOfLogicalProcessors
Analysis Services RID2803 and RID2804 ndash NumberOfLogicalProcessors property is unavailable in
Win32_Processor for with Windows Server 2003
Solution The NumberOfLogicalProcessors property does not exist in the WIN32_PROCESSOR object
in Windows Server 2003 It has been implemented in the hotfix
httpsupportmicrosoftcomkb932370
Both of the rules below will function properly if you apply this hotfix For more information look here
Page 27
53 MBCA
This message indicates that on prerequisite is not installed
Please install the version 2 of the MBCA
54 Where can I find the Instance name in result set of the analyzer
report
The instance name is in the collected data option of the analyzer report in the BPA GUI
55 Memory limit of remote PowerShell process
By default remote PowerShell process can consume only 150 MB or less memory This default limit is
significantly small and once this limit is reached there could be a WinRM exception causing and remote
connection immediately terminates Any application or Cmdlet which is involved in PowerShell
remoting should be tested for this memory limit this may cause some of the command to fail for
example site collection creation
Solution Increase the memory limit for the remote shell Use the following command to increase this
limitation to 1000MB This is only necessary if you need to run those commands on that server
Set-Item WSManlocalhostShellMaxMemoryPerShellMB 1000
56 Remote connect
If you try to ldquoConnect to another computerrdquo from MBCA and you receive the following message
Page 28
You should check first if the Hotfix KB968930 is installed
Afterwards validate that the ldquoWindows Remote Managementrdquo service is started
Enable-PSRemoting
If CredSSP is unsupported or unavailable you will see the following message
Page 29
If you have no permission to access the remote server you get the error message
Page 30
57 Installation
571 PowerShell error
After getting through the Pre-Reqs for BPA (PowerShell 20 MBCA NET Framework) you may hit
one of two scenarios when installing BPA
In all of the cases of an install failure you will see the following error
There is a problem with this Windows Installer package A program run as part of the setup did not
finish as expected Contact your support personnel or package vendor
In your Application Event Log for both of these scenarios you will also see the following entry
Log Name Application
Source MsiInstaller
Date 6102010 83818 AM
Event ID 11722
Task Category None
Level Error
Keywords Classic
User ltUsernamegt
Computer ltMachine namegt
Description
Product Microsoft SQL Server 2008 R2 BPA -- Error 1722 There is a problem
with this Windows Installer package A program run as part of the setup did
not finish as expected Contact your support personnel or package
vendor Action EnablePSRemoting location powershellexe command -NoLogo
-NoProfile -Command Enable-PSRemoting ndashforce
Page 31
This is an indicator that PowerShell is not configured You must run the following command
powershellexe -NoLogo -NoProfile -Command Enable-PSRemoting ndashforce
572 Workgroup or Non-Domain computer
In this scenario the Enable-PSRemoting command should execute fine from a PowerShell prompt
The actual error coming back from the PowerShell command within the Installer is ldquoAccess Deniedrdquo
To work around this issue you can do the following
1 Open a command prompt with Administrative Privileges
2 Change to the directory where the msi file resides
3 Type msiexec i ltMSI Namegt SKIPCA=1
4 MSI Name will either be SQL2008R2BPA_Setup32msi or SQL2008R2BPA_Setup64msi
depending on your platform
5 Once BPA is installed open a PowerShell prompt with Administrative Privileges
6 Execute the following commands
a Enable-PSRemoting
b winrm set winrmconfigwinrs ``MaxShellsPerUser=`10``
This should allow BPA to be successfully installed in the workgroup scenario
573 Kerberos Failure
This scenario is that you are failing with the above due to a Kerberos issue This particular issue could
actually show up after you have installed BPA depending on how you have configured your
environment
The issue stems from the fact that the Windows Remoting Windows Service uses the Network Service
account Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos As a
result it will be using the HOST Service Principal Name (SPN) that is on the Machine Account as it is
running under that context You may have an HTTP SPN that resides on a different account with that
host name For example if you are running an IIS Web Application such as SharePoint or if you are
using Reporting Services and the service account is set to a Domain User account instead of Network
Service or Local System If your URL of your application matches the machine name then your HTTP
SPN will be the same Thatrsquos where this problem comes in WinRM will stop working at that point and
give you a message similar to the following
Set-WSManQuickConfig WinRM cannot process the request The following error
occured while using Negotiate authentication An unknown security error
occurred
Possible causes are
-The user name or password specified are invalid
-Kerberos is used when no authentication method and no user name are
specified
-Kerberos accepts domain user names but not local user names
-The Service Principal Name (SPN) for the remote computer name and port
does not exist
-The client and remote computers are in different domains and there is no
trust between the two domains
After checking for the above issues try the following
-Check the Event Viewer for events related to authentication
-Change the authentication method add the destination computer to the
WinRM TrustedHosts configuration setting or use HTTPS transport
Note that computers in the TrustedHosts list might not be authenticated
-For more information about WinRM configuration run the following
Page 32
command winrm help config
At line50 char33
+ Set-WSManQuickConfig ltltltlt -force
+ CategoryInfo InvalidOperation () [Set-WSManQuickConfig]
InvalidOperationException
+ FullyQualifiedErrorId
WsManErrorMicrosoftWSManManagementSetWSManQuickConfigCommand
You can get this type of error from WinRM for muliple reasons The one that
we saw in our testing was the HTTP SPN scenario
If you do have an HTTP SPN defined on a Domain Account that is using the name of your machine
you have some options First you can follow the steps mentioned above to get BPA installed The
Enable-PSRemoting command will give you the above error You can temporarily remove the HTTP
SPN to get remoting enabled and then re-add the HTTP SPN
Once BPA is setup you will still not be able to run BPA if you put the HTTP SPN back in place You will
see the following when you attempt to perform a scan
This will occur regardless of which component you try to scan It could be the Engine Setup RS etchellip
One option to perform the scan successfully is to temporarily remove the HTTP SPN again run the
scan and then put the HTTP SPN back in place Another option but one that will probably require
further testing from your applicationrsquos end would be to run the application under a Host Header and
then your HTTP SPN would not include the machine name allowing BPA to run without issue
Page 33
6 RULES
Searching for ldquoSQL Server 20087 R2 BPArdquo at Microsoftcom reveals
Here is an example of one of these articles that talks about a rule to check for a recent ldquocleanrdquo
CHECKDB
Page 34
BPA works by measuring a rolersquos compliance with best practice rules in eight different categories of a
rolersquos effectiveness trustworthiness and reliability Results of measurements can be any of the three
severity levels described in the following table
Severity level Description
Noncompliant Noncompliant results are returned when a role does not satisfy the conditions of a rule
Compliant Compliant results are returned when a role satisfies the conditions of a rule
Warning Warning results are returned when a role is compliant as operating currently but may not satisfy the conditions of a
rule if changes are not made to its configuration or policy settings For example a scan of Remote Desktop Services
might show a warning result if a license server is unavailable to the role because even if no remote connections are
active at the time of the scan not having the license server prevents new remote connections from obtaining valid
client access licenses
Page 35
BPA rule categories
The following table describes the categories of best practice rules against which roles are measured
during a BPA scan
Category Name Description
Security Security rules are applied to measure a rolersquos relative risk for exposure to threats such as unauthorized or malicious
users or loss or theft of confidential or proprietary data
Performance Performance rules are applied to measure a rolersquos ability to process requests and perform its prescribed duties in
the enterprise within expected periods of time given the rolersquos workload
Configuration Configuration rules are applied to identify role settings that might require modification for the role to perform
optimally Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role
from performing its prescribed duties in an enterprise
Policy Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the
role to operate optimally and securely
Operation Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise
Predeployment Predeployment rules are applied before an installed role is deployed in the enterprise to let administrators to
evaluate whether best practices were satisfied before you use the role in production
Postdeployment Postdeployment rules are applied after all required services have started for a role and the role is running in the
enterprise
BPA Prerequisites BPA Prerequisite rules explain configuration settings policy settings and features that are required for the role
before BPA can apply specific rules from other categories A prerequisite in scan results indicates that an incorrect
setting a missing role role service or feature an incorrectly enabled or disabled policy a registry key setting or
other configuration has prevented BPA from applying one or more rules during a scan A prerequisite result does
not imply compliance or noncompliance It means that a rule could not be applied and therefore is not part of the
scan results
61 Engine Rules
Please find below a summary of the 74 Engine Rules with the links to the rule descriptions These rules
are checking that you have a secure resilient and well performing SQL configuration
Authentication Mode (httpsupportmicrosoftcomkb2028697)
Lightweight Pooling is enabled (httpsupportmicrosoftcomkb2160691)
Locks Configuration Not Dynamic (httpsupportmicrosoftcomkb2199576)
non-default network packet size in use (httpsupportmicrosoftcomkb2157175)
degree of parallelism not set to recommended value (httpsupportmicrosoftcomkb2023536)
Use Database Mail instead of SQL Mail (httpsupportmicrosoftcomkb2028584)
SQL Server Agent Proxy Account (httpsupportmicrosoftcomkb2160741)
SQL Login Password Policy Strength and password expiry
(httpsupportmicrosoftcomkb2028712)
Trustworthy Bit (httpsupportmicrosoftcomkb2183687)
Symmetric Keys Check (httpsupportmicrosoftcomkb2162020)
Asymmetric Keys Check (httpsupportmicrosoftcomkb2162020)
SQL Server installed on PDC BDC (httpsupportmicrosoftcomkb2032911)
Page 36
SQL Server Admin role membership check (httpsupportmicrosoftcomkb2184138)
Windows API calls intercepted (httpsupportmicrosoftcomkb2033238)
unsupported DotNET framework assemblies present (httpsupportmicrosoftcomkb2033344)
Disk partition starting offset may be incorrect (httpsupportmicrosoftcomkb2023571)
non-default max worker threads value configured (httpsupportmicrosoftcomkb2157129)
Guest Permissions (httpsupportmicrosoftcomkb2186935)
Data and Log files on the same volume (httpsupportmicrosoftcomkb2033523)
IO timeouts and IO controller errors detected (httpsupportmicrosoftcomkb2091098)
IO device errors detected (httpsupportmicrosoftcomkb2091098)
IO errors during page faults detected (httpsupportmicrosoftcomkb2091098)
cluster disk corruption encountered (httpsupportmicrosoftcomkb2091098)
disk defragmentation encountered corruption (httpsupportmicrosoftcomkb2091098)
failed IO requests detected (httpsupportmicrosoftcomkb2091098)
IO requests are successful when retried (httpsupportmicrosoftcomkb2015757)
IO Delay Problems reported by SQL Server (httpsupportmicrosoftcomkb2137408)
This system experienced unexpected shutdowns (httpsupportmicrosoftcomkb2091098)
tempdb corruption errors fix missing (httpsupportmicrosoftcomkb960770)
Critical SQL database inconsistency errors found (httpsupportmicrosoftcomkb2152734)
Logical consistency errors detected (httpsupportmicrosoftcomkb2152472)
Database have auto shrink option enabled (httpsupportmicrosoftcomkb2160663)
SQL Server Error logs are very big (httpsupportmicrosoftcomkb2199578)
incorrect affinity mask settings detected httpsupportmicrosoftcomkb2157114
Very low blocked process threshold setting detected httpsupportmicrosoftcomkb2157154
Potential security issue with legacy DTS stored procedures
httpsupportmicrosoftcomkb2202875
Winsock LSP loaded into SQL httpsupportmicrosoftcomkb2033448
Databases using simple recovery model httpsupportmicrosoftcomkb2137539
User database collation different from model httpsupportmicrosoftcomkb2026108
Database files and backups exist on the same volume httpsupportmicrosoftcomkb2027537
Databases have auto close option enabled httpsupportmicrosoftcomkb2160685
LSI SAS drivers needs update httpsupportmicrosoftcomkb2121098
SQL tempdb database not configured optimally httpsupportmicrosoftcomkb2154845
SQL Database file has sparse attribute set httpsupportmicrosoftcomkb2028447
Invalid startup parameters httpsupportmicrosoftcomkb2028433
MSDTC settings not configured optimally httpsupportmicrosoftcomkb2027550
sql incorrect results fix missing httpsupportmicrosoftcomkb971780
File System needs tuning for better FileStream performance
httpsupportmicrosoftcomkb2160002
linked server memory leak fix missing httpsupportmicrosoftcomkb971622EN-US
Windows service pack is not at recommended level httpsupportmicrosoftcomkb2121098
default extended event health session not in expected state
httpsupportmicrosoftcomkb2160570
TcpSysAndChimneyCheck httpsupportmicrosoftcomKB918483
FDHOST Launcher service is not configured properly httpsupportmicrosoftcomkb2160720
Unrecommended SQL Server Agent service account httpsupportmicrosoftcomkb2160720
A required Windows fix to avoid sparse file related problems is missing
httpsupportmicrosoftcomkb2002606
Page 37
Significant Portion of SQL Server Memory Has Been Paged Out
httpsupportmicrosoftcomkb2028324
Server Exception or Hang Detected on Server httpsupportmicrosoftcomkb2028589
Databases exist without CHECKSUM protection httpsupportmicrosoftcomkb2078345
backups outdated for databases httpsupportmicrosoftcomkb2027537
Database consistency check not current httpsupportmicrosoftcomkb2033590
SQL Server Memory settings are incorrect httpsupportmicrosoftcomKB918483EN-US
Autogrow Failed or took a long time httpsupportmicrosoftcomkb2091024
Storport driver fix from KBA 940467 missing httpsupportmicrosoftcomkb2121098
Storport driver fix from KBA 950903 missing httpsupportmicrosoftcomkb2121098
SQLCLR needs additional memory configuration httpsupportmicrosoftcomkb969962EN-US
Operating System files and drivers needs update for working set trimming
httpsupportmicrosoftcomkb2121098
Agent Token Replacement httpsupportmicrosoftcomkb2202637
Auditing Log in failures httpsupportmicrosoftcomkb2187161
Databases with high number of VLF present httpsupportmicrosoftcomkb2028436
Transparent Data Encryption Certificate httpsupportmicrosoftcomkb2201900
Permission on the Binn folder httpsupportmicrosoftcomkb2029023
Index Statistics Are Outdated
Server public permissions httpsupportmicrosoftcomkb2160698
Detected use of older versions of SQLNCLI httpsupportmicrosoftcomkb979779
62 AS Rules
Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions
Flight Recorder Enabled for SQL Server Analysis Services
httpsupportmicrosoftcomkb2128005
Excessive amount of memory preallocated to Analysis Services
httpsupportmicrosoftcomkb2027474
Server not configured for optimal concurrent query throughput
httpsupportmicrosoftcomkb2135031
Non standard value detected for Analysis Services memory configuration
httpsupportmicrosoftcomkb2027472
Process Thread Pool Max limit above recommended limit
httpsupportmicrosoftcomkb2134497
Process Thread Pool Minimum is below the recommended limit
httpsupportmicrosoftcomkb2134855
Server is running a build with a known regression httpsupportmicrosoftcomkb2157941
Slice not set on a ROLAP partition or a partition where proactive caching is enabled and
ROLAP storage ay occur httpsupportmicrosoftcomkb2027754
Server is ignoring duplicate key errors httpsupportmicrosoftcomkb2027761
No default member defined for non-aggregatable attribute
httpsupportmicrosoftcomkb2027769
UnknownMember set to hidden httpsupportmicrosoftcomkb2027628
Non-numeric key column for high cardinality attribute httpsupportmicrosoftcomkb2028138
Attribute hiearchy enabled for high cardinality non-key attribute
httpsupportmicrosoftcomkb2028143
ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition
detected httpsupportmicrosoftcomkb2132742
Page 38
Account or Time attribute types defined in a non-matching dimension type
httpsupportmicrosoftcomkb2157299
An Account or Time dimension has no matching attribute defined
httpsupportmicrosoftcomkb2027418
Dimension has no attribute defined with the same type
httpsupportmicrosoftcomkb2027443
Attribute Dimension type mismatch httpsupportmicrosoftcomkb2157327
Mismatched dimension attribute types detected in dimension
httpsupportmicrosoftcomkb2027459
Possible incorrect order of levels defined in hierarchy httpsupportmicrosoftcomkb2027460
Define attribute relationships as Rigid where possible httpsupportmicrosoftcomkb2027468
Redundant attribute relationships detected httpsupportmicrosoftcomkb2127437
Diamond-shape relationship detected httpsupportmicrosoftcomkb2127570
Non-Standard Attribute Relationship name detected httpsupportmicrosoftcomkb2127862
Proactive Caching set for dimension without a processing query
httpsupportmicrosoftcomkb2027541
No Time dimension detected httpsupportmicrosoftcomkb2027532
More than 3 parent-child dimensions with custom rollups defined
httpsupportmicrosoftcomkb2134431
Encountered a parent-child dimension with more than 500000 members
httpsupportmicrosoftcomkb2131918
Single attribute dimensions detected httpsupportmicrosoftcomkb2141654
Measure groups with zero dimensional overlap detected in cube
httpsupportmicrosoftcomkb2027609
Proactive Caching set for a partition without a processing query
Default measure for perspective not in the perspective
httpsupportmicrosoftcomkb2027603
Use MOLAP storage for dimensions that participate in semi-additive measure groups
httpsupportmicrosoftcomkb2135112
Measure group defined with no partition httpsupportmicrosoftcomkb2027545
63 RS Rules
RSWindowsNegotiate is missing from your configuration
httpsupportmicrosoftcomkb2145506
HTTP Logging is not enabled httpsupportmicrosoftcomkb2145909
Verbose logging is enabled httpsupportmicrosoftcomkb2146315
NTLM authentication may fail for local httpsupportmicrosoftcomkb2146369
Missing extended protection settings httpsupportmicrosoftcomkb2146062
64 IS Rules
Logging task missing for package httpsupportmicrosoftcomkb2027723
ActiveX Script task detected in package httpsupportmicrosoftcomkb2027712
Unrecommended Integration Services service account detected
httpsupportmicrosoftcomkb2027684
Integration Services logging table found in system database master and or msdb
httpsupportmicrosoftcomkb2027706
Integration Services memory dump detected httpsupportmicrosoftcomkb2027727
Page 39
65 Setup Rules
Unsupported Operating System Version Detected httpsupportmicrosoftcomkb2022909
WOW64 not supported for SQL Failover Clustering httpsupportmicrosoftcomkb2157198
Installer cache is missing for the SQL Installation httpsupportmicrosoftcomkb2015100
SQL Server WMI Provider Health Check
66 Replication Rules
Replication Timeout Alerts Type httpsupportmicrosoftcomkb2118349
Replication Pub and Sub out of sync (Data Validation) httpsupportmicrosoftcomkb2118386
Replication Pub and Sub out of sync (Constraint Violations)
httpsupportmicrosoftcomkb2118410
Replication Pub and Sub out of sync (Skipped Transactions)
httpsupportmicrosoftcomkb2194498
Merge Replication Health Check httpsupportmicrosoftcomkb2118445
Subscriptions Approaching Expiration httpgomicrosoftcomfwlinkLinkId=184483
Replication Cleanup and Retention Health Check httpsupportmicrosoftcomkb2118485
Replication Latency Threshold violations httpsupportmicrosoftcomkb2118425
Page 40
7 HOW TO DEAL WITH DEVIATIONS
Deviations from these Best Practices may indicate potential issues and configuration changes may be
necessary Make sure you have tested any intended changes in a test environment before deploying
them to a production environment You could also find deviations from Best Practices that are
acceptable or even necessary for your environment For example
SAP has its special Network Packet Size of 8 KB
Existing Non-Microsoft Clients ndash would require Mixed Mode Authentication
Page 41
8 MOTIVATION TO USE SQL BPA R2
Bob Ward explained in his Article ldquoWhy use SQL Server 2008 R2 BPA Case 1 Missing Updatesrdquo
the common pitfalls during maintenance and operation of SQL Server and how address them by using
the SQL BPA
In brief itrsquos a customer scenario where the customer is facing an issue after a major update to
SQL2008 After some troubleshooting and an update to a certain CU (that is meant to fix the issue) the
problem still occurs Bobs article states the common resulting consequences ndash the involvement of
Microsoft Support and the final solution ndash adding a needed traceflag
The good news in this story is that the customer would not have needed to go to all that effort if they
would have run the SQL BPA It would have told them about the update and instructed them to put the
traceflag in place BPA is a mechanism that proactively advises you and instructs you on dealing with
common known issues
Page 42
9 ADDITIONAL INFORMATION
91 PowerShell
To use the functionality of the Baseline Configuration Analyzer with PowerShell you must import this
module first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
The following commands are stored in this module
Get-MbcaModel
Get-MbcaResult
Invoke-MbcaModel
Set-MbcaResult
You get help of this command with the following syntax
Get-help ltcommandgt -full
911 Get-MBCAModel
SYNOPSIS
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer
SYNTAX
Get-MBCAModel [[-ModelId] ltstring[]gt] [[-SubModelId] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer If no parameter is
specified Get-MBCAModel returns all models that are installed on the computer If a model is specified
by using the -ModelId parameter information about the specified model is returned
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
The results of the Get-MBCAModel cmdlet include the following details about models
1 Branding information (manufacturer or company display names version number) that is found in
the model manifest
2 Dynamic parameters that are included with the model
3 Submodels that are included with the model
PARAMETERS
-ModelId ltstring[]gt
The -ModelId parameter specifies the ID of the MBCA model about which you want to view
details You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet with no parameters and targeted at a computer on which MBCA models are installed
Page 43
This parameter supports wild card characters
Required false
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you
want to view details You can obtain valid values for the -SubModelId parameter by running the
Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models
are installed Not all models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
Examples
Get-MBCAModel
In the preceding example Get-MBCAModel with no parameters added returns details about all MBCA
models that are installed on the computer
Get-MBCAModel -ModelId SQL2008R2BPA
The preceding example can be used to return details about the MBCA model that is specified in the -
ModelId parameter represented by Model Id
$model= Get-MBCAModel -ModelId SQL2008R2BPA
$modelParameters
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the Parameters property of the model details that were stored in the
$model object returns details about which parameters are supported by the model
Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId ltSubModel Idgt
The preceding example can be used to return details about the MBCA sub-model that is specified by
the -SubModelId parameter represented by SubModel Id Note that the -ModelId parameter is
required by the -SubModelId parameter
$model= Get-MBCAModel -ModelId SQL2008R2BPA
Page 44
$modelSubModels
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the SubModels property of the model details that were stored in the
$model object returns a list of the submodels of the model specified in the first line
912 Invoke-MBCAModel
SYNOPSIS
The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA)
scan for a specific model that is installed on your computer
SYNTAX
Invoke-MBCAModel [-ModelId] ltstringgt -SubModelId ltstringgt [-Authentication
ltAuthenticationMechanismgt] [-CertificateThumbprint ltstringgt] [-ComputerName
ltstring[]gt] [-ConfigurationName ltstringgt] [-Context ltstringgt] [-Credential
ltstringgt] [-Mode ltModeEnumgt] [-Port ltintgt] [-RepositoryPath ltstringgt] [-
ThrottleLimit ltintgt] [-UseSSL] [ltCommonParametersgt]
DESCRIPTION
The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer
(MBCA) scan for a specific model that is installed on your computer The model is specified either by
using the parameter -ModelId or by piping the results of the Get-MBCAModel cmdlet into an Invoke-
MBCAMode cmdlet
After the MBCA scan has been performed the results of the scan are available to be retrieved by Get-
MBCAResult cmdlet
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Authentication ltAuthenticationMechanismgt
Specifies the authentication mechanism that is used to authenticate the users credentials Valid
values include Default Basic CredSSP Digest Kerberos Negotiate and
NegotiateWithImplicitCredential The default value is Default
For more information about the -Authentication parameter type the following and then press
Enter
Get-Help Invoke-Command -Parameter Authentication
Required false
Position named
Default value Default
Accept pipeline input false
Accept wildcard characters false
-CertificateThumbprint ltstringgt
Page 45
Specifies the digital public key certificate (X509) of a user account that has rights to perform the
cmdlet action The valid value is the certificate thumbprint of the certificate
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Certificate Thumbprint
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific
computer by adding this parameter Valid values include NETBOS names IP addresses or fully-
qualified domain names of one or more computers in a comma-separated list To specify the local
computer type the computer name or localhost
All formats that are accepted by the -ComputerName parameter in Invoke-Command are
accepted
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ConfigurationName ltstringgt
Specifies the session configuration that is used for a new PSSession
Enter a configuration name or the fully-qualified resource URI for a session configuration
Session configuration data is found on the remote computer on which you want to run a cmdlet
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ConfigurationName
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
The -Context parameter lets you run scans on a submodel in the context of a specific model (one
that is different from the parent model of the submodel) For example an administrator might
want to run a scan on the Backend submodel of the SQL model but only those in the context
of a third model a technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
Page 46
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Credential ltstringgt
Specifies a user account that has permission to run this cmdlet The default value is the current
user
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Credential
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Mode ltModeEnumgt
The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered
documents or discovery The default is to perform both discovery and analysis or All
If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet both discovery and
analysis are performed during a scan
Valid values are Discovery Analysis and All
Required false
Position named
Default value All
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model that you want to scan You can
obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at
a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
Page 47
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-Port ltintgt
Specifies the network port on a remote computer on which you want to run a scan The default
value is port 80
For more information on this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Port
Required false
Position named
Default value 80
Accept pipeline input false
Accept wildcard characters false
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a pathname If the parameter is not used the cmdlet writes
results to the default result repository
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to
scan You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed Not all models have
submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ThrottleLimit ltintgt
Specifies the maximum number of concurrent connections that can be established to run the
cmdlet If you omit this parameter or enter a value of 0 the default value of 32 is used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ThrottleLimit
Required false
Page 48
Position named
Default value 32
Accept pipeline input false
Accept wildcard characters false
-UseSSL [ltSwitchParametergt]
Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer
By default SSL is not used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter UseSSL
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceInvokeBpaModelOutputgt
The output object encapsulates the results of the cmdlet that you entered It contains information such
as the MBCA model ID the success or failure of the cmdlet and other details
NOTES
If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C)
before the temporary results file is copied to its final location the temporary file is discarded and any
previous scan results file for the role are preserved The message Processing of Invoke-MBCAModel
cancelled by user is displayed if the command is cancelled before existing scan results files are
overwritten
If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel
cmdlet and the command is cancelled scans that were completed before the cancel command was
entered cannot be cancelled A scan in progress behaves as described above in the single-model scan
cancellation scenario Subsequent scans in the pipeline are cancelled
If a concurrent scan of the same model is attempted the cmdlet returns the following error message
Another scan for this MBCA model is in progress Only one scan is allowed at a time
-------------------------- EXAMPLE 1 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA
Description
The preceding example starts a MBCA scan on the model that is represented by ltModel Idgt
-------------------------- EXAMPLE 2 --------------------------
Page 49
Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name
redmondmicrosoftcom
Description
The preceding example starts an MBCA scan on the model ID that is specified by Model Id
The administrator starts the MBCA scan with additional model-specific parameters that are exposed by
the model (For an example of how to obtain model-specific parameters see the examples for the Get-
MBCAModel cmdlet)
For example to scan a model that requires model-specific parameters (such as -Scope and -Name) to
be passed to the command the administrator can specify the values of these model-specific
parameters with the Invoke-MBCAModel cmdlet
-------------------------- EXAMPLE 3 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The
cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion
of the scan
-------------------------- EXAMPLE 4 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath
ltRepository Pathgt
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The -
Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on
existing documents that are specified in the non-default repository path provided with the -Repository
Path parameter
-------------------------- EXAMPLE 5 --------------------------
Invoke-MBCAModel -Id ltModel Idgt -SubModelId ltSubModel Idgt -ComputerName
ltServergt -Context ltContext Model Idgt -RepositoryPath ltRespository Pathgt -
AsJob -Authentication ltAuthenticatonMechanismgt -Port ltPort Numbergt -UseSSL -
ThrottleLimit ltThrottle Limitgt
Description
The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id
and on the computer that is represented by Server
Because the administrator only wants to see results from the submodel that apply in the context of a
third model the administrator runs the scan within the context of the model ID that is specified in the -
Context parameter The cmdlet results are saved to the non-default repository path that is specified in
the -RepositoryPath parameter
Because the -AsJob parameter is added the scan runs in the background The -AsJob -
Authentication -Port -UseSSL and -ThrottleLimit parameters are passed through for use by the
Invoke-Command cmdlet to perform discovery on a remote computer For more information about
these parameters see the Help for the Invoke-Command cmdlet available in Windows PowerShell V2
913 Get-MBCAResult
SYNOPSIS
Page 50
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
SYNTAX
Get-MBCAResult [-ModelId] ltstringgt [[-CollectedConfiguration]] -SubModelId
ltstringgt [-ComputerName ltstring[]gt] [-Context ltstringgt] [-Filter
ltFilterEnumgt] [-RepositoryPath ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
To use the command add the -ModelId parameter and then specify the model ID for which you want
to view the most recent MBCA scan results or collected configuration data If you want to retrieve the
configuration data collected add the -CollectedConfiguration switch parameter
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-CollectedConfiguration [ltSwitchParametergt]
The -CollectedConfiguration parameter allows you to obtain the configuration data that was
collected for the most recent MBCA scan If this switch parameter is added to Get-MBCAResults
the cmdlet returns only the configuration data that was collected for a scan
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The -ComputerName parameter lets you obtain scan results that were collected for the most
recent MBCA scan of a submodel on a specific computer To specify the local computer type the
computer name or localhost Multiple values for -ComputerName can be separated by
commas
The -SubModelId parameter is required by the -ComputerName parameter
Valid values for the -ComputerName parameter include localhost a NET BIOS name an IP
address or a fully-qualified domain name (FQDN) of one or more computers in a comma-
separated list
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
Page 51
The -Context parameter lets you obtain scan results that were collected for the most recent
MBCA scan of a submodel in the context of a specific model (one that is different from the parent
model of the submodel) For example an administrator might want to display scan results for the
Backend submodel of the SQL model but only those in the context of a third model a
technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Filter ltFilterEnumgt
The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant
Noncompliant or All results Valid values are Noncompliant Compliant or All The default value
is All
The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan
results You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet obtains
results from the default result repository
Required false
Position named
Page 52
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you
want to view scan results You can obtain valid values for the -SubModelId parameter by running
the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed Not all
models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceResultgt OR
SystemXmlXmlDocument (if -CollectedData specified)
If you do not use the -CollectedConfiguration parameter verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Results
2 Attempting to get MBCA results for Model Id = 0
3 Completed getting MBCA results for Model Id = 0 Number of Results = 1
If you add the -CollectedConfiguration parameter to display configuration data that was used for a
scan verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Configuration Data
2 Attempting to get MBCA collected configuration data for Model Id = 0
3 Completed getting MBCA collected configuration data for Model Id = 0
NOTES
The Get-MBCAResult cmdlet must be run by a member of the Administrators group and it does not
start a new scan
Cancellation behaviour
Single Model - To cancel this cmdlet you must press Ctrl+C before the ResultCollection is displayed
on the console The operation is cancelled and results are not displayed on the console
Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models
the cmdlet generates only those results that were displayed on the console before the cancellation
Any subsequent results in the pipeline are cancelled and not displayed
Page 53
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -Id SQL2008R2BPA
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id
-------------------------- EXAMPLE 2 --------------------------
Get-MBCAModel | Get-MBCAResult
In the preceding example Get-MBCAModel is used to return a list of all MBCA models that are
installed on the computer The results of the Get-MBCAModel cmdlet are piped to the Get-
MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both
supported by MBCA and installed on the computer at which the cmdlet is targeted
-------------------------- EXAMPLE 3 --------------------------
$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$resultDiscoveryDocument
Description
In the preceding example configuration data (in XML form) that was collected during the most recent
Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is
retrieved and stored as a property in the variable $result $resultDiscoveryDocument is of type
SystemXmlXmlDocument
-------------------------- EXAMPLE 4 --------------------------
Get-MBCAResult SQL2008R2BPA -Filter Noncompliant
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id and then applies a filter to show only Noncompliant
results
------------------------- EXAMPLE 5 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId Note that the parent model ID must be specified
to use the -SubModelId parameter
------------------------- EXAMPLE 6 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt -ComputerName ltServergt
-Context ltContext Model Idgt -RepositoryPath ltRepository Pathgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId The parent model ID is provided as required by
the -SubModelID parameter
The -Context parameter indicates that the administrator wants to see only those scan results that are in
the context of the model that is represented by Context Model Id for example only those results from
a SQL Server scan that specifically apply to another technology such as Web Server (IIS)
Page 54
The scan results are further narrowed to only those from a computer that is specified in the -
ComputerName parameter as Server and only those results found in the non-default results
repository that is represented by Repository Path
914 Set-MBCAResult
SYNOPSIS
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
SYNTAX
Set-MBCAResult [[-Exclude] ltBooleangt] [-Results] ltResultgtgt [[-
RepostitoryPath] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
The action specified in the cmdlet (Exclude for example) determines how the existing results of an
MBCA scan are updated Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet
to return a collection of scan results
You can apply filters to results that are returned by the Get-MBCAResult cmdlet and then pipe the
filtered collection of results to the Set-MBCAResult cmdlet specifying either to include or exclude
filtered scan results
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Exclude ltBooleangt
Excludes scan results from the results collection that were previously obtained by the Get-
MBCAResult command To exclude results by using the -Exclude parameter add the value $true
following the parameter as shown
-Exclude $true
To include results that have been excluded use the $false value for the -Exclude parameter
Required false
Position 2
Default value
Accept pipeline input false
Accept wildcard characters false
-RepostitoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet
modifies results from the default result repository
Required false
Page 55
Position 4
Default value
Accept pipeline input false
Accept wildcard characters false
-Results ltResultgtgt
Specifies the result collection to be updated by the Set-MBCAResult cmdlet The -Results
parameter is typically used to specify a filtered subset of scan results that has already been
stored in a variable the variable name is provided as the valid value for the -Results parameter
For example if you have created a variable $allPerformance to store all the Performance
category results for an MBCA scan of all models on a computer and you want to exclude those
Performance results from the complete collection of scan results you add the parameter -Results
$all Performance to a Set-MBCAResult cmdlet
For a more detailed example see the Examples section of the Help for this cmdlet
Required true
Position 3
Default value
Accept pipeline input true (ByValue)
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type ldquoget-
help about_commonparameters
NOTES
If the Set-MBCAResult command is cancelled before the results are written to a file the operation is
cancelled and the results file is not modified If cancellation occurs after the results file has been
modified the commands actions are carried out and the command cannot be cancelled
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -ModelId SQL2008R2BPA | Where $_Category -eq
Performance | Set-MBCAResult -Exclude $true
Description
The first section of the preceding example to the left of the first pipe character (|) uses the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is
represented by Model Id
The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those
scan results for which the category name is equal to Performance
The final section of the example following the second pipe character excludes the Performance
results that were filtered by the previous section of the example
-------------------------- EXAMPLE 2 --------------------------
$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath
CReposPath | Where $_Category -eq Policy
Page 56
Set-MBCAResult -Exclude $true -RepositoryPath CReposPath -Results
$rcPolicy
Description
The first line of the preceding example to the left of the pipe character (|) instructs the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is
represented by Specified Model Id from the specified non-default repository path
The second section of the example after the pipe character filters the results of the Get-MBCAResult
cmdlet to return only those scan results for which the category name is equal to (note the -eq option)
Policy The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet this
variable can be used in subsequent commands to represent those results
The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that
are stored in the $rcPolicy variable In this example the -Results parameter is added because the
administrator wants to exclude a specific subset of scan results for that model and has created the
variable $rcPolicy to represent that subset of results The repository root is specified in the second line
because the administrator wants to modify the results in the same non-default repository from which
the data in $rcPolicy was retrieved
915 MBCA Model Authoring
Further information about configuration and usage of MBCA models you can in the
MBCA_ModelAuthoringGuidedocx
Page 57
Did this paper help you Please give us your feedback Tell us on a scale of 1 (poor) to 5 (excellent)
how would you rate this paper and why have you given it this rating For example
Are you rating it high due to having good examples excellent screen shots clear writing or
another reason
Are you rating it low due to poor examples fuzzy screen shots or unclear writing
This feedback will help us improve the quality of white papers we release
Send feedback
Page 2
Table of Contents
1 Introduction 5
11 Architecture and data flow of the BPA 6
12 Microsoft Best Practice Analyzer Universe 7
121 SQL Server BPA (older versions) 7
122 Windows Server 2008 R2 Best Practice Analyzer 7
123 Fix-it 8
124 Microsoft Automated Troubleshooting Service in Windows Server 2008 R2 and Windows 7 8
2 System Requirements 10
21 Required Permissions for Running SQL Server 2008 R2 BPA 10
22 Prerequisites 11
3 Install 12
31 Installing PowerShell 20 and WinRM 12
32 Install MBCA 13
33 Install BPA 14
331 Command line 14
332 GUI 15
333 Port and Firewall restrictions 16
34 Updates 16
35 Uninstall 16
351 BPA 16
352 MBCA 16
353 Reset Powershell settings 16
4 Usage 17
41 Help file 17
42 GUI 17
43 Connect to a remote computer 20
44 Powershell 22
441 Run Scan 22
442 Create Report 23
443 Exporting and opening reports by using Get-MBCAResult 24
444 Report Result Directory 24
5 Troubleshooting 26
51 Application directories 26
Page 3
52 Windows Server 2003 ndash NumberOfLogicalProcessors 26
53 MBCA 27
54 Where can I find the Instance name in result set of the analyzer report 27
55 Memory limit of remote PowerShell process 27
56 Remote connect 27
57 Installation 30
571 Powershell error 30
572 Workgroup or Non-Domain computer 31
573 Kerberos Failure 31
6 Rules 33
61 Engine 35
62 ASRules 37
63 RSRules 38
64 ISRules 38
65 SetupRules 39
66 Replication 39
7 How to Deal With Deviations 40
8 Motivation to use SQL BPA R2 41
9 Additional Information 42
91 Powershell 42
911 Get-MBCAModel 42
912 Invoke-MBCAModel 44
913 Get-MBCAResult 49
914 Set-MBCAResult 54
915 MBCA Model Authoring 56
Page 4
Copyright Information
The information contained in this document represents the current view of Microsoft Corporation on the
issues discussed as of the date of publication Because Microsoft must respond to changing market
conditions it should not be interpreted to be a commitment on the part of Microsoft and Microsoft
cannot guarantee the accuracy of any information presented after the date of publication
This white paper is for informational purposes only MICROSOFT MAKES NO WARRANTIES
EXPRESS IMPLIED OR STATUTORY AS TO THE INFORMATION IN THIS DOCUMENT
Information in this document including URL and other Internet Web site references is subject to
change without notice Unless otherwise noted the companies organizations products domain
names e-mail addresses logos people places and events depicted in examples herein are fictitious
No association with any real company organization product domain name e-mail address logo
person place or event is intended or should be inferred Complying with all applicable copyright laws
is the responsibility of the user Without limiting the rights under copyright no part of this document
may be reproduced stored in or introduced into a retrieval system or transmitted in any form or by any
means (electronic mechanical photocopying recording or otherwise) or for any purpose without the
express written permission of Microsoft Corporation
Microsoft may have patents patent applications trademarks copyrights or other intellectual property
rights covering subject matter in this document Except as expressly provided in any written license
agreement from Microsoft the furnishing of this document does not give you any license to these
patents trademarks copyrights or other intellectual property
copy 2010 Microsoft Corporation All rights reserved
Microsoft and SQL Server are trademarks of the Microsoft group of companies
All other trademarks are property of their respective owners
Page 5
1 INTRODUCTION
The Microsoft SQL Server 2008 R2 Best Practices Analyzer (BPA) is a diagnostic tool that performs
the following functions
Gathers information about a server and an instance of Microsoft SQL Server 2008 or 2008 R2
that is installed on that server
Determines if the configurations are set according to the Microsoft recommended best
practices
Reports on all configurations indicating settings that differ from recommendations
Indicates potential problems in the installed instance of SQL Server
Recommends solutions to potential problems
This tool is used by IT Professionals and Database Administrators to help ensure that their installations
of SQL Server and associated products components are adhering to best practices as determined by
the SQL Server Product Teams and CSS This utility scans the installation of a local or remote
machine gathering system data from WMI log files the Event Log the Windows Registry and SQL
Server metadata and compares the results to predefined standards It then produces a report that
shows the results and points the user to additional information on the web to help them determine
whether they should make changes to their systems
For every configuration the SQL Server 2008 R2 BPA provides the following results
Compliance results are returned when an instance of SQL Server satisfies the conditions of a
Best Practices rule Non-compliance results are returned when an instance of SQL Server
does not satisfy the conditions of a Best Practices rule
Impact of non-compliance
Recommendation
Links to more detailed information and related topics
To assist you and to make your DBA life easier Microsoft includes some of these Best Practices in a
couple of products ndash depending on specific purpose of the Software The following diagram illustrates
the variety of tools available to check best practices for SQL Server 2008 and SQL Server 2008 R2 in
parallel or in combination with BPA
Page 6
The big picture ndash automated Best Practices of SQL Server checks offered in different flavours and
products
So you will find a couple of policies in our monitoring solution
SQL Server 2008 R2 Best Practice Analyzer
within more than 140 rules for database engine and other technologies
System Center Operations Manager (SCOM)
within the SQL Management pack (current version 6131436 release date 08172010)
with more than 300 rules and 50 additional monitors
Policy Based Management in SQL Server 2005 and 2008
with predefined policy collection (50+ policies)
There is a whitepaper about PBM here
System Configuration Checker in the SQL Server 2008 setup wizard
The SQL Risk Assessment Toolset (Premier Organisation best practice flagship) offering more
than 200 rules This offering is meant for Premier customers running the SQL RAP against
their most business critical SQL instances
Note This tool set is only available for Microsoft Premier Customers
11 Architecture and data flow of the BPA
The SQL Server 2008 R2 Best Practices Analyzer is an additional ldquomodelrdquo for the Microsoft Baseline
Configuration Analyzer V20 (MBCA) A model is a set of component files that together comprise the
configuration analysis and reporting output from MBCA
The MBCA is imbedded as a PowerShell cmdlet and consists of two major components the MBCA
Engine and the MBCA UI
The MBCA Engine process itself consists of 2 main activities evaluation and discovery The MBCA
Engine is fed by PowerShell discovery Scripts and XML Schema Files which are used during
CSS Rules Advice
and Manifests
SQL Server 2008 R2 Best
Practice Analyzer
SQL 2008 Setup
Policy Based Management
SCOM SQL MP
SQLRAP
Page 7
discovery The discovery activity interrogates the SQL Server Registry WMI Error- and Event-Logs
etc The output is saved in an XML File which is then used in the evaluation activity Evaluation is
performed using the Schematron file This file run by the MBCA engine contains the logic for
evaluating the best practices The final step following the evaluation process is the report generation ndash
which is shown in the MBCA UI
In the flow chart below you will find the anatomy of the SQL Server 2008 R2 Best Practices Analyzer
12 Microsoft Best Practice Analyzer Universe
Microsoft offers many technologies and utilities to produce best practices recommendations
121 SQL Server BPA (older versions)
Microsoft has also created BP Analyzers for your older SQL Server versions and for Windows
SQL Server 2005 Best Practices Analyzer (August 2008)
SQL Server 2000 Best Practices Analyzer (April 2010)
122 Windows Server 2008 R2 Best Practice Analyzer
In Windows management best practices are guidelines that are considered the ideal way under
typical circumstances to configure a server as defined by experts For example it is considered a best
practice for most server technologies to keep open only those ports required for the technologies to
communicate with other networked computers and block unused ports Although best practice
Page 8
violations even crucial ones are not necessarily problematic they indicate server configurations that
can result in poor performance poor reliability unexpected conflicts increased security risks or other
potential problems
Best Practices Analyzer (BPA) is a server management tool that is available in
Windows Serverreg 2008 R2 BPA can help administrators reduce best practice violations by scanning
one or more roles that are installed on Windows Server 2008 R2 and reporting best practice violations
to the administrator Administrators can filter or exclude results from BPA reports that they do not have
to see Administrators can also perform BPA tasks by using either the Server Manager GUI or
Windows PowerShell cmdlets
BPA can also be used on remote servers that are running Windows Server 2008 R2 by using Server
Manager targeted at a remote server For more information about how to run Server Manager targeted
at a remote server see Remote Management with Server Manager
The following BPA modules are currently available
Best Practices Analyzer for Active Directory Certificate Services
Best Practices Analyzer for Active Directory Domain Services
Best Practices Analyzer for Active Directory Rights Management Services
Best Practices Analyzer for Application Server
Best Practices Analyzer for Domain Name System
Best Practices Analyzer for Dynamic Host Configuration Protocol
Best Practices Analyzer for File Services
Best Practices Analyzer for Hyper-V
Best Practices Analyzer for Internet Information Services
Best Practices Analyzer for Network Policy and Access Services
Best Practices Analyzer for Remote Desktop Services
Best Practices Analyzer for Windows Server Update Services
More Information about Windows BPA look here
123 Fix-it
Currently there exists no link between the SQL Server Best Practice Analyzer and the Fixit webpage
httpsupportmicrosoftcomfixit
Microsoft is working on a solution to combine fixit with specific Best Practice Analyzer
httpfixitcentersupportmicrosoftcomPortal
124 Microsoft Automated Troubleshooting Service in Windows Server
2008 R2 and Windows 7
Troubleshooting in Windows Server 2008 R2 and Windows 7 provides several troubleshooting
programs that can automatically fix some common problems with your computer such as problems
with networking hardware and devices using the web and program compatibility
Go to the Windows website to watch a video about using troubleshooters to fix common problems
(330)
When you run a troubleshooter it might ask you some questions or reset common settings as it works
to fix the problem If the troubleshooter fixed the problem you can close the troubleshooter If it couldnt
fix the problem you can view several options that will take you online to try and find an answer In
either case you can always view a complete list of changes made
Page 9
Notes
If you click the Advanced link on a troubleshooter and then clear the Apply repairs
automatically check box the troubleshooter displays a list of fixes to choose from if any
problems are found
Windows includes several troubleshooters and more are available online when you select the
Get the most up-to-date troubleshooters from the Windows Online Troubleshooting service
check box at the bottom of Troubleshooting
httpsupportmicrosoftcomgpsystem_maintenance_for_windows
Page 10
2 SYSTEM REQUIREMENTS
SQL Server 2008 R2 Best Practices Advisor is supported on the following Operating Systems
1 Windows Vista
2 Windows 7
3 Windows Server 2003
4 Windows Server 2003 R2
5 Windows Server 2008
6 Windows Server 2008 R2
Supported editions of SQL Server
1 SQL Server 2008 all editions except Express
2 SQL Server 2008 R2 all editions except Express
Supported Components of SQL Server
1 Analysis Services
2 Database Engine
3 Integration Services
4 Reporting Services
5 Replication
6 Setup
These components are designed as Submodels for the BPA This means that they will be run
concurrently where possible
21 Required Permissions for Running SQL Server 2008 R2 BPA
Administration Privileges
To run MBCA v20 a user must be a member of the administrators group on the machine being
scanned and on the machine the scan is initiated from If a user is not an administrator on the machine
that is being scanned an appropriate error message displays
SQL Server
To successfully access all of the database properties and SQL Server Configurations a user must be
the Systems Administrator (sysadmin) on the instance of SQL Server
Analysis Services
The user or the administrators group must be member of the server administrator role within an
instance of Microsoft SQL Server Analysis Services have unrestricted access to all Analysis Services
objects and data in that instance
httpmsdnmicrosoftcomen-uslibraryms174561aspx
Integration Services
The user or the administrators group must be members of the sysadmin or db_ssisadmin roles
httpmsdnmicrosoftcomen-uslibraryms141053aspx
Reporting Services
Page 11
The user or the administrators group must be member of the System Administrator and Content
Manager role
22 Prerequisites
The following are required for using SQL Server 2008 R2 Best Practices Analyzer
1 PowerShell V20
Windows PowerShell 20 requires the Microsoft NET Framework 20 with Service Pack 1
2 Microsoft Baseline Configuration Analyzer V20
3 SQL Server Management Tools for SQL Server 2008 or SQL Server 2008 R2
The following table outlines the prerequisite Microsoft utilities components by Operating System
necessary to have on your server prior to installing and running SQL Server 2008 R2 BPA
OS 1Install
WinRM
2Install
PowerShell 20
3Install
MBCA 20
Configure PowerShell1 7 Install SQL2008
or SQL 2008 R2
Management Tools 4Remoting 5Execution
Level
6 MaxShells
PerUser
Win Vista Y Y Y Y Y Y Y
Windows 7 N N Y Y Y Y Y
Windows
Server 2003
Y Y Y Y Y Y Y
Windows
Server 2003
R2
Y Y Y Y Y Y Y
Windows
Server 2008
Y Y Y Y Y Y Y
Windows
Server 2008
R2
N N Y Y Y Y Y
1 These changes will be done from the installation routine of the BPA
Page 12
3 INSTALL
We recommend installing BPA on a workstation or administration server and performing the scan
operation remotely against servers in your SQL Server infrastructure It is also possible to install this
tool on the production SQL Server locally
Installation process
1 InstallConfigure PowerShell and WinRM
2 Microsoft Baseline Configuration Analyzer V20
3 Microsoftreg SQL Serverreg 2008 R2 Best Practices Analyzer
It exists two ways to install the Best Practices Analyzer
With a graphical user interface (setup wizard) or
Command line
31 Installing PowerShell 20 and WinRM
BPA install configures WinRM and PowerShell options by default Most of this section is only needed if
something goes wrong and you need to configure this stuff by hand
Windows Server 2003 R2
WinRM is not installed by default but it is available as the Hardware Management feature through the
AddRemove System Components feature in the Control Panel under Management and Monitoring
Tools Complete installation and information about configuring WinRM using the WINRM command-line
tool is available online in the Hardware Management Introduction which describes the WinRM and the
IPMI features in Windows Server 2003 R2
On Windows Vista Windows Server 2003 and Windows Server 2008
This is installed as part of Windows Management Framework Core The WinRM service starts
automatically on Windows Server 2008 On Windows Vista the service must be started manually
On Windows Server 2008 R2 and Windows 7
This is installed as part of the OS
Note Check for additional information and configuration guidelines for WinRM and for PowerShell
20
SQL Server 2008 R2 BPA is able to scan both the local computer and remote computers Therefore in
both the local and remote cases it required that your PowerShell settings be modified These are done
by the BPA installation
PowerShell Execution Policy
The PowerShell Execution Policy is set to Restricted by default To run SQL Server 2008 R2 BPA
through the PowerShell command Line set the policy to RemoteSigned using the below command
Set-ExecutionPolicy RemoteSigned -f
You can use the command Set-ExecutionPolicy Restricted ndashf to set the execution policy back to
restricted This command is not required when executing the scan through the MBCA GUI
After the installation you must enable the PowerShell remote scripting if you are want to use the BPA
remote to another workgroup machine or a computer that have Kerberos enabled You need to run this
command only once on each computer that will receive commands You do not need to run it on
Page 13
computers that only send commands Because the configuration activates listeners it is prudent to run
it only where it is needed You can do this with the following command line
powershellexe -NoLogo -NoProfile -Noninteractive -Command Enable-
PSRemoting -force
Enable-PSRemoting performs configuration actions to enable this machine for remote management
Includes
1 Runs the Set-WSManQuickConfig cmdlet which performs the following tasks
Starts the WinRM service
Sets the startup type on the WinRM service to Automatic
Creates a listener to accept requests on any IP address
Enables a firewall exception for WS-Management communications
Enables all registered Windows PowerShell session configurations to receive instructions
from a remote computer
Registers the MicrosoftPowerShell session configuration if it is not already registered
Registers the MicrosoftPowerShell32 session configuration on 64-bit computers if it is
not already registered
Removes the Deny Everyone setting from the security descriptor for all the registered
session configurations
Restarts the WinRM service to make the preceding changes effective
2 Configures MaxShellsPerUser using winrm set winrmconfigwinrs
``MaxShellsPerUser=`10``
Specifies the maximum number of concurrent shells that any user can remotely open on
the same computer If this policy setting is enabled the user will not be able to open new
remote shells if the count exceeds the specified limit If this policy setting is disabled or is
not configured the limit will be set to 5 remote shells per user by default and you receive
the following error message
[localhost] Connecting to remote server failed with the following
error message The WS-Management service cannot process the
request This user is allowed a maximum number of 5 concurrent
shells which has been exceeded Close existing shells or raise the
quota for this user For more information see the
about_Remote_Troubleshooting Help topic
+ CategoryInfo OpenError
(SystemManagemehellipRemoteRunspa
ceRemoteRunspace) [] PSRemotingTransportException
+ FullyQualifiedErrorId PSSessionOpenFailed
For more information about PowerShell remoting please see MSDN
32 Install MBCA
Download the edition of MBCA depending on your platform (x86 or x64) before installation
Page 14
Please find below the screenshots demonstrating the visual flow of the MBCA Installation
Welcome screen
License terms
Folder selection
Completion screen
33 Install BPA
Download the correct edition depending on your platform (x86 or x64) before installing If you have
trouble with the installation please section 57 Troubleshooting Installation
331 Command line
Following is an optimized command line setup example
msiexec i SQL2008R2BPA_Setup64msi l log ctempsqlbpa_installlog qn
msiexec parameters
i = package name (SQL2008R2BPA_Setup32msi or SQL2008R2BPA_Setup64msi
depending on your platform)
l = log granularity ldquordquo - Log all information except for v and x options
log = log file
q = display settings (qn ndash no user interface)
SKIPCA=1 (if no domain controller is available Skip Certification Authority)
For information on additional public properties Consult the Windowsreg Installer SDK for documentation
on the command line syntax
Page 15
332 GUI
Please find below the screenshots demonstrating the visual flow of the SQL Server 2008 R2 BPA
Installation
Welcome screen
License terms
System Configuration Changes (see 31 Installing PowerShell 20 and WinRM)
Ready to install decision
Install progress
Completion screen
Page 16
333 Port and Firewall restrictions
For scanning SQL Server or BI instances on an alternate server behind a firewall you must open all
necessary ports
34 Updates
Microsoft is working on quarterly updates of the rule set and tool improvements of the SQL Server
2008 R2 Best Practice Analyzer Please visit the Download site from Microsoft regularly to find new
updates
35 Uninstall
351 BPA
352 MBCA
353 Reset PowerShell settings
After the uninstall of the BPA you may disable the PowerShell remote scripting You can do this with
the following command line
powershellexe -NoLogo -NoProfile -Noninteractive -Command Disable-
PSRemoting -force
Disable-PSRemoting performs configuration actions to enable this machine for remote management
Page 17
4 USAGE
There are two ways to scan a server using MBCA and SQL 2008 R2 BPA They are
Scanning through the local machine
o In this case you are using MBCA and SQL 2008 R2 BPA running on the local machine to
perform the scan
o This scan can be of the local or an alternate server
Scanning through a remote machine
o In this case MBCA is used to connect to a remote server that has MBCA and SQL 2008
R2 BPA installed on it
o This scan is using the local machine to form the connection to the remote machine and is
actually performing the scan through the remote machine
41 Help file
The help file for the SQL Server 2008 R2 Best Practice Analyzer contains very useful information This
help file is available after the installation of BPA and is located at Start-gtAll programs-gtSQL Server
2008 R2 BPA
42 GUI
1 Ensure that MBCA v2 and SQL 2008 R2 BPA are installed on the machine
2 Run the MBCA application from the start menu with elevated user rights
Page 18
3 On the MBCA home page ensure the SQL Server 2008 R2 BPArdquo product is selected
4 Click Start Scan which displays a page to specify parameters as shown below
5 Fill in Alternate_Server_to_Scan with the remote machine you want to scan
ComputerName
IP address nnnn
FQDN (Fully Qualified Domain Name)
Enter ldquordquo localhost or leave this blank if you want to scan the local machine
Page 19
Enter the instance name you want to scan To scan the default instance enter MSSQLSERVER
or leave this as blank Toggle the checkboxes to enabledisable scans for those rule categories
Each of the following six check boxes correspond to the SQL Server categories listed previously
Select at least one category in order to run a successful scan
Analyze_SQL_Analysis_Services
Analyze_SQL_Server_Engine
Analyze_SQL_Integration_Services
Analyze_SQL_Server_Replication
Analyze_SQL_Reporting_Services
Analyze_SQL_Server_Setup
Note Only one SQL Server instance can be scanned at a time through the MBCA GUI
6 Click Start Scan MBCA will start the configured scan and display the below page while in
progress
7 When the scan is complete results will be displayed grouped by Severity as shown below
Page 20
43 Connect to a remote computer
A scan connected to a remote computer is different than scanning an alternate server
ldquoConnect to a Remote Computerrdquo is functionality provided by Microsoft Baseline Configuration Analyzer
and is used to remotely run MBCA against a server from the console of the client The client needs to
have MBCA installed but does not need BPA as it is literally running the copy of MBCA installed on the
server using the BPA installed on the server In this case the copy of MBCA installed on the client is
used only to remotely connect to the copy of MBCA installed on the server
To use this functionality you first start MBCA on the client computer and select ldquoConnect to Another
Computerrdquo
1 In the ldquoConnect to Another Computerrdquo text box you can specify a NetBIOS name a fully qualified
domain name (FQDN) or an IPv4 or IPv6 address If no port number is specified the default port
number is used The following are examples of formats that you can specify in the Connect to
Another Computer text box
ComputerName
Page 21
ComputerNamePortNumber
IP address nnnn
IPv6 address [nnnnnnnn]
IPv4 address with port number nnnnPortNumber
IPv6 address with port number [nnnnnnnn]PortNumber
Note If an administrator has changed the computerrsquos default port number any port other than the
default port must be opened in Windows Firewall to allow incoming connections on that port Port
5985 is opened by default when WinRM is configured All other ports remain blocked until opened
For more information about how to unblock a port in Windows Firewall see the Help for Windows
Firewall For more information about how to configure WinRM in a Command Prompt session type
winrm help and then press Enter
2 Additionally you must supply credentials
3 CredSSP
Windows Remote Management (WinRM) supports the delegation of user credentials across
multiple remote computers The multi-hop support functionality can now use Credential Security
Service Provider (CredSSP) for authentication CredSSP enables an application to delegate the
userrsquos credentials from the client computer to the target server
CredSSP authentication is intended for environments where Kerberos delegation cannot be used
Support for CredSSP was added to allow a user to connect to a remote server and have the ability
to access a second-hop machine such as a file share
Note WinRM clients and servers will support CredSSP authentication only with explicit credentials
Windows XP Windows Server 2003 and earlier CredSSP is not supported
First you must set CredSSP on both the client and the server
Using the Group Policy Editor (gpeditmsc) make sure to enable ldquoAllow Delegating Fresh
Credentialsrdquo and check ldquoConcatenate OS defaults with input aboverdquo
Add the server or domain to the list of servers in the format ldquoWSMANdomainnamecomrdquo
Next enable and configure PowerShell Remoting on both the Client and Server by running the
following commands in a PowerShell command window opened with elevated permissions Note
Page 22
You can configure a single machine as both a client and a server simultaneously so that you can
scan from either computer
Enable PowerShell Remoting
o Enable-psremoting ndashf
Settings for a client
o Enable-WSManCredSSP ndashrole Client ndashDelegateComputer [NetBiosNameOfServer]
or
o Enable-WSManCredSSP ndashrole Client ndashDelegateComputer [FQDN OF SERVER]
Settings for the server
o Enable-WSManCredSSP ndashrole Server
o set-item WSManlocalhostShellMaxMemoryPerShellMB ndashValue 20000
o set-item WSManlocalhostShellMaxShellsPerUser ndashvalue 20
44 PowerShell
Details see 91 PowerShell
To use the functionality of the Microsoft Baseline Configuration Analyzer you must import this module
first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
441 Run Scan
To run a full scan of the BPA on the alternate server on a named instance you can use the following
command line
Invoke-MBCAModel -ModelId SQL2008R2BPA -Alternate_Server_to_scan
servername -SQL_Server_Instance_Name instancename -
Analyze_SQL_Server_Engine -Analyze_SQL_Server_Replication -
Page 23
Analyze_SQL_Server_Setup -Analyze_SQL_Analysis_Services -
Analyze_SQL_Integration_Services -Analyze_SQL_Reporting_Services
The result looks like this part
ModelId SQL2008R2BPA
SubModelId
Success True
ScanTime
Success = True is important This is the indicator that your scan was successful
Parameter description
-Alternate_Server_to_scan servername
-SQL_Server_Instance_Name instancename
-Analyze_SQL_Server_Engine
-Analyze_SQL_Server_Replication
-Analyze_SQL_Server_Setup
-Analyze_SQL_Analysis_Services
-Analyze_SQL_Integration_Services
-Analyze_SQL_Reporting_Services
The parameter list is equal the parameter screen in the GUI
The scans of the different services are optional You can remove technologies which you do not need
to scan
The next example starts the scan only for the Analysis Services on the alternate server ldquoservernamerdquo
and for the named instance ldquoinstancerdquo A log file will be written to ldquoctempssastxtrdquo
Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId AnalysisServices -
ComputerName servername -SqlServerInstance instance -SSASLogFile
ctempssastxt
Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId Engine -ComputerName
computername -SqlServerInstance servername -CurrentLoginName
($EnvUSERDOMAIN + + $EnvUSERNAME)ToString() -EngineLogFile
ctempenginetxt ndashRepositoryPath (CTEMPSQL2008 + (Get-
Date)ToString(yyyyMMdd))ToString()
442 Create Report
model = get-MbcaModel ndashModelId sql2008r2bpa
$scanResult = get-MbcaResult ndashModelId sql2008r2bpa
$collectedConfig = get-MbcaResult ndashModelId sql2008r2bpa ndash
CollectedConfiguration
$model $scanResult $collectedConfig | export-CliXml ctempasxml
Get-MBCAResult -ModelId SQL2008R2BPA -SubModelId AnalysisServices |
ConvertTo-Html | Add-Content -Path ctesthtml
The next command retrieves the results of the most recent BPA scan for the specified model and
saves them in HTML format applying the standard cascading style sheets that are stored in the path
windirsystem32WindowsPowerShellv10ModulesBestPracticesBestPracticesReportFormatc
Page 24
ss If you want to substitute cascading style sheets provide the path to the different cascading style
sheets
Get-MBCAResult -ModelId SQL2008R2BPA | $_Severity -eq Warning -or
$_Severity -eq Error | ConvertTo-Html -As Table -property ResultNumber
SubModelID ComputerName Severity Category Title Problem Impact
Resolution Help -Head lth1gtSQL Server 2008 (R2) Best Practice Analyzer
Reportlth1gtrdquo -Title SQL Server 2008 Best Practice Analyzer -body
(ltpgtReport creation date + (Get-Date)ToString(ddMMyyyy hhmmss) +
ltpgt)toString() -pre ltPgtGenerated by user $envusername on computer
$envcomputernameltPgt -post For details contact Microsoft Premier-
CssUri $env BestPracticesReportFormatcss gt ctempsql2008r2bpahtm
443 Exporting and opening reports by using Get-MBCAResult
You can use the Get-MBCAResult cmdlet to export scan results and configuration data to an XML
report that you can open for viewing in the future either by using Get-MBCAResult or by using the
MBCA GUI Exporting reports allows you to compare older scans with more recent scans to measure
the progress of your best practice compliance
Example of exporting to XML
$results = Get-MBCAResult ltModel Idgt
$collectedconfig = Get-MBCAResult ltModel Idgt -CollectedConfiguration
$results $collectedconfig | Export-CliXml cexportxml
Example of opening archived XML report file
$loadedResults $loadedConfiguration = Import-CliXml cexportxml
444 Report Result Directory
The reporting result path
AppDataMicrosoftBaselineConfigurationAnalyzer
2ReportsSQL2008R2BPAResults
Will be overwritten during each run of the tool or invoke command
Solution save older results before you start the check
copy-item -path ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2Reports)ToString() -
destination ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2Reports_ + (Get-
Date)ToString(yyyyMMddhhmmss))ToString() ndashrecurse
Afterwards you can create a report with the following command
$prevrepPath = (Get-ChildItem ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2)ToString() -exclude
Reports | Sort-Object name -descending)[0]
Get-MBCAResult -ModelId SQL2008R2BPA ndashRepositoryPath ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2rdquo +
$prevrepPathname)ToString() | ConvertTo-Html -As Table -property
ResultNumberSubModelID ComputerName Severity Category Title Problem
Impact Resolution Help -Head lth1gtSQL Server 2008 (R2) Best Practice
Analyzer Reportlth1gtrdquo -Title SQL Server 2008 Best Practice Analyzer -body
(ltpgtReport creation date + (Get-Date)ToString(ddMMyyyy hhmmss) +
ltpgt)toString() -pre ltPgtGenerated by user $envusername on computer
Page 25
$envcomputernameltPgt -post For details contact Microsoft Premier gt
ctempsql2008r2bpahtm
Page 26
5 TROUBLESHOOTING
51 Application directories
To following directories are used by MBCA
Report output directory localappdataMicrosoftMicrosoftBaselineConfigurationAnalyzer 2ReportsSQL2008R2BPAResults
Model configuration path ProgramdataMicrosoftMicrosoft Baseline Configuration Analyzer 2ModelsSQL2008R2BPA
Temp and log files directory tempSQL2008R2BPASQL2008ltdategt_lttimegt
Registry [HKEY_LOCAL_MACHINESOFTWAREMicrosoftBaselineConfigurationAnalyzer]
Log Files
During Data Discovery SQL Server 2008 R2 BPA creates log files for troubleshooting The log file
contains the following information
Pre-requisite validation
Timestamp finished rules start and end times
Run-time scripting errors and exceptions from Power Shell Traps
Log Files Location
For every scan log files are created in userrsquos Local Temp directory (Temp) and follows the folder
structure SQL2008R2BPAlt Instance Name gtlt datestamp_timestamp gtlt Log files gt
Note In case of a remote scan the category log files are generated on the remote system at the same
path whereas the common log file is generated in the local system
Log Files Structure
A common log file gets generated and contains information about each categorys execution Apart
from this each category has its own log file which details the rule execution The names of the log files
are given below
Common File - ModelLogtxt
Engine Rules - EngineLogtxt
Replication Rules - ReplicationLogtxt
Setup Rules - SetupLogtxt
Analysis Services Rules - AnalysisServicesLogtxt
Reporting Services Rules - ReportingServicesLogtxt
Integration Services Rules - IntegrationServicesLogtxt
52 Windows Server 2003 ndash NumberOfLogicalProcessors
Analysis Services RID2803 and RID2804 ndash NumberOfLogicalProcessors property is unavailable in
Win32_Processor for with Windows Server 2003
Solution The NumberOfLogicalProcessors property does not exist in the WIN32_PROCESSOR object
in Windows Server 2003 It has been implemented in the hotfix
httpsupportmicrosoftcomkb932370
Both of the rules below will function properly if you apply this hotfix For more information look here
Page 27
53 MBCA
This message indicates that on prerequisite is not installed
Please install the version 2 of the MBCA
54 Where can I find the Instance name in result set of the analyzer
report
The instance name is in the collected data option of the analyzer report in the BPA GUI
55 Memory limit of remote PowerShell process
By default remote PowerShell process can consume only 150 MB or less memory This default limit is
significantly small and once this limit is reached there could be a WinRM exception causing and remote
connection immediately terminates Any application or Cmdlet which is involved in PowerShell
remoting should be tested for this memory limit this may cause some of the command to fail for
example site collection creation
Solution Increase the memory limit for the remote shell Use the following command to increase this
limitation to 1000MB This is only necessary if you need to run those commands on that server
Set-Item WSManlocalhostShellMaxMemoryPerShellMB 1000
56 Remote connect
If you try to ldquoConnect to another computerrdquo from MBCA and you receive the following message
Page 28
You should check first if the Hotfix KB968930 is installed
Afterwards validate that the ldquoWindows Remote Managementrdquo service is started
Enable-PSRemoting
If CredSSP is unsupported or unavailable you will see the following message
Page 29
If you have no permission to access the remote server you get the error message
Page 30
57 Installation
571 PowerShell error
After getting through the Pre-Reqs for BPA (PowerShell 20 MBCA NET Framework) you may hit
one of two scenarios when installing BPA
In all of the cases of an install failure you will see the following error
There is a problem with this Windows Installer package A program run as part of the setup did not
finish as expected Contact your support personnel or package vendor
In your Application Event Log for both of these scenarios you will also see the following entry
Log Name Application
Source MsiInstaller
Date 6102010 83818 AM
Event ID 11722
Task Category None
Level Error
Keywords Classic
User ltUsernamegt
Computer ltMachine namegt
Description
Product Microsoft SQL Server 2008 R2 BPA -- Error 1722 There is a problem
with this Windows Installer package A program run as part of the setup did
not finish as expected Contact your support personnel or package
vendor Action EnablePSRemoting location powershellexe command -NoLogo
-NoProfile -Command Enable-PSRemoting ndashforce
Page 31
This is an indicator that PowerShell is not configured You must run the following command
powershellexe -NoLogo -NoProfile -Command Enable-PSRemoting ndashforce
572 Workgroup or Non-Domain computer
In this scenario the Enable-PSRemoting command should execute fine from a PowerShell prompt
The actual error coming back from the PowerShell command within the Installer is ldquoAccess Deniedrdquo
To work around this issue you can do the following
1 Open a command prompt with Administrative Privileges
2 Change to the directory where the msi file resides
3 Type msiexec i ltMSI Namegt SKIPCA=1
4 MSI Name will either be SQL2008R2BPA_Setup32msi or SQL2008R2BPA_Setup64msi
depending on your platform
5 Once BPA is installed open a PowerShell prompt with Administrative Privileges
6 Execute the following commands
a Enable-PSRemoting
b winrm set winrmconfigwinrs ``MaxShellsPerUser=`10``
This should allow BPA to be successfully installed in the workgroup scenario
573 Kerberos Failure
This scenario is that you are failing with the above due to a Kerberos issue This particular issue could
actually show up after you have installed BPA depending on how you have configured your
environment
The issue stems from the fact that the Windows Remoting Windows Service uses the Network Service
account Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos As a
result it will be using the HOST Service Principal Name (SPN) that is on the Machine Account as it is
running under that context You may have an HTTP SPN that resides on a different account with that
host name For example if you are running an IIS Web Application such as SharePoint or if you are
using Reporting Services and the service account is set to a Domain User account instead of Network
Service or Local System If your URL of your application matches the machine name then your HTTP
SPN will be the same Thatrsquos where this problem comes in WinRM will stop working at that point and
give you a message similar to the following
Set-WSManQuickConfig WinRM cannot process the request The following error
occured while using Negotiate authentication An unknown security error
occurred
Possible causes are
-The user name or password specified are invalid
-Kerberos is used when no authentication method and no user name are
specified
-Kerberos accepts domain user names but not local user names
-The Service Principal Name (SPN) for the remote computer name and port
does not exist
-The client and remote computers are in different domains and there is no
trust between the two domains
After checking for the above issues try the following
-Check the Event Viewer for events related to authentication
-Change the authentication method add the destination computer to the
WinRM TrustedHosts configuration setting or use HTTPS transport
Note that computers in the TrustedHosts list might not be authenticated
-For more information about WinRM configuration run the following
Page 32
command winrm help config
At line50 char33
+ Set-WSManQuickConfig ltltltlt -force
+ CategoryInfo InvalidOperation () [Set-WSManQuickConfig]
InvalidOperationException
+ FullyQualifiedErrorId
WsManErrorMicrosoftWSManManagementSetWSManQuickConfigCommand
You can get this type of error from WinRM for muliple reasons The one that
we saw in our testing was the HTTP SPN scenario
If you do have an HTTP SPN defined on a Domain Account that is using the name of your machine
you have some options First you can follow the steps mentioned above to get BPA installed The
Enable-PSRemoting command will give you the above error You can temporarily remove the HTTP
SPN to get remoting enabled and then re-add the HTTP SPN
Once BPA is setup you will still not be able to run BPA if you put the HTTP SPN back in place You will
see the following when you attempt to perform a scan
This will occur regardless of which component you try to scan It could be the Engine Setup RS etchellip
One option to perform the scan successfully is to temporarily remove the HTTP SPN again run the
scan and then put the HTTP SPN back in place Another option but one that will probably require
further testing from your applicationrsquos end would be to run the application under a Host Header and
then your HTTP SPN would not include the machine name allowing BPA to run without issue
Page 33
6 RULES
Searching for ldquoSQL Server 20087 R2 BPArdquo at Microsoftcom reveals
Here is an example of one of these articles that talks about a rule to check for a recent ldquocleanrdquo
CHECKDB
Page 34
BPA works by measuring a rolersquos compliance with best practice rules in eight different categories of a
rolersquos effectiveness trustworthiness and reliability Results of measurements can be any of the three
severity levels described in the following table
Severity level Description
Noncompliant Noncompliant results are returned when a role does not satisfy the conditions of a rule
Compliant Compliant results are returned when a role satisfies the conditions of a rule
Warning Warning results are returned when a role is compliant as operating currently but may not satisfy the conditions of a
rule if changes are not made to its configuration or policy settings For example a scan of Remote Desktop Services
might show a warning result if a license server is unavailable to the role because even if no remote connections are
active at the time of the scan not having the license server prevents new remote connections from obtaining valid
client access licenses
Page 35
BPA rule categories
The following table describes the categories of best practice rules against which roles are measured
during a BPA scan
Category Name Description
Security Security rules are applied to measure a rolersquos relative risk for exposure to threats such as unauthorized or malicious
users or loss or theft of confidential or proprietary data
Performance Performance rules are applied to measure a rolersquos ability to process requests and perform its prescribed duties in
the enterprise within expected periods of time given the rolersquos workload
Configuration Configuration rules are applied to identify role settings that might require modification for the role to perform
optimally Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role
from performing its prescribed duties in an enterprise
Policy Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the
role to operate optimally and securely
Operation Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise
Predeployment Predeployment rules are applied before an installed role is deployed in the enterprise to let administrators to
evaluate whether best practices were satisfied before you use the role in production
Postdeployment Postdeployment rules are applied after all required services have started for a role and the role is running in the
enterprise
BPA Prerequisites BPA Prerequisite rules explain configuration settings policy settings and features that are required for the role
before BPA can apply specific rules from other categories A prerequisite in scan results indicates that an incorrect
setting a missing role role service or feature an incorrectly enabled or disabled policy a registry key setting or
other configuration has prevented BPA from applying one or more rules during a scan A prerequisite result does
not imply compliance or noncompliance It means that a rule could not be applied and therefore is not part of the
scan results
61 Engine Rules
Please find below a summary of the 74 Engine Rules with the links to the rule descriptions These rules
are checking that you have a secure resilient and well performing SQL configuration
Authentication Mode (httpsupportmicrosoftcomkb2028697)
Lightweight Pooling is enabled (httpsupportmicrosoftcomkb2160691)
Locks Configuration Not Dynamic (httpsupportmicrosoftcomkb2199576)
non-default network packet size in use (httpsupportmicrosoftcomkb2157175)
degree of parallelism not set to recommended value (httpsupportmicrosoftcomkb2023536)
Use Database Mail instead of SQL Mail (httpsupportmicrosoftcomkb2028584)
SQL Server Agent Proxy Account (httpsupportmicrosoftcomkb2160741)
SQL Login Password Policy Strength and password expiry
(httpsupportmicrosoftcomkb2028712)
Trustworthy Bit (httpsupportmicrosoftcomkb2183687)
Symmetric Keys Check (httpsupportmicrosoftcomkb2162020)
Asymmetric Keys Check (httpsupportmicrosoftcomkb2162020)
SQL Server installed on PDC BDC (httpsupportmicrosoftcomkb2032911)
Page 36
SQL Server Admin role membership check (httpsupportmicrosoftcomkb2184138)
Windows API calls intercepted (httpsupportmicrosoftcomkb2033238)
unsupported DotNET framework assemblies present (httpsupportmicrosoftcomkb2033344)
Disk partition starting offset may be incorrect (httpsupportmicrosoftcomkb2023571)
non-default max worker threads value configured (httpsupportmicrosoftcomkb2157129)
Guest Permissions (httpsupportmicrosoftcomkb2186935)
Data and Log files on the same volume (httpsupportmicrosoftcomkb2033523)
IO timeouts and IO controller errors detected (httpsupportmicrosoftcomkb2091098)
IO device errors detected (httpsupportmicrosoftcomkb2091098)
IO errors during page faults detected (httpsupportmicrosoftcomkb2091098)
cluster disk corruption encountered (httpsupportmicrosoftcomkb2091098)
disk defragmentation encountered corruption (httpsupportmicrosoftcomkb2091098)
failed IO requests detected (httpsupportmicrosoftcomkb2091098)
IO requests are successful when retried (httpsupportmicrosoftcomkb2015757)
IO Delay Problems reported by SQL Server (httpsupportmicrosoftcomkb2137408)
This system experienced unexpected shutdowns (httpsupportmicrosoftcomkb2091098)
tempdb corruption errors fix missing (httpsupportmicrosoftcomkb960770)
Critical SQL database inconsistency errors found (httpsupportmicrosoftcomkb2152734)
Logical consistency errors detected (httpsupportmicrosoftcomkb2152472)
Database have auto shrink option enabled (httpsupportmicrosoftcomkb2160663)
SQL Server Error logs are very big (httpsupportmicrosoftcomkb2199578)
incorrect affinity mask settings detected httpsupportmicrosoftcomkb2157114
Very low blocked process threshold setting detected httpsupportmicrosoftcomkb2157154
Potential security issue with legacy DTS stored procedures
httpsupportmicrosoftcomkb2202875
Winsock LSP loaded into SQL httpsupportmicrosoftcomkb2033448
Databases using simple recovery model httpsupportmicrosoftcomkb2137539
User database collation different from model httpsupportmicrosoftcomkb2026108
Database files and backups exist on the same volume httpsupportmicrosoftcomkb2027537
Databases have auto close option enabled httpsupportmicrosoftcomkb2160685
LSI SAS drivers needs update httpsupportmicrosoftcomkb2121098
SQL tempdb database not configured optimally httpsupportmicrosoftcomkb2154845
SQL Database file has sparse attribute set httpsupportmicrosoftcomkb2028447
Invalid startup parameters httpsupportmicrosoftcomkb2028433
MSDTC settings not configured optimally httpsupportmicrosoftcomkb2027550
sql incorrect results fix missing httpsupportmicrosoftcomkb971780
File System needs tuning for better FileStream performance
httpsupportmicrosoftcomkb2160002
linked server memory leak fix missing httpsupportmicrosoftcomkb971622EN-US
Windows service pack is not at recommended level httpsupportmicrosoftcomkb2121098
default extended event health session not in expected state
httpsupportmicrosoftcomkb2160570
TcpSysAndChimneyCheck httpsupportmicrosoftcomKB918483
FDHOST Launcher service is not configured properly httpsupportmicrosoftcomkb2160720
Unrecommended SQL Server Agent service account httpsupportmicrosoftcomkb2160720
A required Windows fix to avoid sparse file related problems is missing
httpsupportmicrosoftcomkb2002606
Page 37
Significant Portion of SQL Server Memory Has Been Paged Out
httpsupportmicrosoftcomkb2028324
Server Exception or Hang Detected on Server httpsupportmicrosoftcomkb2028589
Databases exist without CHECKSUM protection httpsupportmicrosoftcomkb2078345
backups outdated for databases httpsupportmicrosoftcomkb2027537
Database consistency check not current httpsupportmicrosoftcomkb2033590
SQL Server Memory settings are incorrect httpsupportmicrosoftcomKB918483EN-US
Autogrow Failed or took a long time httpsupportmicrosoftcomkb2091024
Storport driver fix from KBA 940467 missing httpsupportmicrosoftcomkb2121098
Storport driver fix from KBA 950903 missing httpsupportmicrosoftcomkb2121098
SQLCLR needs additional memory configuration httpsupportmicrosoftcomkb969962EN-US
Operating System files and drivers needs update for working set trimming
httpsupportmicrosoftcomkb2121098
Agent Token Replacement httpsupportmicrosoftcomkb2202637
Auditing Log in failures httpsupportmicrosoftcomkb2187161
Databases with high number of VLF present httpsupportmicrosoftcomkb2028436
Transparent Data Encryption Certificate httpsupportmicrosoftcomkb2201900
Permission on the Binn folder httpsupportmicrosoftcomkb2029023
Index Statistics Are Outdated
Server public permissions httpsupportmicrosoftcomkb2160698
Detected use of older versions of SQLNCLI httpsupportmicrosoftcomkb979779
62 AS Rules
Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions
Flight Recorder Enabled for SQL Server Analysis Services
httpsupportmicrosoftcomkb2128005
Excessive amount of memory preallocated to Analysis Services
httpsupportmicrosoftcomkb2027474
Server not configured for optimal concurrent query throughput
httpsupportmicrosoftcomkb2135031
Non standard value detected for Analysis Services memory configuration
httpsupportmicrosoftcomkb2027472
Process Thread Pool Max limit above recommended limit
httpsupportmicrosoftcomkb2134497
Process Thread Pool Minimum is below the recommended limit
httpsupportmicrosoftcomkb2134855
Server is running a build with a known regression httpsupportmicrosoftcomkb2157941
Slice not set on a ROLAP partition or a partition where proactive caching is enabled and
ROLAP storage ay occur httpsupportmicrosoftcomkb2027754
Server is ignoring duplicate key errors httpsupportmicrosoftcomkb2027761
No default member defined for non-aggregatable attribute
httpsupportmicrosoftcomkb2027769
UnknownMember set to hidden httpsupportmicrosoftcomkb2027628
Non-numeric key column for high cardinality attribute httpsupportmicrosoftcomkb2028138
Attribute hiearchy enabled for high cardinality non-key attribute
httpsupportmicrosoftcomkb2028143
ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition
detected httpsupportmicrosoftcomkb2132742
Page 38
Account or Time attribute types defined in a non-matching dimension type
httpsupportmicrosoftcomkb2157299
An Account or Time dimension has no matching attribute defined
httpsupportmicrosoftcomkb2027418
Dimension has no attribute defined with the same type
httpsupportmicrosoftcomkb2027443
Attribute Dimension type mismatch httpsupportmicrosoftcomkb2157327
Mismatched dimension attribute types detected in dimension
httpsupportmicrosoftcomkb2027459
Possible incorrect order of levels defined in hierarchy httpsupportmicrosoftcomkb2027460
Define attribute relationships as Rigid where possible httpsupportmicrosoftcomkb2027468
Redundant attribute relationships detected httpsupportmicrosoftcomkb2127437
Diamond-shape relationship detected httpsupportmicrosoftcomkb2127570
Non-Standard Attribute Relationship name detected httpsupportmicrosoftcomkb2127862
Proactive Caching set for dimension without a processing query
httpsupportmicrosoftcomkb2027541
No Time dimension detected httpsupportmicrosoftcomkb2027532
More than 3 parent-child dimensions with custom rollups defined
httpsupportmicrosoftcomkb2134431
Encountered a parent-child dimension with more than 500000 members
httpsupportmicrosoftcomkb2131918
Single attribute dimensions detected httpsupportmicrosoftcomkb2141654
Measure groups with zero dimensional overlap detected in cube
httpsupportmicrosoftcomkb2027609
Proactive Caching set for a partition without a processing query
Default measure for perspective not in the perspective
httpsupportmicrosoftcomkb2027603
Use MOLAP storage for dimensions that participate in semi-additive measure groups
httpsupportmicrosoftcomkb2135112
Measure group defined with no partition httpsupportmicrosoftcomkb2027545
63 RS Rules
RSWindowsNegotiate is missing from your configuration
httpsupportmicrosoftcomkb2145506
HTTP Logging is not enabled httpsupportmicrosoftcomkb2145909
Verbose logging is enabled httpsupportmicrosoftcomkb2146315
NTLM authentication may fail for local httpsupportmicrosoftcomkb2146369
Missing extended protection settings httpsupportmicrosoftcomkb2146062
64 IS Rules
Logging task missing for package httpsupportmicrosoftcomkb2027723
ActiveX Script task detected in package httpsupportmicrosoftcomkb2027712
Unrecommended Integration Services service account detected
httpsupportmicrosoftcomkb2027684
Integration Services logging table found in system database master and or msdb
httpsupportmicrosoftcomkb2027706
Integration Services memory dump detected httpsupportmicrosoftcomkb2027727
Page 39
65 Setup Rules
Unsupported Operating System Version Detected httpsupportmicrosoftcomkb2022909
WOW64 not supported for SQL Failover Clustering httpsupportmicrosoftcomkb2157198
Installer cache is missing for the SQL Installation httpsupportmicrosoftcomkb2015100
SQL Server WMI Provider Health Check
66 Replication Rules
Replication Timeout Alerts Type httpsupportmicrosoftcomkb2118349
Replication Pub and Sub out of sync (Data Validation) httpsupportmicrosoftcomkb2118386
Replication Pub and Sub out of sync (Constraint Violations)
httpsupportmicrosoftcomkb2118410
Replication Pub and Sub out of sync (Skipped Transactions)
httpsupportmicrosoftcomkb2194498
Merge Replication Health Check httpsupportmicrosoftcomkb2118445
Subscriptions Approaching Expiration httpgomicrosoftcomfwlinkLinkId=184483
Replication Cleanup and Retention Health Check httpsupportmicrosoftcomkb2118485
Replication Latency Threshold violations httpsupportmicrosoftcomkb2118425
Page 40
7 HOW TO DEAL WITH DEVIATIONS
Deviations from these Best Practices may indicate potential issues and configuration changes may be
necessary Make sure you have tested any intended changes in a test environment before deploying
them to a production environment You could also find deviations from Best Practices that are
acceptable or even necessary for your environment For example
SAP has its special Network Packet Size of 8 KB
Existing Non-Microsoft Clients ndash would require Mixed Mode Authentication
Page 41
8 MOTIVATION TO USE SQL BPA R2
Bob Ward explained in his Article ldquoWhy use SQL Server 2008 R2 BPA Case 1 Missing Updatesrdquo
the common pitfalls during maintenance and operation of SQL Server and how address them by using
the SQL BPA
In brief itrsquos a customer scenario where the customer is facing an issue after a major update to
SQL2008 After some troubleshooting and an update to a certain CU (that is meant to fix the issue) the
problem still occurs Bobs article states the common resulting consequences ndash the involvement of
Microsoft Support and the final solution ndash adding a needed traceflag
The good news in this story is that the customer would not have needed to go to all that effort if they
would have run the SQL BPA It would have told them about the update and instructed them to put the
traceflag in place BPA is a mechanism that proactively advises you and instructs you on dealing with
common known issues
Page 42
9 ADDITIONAL INFORMATION
91 PowerShell
To use the functionality of the Baseline Configuration Analyzer with PowerShell you must import this
module first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
The following commands are stored in this module
Get-MbcaModel
Get-MbcaResult
Invoke-MbcaModel
Set-MbcaResult
You get help of this command with the following syntax
Get-help ltcommandgt -full
911 Get-MBCAModel
SYNOPSIS
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer
SYNTAX
Get-MBCAModel [[-ModelId] ltstring[]gt] [[-SubModelId] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer If no parameter is
specified Get-MBCAModel returns all models that are installed on the computer If a model is specified
by using the -ModelId parameter information about the specified model is returned
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
The results of the Get-MBCAModel cmdlet include the following details about models
1 Branding information (manufacturer or company display names version number) that is found in
the model manifest
2 Dynamic parameters that are included with the model
3 Submodels that are included with the model
PARAMETERS
-ModelId ltstring[]gt
The -ModelId parameter specifies the ID of the MBCA model about which you want to view
details You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet with no parameters and targeted at a computer on which MBCA models are installed
Page 43
This parameter supports wild card characters
Required false
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you
want to view details You can obtain valid values for the -SubModelId parameter by running the
Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models
are installed Not all models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
Examples
Get-MBCAModel
In the preceding example Get-MBCAModel with no parameters added returns details about all MBCA
models that are installed on the computer
Get-MBCAModel -ModelId SQL2008R2BPA
The preceding example can be used to return details about the MBCA model that is specified in the -
ModelId parameter represented by Model Id
$model= Get-MBCAModel -ModelId SQL2008R2BPA
$modelParameters
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the Parameters property of the model details that were stored in the
$model object returns details about which parameters are supported by the model
Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId ltSubModel Idgt
The preceding example can be used to return details about the MBCA sub-model that is specified by
the -SubModelId parameter represented by SubModel Id Note that the -ModelId parameter is
required by the -SubModelId parameter
$model= Get-MBCAModel -ModelId SQL2008R2BPA
Page 44
$modelSubModels
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the SubModels property of the model details that were stored in the
$model object returns a list of the submodels of the model specified in the first line
912 Invoke-MBCAModel
SYNOPSIS
The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA)
scan for a specific model that is installed on your computer
SYNTAX
Invoke-MBCAModel [-ModelId] ltstringgt -SubModelId ltstringgt [-Authentication
ltAuthenticationMechanismgt] [-CertificateThumbprint ltstringgt] [-ComputerName
ltstring[]gt] [-ConfigurationName ltstringgt] [-Context ltstringgt] [-Credential
ltstringgt] [-Mode ltModeEnumgt] [-Port ltintgt] [-RepositoryPath ltstringgt] [-
ThrottleLimit ltintgt] [-UseSSL] [ltCommonParametersgt]
DESCRIPTION
The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer
(MBCA) scan for a specific model that is installed on your computer The model is specified either by
using the parameter -ModelId or by piping the results of the Get-MBCAModel cmdlet into an Invoke-
MBCAMode cmdlet
After the MBCA scan has been performed the results of the scan are available to be retrieved by Get-
MBCAResult cmdlet
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Authentication ltAuthenticationMechanismgt
Specifies the authentication mechanism that is used to authenticate the users credentials Valid
values include Default Basic CredSSP Digest Kerberos Negotiate and
NegotiateWithImplicitCredential The default value is Default
For more information about the -Authentication parameter type the following and then press
Enter
Get-Help Invoke-Command -Parameter Authentication
Required false
Position named
Default value Default
Accept pipeline input false
Accept wildcard characters false
-CertificateThumbprint ltstringgt
Page 45
Specifies the digital public key certificate (X509) of a user account that has rights to perform the
cmdlet action The valid value is the certificate thumbprint of the certificate
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Certificate Thumbprint
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific
computer by adding this parameter Valid values include NETBOS names IP addresses or fully-
qualified domain names of one or more computers in a comma-separated list To specify the local
computer type the computer name or localhost
All formats that are accepted by the -ComputerName parameter in Invoke-Command are
accepted
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ConfigurationName ltstringgt
Specifies the session configuration that is used for a new PSSession
Enter a configuration name or the fully-qualified resource URI for a session configuration
Session configuration data is found on the remote computer on which you want to run a cmdlet
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ConfigurationName
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
The -Context parameter lets you run scans on a submodel in the context of a specific model (one
that is different from the parent model of the submodel) For example an administrator might
want to run a scan on the Backend submodel of the SQL model but only those in the context
of a third model a technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
Page 46
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Credential ltstringgt
Specifies a user account that has permission to run this cmdlet The default value is the current
user
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Credential
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Mode ltModeEnumgt
The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered
documents or discovery The default is to perform both discovery and analysis or All
If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet both discovery and
analysis are performed during a scan
Valid values are Discovery Analysis and All
Required false
Position named
Default value All
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model that you want to scan You can
obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at
a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
Page 47
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-Port ltintgt
Specifies the network port on a remote computer on which you want to run a scan The default
value is port 80
For more information on this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Port
Required false
Position named
Default value 80
Accept pipeline input false
Accept wildcard characters false
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a pathname If the parameter is not used the cmdlet writes
results to the default result repository
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to
scan You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed Not all models have
submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ThrottleLimit ltintgt
Specifies the maximum number of concurrent connections that can be established to run the
cmdlet If you omit this parameter or enter a value of 0 the default value of 32 is used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ThrottleLimit
Required false
Page 48
Position named
Default value 32
Accept pipeline input false
Accept wildcard characters false
-UseSSL [ltSwitchParametergt]
Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer
By default SSL is not used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter UseSSL
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceInvokeBpaModelOutputgt
The output object encapsulates the results of the cmdlet that you entered It contains information such
as the MBCA model ID the success or failure of the cmdlet and other details
NOTES
If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C)
before the temporary results file is copied to its final location the temporary file is discarded and any
previous scan results file for the role are preserved The message Processing of Invoke-MBCAModel
cancelled by user is displayed if the command is cancelled before existing scan results files are
overwritten
If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel
cmdlet and the command is cancelled scans that were completed before the cancel command was
entered cannot be cancelled A scan in progress behaves as described above in the single-model scan
cancellation scenario Subsequent scans in the pipeline are cancelled
If a concurrent scan of the same model is attempted the cmdlet returns the following error message
Another scan for this MBCA model is in progress Only one scan is allowed at a time
-------------------------- EXAMPLE 1 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA
Description
The preceding example starts a MBCA scan on the model that is represented by ltModel Idgt
-------------------------- EXAMPLE 2 --------------------------
Page 49
Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name
redmondmicrosoftcom
Description
The preceding example starts an MBCA scan on the model ID that is specified by Model Id
The administrator starts the MBCA scan with additional model-specific parameters that are exposed by
the model (For an example of how to obtain model-specific parameters see the examples for the Get-
MBCAModel cmdlet)
For example to scan a model that requires model-specific parameters (such as -Scope and -Name) to
be passed to the command the administrator can specify the values of these model-specific
parameters with the Invoke-MBCAModel cmdlet
-------------------------- EXAMPLE 3 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The
cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion
of the scan
-------------------------- EXAMPLE 4 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath
ltRepository Pathgt
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The -
Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on
existing documents that are specified in the non-default repository path provided with the -Repository
Path parameter
-------------------------- EXAMPLE 5 --------------------------
Invoke-MBCAModel -Id ltModel Idgt -SubModelId ltSubModel Idgt -ComputerName
ltServergt -Context ltContext Model Idgt -RepositoryPath ltRespository Pathgt -
AsJob -Authentication ltAuthenticatonMechanismgt -Port ltPort Numbergt -UseSSL -
ThrottleLimit ltThrottle Limitgt
Description
The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id
and on the computer that is represented by Server
Because the administrator only wants to see results from the submodel that apply in the context of a
third model the administrator runs the scan within the context of the model ID that is specified in the -
Context parameter The cmdlet results are saved to the non-default repository path that is specified in
the -RepositoryPath parameter
Because the -AsJob parameter is added the scan runs in the background The -AsJob -
Authentication -Port -UseSSL and -ThrottleLimit parameters are passed through for use by the
Invoke-Command cmdlet to perform discovery on a remote computer For more information about
these parameters see the Help for the Invoke-Command cmdlet available in Windows PowerShell V2
913 Get-MBCAResult
SYNOPSIS
Page 50
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
SYNTAX
Get-MBCAResult [-ModelId] ltstringgt [[-CollectedConfiguration]] -SubModelId
ltstringgt [-ComputerName ltstring[]gt] [-Context ltstringgt] [-Filter
ltFilterEnumgt] [-RepositoryPath ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
To use the command add the -ModelId parameter and then specify the model ID for which you want
to view the most recent MBCA scan results or collected configuration data If you want to retrieve the
configuration data collected add the -CollectedConfiguration switch parameter
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-CollectedConfiguration [ltSwitchParametergt]
The -CollectedConfiguration parameter allows you to obtain the configuration data that was
collected for the most recent MBCA scan If this switch parameter is added to Get-MBCAResults
the cmdlet returns only the configuration data that was collected for a scan
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The -ComputerName parameter lets you obtain scan results that were collected for the most
recent MBCA scan of a submodel on a specific computer To specify the local computer type the
computer name or localhost Multiple values for -ComputerName can be separated by
commas
The -SubModelId parameter is required by the -ComputerName parameter
Valid values for the -ComputerName parameter include localhost a NET BIOS name an IP
address or a fully-qualified domain name (FQDN) of one or more computers in a comma-
separated list
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
Page 51
The -Context parameter lets you obtain scan results that were collected for the most recent
MBCA scan of a submodel in the context of a specific model (one that is different from the parent
model of the submodel) For example an administrator might want to display scan results for the
Backend submodel of the SQL model but only those in the context of a third model a
technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Filter ltFilterEnumgt
The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant
Noncompliant or All results Valid values are Noncompliant Compliant or All The default value
is All
The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan
results You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet obtains
results from the default result repository
Required false
Position named
Page 52
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you
want to view scan results You can obtain valid values for the -SubModelId parameter by running
the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed Not all
models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceResultgt OR
SystemXmlXmlDocument (if -CollectedData specified)
If you do not use the -CollectedConfiguration parameter verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Results
2 Attempting to get MBCA results for Model Id = 0
3 Completed getting MBCA results for Model Id = 0 Number of Results = 1
If you add the -CollectedConfiguration parameter to display configuration data that was used for a
scan verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Configuration Data
2 Attempting to get MBCA collected configuration data for Model Id = 0
3 Completed getting MBCA collected configuration data for Model Id = 0
NOTES
The Get-MBCAResult cmdlet must be run by a member of the Administrators group and it does not
start a new scan
Cancellation behaviour
Single Model - To cancel this cmdlet you must press Ctrl+C before the ResultCollection is displayed
on the console The operation is cancelled and results are not displayed on the console
Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models
the cmdlet generates only those results that were displayed on the console before the cancellation
Any subsequent results in the pipeline are cancelled and not displayed
Page 53
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -Id SQL2008R2BPA
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id
-------------------------- EXAMPLE 2 --------------------------
Get-MBCAModel | Get-MBCAResult
In the preceding example Get-MBCAModel is used to return a list of all MBCA models that are
installed on the computer The results of the Get-MBCAModel cmdlet are piped to the Get-
MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both
supported by MBCA and installed on the computer at which the cmdlet is targeted
-------------------------- EXAMPLE 3 --------------------------
$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$resultDiscoveryDocument
Description
In the preceding example configuration data (in XML form) that was collected during the most recent
Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is
retrieved and stored as a property in the variable $result $resultDiscoveryDocument is of type
SystemXmlXmlDocument
-------------------------- EXAMPLE 4 --------------------------
Get-MBCAResult SQL2008R2BPA -Filter Noncompliant
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id and then applies a filter to show only Noncompliant
results
------------------------- EXAMPLE 5 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId Note that the parent model ID must be specified
to use the -SubModelId parameter
------------------------- EXAMPLE 6 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt -ComputerName ltServergt
-Context ltContext Model Idgt -RepositoryPath ltRepository Pathgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId The parent model ID is provided as required by
the -SubModelID parameter
The -Context parameter indicates that the administrator wants to see only those scan results that are in
the context of the model that is represented by Context Model Id for example only those results from
a SQL Server scan that specifically apply to another technology such as Web Server (IIS)
Page 54
The scan results are further narrowed to only those from a computer that is specified in the -
ComputerName parameter as Server and only those results found in the non-default results
repository that is represented by Repository Path
914 Set-MBCAResult
SYNOPSIS
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
SYNTAX
Set-MBCAResult [[-Exclude] ltBooleangt] [-Results] ltResultgtgt [[-
RepostitoryPath] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
The action specified in the cmdlet (Exclude for example) determines how the existing results of an
MBCA scan are updated Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet
to return a collection of scan results
You can apply filters to results that are returned by the Get-MBCAResult cmdlet and then pipe the
filtered collection of results to the Set-MBCAResult cmdlet specifying either to include or exclude
filtered scan results
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Exclude ltBooleangt
Excludes scan results from the results collection that were previously obtained by the Get-
MBCAResult command To exclude results by using the -Exclude parameter add the value $true
following the parameter as shown
-Exclude $true
To include results that have been excluded use the $false value for the -Exclude parameter
Required false
Position 2
Default value
Accept pipeline input false
Accept wildcard characters false
-RepostitoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet
modifies results from the default result repository
Required false
Page 55
Position 4
Default value
Accept pipeline input false
Accept wildcard characters false
-Results ltResultgtgt
Specifies the result collection to be updated by the Set-MBCAResult cmdlet The -Results
parameter is typically used to specify a filtered subset of scan results that has already been
stored in a variable the variable name is provided as the valid value for the -Results parameter
For example if you have created a variable $allPerformance to store all the Performance
category results for an MBCA scan of all models on a computer and you want to exclude those
Performance results from the complete collection of scan results you add the parameter -Results
$all Performance to a Set-MBCAResult cmdlet
For a more detailed example see the Examples section of the Help for this cmdlet
Required true
Position 3
Default value
Accept pipeline input true (ByValue)
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type ldquoget-
help about_commonparameters
NOTES
If the Set-MBCAResult command is cancelled before the results are written to a file the operation is
cancelled and the results file is not modified If cancellation occurs after the results file has been
modified the commands actions are carried out and the command cannot be cancelled
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -ModelId SQL2008R2BPA | Where $_Category -eq
Performance | Set-MBCAResult -Exclude $true
Description
The first section of the preceding example to the left of the first pipe character (|) uses the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is
represented by Model Id
The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those
scan results for which the category name is equal to Performance
The final section of the example following the second pipe character excludes the Performance
results that were filtered by the previous section of the example
-------------------------- EXAMPLE 2 --------------------------
$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath
CReposPath | Where $_Category -eq Policy
Page 56
Set-MBCAResult -Exclude $true -RepositoryPath CReposPath -Results
$rcPolicy
Description
The first line of the preceding example to the left of the pipe character (|) instructs the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is
represented by Specified Model Id from the specified non-default repository path
The second section of the example after the pipe character filters the results of the Get-MBCAResult
cmdlet to return only those scan results for which the category name is equal to (note the -eq option)
Policy The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet this
variable can be used in subsequent commands to represent those results
The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that
are stored in the $rcPolicy variable In this example the -Results parameter is added because the
administrator wants to exclude a specific subset of scan results for that model and has created the
variable $rcPolicy to represent that subset of results The repository root is specified in the second line
because the administrator wants to modify the results in the same non-default repository from which
the data in $rcPolicy was retrieved
915 MBCA Model Authoring
Further information about configuration and usage of MBCA models you can in the
MBCA_ModelAuthoringGuidedocx
Page 57
Did this paper help you Please give us your feedback Tell us on a scale of 1 (poor) to 5 (excellent)
how would you rate this paper and why have you given it this rating For example
Are you rating it high due to having good examples excellent screen shots clear writing or
another reason
Are you rating it low due to poor examples fuzzy screen shots or unclear writing
This feedback will help us improve the quality of white papers we release
Send feedback
Page 3
52 Windows Server 2003 ndash NumberOfLogicalProcessors 26
53 MBCA 27
54 Where can I find the Instance name in result set of the analyzer report 27
55 Memory limit of remote PowerShell process 27
56 Remote connect 27
57 Installation 30
571 Powershell error 30
572 Workgroup or Non-Domain computer 31
573 Kerberos Failure 31
6 Rules 33
61 Engine 35
62 ASRules 37
63 RSRules 38
64 ISRules 38
65 SetupRules 39
66 Replication 39
7 How to Deal With Deviations 40
8 Motivation to use SQL BPA R2 41
9 Additional Information 42
91 Powershell 42
911 Get-MBCAModel 42
912 Invoke-MBCAModel 44
913 Get-MBCAResult 49
914 Set-MBCAResult 54
915 MBCA Model Authoring 56
Page 4
Copyright Information
The information contained in this document represents the current view of Microsoft Corporation on the
issues discussed as of the date of publication Because Microsoft must respond to changing market
conditions it should not be interpreted to be a commitment on the part of Microsoft and Microsoft
cannot guarantee the accuracy of any information presented after the date of publication
This white paper is for informational purposes only MICROSOFT MAKES NO WARRANTIES
EXPRESS IMPLIED OR STATUTORY AS TO THE INFORMATION IN THIS DOCUMENT
Information in this document including URL and other Internet Web site references is subject to
change without notice Unless otherwise noted the companies organizations products domain
names e-mail addresses logos people places and events depicted in examples herein are fictitious
No association with any real company organization product domain name e-mail address logo
person place or event is intended or should be inferred Complying with all applicable copyright laws
is the responsibility of the user Without limiting the rights under copyright no part of this document
may be reproduced stored in or introduced into a retrieval system or transmitted in any form or by any
means (electronic mechanical photocopying recording or otherwise) or for any purpose without the
express written permission of Microsoft Corporation
Microsoft may have patents patent applications trademarks copyrights or other intellectual property
rights covering subject matter in this document Except as expressly provided in any written license
agreement from Microsoft the furnishing of this document does not give you any license to these
patents trademarks copyrights or other intellectual property
copy 2010 Microsoft Corporation All rights reserved
Microsoft and SQL Server are trademarks of the Microsoft group of companies
All other trademarks are property of their respective owners
Page 5
1 INTRODUCTION
The Microsoft SQL Server 2008 R2 Best Practices Analyzer (BPA) is a diagnostic tool that performs
the following functions
Gathers information about a server and an instance of Microsoft SQL Server 2008 or 2008 R2
that is installed on that server
Determines if the configurations are set according to the Microsoft recommended best
practices
Reports on all configurations indicating settings that differ from recommendations
Indicates potential problems in the installed instance of SQL Server
Recommends solutions to potential problems
This tool is used by IT Professionals and Database Administrators to help ensure that their installations
of SQL Server and associated products components are adhering to best practices as determined by
the SQL Server Product Teams and CSS This utility scans the installation of a local or remote
machine gathering system data from WMI log files the Event Log the Windows Registry and SQL
Server metadata and compares the results to predefined standards It then produces a report that
shows the results and points the user to additional information on the web to help them determine
whether they should make changes to their systems
For every configuration the SQL Server 2008 R2 BPA provides the following results
Compliance results are returned when an instance of SQL Server satisfies the conditions of a
Best Practices rule Non-compliance results are returned when an instance of SQL Server
does not satisfy the conditions of a Best Practices rule
Impact of non-compliance
Recommendation
Links to more detailed information and related topics
To assist you and to make your DBA life easier Microsoft includes some of these Best Practices in a
couple of products ndash depending on specific purpose of the Software The following diagram illustrates
the variety of tools available to check best practices for SQL Server 2008 and SQL Server 2008 R2 in
parallel or in combination with BPA
Page 6
The big picture ndash automated Best Practices of SQL Server checks offered in different flavours and
products
So you will find a couple of policies in our monitoring solution
SQL Server 2008 R2 Best Practice Analyzer
within more than 140 rules for database engine and other technologies
System Center Operations Manager (SCOM)
within the SQL Management pack (current version 6131436 release date 08172010)
with more than 300 rules and 50 additional monitors
Policy Based Management in SQL Server 2005 and 2008
with predefined policy collection (50+ policies)
There is a whitepaper about PBM here
System Configuration Checker in the SQL Server 2008 setup wizard
The SQL Risk Assessment Toolset (Premier Organisation best practice flagship) offering more
than 200 rules This offering is meant for Premier customers running the SQL RAP against
their most business critical SQL instances
Note This tool set is only available for Microsoft Premier Customers
11 Architecture and data flow of the BPA
The SQL Server 2008 R2 Best Practices Analyzer is an additional ldquomodelrdquo for the Microsoft Baseline
Configuration Analyzer V20 (MBCA) A model is a set of component files that together comprise the
configuration analysis and reporting output from MBCA
The MBCA is imbedded as a PowerShell cmdlet and consists of two major components the MBCA
Engine and the MBCA UI
The MBCA Engine process itself consists of 2 main activities evaluation and discovery The MBCA
Engine is fed by PowerShell discovery Scripts and XML Schema Files which are used during
CSS Rules Advice
and Manifests
SQL Server 2008 R2 Best
Practice Analyzer
SQL 2008 Setup
Policy Based Management
SCOM SQL MP
SQLRAP
Page 7
discovery The discovery activity interrogates the SQL Server Registry WMI Error- and Event-Logs
etc The output is saved in an XML File which is then used in the evaluation activity Evaluation is
performed using the Schematron file This file run by the MBCA engine contains the logic for
evaluating the best practices The final step following the evaluation process is the report generation ndash
which is shown in the MBCA UI
In the flow chart below you will find the anatomy of the SQL Server 2008 R2 Best Practices Analyzer
12 Microsoft Best Practice Analyzer Universe
Microsoft offers many technologies and utilities to produce best practices recommendations
121 SQL Server BPA (older versions)
Microsoft has also created BP Analyzers for your older SQL Server versions and for Windows
SQL Server 2005 Best Practices Analyzer (August 2008)
SQL Server 2000 Best Practices Analyzer (April 2010)
122 Windows Server 2008 R2 Best Practice Analyzer
In Windows management best practices are guidelines that are considered the ideal way under
typical circumstances to configure a server as defined by experts For example it is considered a best
practice for most server technologies to keep open only those ports required for the technologies to
communicate with other networked computers and block unused ports Although best practice
Page 8
violations even crucial ones are not necessarily problematic they indicate server configurations that
can result in poor performance poor reliability unexpected conflicts increased security risks or other
potential problems
Best Practices Analyzer (BPA) is a server management tool that is available in
Windows Serverreg 2008 R2 BPA can help administrators reduce best practice violations by scanning
one or more roles that are installed on Windows Server 2008 R2 and reporting best practice violations
to the administrator Administrators can filter or exclude results from BPA reports that they do not have
to see Administrators can also perform BPA tasks by using either the Server Manager GUI or
Windows PowerShell cmdlets
BPA can also be used on remote servers that are running Windows Server 2008 R2 by using Server
Manager targeted at a remote server For more information about how to run Server Manager targeted
at a remote server see Remote Management with Server Manager
The following BPA modules are currently available
Best Practices Analyzer for Active Directory Certificate Services
Best Practices Analyzer for Active Directory Domain Services
Best Practices Analyzer for Active Directory Rights Management Services
Best Practices Analyzer for Application Server
Best Practices Analyzer for Domain Name System
Best Practices Analyzer for Dynamic Host Configuration Protocol
Best Practices Analyzer for File Services
Best Practices Analyzer for Hyper-V
Best Practices Analyzer for Internet Information Services
Best Practices Analyzer for Network Policy and Access Services
Best Practices Analyzer for Remote Desktop Services
Best Practices Analyzer for Windows Server Update Services
More Information about Windows BPA look here
123 Fix-it
Currently there exists no link between the SQL Server Best Practice Analyzer and the Fixit webpage
httpsupportmicrosoftcomfixit
Microsoft is working on a solution to combine fixit with specific Best Practice Analyzer
httpfixitcentersupportmicrosoftcomPortal
124 Microsoft Automated Troubleshooting Service in Windows Server
2008 R2 and Windows 7
Troubleshooting in Windows Server 2008 R2 and Windows 7 provides several troubleshooting
programs that can automatically fix some common problems with your computer such as problems
with networking hardware and devices using the web and program compatibility
Go to the Windows website to watch a video about using troubleshooters to fix common problems
(330)
When you run a troubleshooter it might ask you some questions or reset common settings as it works
to fix the problem If the troubleshooter fixed the problem you can close the troubleshooter If it couldnt
fix the problem you can view several options that will take you online to try and find an answer In
either case you can always view a complete list of changes made
Page 9
Notes
If you click the Advanced link on a troubleshooter and then clear the Apply repairs
automatically check box the troubleshooter displays a list of fixes to choose from if any
problems are found
Windows includes several troubleshooters and more are available online when you select the
Get the most up-to-date troubleshooters from the Windows Online Troubleshooting service
check box at the bottom of Troubleshooting
httpsupportmicrosoftcomgpsystem_maintenance_for_windows
Page 10
2 SYSTEM REQUIREMENTS
SQL Server 2008 R2 Best Practices Advisor is supported on the following Operating Systems
1 Windows Vista
2 Windows 7
3 Windows Server 2003
4 Windows Server 2003 R2
5 Windows Server 2008
6 Windows Server 2008 R2
Supported editions of SQL Server
1 SQL Server 2008 all editions except Express
2 SQL Server 2008 R2 all editions except Express
Supported Components of SQL Server
1 Analysis Services
2 Database Engine
3 Integration Services
4 Reporting Services
5 Replication
6 Setup
These components are designed as Submodels for the BPA This means that they will be run
concurrently where possible
21 Required Permissions for Running SQL Server 2008 R2 BPA
Administration Privileges
To run MBCA v20 a user must be a member of the administrators group on the machine being
scanned and on the machine the scan is initiated from If a user is not an administrator on the machine
that is being scanned an appropriate error message displays
SQL Server
To successfully access all of the database properties and SQL Server Configurations a user must be
the Systems Administrator (sysadmin) on the instance of SQL Server
Analysis Services
The user or the administrators group must be member of the server administrator role within an
instance of Microsoft SQL Server Analysis Services have unrestricted access to all Analysis Services
objects and data in that instance
httpmsdnmicrosoftcomen-uslibraryms174561aspx
Integration Services
The user or the administrators group must be members of the sysadmin or db_ssisadmin roles
httpmsdnmicrosoftcomen-uslibraryms141053aspx
Reporting Services
Page 11
The user or the administrators group must be member of the System Administrator and Content
Manager role
22 Prerequisites
The following are required for using SQL Server 2008 R2 Best Practices Analyzer
1 PowerShell V20
Windows PowerShell 20 requires the Microsoft NET Framework 20 with Service Pack 1
2 Microsoft Baseline Configuration Analyzer V20
3 SQL Server Management Tools for SQL Server 2008 or SQL Server 2008 R2
The following table outlines the prerequisite Microsoft utilities components by Operating System
necessary to have on your server prior to installing and running SQL Server 2008 R2 BPA
OS 1Install
WinRM
2Install
PowerShell 20
3Install
MBCA 20
Configure PowerShell1 7 Install SQL2008
or SQL 2008 R2
Management Tools 4Remoting 5Execution
Level
6 MaxShells
PerUser
Win Vista Y Y Y Y Y Y Y
Windows 7 N N Y Y Y Y Y
Windows
Server 2003
Y Y Y Y Y Y Y
Windows
Server 2003
R2
Y Y Y Y Y Y Y
Windows
Server 2008
Y Y Y Y Y Y Y
Windows
Server 2008
R2
N N Y Y Y Y Y
1 These changes will be done from the installation routine of the BPA
Page 12
3 INSTALL
We recommend installing BPA on a workstation or administration server and performing the scan
operation remotely against servers in your SQL Server infrastructure It is also possible to install this
tool on the production SQL Server locally
Installation process
1 InstallConfigure PowerShell and WinRM
2 Microsoft Baseline Configuration Analyzer V20
3 Microsoftreg SQL Serverreg 2008 R2 Best Practices Analyzer
It exists two ways to install the Best Practices Analyzer
With a graphical user interface (setup wizard) or
Command line
31 Installing PowerShell 20 and WinRM
BPA install configures WinRM and PowerShell options by default Most of this section is only needed if
something goes wrong and you need to configure this stuff by hand
Windows Server 2003 R2
WinRM is not installed by default but it is available as the Hardware Management feature through the
AddRemove System Components feature in the Control Panel under Management and Monitoring
Tools Complete installation and information about configuring WinRM using the WINRM command-line
tool is available online in the Hardware Management Introduction which describes the WinRM and the
IPMI features in Windows Server 2003 R2
On Windows Vista Windows Server 2003 and Windows Server 2008
This is installed as part of Windows Management Framework Core The WinRM service starts
automatically on Windows Server 2008 On Windows Vista the service must be started manually
On Windows Server 2008 R2 and Windows 7
This is installed as part of the OS
Note Check for additional information and configuration guidelines for WinRM and for PowerShell
20
SQL Server 2008 R2 BPA is able to scan both the local computer and remote computers Therefore in
both the local and remote cases it required that your PowerShell settings be modified These are done
by the BPA installation
PowerShell Execution Policy
The PowerShell Execution Policy is set to Restricted by default To run SQL Server 2008 R2 BPA
through the PowerShell command Line set the policy to RemoteSigned using the below command
Set-ExecutionPolicy RemoteSigned -f
You can use the command Set-ExecutionPolicy Restricted ndashf to set the execution policy back to
restricted This command is not required when executing the scan through the MBCA GUI
After the installation you must enable the PowerShell remote scripting if you are want to use the BPA
remote to another workgroup machine or a computer that have Kerberos enabled You need to run this
command only once on each computer that will receive commands You do not need to run it on
Page 13
computers that only send commands Because the configuration activates listeners it is prudent to run
it only where it is needed You can do this with the following command line
powershellexe -NoLogo -NoProfile -Noninteractive -Command Enable-
PSRemoting -force
Enable-PSRemoting performs configuration actions to enable this machine for remote management
Includes
1 Runs the Set-WSManQuickConfig cmdlet which performs the following tasks
Starts the WinRM service
Sets the startup type on the WinRM service to Automatic
Creates a listener to accept requests on any IP address
Enables a firewall exception for WS-Management communications
Enables all registered Windows PowerShell session configurations to receive instructions
from a remote computer
Registers the MicrosoftPowerShell session configuration if it is not already registered
Registers the MicrosoftPowerShell32 session configuration on 64-bit computers if it is
not already registered
Removes the Deny Everyone setting from the security descriptor for all the registered
session configurations
Restarts the WinRM service to make the preceding changes effective
2 Configures MaxShellsPerUser using winrm set winrmconfigwinrs
``MaxShellsPerUser=`10``
Specifies the maximum number of concurrent shells that any user can remotely open on
the same computer If this policy setting is enabled the user will not be able to open new
remote shells if the count exceeds the specified limit If this policy setting is disabled or is
not configured the limit will be set to 5 remote shells per user by default and you receive
the following error message
[localhost] Connecting to remote server failed with the following
error message The WS-Management service cannot process the
request This user is allowed a maximum number of 5 concurrent
shells which has been exceeded Close existing shells or raise the
quota for this user For more information see the
about_Remote_Troubleshooting Help topic
+ CategoryInfo OpenError
(SystemManagemehellipRemoteRunspa
ceRemoteRunspace) [] PSRemotingTransportException
+ FullyQualifiedErrorId PSSessionOpenFailed
For more information about PowerShell remoting please see MSDN
32 Install MBCA
Download the edition of MBCA depending on your platform (x86 or x64) before installation
Page 14
Please find below the screenshots demonstrating the visual flow of the MBCA Installation
Welcome screen
License terms
Folder selection
Completion screen
33 Install BPA
Download the correct edition depending on your platform (x86 or x64) before installing If you have
trouble with the installation please section 57 Troubleshooting Installation
331 Command line
Following is an optimized command line setup example
msiexec i SQL2008R2BPA_Setup64msi l log ctempsqlbpa_installlog qn
msiexec parameters
i = package name (SQL2008R2BPA_Setup32msi or SQL2008R2BPA_Setup64msi
depending on your platform)
l = log granularity ldquordquo - Log all information except for v and x options
log = log file
q = display settings (qn ndash no user interface)
SKIPCA=1 (if no domain controller is available Skip Certification Authority)
For information on additional public properties Consult the Windowsreg Installer SDK for documentation
on the command line syntax
Page 15
332 GUI
Please find below the screenshots demonstrating the visual flow of the SQL Server 2008 R2 BPA
Installation
Welcome screen
License terms
System Configuration Changes (see 31 Installing PowerShell 20 and WinRM)
Ready to install decision
Install progress
Completion screen
Page 16
333 Port and Firewall restrictions
For scanning SQL Server or BI instances on an alternate server behind a firewall you must open all
necessary ports
34 Updates
Microsoft is working on quarterly updates of the rule set and tool improvements of the SQL Server
2008 R2 Best Practice Analyzer Please visit the Download site from Microsoft regularly to find new
updates
35 Uninstall
351 BPA
352 MBCA
353 Reset PowerShell settings
After the uninstall of the BPA you may disable the PowerShell remote scripting You can do this with
the following command line
powershellexe -NoLogo -NoProfile -Noninteractive -Command Disable-
PSRemoting -force
Disable-PSRemoting performs configuration actions to enable this machine for remote management
Page 17
4 USAGE
There are two ways to scan a server using MBCA and SQL 2008 R2 BPA They are
Scanning through the local machine
o In this case you are using MBCA and SQL 2008 R2 BPA running on the local machine to
perform the scan
o This scan can be of the local or an alternate server
Scanning through a remote machine
o In this case MBCA is used to connect to a remote server that has MBCA and SQL 2008
R2 BPA installed on it
o This scan is using the local machine to form the connection to the remote machine and is
actually performing the scan through the remote machine
41 Help file
The help file for the SQL Server 2008 R2 Best Practice Analyzer contains very useful information This
help file is available after the installation of BPA and is located at Start-gtAll programs-gtSQL Server
2008 R2 BPA
42 GUI
1 Ensure that MBCA v2 and SQL 2008 R2 BPA are installed on the machine
2 Run the MBCA application from the start menu with elevated user rights
Page 18
3 On the MBCA home page ensure the SQL Server 2008 R2 BPArdquo product is selected
4 Click Start Scan which displays a page to specify parameters as shown below
5 Fill in Alternate_Server_to_Scan with the remote machine you want to scan
ComputerName
IP address nnnn
FQDN (Fully Qualified Domain Name)
Enter ldquordquo localhost or leave this blank if you want to scan the local machine
Page 19
Enter the instance name you want to scan To scan the default instance enter MSSQLSERVER
or leave this as blank Toggle the checkboxes to enabledisable scans for those rule categories
Each of the following six check boxes correspond to the SQL Server categories listed previously
Select at least one category in order to run a successful scan
Analyze_SQL_Analysis_Services
Analyze_SQL_Server_Engine
Analyze_SQL_Integration_Services
Analyze_SQL_Server_Replication
Analyze_SQL_Reporting_Services
Analyze_SQL_Server_Setup
Note Only one SQL Server instance can be scanned at a time through the MBCA GUI
6 Click Start Scan MBCA will start the configured scan and display the below page while in
progress
7 When the scan is complete results will be displayed grouped by Severity as shown below
Page 20
43 Connect to a remote computer
A scan connected to a remote computer is different than scanning an alternate server
ldquoConnect to a Remote Computerrdquo is functionality provided by Microsoft Baseline Configuration Analyzer
and is used to remotely run MBCA against a server from the console of the client The client needs to
have MBCA installed but does not need BPA as it is literally running the copy of MBCA installed on the
server using the BPA installed on the server In this case the copy of MBCA installed on the client is
used only to remotely connect to the copy of MBCA installed on the server
To use this functionality you first start MBCA on the client computer and select ldquoConnect to Another
Computerrdquo
1 In the ldquoConnect to Another Computerrdquo text box you can specify a NetBIOS name a fully qualified
domain name (FQDN) or an IPv4 or IPv6 address If no port number is specified the default port
number is used The following are examples of formats that you can specify in the Connect to
Another Computer text box
ComputerName
Page 21
ComputerNamePortNumber
IP address nnnn
IPv6 address [nnnnnnnn]
IPv4 address with port number nnnnPortNumber
IPv6 address with port number [nnnnnnnn]PortNumber
Note If an administrator has changed the computerrsquos default port number any port other than the
default port must be opened in Windows Firewall to allow incoming connections on that port Port
5985 is opened by default when WinRM is configured All other ports remain blocked until opened
For more information about how to unblock a port in Windows Firewall see the Help for Windows
Firewall For more information about how to configure WinRM in a Command Prompt session type
winrm help and then press Enter
2 Additionally you must supply credentials
3 CredSSP
Windows Remote Management (WinRM) supports the delegation of user credentials across
multiple remote computers The multi-hop support functionality can now use Credential Security
Service Provider (CredSSP) for authentication CredSSP enables an application to delegate the
userrsquos credentials from the client computer to the target server
CredSSP authentication is intended for environments where Kerberos delegation cannot be used
Support for CredSSP was added to allow a user to connect to a remote server and have the ability
to access a second-hop machine such as a file share
Note WinRM clients and servers will support CredSSP authentication only with explicit credentials
Windows XP Windows Server 2003 and earlier CredSSP is not supported
First you must set CredSSP on both the client and the server
Using the Group Policy Editor (gpeditmsc) make sure to enable ldquoAllow Delegating Fresh
Credentialsrdquo and check ldquoConcatenate OS defaults with input aboverdquo
Add the server or domain to the list of servers in the format ldquoWSMANdomainnamecomrdquo
Next enable and configure PowerShell Remoting on both the Client and Server by running the
following commands in a PowerShell command window opened with elevated permissions Note
Page 22
You can configure a single machine as both a client and a server simultaneously so that you can
scan from either computer
Enable PowerShell Remoting
o Enable-psremoting ndashf
Settings for a client
o Enable-WSManCredSSP ndashrole Client ndashDelegateComputer [NetBiosNameOfServer]
or
o Enable-WSManCredSSP ndashrole Client ndashDelegateComputer [FQDN OF SERVER]
Settings for the server
o Enable-WSManCredSSP ndashrole Server
o set-item WSManlocalhostShellMaxMemoryPerShellMB ndashValue 20000
o set-item WSManlocalhostShellMaxShellsPerUser ndashvalue 20
44 PowerShell
Details see 91 PowerShell
To use the functionality of the Microsoft Baseline Configuration Analyzer you must import this module
first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
441 Run Scan
To run a full scan of the BPA on the alternate server on a named instance you can use the following
command line
Invoke-MBCAModel -ModelId SQL2008R2BPA -Alternate_Server_to_scan
servername -SQL_Server_Instance_Name instancename -
Analyze_SQL_Server_Engine -Analyze_SQL_Server_Replication -
Page 23
Analyze_SQL_Server_Setup -Analyze_SQL_Analysis_Services -
Analyze_SQL_Integration_Services -Analyze_SQL_Reporting_Services
The result looks like this part
ModelId SQL2008R2BPA
SubModelId
Success True
ScanTime
Success = True is important This is the indicator that your scan was successful
Parameter description
-Alternate_Server_to_scan servername
-SQL_Server_Instance_Name instancename
-Analyze_SQL_Server_Engine
-Analyze_SQL_Server_Replication
-Analyze_SQL_Server_Setup
-Analyze_SQL_Analysis_Services
-Analyze_SQL_Integration_Services
-Analyze_SQL_Reporting_Services
The parameter list is equal the parameter screen in the GUI
The scans of the different services are optional You can remove technologies which you do not need
to scan
The next example starts the scan only for the Analysis Services on the alternate server ldquoservernamerdquo
and for the named instance ldquoinstancerdquo A log file will be written to ldquoctempssastxtrdquo
Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId AnalysisServices -
ComputerName servername -SqlServerInstance instance -SSASLogFile
ctempssastxt
Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId Engine -ComputerName
computername -SqlServerInstance servername -CurrentLoginName
($EnvUSERDOMAIN + + $EnvUSERNAME)ToString() -EngineLogFile
ctempenginetxt ndashRepositoryPath (CTEMPSQL2008 + (Get-
Date)ToString(yyyyMMdd))ToString()
442 Create Report
model = get-MbcaModel ndashModelId sql2008r2bpa
$scanResult = get-MbcaResult ndashModelId sql2008r2bpa
$collectedConfig = get-MbcaResult ndashModelId sql2008r2bpa ndash
CollectedConfiguration
$model $scanResult $collectedConfig | export-CliXml ctempasxml
Get-MBCAResult -ModelId SQL2008R2BPA -SubModelId AnalysisServices |
ConvertTo-Html | Add-Content -Path ctesthtml
The next command retrieves the results of the most recent BPA scan for the specified model and
saves them in HTML format applying the standard cascading style sheets that are stored in the path
windirsystem32WindowsPowerShellv10ModulesBestPracticesBestPracticesReportFormatc
Page 24
ss If you want to substitute cascading style sheets provide the path to the different cascading style
sheets
Get-MBCAResult -ModelId SQL2008R2BPA | $_Severity -eq Warning -or
$_Severity -eq Error | ConvertTo-Html -As Table -property ResultNumber
SubModelID ComputerName Severity Category Title Problem Impact
Resolution Help -Head lth1gtSQL Server 2008 (R2) Best Practice Analyzer
Reportlth1gtrdquo -Title SQL Server 2008 Best Practice Analyzer -body
(ltpgtReport creation date + (Get-Date)ToString(ddMMyyyy hhmmss) +
ltpgt)toString() -pre ltPgtGenerated by user $envusername on computer
$envcomputernameltPgt -post For details contact Microsoft Premier-
CssUri $env BestPracticesReportFormatcss gt ctempsql2008r2bpahtm
443 Exporting and opening reports by using Get-MBCAResult
You can use the Get-MBCAResult cmdlet to export scan results and configuration data to an XML
report that you can open for viewing in the future either by using Get-MBCAResult or by using the
MBCA GUI Exporting reports allows you to compare older scans with more recent scans to measure
the progress of your best practice compliance
Example of exporting to XML
$results = Get-MBCAResult ltModel Idgt
$collectedconfig = Get-MBCAResult ltModel Idgt -CollectedConfiguration
$results $collectedconfig | Export-CliXml cexportxml
Example of opening archived XML report file
$loadedResults $loadedConfiguration = Import-CliXml cexportxml
444 Report Result Directory
The reporting result path
AppDataMicrosoftBaselineConfigurationAnalyzer
2ReportsSQL2008R2BPAResults
Will be overwritten during each run of the tool or invoke command
Solution save older results before you start the check
copy-item -path ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2Reports)ToString() -
destination ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2Reports_ + (Get-
Date)ToString(yyyyMMddhhmmss))ToString() ndashrecurse
Afterwards you can create a report with the following command
$prevrepPath = (Get-ChildItem ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2)ToString() -exclude
Reports | Sort-Object name -descending)[0]
Get-MBCAResult -ModelId SQL2008R2BPA ndashRepositoryPath ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2rdquo +
$prevrepPathname)ToString() | ConvertTo-Html -As Table -property
ResultNumberSubModelID ComputerName Severity Category Title Problem
Impact Resolution Help -Head lth1gtSQL Server 2008 (R2) Best Practice
Analyzer Reportlth1gtrdquo -Title SQL Server 2008 Best Practice Analyzer -body
(ltpgtReport creation date + (Get-Date)ToString(ddMMyyyy hhmmss) +
ltpgt)toString() -pre ltPgtGenerated by user $envusername on computer
Page 25
$envcomputernameltPgt -post For details contact Microsoft Premier gt
ctempsql2008r2bpahtm
Page 26
5 TROUBLESHOOTING
51 Application directories
To following directories are used by MBCA
Report output directory localappdataMicrosoftMicrosoftBaselineConfigurationAnalyzer 2ReportsSQL2008R2BPAResults
Model configuration path ProgramdataMicrosoftMicrosoft Baseline Configuration Analyzer 2ModelsSQL2008R2BPA
Temp and log files directory tempSQL2008R2BPASQL2008ltdategt_lttimegt
Registry [HKEY_LOCAL_MACHINESOFTWAREMicrosoftBaselineConfigurationAnalyzer]
Log Files
During Data Discovery SQL Server 2008 R2 BPA creates log files for troubleshooting The log file
contains the following information
Pre-requisite validation
Timestamp finished rules start and end times
Run-time scripting errors and exceptions from Power Shell Traps
Log Files Location
For every scan log files are created in userrsquos Local Temp directory (Temp) and follows the folder
structure SQL2008R2BPAlt Instance Name gtlt datestamp_timestamp gtlt Log files gt
Note In case of a remote scan the category log files are generated on the remote system at the same
path whereas the common log file is generated in the local system
Log Files Structure
A common log file gets generated and contains information about each categorys execution Apart
from this each category has its own log file which details the rule execution The names of the log files
are given below
Common File - ModelLogtxt
Engine Rules - EngineLogtxt
Replication Rules - ReplicationLogtxt
Setup Rules - SetupLogtxt
Analysis Services Rules - AnalysisServicesLogtxt
Reporting Services Rules - ReportingServicesLogtxt
Integration Services Rules - IntegrationServicesLogtxt
52 Windows Server 2003 ndash NumberOfLogicalProcessors
Analysis Services RID2803 and RID2804 ndash NumberOfLogicalProcessors property is unavailable in
Win32_Processor for with Windows Server 2003
Solution The NumberOfLogicalProcessors property does not exist in the WIN32_PROCESSOR object
in Windows Server 2003 It has been implemented in the hotfix
httpsupportmicrosoftcomkb932370
Both of the rules below will function properly if you apply this hotfix For more information look here
Page 27
53 MBCA
This message indicates that on prerequisite is not installed
Please install the version 2 of the MBCA
54 Where can I find the Instance name in result set of the analyzer
report
The instance name is in the collected data option of the analyzer report in the BPA GUI
55 Memory limit of remote PowerShell process
By default remote PowerShell process can consume only 150 MB or less memory This default limit is
significantly small and once this limit is reached there could be a WinRM exception causing and remote
connection immediately terminates Any application or Cmdlet which is involved in PowerShell
remoting should be tested for this memory limit this may cause some of the command to fail for
example site collection creation
Solution Increase the memory limit for the remote shell Use the following command to increase this
limitation to 1000MB This is only necessary if you need to run those commands on that server
Set-Item WSManlocalhostShellMaxMemoryPerShellMB 1000
56 Remote connect
If you try to ldquoConnect to another computerrdquo from MBCA and you receive the following message
Page 28
You should check first if the Hotfix KB968930 is installed
Afterwards validate that the ldquoWindows Remote Managementrdquo service is started
Enable-PSRemoting
If CredSSP is unsupported or unavailable you will see the following message
Page 29
If you have no permission to access the remote server you get the error message
Page 30
57 Installation
571 PowerShell error
After getting through the Pre-Reqs for BPA (PowerShell 20 MBCA NET Framework) you may hit
one of two scenarios when installing BPA
In all of the cases of an install failure you will see the following error
There is a problem with this Windows Installer package A program run as part of the setup did not
finish as expected Contact your support personnel or package vendor
In your Application Event Log for both of these scenarios you will also see the following entry
Log Name Application
Source MsiInstaller
Date 6102010 83818 AM
Event ID 11722
Task Category None
Level Error
Keywords Classic
User ltUsernamegt
Computer ltMachine namegt
Description
Product Microsoft SQL Server 2008 R2 BPA -- Error 1722 There is a problem
with this Windows Installer package A program run as part of the setup did
not finish as expected Contact your support personnel or package
vendor Action EnablePSRemoting location powershellexe command -NoLogo
-NoProfile -Command Enable-PSRemoting ndashforce
Page 31
This is an indicator that PowerShell is not configured You must run the following command
powershellexe -NoLogo -NoProfile -Command Enable-PSRemoting ndashforce
572 Workgroup or Non-Domain computer
In this scenario the Enable-PSRemoting command should execute fine from a PowerShell prompt
The actual error coming back from the PowerShell command within the Installer is ldquoAccess Deniedrdquo
To work around this issue you can do the following
1 Open a command prompt with Administrative Privileges
2 Change to the directory where the msi file resides
3 Type msiexec i ltMSI Namegt SKIPCA=1
4 MSI Name will either be SQL2008R2BPA_Setup32msi or SQL2008R2BPA_Setup64msi
depending on your platform
5 Once BPA is installed open a PowerShell prompt with Administrative Privileges
6 Execute the following commands
a Enable-PSRemoting
b winrm set winrmconfigwinrs ``MaxShellsPerUser=`10``
This should allow BPA to be successfully installed in the workgroup scenario
573 Kerberos Failure
This scenario is that you are failing with the above due to a Kerberos issue This particular issue could
actually show up after you have installed BPA depending on how you have configured your
environment
The issue stems from the fact that the Windows Remoting Windows Service uses the Network Service
account Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos As a
result it will be using the HOST Service Principal Name (SPN) that is on the Machine Account as it is
running under that context You may have an HTTP SPN that resides on a different account with that
host name For example if you are running an IIS Web Application such as SharePoint or if you are
using Reporting Services and the service account is set to a Domain User account instead of Network
Service or Local System If your URL of your application matches the machine name then your HTTP
SPN will be the same Thatrsquos where this problem comes in WinRM will stop working at that point and
give you a message similar to the following
Set-WSManQuickConfig WinRM cannot process the request The following error
occured while using Negotiate authentication An unknown security error
occurred
Possible causes are
-The user name or password specified are invalid
-Kerberos is used when no authentication method and no user name are
specified
-Kerberos accepts domain user names but not local user names
-The Service Principal Name (SPN) for the remote computer name and port
does not exist
-The client and remote computers are in different domains and there is no
trust between the two domains
After checking for the above issues try the following
-Check the Event Viewer for events related to authentication
-Change the authentication method add the destination computer to the
WinRM TrustedHosts configuration setting or use HTTPS transport
Note that computers in the TrustedHosts list might not be authenticated
-For more information about WinRM configuration run the following
Page 32
command winrm help config
At line50 char33
+ Set-WSManQuickConfig ltltltlt -force
+ CategoryInfo InvalidOperation () [Set-WSManQuickConfig]
InvalidOperationException
+ FullyQualifiedErrorId
WsManErrorMicrosoftWSManManagementSetWSManQuickConfigCommand
You can get this type of error from WinRM for muliple reasons The one that
we saw in our testing was the HTTP SPN scenario
If you do have an HTTP SPN defined on a Domain Account that is using the name of your machine
you have some options First you can follow the steps mentioned above to get BPA installed The
Enable-PSRemoting command will give you the above error You can temporarily remove the HTTP
SPN to get remoting enabled and then re-add the HTTP SPN
Once BPA is setup you will still not be able to run BPA if you put the HTTP SPN back in place You will
see the following when you attempt to perform a scan
This will occur regardless of which component you try to scan It could be the Engine Setup RS etchellip
One option to perform the scan successfully is to temporarily remove the HTTP SPN again run the
scan and then put the HTTP SPN back in place Another option but one that will probably require
further testing from your applicationrsquos end would be to run the application under a Host Header and
then your HTTP SPN would not include the machine name allowing BPA to run without issue
Page 33
6 RULES
Searching for ldquoSQL Server 20087 R2 BPArdquo at Microsoftcom reveals
Here is an example of one of these articles that talks about a rule to check for a recent ldquocleanrdquo
CHECKDB
Page 34
BPA works by measuring a rolersquos compliance with best practice rules in eight different categories of a
rolersquos effectiveness trustworthiness and reliability Results of measurements can be any of the three
severity levels described in the following table
Severity level Description
Noncompliant Noncompliant results are returned when a role does not satisfy the conditions of a rule
Compliant Compliant results are returned when a role satisfies the conditions of a rule
Warning Warning results are returned when a role is compliant as operating currently but may not satisfy the conditions of a
rule if changes are not made to its configuration or policy settings For example a scan of Remote Desktop Services
might show a warning result if a license server is unavailable to the role because even if no remote connections are
active at the time of the scan not having the license server prevents new remote connections from obtaining valid
client access licenses
Page 35
BPA rule categories
The following table describes the categories of best practice rules against which roles are measured
during a BPA scan
Category Name Description
Security Security rules are applied to measure a rolersquos relative risk for exposure to threats such as unauthorized or malicious
users or loss or theft of confidential or proprietary data
Performance Performance rules are applied to measure a rolersquos ability to process requests and perform its prescribed duties in
the enterprise within expected periods of time given the rolersquos workload
Configuration Configuration rules are applied to identify role settings that might require modification for the role to perform
optimally Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role
from performing its prescribed duties in an enterprise
Policy Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the
role to operate optimally and securely
Operation Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise
Predeployment Predeployment rules are applied before an installed role is deployed in the enterprise to let administrators to
evaluate whether best practices were satisfied before you use the role in production
Postdeployment Postdeployment rules are applied after all required services have started for a role and the role is running in the
enterprise
BPA Prerequisites BPA Prerequisite rules explain configuration settings policy settings and features that are required for the role
before BPA can apply specific rules from other categories A prerequisite in scan results indicates that an incorrect
setting a missing role role service or feature an incorrectly enabled or disabled policy a registry key setting or
other configuration has prevented BPA from applying one or more rules during a scan A prerequisite result does
not imply compliance or noncompliance It means that a rule could not be applied and therefore is not part of the
scan results
61 Engine Rules
Please find below a summary of the 74 Engine Rules with the links to the rule descriptions These rules
are checking that you have a secure resilient and well performing SQL configuration
Authentication Mode (httpsupportmicrosoftcomkb2028697)
Lightweight Pooling is enabled (httpsupportmicrosoftcomkb2160691)
Locks Configuration Not Dynamic (httpsupportmicrosoftcomkb2199576)
non-default network packet size in use (httpsupportmicrosoftcomkb2157175)
degree of parallelism not set to recommended value (httpsupportmicrosoftcomkb2023536)
Use Database Mail instead of SQL Mail (httpsupportmicrosoftcomkb2028584)
SQL Server Agent Proxy Account (httpsupportmicrosoftcomkb2160741)
SQL Login Password Policy Strength and password expiry
(httpsupportmicrosoftcomkb2028712)
Trustworthy Bit (httpsupportmicrosoftcomkb2183687)
Symmetric Keys Check (httpsupportmicrosoftcomkb2162020)
Asymmetric Keys Check (httpsupportmicrosoftcomkb2162020)
SQL Server installed on PDC BDC (httpsupportmicrosoftcomkb2032911)
Page 36
SQL Server Admin role membership check (httpsupportmicrosoftcomkb2184138)
Windows API calls intercepted (httpsupportmicrosoftcomkb2033238)
unsupported DotNET framework assemblies present (httpsupportmicrosoftcomkb2033344)
Disk partition starting offset may be incorrect (httpsupportmicrosoftcomkb2023571)
non-default max worker threads value configured (httpsupportmicrosoftcomkb2157129)
Guest Permissions (httpsupportmicrosoftcomkb2186935)
Data and Log files on the same volume (httpsupportmicrosoftcomkb2033523)
IO timeouts and IO controller errors detected (httpsupportmicrosoftcomkb2091098)
IO device errors detected (httpsupportmicrosoftcomkb2091098)
IO errors during page faults detected (httpsupportmicrosoftcomkb2091098)
cluster disk corruption encountered (httpsupportmicrosoftcomkb2091098)
disk defragmentation encountered corruption (httpsupportmicrosoftcomkb2091098)
failed IO requests detected (httpsupportmicrosoftcomkb2091098)
IO requests are successful when retried (httpsupportmicrosoftcomkb2015757)
IO Delay Problems reported by SQL Server (httpsupportmicrosoftcomkb2137408)
This system experienced unexpected shutdowns (httpsupportmicrosoftcomkb2091098)
tempdb corruption errors fix missing (httpsupportmicrosoftcomkb960770)
Critical SQL database inconsistency errors found (httpsupportmicrosoftcomkb2152734)
Logical consistency errors detected (httpsupportmicrosoftcomkb2152472)
Database have auto shrink option enabled (httpsupportmicrosoftcomkb2160663)
SQL Server Error logs are very big (httpsupportmicrosoftcomkb2199578)
incorrect affinity mask settings detected httpsupportmicrosoftcomkb2157114
Very low blocked process threshold setting detected httpsupportmicrosoftcomkb2157154
Potential security issue with legacy DTS stored procedures
httpsupportmicrosoftcomkb2202875
Winsock LSP loaded into SQL httpsupportmicrosoftcomkb2033448
Databases using simple recovery model httpsupportmicrosoftcomkb2137539
User database collation different from model httpsupportmicrosoftcomkb2026108
Database files and backups exist on the same volume httpsupportmicrosoftcomkb2027537
Databases have auto close option enabled httpsupportmicrosoftcomkb2160685
LSI SAS drivers needs update httpsupportmicrosoftcomkb2121098
SQL tempdb database not configured optimally httpsupportmicrosoftcomkb2154845
SQL Database file has sparse attribute set httpsupportmicrosoftcomkb2028447
Invalid startup parameters httpsupportmicrosoftcomkb2028433
MSDTC settings not configured optimally httpsupportmicrosoftcomkb2027550
sql incorrect results fix missing httpsupportmicrosoftcomkb971780
File System needs tuning for better FileStream performance
httpsupportmicrosoftcomkb2160002
linked server memory leak fix missing httpsupportmicrosoftcomkb971622EN-US
Windows service pack is not at recommended level httpsupportmicrosoftcomkb2121098
default extended event health session not in expected state
httpsupportmicrosoftcomkb2160570
TcpSysAndChimneyCheck httpsupportmicrosoftcomKB918483
FDHOST Launcher service is not configured properly httpsupportmicrosoftcomkb2160720
Unrecommended SQL Server Agent service account httpsupportmicrosoftcomkb2160720
A required Windows fix to avoid sparse file related problems is missing
httpsupportmicrosoftcomkb2002606
Page 37
Significant Portion of SQL Server Memory Has Been Paged Out
httpsupportmicrosoftcomkb2028324
Server Exception or Hang Detected on Server httpsupportmicrosoftcomkb2028589
Databases exist without CHECKSUM protection httpsupportmicrosoftcomkb2078345
backups outdated for databases httpsupportmicrosoftcomkb2027537
Database consistency check not current httpsupportmicrosoftcomkb2033590
SQL Server Memory settings are incorrect httpsupportmicrosoftcomKB918483EN-US
Autogrow Failed or took a long time httpsupportmicrosoftcomkb2091024
Storport driver fix from KBA 940467 missing httpsupportmicrosoftcomkb2121098
Storport driver fix from KBA 950903 missing httpsupportmicrosoftcomkb2121098
SQLCLR needs additional memory configuration httpsupportmicrosoftcomkb969962EN-US
Operating System files and drivers needs update for working set trimming
httpsupportmicrosoftcomkb2121098
Agent Token Replacement httpsupportmicrosoftcomkb2202637
Auditing Log in failures httpsupportmicrosoftcomkb2187161
Databases with high number of VLF present httpsupportmicrosoftcomkb2028436
Transparent Data Encryption Certificate httpsupportmicrosoftcomkb2201900
Permission on the Binn folder httpsupportmicrosoftcomkb2029023
Index Statistics Are Outdated
Server public permissions httpsupportmicrosoftcomkb2160698
Detected use of older versions of SQLNCLI httpsupportmicrosoftcomkb979779
62 AS Rules
Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions
Flight Recorder Enabled for SQL Server Analysis Services
httpsupportmicrosoftcomkb2128005
Excessive amount of memory preallocated to Analysis Services
httpsupportmicrosoftcomkb2027474
Server not configured for optimal concurrent query throughput
httpsupportmicrosoftcomkb2135031
Non standard value detected for Analysis Services memory configuration
httpsupportmicrosoftcomkb2027472
Process Thread Pool Max limit above recommended limit
httpsupportmicrosoftcomkb2134497
Process Thread Pool Minimum is below the recommended limit
httpsupportmicrosoftcomkb2134855
Server is running a build with a known regression httpsupportmicrosoftcomkb2157941
Slice not set on a ROLAP partition or a partition where proactive caching is enabled and
ROLAP storage ay occur httpsupportmicrosoftcomkb2027754
Server is ignoring duplicate key errors httpsupportmicrosoftcomkb2027761
No default member defined for non-aggregatable attribute
httpsupportmicrosoftcomkb2027769
UnknownMember set to hidden httpsupportmicrosoftcomkb2027628
Non-numeric key column for high cardinality attribute httpsupportmicrosoftcomkb2028138
Attribute hiearchy enabled for high cardinality non-key attribute
httpsupportmicrosoftcomkb2028143
ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition
detected httpsupportmicrosoftcomkb2132742
Page 38
Account or Time attribute types defined in a non-matching dimension type
httpsupportmicrosoftcomkb2157299
An Account or Time dimension has no matching attribute defined
httpsupportmicrosoftcomkb2027418
Dimension has no attribute defined with the same type
httpsupportmicrosoftcomkb2027443
Attribute Dimension type mismatch httpsupportmicrosoftcomkb2157327
Mismatched dimension attribute types detected in dimension
httpsupportmicrosoftcomkb2027459
Possible incorrect order of levels defined in hierarchy httpsupportmicrosoftcomkb2027460
Define attribute relationships as Rigid where possible httpsupportmicrosoftcomkb2027468
Redundant attribute relationships detected httpsupportmicrosoftcomkb2127437
Diamond-shape relationship detected httpsupportmicrosoftcomkb2127570
Non-Standard Attribute Relationship name detected httpsupportmicrosoftcomkb2127862
Proactive Caching set for dimension without a processing query
httpsupportmicrosoftcomkb2027541
No Time dimension detected httpsupportmicrosoftcomkb2027532
More than 3 parent-child dimensions with custom rollups defined
httpsupportmicrosoftcomkb2134431
Encountered a parent-child dimension with more than 500000 members
httpsupportmicrosoftcomkb2131918
Single attribute dimensions detected httpsupportmicrosoftcomkb2141654
Measure groups with zero dimensional overlap detected in cube
httpsupportmicrosoftcomkb2027609
Proactive Caching set for a partition without a processing query
Default measure for perspective not in the perspective
httpsupportmicrosoftcomkb2027603
Use MOLAP storage for dimensions that participate in semi-additive measure groups
httpsupportmicrosoftcomkb2135112
Measure group defined with no partition httpsupportmicrosoftcomkb2027545
63 RS Rules
RSWindowsNegotiate is missing from your configuration
httpsupportmicrosoftcomkb2145506
HTTP Logging is not enabled httpsupportmicrosoftcomkb2145909
Verbose logging is enabled httpsupportmicrosoftcomkb2146315
NTLM authentication may fail for local httpsupportmicrosoftcomkb2146369
Missing extended protection settings httpsupportmicrosoftcomkb2146062
64 IS Rules
Logging task missing for package httpsupportmicrosoftcomkb2027723
ActiveX Script task detected in package httpsupportmicrosoftcomkb2027712
Unrecommended Integration Services service account detected
httpsupportmicrosoftcomkb2027684
Integration Services logging table found in system database master and or msdb
httpsupportmicrosoftcomkb2027706
Integration Services memory dump detected httpsupportmicrosoftcomkb2027727
Page 39
65 Setup Rules
Unsupported Operating System Version Detected httpsupportmicrosoftcomkb2022909
WOW64 not supported for SQL Failover Clustering httpsupportmicrosoftcomkb2157198
Installer cache is missing for the SQL Installation httpsupportmicrosoftcomkb2015100
SQL Server WMI Provider Health Check
66 Replication Rules
Replication Timeout Alerts Type httpsupportmicrosoftcomkb2118349
Replication Pub and Sub out of sync (Data Validation) httpsupportmicrosoftcomkb2118386
Replication Pub and Sub out of sync (Constraint Violations)
httpsupportmicrosoftcomkb2118410
Replication Pub and Sub out of sync (Skipped Transactions)
httpsupportmicrosoftcomkb2194498
Merge Replication Health Check httpsupportmicrosoftcomkb2118445
Subscriptions Approaching Expiration httpgomicrosoftcomfwlinkLinkId=184483
Replication Cleanup and Retention Health Check httpsupportmicrosoftcomkb2118485
Replication Latency Threshold violations httpsupportmicrosoftcomkb2118425
Page 40
7 HOW TO DEAL WITH DEVIATIONS
Deviations from these Best Practices may indicate potential issues and configuration changes may be
necessary Make sure you have tested any intended changes in a test environment before deploying
them to a production environment You could also find deviations from Best Practices that are
acceptable or even necessary for your environment For example
SAP has its special Network Packet Size of 8 KB
Existing Non-Microsoft Clients ndash would require Mixed Mode Authentication
Page 41
8 MOTIVATION TO USE SQL BPA R2
Bob Ward explained in his Article ldquoWhy use SQL Server 2008 R2 BPA Case 1 Missing Updatesrdquo
the common pitfalls during maintenance and operation of SQL Server and how address them by using
the SQL BPA
In brief itrsquos a customer scenario where the customer is facing an issue after a major update to
SQL2008 After some troubleshooting and an update to a certain CU (that is meant to fix the issue) the
problem still occurs Bobs article states the common resulting consequences ndash the involvement of
Microsoft Support and the final solution ndash adding a needed traceflag
The good news in this story is that the customer would not have needed to go to all that effort if they
would have run the SQL BPA It would have told them about the update and instructed them to put the
traceflag in place BPA is a mechanism that proactively advises you and instructs you on dealing with
common known issues
Page 42
9 ADDITIONAL INFORMATION
91 PowerShell
To use the functionality of the Baseline Configuration Analyzer with PowerShell you must import this
module first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
The following commands are stored in this module
Get-MbcaModel
Get-MbcaResult
Invoke-MbcaModel
Set-MbcaResult
You get help of this command with the following syntax
Get-help ltcommandgt -full
911 Get-MBCAModel
SYNOPSIS
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer
SYNTAX
Get-MBCAModel [[-ModelId] ltstring[]gt] [[-SubModelId] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer If no parameter is
specified Get-MBCAModel returns all models that are installed on the computer If a model is specified
by using the -ModelId parameter information about the specified model is returned
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
The results of the Get-MBCAModel cmdlet include the following details about models
1 Branding information (manufacturer or company display names version number) that is found in
the model manifest
2 Dynamic parameters that are included with the model
3 Submodels that are included with the model
PARAMETERS
-ModelId ltstring[]gt
The -ModelId parameter specifies the ID of the MBCA model about which you want to view
details You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet with no parameters and targeted at a computer on which MBCA models are installed
Page 43
This parameter supports wild card characters
Required false
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you
want to view details You can obtain valid values for the -SubModelId parameter by running the
Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models
are installed Not all models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
Examples
Get-MBCAModel
In the preceding example Get-MBCAModel with no parameters added returns details about all MBCA
models that are installed on the computer
Get-MBCAModel -ModelId SQL2008R2BPA
The preceding example can be used to return details about the MBCA model that is specified in the -
ModelId parameter represented by Model Id
$model= Get-MBCAModel -ModelId SQL2008R2BPA
$modelParameters
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the Parameters property of the model details that were stored in the
$model object returns details about which parameters are supported by the model
Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId ltSubModel Idgt
The preceding example can be used to return details about the MBCA sub-model that is specified by
the -SubModelId parameter represented by SubModel Id Note that the -ModelId parameter is
required by the -SubModelId parameter
$model= Get-MBCAModel -ModelId SQL2008R2BPA
Page 44
$modelSubModels
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the SubModels property of the model details that were stored in the
$model object returns a list of the submodels of the model specified in the first line
912 Invoke-MBCAModel
SYNOPSIS
The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA)
scan for a specific model that is installed on your computer
SYNTAX
Invoke-MBCAModel [-ModelId] ltstringgt -SubModelId ltstringgt [-Authentication
ltAuthenticationMechanismgt] [-CertificateThumbprint ltstringgt] [-ComputerName
ltstring[]gt] [-ConfigurationName ltstringgt] [-Context ltstringgt] [-Credential
ltstringgt] [-Mode ltModeEnumgt] [-Port ltintgt] [-RepositoryPath ltstringgt] [-
ThrottleLimit ltintgt] [-UseSSL] [ltCommonParametersgt]
DESCRIPTION
The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer
(MBCA) scan for a specific model that is installed on your computer The model is specified either by
using the parameter -ModelId or by piping the results of the Get-MBCAModel cmdlet into an Invoke-
MBCAMode cmdlet
After the MBCA scan has been performed the results of the scan are available to be retrieved by Get-
MBCAResult cmdlet
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Authentication ltAuthenticationMechanismgt
Specifies the authentication mechanism that is used to authenticate the users credentials Valid
values include Default Basic CredSSP Digest Kerberos Negotiate and
NegotiateWithImplicitCredential The default value is Default
For more information about the -Authentication parameter type the following and then press
Enter
Get-Help Invoke-Command -Parameter Authentication
Required false
Position named
Default value Default
Accept pipeline input false
Accept wildcard characters false
-CertificateThumbprint ltstringgt
Page 45
Specifies the digital public key certificate (X509) of a user account that has rights to perform the
cmdlet action The valid value is the certificate thumbprint of the certificate
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Certificate Thumbprint
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific
computer by adding this parameter Valid values include NETBOS names IP addresses or fully-
qualified domain names of one or more computers in a comma-separated list To specify the local
computer type the computer name or localhost
All formats that are accepted by the -ComputerName parameter in Invoke-Command are
accepted
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ConfigurationName ltstringgt
Specifies the session configuration that is used for a new PSSession
Enter a configuration name or the fully-qualified resource URI for a session configuration
Session configuration data is found on the remote computer on which you want to run a cmdlet
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ConfigurationName
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
The -Context parameter lets you run scans on a submodel in the context of a specific model (one
that is different from the parent model of the submodel) For example an administrator might
want to run a scan on the Backend submodel of the SQL model but only those in the context
of a third model a technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
Page 46
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Credential ltstringgt
Specifies a user account that has permission to run this cmdlet The default value is the current
user
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Credential
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Mode ltModeEnumgt
The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered
documents or discovery The default is to perform both discovery and analysis or All
If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet both discovery and
analysis are performed during a scan
Valid values are Discovery Analysis and All
Required false
Position named
Default value All
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model that you want to scan You can
obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at
a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
Page 47
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-Port ltintgt
Specifies the network port on a remote computer on which you want to run a scan The default
value is port 80
For more information on this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Port
Required false
Position named
Default value 80
Accept pipeline input false
Accept wildcard characters false
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a pathname If the parameter is not used the cmdlet writes
results to the default result repository
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to
scan You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed Not all models have
submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ThrottleLimit ltintgt
Specifies the maximum number of concurrent connections that can be established to run the
cmdlet If you omit this parameter or enter a value of 0 the default value of 32 is used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ThrottleLimit
Required false
Page 48
Position named
Default value 32
Accept pipeline input false
Accept wildcard characters false
-UseSSL [ltSwitchParametergt]
Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer
By default SSL is not used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter UseSSL
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceInvokeBpaModelOutputgt
The output object encapsulates the results of the cmdlet that you entered It contains information such
as the MBCA model ID the success or failure of the cmdlet and other details
NOTES
If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C)
before the temporary results file is copied to its final location the temporary file is discarded and any
previous scan results file for the role are preserved The message Processing of Invoke-MBCAModel
cancelled by user is displayed if the command is cancelled before existing scan results files are
overwritten
If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel
cmdlet and the command is cancelled scans that were completed before the cancel command was
entered cannot be cancelled A scan in progress behaves as described above in the single-model scan
cancellation scenario Subsequent scans in the pipeline are cancelled
If a concurrent scan of the same model is attempted the cmdlet returns the following error message
Another scan for this MBCA model is in progress Only one scan is allowed at a time
-------------------------- EXAMPLE 1 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA
Description
The preceding example starts a MBCA scan on the model that is represented by ltModel Idgt
-------------------------- EXAMPLE 2 --------------------------
Page 49
Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name
redmondmicrosoftcom
Description
The preceding example starts an MBCA scan on the model ID that is specified by Model Id
The administrator starts the MBCA scan with additional model-specific parameters that are exposed by
the model (For an example of how to obtain model-specific parameters see the examples for the Get-
MBCAModel cmdlet)
For example to scan a model that requires model-specific parameters (such as -Scope and -Name) to
be passed to the command the administrator can specify the values of these model-specific
parameters with the Invoke-MBCAModel cmdlet
-------------------------- EXAMPLE 3 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The
cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion
of the scan
-------------------------- EXAMPLE 4 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath
ltRepository Pathgt
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The -
Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on
existing documents that are specified in the non-default repository path provided with the -Repository
Path parameter
-------------------------- EXAMPLE 5 --------------------------
Invoke-MBCAModel -Id ltModel Idgt -SubModelId ltSubModel Idgt -ComputerName
ltServergt -Context ltContext Model Idgt -RepositoryPath ltRespository Pathgt -
AsJob -Authentication ltAuthenticatonMechanismgt -Port ltPort Numbergt -UseSSL -
ThrottleLimit ltThrottle Limitgt
Description
The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id
and on the computer that is represented by Server
Because the administrator only wants to see results from the submodel that apply in the context of a
third model the administrator runs the scan within the context of the model ID that is specified in the -
Context parameter The cmdlet results are saved to the non-default repository path that is specified in
the -RepositoryPath parameter
Because the -AsJob parameter is added the scan runs in the background The -AsJob -
Authentication -Port -UseSSL and -ThrottleLimit parameters are passed through for use by the
Invoke-Command cmdlet to perform discovery on a remote computer For more information about
these parameters see the Help for the Invoke-Command cmdlet available in Windows PowerShell V2
913 Get-MBCAResult
SYNOPSIS
Page 50
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
SYNTAX
Get-MBCAResult [-ModelId] ltstringgt [[-CollectedConfiguration]] -SubModelId
ltstringgt [-ComputerName ltstring[]gt] [-Context ltstringgt] [-Filter
ltFilterEnumgt] [-RepositoryPath ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
To use the command add the -ModelId parameter and then specify the model ID for which you want
to view the most recent MBCA scan results or collected configuration data If you want to retrieve the
configuration data collected add the -CollectedConfiguration switch parameter
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-CollectedConfiguration [ltSwitchParametergt]
The -CollectedConfiguration parameter allows you to obtain the configuration data that was
collected for the most recent MBCA scan If this switch parameter is added to Get-MBCAResults
the cmdlet returns only the configuration data that was collected for a scan
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The -ComputerName parameter lets you obtain scan results that were collected for the most
recent MBCA scan of a submodel on a specific computer To specify the local computer type the
computer name or localhost Multiple values for -ComputerName can be separated by
commas
The -SubModelId parameter is required by the -ComputerName parameter
Valid values for the -ComputerName parameter include localhost a NET BIOS name an IP
address or a fully-qualified domain name (FQDN) of one or more computers in a comma-
separated list
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
Page 51
The -Context parameter lets you obtain scan results that were collected for the most recent
MBCA scan of a submodel in the context of a specific model (one that is different from the parent
model of the submodel) For example an administrator might want to display scan results for the
Backend submodel of the SQL model but only those in the context of a third model a
technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Filter ltFilterEnumgt
The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant
Noncompliant or All results Valid values are Noncompliant Compliant or All The default value
is All
The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan
results You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet obtains
results from the default result repository
Required false
Position named
Page 52
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you
want to view scan results You can obtain valid values for the -SubModelId parameter by running
the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed Not all
models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceResultgt OR
SystemXmlXmlDocument (if -CollectedData specified)
If you do not use the -CollectedConfiguration parameter verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Results
2 Attempting to get MBCA results for Model Id = 0
3 Completed getting MBCA results for Model Id = 0 Number of Results = 1
If you add the -CollectedConfiguration parameter to display configuration data that was used for a
scan verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Configuration Data
2 Attempting to get MBCA collected configuration data for Model Id = 0
3 Completed getting MBCA collected configuration data for Model Id = 0
NOTES
The Get-MBCAResult cmdlet must be run by a member of the Administrators group and it does not
start a new scan
Cancellation behaviour
Single Model - To cancel this cmdlet you must press Ctrl+C before the ResultCollection is displayed
on the console The operation is cancelled and results are not displayed on the console
Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models
the cmdlet generates only those results that were displayed on the console before the cancellation
Any subsequent results in the pipeline are cancelled and not displayed
Page 53
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -Id SQL2008R2BPA
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id
-------------------------- EXAMPLE 2 --------------------------
Get-MBCAModel | Get-MBCAResult
In the preceding example Get-MBCAModel is used to return a list of all MBCA models that are
installed on the computer The results of the Get-MBCAModel cmdlet are piped to the Get-
MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both
supported by MBCA and installed on the computer at which the cmdlet is targeted
-------------------------- EXAMPLE 3 --------------------------
$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$resultDiscoveryDocument
Description
In the preceding example configuration data (in XML form) that was collected during the most recent
Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is
retrieved and stored as a property in the variable $result $resultDiscoveryDocument is of type
SystemXmlXmlDocument
-------------------------- EXAMPLE 4 --------------------------
Get-MBCAResult SQL2008R2BPA -Filter Noncompliant
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id and then applies a filter to show only Noncompliant
results
------------------------- EXAMPLE 5 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId Note that the parent model ID must be specified
to use the -SubModelId parameter
------------------------- EXAMPLE 6 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt -ComputerName ltServergt
-Context ltContext Model Idgt -RepositoryPath ltRepository Pathgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId The parent model ID is provided as required by
the -SubModelID parameter
The -Context parameter indicates that the administrator wants to see only those scan results that are in
the context of the model that is represented by Context Model Id for example only those results from
a SQL Server scan that specifically apply to another technology such as Web Server (IIS)
Page 54
The scan results are further narrowed to only those from a computer that is specified in the -
ComputerName parameter as Server and only those results found in the non-default results
repository that is represented by Repository Path
914 Set-MBCAResult
SYNOPSIS
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
SYNTAX
Set-MBCAResult [[-Exclude] ltBooleangt] [-Results] ltResultgtgt [[-
RepostitoryPath] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
The action specified in the cmdlet (Exclude for example) determines how the existing results of an
MBCA scan are updated Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet
to return a collection of scan results
You can apply filters to results that are returned by the Get-MBCAResult cmdlet and then pipe the
filtered collection of results to the Set-MBCAResult cmdlet specifying either to include or exclude
filtered scan results
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Exclude ltBooleangt
Excludes scan results from the results collection that were previously obtained by the Get-
MBCAResult command To exclude results by using the -Exclude parameter add the value $true
following the parameter as shown
-Exclude $true
To include results that have been excluded use the $false value for the -Exclude parameter
Required false
Position 2
Default value
Accept pipeline input false
Accept wildcard characters false
-RepostitoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet
modifies results from the default result repository
Required false
Page 55
Position 4
Default value
Accept pipeline input false
Accept wildcard characters false
-Results ltResultgtgt
Specifies the result collection to be updated by the Set-MBCAResult cmdlet The -Results
parameter is typically used to specify a filtered subset of scan results that has already been
stored in a variable the variable name is provided as the valid value for the -Results parameter
For example if you have created a variable $allPerformance to store all the Performance
category results for an MBCA scan of all models on a computer and you want to exclude those
Performance results from the complete collection of scan results you add the parameter -Results
$all Performance to a Set-MBCAResult cmdlet
For a more detailed example see the Examples section of the Help for this cmdlet
Required true
Position 3
Default value
Accept pipeline input true (ByValue)
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type ldquoget-
help about_commonparameters
NOTES
If the Set-MBCAResult command is cancelled before the results are written to a file the operation is
cancelled and the results file is not modified If cancellation occurs after the results file has been
modified the commands actions are carried out and the command cannot be cancelled
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -ModelId SQL2008R2BPA | Where $_Category -eq
Performance | Set-MBCAResult -Exclude $true
Description
The first section of the preceding example to the left of the first pipe character (|) uses the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is
represented by Model Id
The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those
scan results for which the category name is equal to Performance
The final section of the example following the second pipe character excludes the Performance
results that were filtered by the previous section of the example
-------------------------- EXAMPLE 2 --------------------------
$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath
CReposPath | Where $_Category -eq Policy
Page 56
Set-MBCAResult -Exclude $true -RepositoryPath CReposPath -Results
$rcPolicy
Description
The first line of the preceding example to the left of the pipe character (|) instructs the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is
represented by Specified Model Id from the specified non-default repository path
The second section of the example after the pipe character filters the results of the Get-MBCAResult
cmdlet to return only those scan results for which the category name is equal to (note the -eq option)
Policy The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet this
variable can be used in subsequent commands to represent those results
The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that
are stored in the $rcPolicy variable In this example the -Results parameter is added because the
administrator wants to exclude a specific subset of scan results for that model and has created the
variable $rcPolicy to represent that subset of results The repository root is specified in the second line
because the administrator wants to modify the results in the same non-default repository from which
the data in $rcPolicy was retrieved
915 MBCA Model Authoring
Further information about configuration and usage of MBCA models you can in the
MBCA_ModelAuthoringGuidedocx
Page 57
Did this paper help you Please give us your feedback Tell us on a scale of 1 (poor) to 5 (excellent)
how would you rate this paper and why have you given it this rating For example
Are you rating it high due to having good examples excellent screen shots clear writing or
another reason
Are you rating it low due to poor examples fuzzy screen shots or unclear writing
This feedback will help us improve the quality of white papers we release
Send feedback
Page 4
Copyright Information
The information contained in this document represents the current view of Microsoft Corporation on the
issues discussed as of the date of publication Because Microsoft must respond to changing market
conditions it should not be interpreted to be a commitment on the part of Microsoft and Microsoft
cannot guarantee the accuracy of any information presented after the date of publication
This white paper is for informational purposes only MICROSOFT MAKES NO WARRANTIES
EXPRESS IMPLIED OR STATUTORY AS TO THE INFORMATION IN THIS DOCUMENT
Information in this document including URL and other Internet Web site references is subject to
change without notice Unless otherwise noted the companies organizations products domain
names e-mail addresses logos people places and events depicted in examples herein are fictitious
No association with any real company organization product domain name e-mail address logo
person place or event is intended or should be inferred Complying with all applicable copyright laws
is the responsibility of the user Without limiting the rights under copyright no part of this document
may be reproduced stored in or introduced into a retrieval system or transmitted in any form or by any
means (electronic mechanical photocopying recording or otherwise) or for any purpose without the
express written permission of Microsoft Corporation
Microsoft may have patents patent applications trademarks copyrights or other intellectual property
rights covering subject matter in this document Except as expressly provided in any written license
agreement from Microsoft the furnishing of this document does not give you any license to these
patents trademarks copyrights or other intellectual property
copy 2010 Microsoft Corporation All rights reserved
Microsoft and SQL Server are trademarks of the Microsoft group of companies
All other trademarks are property of their respective owners
Page 5
1 INTRODUCTION
The Microsoft SQL Server 2008 R2 Best Practices Analyzer (BPA) is a diagnostic tool that performs
the following functions
Gathers information about a server and an instance of Microsoft SQL Server 2008 or 2008 R2
that is installed on that server
Determines if the configurations are set according to the Microsoft recommended best
practices
Reports on all configurations indicating settings that differ from recommendations
Indicates potential problems in the installed instance of SQL Server
Recommends solutions to potential problems
This tool is used by IT Professionals and Database Administrators to help ensure that their installations
of SQL Server and associated products components are adhering to best practices as determined by
the SQL Server Product Teams and CSS This utility scans the installation of a local or remote
machine gathering system data from WMI log files the Event Log the Windows Registry and SQL
Server metadata and compares the results to predefined standards It then produces a report that
shows the results and points the user to additional information on the web to help them determine
whether they should make changes to their systems
For every configuration the SQL Server 2008 R2 BPA provides the following results
Compliance results are returned when an instance of SQL Server satisfies the conditions of a
Best Practices rule Non-compliance results are returned when an instance of SQL Server
does not satisfy the conditions of a Best Practices rule
Impact of non-compliance
Recommendation
Links to more detailed information and related topics
To assist you and to make your DBA life easier Microsoft includes some of these Best Practices in a
couple of products ndash depending on specific purpose of the Software The following diagram illustrates
the variety of tools available to check best practices for SQL Server 2008 and SQL Server 2008 R2 in
parallel or in combination with BPA
Page 6
The big picture ndash automated Best Practices of SQL Server checks offered in different flavours and
products
So you will find a couple of policies in our monitoring solution
SQL Server 2008 R2 Best Practice Analyzer
within more than 140 rules for database engine and other technologies
System Center Operations Manager (SCOM)
within the SQL Management pack (current version 6131436 release date 08172010)
with more than 300 rules and 50 additional monitors
Policy Based Management in SQL Server 2005 and 2008
with predefined policy collection (50+ policies)
There is a whitepaper about PBM here
System Configuration Checker in the SQL Server 2008 setup wizard
The SQL Risk Assessment Toolset (Premier Organisation best practice flagship) offering more
than 200 rules This offering is meant for Premier customers running the SQL RAP against
their most business critical SQL instances
Note This tool set is only available for Microsoft Premier Customers
11 Architecture and data flow of the BPA
The SQL Server 2008 R2 Best Practices Analyzer is an additional ldquomodelrdquo for the Microsoft Baseline
Configuration Analyzer V20 (MBCA) A model is a set of component files that together comprise the
configuration analysis and reporting output from MBCA
The MBCA is imbedded as a PowerShell cmdlet and consists of two major components the MBCA
Engine and the MBCA UI
The MBCA Engine process itself consists of 2 main activities evaluation and discovery The MBCA
Engine is fed by PowerShell discovery Scripts and XML Schema Files which are used during
CSS Rules Advice
and Manifests
SQL Server 2008 R2 Best
Practice Analyzer
SQL 2008 Setup
Policy Based Management
SCOM SQL MP
SQLRAP
Page 7
discovery The discovery activity interrogates the SQL Server Registry WMI Error- and Event-Logs
etc The output is saved in an XML File which is then used in the evaluation activity Evaluation is
performed using the Schematron file This file run by the MBCA engine contains the logic for
evaluating the best practices The final step following the evaluation process is the report generation ndash
which is shown in the MBCA UI
In the flow chart below you will find the anatomy of the SQL Server 2008 R2 Best Practices Analyzer
12 Microsoft Best Practice Analyzer Universe
Microsoft offers many technologies and utilities to produce best practices recommendations
121 SQL Server BPA (older versions)
Microsoft has also created BP Analyzers for your older SQL Server versions and for Windows
SQL Server 2005 Best Practices Analyzer (August 2008)
SQL Server 2000 Best Practices Analyzer (April 2010)
122 Windows Server 2008 R2 Best Practice Analyzer
In Windows management best practices are guidelines that are considered the ideal way under
typical circumstances to configure a server as defined by experts For example it is considered a best
practice for most server technologies to keep open only those ports required for the technologies to
communicate with other networked computers and block unused ports Although best practice
Page 8
violations even crucial ones are not necessarily problematic they indicate server configurations that
can result in poor performance poor reliability unexpected conflicts increased security risks or other
potential problems
Best Practices Analyzer (BPA) is a server management tool that is available in
Windows Serverreg 2008 R2 BPA can help administrators reduce best practice violations by scanning
one or more roles that are installed on Windows Server 2008 R2 and reporting best practice violations
to the administrator Administrators can filter or exclude results from BPA reports that they do not have
to see Administrators can also perform BPA tasks by using either the Server Manager GUI or
Windows PowerShell cmdlets
BPA can also be used on remote servers that are running Windows Server 2008 R2 by using Server
Manager targeted at a remote server For more information about how to run Server Manager targeted
at a remote server see Remote Management with Server Manager
The following BPA modules are currently available
Best Practices Analyzer for Active Directory Certificate Services
Best Practices Analyzer for Active Directory Domain Services
Best Practices Analyzer for Active Directory Rights Management Services
Best Practices Analyzer for Application Server
Best Practices Analyzer for Domain Name System
Best Practices Analyzer for Dynamic Host Configuration Protocol
Best Practices Analyzer for File Services
Best Practices Analyzer for Hyper-V
Best Practices Analyzer for Internet Information Services
Best Practices Analyzer for Network Policy and Access Services
Best Practices Analyzer for Remote Desktop Services
Best Practices Analyzer for Windows Server Update Services
More Information about Windows BPA look here
123 Fix-it
Currently there exists no link between the SQL Server Best Practice Analyzer and the Fixit webpage
httpsupportmicrosoftcomfixit
Microsoft is working on a solution to combine fixit with specific Best Practice Analyzer
httpfixitcentersupportmicrosoftcomPortal
124 Microsoft Automated Troubleshooting Service in Windows Server
2008 R2 and Windows 7
Troubleshooting in Windows Server 2008 R2 and Windows 7 provides several troubleshooting
programs that can automatically fix some common problems with your computer such as problems
with networking hardware and devices using the web and program compatibility
Go to the Windows website to watch a video about using troubleshooters to fix common problems
(330)
When you run a troubleshooter it might ask you some questions or reset common settings as it works
to fix the problem If the troubleshooter fixed the problem you can close the troubleshooter If it couldnt
fix the problem you can view several options that will take you online to try and find an answer In
either case you can always view a complete list of changes made
Page 9
Notes
If you click the Advanced link on a troubleshooter and then clear the Apply repairs
automatically check box the troubleshooter displays a list of fixes to choose from if any
problems are found
Windows includes several troubleshooters and more are available online when you select the
Get the most up-to-date troubleshooters from the Windows Online Troubleshooting service
check box at the bottom of Troubleshooting
httpsupportmicrosoftcomgpsystem_maintenance_for_windows
Page 10
2 SYSTEM REQUIREMENTS
SQL Server 2008 R2 Best Practices Advisor is supported on the following Operating Systems
1 Windows Vista
2 Windows 7
3 Windows Server 2003
4 Windows Server 2003 R2
5 Windows Server 2008
6 Windows Server 2008 R2
Supported editions of SQL Server
1 SQL Server 2008 all editions except Express
2 SQL Server 2008 R2 all editions except Express
Supported Components of SQL Server
1 Analysis Services
2 Database Engine
3 Integration Services
4 Reporting Services
5 Replication
6 Setup
These components are designed as Submodels for the BPA This means that they will be run
concurrently where possible
21 Required Permissions for Running SQL Server 2008 R2 BPA
Administration Privileges
To run MBCA v20 a user must be a member of the administrators group on the machine being
scanned and on the machine the scan is initiated from If a user is not an administrator on the machine
that is being scanned an appropriate error message displays
SQL Server
To successfully access all of the database properties and SQL Server Configurations a user must be
the Systems Administrator (sysadmin) on the instance of SQL Server
Analysis Services
The user or the administrators group must be member of the server administrator role within an
instance of Microsoft SQL Server Analysis Services have unrestricted access to all Analysis Services
objects and data in that instance
httpmsdnmicrosoftcomen-uslibraryms174561aspx
Integration Services
The user or the administrators group must be members of the sysadmin or db_ssisadmin roles
httpmsdnmicrosoftcomen-uslibraryms141053aspx
Reporting Services
Page 11
The user or the administrators group must be member of the System Administrator and Content
Manager role
22 Prerequisites
The following are required for using SQL Server 2008 R2 Best Practices Analyzer
1 PowerShell V20
Windows PowerShell 20 requires the Microsoft NET Framework 20 with Service Pack 1
2 Microsoft Baseline Configuration Analyzer V20
3 SQL Server Management Tools for SQL Server 2008 or SQL Server 2008 R2
The following table outlines the prerequisite Microsoft utilities components by Operating System
necessary to have on your server prior to installing and running SQL Server 2008 R2 BPA
OS 1Install
WinRM
2Install
PowerShell 20
3Install
MBCA 20
Configure PowerShell1 7 Install SQL2008
or SQL 2008 R2
Management Tools 4Remoting 5Execution
Level
6 MaxShells
PerUser
Win Vista Y Y Y Y Y Y Y
Windows 7 N N Y Y Y Y Y
Windows
Server 2003
Y Y Y Y Y Y Y
Windows
Server 2003
R2
Y Y Y Y Y Y Y
Windows
Server 2008
Y Y Y Y Y Y Y
Windows
Server 2008
R2
N N Y Y Y Y Y
1 These changes will be done from the installation routine of the BPA
Page 12
3 INSTALL
We recommend installing BPA on a workstation or administration server and performing the scan
operation remotely against servers in your SQL Server infrastructure It is also possible to install this
tool on the production SQL Server locally
Installation process
1 InstallConfigure PowerShell and WinRM
2 Microsoft Baseline Configuration Analyzer V20
3 Microsoftreg SQL Serverreg 2008 R2 Best Practices Analyzer
It exists two ways to install the Best Practices Analyzer
With a graphical user interface (setup wizard) or
Command line
31 Installing PowerShell 20 and WinRM
BPA install configures WinRM and PowerShell options by default Most of this section is only needed if
something goes wrong and you need to configure this stuff by hand
Windows Server 2003 R2
WinRM is not installed by default but it is available as the Hardware Management feature through the
AddRemove System Components feature in the Control Panel under Management and Monitoring
Tools Complete installation and information about configuring WinRM using the WINRM command-line
tool is available online in the Hardware Management Introduction which describes the WinRM and the
IPMI features in Windows Server 2003 R2
On Windows Vista Windows Server 2003 and Windows Server 2008
This is installed as part of Windows Management Framework Core The WinRM service starts
automatically on Windows Server 2008 On Windows Vista the service must be started manually
On Windows Server 2008 R2 and Windows 7
This is installed as part of the OS
Note Check for additional information and configuration guidelines for WinRM and for PowerShell
20
SQL Server 2008 R2 BPA is able to scan both the local computer and remote computers Therefore in
both the local and remote cases it required that your PowerShell settings be modified These are done
by the BPA installation
PowerShell Execution Policy
The PowerShell Execution Policy is set to Restricted by default To run SQL Server 2008 R2 BPA
through the PowerShell command Line set the policy to RemoteSigned using the below command
Set-ExecutionPolicy RemoteSigned -f
You can use the command Set-ExecutionPolicy Restricted ndashf to set the execution policy back to
restricted This command is not required when executing the scan through the MBCA GUI
After the installation you must enable the PowerShell remote scripting if you are want to use the BPA
remote to another workgroup machine or a computer that have Kerberos enabled You need to run this
command only once on each computer that will receive commands You do not need to run it on
Page 13
computers that only send commands Because the configuration activates listeners it is prudent to run
it only where it is needed You can do this with the following command line
powershellexe -NoLogo -NoProfile -Noninteractive -Command Enable-
PSRemoting -force
Enable-PSRemoting performs configuration actions to enable this machine for remote management
Includes
1 Runs the Set-WSManQuickConfig cmdlet which performs the following tasks
Starts the WinRM service
Sets the startup type on the WinRM service to Automatic
Creates a listener to accept requests on any IP address
Enables a firewall exception for WS-Management communications
Enables all registered Windows PowerShell session configurations to receive instructions
from a remote computer
Registers the MicrosoftPowerShell session configuration if it is not already registered
Registers the MicrosoftPowerShell32 session configuration on 64-bit computers if it is
not already registered
Removes the Deny Everyone setting from the security descriptor for all the registered
session configurations
Restarts the WinRM service to make the preceding changes effective
2 Configures MaxShellsPerUser using winrm set winrmconfigwinrs
``MaxShellsPerUser=`10``
Specifies the maximum number of concurrent shells that any user can remotely open on
the same computer If this policy setting is enabled the user will not be able to open new
remote shells if the count exceeds the specified limit If this policy setting is disabled or is
not configured the limit will be set to 5 remote shells per user by default and you receive
the following error message
[localhost] Connecting to remote server failed with the following
error message The WS-Management service cannot process the
request This user is allowed a maximum number of 5 concurrent
shells which has been exceeded Close existing shells or raise the
quota for this user For more information see the
about_Remote_Troubleshooting Help topic
+ CategoryInfo OpenError
(SystemManagemehellipRemoteRunspa
ceRemoteRunspace) [] PSRemotingTransportException
+ FullyQualifiedErrorId PSSessionOpenFailed
For more information about PowerShell remoting please see MSDN
32 Install MBCA
Download the edition of MBCA depending on your platform (x86 or x64) before installation
Page 14
Please find below the screenshots demonstrating the visual flow of the MBCA Installation
Welcome screen
License terms
Folder selection
Completion screen
33 Install BPA
Download the correct edition depending on your platform (x86 or x64) before installing If you have
trouble with the installation please section 57 Troubleshooting Installation
331 Command line
Following is an optimized command line setup example
msiexec i SQL2008R2BPA_Setup64msi l log ctempsqlbpa_installlog qn
msiexec parameters
i = package name (SQL2008R2BPA_Setup32msi or SQL2008R2BPA_Setup64msi
depending on your platform)
l = log granularity ldquordquo - Log all information except for v and x options
log = log file
q = display settings (qn ndash no user interface)
SKIPCA=1 (if no domain controller is available Skip Certification Authority)
For information on additional public properties Consult the Windowsreg Installer SDK for documentation
on the command line syntax
Page 15
332 GUI
Please find below the screenshots demonstrating the visual flow of the SQL Server 2008 R2 BPA
Installation
Welcome screen
License terms
System Configuration Changes (see 31 Installing PowerShell 20 and WinRM)
Ready to install decision
Install progress
Completion screen
Page 16
333 Port and Firewall restrictions
For scanning SQL Server or BI instances on an alternate server behind a firewall you must open all
necessary ports
34 Updates
Microsoft is working on quarterly updates of the rule set and tool improvements of the SQL Server
2008 R2 Best Practice Analyzer Please visit the Download site from Microsoft regularly to find new
updates
35 Uninstall
351 BPA
352 MBCA
353 Reset PowerShell settings
After the uninstall of the BPA you may disable the PowerShell remote scripting You can do this with
the following command line
powershellexe -NoLogo -NoProfile -Noninteractive -Command Disable-
PSRemoting -force
Disable-PSRemoting performs configuration actions to enable this machine for remote management
Page 17
4 USAGE
There are two ways to scan a server using MBCA and SQL 2008 R2 BPA They are
Scanning through the local machine
o In this case you are using MBCA and SQL 2008 R2 BPA running on the local machine to
perform the scan
o This scan can be of the local or an alternate server
Scanning through a remote machine
o In this case MBCA is used to connect to a remote server that has MBCA and SQL 2008
R2 BPA installed on it
o This scan is using the local machine to form the connection to the remote machine and is
actually performing the scan through the remote machine
41 Help file
The help file for the SQL Server 2008 R2 Best Practice Analyzer contains very useful information This
help file is available after the installation of BPA and is located at Start-gtAll programs-gtSQL Server
2008 R2 BPA
42 GUI
1 Ensure that MBCA v2 and SQL 2008 R2 BPA are installed on the machine
2 Run the MBCA application from the start menu with elevated user rights
Page 18
3 On the MBCA home page ensure the SQL Server 2008 R2 BPArdquo product is selected
4 Click Start Scan which displays a page to specify parameters as shown below
5 Fill in Alternate_Server_to_Scan with the remote machine you want to scan
ComputerName
IP address nnnn
FQDN (Fully Qualified Domain Name)
Enter ldquordquo localhost or leave this blank if you want to scan the local machine
Page 19
Enter the instance name you want to scan To scan the default instance enter MSSQLSERVER
or leave this as blank Toggle the checkboxes to enabledisable scans for those rule categories
Each of the following six check boxes correspond to the SQL Server categories listed previously
Select at least one category in order to run a successful scan
Analyze_SQL_Analysis_Services
Analyze_SQL_Server_Engine
Analyze_SQL_Integration_Services
Analyze_SQL_Server_Replication
Analyze_SQL_Reporting_Services
Analyze_SQL_Server_Setup
Note Only one SQL Server instance can be scanned at a time through the MBCA GUI
6 Click Start Scan MBCA will start the configured scan and display the below page while in
progress
7 When the scan is complete results will be displayed grouped by Severity as shown below
Page 20
43 Connect to a remote computer
A scan connected to a remote computer is different than scanning an alternate server
ldquoConnect to a Remote Computerrdquo is functionality provided by Microsoft Baseline Configuration Analyzer
and is used to remotely run MBCA against a server from the console of the client The client needs to
have MBCA installed but does not need BPA as it is literally running the copy of MBCA installed on the
server using the BPA installed on the server In this case the copy of MBCA installed on the client is
used only to remotely connect to the copy of MBCA installed on the server
To use this functionality you first start MBCA on the client computer and select ldquoConnect to Another
Computerrdquo
1 In the ldquoConnect to Another Computerrdquo text box you can specify a NetBIOS name a fully qualified
domain name (FQDN) or an IPv4 or IPv6 address If no port number is specified the default port
number is used The following are examples of formats that you can specify in the Connect to
Another Computer text box
ComputerName
Page 21
ComputerNamePortNumber
IP address nnnn
IPv6 address [nnnnnnnn]
IPv4 address with port number nnnnPortNumber
IPv6 address with port number [nnnnnnnn]PortNumber
Note If an administrator has changed the computerrsquos default port number any port other than the
default port must be opened in Windows Firewall to allow incoming connections on that port Port
5985 is opened by default when WinRM is configured All other ports remain blocked until opened
For more information about how to unblock a port in Windows Firewall see the Help for Windows
Firewall For more information about how to configure WinRM in a Command Prompt session type
winrm help and then press Enter
2 Additionally you must supply credentials
3 CredSSP
Windows Remote Management (WinRM) supports the delegation of user credentials across
multiple remote computers The multi-hop support functionality can now use Credential Security
Service Provider (CredSSP) for authentication CredSSP enables an application to delegate the
userrsquos credentials from the client computer to the target server
CredSSP authentication is intended for environments where Kerberos delegation cannot be used
Support for CredSSP was added to allow a user to connect to a remote server and have the ability
to access a second-hop machine such as a file share
Note WinRM clients and servers will support CredSSP authentication only with explicit credentials
Windows XP Windows Server 2003 and earlier CredSSP is not supported
First you must set CredSSP on both the client and the server
Using the Group Policy Editor (gpeditmsc) make sure to enable ldquoAllow Delegating Fresh
Credentialsrdquo and check ldquoConcatenate OS defaults with input aboverdquo
Add the server or domain to the list of servers in the format ldquoWSMANdomainnamecomrdquo
Next enable and configure PowerShell Remoting on both the Client and Server by running the
following commands in a PowerShell command window opened with elevated permissions Note
Page 22
You can configure a single machine as both a client and a server simultaneously so that you can
scan from either computer
Enable PowerShell Remoting
o Enable-psremoting ndashf
Settings for a client
o Enable-WSManCredSSP ndashrole Client ndashDelegateComputer [NetBiosNameOfServer]
or
o Enable-WSManCredSSP ndashrole Client ndashDelegateComputer [FQDN OF SERVER]
Settings for the server
o Enable-WSManCredSSP ndashrole Server
o set-item WSManlocalhostShellMaxMemoryPerShellMB ndashValue 20000
o set-item WSManlocalhostShellMaxShellsPerUser ndashvalue 20
44 PowerShell
Details see 91 PowerShell
To use the functionality of the Microsoft Baseline Configuration Analyzer you must import this module
first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
441 Run Scan
To run a full scan of the BPA on the alternate server on a named instance you can use the following
command line
Invoke-MBCAModel -ModelId SQL2008R2BPA -Alternate_Server_to_scan
servername -SQL_Server_Instance_Name instancename -
Analyze_SQL_Server_Engine -Analyze_SQL_Server_Replication -
Page 23
Analyze_SQL_Server_Setup -Analyze_SQL_Analysis_Services -
Analyze_SQL_Integration_Services -Analyze_SQL_Reporting_Services
The result looks like this part
ModelId SQL2008R2BPA
SubModelId
Success True
ScanTime
Success = True is important This is the indicator that your scan was successful
Parameter description
-Alternate_Server_to_scan servername
-SQL_Server_Instance_Name instancename
-Analyze_SQL_Server_Engine
-Analyze_SQL_Server_Replication
-Analyze_SQL_Server_Setup
-Analyze_SQL_Analysis_Services
-Analyze_SQL_Integration_Services
-Analyze_SQL_Reporting_Services
The parameter list is equal the parameter screen in the GUI
The scans of the different services are optional You can remove technologies which you do not need
to scan
The next example starts the scan only for the Analysis Services on the alternate server ldquoservernamerdquo
and for the named instance ldquoinstancerdquo A log file will be written to ldquoctempssastxtrdquo
Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId AnalysisServices -
ComputerName servername -SqlServerInstance instance -SSASLogFile
ctempssastxt
Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId Engine -ComputerName
computername -SqlServerInstance servername -CurrentLoginName
($EnvUSERDOMAIN + + $EnvUSERNAME)ToString() -EngineLogFile
ctempenginetxt ndashRepositoryPath (CTEMPSQL2008 + (Get-
Date)ToString(yyyyMMdd))ToString()
442 Create Report
model = get-MbcaModel ndashModelId sql2008r2bpa
$scanResult = get-MbcaResult ndashModelId sql2008r2bpa
$collectedConfig = get-MbcaResult ndashModelId sql2008r2bpa ndash
CollectedConfiguration
$model $scanResult $collectedConfig | export-CliXml ctempasxml
Get-MBCAResult -ModelId SQL2008R2BPA -SubModelId AnalysisServices |
ConvertTo-Html | Add-Content -Path ctesthtml
The next command retrieves the results of the most recent BPA scan for the specified model and
saves them in HTML format applying the standard cascading style sheets that are stored in the path
windirsystem32WindowsPowerShellv10ModulesBestPracticesBestPracticesReportFormatc
Page 24
ss If you want to substitute cascading style sheets provide the path to the different cascading style
sheets
Get-MBCAResult -ModelId SQL2008R2BPA | $_Severity -eq Warning -or
$_Severity -eq Error | ConvertTo-Html -As Table -property ResultNumber
SubModelID ComputerName Severity Category Title Problem Impact
Resolution Help -Head lth1gtSQL Server 2008 (R2) Best Practice Analyzer
Reportlth1gtrdquo -Title SQL Server 2008 Best Practice Analyzer -body
(ltpgtReport creation date + (Get-Date)ToString(ddMMyyyy hhmmss) +
ltpgt)toString() -pre ltPgtGenerated by user $envusername on computer
$envcomputernameltPgt -post For details contact Microsoft Premier-
CssUri $env BestPracticesReportFormatcss gt ctempsql2008r2bpahtm
443 Exporting and opening reports by using Get-MBCAResult
You can use the Get-MBCAResult cmdlet to export scan results and configuration data to an XML
report that you can open for viewing in the future either by using Get-MBCAResult or by using the
MBCA GUI Exporting reports allows you to compare older scans with more recent scans to measure
the progress of your best practice compliance
Example of exporting to XML
$results = Get-MBCAResult ltModel Idgt
$collectedconfig = Get-MBCAResult ltModel Idgt -CollectedConfiguration
$results $collectedconfig | Export-CliXml cexportxml
Example of opening archived XML report file
$loadedResults $loadedConfiguration = Import-CliXml cexportxml
444 Report Result Directory
The reporting result path
AppDataMicrosoftBaselineConfigurationAnalyzer
2ReportsSQL2008R2BPAResults
Will be overwritten during each run of the tool or invoke command
Solution save older results before you start the check
copy-item -path ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2Reports)ToString() -
destination ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2Reports_ + (Get-
Date)ToString(yyyyMMddhhmmss))ToString() ndashrecurse
Afterwards you can create a report with the following command
$prevrepPath = (Get-ChildItem ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2)ToString() -exclude
Reports | Sort-Object name -descending)[0]
Get-MBCAResult -ModelId SQL2008R2BPA ndashRepositoryPath ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2rdquo +
$prevrepPathname)ToString() | ConvertTo-Html -As Table -property
ResultNumberSubModelID ComputerName Severity Category Title Problem
Impact Resolution Help -Head lth1gtSQL Server 2008 (R2) Best Practice
Analyzer Reportlth1gtrdquo -Title SQL Server 2008 Best Practice Analyzer -body
(ltpgtReport creation date + (Get-Date)ToString(ddMMyyyy hhmmss) +
ltpgt)toString() -pre ltPgtGenerated by user $envusername on computer
Page 25
$envcomputernameltPgt -post For details contact Microsoft Premier gt
ctempsql2008r2bpahtm
Page 26
5 TROUBLESHOOTING
51 Application directories
To following directories are used by MBCA
Report output directory localappdataMicrosoftMicrosoftBaselineConfigurationAnalyzer 2ReportsSQL2008R2BPAResults
Model configuration path ProgramdataMicrosoftMicrosoft Baseline Configuration Analyzer 2ModelsSQL2008R2BPA
Temp and log files directory tempSQL2008R2BPASQL2008ltdategt_lttimegt
Registry [HKEY_LOCAL_MACHINESOFTWAREMicrosoftBaselineConfigurationAnalyzer]
Log Files
During Data Discovery SQL Server 2008 R2 BPA creates log files for troubleshooting The log file
contains the following information
Pre-requisite validation
Timestamp finished rules start and end times
Run-time scripting errors and exceptions from Power Shell Traps
Log Files Location
For every scan log files are created in userrsquos Local Temp directory (Temp) and follows the folder
structure SQL2008R2BPAlt Instance Name gtlt datestamp_timestamp gtlt Log files gt
Note In case of a remote scan the category log files are generated on the remote system at the same
path whereas the common log file is generated in the local system
Log Files Structure
A common log file gets generated and contains information about each categorys execution Apart
from this each category has its own log file which details the rule execution The names of the log files
are given below
Common File - ModelLogtxt
Engine Rules - EngineLogtxt
Replication Rules - ReplicationLogtxt
Setup Rules - SetupLogtxt
Analysis Services Rules - AnalysisServicesLogtxt
Reporting Services Rules - ReportingServicesLogtxt
Integration Services Rules - IntegrationServicesLogtxt
52 Windows Server 2003 ndash NumberOfLogicalProcessors
Analysis Services RID2803 and RID2804 ndash NumberOfLogicalProcessors property is unavailable in
Win32_Processor for with Windows Server 2003
Solution The NumberOfLogicalProcessors property does not exist in the WIN32_PROCESSOR object
in Windows Server 2003 It has been implemented in the hotfix
httpsupportmicrosoftcomkb932370
Both of the rules below will function properly if you apply this hotfix For more information look here
Page 27
53 MBCA
This message indicates that on prerequisite is not installed
Please install the version 2 of the MBCA
54 Where can I find the Instance name in result set of the analyzer
report
The instance name is in the collected data option of the analyzer report in the BPA GUI
55 Memory limit of remote PowerShell process
By default remote PowerShell process can consume only 150 MB or less memory This default limit is
significantly small and once this limit is reached there could be a WinRM exception causing and remote
connection immediately terminates Any application or Cmdlet which is involved in PowerShell
remoting should be tested for this memory limit this may cause some of the command to fail for
example site collection creation
Solution Increase the memory limit for the remote shell Use the following command to increase this
limitation to 1000MB This is only necessary if you need to run those commands on that server
Set-Item WSManlocalhostShellMaxMemoryPerShellMB 1000
56 Remote connect
If you try to ldquoConnect to another computerrdquo from MBCA and you receive the following message
Page 28
You should check first if the Hotfix KB968930 is installed
Afterwards validate that the ldquoWindows Remote Managementrdquo service is started
Enable-PSRemoting
If CredSSP is unsupported or unavailable you will see the following message
Page 29
If you have no permission to access the remote server you get the error message
Page 30
57 Installation
571 PowerShell error
After getting through the Pre-Reqs for BPA (PowerShell 20 MBCA NET Framework) you may hit
one of two scenarios when installing BPA
In all of the cases of an install failure you will see the following error
There is a problem with this Windows Installer package A program run as part of the setup did not
finish as expected Contact your support personnel or package vendor
In your Application Event Log for both of these scenarios you will also see the following entry
Log Name Application
Source MsiInstaller
Date 6102010 83818 AM
Event ID 11722
Task Category None
Level Error
Keywords Classic
User ltUsernamegt
Computer ltMachine namegt
Description
Product Microsoft SQL Server 2008 R2 BPA -- Error 1722 There is a problem
with this Windows Installer package A program run as part of the setup did
not finish as expected Contact your support personnel or package
vendor Action EnablePSRemoting location powershellexe command -NoLogo
-NoProfile -Command Enable-PSRemoting ndashforce
Page 31
This is an indicator that PowerShell is not configured You must run the following command
powershellexe -NoLogo -NoProfile -Command Enable-PSRemoting ndashforce
572 Workgroup or Non-Domain computer
In this scenario the Enable-PSRemoting command should execute fine from a PowerShell prompt
The actual error coming back from the PowerShell command within the Installer is ldquoAccess Deniedrdquo
To work around this issue you can do the following
1 Open a command prompt with Administrative Privileges
2 Change to the directory where the msi file resides
3 Type msiexec i ltMSI Namegt SKIPCA=1
4 MSI Name will either be SQL2008R2BPA_Setup32msi or SQL2008R2BPA_Setup64msi
depending on your platform
5 Once BPA is installed open a PowerShell prompt with Administrative Privileges
6 Execute the following commands
a Enable-PSRemoting
b winrm set winrmconfigwinrs ``MaxShellsPerUser=`10``
This should allow BPA to be successfully installed in the workgroup scenario
573 Kerberos Failure
This scenario is that you are failing with the above due to a Kerberos issue This particular issue could
actually show up after you have installed BPA depending on how you have configured your
environment
The issue stems from the fact that the Windows Remoting Windows Service uses the Network Service
account Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos As a
result it will be using the HOST Service Principal Name (SPN) that is on the Machine Account as it is
running under that context You may have an HTTP SPN that resides on a different account with that
host name For example if you are running an IIS Web Application such as SharePoint or if you are
using Reporting Services and the service account is set to a Domain User account instead of Network
Service or Local System If your URL of your application matches the machine name then your HTTP
SPN will be the same Thatrsquos where this problem comes in WinRM will stop working at that point and
give you a message similar to the following
Set-WSManQuickConfig WinRM cannot process the request The following error
occured while using Negotiate authentication An unknown security error
occurred
Possible causes are
-The user name or password specified are invalid
-Kerberos is used when no authentication method and no user name are
specified
-Kerberos accepts domain user names but not local user names
-The Service Principal Name (SPN) for the remote computer name and port
does not exist
-The client and remote computers are in different domains and there is no
trust between the two domains
After checking for the above issues try the following
-Check the Event Viewer for events related to authentication
-Change the authentication method add the destination computer to the
WinRM TrustedHosts configuration setting or use HTTPS transport
Note that computers in the TrustedHosts list might not be authenticated
-For more information about WinRM configuration run the following
Page 32
command winrm help config
At line50 char33
+ Set-WSManQuickConfig ltltltlt -force
+ CategoryInfo InvalidOperation () [Set-WSManQuickConfig]
InvalidOperationException
+ FullyQualifiedErrorId
WsManErrorMicrosoftWSManManagementSetWSManQuickConfigCommand
You can get this type of error from WinRM for muliple reasons The one that
we saw in our testing was the HTTP SPN scenario
If you do have an HTTP SPN defined on a Domain Account that is using the name of your machine
you have some options First you can follow the steps mentioned above to get BPA installed The
Enable-PSRemoting command will give you the above error You can temporarily remove the HTTP
SPN to get remoting enabled and then re-add the HTTP SPN
Once BPA is setup you will still not be able to run BPA if you put the HTTP SPN back in place You will
see the following when you attempt to perform a scan
This will occur regardless of which component you try to scan It could be the Engine Setup RS etchellip
One option to perform the scan successfully is to temporarily remove the HTTP SPN again run the
scan and then put the HTTP SPN back in place Another option but one that will probably require
further testing from your applicationrsquos end would be to run the application under a Host Header and
then your HTTP SPN would not include the machine name allowing BPA to run without issue
Page 33
6 RULES
Searching for ldquoSQL Server 20087 R2 BPArdquo at Microsoftcom reveals
Here is an example of one of these articles that talks about a rule to check for a recent ldquocleanrdquo
CHECKDB
Page 34
BPA works by measuring a rolersquos compliance with best practice rules in eight different categories of a
rolersquos effectiveness trustworthiness and reliability Results of measurements can be any of the three
severity levels described in the following table
Severity level Description
Noncompliant Noncompliant results are returned when a role does not satisfy the conditions of a rule
Compliant Compliant results are returned when a role satisfies the conditions of a rule
Warning Warning results are returned when a role is compliant as operating currently but may not satisfy the conditions of a
rule if changes are not made to its configuration or policy settings For example a scan of Remote Desktop Services
might show a warning result if a license server is unavailable to the role because even if no remote connections are
active at the time of the scan not having the license server prevents new remote connections from obtaining valid
client access licenses
Page 35
BPA rule categories
The following table describes the categories of best practice rules against which roles are measured
during a BPA scan
Category Name Description
Security Security rules are applied to measure a rolersquos relative risk for exposure to threats such as unauthorized or malicious
users or loss or theft of confidential or proprietary data
Performance Performance rules are applied to measure a rolersquos ability to process requests and perform its prescribed duties in
the enterprise within expected periods of time given the rolersquos workload
Configuration Configuration rules are applied to identify role settings that might require modification for the role to perform
optimally Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role
from performing its prescribed duties in an enterprise
Policy Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the
role to operate optimally and securely
Operation Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise
Predeployment Predeployment rules are applied before an installed role is deployed in the enterprise to let administrators to
evaluate whether best practices were satisfied before you use the role in production
Postdeployment Postdeployment rules are applied after all required services have started for a role and the role is running in the
enterprise
BPA Prerequisites BPA Prerequisite rules explain configuration settings policy settings and features that are required for the role
before BPA can apply specific rules from other categories A prerequisite in scan results indicates that an incorrect
setting a missing role role service or feature an incorrectly enabled or disabled policy a registry key setting or
other configuration has prevented BPA from applying one or more rules during a scan A prerequisite result does
not imply compliance or noncompliance It means that a rule could not be applied and therefore is not part of the
scan results
61 Engine Rules
Please find below a summary of the 74 Engine Rules with the links to the rule descriptions These rules
are checking that you have a secure resilient and well performing SQL configuration
Authentication Mode (httpsupportmicrosoftcomkb2028697)
Lightweight Pooling is enabled (httpsupportmicrosoftcomkb2160691)
Locks Configuration Not Dynamic (httpsupportmicrosoftcomkb2199576)
non-default network packet size in use (httpsupportmicrosoftcomkb2157175)
degree of parallelism not set to recommended value (httpsupportmicrosoftcomkb2023536)
Use Database Mail instead of SQL Mail (httpsupportmicrosoftcomkb2028584)
SQL Server Agent Proxy Account (httpsupportmicrosoftcomkb2160741)
SQL Login Password Policy Strength and password expiry
(httpsupportmicrosoftcomkb2028712)
Trustworthy Bit (httpsupportmicrosoftcomkb2183687)
Symmetric Keys Check (httpsupportmicrosoftcomkb2162020)
Asymmetric Keys Check (httpsupportmicrosoftcomkb2162020)
SQL Server installed on PDC BDC (httpsupportmicrosoftcomkb2032911)
Page 36
SQL Server Admin role membership check (httpsupportmicrosoftcomkb2184138)
Windows API calls intercepted (httpsupportmicrosoftcomkb2033238)
unsupported DotNET framework assemblies present (httpsupportmicrosoftcomkb2033344)
Disk partition starting offset may be incorrect (httpsupportmicrosoftcomkb2023571)
non-default max worker threads value configured (httpsupportmicrosoftcomkb2157129)
Guest Permissions (httpsupportmicrosoftcomkb2186935)
Data and Log files on the same volume (httpsupportmicrosoftcomkb2033523)
IO timeouts and IO controller errors detected (httpsupportmicrosoftcomkb2091098)
IO device errors detected (httpsupportmicrosoftcomkb2091098)
IO errors during page faults detected (httpsupportmicrosoftcomkb2091098)
cluster disk corruption encountered (httpsupportmicrosoftcomkb2091098)
disk defragmentation encountered corruption (httpsupportmicrosoftcomkb2091098)
failed IO requests detected (httpsupportmicrosoftcomkb2091098)
IO requests are successful when retried (httpsupportmicrosoftcomkb2015757)
IO Delay Problems reported by SQL Server (httpsupportmicrosoftcomkb2137408)
This system experienced unexpected shutdowns (httpsupportmicrosoftcomkb2091098)
tempdb corruption errors fix missing (httpsupportmicrosoftcomkb960770)
Critical SQL database inconsistency errors found (httpsupportmicrosoftcomkb2152734)
Logical consistency errors detected (httpsupportmicrosoftcomkb2152472)
Database have auto shrink option enabled (httpsupportmicrosoftcomkb2160663)
SQL Server Error logs are very big (httpsupportmicrosoftcomkb2199578)
incorrect affinity mask settings detected httpsupportmicrosoftcomkb2157114
Very low blocked process threshold setting detected httpsupportmicrosoftcomkb2157154
Potential security issue with legacy DTS stored procedures
httpsupportmicrosoftcomkb2202875
Winsock LSP loaded into SQL httpsupportmicrosoftcomkb2033448
Databases using simple recovery model httpsupportmicrosoftcomkb2137539
User database collation different from model httpsupportmicrosoftcomkb2026108
Database files and backups exist on the same volume httpsupportmicrosoftcomkb2027537
Databases have auto close option enabled httpsupportmicrosoftcomkb2160685
LSI SAS drivers needs update httpsupportmicrosoftcomkb2121098
SQL tempdb database not configured optimally httpsupportmicrosoftcomkb2154845
SQL Database file has sparse attribute set httpsupportmicrosoftcomkb2028447
Invalid startup parameters httpsupportmicrosoftcomkb2028433
MSDTC settings not configured optimally httpsupportmicrosoftcomkb2027550
sql incorrect results fix missing httpsupportmicrosoftcomkb971780
File System needs tuning for better FileStream performance
httpsupportmicrosoftcomkb2160002
linked server memory leak fix missing httpsupportmicrosoftcomkb971622EN-US
Windows service pack is not at recommended level httpsupportmicrosoftcomkb2121098
default extended event health session not in expected state
httpsupportmicrosoftcomkb2160570
TcpSysAndChimneyCheck httpsupportmicrosoftcomKB918483
FDHOST Launcher service is not configured properly httpsupportmicrosoftcomkb2160720
Unrecommended SQL Server Agent service account httpsupportmicrosoftcomkb2160720
A required Windows fix to avoid sparse file related problems is missing
httpsupportmicrosoftcomkb2002606
Page 37
Significant Portion of SQL Server Memory Has Been Paged Out
httpsupportmicrosoftcomkb2028324
Server Exception or Hang Detected on Server httpsupportmicrosoftcomkb2028589
Databases exist without CHECKSUM protection httpsupportmicrosoftcomkb2078345
backups outdated for databases httpsupportmicrosoftcomkb2027537
Database consistency check not current httpsupportmicrosoftcomkb2033590
SQL Server Memory settings are incorrect httpsupportmicrosoftcomKB918483EN-US
Autogrow Failed or took a long time httpsupportmicrosoftcomkb2091024
Storport driver fix from KBA 940467 missing httpsupportmicrosoftcomkb2121098
Storport driver fix from KBA 950903 missing httpsupportmicrosoftcomkb2121098
SQLCLR needs additional memory configuration httpsupportmicrosoftcomkb969962EN-US
Operating System files and drivers needs update for working set trimming
httpsupportmicrosoftcomkb2121098
Agent Token Replacement httpsupportmicrosoftcomkb2202637
Auditing Log in failures httpsupportmicrosoftcomkb2187161
Databases with high number of VLF present httpsupportmicrosoftcomkb2028436
Transparent Data Encryption Certificate httpsupportmicrosoftcomkb2201900
Permission on the Binn folder httpsupportmicrosoftcomkb2029023
Index Statistics Are Outdated
Server public permissions httpsupportmicrosoftcomkb2160698
Detected use of older versions of SQLNCLI httpsupportmicrosoftcomkb979779
62 AS Rules
Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions
Flight Recorder Enabled for SQL Server Analysis Services
httpsupportmicrosoftcomkb2128005
Excessive amount of memory preallocated to Analysis Services
httpsupportmicrosoftcomkb2027474
Server not configured for optimal concurrent query throughput
httpsupportmicrosoftcomkb2135031
Non standard value detected for Analysis Services memory configuration
httpsupportmicrosoftcomkb2027472
Process Thread Pool Max limit above recommended limit
httpsupportmicrosoftcomkb2134497
Process Thread Pool Minimum is below the recommended limit
httpsupportmicrosoftcomkb2134855
Server is running a build with a known regression httpsupportmicrosoftcomkb2157941
Slice not set on a ROLAP partition or a partition where proactive caching is enabled and
ROLAP storage ay occur httpsupportmicrosoftcomkb2027754
Server is ignoring duplicate key errors httpsupportmicrosoftcomkb2027761
No default member defined for non-aggregatable attribute
httpsupportmicrosoftcomkb2027769
UnknownMember set to hidden httpsupportmicrosoftcomkb2027628
Non-numeric key column for high cardinality attribute httpsupportmicrosoftcomkb2028138
Attribute hiearchy enabled for high cardinality non-key attribute
httpsupportmicrosoftcomkb2028143
ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition
detected httpsupportmicrosoftcomkb2132742
Page 38
Account or Time attribute types defined in a non-matching dimension type
httpsupportmicrosoftcomkb2157299
An Account or Time dimension has no matching attribute defined
httpsupportmicrosoftcomkb2027418
Dimension has no attribute defined with the same type
httpsupportmicrosoftcomkb2027443
Attribute Dimension type mismatch httpsupportmicrosoftcomkb2157327
Mismatched dimension attribute types detected in dimension
httpsupportmicrosoftcomkb2027459
Possible incorrect order of levels defined in hierarchy httpsupportmicrosoftcomkb2027460
Define attribute relationships as Rigid where possible httpsupportmicrosoftcomkb2027468
Redundant attribute relationships detected httpsupportmicrosoftcomkb2127437
Diamond-shape relationship detected httpsupportmicrosoftcomkb2127570
Non-Standard Attribute Relationship name detected httpsupportmicrosoftcomkb2127862
Proactive Caching set for dimension without a processing query
httpsupportmicrosoftcomkb2027541
No Time dimension detected httpsupportmicrosoftcomkb2027532
More than 3 parent-child dimensions with custom rollups defined
httpsupportmicrosoftcomkb2134431
Encountered a parent-child dimension with more than 500000 members
httpsupportmicrosoftcomkb2131918
Single attribute dimensions detected httpsupportmicrosoftcomkb2141654
Measure groups with zero dimensional overlap detected in cube
httpsupportmicrosoftcomkb2027609
Proactive Caching set for a partition without a processing query
Default measure for perspective not in the perspective
httpsupportmicrosoftcomkb2027603
Use MOLAP storage for dimensions that participate in semi-additive measure groups
httpsupportmicrosoftcomkb2135112
Measure group defined with no partition httpsupportmicrosoftcomkb2027545
63 RS Rules
RSWindowsNegotiate is missing from your configuration
httpsupportmicrosoftcomkb2145506
HTTP Logging is not enabled httpsupportmicrosoftcomkb2145909
Verbose logging is enabled httpsupportmicrosoftcomkb2146315
NTLM authentication may fail for local httpsupportmicrosoftcomkb2146369
Missing extended protection settings httpsupportmicrosoftcomkb2146062
64 IS Rules
Logging task missing for package httpsupportmicrosoftcomkb2027723
ActiveX Script task detected in package httpsupportmicrosoftcomkb2027712
Unrecommended Integration Services service account detected
httpsupportmicrosoftcomkb2027684
Integration Services logging table found in system database master and or msdb
httpsupportmicrosoftcomkb2027706
Integration Services memory dump detected httpsupportmicrosoftcomkb2027727
Page 39
65 Setup Rules
Unsupported Operating System Version Detected httpsupportmicrosoftcomkb2022909
WOW64 not supported for SQL Failover Clustering httpsupportmicrosoftcomkb2157198
Installer cache is missing for the SQL Installation httpsupportmicrosoftcomkb2015100
SQL Server WMI Provider Health Check
66 Replication Rules
Replication Timeout Alerts Type httpsupportmicrosoftcomkb2118349
Replication Pub and Sub out of sync (Data Validation) httpsupportmicrosoftcomkb2118386
Replication Pub and Sub out of sync (Constraint Violations)
httpsupportmicrosoftcomkb2118410
Replication Pub and Sub out of sync (Skipped Transactions)
httpsupportmicrosoftcomkb2194498
Merge Replication Health Check httpsupportmicrosoftcomkb2118445
Subscriptions Approaching Expiration httpgomicrosoftcomfwlinkLinkId=184483
Replication Cleanup and Retention Health Check httpsupportmicrosoftcomkb2118485
Replication Latency Threshold violations httpsupportmicrosoftcomkb2118425
Page 40
7 HOW TO DEAL WITH DEVIATIONS
Deviations from these Best Practices may indicate potential issues and configuration changes may be
necessary Make sure you have tested any intended changes in a test environment before deploying
them to a production environment You could also find deviations from Best Practices that are
acceptable or even necessary for your environment For example
SAP has its special Network Packet Size of 8 KB
Existing Non-Microsoft Clients ndash would require Mixed Mode Authentication
Page 41
8 MOTIVATION TO USE SQL BPA R2
Bob Ward explained in his Article ldquoWhy use SQL Server 2008 R2 BPA Case 1 Missing Updatesrdquo
the common pitfalls during maintenance and operation of SQL Server and how address them by using
the SQL BPA
In brief itrsquos a customer scenario where the customer is facing an issue after a major update to
SQL2008 After some troubleshooting and an update to a certain CU (that is meant to fix the issue) the
problem still occurs Bobs article states the common resulting consequences ndash the involvement of
Microsoft Support and the final solution ndash adding a needed traceflag
The good news in this story is that the customer would not have needed to go to all that effort if they
would have run the SQL BPA It would have told them about the update and instructed them to put the
traceflag in place BPA is a mechanism that proactively advises you and instructs you on dealing with
common known issues
Page 42
9 ADDITIONAL INFORMATION
91 PowerShell
To use the functionality of the Baseline Configuration Analyzer with PowerShell you must import this
module first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
The following commands are stored in this module
Get-MbcaModel
Get-MbcaResult
Invoke-MbcaModel
Set-MbcaResult
You get help of this command with the following syntax
Get-help ltcommandgt -full
911 Get-MBCAModel
SYNOPSIS
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer
SYNTAX
Get-MBCAModel [[-ModelId] ltstring[]gt] [[-SubModelId] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer If no parameter is
specified Get-MBCAModel returns all models that are installed on the computer If a model is specified
by using the -ModelId parameter information about the specified model is returned
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
The results of the Get-MBCAModel cmdlet include the following details about models
1 Branding information (manufacturer or company display names version number) that is found in
the model manifest
2 Dynamic parameters that are included with the model
3 Submodels that are included with the model
PARAMETERS
-ModelId ltstring[]gt
The -ModelId parameter specifies the ID of the MBCA model about which you want to view
details You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet with no parameters and targeted at a computer on which MBCA models are installed
Page 43
This parameter supports wild card characters
Required false
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you
want to view details You can obtain valid values for the -SubModelId parameter by running the
Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models
are installed Not all models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
Examples
Get-MBCAModel
In the preceding example Get-MBCAModel with no parameters added returns details about all MBCA
models that are installed on the computer
Get-MBCAModel -ModelId SQL2008R2BPA
The preceding example can be used to return details about the MBCA model that is specified in the -
ModelId parameter represented by Model Id
$model= Get-MBCAModel -ModelId SQL2008R2BPA
$modelParameters
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the Parameters property of the model details that were stored in the
$model object returns details about which parameters are supported by the model
Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId ltSubModel Idgt
The preceding example can be used to return details about the MBCA sub-model that is specified by
the -SubModelId parameter represented by SubModel Id Note that the -ModelId parameter is
required by the -SubModelId parameter
$model= Get-MBCAModel -ModelId SQL2008R2BPA
Page 44
$modelSubModels
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the SubModels property of the model details that were stored in the
$model object returns a list of the submodels of the model specified in the first line
912 Invoke-MBCAModel
SYNOPSIS
The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA)
scan for a specific model that is installed on your computer
SYNTAX
Invoke-MBCAModel [-ModelId] ltstringgt -SubModelId ltstringgt [-Authentication
ltAuthenticationMechanismgt] [-CertificateThumbprint ltstringgt] [-ComputerName
ltstring[]gt] [-ConfigurationName ltstringgt] [-Context ltstringgt] [-Credential
ltstringgt] [-Mode ltModeEnumgt] [-Port ltintgt] [-RepositoryPath ltstringgt] [-
ThrottleLimit ltintgt] [-UseSSL] [ltCommonParametersgt]
DESCRIPTION
The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer
(MBCA) scan for a specific model that is installed on your computer The model is specified either by
using the parameter -ModelId or by piping the results of the Get-MBCAModel cmdlet into an Invoke-
MBCAMode cmdlet
After the MBCA scan has been performed the results of the scan are available to be retrieved by Get-
MBCAResult cmdlet
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Authentication ltAuthenticationMechanismgt
Specifies the authentication mechanism that is used to authenticate the users credentials Valid
values include Default Basic CredSSP Digest Kerberos Negotiate and
NegotiateWithImplicitCredential The default value is Default
For more information about the -Authentication parameter type the following and then press
Enter
Get-Help Invoke-Command -Parameter Authentication
Required false
Position named
Default value Default
Accept pipeline input false
Accept wildcard characters false
-CertificateThumbprint ltstringgt
Page 45
Specifies the digital public key certificate (X509) of a user account that has rights to perform the
cmdlet action The valid value is the certificate thumbprint of the certificate
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Certificate Thumbprint
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific
computer by adding this parameter Valid values include NETBOS names IP addresses or fully-
qualified domain names of one or more computers in a comma-separated list To specify the local
computer type the computer name or localhost
All formats that are accepted by the -ComputerName parameter in Invoke-Command are
accepted
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ConfigurationName ltstringgt
Specifies the session configuration that is used for a new PSSession
Enter a configuration name or the fully-qualified resource URI for a session configuration
Session configuration data is found on the remote computer on which you want to run a cmdlet
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ConfigurationName
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
The -Context parameter lets you run scans on a submodel in the context of a specific model (one
that is different from the parent model of the submodel) For example an administrator might
want to run a scan on the Backend submodel of the SQL model but only those in the context
of a third model a technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
Page 46
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Credential ltstringgt
Specifies a user account that has permission to run this cmdlet The default value is the current
user
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Credential
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Mode ltModeEnumgt
The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered
documents or discovery The default is to perform both discovery and analysis or All
If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet both discovery and
analysis are performed during a scan
Valid values are Discovery Analysis and All
Required false
Position named
Default value All
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model that you want to scan You can
obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at
a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
Page 47
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-Port ltintgt
Specifies the network port on a remote computer on which you want to run a scan The default
value is port 80
For more information on this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Port
Required false
Position named
Default value 80
Accept pipeline input false
Accept wildcard characters false
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a pathname If the parameter is not used the cmdlet writes
results to the default result repository
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to
scan You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed Not all models have
submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ThrottleLimit ltintgt
Specifies the maximum number of concurrent connections that can be established to run the
cmdlet If you omit this parameter or enter a value of 0 the default value of 32 is used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ThrottleLimit
Required false
Page 48
Position named
Default value 32
Accept pipeline input false
Accept wildcard characters false
-UseSSL [ltSwitchParametergt]
Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer
By default SSL is not used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter UseSSL
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceInvokeBpaModelOutputgt
The output object encapsulates the results of the cmdlet that you entered It contains information such
as the MBCA model ID the success or failure of the cmdlet and other details
NOTES
If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C)
before the temporary results file is copied to its final location the temporary file is discarded and any
previous scan results file for the role are preserved The message Processing of Invoke-MBCAModel
cancelled by user is displayed if the command is cancelled before existing scan results files are
overwritten
If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel
cmdlet and the command is cancelled scans that were completed before the cancel command was
entered cannot be cancelled A scan in progress behaves as described above in the single-model scan
cancellation scenario Subsequent scans in the pipeline are cancelled
If a concurrent scan of the same model is attempted the cmdlet returns the following error message
Another scan for this MBCA model is in progress Only one scan is allowed at a time
-------------------------- EXAMPLE 1 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA
Description
The preceding example starts a MBCA scan on the model that is represented by ltModel Idgt
-------------------------- EXAMPLE 2 --------------------------
Page 49
Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name
redmondmicrosoftcom
Description
The preceding example starts an MBCA scan on the model ID that is specified by Model Id
The administrator starts the MBCA scan with additional model-specific parameters that are exposed by
the model (For an example of how to obtain model-specific parameters see the examples for the Get-
MBCAModel cmdlet)
For example to scan a model that requires model-specific parameters (such as -Scope and -Name) to
be passed to the command the administrator can specify the values of these model-specific
parameters with the Invoke-MBCAModel cmdlet
-------------------------- EXAMPLE 3 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The
cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion
of the scan
-------------------------- EXAMPLE 4 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath
ltRepository Pathgt
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The -
Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on
existing documents that are specified in the non-default repository path provided with the -Repository
Path parameter
-------------------------- EXAMPLE 5 --------------------------
Invoke-MBCAModel -Id ltModel Idgt -SubModelId ltSubModel Idgt -ComputerName
ltServergt -Context ltContext Model Idgt -RepositoryPath ltRespository Pathgt -
AsJob -Authentication ltAuthenticatonMechanismgt -Port ltPort Numbergt -UseSSL -
ThrottleLimit ltThrottle Limitgt
Description
The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id
and on the computer that is represented by Server
Because the administrator only wants to see results from the submodel that apply in the context of a
third model the administrator runs the scan within the context of the model ID that is specified in the -
Context parameter The cmdlet results are saved to the non-default repository path that is specified in
the -RepositoryPath parameter
Because the -AsJob parameter is added the scan runs in the background The -AsJob -
Authentication -Port -UseSSL and -ThrottleLimit parameters are passed through for use by the
Invoke-Command cmdlet to perform discovery on a remote computer For more information about
these parameters see the Help for the Invoke-Command cmdlet available in Windows PowerShell V2
913 Get-MBCAResult
SYNOPSIS
Page 50
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
SYNTAX
Get-MBCAResult [-ModelId] ltstringgt [[-CollectedConfiguration]] -SubModelId
ltstringgt [-ComputerName ltstring[]gt] [-Context ltstringgt] [-Filter
ltFilterEnumgt] [-RepositoryPath ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
To use the command add the -ModelId parameter and then specify the model ID for which you want
to view the most recent MBCA scan results or collected configuration data If you want to retrieve the
configuration data collected add the -CollectedConfiguration switch parameter
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-CollectedConfiguration [ltSwitchParametergt]
The -CollectedConfiguration parameter allows you to obtain the configuration data that was
collected for the most recent MBCA scan If this switch parameter is added to Get-MBCAResults
the cmdlet returns only the configuration data that was collected for a scan
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The -ComputerName parameter lets you obtain scan results that were collected for the most
recent MBCA scan of a submodel on a specific computer To specify the local computer type the
computer name or localhost Multiple values for -ComputerName can be separated by
commas
The -SubModelId parameter is required by the -ComputerName parameter
Valid values for the -ComputerName parameter include localhost a NET BIOS name an IP
address or a fully-qualified domain name (FQDN) of one or more computers in a comma-
separated list
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
Page 51
The -Context parameter lets you obtain scan results that were collected for the most recent
MBCA scan of a submodel in the context of a specific model (one that is different from the parent
model of the submodel) For example an administrator might want to display scan results for the
Backend submodel of the SQL model but only those in the context of a third model a
technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Filter ltFilterEnumgt
The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant
Noncompliant or All results Valid values are Noncompliant Compliant or All The default value
is All
The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan
results You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet obtains
results from the default result repository
Required false
Position named
Page 52
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you
want to view scan results You can obtain valid values for the -SubModelId parameter by running
the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed Not all
models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceResultgt OR
SystemXmlXmlDocument (if -CollectedData specified)
If you do not use the -CollectedConfiguration parameter verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Results
2 Attempting to get MBCA results for Model Id = 0
3 Completed getting MBCA results for Model Id = 0 Number of Results = 1
If you add the -CollectedConfiguration parameter to display configuration data that was used for a
scan verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Configuration Data
2 Attempting to get MBCA collected configuration data for Model Id = 0
3 Completed getting MBCA collected configuration data for Model Id = 0
NOTES
The Get-MBCAResult cmdlet must be run by a member of the Administrators group and it does not
start a new scan
Cancellation behaviour
Single Model - To cancel this cmdlet you must press Ctrl+C before the ResultCollection is displayed
on the console The operation is cancelled and results are not displayed on the console
Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models
the cmdlet generates only those results that were displayed on the console before the cancellation
Any subsequent results in the pipeline are cancelled and not displayed
Page 53
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -Id SQL2008R2BPA
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id
-------------------------- EXAMPLE 2 --------------------------
Get-MBCAModel | Get-MBCAResult
In the preceding example Get-MBCAModel is used to return a list of all MBCA models that are
installed on the computer The results of the Get-MBCAModel cmdlet are piped to the Get-
MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both
supported by MBCA and installed on the computer at which the cmdlet is targeted
-------------------------- EXAMPLE 3 --------------------------
$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$resultDiscoveryDocument
Description
In the preceding example configuration data (in XML form) that was collected during the most recent
Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is
retrieved and stored as a property in the variable $result $resultDiscoveryDocument is of type
SystemXmlXmlDocument
-------------------------- EXAMPLE 4 --------------------------
Get-MBCAResult SQL2008R2BPA -Filter Noncompliant
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id and then applies a filter to show only Noncompliant
results
------------------------- EXAMPLE 5 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId Note that the parent model ID must be specified
to use the -SubModelId parameter
------------------------- EXAMPLE 6 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt -ComputerName ltServergt
-Context ltContext Model Idgt -RepositoryPath ltRepository Pathgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId The parent model ID is provided as required by
the -SubModelID parameter
The -Context parameter indicates that the administrator wants to see only those scan results that are in
the context of the model that is represented by Context Model Id for example only those results from
a SQL Server scan that specifically apply to another technology such as Web Server (IIS)
Page 54
The scan results are further narrowed to only those from a computer that is specified in the -
ComputerName parameter as Server and only those results found in the non-default results
repository that is represented by Repository Path
914 Set-MBCAResult
SYNOPSIS
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
SYNTAX
Set-MBCAResult [[-Exclude] ltBooleangt] [-Results] ltResultgtgt [[-
RepostitoryPath] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
The action specified in the cmdlet (Exclude for example) determines how the existing results of an
MBCA scan are updated Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet
to return a collection of scan results
You can apply filters to results that are returned by the Get-MBCAResult cmdlet and then pipe the
filtered collection of results to the Set-MBCAResult cmdlet specifying either to include or exclude
filtered scan results
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Exclude ltBooleangt
Excludes scan results from the results collection that were previously obtained by the Get-
MBCAResult command To exclude results by using the -Exclude parameter add the value $true
following the parameter as shown
-Exclude $true
To include results that have been excluded use the $false value for the -Exclude parameter
Required false
Position 2
Default value
Accept pipeline input false
Accept wildcard characters false
-RepostitoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet
modifies results from the default result repository
Required false
Page 55
Position 4
Default value
Accept pipeline input false
Accept wildcard characters false
-Results ltResultgtgt
Specifies the result collection to be updated by the Set-MBCAResult cmdlet The -Results
parameter is typically used to specify a filtered subset of scan results that has already been
stored in a variable the variable name is provided as the valid value for the -Results parameter
For example if you have created a variable $allPerformance to store all the Performance
category results for an MBCA scan of all models on a computer and you want to exclude those
Performance results from the complete collection of scan results you add the parameter -Results
$all Performance to a Set-MBCAResult cmdlet
For a more detailed example see the Examples section of the Help for this cmdlet
Required true
Position 3
Default value
Accept pipeline input true (ByValue)
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type ldquoget-
help about_commonparameters
NOTES
If the Set-MBCAResult command is cancelled before the results are written to a file the operation is
cancelled and the results file is not modified If cancellation occurs after the results file has been
modified the commands actions are carried out and the command cannot be cancelled
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -ModelId SQL2008R2BPA | Where $_Category -eq
Performance | Set-MBCAResult -Exclude $true
Description
The first section of the preceding example to the left of the first pipe character (|) uses the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is
represented by Model Id
The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those
scan results for which the category name is equal to Performance
The final section of the example following the second pipe character excludes the Performance
results that were filtered by the previous section of the example
-------------------------- EXAMPLE 2 --------------------------
$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath
CReposPath | Where $_Category -eq Policy
Page 56
Set-MBCAResult -Exclude $true -RepositoryPath CReposPath -Results
$rcPolicy
Description
The first line of the preceding example to the left of the pipe character (|) instructs the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is
represented by Specified Model Id from the specified non-default repository path
The second section of the example after the pipe character filters the results of the Get-MBCAResult
cmdlet to return only those scan results for which the category name is equal to (note the -eq option)
Policy The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet this
variable can be used in subsequent commands to represent those results
The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that
are stored in the $rcPolicy variable In this example the -Results parameter is added because the
administrator wants to exclude a specific subset of scan results for that model and has created the
variable $rcPolicy to represent that subset of results The repository root is specified in the second line
because the administrator wants to modify the results in the same non-default repository from which
the data in $rcPolicy was retrieved
915 MBCA Model Authoring
Further information about configuration and usage of MBCA models you can in the
MBCA_ModelAuthoringGuidedocx
Page 57
Did this paper help you Please give us your feedback Tell us on a scale of 1 (poor) to 5 (excellent)
how would you rate this paper and why have you given it this rating For example
Are you rating it high due to having good examples excellent screen shots clear writing or
another reason
Are you rating it low due to poor examples fuzzy screen shots or unclear writing
This feedback will help us improve the quality of white papers we release
Send feedback
Page 5
1 INTRODUCTION
The Microsoft SQL Server 2008 R2 Best Practices Analyzer (BPA) is a diagnostic tool that performs
the following functions
Gathers information about a server and an instance of Microsoft SQL Server 2008 or 2008 R2
that is installed on that server
Determines if the configurations are set according to the Microsoft recommended best
practices
Reports on all configurations indicating settings that differ from recommendations
Indicates potential problems in the installed instance of SQL Server
Recommends solutions to potential problems
This tool is used by IT Professionals and Database Administrators to help ensure that their installations
of SQL Server and associated products components are adhering to best practices as determined by
the SQL Server Product Teams and CSS This utility scans the installation of a local or remote
machine gathering system data from WMI log files the Event Log the Windows Registry and SQL
Server metadata and compares the results to predefined standards It then produces a report that
shows the results and points the user to additional information on the web to help them determine
whether they should make changes to their systems
For every configuration the SQL Server 2008 R2 BPA provides the following results
Compliance results are returned when an instance of SQL Server satisfies the conditions of a
Best Practices rule Non-compliance results are returned when an instance of SQL Server
does not satisfy the conditions of a Best Practices rule
Impact of non-compliance
Recommendation
Links to more detailed information and related topics
To assist you and to make your DBA life easier Microsoft includes some of these Best Practices in a
couple of products ndash depending on specific purpose of the Software The following diagram illustrates
the variety of tools available to check best practices for SQL Server 2008 and SQL Server 2008 R2 in
parallel or in combination with BPA
Page 6
The big picture ndash automated Best Practices of SQL Server checks offered in different flavours and
products
So you will find a couple of policies in our monitoring solution
SQL Server 2008 R2 Best Practice Analyzer
within more than 140 rules for database engine and other technologies
System Center Operations Manager (SCOM)
within the SQL Management pack (current version 6131436 release date 08172010)
with more than 300 rules and 50 additional monitors
Policy Based Management in SQL Server 2005 and 2008
with predefined policy collection (50+ policies)
There is a whitepaper about PBM here
System Configuration Checker in the SQL Server 2008 setup wizard
The SQL Risk Assessment Toolset (Premier Organisation best practice flagship) offering more
than 200 rules This offering is meant for Premier customers running the SQL RAP against
their most business critical SQL instances
Note This tool set is only available for Microsoft Premier Customers
11 Architecture and data flow of the BPA
The SQL Server 2008 R2 Best Practices Analyzer is an additional ldquomodelrdquo for the Microsoft Baseline
Configuration Analyzer V20 (MBCA) A model is a set of component files that together comprise the
configuration analysis and reporting output from MBCA
The MBCA is imbedded as a PowerShell cmdlet and consists of two major components the MBCA
Engine and the MBCA UI
The MBCA Engine process itself consists of 2 main activities evaluation and discovery The MBCA
Engine is fed by PowerShell discovery Scripts and XML Schema Files which are used during
CSS Rules Advice
and Manifests
SQL Server 2008 R2 Best
Practice Analyzer
SQL 2008 Setup
Policy Based Management
SCOM SQL MP
SQLRAP
Page 7
discovery The discovery activity interrogates the SQL Server Registry WMI Error- and Event-Logs
etc The output is saved in an XML File which is then used in the evaluation activity Evaluation is
performed using the Schematron file This file run by the MBCA engine contains the logic for
evaluating the best practices The final step following the evaluation process is the report generation ndash
which is shown in the MBCA UI
In the flow chart below you will find the anatomy of the SQL Server 2008 R2 Best Practices Analyzer
12 Microsoft Best Practice Analyzer Universe
Microsoft offers many technologies and utilities to produce best practices recommendations
121 SQL Server BPA (older versions)
Microsoft has also created BP Analyzers for your older SQL Server versions and for Windows
SQL Server 2005 Best Practices Analyzer (August 2008)
SQL Server 2000 Best Practices Analyzer (April 2010)
122 Windows Server 2008 R2 Best Practice Analyzer
In Windows management best practices are guidelines that are considered the ideal way under
typical circumstances to configure a server as defined by experts For example it is considered a best
practice for most server technologies to keep open only those ports required for the technologies to
communicate with other networked computers and block unused ports Although best practice
Page 8
violations even crucial ones are not necessarily problematic they indicate server configurations that
can result in poor performance poor reliability unexpected conflicts increased security risks or other
potential problems
Best Practices Analyzer (BPA) is a server management tool that is available in
Windows Serverreg 2008 R2 BPA can help administrators reduce best practice violations by scanning
one or more roles that are installed on Windows Server 2008 R2 and reporting best practice violations
to the administrator Administrators can filter or exclude results from BPA reports that they do not have
to see Administrators can also perform BPA tasks by using either the Server Manager GUI or
Windows PowerShell cmdlets
BPA can also be used on remote servers that are running Windows Server 2008 R2 by using Server
Manager targeted at a remote server For more information about how to run Server Manager targeted
at a remote server see Remote Management with Server Manager
The following BPA modules are currently available
Best Practices Analyzer for Active Directory Certificate Services
Best Practices Analyzer for Active Directory Domain Services
Best Practices Analyzer for Active Directory Rights Management Services
Best Practices Analyzer for Application Server
Best Practices Analyzer for Domain Name System
Best Practices Analyzer for Dynamic Host Configuration Protocol
Best Practices Analyzer for File Services
Best Practices Analyzer for Hyper-V
Best Practices Analyzer for Internet Information Services
Best Practices Analyzer for Network Policy and Access Services
Best Practices Analyzer for Remote Desktop Services
Best Practices Analyzer for Windows Server Update Services
More Information about Windows BPA look here
123 Fix-it
Currently there exists no link between the SQL Server Best Practice Analyzer and the Fixit webpage
httpsupportmicrosoftcomfixit
Microsoft is working on a solution to combine fixit with specific Best Practice Analyzer
httpfixitcentersupportmicrosoftcomPortal
124 Microsoft Automated Troubleshooting Service in Windows Server
2008 R2 and Windows 7
Troubleshooting in Windows Server 2008 R2 and Windows 7 provides several troubleshooting
programs that can automatically fix some common problems with your computer such as problems
with networking hardware and devices using the web and program compatibility
Go to the Windows website to watch a video about using troubleshooters to fix common problems
(330)
When you run a troubleshooter it might ask you some questions or reset common settings as it works
to fix the problem If the troubleshooter fixed the problem you can close the troubleshooter If it couldnt
fix the problem you can view several options that will take you online to try and find an answer In
either case you can always view a complete list of changes made
Page 9
Notes
If you click the Advanced link on a troubleshooter and then clear the Apply repairs
automatically check box the troubleshooter displays a list of fixes to choose from if any
problems are found
Windows includes several troubleshooters and more are available online when you select the
Get the most up-to-date troubleshooters from the Windows Online Troubleshooting service
check box at the bottom of Troubleshooting
httpsupportmicrosoftcomgpsystem_maintenance_for_windows
Page 10
2 SYSTEM REQUIREMENTS
SQL Server 2008 R2 Best Practices Advisor is supported on the following Operating Systems
1 Windows Vista
2 Windows 7
3 Windows Server 2003
4 Windows Server 2003 R2
5 Windows Server 2008
6 Windows Server 2008 R2
Supported editions of SQL Server
1 SQL Server 2008 all editions except Express
2 SQL Server 2008 R2 all editions except Express
Supported Components of SQL Server
1 Analysis Services
2 Database Engine
3 Integration Services
4 Reporting Services
5 Replication
6 Setup
These components are designed as Submodels for the BPA This means that they will be run
concurrently where possible
21 Required Permissions for Running SQL Server 2008 R2 BPA
Administration Privileges
To run MBCA v20 a user must be a member of the administrators group on the machine being
scanned and on the machine the scan is initiated from If a user is not an administrator on the machine
that is being scanned an appropriate error message displays
SQL Server
To successfully access all of the database properties and SQL Server Configurations a user must be
the Systems Administrator (sysadmin) on the instance of SQL Server
Analysis Services
The user or the administrators group must be member of the server administrator role within an
instance of Microsoft SQL Server Analysis Services have unrestricted access to all Analysis Services
objects and data in that instance
httpmsdnmicrosoftcomen-uslibraryms174561aspx
Integration Services
The user or the administrators group must be members of the sysadmin or db_ssisadmin roles
httpmsdnmicrosoftcomen-uslibraryms141053aspx
Reporting Services
Page 11
The user or the administrators group must be member of the System Administrator and Content
Manager role
22 Prerequisites
The following are required for using SQL Server 2008 R2 Best Practices Analyzer
1 PowerShell V20
Windows PowerShell 20 requires the Microsoft NET Framework 20 with Service Pack 1
2 Microsoft Baseline Configuration Analyzer V20
3 SQL Server Management Tools for SQL Server 2008 or SQL Server 2008 R2
The following table outlines the prerequisite Microsoft utilities components by Operating System
necessary to have on your server prior to installing and running SQL Server 2008 R2 BPA
OS 1Install
WinRM
2Install
PowerShell 20
3Install
MBCA 20
Configure PowerShell1 7 Install SQL2008
or SQL 2008 R2
Management Tools 4Remoting 5Execution
Level
6 MaxShells
PerUser
Win Vista Y Y Y Y Y Y Y
Windows 7 N N Y Y Y Y Y
Windows
Server 2003
Y Y Y Y Y Y Y
Windows
Server 2003
R2
Y Y Y Y Y Y Y
Windows
Server 2008
Y Y Y Y Y Y Y
Windows
Server 2008
R2
N N Y Y Y Y Y
1 These changes will be done from the installation routine of the BPA
Page 12
3 INSTALL
We recommend installing BPA on a workstation or administration server and performing the scan
operation remotely against servers in your SQL Server infrastructure It is also possible to install this
tool on the production SQL Server locally
Installation process
1 InstallConfigure PowerShell and WinRM
2 Microsoft Baseline Configuration Analyzer V20
3 Microsoftreg SQL Serverreg 2008 R2 Best Practices Analyzer
It exists two ways to install the Best Practices Analyzer
With a graphical user interface (setup wizard) or
Command line
31 Installing PowerShell 20 and WinRM
BPA install configures WinRM and PowerShell options by default Most of this section is only needed if
something goes wrong and you need to configure this stuff by hand
Windows Server 2003 R2
WinRM is not installed by default but it is available as the Hardware Management feature through the
AddRemove System Components feature in the Control Panel under Management and Monitoring
Tools Complete installation and information about configuring WinRM using the WINRM command-line
tool is available online in the Hardware Management Introduction which describes the WinRM and the
IPMI features in Windows Server 2003 R2
On Windows Vista Windows Server 2003 and Windows Server 2008
This is installed as part of Windows Management Framework Core The WinRM service starts
automatically on Windows Server 2008 On Windows Vista the service must be started manually
On Windows Server 2008 R2 and Windows 7
This is installed as part of the OS
Note Check for additional information and configuration guidelines for WinRM and for PowerShell
20
SQL Server 2008 R2 BPA is able to scan both the local computer and remote computers Therefore in
both the local and remote cases it required that your PowerShell settings be modified These are done
by the BPA installation
PowerShell Execution Policy
The PowerShell Execution Policy is set to Restricted by default To run SQL Server 2008 R2 BPA
through the PowerShell command Line set the policy to RemoteSigned using the below command
Set-ExecutionPolicy RemoteSigned -f
You can use the command Set-ExecutionPolicy Restricted ndashf to set the execution policy back to
restricted This command is not required when executing the scan through the MBCA GUI
After the installation you must enable the PowerShell remote scripting if you are want to use the BPA
remote to another workgroup machine or a computer that have Kerberos enabled You need to run this
command only once on each computer that will receive commands You do not need to run it on
Page 13
computers that only send commands Because the configuration activates listeners it is prudent to run
it only where it is needed You can do this with the following command line
powershellexe -NoLogo -NoProfile -Noninteractive -Command Enable-
PSRemoting -force
Enable-PSRemoting performs configuration actions to enable this machine for remote management
Includes
1 Runs the Set-WSManQuickConfig cmdlet which performs the following tasks
Starts the WinRM service
Sets the startup type on the WinRM service to Automatic
Creates a listener to accept requests on any IP address
Enables a firewall exception for WS-Management communications
Enables all registered Windows PowerShell session configurations to receive instructions
from a remote computer
Registers the MicrosoftPowerShell session configuration if it is not already registered
Registers the MicrosoftPowerShell32 session configuration on 64-bit computers if it is
not already registered
Removes the Deny Everyone setting from the security descriptor for all the registered
session configurations
Restarts the WinRM service to make the preceding changes effective
2 Configures MaxShellsPerUser using winrm set winrmconfigwinrs
``MaxShellsPerUser=`10``
Specifies the maximum number of concurrent shells that any user can remotely open on
the same computer If this policy setting is enabled the user will not be able to open new
remote shells if the count exceeds the specified limit If this policy setting is disabled or is
not configured the limit will be set to 5 remote shells per user by default and you receive
the following error message
[localhost] Connecting to remote server failed with the following
error message The WS-Management service cannot process the
request This user is allowed a maximum number of 5 concurrent
shells which has been exceeded Close existing shells or raise the
quota for this user For more information see the
about_Remote_Troubleshooting Help topic
+ CategoryInfo OpenError
(SystemManagemehellipRemoteRunspa
ceRemoteRunspace) [] PSRemotingTransportException
+ FullyQualifiedErrorId PSSessionOpenFailed
For more information about PowerShell remoting please see MSDN
32 Install MBCA
Download the edition of MBCA depending on your platform (x86 or x64) before installation
Page 14
Please find below the screenshots demonstrating the visual flow of the MBCA Installation
Welcome screen
License terms
Folder selection
Completion screen
33 Install BPA
Download the correct edition depending on your platform (x86 or x64) before installing If you have
trouble with the installation please section 57 Troubleshooting Installation
331 Command line
Following is an optimized command line setup example
msiexec i SQL2008R2BPA_Setup64msi l log ctempsqlbpa_installlog qn
msiexec parameters
i = package name (SQL2008R2BPA_Setup32msi or SQL2008R2BPA_Setup64msi
depending on your platform)
l = log granularity ldquordquo - Log all information except for v and x options
log = log file
q = display settings (qn ndash no user interface)
SKIPCA=1 (if no domain controller is available Skip Certification Authority)
For information on additional public properties Consult the Windowsreg Installer SDK for documentation
on the command line syntax
Page 15
332 GUI
Please find below the screenshots demonstrating the visual flow of the SQL Server 2008 R2 BPA
Installation
Welcome screen
License terms
System Configuration Changes (see 31 Installing PowerShell 20 and WinRM)
Ready to install decision
Install progress
Completion screen
Page 16
333 Port and Firewall restrictions
For scanning SQL Server or BI instances on an alternate server behind a firewall you must open all
necessary ports
34 Updates
Microsoft is working on quarterly updates of the rule set and tool improvements of the SQL Server
2008 R2 Best Practice Analyzer Please visit the Download site from Microsoft regularly to find new
updates
35 Uninstall
351 BPA
352 MBCA
353 Reset PowerShell settings
After the uninstall of the BPA you may disable the PowerShell remote scripting You can do this with
the following command line
powershellexe -NoLogo -NoProfile -Noninteractive -Command Disable-
PSRemoting -force
Disable-PSRemoting performs configuration actions to enable this machine for remote management
Page 17
4 USAGE
There are two ways to scan a server using MBCA and SQL 2008 R2 BPA They are
Scanning through the local machine
o In this case you are using MBCA and SQL 2008 R2 BPA running on the local machine to
perform the scan
o This scan can be of the local or an alternate server
Scanning through a remote machine
o In this case MBCA is used to connect to a remote server that has MBCA and SQL 2008
R2 BPA installed on it
o This scan is using the local machine to form the connection to the remote machine and is
actually performing the scan through the remote machine
41 Help file
The help file for the SQL Server 2008 R2 Best Practice Analyzer contains very useful information This
help file is available after the installation of BPA and is located at Start-gtAll programs-gtSQL Server
2008 R2 BPA
42 GUI
1 Ensure that MBCA v2 and SQL 2008 R2 BPA are installed on the machine
2 Run the MBCA application from the start menu with elevated user rights
Page 18
3 On the MBCA home page ensure the SQL Server 2008 R2 BPArdquo product is selected
4 Click Start Scan which displays a page to specify parameters as shown below
5 Fill in Alternate_Server_to_Scan with the remote machine you want to scan
ComputerName
IP address nnnn
FQDN (Fully Qualified Domain Name)
Enter ldquordquo localhost or leave this blank if you want to scan the local machine
Page 19
Enter the instance name you want to scan To scan the default instance enter MSSQLSERVER
or leave this as blank Toggle the checkboxes to enabledisable scans for those rule categories
Each of the following six check boxes correspond to the SQL Server categories listed previously
Select at least one category in order to run a successful scan
Analyze_SQL_Analysis_Services
Analyze_SQL_Server_Engine
Analyze_SQL_Integration_Services
Analyze_SQL_Server_Replication
Analyze_SQL_Reporting_Services
Analyze_SQL_Server_Setup
Note Only one SQL Server instance can be scanned at a time through the MBCA GUI
6 Click Start Scan MBCA will start the configured scan and display the below page while in
progress
7 When the scan is complete results will be displayed grouped by Severity as shown below
Page 20
43 Connect to a remote computer
A scan connected to a remote computer is different than scanning an alternate server
ldquoConnect to a Remote Computerrdquo is functionality provided by Microsoft Baseline Configuration Analyzer
and is used to remotely run MBCA against a server from the console of the client The client needs to
have MBCA installed but does not need BPA as it is literally running the copy of MBCA installed on the
server using the BPA installed on the server In this case the copy of MBCA installed on the client is
used only to remotely connect to the copy of MBCA installed on the server
To use this functionality you first start MBCA on the client computer and select ldquoConnect to Another
Computerrdquo
1 In the ldquoConnect to Another Computerrdquo text box you can specify a NetBIOS name a fully qualified
domain name (FQDN) or an IPv4 or IPv6 address If no port number is specified the default port
number is used The following are examples of formats that you can specify in the Connect to
Another Computer text box
ComputerName
Page 21
ComputerNamePortNumber
IP address nnnn
IPv6 address [nnnnnnnn]
IPv4 address with port number nnnnPortNumber
IPv6 address with port number [nnnnnnnn]PortNumber
Note If an administrator has changed the computerrsquos default port number any port other than the
default port must be opened in Windows Firewall to allow incoming connections on that port Port
5985 is opened by default when WinRM is configured All other ports remain blocked until opened
For more information about how to unblock a port in Windows Firewall see the Help for Windows
Firewall For more information about how to configure WinRM in a Command Prompt session type
winrm help and then press Enter
2 Additionally you must supply credentials
3 CredSSP
Windows Remote Management (WinRM) supports the delegation of user credentials across
multiple remote computers The multi-hop support functionality can now use Credential Security
Service Provider (CredSSP) for authentication CredSSP enables an application to delegate the
userrsquos credentials from the client computer to the target server
CredSSP authentication is intended for environments where Kerberos delegation cannot be used
Support for CredSSP was added to allow a user to connect to a remote server and have the ability
to access a second-hop machine such as a file share
Note WinRM clients and servers will support CredSSP authentication only with explicit credentials
Windows XP Windows Server 2003 and earlier CredSSP is not supported
First you must set CredSSP on both the client and the server
Using the Group Policy Editor (gpeditmsc) make sure to enable ldquoAllow Delegating Fresh
Credentialsrdquo and check ldquoConcatenate OS defaults with input aboverdquo
Add the server or domain to the list of servers in the format ldquoWSMANdomainnamecomrdquo
Next enable and configure PowerShell Remoting on both the Client and Server by running the
following commands in a PowerShell command window opened with elevated permissions Note
Page 22
You can configure a single machine as both a client and a server simultaneously so that you can
scan from either computer
Enable PowerShell Remoting
o Enable-psremoting ndashf
Settings for a client
o Enable-WSManCredSSP ndashrole Client ndashDelegateComputer [NetBiosNameOfServer]
or
o Enable-WSManCredSSP ndashrole Client ndashDelegateComputer [FQDN OF SERVER]
Settings for the server
o Enable-WSManCredSSP ndashrole Server
o set-item WSManlocalhostShellMaxMemoryPerShellMB ndashValue 20000
o set-item WSManlocalhostShellMaxShellsPerUser ndashvalue 20
44 PowerShell
Details see 91 PowerShell
To use the functionality of the Microsoft Baseline Configuration Analyzer you must import this module
first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
441 Run Scan
To run a full scan of the BPA on the alternate server on a named instance you can use the following
command line
Invoke-MBCAModel -ModelId SQL2008R2BPA -Alternate_Server_to_scan
servername -SQL_Server_Instance_Name instancename -
Analyze_SQL_Server_Engine -Analyze_SQL_Server_Replication -
Page 23
Analyze_SQL_Server_Setup -Analyze_SQL_Analysis_Services -
Analyze_SQL_Integration_Services -Analyze_SQL_Reporting_Services
The result looks like this part
ModelId SQL2008R2BPA
SubModelId
Success True
ScanTime
Success = True is important This is the indicator that your scan was successful
Parameter description
-Alternate_Server_to_scan servername
-SQL_Server_Instance_Name instancename
-Analyze_SQL_Server_Engine
-Analyze_SQL_Server_Replication
-Analyze_SQL_Server_Setup
-Analyze_SQL_Analysis_Services
-Analyze_SQL_Integration_Services
-Analyze_SQL_Reporting_Services
The parameter list is equal the parameter screen in the GUI
The scans of the different services are optional You can remove technologies which you do not need
to scan
The next example starts the scan only for the Analysis Services on the alternate server ldquoservernamerdquo
and for the named instance ldquoinstancerdquo A log file will be written to ldquoctempssastxtrdquo
Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId AnalysisServices -
ComputerName servername -SqlServerInstance instance -SSASLogFile
ctempssastxt
Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId Engine -ComputerName
computername -SqlServerInstance servername -CurrentLoginName
($EnvUSERDOMAIN + + $EnvUSERNAME)ToString() -EngineLogFile
ctempenginetxt ndashRepositoryPath (CTEMPSQL2008 + (Get-
Date)ToString(yyyyMMdd))ToString()
442 Create Report
model = get-MbcaModel ndashModelId sql2008r2bpa
$scanResult = get-MbcaResult ndashModelId sql2008r2bpa
$collectedConfig = get-MbcaResult ndashModelId sql2008r2bpa ndash
CollectedConfiguration
$model $scanResult $collectedConfig | export-CliXml ctempasxml
Get-MBCAResult -ModelId SQL2008R2BPA -SubModelId AnalysisServices |
ConvertTo-Html | Add-Content -Path ctesthtml
The next command retrieves the results of the most recent BPA scan for the specified model and
saves them in HTML format applying the standard cascading style sheets that are stored in the path
windirsystem32WindowsPowerShellv10ModulesBestPracticesBestPracticesReportFormatc
Page 24
ss If you want to substitute cascading style sheets provide the path to the different cascading style
sheets
Get-MBCAResult -ModelId SQL2008R2BPA | $_Severity -eq Warning -or
$_Severity -eq Error | ConvertTo-Html -As Table -property ResultNumber
SubModelID ComputerName Severity Category Title Problem Impact
Resolution Help -Head lth1gtSQL Server 2008 (R2) Best Practice Analyzer
Reportlth1gtrdquo -Title SQL Server 2008 Best Practice Analyzer -body
(ltpgtReport creation date + (Get-Date)ToString(ddMMyyyy hhmmss) +
ltpgt)toString() -pre ltPgtGenerated by user $envusername on computer
$envcomputernameltPgt -post For details contact Microsoft Premier-
CssUri $env BestPracticesReportFormatcss gt ctempsql2008r2bpahtm
443 Exporting and opening reports by using Get-MBCAResult
You can use the Get-MBCAResult cmdlet to export scan results and configuration data to an XML
report that you can open for viewing in the future either by using Get-MBCAResult or by using the
MBCA GUI Exporting reports allows you to compare older scans with more recent scans to measure
the progress of your best practice compliance
Example of exporting to XML
$results = Get-MBCAResult ltModel Idgt
$collectedconfig = Get-MBCAResult ltModel Idgt -CollectedConfiguration
$results $collectedconfig | Export-CliXml cexportxml
Example of opening archived XML report file
$loadedResults $loadedConfiguration = Import-CliXml cexportxml
444 Report Result Directory
The reporting result path
AppDataMicrosoftBaselineConfigurationAnalyzer
2ReportsSQL2008R2BPAResults
Will be overwritten during each run of the tool or invoke command
Solution save older results before you start the check
copy-item -path ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2Reports)ToString() -
destination ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2Reports_ + (Get-
Date)ToString(yyyyMMddhhmmss))ToString() ndashrecurse
Afterwards you can create a report with the following command
$prevrepPath = (Get-ChildItem ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2)ToString() -exclude
Reports | Sort-Object name -descending)[0]
Get-MBCAResult -ModelId SQL2008R2BPA ndashRepositoryPath ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2rdquo +
$prevrepPathname)ToString() | ConvertTo-Html -As Table -property
ResultNumberSubModelID ComputerName Severity Category Title Problem
Impact Resolution Help -Head lth1gtSQL Server 2008 (R2) Best Practice
Analyzer Reportlth1gtrdquo -Title SQL Server 2008 Best Practice Analyzer -body
(ltpgtReport creation date + (Get-Date)ToString(ddMMyyyy hhmmss) +
ltpgt)toString() -pre ltPgtGenerated by user $envusername on computer
Page 25
$envcomputernameltPgt -post For details contact Microsoft Premier gt
ctempsql2008r2bpahtm
Page 26
5 TROUBLESHOOTING
51 Application directories
To following directories are used by MBCA
Report output directory localappdataMicrosoftMicrosoftBaselineConfigurationAnalyzer 2ReportsSQL2008R2BPAResults
Model configuration path ProgramdataMicrosoftMicrosoft Baseline Configuration Analyzer 2ModelsSQL2008R2BPA
Temp and log files directory tempSQL2008R2BPASQL2008ltdategt_lttimegt
Registry [HKEY_LOCAL_MACHINESOFTWAREMicrosoftBaselineConfigurationAnalyzer]
Log Files
During Data Discovery SQL Server 2008 R2 BPA creates log files for troubleshooting The log file
contains the following information
Pre-requisite validation
Timestamp finished rules start and end times
Run-time scripting errors and exceptions from Power Shell Traps
Log Files Location
For every scan log files are created in userrsquos Local Temp directory (Temp) and follows the folder
structure SQL2008R2BPAlt Instance Name gtlt datestamp_timestamp gtlt Log files gt
Note In case of a remote scan the category log files are generated on the remote system at the same
path whereas the common log file is generated in the local system
Log Files Structure
A common log file gets generated and contains information about each categorys execution Apart
from this each category has its own log file which details the rule execution The names of the log files
are given below
Common File - ModelLogtxt
Engine Rules - EngineLogtxt
Replication Rules - ReplicationLogtxt
Setup Rules - SetupLogtxt
Analysis Services Rules - AnalysisServicesLogtxt
Reporting Services Rules - ReportingServicesLogtxt
Integration Services Rules - IntegrationServicesLogtxt
52 Windows Server 2003 ndash NumberOfLogicalProcessors
Analysis Services RID2803 and RID2804 ndash NumberOfLogicalProcessors property is unavailable in
Win32_Processor for with Windows Server 2003
Solution The NumberOfLogicalProcessors property does not exist in the WIN32_PROCESSOR object
in Windows Server 2003 It has been implemented in the hotfix
httpsupportmicrosoftcomkb932370
Both of the rules below will function properly if you apply this hotfix For more information look here
Page 27
53 MBCA
This message indicates that on prerequisite is not installed
Please install the version 2 of the MBCA
54 Where can I find the Instance name in result set of the analyzer
report
The instance name is in the collected data option of the analyzer report in the BPA GUI
55 Memory limit of remote PowerShell process
By default remote PowerShell process can consume only 150 MB or less memory This default limit is
significantly small and once this limit is reached there could be a WinRM exception causing and remote
connection immediately terminates Any application or Cmdlet which is involved in PowerShell
remoting should be tested for this memory limit this may cause some of the command to fail for
example site collection creation
Solution Increase the memory limit for the remote shell Use the following command to increase this
limitation to 1000MB This is only necessary if you need to run those commands on that server
Set-Item WSManlocalhostShellMaxMemoryPerShellMB 1000
56 Remote connect
If you try to ldquoConnect to another computerrdquo from MBCA and you receive the following message
Page 28
You should check first if the Hotfix KB968930 is installed
Afterwards validate that the ldquoWindows Remote Managementrdquo service is started
Enable-PSRemoting
If CredSSP is unsupported or unavailable you will see the following message
Page 29
If you have no permission to access the remote server you get the error message
Page 30
57 Installation
571 PowerShell error
After getting through the Pre-Reqs for BPA (PowerShell 20 MBCA NET Framework) you may hit
one of two scenarios when installing BPA
In all of the cases of an install failure you will see the following error
There is a problem with this Windows Installer package A program run as part of the setup did not
finish as expected Contact your support personnel or package vendor
In your Application Event Log for both of these scenarios you will also see the following entry
Log Name Application
Source MsiInstaller
Date 6102010 83818 AM
Event ID 11722
Task Category None
Level Error
Keywords Classic
User ltUsernamegt
Computer ltMachine namegt
Description
Product Microsoft SQL Server 2008 R2 BPA -- Error 1722 There is a problem
with this Windows Installer package A program run as part of the setup did
not finish as expected Contact your support personnel or package
vendor Action EnablePSRemoting location powershellexe command -NoLogo
-NoProfile -Command Enable-PSRemoting ndashforce
Page 31
This is an indicator that PowerShell is not configured You must run the following command
powershellexe -NoLogo -NoProfile -Command Enable-PSRemoting ndashforce
572 Workgroup or Non-Domain computer
In this scenario the Enable-PSRemoting command should execute fine from a PowerShell prompt
The actual error coming back from the PowerShell command within the Installer is ldquoAccess Deniedrdquo
To work around this issue you can do the following
1 Open a command prompt with Administrative Privileges
2 Change to the directory where the msi file resides
3 Type msiexec i ltMSI Namegt SKIPCA=1
4 MSI Name will either be SQL2008R2BPA_Setup32msi or SQL2008R2BPA_Setup64msi
depending on your platform
5 Once BPA is installed open a PowerShell prompt with Administrative Privileges
6 Execute the following commands
a Enable-PSRemoting
b winrm set winrmconfigwinrs ``MaxShellsPerUser=`10``
This should allow BPA to be successfully installed in the workgroup scenario
573 Kerberos Failure
This scenario is that you are failing with the above due to a Kerberos issue This particular issue could
actually show up after you have installed BPA depending on how you have configured your
environment
The issue stems from the fact that the Windows Remoting Windows Service uses the Network Service
account Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos As a
result it will be using the HOST Service Principal Name (SPN) that is on the Machine Account as it is
running under that context You may have an HTTP SPN that resides on a different account with that
host name For example if you are running an IIS Web Application such as SharePoint or if you are
using Reporting Services and the service account is set to a Domain User account instead of Network
Service or Local System If your URL of your application matches the machine name then your HTTP
SPN will be the same Thatrsquos where this problem comes in WinRM will stop working at that point and
give you a message similar to the following
Set-WSManQuickConfig WinRM cannot process the request The following error
occured while using Negotiate authentication An unknown security error
occurred
Possible causes are
-The user name or password specified are invalid
-Kerberos is used when no authentication method and no user name are
specified
-Kerberos accepts domain user names but not local user names
-The Service Principal Name (SPN) for the remote computer name and port
does not exist
-The client and remote computers are in different domains and there is no
trust between the two domains
After checking for the above issues try the following
-Check the Event Viewer for events related to authentication
-Change the authentication method add the destination computer to the
WinRM TrustedHosts configuration setting or use HTTPS transport
Note that computers in the TrustedHosts list might not be authenticated
-For more information about WinRM configuration run the following
Page 32
command winrm help config
At line50 char33
+ Set-WSManQuickConfig ltltltlt -force
+ CategoryInfo InvalidOperation () [Set-WSManQuickConfig]
InvalidOperationException
+ FullyQualifiedErrorId
WsManErrorMicrosoftWSManManagementSetWSManQuickConfigCommand
You can get this type of error from WinRM for muliple reasons The one that
we saw in our testing was the HTTP SPN scenario
If you do have an HTTP SPN defined on a Domain Account that is using the name of your machine
you have some options First you can follow the steps mentioned above to get BPA installed The
Enable-PSRemoting command will give you the above error You can temporarily remove the HTTP
SPN to get remoting enabled and then re-add the HTTP SPN
Once BPA is setup you will still not be able to run BPA if you put the HTTP SPN back in place You will
see the following when you attempt to perform a scan
This will occur regardless of which component you try to scan It could be the Engine Setup RS etchellip
One option to perform the scan successfully is to temporarily remove the HTTP SPN again run the
scan and then put the HTTP SPN back in place Another option but one that will probably require
further testing from your applicationrsquos end would be to run the application under a Host Header and
then your HTTP SPN would not include the machine name allowing BPA to run without issue
Page 33
6 RULES
Searching for ldquoSQL Server 20087 R2 BPArdquo at Microsoftcom reveals
Here is an example of one of these articles that talks about a rule to check for a recent ldquocleanrdquo
CHECKDB
Page 34
BPA works by measuring a rolersquos compliance with best practice rules in eight different categories of a
rolersquos effectiveness trustworthiness and reliability Results of measurements can be any of the three
severity levels described in the following table
Severity level Description
Noncompliant Noncompliant results are returned when a role does not satisfy the conditions of a rule
Compliant Compliant results are returned when a role satisfies the conditions of a rule
Warning Warning results are returned when a role is compliant as operating currently but may not satisfy the conditions of a
rule if changes are not made to its configuration or policy settings For example a scan of Remote Desktop Services
might show a warning result if a license server is unavailable to the role because even if no remote connections are
active at the time of the scan not having the license server prevents new remote connections from obtaining valid
client access licenses
Page 35
BPA rule categories
The following table describes the categories of best practice rules against which roles are measured
during a BPA scan
Category Name Description
Security Security rules are applied to measure a rolersquos relative risk for exposure to threats such as unauthorized or malicious
users or loss or theft of confidential or proprietary data
Performance Performance rules are applied to measure a rolersquos ability to process requests and perform its prescribed duties in
the enterprise within expected periods of time given the rolersquos workload
Configuration Configuration rules are applied to identify role settings that might require modification for the role to perform
optimally Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role
from performing its prescribed duties in an enterprise
Policy Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the
role to operate optimally and securely
Operation Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise
Predeployment Predeployment rules are applied before an installed role is deployed in the enterprise to let administrators to
evaluate whether best practices were satisfied before you use the role in production
Postdeployment Postdeployment rules are applied after all required services have started for a role and the role is running in the
enterprise
BPA Prerequisites BPA Prerequisite rules explain configuration settings policy settings and features that are required for the role
before BPA can apply specific rules from other categories A prerequisite in scan results indicates that an incorrect
setting a missing role role service or feature an incorrectly enabled or disabled policy a registry key setting or
other configuration has prevented BPA from applying one or more rules during a scan A prerequisite result does
not imply compliance or noncompliance It means that a rule could not be applied and therefore is not part of the
scan results
61 Engine Rules
Please find below a summary of the 74 Engine Rules with the links to the rule descriptions These rules
are checking that you have a secure resilient and well performing SQL configuration
Authentication Mode (httpsupportmicrosoftcomkb2028697)
Lightweight Pooling is enabled (httpsupportmicrosoftcomkb2160691)
Locks Configuration Not Dynamic (httpsupportmicrosoftcomkb2199576)
non-default network packet size in use (httpsupportmicrosoftcomkb2157175)
degree of parallelism not set to recommended value (httpsupportmicrosoftcomkb2023536)
Use Database Mail instead of SQL Mail (httpsupportmicrosoftcomkb2028584)
SQL Server Agent Proxy Account (httpsupportmicrosoftcomkb2160741)
SQL Login Password Policy Strength and password expiry
(httpsupportmicrosoftcomkb2028712)
Trustworthy Bit (httpsupportmicrosoftcomkb2183687)
Symmetric Keys Check (httpsupportmicrosoftcomkb2162020)
Asymmetric Keys Check (httpsupportmicrosoftcomkb2162020)
SQL Server installed on PDC BDC (httpsupportmicrosoftcomkb2032911)
Page 36
SQL Server Admin role membership check (httpsupportmicrosoftcomkb2184138)
Windows API calls intercepted (httpsupportmicrosoftcomkb2033238)
unsupported DotNET framework assemblies present (httpsupportmicrosoftcomkb2033344)
Disk partition starting offset may be incorrect (httpsupportmicrosoftcomkb2023571)
non-default max worker threads value configured (httpsupportmicrosoftcomkb2157129)
Guest Permissions (httpsupportmicrosoftcomkb2186935)
Data and Log files on the same volume (httpsupportmicrosoftcomkb2033523)
IO timeouts and IO controller errors detected (httpsupportmicrosoftcomkb2091098)
IO device errors detected (httpsupportmicrosoftcomkb2091098)
IO errors during page faults detected (httpsupportmicrosoftcomkb2091098)
cluster disk corruption encountered (httpsupportmicrosoftcomkb2091098)
disk defragmentation encountered corruption (httpsupportmicrosoftcomkb2091098)
failed IO requests detected (httpsupportmicrosoftcomkb2091098)
IO requests are successful when retried (httpsupportmicrosoftcomkb2015757)
IO Delay Problems reported by SQL Server (httpsupportmicrosoftcomkb2137408)
This system experienced unexpected shutdowns (httpsupportmicrosoftcomkb2091098)
tempdb corruption errors fix missing (httpsupportmicrosoftcomkb960770)
Critical SQL database inconsistency errors found (httpsupportmicrosoftcomkb2152734)
Logical consistency errors detected (httpsupportmicrosoftcomkb2152472)
Database have auto shrink option enabled (httpsupportmicrosoftcomkb2160663)
SQL Server Error logs are very big (httpsupportmicrosoftcomkb2199578)
incorrect affinity mask settings detected httpsupportmicrosoftcomkb2157114
Very low blocked process threshold setting detected httpsupportmicrosoftcomkb2157154
Potential security issue with legacy DTS stored procedures
httpsupportmicrosoftcomkb2202875
Winsock LSP loaded into SQL httpsupportmicrosoftcomkb2033448
Databases using simple recovery model httpsupportmicrosoftcomkb2137539
User database collation different from model httpsupportmicrosoftcomkb2026108
Database files and backups exist on the same volume httpsupportmicrosoftcomkb2027537
Databases have auto close option enabled httpsupportmicrosoftcomkb2160685
LSI SAS drivers needs update httpsupportmicrosoftcomkb2121098
SQL tempdb database not configured optimally httpsupportmicrosoftcomkb2154845
SQL Database file has sparse attribute set httpsupportmicrosoftcomkb2028447
Invalid startup parameters httpsupportmicrosoftcomkb2028433
MSDTC settings not configured optimally httpsupportmicrosoftcomkb2027550
sql incorrect results fix missing httpsupportmicrosoftcomkb971780
File System needs tuning for better FileStream performance
httpsupportmicrosoftcomkb2160002
linked server memory leak fix missing httpsupportmicrosoftcomkb971622EN-US
Windows service pack is not at recommended level httpsupportmicrosoftcomkb2121098
default extended event health session not in expected state
httpsupportmicrosoftcomkb2160570
TcpSysAndChimneyCheck httpsupportmicrosoftcomKB918483
FDHOST Launcher service is not configured properly httpsupportmicrosoftcomkb2160720
Unrecommended SQL Server Agent service account httpsupportmicrosoftcomkb2160720
A required Windows fix to avoid sparse file related problems is missing
httpsupportmicrosoftcomkb2002606
Page 37
Significant Portion of SQL Server Memory Has Been Paged Out
httpsupportmicrosoftcomkb2028324
Server Exception or Hang Detected on Server httpsupportmicrosoftcomkb2028589
Databases exist without CHECKSUM protection httpsupportmicrosoftcomkb2078345
backups outdated for databases httpsupportmicrosoftcomkb2027537
Database consistency check not current httpsupportmicrosoftcomkb2033590
SQL Server Memory settings are incorrect httpsupportmicrosoftcomKB918483EN-US
Autogrow Failed or took a long time httpsupportmicrosoftcomkb2091024
Storport driver fix from KBA 940467 missing httpsupportmicrosoftcomkb2121098
Storport driver fix from KBA 950903 missing httpsupportmicrosoftcomkb2121098
SQLCLR needs additional memory configuration httpsupportmicrosoftcomkb969962EN-US
Operating System files and drivers needs update for working set trimming
httpsupportmicrosoftcomkb2121098
Agent Token Replacement httpsupportmicrosoftcomkb2202637
Auditing Log in failures httpsupportmicrosoftcomkb2187161
Databases with high number of VLF present httpsupportmicrosoftcomkb2028436
Transparent Data Encryption Certificate httpsupportmicrosoftcomkb2201900
Permission on the Binn folder httpsupportmicrosoftcomkb2029023
Index Statistics Are Outdated
Server public permissions httpsupportmicrosoftcomkb2160698
Detected use of older versions of SQLNCLI httpsupportmicrosoftcomkb979779
62 AS Rules
Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions
Flight Recorder Enabled for SQL Server Analysis Services
httpsupportmicrosoftcomkb2128005
Excessive amount of memory preallocated to Analysis Services
httpsupportmicrosoftcomkb2027474
Server not configured for optimal concurrent query throughput
httpsupportmicrosoftcomkb2135031
Non standard value detected for Analysis Services memory configuration
httpsupportmicrosoftcomkb2027472
Process Thread Pool Max limit above recommended limit
httpsupportmicrosoftcomkb2134497
Process Thread Pool Minimum is below the recommended limit
httpsupportmicrosoftcomkb2134855
Server is running a build with a known regression httpsupportmicrosoftcomkb2157941
Slice not set on a ROLAP partition or a partition where proactive caching is enabled and
ROLAP storage ay occur httpsupportmicrosoftcomkb2027754
Server is ignoring duplicate key errors httpsupportmicrosoftcomkb2027761
No default member defined for non-aggregatable attribute
httpsupportmicrosoftcomkb2027769
UnknownMember set to hidden httpsupportmicrosoftcomkb2027628
Non-numeric key column for high cardinality attribute httpsupportmicrosoftcomkb2028138
Attribute hiearchy enabled for high cardinality non-key attribute
httpsupportmicrosoftcomkb2028143
ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition
detected httpsupportmicrosoftcomkb2132742
Page 38
Account or Time attribute types defined in a non-matching dimension type
httpsupportmicrosoftcomkb2157299
An Account or Time dimension has no matching attribute defined
httpsupportmicrosoftcomkb2027418
Dimension has no attribute defined with the same type
httpsupportmicrosoftcomkb2027443
Attribute Dimension type mismatch httpsupportmicrosoftcomkb2157327
Mismatched dimension attribute types detected in dimension
httpsupportmicrosoftcomkb2027459
Possible incorrect order of levels defined in hierarchy httpsupportmicrosoftcomkb2027460
Define attribute relationships as Rigid where possible httpsupportmicrosoftcomkb2027468
Redundant attribute relationships detected httpsupportmicrosoftcomkb2127437
Diamond-shape relationship detected httpsupportmicrosoftcomkb2127570
Non-Standard Attribute Relationship name detected httpsupportmicrosoftcomkb2127862
Proactive Caching set for dimension without a processing query
httpsupportmicrosoftcomkb2027541
No Time dimension detected httpsupportmicrosoftcomkb2027532
More than 3 parent-child dimensions with custom rollups defined
httpsupportmicrosoftcomkb2134431
Encountered a parent-child dimension with more than 500000 members
httpsupportmicrosoftcomkb2131918
Single attribute dimensions detected httpsupportmicrosoftcomkb2141654
Measure groups with zero dimensional overlap detected in cube
httpsupportmicrosoftcomkb2027609
Proactive Caching set for a partition without a processing query
Default measure for perspective not in the perspective
httpsupportmicrosoftcomkb2027603
Use MOLAP storage for dimensions that participate in semi-additive measure groups
httpsupportmicrosoftcomkb2135112
Measure group defined with no partition httpsupportmicrosoftcomkb2027545
63 RS Rules
RSWindowsNegotiate is missing from your configuration
httpsupportmicrosoftcomkb2145506
HTTP Logging is not enabled httpsupportmicrosoftcomkb2145909
Verbose logging is enabled httpsupportmicrosoftcomkb2146315
NTLM authentication may fail for local httpsupportmicrosoftcomkb2146369
Missing extended protection settings httpsupportmicrosoftcomkb2146062
64 IS Rules
Logging task missing for package httpsupportmicrosoftcomkb2027723
ActiveX Script task detected in package httpsupportmicrosoftcomkb2027712
Unrecommended Integration Services service account detected
httpsupportmicrosoftcomkb2027684
Integration Services logging table found in system database master and or msdb
httpsupportmicrosoftcomkb2027706
Integration Services memory dump detected httpsupportmicrosoftcomkb2027727
Page 39
65 Setup Rules
Unsupported Operating System Version Detected httpsupportmicrosoftcomkb2022909
WOW64 not supported for SQL Failover Clustering httpsupportmicrosoftcomkb2157198
Installer cache is missing for the SQL Installation httpsupportmicrosoftcomkb2015100
SQL Server WMI Provider Health Check
66 Replication Rules
Replication Timeout Alerts Type httpsupportmicrosoftcomkb2118349
Replication Pub and Sub out of sync (Data Validation) httpsupportmicrosoftcomkb2118386
Replication Pub and Sub out of sync (Constraint Violations)
httpsupportmicrosoftcomkb2118410
Replication Pub and Sub out of sync (Skipped Transactions)
httpsupportmicrosoftcomkb2194498
Merge Replication Health Check httpsupportmicrosoftcomkb2118445
Subscriptions Approaching Expiration httpgomicrosoftcomfwlinkLinkId=184483
Replication Cleanup and Retention Health Check httpsupportmicrosoftcomkb2118485
Replication Latency Threshold violations httpsupportmicrosoftcomkb2118425
Page 40
7 HOW TO DEAL WITH DEVIATIONS
Deviations from these Best Practices may indicate potential issues and configuration changes may be
necessary Make sure you have tested any intended changes in a test environment before deploying
them to a production environment You could also find deviations from Best Practices that are
acceptable or even necessary for your environment For example
SAP has its special Network Packet Size of 8 KB
Existing Non-Microsoft Clients ndash would require Mixed Mode Authentication
Page 41
8 MOTIVATION TO USE SQL BPA R2
Bob Ward explained in his Article ldquoWhy use SQL Server 2008 R2 BPA Case 1 Missing Updatesrdquo
the common pitfalls during maintenance and operation of SQL Server and how address them by using
the SQL BPA
In brief itrsquos a customer scenario where the customer is facing an issue after a major update to
SQL2008 After some troubleshooting and an update to a certain CU (that is meant to fix the issue) the
problem still occurs Bobs article states the common resulting consequences ndash the involvement of
Microsoft Support and the final solution ndash adding a needed traceflag
The good news in this story is that the customer would not have needed to go to all that effort if they
would have run the SQL BPA It would have told them about the update and instructed them to put the
traceflag in place BPA is a mechanism that proactively advises you and instructs you on dealing with
common known issues
Page 42
9 ADDITIONAL INFORMATION
91 PowerShell
To use the functionality of the Baseline Configuration Analyzer with PowerShell you must import this
module first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
The following commands are stored in this module
Get-MbcaModel
Get-MbcaResult
Invoke-MbcaModel
Set-MbcaResult
You get help of this command with the following syntax
Get-help ltcommandgt -full
911 Get-MBCAModel
SYNOPSIS
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer
SYNTAX
Get-MBCAModel [[-ModelId] ltstring[]gt] [[-SubModelId] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer If no parameter is
specified Get-MBCAModel returns all models that are installed on the computer If a model is specified
by using the -ModelId parameter information about the specified model is returned
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
The results of the Get-MBCAModel cmdlet include the following details about models
1 Branding information (manufacturer or company display names version number) that is found in
the model manifest
2 Dynamic parameters that are included with the model
3 Submodels that are included with the model
PARAMETERS
-ModelId ltstring[]gt
The -ModelId parameter specifies the ID of the MBCA model about which you want to view
details You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet with no parameters and targeted at a computer on which MBCA models are installed
Page 43
This parameter supports wild card characters
Required false
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you
want to view details You can obtain valid values for the -SubModelId parameter by running the
Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models
are installed Not all models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
Examples
Get-MBCAModel
In the preceding example Get-MBCAModel with no parameters added returns details about all MBCA
models that are installed on the computer
Get-MBCAModel -ModelId SQL2008R2BPA
The preceding example can be used to return details about the MBCA model that is specified in the -
ModelId parameter represented by Model Id
$model= Get-MBCAModel -ModelId SQL2008R2BPA
$modelParameters
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the Parameters property of the model details that were stored in the
$model object returns details about which parameters are supported by the model
Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId ltSubModel Idgt
The preceding example can be used to return details about the MBCA sub-model that is specified by
the -SubModelId parameter represented by SubModel Id Note that the -ModelId parameter is
required by the -SubModelId parameter
$model= Get-MBCAModel -ModelId SQL2008R2BPA
Page 44
$modelSubModels
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the SubModels property of the model details that were stored in the
$model object returns a list of the submodels of the model specified in the first line
912 Invoke-MBCAModel
SYNOPSIS
The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA)
scan for a specific model that is installed on your computer
SYNTAX
Invoke-MBCAModel [-ModelId] ltstringgt -SubModelId ltstringgt [-Authentication
ltAuthenticationMechanismgt] [-CertificateThumbprint ltstringgt] [-ComputerName
ltstring[]gt] [-ConfigurationName ltstringgt] [-Context ltstringgt] [-Credential
ltstringgt] [-Mode ltModeEnumgt] [-Port ltintgt] [-RepositoryPath ltstringgt] [-
ThrottleLimit ltintgt] [-UseSSL] [ltCommonParametersgt]
DESCRIPTION
The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer
(MBCA) scan for a specific model that is installed on your computer The model is specified either by
using the parameter -ModelId or by piping the results of the Get-MBCAModel cmdlet into an Invoke-
MBCAMode cmdlet
After the MBCA scan has been performed the results of the scan are available to be retrieved by Get-
MBCAResult cmdlet
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Authentication ltAuthenticationMechanismgt
Specifies the authentication mechanism that is used to authenticate the users credentials Valid
values include Default Basic CredSSP Digest Kerberos Negotiate and
NegotiateWithImplicitCredential The default value is Default
For more information about the -Authentication parameter type the following and then press
Enter
Get-Help Invoke-Command -Parameter Authentication
Required false
Position named
Default value Default
Accept pipeline input false
Accept wildcard characters false
-CertificateThumbprint ltstringgt
Page 45
Specifies the digital public key certificate (X509) of a user account that has rights to perform the
cmdlet action The valid value is the certificate thumbprint of the certificate
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Certificate Thumbprint
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific
computer by adding this parameter Valid values include NETBOS names IP addresses or fully-
qualified domain names of one or more computers in a comma-separated list To specify the local
computer type the computer name or localhost
All formats that are accepted by the -ComputerName parameter in Invoke-Command are
accepted
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ConfigurationName ltstringgt
Specifies the session configuration that is used for a new PSSession
Enter a configuration name or the fully-qualified resource URI for a session configuration
Session configuration data is found on the remote computer on which you want to run a cmdlet
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ConfigurationName
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
The -Context parameter lets you run scans on a submodel in the context of a specific model (one
that is different from the parent model of the submodel) For example an administrator might
want to run a scan on the Backend submodel of the SQL model but only those in the context
of a third model a technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
Page 46
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Credential ltstringgt
Specifies a user account that has permission to run this cmdlet The default value is the current
user
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Credential
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Mode ltModeEnumgt
The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered
documents or discovery The default is to perform both discovery and analysis or All
If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet both discovery and
analysis are performed during a scan
Valid values are Discovery Analysis and All
Required false
Position named
Default value All
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model that you want to scan You can
obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at
a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
Page 47
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-Port ltintgt
Specifies the network port on a remote computer on which you want to run a scan The default
value is port 80
For more information on this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Port
Required false
Position named
Default value 80
Accept pipeline input false
Accept wildcard characters false
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a pathname If the parameter is not used the cmdlet writes
results to the default result repository
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to
scan You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed Not all models have
submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ThrottleLimit ltintgt
Specifies the maximum number of concurrent connections that can be established to run the
cmdlet If you omit this parameter or enter a value of 0 the default value of 32 is used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ThrottleLimit
Required false
Page 48
Position named
Default value 32
Accept pipeline input false
Accept wildcard characters false
-UseSSL [ltSwitchParametergt]
Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer
By default SSL is not used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter UseSSL
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceInvokeBpaModelOutputgt
The output object encapsulates the results of the cmdlet that you entered It contains information such
as the MBCA model ID the success or failure of the cmdlet and other details
NOTES
If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C)
before the temporary results file is copied to its final location the temporary file is discarded and any
previous scan results file for the role are preserved The message Processing of Invoke-MBCAModel
cancelled by user is displayed if the command is cancelled before existing scan results files are
overwritten
If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel
cmdlet and the command is cancelled scans that were completed before the cancel command was
entered cannot be cancelled A scan in progress behaves as described above in the single-model scan
cancellation scenario Subsequent scans in the pipeline are cancelled
If a concurrent scan of the same model is attempted the cmdlet returns the following error message
Another scan for this MBCA model is in progress Only one scan is allowed at a time
-------------------------- EXAMPLE 1 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA
Description
The preceding example starts a MBCA scan on the model that is represented by ltModel Idgt
-------------------------- EXAMPLE 2 --------------------------
Page 49
Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name
redmondmicrosoftcom
Description
The preceding example starts an MBCA scan on the model ID that is specified by Model Id
The administrator starts the MBCA scan with additional model-specific parameters that are exposed by
the model (For an example of how to obtain model-specific parameters see the examples for the Get-
MBCAModel cmdlet)
For example to scan a model that requires model-specific parameters (such as -Scope and -Name) to
be passed to the command the administrator can specify the values of these model-specific
parameters with the Invoke-MBCAModel cmdlet
-------------------------- EXAMPLE 3 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The
cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion
of the scan
-------------------------- EXAMPLE 4 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath
ltRepository Pathgt
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The -
Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on
existing documents that are specified in the non-default repository path provided with the -Repository
Path parameter
-------------------------- EXAMPLE 5 --------------------------
Invoke-MBCAModel -Id ltModel Idgt -SubModelId ltSubModel Idgt -ComputerName
ltServergt -Context ltContext Model Idgt -RepositoryPath ltRespository Pathgt -
AsJob -Authentication ltAuthenticatonMechanismgt -Port ltPort Numbergt -UseSSL -
ThrottleLimit ltThrottle Limitgt
Description
The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id
and on the computer that is represented by Server
Because the administrator only wants to see results from the submodel that apply in the context of a
third model the administrator runs the scan within the context of the model ID that is specified in the -
Context parameter The cmdlet results are saved to the non-default repository path that is specified in
the -RepositoryPath parameter
Because the -AsJob parameter is added the scan runs in the background The -AsJob -
Authentication -Port -UseSSL and -ThrottleLimit parameters are passed through for use by the
Invoke-Command cmdlet to perform discovery on a remote computer For more information about
these parameters see the Help for the Invoke-Command cmdlet available in Windows PowerShell V2
913 Get-MBCAResult
SYNOPSIS
Page 50
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
SYNTAX
Get-MBCAResult [-ModelId] ltstringgt [[-CollectedConfiguration]] -SubModelId
ltstringgt [-ComputerName ltstring[]gt] [-Context ltstringgt] [-Filter
ltFilterEnumgt] [-RepositoryPath ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
To use the command add the -ModelId parameter and then specify the model ID for which you want
to view the most recent MBCA scan results or collected configuration data If you want to retrieve the
configuration data collected add the -CollectedConfiguration switch parameter
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-CollectedConfiguration [ltSwitchParametergt]
The -CollectedConfiguration parameter allows you to obtain the configuration data that was
collected for the most recent MBCA scan If this switch parameter is added to Get-MBCAResults
the cmdlet returns only the configuration data that was collected for a scan
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The -ComputerName parameter lets you obtain scan results that were collected for the most
recent MBCA scan of a submodel on a specific computer To specify the local computer type the
computer name or localhost Multiple values for -ComputerName can be separated by
commas
The -SubModelId parameter is required by the -ComputerName parameter
Valid values for the -ComputerName parameter include localhost a NET BIOS name an IP
address or a fully-qualified domain name (FQDN) of one or more computers in a comma-
separated list
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
Page 51
The -Context parameter lets you obtain scan results that were collected for the most recent
MBCA scan of a submodel in the context of a specific model (one that is different from the parent
model of the submodel) For example an administrator might want to display scan results for the
Backend submodel of the SQL model but only those in the context of a third model a
technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Filter ltFilterEnumgt
The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant
Noncompliant or All results Valid values are Noncompliant Compliant or All The default value
is All
The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan
results You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet obtains
results from the default result repository
Required false
Position named
Page 52
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you
want to view scan results You can obtain valid values for the -SubModelId parameter by running
the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed Not all
models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceResultgt OR
SystemXmlXmlDocument (if -CollectedData specified)
If you do not use the -CollectedConfiguration parameter verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Results
2 Attempting to get MBCA results for Model Id = 0
3 Completed getting MBCA results for Model Id = 0 Number of Results = 1
If you add the -CollectedConfiguration parameter to display configuration data that was used for a
scan verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Configuration Data
2 Attempting to get MBCA collected configuration data for Model Id = 0
3 Completed getting MBCA collected configuration data for Model Id = 0
NOTES
The Get-MBCAResult cmdlet must be run by a member of the Administrators group and it does not
start a new scan
Cancellation behaviour
Single Model - To cancel this cmdlet you must press Ctrl+C before the ResultCollection is displayed
on the console The operation is cancelled and results are not displayed on the console
Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models
the cmdlet generates only those results that were displayed on the console before the cancellation
Any subsequent results in the pipeline are cancelled and not displayed
Page 53
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -Id SQL2008R2BPA
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id
-------------------------- EXAMPLE 2 --------------------------
Get-MBCAModel | Get-MBCAResult
In the preceding example Get-MBCAModel is used to return a list of all MBCA models that are
installed on the computer The results of the Get-MBCAModel cmdlet are piped to the Get-
MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both
supported by MBCA and installed on the computer at which the cmdlet is targeted
-------------------------- EXAMPLE 3 --------------------------
$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$resultDiscoveryDocument
Description
In the preceding example configuration data (in XML form) that was collected during the most recent
Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is
retrieved and stored as a property in the variable $result $resultDiscoveryDocument is of type
SystemXmlXmlDocument
-------------------------- EXAMPLE 4 --------------------------
Get-MBCAResult SQL2008R2BPA -Filter Noncompliant
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id and then applies a filter to show only Noncompliant
results
------------------------- EXAMPLE 5 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId Note that the parent model ID must be specified
to use the -SubModelId parameter
------------------------- EXAMPLE 6 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt -ComputerName ltServergt
-Context ltContext Model Idgt -RepositoryPath ltRepository Pathgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId The parent model ID is provided as required by
the -SubModelID parameter
The -Context parameter indicates that the administrator wants to see only those scan results that are in
the context of the model that is represented by Context Model Id for example only those results from
a SQL Server scan that specifically apply to another technology such as Web Server (IIS)
Page 54
The scan results are further narrowed to only those from a computer that is specified in the -
ComputerName parameter as Server and only those results found in the non-default results
repository that is represented by Repository Path
914 Set-MBCAResult
SYNOPSIS
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
SYNTAX
Set-MBCAResult [[-Exclude] ltBooleangt] [-Results] ltResultgtgt [[-
RepostitoryPath] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
The action specified in the cmdlet (Exclude for example) determines how the existing results of an
MBCA scan are updated Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet
to return a collection of scan results
You can apply filters to results that are returned by the Get-MBCAResult cmdlet and then pipe the
filtered collection of results to the Set-MBCAResult cmdlet specifying either to include or exclude
filtered scan results
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Exclude ltBooleangt
Excludes scan results from the results collection that were previously obtained by the Get-
MBCAResult command To exclude results by using the -Exclude parameter add the value $true
following the parameter as shown
-Exclude $true
To include results that have been excluded use the $false value for the -Exclude parameter
Required false
Position 2
Default value
Accept pipeline input false
Accept wildcard characters false
-RepostitoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet
modifies results from the default result repository
Required false
Page 55
Position 4
Default value
Accept pipeline input false
Accept wildcard characters false
-Results ltResultgtgt
Specifies the result collection to be updated by the Set-MBCAResult cmdlet The -Results
parameter is typically used to specify a filtered subset of scan results that has already been
stored in a variable the variable name is provided as the valid value for the -Results parameter
For example if you have created a variable $allPerformance to store all the Performance
category results for an MBCA scan of all models on a computer and you want to exclude those
Performance results from the complete collection of scan results you add the parameter -Results
$all Performance to a Set-MBCAResult cmdlet
For a more detailed example see the Examples section of the Help for this cmdlet
Required true
Position 3
Default value
Accept pipeline input true (ByValue)
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type ldquoget-
help about_commonparameters
NOTES
If the Set-MBCAResult command is cancelled before the results are written to a file the operation is
cancelled and the results file is not modified If cancellation occurs after the results file has been
modified the commands actions are carried out and the command cannot be cancelled
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -ModelId SQL2008R2BPA | Where $_Category -eq
Performance | Set-MBCAResult -Exclude $true
Description
The first section of the preceding example to the left of the first pipe character (|) uses the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is
represented by Model Id
The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those
scan results for which the category name is equal to Performance
The final section of the example following the second pipe character excludes the Performance
results that were filtered by the previous section of the example
-------------------------- EXAMPLE 2 --------------------------
$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath
CReposPath | Where $_Category -eq Policy
Page 56
Set-MBCAResult -Exclude $true -RepositoryPath CReposPath -Results
$rcPolicy
Description
The first line of the preceding example to the left of the pipe character (|) instructs the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is
represented by Specified Model Id from the specified non-default repository path
The second section of the example after the pipe character filters the results of the Get-MBCAResult
cmdlet to return only those scan results for which the category name is equal to (note the -eq option)
Policy The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet this
variable can be used in subsequent commands to represent those results
The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that
are stored in the $rcPolicy variable In this example the -Results parameter is added because the
administrator wants to exclude a specific subset of scan results for that model and has created the
variable $rcPolicy to represent that subset of results The repository root is specified in the second line
because the administrator wants to modify the results in the same non-default repository from which
the data in $rcPolicy was retrieved
915 MBCA Model Authoring
Further information about configuration and usage of MBCA models you can in the
MBCA_ModelAuthoringGuidedocx
Page 57
Did this paper help you Please give us your feedback Tell us on a scale of 1 (poor) to 5 (excellent)
how would you rate this paper and why have you given it this rating For example
Are you rating it high due to having good examples excellent screen shots clear writing or
another reason
Are you rating it low due to poor examples fuzzy screen shots or unclear writing
This feedback will help us improve the quality of white papers we release
Send feedback
Page 6
The big picture ndash automated Best Practices of SQL Server checks offered in different flavours and
products
So you will find a couple of policies in our monitoring solution
SQL Server 2008 R2 Best Practice Analyzer
within more than 140 rules for database engine and other technologies
System Center Operations Manager (SCOM)
within the SQL Management pack (current version 6131436 release date 08172010)
with more than 300 rules and 50 additional monitors
Policy Based Management in SQL Server 2005 and 2008
with predefined policy collection (50+ policies)
There is a whitepaper about PBM here
System Configuration Checker in the SQL Server 2008 setup wizard
The SQL Risk Assessment Toolset (Premier Organisation best practice flagship) offering more
than 200 rules This offering is meant for Premier customers running the SQL RAP against
their most business critical SQL instances
Note This tool set is only available for Microsoft Premier Customers
11 Architecture and data flow of the BPA
The SQL Server 2008 R2 Best Practices Analyzer is an additional ldquomodelrdquo for the Microsoft Baseline
Configuration Analyzer V20 (MBCA) A model is a set of component files that together comprise the
configuration analysis and reporting output from MBCA
The MBCA is imbedded as a PowerShell cmdlet and consists of two major components the MBCA
Engine and the MBCA UI
The MBCA Engine process itself consists of 2 main activities evaluation and discovery The MBCA
Engine is fed by PowerShell discovery Scripts and XML Schema Files which are used during
CSS Rules Advice
and Manifests
SQL Server 2008 R2 Best
Practice Analyzer
SQL 2008 Setup
Policy Based Management
SCOM SQL MP
SQLRAP
Page 7
discovery The discovery activity interrogates the SQL Server Registry WMI Error- and Event-Logs
etc The output is saved in an XML File which is then used in the evaluation activity Evaluation is
performed using the Schematron file This file run by the MBCA engine contains the logic for
evaluating the best practices The final step following the evaluation process is the report generation ndash
which is shown in the MBCA UI
In the flow chart below you will find the anatomy of the SQL Server 2008 R2 Best Practices Analyzer
12 Microsoft Best Practice Analyzer Universe
Microsoft offers many technologies and utilities to produce best practices recommendations
121 SQL Server BPA (older versions)
Microsoft has also created BP Analyzers for your older SQL Server versions and for Windows
SQL Server 2005 Best Practices Analyzer (August 2008)
SQL Server 2000 Best Practices Analyzer (April 2010)
122 Windows Server 2008 R2 Best Practice Analyzer
In Windows management best practices are guidelines that are considered the ideal way under
typical circumstances to configure a server as defined by experts For example it is considered a best
practice for most server technologies to keep open only those ports required for the technologies to
communicate with other networked computers and block unused ports Although best practice
Page 8
violations even crucial ones are not necessarily problematic they indicate server configurations that
can result in poor performance poor reliability unexpected conflicts increased security risks or other
potential problems
Best Practices Analyzer (BPA) is a server management tool that is available in
Windows Serverreg 2008 R2 BPA can help administrators reduce best practice violations by scanning
one or more roles that are installed on Windows Server 2008 R2 and reporting best practice violations
to the administrator Administrators can filter or exclude results from BPA reports that they do not have
to see Administrators can also perform BPA tasks by using either the Server Manager GUI or
Windows PowerShell cmdlets
BPA can also be used on remote servers that are running Windows Server 2008 R2 by using Server
Manager targeted at a remote server For more information about how to run Server Manager targeted
at a remote server see Remote Management with Server Manager
The following BPA modules are currently available
Best Practices Analyzer for Active Directory Certificate Services
Best Practices Analyzer for Active Directory Domain Services
Best Practices Analyzer for Active Directory Rights Management Services
Best Practices Analyzer for Application Server
Best Practices Analyzer for Domain Name System
Best Practices Analyzer for Dynamic Host Configuration Protocol
Best Practices Analyzer for File Services
Best Practices Analyzer for Hyper-V
Best Practices Analyzer for Internet Information Services
Best Practices Analyzer for Network Policy and Access Services
Best Practices Analyzer for Remote Desktop Services
Best Practices Analyzer for Windows Server Update Services
More Information about Windows BPA look here
123 Fix-it
Currently there exists no link between the SQL Server Best Practice Analyzer and the Fixit webpage
httpsupportmicrosoftcomfixit
Microsoft is working on a solution to combine fixit with specific Best Practice Analyzer
httpfixitcentersupportmicrosoftcomPortal
124 Microsoft Automated Troubleshooting Service in Windows Server
2008 R2 and Windows 7
Troubleshooting in Windows Server 2008 R2 and Windows 7 provides several troubleshooting
programs that can automatically fix some common problems with your computer such as problems
with networking hardware and devices using the web and program compatibility
Go to the Windows website to watch a video about using troubleshooters to fix common problems
(330)
When you run a troubleshooter it might ask you some questions or reset common settings as it works
to fix the problem If the troubleshooter fixed the problem you can close the troubleshooter If it couldnt
fix the problem you can view several options that will take you online to try and find an answer In
either case you can always view a complete list of changes made
Page 9
Notes
If you click the Advanced link on a troubleshooter and then clear the Apply repairs
automatically check box the troubleshooter displays a list of fixes to choose from if any
problems are found
Windows includes several troubleshooters and more are available online when you select the
Get the most up-to-date troubleshooters from the Windows Online Troubleshooting service
check box at the bottom of Troubleshooting
httpsupportmicrosoftcomgpsystem_maintenance_for_windows
Page 10
2 SYSTEM REQUIREMENTS
SQL Server 2008 R2 Best Practices Advisor is supported on the following Operating Systems
1 Windows Vista
2 Windows 7
3 Windows Server 2003
4 Windows Server 2003 R2
5 Windows Server 2008
6 Windows Server 2008 R2
Supported editions of SQL Server
1 SQL Server 2008 all editions except Express
2 SQL Server 2008 R2 all editions except Express
Supported Components of SQL Server
1 Analysis Services
2 Database Engine
3 Integration Services
4 Reporting Services
5 Replication
6 Setup
These components are designed as Submodels for the BPA This means that they will be run
concurrently where possible
21 Required Permissions for Running SQL Server 2008 R2 BPA
Administration Privileges
To run MBCA v20 a user must be a member of the administrators group on the machine being
scanned and on the machine the scan is initiated from If a user is not an administrator on the machine
that is being scanned an appropriate error message displays
SQL Server
To successfully access all of the database properties and SQL Server Configurations a user must be
the Systems Administrator (sysadmin) on the instance of SQL Server
Analysis Services
The user or the administrators group must be member of the server administrator role within an
instance of Microsoft SQL Server Analysis Services have unrestricted access to all Analysis Services
objects and data in that instance
httpmsdnmicrosoftcomen-uslibraryms174561aspx
Integration Services
The user or the administrators group must be members of the sysadmin or db_ssisadmin roles
httpmsdnmicrosoftcomen-uslibraryms141053aspx
Reporting Services
Page 11
The user or the administrators group must be member of the System Administrator and Content
Manager role
22 Prerequisites
The following are required for using SQL Server 2008 R2 Best Practices Analyzer
1 PowerShell V20
Windows PowerShell 20 requires the Microsoft NET Framework 20 with Service Pack 1
2 Microsoft Baseline Configuration Analyzer V20
3 SQL Server Management Tools for SQL Server 2008 or SQL Server 2008 R2
The following table outlines the prerequisite Microsoft utilities components by Operating System
necessary to have on your server prior to installing and running SQL Server 2008 R2 BPA
OS 1Install
WinRM
2Install
PowerShell 20
3Install
MBCA 20
Configure PowerShell1 7 Install SQL2008
or SQL 2008 R2
Management Tools 4Remoting 5Execution
Level
6 MaxShells
PerUser
Win Vista Y Y Y Y Y Y Y
Windows 7 N N Y Y Y Y Y
Windows
Server 2003
Y Y Y Y Y Y Y
Windows
Server 2003
R2
Y Y Y Y Y Y Y
Windows
Server 2008
Y Y Y Y Y Y Y
Windows
Server 2008
R2
N N Y Y Y Y Y
1 These changes will be done from the installation routine of the BPA
Page 12
3 INSTALL
We recommend installing BPA on a workstation or administration server and performing the scan
operation remotely against servers in your SQL Server infrastructure It is also possible to install this
tool on the production SQL Server locally
Installation process
1 InstallConfigure PowerShell and WinRM
2 Microsoft Baseline Configuration Analyzer V20
3 Microsoftreg SQL Serverreg 2008 R2 Best Practices Analyzer
It exists two ways to install the Best Practices Analyzer
With a graphical user interface (setup wizard) or
Command line
31 Installing PowerShell 20 and WinRM
BPA install configures WinRM and PowerShell options by default Most of this section is only needed if
something goes wrong and you need to configure this stuff by hand
Windows Server 2003 R2
WinRM is not installed by default but it is available as the Hardware Management feature through the
AddRemove System Components feature in the Control Panel under Management and Monitoring
Tools Complete installation and information about configuring WinRM using the WINRM command-line
tool is available online in the Hardware Management Introduction which describes the WinRM and the
IPMI features in Windows Server 2003 R2
On Windows Vista Windows Server 2003 and Windows Server 2008
This is installed as part of Windows Management Framework Core The WinRM service starts
automatically on Windows Server 2008 On Windows Vista the service must be started manually
On Windows Server 2008 R2 and Windows 7
This is installed as part of the OS
Note Check for additional information and configuration guidelines for WinRM and for PowerShell
20
SQL Server 2008 R2 BPA is able to scan both the local computer and remote computers Therefore in
both the local and remote cases it required that your PowerShell settings be modified These are done
by the BPA installation
PowerShell Execution Policy
The PowerShell Execution Policy is set to Restricted by default To run SQL Server 2008 R2 BPA
through the PowerShell command Line set the policy to RemoteSigned using the below command
Set-ExecutionPolicy RemoteSigned -f
You can use the command Set-ExecutionPolicy Restricted ndashf to set the execution policy back to
restricted This command is not required when executing the scan through the MBCA GUI
After the installation you must enable the PowerShell remote scripting if you are want to use the BPA
remote to another workgroup machine or a computer that have Kerberos enabled You need to run this
command only once on each computer that will receive commands You do not need to run it on
Page 13
computers that only send commands Because the configuration activates listeners it is prudent to run
it only where it is needed You can do this with the following command line
powershellexe -NoLogo -NoProfile -Noninteractive -Command Enable-
PSRemoting -force
Enable-PSRemoting performs configuration actions to enable this machine for remote management
Includes
1 Runs the Set-WSManQuickConfig cmdlet which performs the following tasks
Starts the WinRM service
Sets the startup type on the WinRM service to Automatic
Creates a listener to accept requests on any IP address
Enables a firewall exception for WS-Management communications
Enables all registered Windows PowerShell session configurations to receive instructions
from a remote computer
Registers the MicrosoftPowerShell session configuration if it is not already registered
Registers the MicrosoftPowerShell32 session configuration on 64-bit computers if it is
not already registered
Removes the Deny Everyone setting from the security descriptor for all the registered
session configurations
Restarts the WinRM service to make the preceding changes effective
2 Configures MaxShellsPerUser using winrm set winrmconfigwinrs
``MaxShellsPerUser=`10``
Specifies the maximum number of concurrent shells that any user can remotely open on
the same computer If this policy setting is enabled the user will not be able to open new
remote shells if the count exceeds the specified limit If this policy setting is disabled or is
not configured the limit will be set to 5 remote shells per user by default and you receive
the following error message
[localhost] Connecting to remote server failed with the following
error message The WS-Management service cannot process the
request This user is allowed a maximum number of 5 concurrent
shells which has been exceeded Close existing shells or raise the
quota for this user For more information see the
about_Remote_Troubleshooting Help topic
+ CategoryInfo OpenError
(SystemManagemehellipRemoteRunspa
ceRemoteRunspace) [] PSRemotingTransportException
+ FullyQualifiedErrorId PSSessionOpenFailed
For more information about PowerShell remoting please see MSDN
32 Install MBCA
Download the edition of MBCA depending on your platform (x86 or x64) before installation
Page 14
Please find below the screenshots demonstrating the visual flow of the MBCA Installation
Welcome screen
License terms
Folder selection
Completion screen
33 Install BPA
Download the correct edition depending on your platform (x86 or x64) before installing If you have
trouble with the installation please section 57 Troubleshooting Installation
331 Command line
Following is an optimized command line setup example
msiexec i SQL2008R2BPA_Setup64msi l log ctempsqlbpa_installlog qn
msiexec parameters
i = package name (SQL2008R2BPA_Setup32msi or SQL2008R2BPA_Setup64msi
depending on your platform)
l = log granularity ldquordquo - Log all information except for v and x options
log = log file
q = display settings (qn ndash no user interface)
SKIPCA=1 (if no domain controller is available Skip Certification Authority)
For information on additional public properties Consult the Windowsreg Installer SDK for documentation
on the command line syntax
Page 15
332 GUI
Please find below the screenshots demonstrating the visual flow of the SQL Server 2008 R2 BPA
Installation
Welcome screen
License terms
System Configuration Changes (see 31 Installing PowerShell 20 and WinRM)
Ready to install decision
Install progress
Completion screen
Page 16
333 Port and Firewall restrictions
For scanning SQL Server or BI instances on an alternate server behind a firewall you must open all
necessary ports
34 Updates
Microsoft is working on quarterly updates of the rule set and tool improvements of the SQL Server
2008 R2 Best Practice Analyzer Please visit the Download site from Microsoft regularly to find new
updates
35 Uninstall
351 BPA
352 MBCA
353 Reset PowerShell settings
After the uninstall of the BPA you may disable the PowerShell remote scripting You can do this with
the following command line
powershellexe -NoLogo -NoProfile -Noninteractive -Command Disable-
PSRemoting -force
Disable-PSRemoting performs configuration actions to enable this machine for remote management
Page 17
4 USAGE
There are two ways to scan a server using MBCA and SQL 2008 R2 BPA They are
Scanning through the local machine
o In this case you are using MBCA and SQL 2008 R2 BPA running on the local machine to
perform the scan
o This scan can be of the local or an alternate server
Scanning through a remote machine
o In this case MBCA is used to connect to a remote server that has MBCA and SQL 2008
R2 BPA installed on it
o This scan is using the local machine to form the connection to the remote machine and is
actually performing the scan through the remote machine
41 Help file
The help file for the SQL Server 2008 R2 Best Practice Analyzer contains very useful information This
help file is available after the installation of BPA and is located at Start-gtAll programs-gtSQL Server
2008 R2 BPA
42 GUI
1 Ensure that MBCA v2 and SQL 2008 R2 BPA are installed on the machine
2 Run the MBCA application from the start menu with elevated user rights
Page 18
3 On the MBCA home page ensure the SQL Server 2008 R2 BPArdquo product is selected
4 Click Start Scan which displays a page to specify parameters as shown below
5 Fill in Alternate_Server_to_Scan with the remote machine you want to scan
ComputerName
IP address nnnn
FQDN (Fully Qualified Domain Name)
Enter ldquordquo localhost or leave this blank if you want to scan the local machine
Page 19
Enter the instance name you want to scan To scan the default instance enter MSSQLSERVER
or leave this as blank Toggle the checkboxes to enabledisable scans for those rule categories
Each of the following six check boxes correspond to the SQL Server categories listed previously
Select at least one category in order to run a successful scan
Analyze_SQL_Analysis_Services
Analyze_SQL_Server_Engine
Analyze_SQL_Integration_Services
Analyze_SQL_Server_Replication
Analyze_SQL_Reporting_Services
Analyze_SQL_Server_Setup
Note Only one SQL Server instance can be scanned at a time through the MBCA GUI
6 Click Start Scan MBCA will start the configured scan and display the below page while in
progress
7 When the scan is complete results will be displayed grouped by Severity as shown below
Page 20
43 Connect to a remote computer
A scan connected to a remote computer is different than scanning an alternate server
ldquoConnect to a Remote Computerrdquo is functionality provided by Microsoft Baseline Configuration Analyzer
and is used to remotely run MBCA against a server from the console of the client The client needs to
have MBCA installed but does not need BPA as it is literally running the copy of MBCA installed on the
server using the BPA installed on the server In this case the copy of MBCA installed on the client is
used only to remotely connect to the copy of MBCA installed on the server
To use this functionality you first start MBCA on the client computer and select ldquoConnect to Another
Computerrdquo
1 In the ldquoConnect to Another Computerrdquo text box you can specify a NetBIOS name a fully qualified
domain name (FQDN) or an IPv4 or IPv6 address If no port number is specified the default port
number is used The following are examples of formats that you can specify in the Connect to
Another Computer text box
ComputerName
Page 21
ComputerNamePortNumber
IP address nnnn
IPv6 address [nnnnnnnn]
IPv4 address with port number nnnnPortNumber
IPv6 address with port number [nnnnnnnn]PortNumber
Note If an administrator has changed the computerrsquos default port number any port other than the
default port must be opened in Windows Firewall to allow incoming connections on that port Port
5985 is opened by default when WinRM is configured All other ports remain blocked until opened
For more information about how to unblock a port in Windows Firewall see the Help for Windows
Firewall For more information about how to configure WinRM in a Command Prompt session type
winrm help and then press Enter
2 Additionally you must supply credentials
3 CredSSP
Windows Remote Management (WinRM) supports the delegation of user credentials across
multiple remote computers The multi-hop support functionality can now use Credential Security
Service Provider (CredSSP) for authentication CredSSP enables an application to delegate the
userrsquos credentials from the client computer to the target server
CredSSP authentication is intended for environments where Kerberos delegation cannot be used
Support for CredSSP was added to allow a user to connect to a remote server and have the ability
to access a second-hop machine such as a file share
Note WinRM clients and servers will support CredSSP authentication only with explicit credentials
Windows XP Windows Server 2003 and earlier CredSSP is not supported
First you must set CredSSP on both the client and the server
Using the Group Policy Editor (gpeditmsc) make sure to enable ldquoAllow Delegating Fresh
Credentialsrdquo and check ldquoConcatenate OS defaults with input aboverdquo
Add the server or domain to the list of servers in the format ldquoWSMANdomainnamecomrdquo
Next enable and configure PowerShell Remoting on both the Client and Server by running the
following commands in a PowerShell command window opened with elevated permissions Note
Page 22
You can configure a single machine as both a client and a server simultaneously so that you can
scan from either computer
Enable PowerShell Remoting
o Enable-psremoting ndashf
Settings for a client
o Enable-WSManCredSSP ndashrole Client ndashDelegateComputer [NetBiosNameOfServer]
or
o Enable-WSManCredSSP ndashrole Client ndashDelegateComputer [FQDN OF SERVER]
Settings for the server
o Enable-WSManCredSSP ndashrole Server
o set-item WSManlocalhostShellMaxMemoryPerShellMB ndashValue 20000
o set-item WSManlocalhostShellMaxShellsPerUser ndashvalue 20
44 PowerShell
Details see 91 PowerShell
To use the functionality of the Microsoft Baseline Configuration Analyzer you must import this module
first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
441 Run Scan
To run a full scan of the BPA on the alternate server on a named instance you can use the following
command line
Invoke-MBCAModel -ModelId SQL2008R2BPA -Alternate_Server_to_scan
servername -SQL_Server_Instance_Name instancename -
Analyze_SQL_Server_Engine -Analyze_SQL_Server_Replication -
Page 23
Analyze_SQL_Server_Setup -Analyze_SQL_Analysis_Services -
Analyze_SQL_Integration_Services -Analyze_SQL_Reporting_Services
The result looks like this part
ModelId SQL2008R2BPA
SubModelId
Success True
ScanTime
Success = True is important This is the indicator that your scan was successful
Parameter description
-Alternate_Server_to_scan servername
-SQL_Server_Instance_Name instancename
-Analyze_SQL_Server_Engine
-Analyze_SQL_Server_Replication
-Analyze_SQL_Server_Setup
-Analyze_SQL_Analysis_Services
-Analyze_SQL_Integration_Services
-Analyze_SQL_Reporting_Services
The parameter list is equal the parameter screen in the GUI
The scans of the different services are optional You can remove technologies which you do not need
to scan
The next example starts the scan only for the Analysis Services on the alternate server ldquoservernamerdquo
and for the named instance ldquoinstancerdquo A log file will be written to ldquoctempssastxtrdquo
Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId AnalysisServices -
ComputerName servername -SqlServerInstance instance -SSASLogFile
ctempssastxt
Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId Engine -ComputerName
computername -SqlServerInstance servername -CurrentLoginName
($EnvUSERDOMAIN + + $EnvUSERNAME)ToString() -EngineLogFile
ctempenginetxt ndashRepositoryPath (CTEMPSQL2008 + (Get-
Date)ToString(yyyyMMdd))ToString()
442 Create Report
model = get-MbcaModel ndashModelId sql2008r2bpa
$scanResult = get-MbcaResult ndashModelId sql2008r2bpa
$collectedConfig = get-MbcaResult ndashModelId sql2008r2bpa ndash
CollectedConfiguration
$model $scanResult $collectedConfig | export-CliXml ctempasxml
Get-MBCAResult -ModelId SQL2008R2BPA -SubModelId AnalysisServices |
ConvertTo-Html | Add-Content -Path ctesthtml
The next command retrieves the results of the most recent BPA scan for the specified model and
saves them in HTML format applying the standard cascading style sheets that are stored in the path
windirsystem32WindowsPowerShellv10ModulesBestPracticesBestPracticesReportFormatc
Page 24
ss If you want to substitute cascading style sheets provide the path to the different cascading style
sheets
Get-MBCAResult -ModelId SQL2008R2BPA | $_Severity -eq Warning -or
$_Severity -eq Error | ConvertTo-Html -As Table -property ResultNumber
SubModelID ComputerName Severity Category Title Problem Impact
Resolution Help -Head lth1gtSQL Server 2008 (R2) Best Practice Analyzer
Reportlth1gtrdquo -Title SQL Server 2008 Best Practice Analyzer -body
(ltpgtReport creation date + (Get-Date)ToString(ddMMyyyy hhmmss) +
ltpgt)toString() -pre ltPgtGenerated by user $envusername on computer
$envcomputernameltPgt -post For details contact Microsoft Premier-
CssUri $env BestPracticesReportFormatcss gt ctempsql2008r2bpahtm
443 Exporting and opening reports by using Get-MBCAResult
You can use the Get-MBCAResult cmdlet to export scan results and configuration data to an XML
report that you can open for viewing in the future either by using Get-MBCAResult or by using the
MBCA GUI Exporting reports allows you to compare older scans with more recent scans to measure
the progress of your best practice compliance
Example of exporting to XML
$results = Get-MBCAResult ltModel Idgt
$collectedconfig = Get-MBCAResult ltModel Idgt -CollectedConfiguration
$results $collectedconfig | Export-CliXml cexportxml
Example of opening archived XML report file
$loadedResults $loadedConfiguration = Import-CliXml cexportxml
444 Report Result Directory
The reporting result path
AppDataMicrosoftBaselineConfigurationAnalyzer
2ReportsSQL2008R2BPAResults
Will be overwritten during each run of the tool or invoke command
Solution save older results before you start the check
copy-item -path ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2Reports)ToString() -
destination ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2Reports_ + (Get-
Date)ToString(yyyyMMddhhmmss))ToString() ndashrecurse
Afterwards you can create a report with the following command
$prevrepPath = (Get-ChildItem ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2)ToString() -exclude
Reports | Sort-Object name -descending)[0]
Get-MBCAResult -ModelId SQL2008R2BPA ndashRepositoryPath ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2rdquo +
$prevrepPathname)ToString() | ConvertTo-Html -As Table -property
ResultNumberSubModelID ComputerName Severity Category Title Problem
Impact Resolution Help -Head lth1gtSQL Server 2008 (R2) Best Practice
Analyzer Reportlth1gtrdquo -Title SQL Server 2008 Best Practice Analyzer -body
(ltpgtReport creation date + (Get-Date)ToString(ddMMyyyy hhmmss) +
ltpgt)toString() -pre ltPgtGenerated by user $envusername on computer
Page 25
$envcomputernameltPgt -post For details contact Microsoft Premier gt
ctempsql2008r2bpahtm
Page 26
5 TROUBLESHOOTING
51 Application directories
To following directories are used by MBCA
Report output directory localappdataMicrosoftMicrosoftBaselineConfigurationAnalyzer 2ReportsSQL2008R2BPAResults
Model configuration path ProgramdataMicrosoftMicrosoft Baseline Configuration Analyzer 2ModelsSQL2008R2BPA
Temp and log files directory tempSQL2008R2BPASQL2008ltdategt_lttimegt
Registry [HKEY_LOCAL_MACHINESOFTWAREMicrosoftBaselineConfigurationAnalyzer]
Log Files
During Data Discovery SQL Server 2008 R2 BPA creates log files for troubleshooting The log file
contains the following information
Pre-requisite validation
Timestamp finished rules start and end times
Run-time scripting errors and exceptions from Power Shell Traps
Log Files Location
For every scan log files are created in userrsquos Local Temp directory (Temp) and follows the folder
structure SQL2008R2BPAlt Instance Name gtlt datestamp_timestamp gtlt Log files gt
Note In case of a remote scan the category log files are generated on the remote system at the same
path whereas the common log file is generated in the local system
Log Files Structure
A common log file gets generated and contains information about each categorys execution Apart
from this each category has its own log file which details the rule execution The names of the log files
are given below
Common File - ModelLogtxt
Engine Rules - EngineLogtxt
Replication Rules - ReplicationLogtxt
Setup Rules - SetupLogtxt
Analysis Services Rules - AnalysisServicesLogtxt
Reporting Services Rules - ReportingServicesLogtxt
Integration Services Rules - IntegrationServicesLogtxt
52 Windows Server 2003 ndash NumberOfLogicalProcessors
Analysis Services RID2803 and RID2804 ndash NumberOfLogicalProcessors property is unavailable in
Win32_Processor for with Windows Server 2003
Solution The NumberOfLogicalProcessors property does not exist in the WIN32_PROCESSOR object
in Windows Server 2003 It has been implemented in the hotfix
httpsupportmicrosoftcomkb932370
Both of the rules below will function properly if you apply this hotfix For more information look here
Page 27
53 MBCA
This message indicates that on prerequisite is not installed
Please install the version 2 of the MBCA
54 Where can I find the Instance name in result set of the analyzer
report
The instance name is in the collected data option of the analyzer report in the BPA GUI
55 Memory limit of remote PowerShell process
By default remote PowerShell process can consume only 150 MB or less memory This default limit is
significantly small and once this limit is reached there could be a WinRM exception causing and remote
connection immediately terminates Any application or Cmdlet which is involved in PowerShell
remoting should be tested for this memory limit this may cause some of the command to fail for
example site collection creation
Solution Increase the memory limit for the remote shell Use the following command to increase this
limitation to 1000MB This is only necessary if you need to run those commands on that server
Set-Item WSManlocalhostShellMaxMemoryPerShellMB 1000
56 Remote connect
If you try to ldquoConnect to another computerrdquo from MBCA and you receive the following message
Page 28
You should check first if the Hotfix KB968930 is installed
Afterwards validate that the ldquoWindows Remote Managementrdquo service is started
Enable-PSRemoting
If CredSSP is unsupported or unavailable you will see the following message
Page 29
If you have no permission to access the remote server you get the error message
Page 30
57 Installation
571 PowerShell error
After getting through the Pre-Reqs for BPA (PowerShell 20 MBCA NET Framework) you may hit
one of two scenarios when installing BPA
In all of the cases of an install failure you will see the following error
There is a problem with this Windows Installer package A program run as part of the setup did not
finish as expected Contact your support personnel or package vendor
In your Application Event Log for both of these scenarios you will also see the following entry
Log Name Application
Source MsiInstaller
Date 6102010 83818 AM
Event ID 11722
Task Category None
Level Error
Keywords Classic
User ltUsernamegt
Computer ltMachine namegt
Description
Product Microsoft SQL Server 2008 R2 BPA -- Error 1722 There is a problem
with this Windows Installer package A program run as part of the setup did
not finish as expected Contact your support personnel or package
vendor Action EnablePSRemoting location powershellexe command -NoLogo
-NoProfile -Command Enable-PSRemoting ndashforce
Page 31
This is an indicator that PowerShell is not configured You must run the following command
powershellexe -NoLogo -NoProfile -Command Enable-PSRemoting ndashforce
572 Workgroup or Non-Domain computer
In this scenario the Enable-PSRemoting command should execute fine from a PowerShell prompt
The actual error coming back from the PowerShell command within the Installer is ldquoAccess Deniedrdquo
To work around this issue you can do the following
1 Open a command prompt with Administrative Privileges
2 Change to the directory where the msi file resides
3 Type msiexec i ltMSI Namegt SKIPCA=1
4 MSI Name will either be SQL2008R2BPA_Setup32msi or SQL2008R2BPA_Setup64msi
depending on your platform
5 Once BPA is installed open a PowerShell prompt with Administrative Privileges
6 Execute the following commands
a Enable-PSRemoting
b winrm set winrmconfigwinrs ``MaxShellsPerUser=`10``
This should allow BPA to be successfully installed in the workgroup scenario
573 Kerberos Failure
This scenario is that you are failing with the above due to a Kerberos issue This particular issue could
actually show up after you have installed BPA depending on how you have configured your
environment
The issue stems from the fact that the Windows Remoting Windows Service uses the Network Service
account Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos As a
result it will be using the HOST Service Principal Name (SPN) that is on the Machine Account as it is
running under that context You may have an HTTP SPN that resides on a different account with that
host name For example if you are running an IIS Web Application such as SharePoint or if you are
using Reporting Services and the service account is set to a Domain User account instead of Network
Service or Local System If your URL of your application matches the machine name then your HTTP
SPN will be the same Thatrsquos where this problem comes in WinRM will stop working at that point and
give you a message similar to the following
Set-WSManQuickConfig WinRM cannot process the request The following error
occured while using Negotiate authentication An unknown security error
occurred
Possible causes are
-The user name or password specified are invalid
-Kerberos is used when no authentication method and no user name are
specified
-Kerberos accepts domain user names but not local user names
-The Service Principal Name (SPN) for the remote computer name and port
does not exist
-The client and remote computers are in different domains and there is no
trust between the two domains
After checking for the above issues try the following
-Check the Event Viewer for events related to authentication
-Change the authentication method add the destination computer to the
WinRM TrustedHosts configuration setting or use HTTPS transport
Note that computers in the TrustedHosts list might not be authenticated
-For more information about WinRM configuration run the following
Page 32
command winrm help config
At line50 char33
+ Set-WSManQuickConfig ltltltlt -force
+ CategoryInfo InvalidOperation () [Set-WSManQuickConfig]
InvalidOperationException
+ FullyQualifiedErrorId
WsManErrorMicrosoftWSManManagementSetWSManQuickConfigCommand
You can get this type of error from WinRM for muliple reasons The one that
we saw in our testing was the HTTP SPN scenario
If you do have an HTTP SPN defined on a Domain Account that is using the name of your machine
you have some options First you can follow the steps mentioned above to get BPA installed The
Enable-PSRemoting command will give you the above error You can temporarily remove the HTTP
SPN to get remoting enabled and then re-add the HTTP SPN
Once BPA is setup you will still not be able to run BPA if you put the HTTP SPN back in place You will
see the following when you attempt to perform a scan
This will occur regardless of which component you try to scan It could be the Engine Setup RS etchellip
One option to perform the scan successfully is to temporarily remove the HTTP SPN again run the
scan and then put the HTTP SPN back in place Another option but one that will probably require
further testing from your applicationrsquos end would be to run the application under a Host Header and
then your HTTP SPN would not include the machine name allowing BPA to run without issue
Page 33
6 RULES
Searching for ldquoSQL Server 20087 R2 BPArdquo at Microsoftcom reveals
Here is an example of one of these articles that talks about a rule to check for a recent ldquocleanrdquo
CHECKDB
Page 34
BPA works by measuring a rolersquos compliance with best practice rules in eight different categories of a
rolersquos effectiveness trustworthiness and reliability Results of measurements can be any of the three
severity levels described in the following table
Severity level Description
Noncompliant Noncompliant results are returned when a role does not satisfy the conditions of a rule
Compliant Compliant results are returned when a role satisfies the conditions of a rule
Warning Warning results are returned when a role is compliant as operating currently but may not satisfy the conditions of a
rule if changes are not made to its configuration or policy settings For example a scan of Remote Desktop Services
might show a warning result if a license server is unavailable to the role because even if no remote connections are
active at the time of the scan not having the license server prevents new remote connections from obtaining valid
client access licenses
Page 35
BPA rule categories
The following table describes the categories of best practice rules against which roles are measured
during a BPA scan
Category Name Description
Security Security rules are applied to measure a rolersquos relative risk for exposure to threats such as unauthorized or malicious
users or loss or theft of confidential or proprietary data
Performance Performance rules are applied to measure a rolersquos ability to process requests and perform its prescribed duties in
the enterprise within expected periods of time given the rolersquos workload
Configuration Configuration rules are applied to identify role settings that might require modification for the role to perform
optimally Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role
from performing its prescribed duties in an enterprise
Policy Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the
role to operate optimally and securely
Operation Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise
Predeployment Predeployment rules are applied before an installed role is deployed in the enterprise to let administrators to
evaluate whether best practices were satisfied before you use the role in production
Postdeployment Postdeployment rules are applied after all required services have started for a role and the role is running in the
enterprise
BPA Prerequisites BPA Prerequisite rules explain configuration settings policy settings and features that are required for the role
before BPA can apply specific rules from other categories A prerequisite in scan results indicates that an incorrect
setting a missing role role service or feature an incorrectly enabled or disabled policy a registry key setting or
other configuration has prevented BPA from applying one or more rules during a scan A prerequisite result does
not imply compliance or noncompliance It means that a rule could not be applied and therefore is not part of the
scan results
61 Engine Rules
Please find below a summary of the 74 Engine Rules with the links to the rule descriptions These rules
are checking that you have a secure resilient and well performing SQL configuration
Authentication Mode (httpsupportmicrosoftcomkb2028697)
Lightweight Pooling is enabled (httpsupportmicrosoftcomkb2160691)
Locks Configuration Not Dynamic (httpsupportmicrosoftcomkb2199576)
non-default network packet size in use (httpsupportmicrosoftcomkb2157175)
degree of parallelism not set to recommended value (httpsupportmicrosoftcomkb2023536)
Use Database Mail instead of SQL Mail (httpsupportmicrosoftcomkb2028584)
SQL Server Agent Proxy Account (httpsupportmicrosoftcomkb2160741)
SQL Login Password Policy Strength and password expiry
(httpsupportmicrosoftcomkb2028712)
Trustworthy Bit (httpsupportmicrosoftcomkb2183687)
Symmetric Keys Check (httpsupportmicrosoftcomkb2162020)
Asymmetric Keys Check (httpsupportmicrosoftcomkb2162020)
SQL Server installed on PDC BDC (httpsupportmicrosoftcomkb2032911)
Page 36
SQL Server Admin role membership check (httpsupportmicrosoftcomkb2184138)
Windows API calls intercepted (httpsupportmicrosoftcomkb2033238)
unsupported DotNET framework assemblies present (httpsupportmicrosoftcomkb2033344)
Disk partition starting offset may be incorrect (httpsupportmicrosoftcomkb2023571)
non-default max worker threads value configured (httpsupportmicrosoftcomkb2157129)
Guest Permissions (httpsupportmicrosoftcomkb2186935)
Data and Log files on the same volume (httpsupportmicrosoftcomkb2033523)
IO timeouts and IO controller errors detected (httpsupportmicrosoftcomkb2091098)
IO device errors detected (httpsupportmicrosoftcomkb2091098)
IO errors during page faults detected (httpsupportmicrosoftcomkb2091098)
cluster disk corruption encountered (httpsupportmicrosoftcomkb2091098)
disk defragmentation encountered corruption (httpsupportmicrosoftcomkb2091098)
failed IO requests detected (httpsupportmicrosoftcomkb2091098)
IO requests are successful when retried (httpsupportmicrosoftcomkb2015757)
IO Delay Problems reported by SQL Server (httpsupportmicrosoftcomkb2137408)
This system experienced unexpected shutdowns (httpsupportmicrosoftcomkb2091098)
tempdb corruption errors fix missing (httpsupportmicrosoftcomkb960770)
Critical SQL database inconsistency errors found (httpsupportmicrosoftcomkb2152734)
Logical consistency errors detected (httpsupportmicrosoftcomkb2152472)
Database have auto shrink option enabled (httpsupportmicrosoftcomkb2160663)
SQL Server Error logs are very big (httpsupportmicrosoftcomkb2199578)
incorrect affinity mask settings detected httpsupportmicrosoftcomkb2157114
Very low blocked process threshold setting detected httpsupportmicrosoftcomkb2157154
Potential security issue with legacy DTS stored procedures
httpsupportmicrosoftcomkb2202875
Winsock LSP loaded into SQL httpsupportmicrosoftcomkb2033448
Databases using simple recovery model httpsupportmicrosoftcomkb2137539
User database collation different from model httpsupportmicrosoftcomkb2026108
Database files and backups exist on the same volume httpsupportmicrosoftcomkb2027537
Databases have auto close option enabled httpsupportmicrosoftcomkb2160685
LSI SAS drivers needs update httpsupportmicrosoftcomkb2121098
SQL tempdb database not configured optimally httpsupportmicrosoftcomkb2154845
SQL Database file has sparse attribute set httpsupportmicrosoftcomkb2028447
Invalid startup parameters httpsupportmicrosoftcomkb2028433
MSDTC settings not configured optimally httpsupportmicrosoftcomkb2027550
sql incorrect results fix missing httpsupportmicrosoftcomkb971780
File System needs tuning for better FileStream performance
httpsupportmicrosoftcomkb2160002
linked server memory leak fix missing httpsupportmicrosoftcomkb971622EN-US
Windows service pack is not at recommended level httpsupportmicrosoftcomkb2121098
default extended event health session not in expected state
httpsupportmicrosoftcomkb2160570
TcpSysAndChimneyCheck httpsupportmicrosoftcomKB918483
FDHOST Launcher service is not configured properly httpsupportmicrosoftcomkb2160720
Unrecommended SQL Server Agent service account httpsupportmicrosoftcomkb2160720
A required Windows fix to avoid sparse file related problems is missing
httpsupportmicrosoftcomkb2002606
Page 37
Significant Portion of SQL Server Memory Has Been Paged Out
httpsupportmicrosoftcomkb2028324
Server Exception or Hang Detected on Server httpsupportmicrosoftcomkb2028589
Databases exist without CHECKSUM protection httpsupportmicrosoftcomkb2078345
backups outdated for databases httpsupportmicrosoftcomkb2027537
Database consistency check not current httpsupportmicrosoftcomkb2033590
SQL Server Memory settings are incorrect httpsupportmicrosoftcomKB918483EN-US
Autogrow Failed or took a long time httpsupportmicrosoftcomkb2091024
Storport driver fix from KBA 940467 missing httpsupportmicrosoftcomkb2121098
Storport driver fix from KBA 950903 missing httpsupportmicrosoftcomkb2121098
SQLCLR needs additional memory configuration httpsupportmicrosoftcomkb969962EN-US
Operating System files and drivers needs update for working set trimming
httpsupportmicrosoftcomkb2121098
Agent Token Replacement httpsupportmicrosoftcomkb2202637
Auditing Log in failures httpsupportmicrosoftcomkb2187161
Databases with high number of VLF present httpsupportmicrosoftcomkb2028436
Transparent Data Encryption Certificate httpsupportmicrosoftcomkb2201900
Permission on the Binn folder httpsupportmicrosoftcomkb2029023
Index Statistics Are Outdated
Server public permissions httpsupportmicrosoftcomkb2160698
Detected use of older versions of SQLNCLI httpsupportmicrosoftcomkb979779
62 AS Rules
Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions
Flight Recorder Enabled for SQL Server Analysis Services
httpsupportmicrosoftcomkb2128005
Excessive amount of memory preallocated to Analysis Services
httpsupportmicrosoftcomkb2027474
Server not configured for optimal concurrent query throughput
httpsupportmicrosoftcomkb2135031
Non standard value detected for Analysis Services memory configuration
httpsupportmicrosoftcomkb2027472
Process Thread Pool Max limit above recommended limit
httpsupportmicrosoftcomkb2134497
Process Thread Pool Minimum is below the recommended limit
httpsupportmicrosoftcomkb2134855
Server is running a build with a known regression httpsupportmicrosoftcomkb2157941
Slice not set on a ROLAP partition or a partition where proactive caching is enabled and
ROLAP storage ay occur httpsupportmicrosoftcomkb2027754
Server is ignoring duplicate key errors httpsupportmicrosoftcomkb2027761
No default member defined for non-aggregatable attribute
httpsupportmicrosoftcomkb2027769
UnknownMember set to hidden httpsupportmicrosoftcomkb2027628
Non-numeric key column for high cardinality attribute httpsupportmicrosoftcomkb2028138
Attribute hiearchy enabled for high cardinality non-key attribute
httpsupportmicrosoftcomkb2028143
ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition
detected httpsupportmicrosoftcomkb2132742
Page 38
Account or Time attribute types defined in a non-matching dimension type
httpsupportmicrosoftcomkb2157299
An Account or Time dimension has no matching attribute defined
httpsupportmicrosoftcomkb2027418
Dimension has no attribute defined with the same type
httpsupportmicrosoftcomkb2027443
Attribute Dimension type mismatch httpsupportmicrosoftcomkb2157327
Mismatched dimension attribute types detected in dimension
httpsupportmicrosoftcomkb2027459
Possible incorrect order of levels defined in hierarchy httpsupportmicrosoftcomkb2027460
Define attribute relationships as Rigid where possible httpsupportmicrosoftcomkb2027468
Redundant attribute relationships detected httpsupportmicrosoftcomkb2127437
Diamond-shape relationship detected httpsupportmicrosoftcomkb2127570
Non-Standard Attribute Relationship name detected httpsupportmicrosoftcomkb2127862
Proactive Caching set for dimension without a processing query
httpsupportmicrosoftcomkb2027541
No Time dimension detected httpsupportmicrosoftcomkb2027532
More than 3 parent-child dimensions with custom rollups defined
httpsupportmicrosoftcomkb2134431
Encountered a parent-child dimension with more than 500000 members
httpsupportmicrosoftcomkb2131918
Single attribute dimensions detected httpsupportmicrosoftcomkb2141654
Measure groups with zero dimensional overlap detected in cube
httpsupportmicrosoftcomkb2027609
Proactive Caching set for a partition without a processing query
Default measure for perspective not in the perspective
httpsupportmicrosoftcomkb2027603
Use MOLAP storage for dimensions that participate in semi-additive measure groups
httpsupportmicrosoftcomkb2135112
Measure group defined with no partition httpsupportmicrosoftcomkb2027545
63 RS Rules
RSWindowsNegotiate is missing from your configuration
httpsupportmicrosoftcomkb2145506
HTTP Logging is not enabled httpsupportmicrosoftcomkb2145909
Verbose logging is enabled httpsupportmicrosoftcomkb2146315
NTLM authentication may fail for local httpsupportmicrosoftcomkb2146369
Missing extended protection settings httpsupportmicrosoftcomkb2146062
64 IS Rules
Logging task missing for package httpsupportmicrosoftcomkb2027723
ActiveX Script task detected in package httpsupportmicrosoftcomkb2027712
Unrecommended Integration Services service account detected
httpsupportmicrosoftcomkb2027684
Integration Services logging table found in system database master and or msdb
httpsupportmicrosoftcomkb2027706
Integration Services memory dump detected httpsupportmicrosoftcomkb2027727
Page 39
65 Setup Rules
Unsupported Operating System Version Detected httpsupportmicrosoftcomkb2022909
WOW64 not supported for SQL Failover Clustering httpsupportmicrosoftcomkb2157198
Installer cache is missing for the SQL Installation httpsupportmicrosoftcomkb2015100
SQL Server WMI Provider Health Check
66 Replication Rules
Replication Timeout Alerts Type httpsupportmicrosoftcomkb2118349
Replication Pub and Sub out of sync (Data Validation) httpsupportmicrosoftcomkb2118386
Replication Pub and Sub out of sync (Constraint Violations)
httpsupportmicrosoftcomkb2118410
Replication Pub and Sub out of sync (Skipped Transactions)
httpsupportmicrosoftcomkb2194498
Merge Replication Health Check httpsupportmicrosoftcomkb2118445
Subscriptions Approaching Expiration httpgomicrosoftcomfwlinkLinkId=184483
Replication Cleanup and Retention Health Check httpsupportmicrosoftcomkb2118485
Replication Latency Threshold violations httpsupportmicrosoftcomkb2118425
Page 40
7 HOW TO DEAL WITH DEVIATIONS
Deviations from these Best Practices may indicate potential issues and configuration changes may be
necessary Make sure you have tested any intended changes in a test environment before deploying
them to a production environment You could also find deviations from Best Practices that are
acceptable or even necessary for your environment For example
SAP has its special Network Packet Size of 8 KB
Existing Non-Microsoft Clients ndash would require Mixed Mode Authentication
Page 41
8 MOTIVATION TO USE SQL BPA R2
Bob Ward explained in his Article ldquoWhy use SQL Server 2008 R2 BPA Case 1 Missing Updatesrdquo
the common pitfalls during maintenance and operation of SQL Server and how address them by using
the SQL BPA
In brief itrsquos a customer scenario where the customer is facing an issue after a major update to
SQL2008 After some troubleshooting and an update to a certain CU (that is meant to fix the issue) the
problem still occurs Bobs article states the common resulting consequences ndash the involvement of
Microsoft Support and the final solution ndash adding a needed traceflag
The good news in this story is that the customer would not have needed to go to all that effort if they
would have run the SQL BPA It would have told them about the update and instructed them to put the
traceflag in place BPA is a mechanism that proactively advises you and instructs you on dealing with
common known issues
Page 42
9 ADDITIONAL INFORMATION
91 PowerShell
To use the functionality of the Baseline Configuration Analyzer with PowerShell you must import this
module first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
The following commands are stored in this module
Get-MbcaModel
Get-MbcaResult
Invoke-MbcaModel
Set-MbcaResult
You get help of this command with the following syntax
Get-help ltcommandgt -full
911 Get-MBCAModel
SYNOPSIS
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer
SYNTAX
Get-MBCAModel [[-ModelId] ltstring[]gt] [[-SubModelId] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer If no parameter is
specified Get-MBCAModel returns all models that are installed on the computer If a model is specified
by using the -ModelId parameter information about the specified model is returned
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
The results of the Get-MBCAModel cmdlet include the following details about models
1 Branding information (manufacturer or company display names version number) that is found in
the model manifest
2 Dynamic parameters that are included with the model
3 Submodels that are included with the model
PARAMETERS
-ModelId ltstring[]gt
The -ModelId parameter specifies the ID of the MBCA model about which you want to view
details You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet with no parameters and targeted at a computer on which MBCA models are installed
Page 43
This parameter supports wild card characters
Required false
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you
want to view details You can obtain valid values for the -SubModelId parameter by running the
Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models
are installed Not all models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
Examples
Get-MBCAModel
In the preceding example Get-MBCAModel with no parameters added returns details about all MBCA
models that are installed on the computer
Get-MBCAModel -ModelId SQL2008R2BPA
The preceding example can be used to return details about the MBCA model that is specified in the -
ModelId parameter represented by Model Id
$model= Get-MBCAModel -ModelId SQL2008R2BPA
$modelParameters
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the Parameters property of the model details that were stored in the
$model object returns details about which parameters are supported by the model
Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId ltSubModel Idgt
The preceding example can be used to return details about the MBCA sub-model that is specified by
the -SubModelId parameter represented by SubModel Id Note that the -ModelId parameter is
required by the -SubModelId parameter
$model= Get-MBCAModel -ModelId SQL2008R2BPA
Page 44
$modelSubModels
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the SubModels property of the model details that were stored in the
$model object returns a list of the submodels of the model specified in the first line
912 Invoke-MBCAModel
SYNOPSIS
The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA)
scan for a specific model that is installed on your computer
SYNTAX
Invoke-MBCAModel [-ModelId] ltstringgt -SubModelId ltstringgt [-Authentication
ltAuthenticationMechanismgt] [-CertificateThumbprint ltstringgt] [-ComputerName
ltstring[]gt] [-ConfigurationName ltstringgt] [-Context ltstringgt] [-Credential
ltstringgt] [-Mode ltModeEnumgt] [-Port ltintgt] [-RepositoryPath ltstringgt] [-
ThrottleLimit ltintgt] [-UseSSL] [ltCommonParametersgt]
DESCRIPTION
The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer
(MBCA) scan for a specific model that is installed on your computer The model is specified either by
using the parameter -ModelId or by piping the results of the Get-MBCAModel cmdlet into an Invoke-
MBCAMode cmdlet
After the MBCA scan has been performed the results of the scan are available to be retrieved by Get-
MBCAResult cmdlet
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Authentication ltAuthenticationMechanismgt
Specifies the authentication mechanism that is used to authenticate the users credentials Valid
values include Default Basic CredSSP Digest Kerberos Negotiate and
NegotiateWithImplicitCredential The default value is Default
For more information about the -Authentication parameter type the following and then press
Enter
Get-Help Invoke-Command -Parameter Authentication
Required false
Position named
Default value Default
Accept pipeline input false
Accept wildcard characters false
-CertificateThumbprint ltstringgt
Page 45
Specifies the digital public key certificate (X509) of a user account that has rights to perform the
cmdlet action The valid value is the certificate thumbprint of the certificate
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Certificate Thumbprint
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific
computer by adding this parameter Valid values include NETBOS names IP addresses or fully-
qualified domain names of one or more computers in a comma-separated list To specify the local
computer type the computer name or localhost
All formats that are accepted by the -ComputerName parameter in Invoke-Command are
accepted
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ConfigurationName ltstringgt
Specifies the session configuration that is used for a new PSSession
Enter a configuration name or the fully-qualified resource URI for a session configuration
Session configuration data is found on the remote computer on which you want to run a cmdlet
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ConfigurationName
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
The -Context parameter lets you run scans on a submodel in the context of a specific model (one
that is different from the parent model of the submodel) For example an administrator might
want to run a scan on the Backend submodel of the SQL model but only those in the context
of a third model a technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
Page 46
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Credential ltstringgt
Specifies a user account that has permission to run this cmdlet The default value is the current
user
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Credential
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Mode ltModeEnumgt
The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered
documents or discovery The default is to perform both discovery and analysis or All
If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet both discovery and
analysis are performed during a scan
Valid values are Discovery Analysis and All
Required false
Position named
Default value All
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model that you want to scan You can
obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at
a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
Page 47
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-Port ltintgt
Specifies the network port on a remote computer on which you want to run a scan The default
value is port 80
For more information on this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Port
Required false
Position named
Default value 80
Accept pipeline input false
Accept wildcard characters false
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a pathname If the parameter is not used the cmdlet writes
results to the default result repository
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to
scan You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed Not all models have
submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ThrottleLimit ltintgt
Specifies the maximum number of concurrent connections that can be established to run the
cmdlet If you omit this parameter or enter a value of 0 the default value of 32 is used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ThrottleLimit
Required false
Page 48
Position named
Default value 32
Accept pipeline input false
Accept wildcard characters false
-UseSSL [ltSwitchParametergt]
Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer
By default SSL is not used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter UseSSL
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceInvokeBpaModelOutputgt
The output object encapsulates the results of the cmdlet that you entered It contains information such
as the MBCA model ID the success or failure of the cmdlet and other details
NOTES
If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C)
before the temporary results file is copied to its final location the temporary file is discarded and any
previous scan results file for the role are preserved The message Processing of Invoke-MBCAModel
cancelled by user is displayed if the command is cancelled before existing scan results files are
overwritten
If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel
cmdlet and the command is cancelled scans that were completed before the cancel command was
entered cannot be cancelled A scan in progress behaves as described above in the single-model scan
cancellation scenario Subsequent scans in the pipeline are cancelled
If a concurrent scan of the same model is attempted the cmdlet returns the following error message
Another scan for this MBCA model is in progress Only one scan is allowed at a time
-------------------------- EXAMPLE 1 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA
Description
The preceding example starts a MBCA scan on the model that is represented by ltModel Idgt
-------------------------- EXAMPLE 2 --------------------------
Page 49
Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name
redmondmicrosoftcom
Description
The preceding example starts an MBCA scan on the model ID that is specified by Model Id
The administrator starts the MBCA scan with additional model-specific parameters that are exposed by
the model (For an example of how to obtain model-specific parameters see the examples for the Get-
MBCAModel cmdlet)
For example to scan a model that requires model-specific parameters (such as -Scope and -Name) to
be passed to the command the administrator can specify the values of these model-specific
parameters with the Invoke-MBCAModel cmdlet
-------------------------- EXAMPLE 3 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The
cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion
of the scan
-------------------------- EXAMPLE 4 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath
ltRepository Pathgt
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The -
Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on
existing documents that are specified in the non-default repository path provided with the -Repository
Path parameter
-------------------------- EXAMPLE 5 --------------------------
Invoke-MBCAModel -Id ltModel Idgt -SubModelId ltSubModel Idgt -ComputerName
ltServergt -Context ltContext Model Idgt -RepositoryPath ltRespository Pathgt -
AsJob -Authentication ltAuthenticatonMechanismgt -Port ltPort Numbergt -UseSSL -
ThrottleLimit ltThrottle Limitgt
Description
The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id
and on the computer that is represented by Server
Because the administrator only wants to see results from the submodel that apply in the context of a
third model the administrator runs the scan within the context of the model ID that is specified in the -
Context parameter The cmdlet results are saved to the non-default repository path that is specified in
the -RepositoryPath parameter
Because the -AsJob parameter is added the scan runs in the background The -AsJob -
Authentication -Port -UseSSL and -ThrottleLimit parameters are passed through for use by the
Invoke-Command cmdlet to perform discovery on a remote computer For more information about
these parameters see the Help for the Invoke-Command cmdlet available in Windows PowerShell V2
913 Get-MBCAResult
SYNOPSIS
Page 50
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
SYNTAX
Get-MBCAResult [-ModelId] ltstringgt [[-CollectedConfiguration]] -SubModelId
ltstringgt [-ComputerName ltstring[]gt] [-Context ltstringgt] [-Filter
ltFilterEnumgt] [-RepositoryPath ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
To use the command add the -ModelId parameter and then specify the model ID for which you want
to view the most recent MBCA scan results or collected configuration data If you want to retrieve the
configuration data collected add the -CollectedConfiguration switch parameter
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-CollectedConfiguration [ltSwitchParametergt]
The -CollectedConfiguration parameter allows you to obtain the configuration data that was
collected for the most recent MBCA scan If this switch parameter is added to Get-MBCAResults
the cmdlet returns only the configuration data that was collected for a scan
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The -ComputerName parameter lets you obtain scan results that were collected for the most
recent MBCA scan of a submodel on a specific computer To specify the local computer type the
computer name or localhost Multiple values for -ComputerName can be separated by
commas
The -SubModelId parameter is required by the -ComputerName parameter
Valid values for the -ComputerName parameter include localhost a NET BIOS name an IP
address or a fully-qualified domain name (FQDN) of one or more computers in a comma-
separated list
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
Page 51
The -Context parameter lets you obtain scan results that were collected for the most recent
MBCA scan of a submodel in the context of a specific model (one that is different from the parent
model of the submodel) For example an administrator might want to display scan results for the
Backend submodel of the SQL model but only those in the context of a third model a
technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Filter ltFilterEnumgt
The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant
Noncompliant or All results Valid values are Noncompliant Compliant or All The default value
is All
The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan
results You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet obtains
results from the default result repository
Required false
Position named
Page 52
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you
want to view scan results You can obtain valid values for the -SubModelId parameter by running
the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed Not all
models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceResultgt OR
SystemXmlXmlDocument (if -CollectedData specified)
If you do not use the -CollectedConfiguration parameter verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Results
2 Attempting to get MBCA results for Model Id = 0
3 Completed getting MBCA results for Model Id = 0 Number of Results = 1
If you add the -CollectedConfiguration parameter to display configuration data that was used for a
scan verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Configuration Data
2 Attempting to get MBCA collected configuration data for Model Id = 0
3 Completed getting MBCA collected configuration data for Model Id = 0
NOTES
The Get-MBCAResult cmdlet must be run by a member of the Administrators group and it does not
start a new scan
Cancellation behaviour
Single Model - To cancel this cmdlet you must press Ctrl+C before the ResultCollection is displayed
on the console The operation is cancelled and results are not displayed on the console
Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models
the cmdlet generates only those results that were displayed on the console before the cancellation
Any subsequent results in the pipeline are cancelled and not displayed
Page 53
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -Id SQL2008R2BPA
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id
-------------------------- EXAMPLE 2 --------------------------
Get-MBCAModel | Get-MBCAResult
In the preceding example Get-MBCAModel is used to return a list of all MBCA models that are
installed on the computer The results of the Get-MBCAModel cmdlet are piped to the Get-
MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both
supported by MBCA and installed on the computer at which the cmdlet is targeted
-------------------------- EXAMPLE 3 --------------------------
$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$resultDiscoveryDocument
Description
In the preceding example configuration data (in XML form) that was collected during the most recent
Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is
retrieved and stored as a property in the variable $result $resultDiscoveryDocument is of type
SystemXmlXmlDocument
-------------------------- EXAMPLE 4 --------------------------
Get-MBCAResult SQL2008R2BPA -Filter Noncompliant
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id and then applies a filter to show only Noncompliant
results
------------------------- EXAMPLE 5 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId Note that the parent model ID must be specified
to use the -SubModelId parameter
------------------------- EXAMPLE 6 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt -ComputerName ltServergt
-Context ltContext Model Idgt -RepositoryPath ltRepository Pathgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId The parent model ID is provided as required by
the -SubModelID parameter
The -Context parameter indicates that the administrator wants to see only those scan results that are in
the context of the model that is represented by Context Model Id for example only those results from
a SQL Server scan that specifically apply to another technology such as Web Server (IIS)
Page 54
The scan results are further narrowed to only those from a computer that is specified in the -
ComputerName parameter as Server and only those results found in the non-default results
repository that is represented by Repository Path
914 Set-MBCAResult
SYNOPSIS
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
SYNTAX
Set-MBCAResult [[-Exclude] ltBooleangt] [-Results] ltResultgtgt [[-
RepostitoryPath] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
The action specified in the cmdlet (Exclude for example) determines how the existing results of an
MBCA scan are updated Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet
to return a collection of scan results
You can apply filters to results that are returned by the Get-MBCAResult cmdlet and then pipe the
filtered collection of results to the Set-MBCAResult cmdlet specifying either to include or exclude
filtered scan results
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Exclude ltBooleangt
Excludes scan results from the results collection that were previously obtained by the Get-
MBCAResult command To exclude results by using the -Exclude parameter add the value $true
following the parameter as shown
-Exclude $true
To include results that have been excluded use the $false value for the -Exclude parameter
Required false
Position 2
Default value
Accept pipeline input false
Accept wildcard characters false
-RepostitoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet
modifies results from the default result repository
Required false
Page 55
Position 4
Default value
Accept pipeline input false
Accept wildcard characters false
-Results ltResultgtgt
Specifies the result collection to be updated by the Set-MBCAResult cmdlet The -Results
parameter is typically used to specify a filtered subset of scan results that has already been
stored in a variable the variable name is provided as the valid value for the -Results parameter
For example if you have created a variable $allPerformance to store all the Performance
category results for an MBCA scan of all models on a computer and you want to exclude those
Performance results from the complete collection of scan results you add the parameter -Results
$all Performance to a Set-MBCAResult cmdlet
For a more detailed example see the Examples section of the Help for this cmdlet
Required true
Position 3
Default value
Accept pipeline input true (ByValue)
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type ldquoget-
help about_commonparameters
NOTES
If the Set-MBCAResult command is cancelled before the results are written to a file the operation is
cancelled and the results file is not modified If cancellation occurs after the results file has been
modified the commands actions are carried out and the command cannot be cancelled
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -ModelId SQL2008R2BPA | Where $_Category -eq
Performance | Set-MBCAResult -Exclude $true
Description
The first section of the preceding example to the left of the first pipe character (|) uses the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is
represented by Model Id
The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those
scan results for which the category name is equal to Performance
The final section of the example following the second pipe character excludes the Performance
results that were filtered by the previous section of the example
-------------------------- EXAMPLE 2 --------------------------
$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath
CReposPath | Where $_Category -eq Policy
Page 56
Set-MBCAResult -Exclude $true -RepositoryPath CReposPath -Results
$rcPolicy
Description
The first line of the preceding example to the left of the pipe character (|) instructs the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is
represented by Specified Model Id from the specified non-default repository path
The second section of the example after the pipe character filters the results of the Get-MBCAResult
cmdlet to return only those scan results for which the category name is equal to (note the -eq option)
Policy The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet this
variable can be used in subsequent commands to represent those results
The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that
are stored in the $rcPolicy variable In this example the -Results parameter is added because the
administrator wants to exclude a specific subset of scan results for that model and has created the
variable $rcPolicy to represent that subset of results The repository root is specified in the second line
because the administrator wants to modify the results in the same non-default repository from which
the data in $rcPolicy was retrieved
915 MBCA Model Authoring
Further information about configuration and usage of MBCA models you can in the
MBCA_ModelAuthoringGuidedocx
Page 57
Did this paper help you Please give us your feedback Tell us on a scale of 1 (poor) to 5 (excellent)
how would you rate this paper and why have you given it this rating For example
Are you rating it high due to having good examples excellent screen shots clear writing or
another reason
Are you rating it low due to poor examples fuzzy screen shots or unclear writing
This feedback will help us improve the quality of white papers we release
Send feedback
Page 7
discovery The discovery activity interrogates the SQL Server Registry WMI Error- and Event-Logs
etc The output is saved in an XML File which is then used in the evaluation activity Evaluation is
performed using the Schematron file This file run by the MBCA engine contains the logic for
evaluating the best practices The final step following the evaluation process is the report generation ndash
which is shown in the MBCA UI
In the flow chart below you will find the anatomy of the SQL Server 2008 R2 Best Practices Analyzer
12 Microsoft Best Practice Analyzer Universe
Microsoft offers many technologies and utilities to produce best practices recommendations
121 SQL Server BPA (older versions)
Microsoft has also created BP Analyzers for your older SQL Server versions and for Windows
SQL Server 2005 Best Practices Analyzer (August 2008)
SQL Server 2000 Best Practices Analyzer (April 2010)
122 Windows Server 2008 R2 Best Practice Analyzer
In Windows management best practices are guidelines that are considered the ideal way under
typical circumstances to configure a server as defined by experts For example it is considered a best
practice for most server technologies to keep open only those ports required for the technologies to
communicate with other networked computers and block unused ports Although best practice
Page 8
violations even crucial ones are not necessarily problematic they indicate server configurations that
can result in poor performance poor reliability unexpected conflicts increased security risks or other
potential problems
Best Practices Analyzer (BPA) is a server management tool that is available in
Windows Serverreg 2008 R2 BPA can help administrators reduce best practice violations by scanning
one or more roles that are installed on Windows Server 2008 R2 and reporting best practice violations
to the administrator Administrators can filter or exclude results from BPA reports that they do not have
to see Administrators can also perform BPA tasks by using either the Server Manager GUI or
Windows PowerShell cmdlets
BPA can also be used on remote servers that are running Windows Server 2008 R2 by using Server
Manager targeted at a remote server For more information about how to run Server Manager targeted
at a remote server see Remote Management with Server Manager
The following BPA modules are currently available
Best Practices Analyzer for Active Directory Certificate Services
Best Practices Analyzer for Active Directory Domain Services
Best Practices Analyzer for Active Directory Rights Management Services
Best Practices Analyzer for Application Server
Best Practices Analyzer for Domain Name System
Best Practices Analyzer for Dynamic Host Configuration Protocol
Best Practices Analyzer for File Services
Best Practices Analyzer for Hyper-V
Best Practices Analyzer for Internet Information Services
Best Practices Analyzer for Network Policy and Access Services
Best Practices Analyzer for Remote Desktop Services
Best Practices Analyzer for Windows Server Update Services
More Information about Windows BPA look here
123 Fix-it
Currently there exists no link between the SQL Server Best Practice Analyzer and the Fixit webpage
httpsupportmicrosoftcomfixit
Microsoft is working on a solution to combine fixit with specific Best Practice Analyzer
httpfixitcentersupportmicrosoftcomPortal
124 Microsoft Automated Troubleshooting Service in Windows Server
2008 R2 and Windows 7
Troubleshooting in Windows Server 2008 R2 and Windows 7 provides several troubleshooting
programs that can automatically fix some common problems with your computer such as problems
with networking hardware and devices using the web and program compatibility
Go to the Windows website to watch a video about using troubleshooters to fix common problems
(330)
When you run a troubleshooter it might ask you some questions or reset common settings as it works
to fix the problem If the troubleshooter fixed the problem you can close the troubleshooter If it couldnt
fix the problem you can view several options that will take you online to try and find an answer In
either case you can always view a complete list of changes made
Page 9
Notes
If you click the Advanced link on a troubleshooter and then clear the Apply repairs
automatically check box the troubleshooter displays a list of fixes to choose from if any
problems are found
Windows includes several troubleshooters and more are available online when you select the
Get the most up-to-date troubleshooters from the Windows Online Troubleshooting service
check box at the bottom of Troubleshooting
httpsupportmicrosoftcomgpsystem_maintenance_for_windows
Page 10
2 SYSTEM REQUIREMENTS
SQL Server 2008 R2 Best Practices Advisor is supported on the following Operating Systems
1 Windows Vista
2 Windows 7
3 Windows Server 2003
4 Windows Server 2003 R2
5 Windows Server 2008
6 Windows Server 2008 R2
Supported editions of SQL Server
1 SQL Server 2008 all editions except Express
2 SQL Server 2008 R2 all editions except Express
Supported Components of SQL Server
1 Analysis Services
2 Database Engine
3 Integration Services
4 Reporting Services
5 Replication
6 Setup
These components are designed as Submodels for the BPA This means that they will be run
concurrently where possible
21 Required Permissions for Running SQL Server 2008 R2 BPA
Administration Privileges
To run MBCA v20 a user must be a member of the administrators group on the machine being
scanned and on the machine the scan is initiated from If a user is not an administrator on the machine
that is being scanned an appropriate error message displays
SQL Server
To successfully access all of the database properties and SQL Server Configurations a user must be
the Systems Administrator (sysadmin) on the instance of SQL Server
Analysis Services
The user or the administrators group must be member of the server administrator role within an
instance of Microsoft SQL Server Analysis Services have unrestricted access to all Analysis Services
objects and data in that instance
httpmsdnmicrosoftcomen-uslibraryms174561aspx
Integration Services
The user or the administrators group must be members of the sysadmin or db_ssisadmin roles
httpmsdnmicrosoftcomen-uslibraryms141053aspx
Reporting Services
Page 11
The user or the administrators group must be member of the System Administrator and Content
Manager role
22 Prerequisites
The following are required for using SQL Server 2008 R2 Best Practices Analyzer
1 PowerShell V20
Windows PowerShell 20 requires the Microsoft NET Framework 20 with Service Pack 1
2 Microsoft Baseline Configuration Analyzer V20
3 SQL Server Management Tools for SQL Server 2008 or SQL Server 2008 R2
The following table outlines the prerequisite Microsoft utilities components by Operating System
necessary to have on your server prior to installing and running SQL Server 2008 R2 BPA
OS 1Install
WinRM
2Install
PowerShell 20
3Install
MBCA 20
Configure PowerShell1 7 Install SQL2008
or SQL 2008 R2
Management Tools 4Remoting 5Execution
Level
6 MaxShells
PerUser
Win Vista Y Y Y Y Y Y Y
Windows 7 N N Y Y Y Y Y
Windows
Server 2003
Y Y Y Y Y Y Y
Windows
Server 2003
R2
Y Y Y Y Y Y Y
Windows
Server 2008
Y Y Y Y Y Y Y
Windows
Server 2008
R2
N N Y Y Y Y Y
1 These changes will be done from the installation routine of the BPA
Page 12
3 INSTALL
We recommend installing BPA on a workstation or administration server and performing the scan
operation remotely against servers in your SQL Server infrastructure It is also possible to install this
tool on the production SQL Server locally
Installation process
1 InstallConfigure PowerShell and WinRM
2 Microsoft Baseline Configuration Analyzer V20
3 Microsoftreg SQL Serverreg 2008 R2 Best Practices Analyzer
It exists two ways to install the Best Practices Analyzer
With a graphical user interface (setup wizard) or
Command line
31 Installing PowerShell 20 and WinRM
BPA install configures WinRM and PowerShell options by default Most of this section is only needed if
something goes wrong and you need to configure this stuff by hand
Windows Server 2003 R2
WinRM is not installed by default but it is available as the Hardware Management feature through the
AddRemove System Components feature in the Control Panel under Management and Monitoring
Tools Complete installation and information about configuring WinRM using the WINRM command-line
tool is available online in the Hardware Management Introduction which describes the WinRM and the
IPMI features in Windows Server 2003 R2
On Windows Vista Windows Server 2003 and Windows Server 2008
This is installed as part of Windows Management Framework Core The WinRM service starts
automatically on Windows Server 2008 On Windows Vista the service must be started manually
On Windows Server 2008 R2 and Windows 7
This is installed as part of the OS
Note Check for additional information and configuration guidelines for WinRM and for PowerShell
20
SQL Server 2008 R2 BPA is able to scan both the local computer and remote computers Therefore in
both the local and remote cases it required that your PowerShell settings be modified These are done
by the BPA installation
PowerShell Execution Policy
The PowerShell Execution Policy is set to Restricted by default To run SQL Server 2008 R2 BPA
through the PowerShell command Line set the policy to RemoteSigned using the below command
Set-ExecutionPolicy RemoteSigned -f
You can use the command Set-ExecutionPolicy Restricted ndashf to set the execution policy back to
restricted This command is not required when executing the scan through the MBCA GUI
After the installation you must enable the PowerShell remote scripting if you are want to use the BPA
remote to another workgroup machine or a computer that have Kerberos enabled You need to run this
command only once on each computer that will receive commands You do not need to run it on
Page 13
computers that only send commands Because the configuration activates listeners it is prudent to run
it only where it is needed You can do this with the following command line
powershellexe -NoLogo -NoProfile -Noninteractive -Command Enable-
PSRemoting -force
Enable-PSRemoting performs configuration actions to enable this machine for remote management
Includes
1 Runs the Set-WSManQuickConfig cmdlet which performs the following tasks
Starts the WinRM service
Sets the startup type on the WinRM service to Automatic
Creates a listener to accept requests on any IP address
Enables a firewall exception for WS-Management communications
Enables all registered Windows PowerShell session configurations to receive instructions
from a remote computer
Registers the MicrosoftPowerShell session configuration if it is not already registered
Registers the MicrosoftPowerShell32 session configuration on 64-bit computers if it is
not already registered
Removes the Deny Everyone setting from the security descriptor for all the registered
session configurations
Restarts the WinRM service to make the preceding changes effective
2 Configures MaxShellsPerUser using winrm set winrmconfigwinrs
``MaxShellsPerUser=`10``
Specifies the maximum number of concurrent shells that any user can remotely open on
the same computer If this policy setting is enabled the user will not be able to open new
remote shells if the count exceeds the specified limit If this policy setting is disabled or is
not configured the limit will be set to 5 remote shells per user by default and you receive
the following error message
[localhost] Connecting to remote server failed with the following
error message The WS-Management service cannot process the
request This user is allowed a maximum number of 5 concurrent
shells which has been exceeded Close existing shells or raise the
quota for this user For more information see the
about_Remote_Troubleshooting Help topic
+ CategoryInfo OpenError
(SystemManagemehellipRemoteRunspa
ceRemoteRunspace) [] PSRemotingTransportException
+ FullyQualifiedErrorId PSSessionOpenFailed
For more information about PowerShell remoting please see MSDN
32 Install MBCA
Download the edition of MBCA depending on your platform (x86 or x64) before installation
Page 14
Please find below the screenshots demonstrating the visual flow of the MBCA Installation
Welcome screen
License terms
Folder selection
Completion screen
33 Install BPA
Download the correct edition depending on your platform (x86 or x64) before installing If you have
trouble with the installation please section 57 Troubleshooting Installation
331 Command line
Following is an optimized command line setup example
msiexec i SQL2008R2BPA_Setup64msi l log ctempsqlbpa_installlog qn
msiexec parameters
i = package name (SQL2008R2BPA_Setup32msi or SQL2008R2BPA_Setup64msi
depending on your platform)
l = log granularity ldquordquo - Log all information except for v and x options
log = log file
q = display settings (qn ndash no user interface)
SKIPCA=1 (if no domain controller is available Skip Certification Authority)
For information on additional public properties Consult the Windowsreg Installer SDK for documentation
on the command line syntax
Page 15
332 GUI
Please find below the screenshots demonstrating the visual flow of the SQL Server 2008 R2 BPA
Installation
Welcome screen
License terms
System Configuration Changes (see 31 Installing PowerShell 20 and WinRM)
Ready to install decision
Install progress
Completion screen
Page 16
333 Port and Firewall restrictions
For scanning SQL Server or BI instances on an alternate server behind a firewall you must open all
necessary ports
34 Updates
Microsoft is working on quarterly updates of the rule set and tool improvements of the SQL Server
2008 R2 Best Practice Analyzer Please visit the Download site from Microsoft regularly to find new
updates
35 Uninstall
351 BPA
352 MBCA
353 Reset PowerShell settings
After the uninstall of the BPA you may disable the PowerShell remote scripting You can do this with
the following command line
powershellexe -NoLogo -NoProfile -Noninteractive -Command Disable-
PSRemoting -force
Disable-PSRemoting performs configuration actions to enable this machine for remote management
Page 17
4 USAGE
There are two ways to scan a server using MBCA and SQL 2008 R2 BPA They are
Scanning through the local machine
o In this case you are using MBCA and SQL 2008 R2 BPA running on the local machine to
perform the scan
o This scan can be of the local or an alternate server
Scanning through a remote machine
o In this case MBCA is used to connect to a remote server that has MBCA and SQL 2008
R2 BPA installed on it
o This scan is using the local machine to form the connection to the remote machine and is
actually performing the scan through the remote machine
41 Help file
The help file for the SQL Server 2008 R2 Best Practice Analyzer contains very useful information This
help file is available after the installation of BPA and is located at Start-gtAll programs-gtSQL Server
2008 R2 BPA
42 GUI
1 Ensure that MBCA v2 and SQL 2008 R2 BPA are installed on the machine
2 Run the MBCA application from the start menu with elevated user rights
Page 18
3 On the MBCA home page ensure the SQL Server 2008 R2 BPArdquo product is selected
4 Click Start Scan which displays a page to specify parameters as shown below
5 Fill in Alternate_Server_to_Scan with the remote machine you want to scan
ComputerName
IP address nnnn
FQDN (Fully Qualified Domain Name)
Enter ldquordquo localhost or leave this blank if you want to scan the local machine
Page 19
Enter the instance name you want to scan To scan the default instance enter MSSQLSERVER
or leave this as blank Toggle the checkboxes to enabledisable scans for those rule categories
Each of the following six check boxes correspond to the SQL Server categories listed previously
Select at least one category in order to run a successful scan
Analyze_SQL_Analysis_Services
Analyze_SQL_Server_Engine
Analyze_SQL_Integration_Services
Analyze_SQL_Server_Replication
Analyze_SQL_Reporting_Services
Analyze_SQL_Server_Setup
Note Only one SQL Server instance can be scanned at a time through the MBCA GUI
6 Click Start Scan MBCA will start the configured scan and display the below page while in
progress
7 When the scan is complete results will be displayed grouped by Severity as shown below
Page 20
43 Connect to a remote computer
A scan connected to a remote computer is different than scanning an alternate server
ldquoConnect to a Remote Computerrdquo is functionality provided by Microsoft Baseline Configuration Analyzer
and is used to remotely run MBCA against a server from the console of the client The client needs to
have MBCA installed but does not need BPA as it is literally running the copy of MBCA installed on the
server using the BPA installed on the server In this case the copy of MBCA installed on the client is
used only to remotely connect to the copy of MBCA installed on the server
To use this functionality you first start MBCA on the client computer and select ldquoConnect to Another
Computerrdquo
1 In the ldquoConnect to Another Computerrdquo text box you can specify a NetBIOS name a fully qualified
domain name (FQDN) or an IPv4 or IPv6 address If no port number is specified the default port
number is used The following are examples of formats that you can specify in the Connect to
Another Computer text box
ComputerName
Page 21
ComputerNamePortNumber
IP address nnnn
IPv6 address [nnnnnnnn]
IPv4 address with port number nnnnPortNumber
IPv6 address with port number [nnnnnnnn]PortNumber
Note If an administrator has changed the computerrsquos default port number any port other than the
default port must be opened in Windows Firewall to allow incoming connections on that port Port
5985 is opened by default when WinRM is configured All other ports remain blocked until opened
For more information about how to unblock a port in Windows Firewall see the Help for Windows
Firewall For more information about how to configure WinRM in a Command Prompt session type
winrm help and then press Enter
2 Additionally you must supply credentials
3 CredSSP
Windows Remote Management (WinRM) supports the delegation of user credentials across
multiple remote computers The multi-hop support functionality can now use Credential Security
Service Provider (CredSSP) for authentication CredSSP enables an application to delegate the
userrsquos credentials from the client computer to the target server
CredSSP authentication is intended for environments where Kerberos delegation cannot be used
Support for CredSSP was added to allow a user to connect to a remote server and have the ability
to access a second-hop machine such as a file share
Note WinRM clients and servers will support CredSSP authentication only with explicit credentials
Windows XP Windows Server 2003 and earlier CredSSP is not supported
First you must set CredSSP on both the client and the server
Using the Group Policy Editor (gpeditmsc) make sure to enable ldquoAllow Delegating Fresh
Credentialsrdquo and check ldquoConcatenate OS defaults with input aboverdquo
Add the server or domain to the list of servers in the format ldquoWSMANdomainnamecomrdquo
Next enable and configure PowerShell Remoting on both the Client and Server by running the
following commands in a PowerShell command window opened with elevated permissions Note
Page 22
You can configure a single machine as both a client and a server simultaneously so that you can
scan from either computer
Enable PowerShell Remoting
o Enable-psremoting ndashf
Settings for a client
o Enable-WSManCredSSP ndashrole Client ndashDelegateComputer [NetBiosNameOfServer]
or
o Enable-WSManCredSSP ndashrole Client ndashDelegateComputer [FQDN OF SERVER]
Settings for the server
o Enable-WSManCredSSP ndashrole Server
o set-item WSManlocalhostShellMaxMemoryPerShellMB ndashValue 20000
o set-item WSManlocalhostShellMaxShellsPerUser ndashvalue 20
44 PowerShell
Details see 91 PowerShell
To use the functionality of the Microsoft Baseline Configuration Analyzer you must import this module
first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
441 Run Scan
To run a full scan of the BPA on the alternate server on a named instance you can use the following
command line
Invoke-MBCAModel -ModelId SQL2008R2BPA -Alternate_Server_to_scan
servername -SQL_Server_Instance_Name instancename -
Analyze_SQL_Server_Engine -Analyze_SQL_Server_Replication -
Page 23
Analyze_SQL_Server_Setup -Analyze_SQL_Analysis_Services -
Analyze_SQL_Integration_Services -Analyze_SQL_Reporting_Services
The result looks like this part
ModelId SQL2008R2BPA
SubModelId
Success True
ScanTime
Success = True is important This is the indicator that your scan was successful
Parameter description
-Alternate_Server_to_scan servername
-SQL_Server_Instance_Name instancename
-Analyze_SQL_Server_Engine
-Analyze_SQL_Server_Replication
-Analyze_SQL_Server_Setup
-Analyze_SQL_Analysis_Services
-Analyze_SQL_Integration_Services
-Analyze_SQL_Reporting_Services
The parameter list is equal the parameter screen in the GUI
The scans of the different services are optional You can remove technologies which you do not need
to scan
The next example starts the scan only for the Analysis Services on the alternate server ldquoservernamerdquo
and for the named instance ldquoinstancerdquo A log file will be written to ldquoctempssastxtrdquo
Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId AnalysisServices -
ComputerName servername -SqlServerInstance instance -SSASLogFile
ctempssastxt
Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId Engine -ComputerName
computername -SqlServerInstance servername -CurrentLoginName
($EnvUSERDOMAIN + + $EnvUSERNAME)ToString() -EngineLogFile
ctempenginetxt ndashRepositoryPath (CTEMPSQL2008 + (Get-
Date)ToString(yyyyMMdd))ToString()
442 Create Report
model = get-MbcaModel ndashModelId sql2008r2bpa
$scanResult = get-MbcaResult ndashModelId sql2008r2bpa
$collectedConfig = get-MbcaResult ndashModelId sql2008r2bpa ndash
CollectedConfiguration
$model $scanResult $collectedConfig | export-CliXml ctempasxml
Get-MBCAResult -ModelId SQL2008R2BPA -SubModelId AnalysisServices |
ConvertTo-Html | Add-Content -Path ctesthtml
The next command retrieves the results of the most recent BPA scan for the specified model and
saves them in HTML format applying the standard cascading style sheets that are stored in the path
windirsystem32WindowsPowerShellv10ModulesBestPracticesBestPracticesReportFormatc
Page 24
ss If you want to substitute cascading style sheets provide the path to the different cascading style
sheets
Get-MBCAResult -ModelId SQL2008R2BPA | $_Severity -eq Warning -or
$_Severity -eq Error | ConvertTo-Html -As Table -property ResultNumber
SubModelID ComputerName Severity Category Title Problem Impact
Resolution Help -Head lth1gtSQL Server 2008 (R2) Best Practice Analyzer
Reportlth1gtrdquo -Title SQL Server 2008 Best Practice Analyzer -body
(ltpgtReport creation date + (Get-Date)ToString(ddMMyyyy hhmmss) +
ltpgt)toString() -pre ltPgtGenerated by user $envusername on computer
$envcomputernameltPgt -post For details contact Microsoft Premier-
CssUri $env BestPracticesReportFormatcss gt ctempsql2008r2bpahtm
443 Exporting and opening reports by using Get-MBCAResult
You can use the Get-MBCAResult cmdlet to export scan results and configuration data to an XML
report that you can open for viewing in the future either by using Get-MBCAResult or by using the
MBCA GUI Exporting reports allows you to compare older scans with more recent scans to measure
the progress of your best practice compliance
Example of exporting to XML
$results = Get-MBCAResult ltModel Idgt
$collectedconfig = Get-MBCAResult ltModel Idgt -CollectedConfiguration
$results $collectedconfig | Export-CliXml cexportxml
Example of opening archived XML report file
$loadedResults $loadedConfiguration = Import-CliXml cexportxml
444 Report Result Directory
The reporting result path
AppDataMicrosoftBaselineConfigurationAnalyzer
2ReportsSQL2008R2BPAResults
Will be overwritten during each run of the tool or invoke command
Solution save older results before you start the check
copy-item -path ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2Reports)ToString() -
destination ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2Reports_ + (Get-
Date)ToString(yyyyMMddhhmmss))ToString() ndashrecurse
Afterwards you can create a report with the following command
$prevrepPath = (Get-ChildItem ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2)ToString() -exclude
Reports | Sort-Object name -descending)[0]
Get-MBCAResult -ModelId SQL2008R2BPA ndashRepositoryPath ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2rdquo +
$prevrepPathname)ToString() | ConvertTo-Html -As Table -property
ResultNumberSubModelID ComputerName Severity Category Title Problem
Impact Resolution Help -Head lth1gtSQL Server 2008 (R2) Best Practice
Analyzer Reportlth1gtrdquo -Title SQL Server 2008 Best Practice Analyzer -body
(ltpgtReport creation date + (Get-Date)ToString(ddMMyyyy hhmmss) +
ltpgt)toString() -pre ltPgtGenerated by user $envusername on computer
Page 25
$envcomputernameltPgt -post For details contact Microsoft Premier gt
ctempsql2008r2bpahtm
Page 26
5 TROUBLESHOOTING
51 Application directories
To following directories are used by MBCA
Report output directory localappdataMicrosoftMicrosoftBaselineConfigurationAnalyzer 2ReportsSQL2008R2BPAResults
Model configuration path ProgramdataMicrosoftMicrosoft Baseline Configuration Analyzer 2ModelsSQL2008R2BPA
Temp and log files directory tempSQL2008R2BPASQL2008ltdategt_lttimegt
Registry [HKEY_LOCAL_MACHINESOFTWAREMicrosoftBaselineConfigurationAnalyzer]
Log Files
During Data Discovery SQL Server 2008 R2 BPA creates log files for troubleshooting The log file
contains the following information
Pre-requisite validation
Timestamp finished rules start and end times
Run-time scripting errors and exceptions from Power Shell Traps
Log Files Location
For every scan log files are created in userrsquos Local Temp directory (Temp) and follows the folder
structure SQL2008R2BPAlt Instance Name gtlt datestamp_timestamp gtlt Log files gt
Note In case of a remote scan the category log files are generated on the remote system at the same
path whereas the common log file is generated in the local system
Log Files Structure
A common log file gets generated and contains information about each categorys execution Apart
from this each category has its own log file which details the rule execution The names of the log files
are given below
Common File - ModelLogtxt
Engine Rules - EngineLogtxt
Replication Rules - ReplicationLogtxt
Setup Rules - SetupLogtxt
Analysis Services Rules - AnalysisServicesLogtxt
Reporting Services Rules - ReportingServicesLogtxt
Integration Services Rules - IntegrationServicesLogtxt
52 Windows Server 2003 ndash NumberOfLogicalProcessors
Analysis Services RID2803 and RID2804 ndash NumberOfLogicalProcessors property is unavailable in
Win32_Processor for with Windows Server 2003
Solution The NumberOfLogicalProcessors property does not exist in the WIN32_PROCESSOR object
in Windows Server 2003 It has been implemented in the hotfix
httpsupportmicrosoftcomkb932370
Both of the rules below will function properly if you apply this hotfix For more information look here
Page 27
53 MBCA
This message indicates that on prerequisite is not installed
Please install the version 2 of the MBCA
54 Where can I find the Instance name in result set of the analyzer
report
The instance name is in the collected data option of the analyzer report in the BPA GUI
55 Memory limit of remote PowerShell process
By default remote PowerShell process can consume only 150 MB or less memory This default limit is
significantly small and once this limit is reached there could be a WinRM exception causing and remote
connection immediately terminates Any application or Cmdlet which is involved in PowerShell
remoting should be tested for this memory limit this may cause some of the command to fail for
example site collection creation
Solution Increase the memory limit for the remote shell Use the following command to increase this
limitation to 1000MB This is only necessary if you need to run those commands on that server
Set-Item WSManlocalhostShellMaxMemoryPerShellMB 1000
56 Remote connect
If you try to ldquoConnect to another computerrdquo from MBCA and you receive the following message
Page 28
You should check first if the Hotfix KB968930 is installed
Afterwards validate that the ldquoWindows Remote Managementrdquo service is started
Enable-PSRemoting
If CredSSP is unsupported or unavailable you will see the following message
Page 29
If you have no permission to access the remote server you get the error message
Page 30
57 Installation
571 PowerShell error
After getting through the Pre-Reqs for BPA (PowerShell 20 MBCA NET Framework) you may hit
one of two scenarios when installing BPA
In all of the cases of an install failure you will see the following error
There is a problem with this Windows Installer package A program run as part of the setup did not
finish as expected Contact your support personnel or package vendor
In your Application Event Log for both of these scenarios you will also see the following entry
Log Name Application
Source MsiInstaller
Date 6102010 83818 AM
Event ID 11722
Task Category None
Level Error
Keywords Classic
User ltUsernamegt
Computer ltMachine namegt
Description
Product Microsoft SQL Server 2008 R2 BPA -- Error 1722 There is a problem
with this Windows Installer package A program run as part of the setup did
not finish as expected Contact your support personnel or package
vendor Action EnablePSRemoting location powershellexe command -NoLogo
-NoProfile -Command Enable-PSRemoting ndashforce
Page 31
This is an indicator that PowerShell is not configured You must run the following command
powershellexe -NoLogo -NoProfile -Command Enable-PSRemoting ndashforce
572 Workgroup or Non-Domain computer
In this scenario the Enable-PSRemoting command should execute fine from a PowerShell prompt
The actual error coming back from the PowerShell command within the Installer is ldquoAccess Deniedrdquo
To work around this issue you can do the following
1 Open a command prompt with Administrative Privileges
2 Change to the directory where the msi file resides
3 Type msiexec i ltMSI Namegt SKIPCA=1
4 MSI Name will either be SQL2008R2BPA_Setup32msi or SQL2008R2BPA_Setup64msi
depending on your platform
5 Once BPA is installed open a PowerShell prompt with Administrative Privileges
6 Execute the following commands
a Enable-PSRemoting
b winrm set winrmconfigwinrs ``MaxShellsPerUser=`10``
This should allow BPA to be successfully installed in the workgroup scenario
573 Kerberos Failure
This scenario is that you are failing with the above due to a Kerberos issue This particular issue could
actually show up after you have installed BPA depending on how you have configured your
environment
The issue stems from the fact that the Windows Remoting Windows Service uses the Network Service
account Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos As a
result it will be using the HOST Service Principal Name (SPN) that is on the Machine Account as it is
running under that context You may have an HTTP SPN that resides on a different account with that
host name For example if you are running an IIS Web Application such as SharePoint or if you are
using Reporting Services and the service account is set to a Domain User account instead of Network
Service or Local System If your URL of your application matches the machine name then your HTTP
SPN will be the same Thatrsquos where this problem comes in WinRM will stop working at that point and
give you a message similar to the following
Set-WSManQuickConfig WinRM cannot process the request The following error
occured while using Negotiate authentication An unknown security error
occurred
Possible causes are
-The user name or password specified are invalid
-Kerberos is used when no authentication method and no user name are
specified
-Kerberos accepts domain user names but not local user names
-The Service Principal Name (SPN) for the remote computer name and port
does not exist
-The client and remote computers are in different domains and there is no
trust between the two domains
After checking for the above issues try the following
-Check the Event Viewer for events related to authentication
-Change the authentication method add the destination computer to the
WinRM TrustedHosts configuration setting or use HTTPS transport
Note that computers in the TrustedHosts list might not be authenticated
-For more information about WinRM configuration run the following
Page 32
command winrm help config
At line50 char33
+ Set-WSManQuickConfig ltltltlt -force
+ CategoryInfo InvalidOperation () [Set-WSManQuickConfig]
InvalidOperationException
+ FullyQualifiedErrorId
WsManErrorMicrosoftWSManManagementSetWSManQuickConfigCommand
You can get this type of error from WinRM for muliple reasons The one that
we saw in our testing was the HTTP SPN scenario
If you do have an HTTP SPN defined on a Domain Account that is using the name of your machine
you have some options First you can follow the steps mentioned above to get BPA installed The
Enable-PSRemoting command will give you the above error You can temporarily remove the HTTP
SPN to get remoting enabled and then re-add the HTTP SPN
Once BPA is setup you will still not be able to run BPA if you put the HTTP SPN back in place You will
see the following when you attempt to perform a scan
This will occur regardless of which component you try to scan It could be the Engine Setup RS etchellip
One option to perform the scan successfully is to temporarily remove the HTTP SPN again run the
scan and then put the HTTP SPN back in place Another option but one that will probably require
further testing from your applicationrsquos end would be to run the application under a Host Header and
then your HTTP SPN would not include the machine name allowing BPA to run without issue
Page 33
6 RULES
Searching for ldquoSQL Server 20087 R2 BPArdquo at Microsoftcom reveals
Here is an example of one of these articles that talks about a rule to check for a recent ldquocleanrdquo
CHECKDB
Page 34
BPA works by measuring a rolersquos compliance with best practice rules in eight different categories of a
rolersquos effectiveness trustworthiness and reliability Results of measurements can be any of the three
severity levels described in the following table
Severity level Description
Noncompliant Noncompliant results are returned when a role does not satisfy the conditions of a rule
Compliant Compliant results are returned when a role satisfies the conditions of a rule
Warning Warning results are returned when a role is compliant as operating currently but may not satisfy the conditions of a
rule if changes are not made to its configuration or policy settings For example a scan of Remote Desktop Services
might show a warning result if a license server is unavailable to the role because even if no remote connections are
active at the time of the scan not having the license server prevents new remote connections from obtaining valid
client access licenses
Page 35
BPA rule categories
The following table describes the categories of best practice rules against which roles are measured
during a BPA scan
Category Name Description
Security Security rules are applied to measure a rolersquos relative risk for exposure to threats such as unauthorized or malicious
users or loss or theft of confidential or proprietary data
Performance Performance rules are applied to measure a rolersquos ability to process requests and perform its prescribed duties in
the enterprise within expected periods of time given the rolersquos workload
Configuration Configuration rules are applied to identify role settings that might require modification for the role to perform
optimally Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role
from performing its prescribed duties in an enterprise
Policy Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the
role to operate optimally and securely
Operation Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise
Predeployment Predeployment rules are applied before an installed role is deployed in the enterprise to let administrators to
evaluate whether best practices were satisfied before you use the role in production
Postdeployment Postdeployment rules are applied after all required services have started for a role and the role is running in the
enterprise
BPA Prerequisites BPA Prerequisite rules explain configuration settings policy settings and features that are required for the role
before BPA can apply specific rules from other categories A prerequisite in scan results indicates that an incorrect
setting a missing role role service or feature an incorrectly enabled or disabled policy a registry key setting or
other configuration has prevented BPA from applying one or more rules during a scan A prerequisite result does
not imply compliance or noncompliance It means that a rule could not be applied and therefore is not part of the
scan results
61 Engine Rules
Please find below a summary of the 74 Engine Rules with the links to the rule descriptions These rules
are checking that you have a secure resilient and well performing SQL configuration
Authentication Mode (httpsupportmicrosoftcomkb2028697)
Lightweight Pooling is enabled (httpsupportmicrosoftcomkb2160691)
Locks Configuration Not Dynamic (httpsupportmicrosoftcomkb2199576)
non-default network packet size in use (httpsupportmicrosoftcomkb2157175)
degree of parallelism not set to recommended value (httpsupportmicrosoftcomkb2023536)
Use Database Mail instead of SQL Mail (httpsupportmicrosoftcomkb2028584)
SQL Server Agent Proxy Account (httpsupportmicrosoftcomkb2160741)
SQL Login Password Policy Strength and password expiry
(httpsupportmicrosoftcomkb2028712)
Trustworthy Bit (httpsupportmicrosoftcomkb2183687)
Symmetric Keys Check (httpsupportmicrosoftcomkb2162020)
Asymmetric Keys Check (httpsupportmicrosoftcomkb2162020)
SQL Server installed on PDC BDC (httpsupportmicrosoftcomkb2032911)
Page 36
SQL Server Admin role membership check (httpsupportmicrosoftcomkb2184138)
Windows API calls intercepted (httpsupportmicrosoftcomkb2033238)
unsupported DotNET framework assemblies present (httpsupportmicrosoftcomkb2033344)
Disk partition starting offset may be incorrect (httpsupportmicrosoftcomkb2023571)
non-default max worker threads value configured (httpsupportmicrosoftcomkb2157129)
Guest Permissions (httpsupportmicrosoftcomkb2186935)
Data and Log files on the same volume (httpsupportmicrosoftcomkb2033523)
IO timeouts and IO controller errors detected (httpsupportmicrosoftcomkb2091098)
IO device errors detected (httpsupportmicrosoftcomkb2091098)
IO errors during page faults detected (httpsupportmicrosoftcomkb2091098)
cluster disk corruption encountered (httpsupportmicrosoftcomkb2091098)
disk defragmentation encountered corruption (httpsupportmicrosoftcomkb2091098)
failed IO requests detected (httpsupportmicrosoftcomkb2091098)
IO requests are successful when retried (httpsupportmicrosoftcomkb2015757)
IO Delay Problems reported by SQL Server (httpsupportmicrosoftcomkb2137408)
This system experienced unexpected shutdowns (httpsupportmicrosoftcomkb2091098)
tempdb corruption errors fix missing (httpsupportmicrosoftcomkb960770)
Critical SQL database inconsistency errors found (httpsupportmicrosoftcomkb2152734)
Logical consistency errors detected (httpsupportmicrosoftcomkb2152472)
Database have auto shrink option enabled (httpsupportmicrosoftcomkb2160663)
SQL Server Error logs are very big (httpsupportmicrosoftcomkb2199578)
incorrect affinity mask settings detected httpsupportmicrosoftcomkb2157114
Very low blocked process threshold setting detected httpsupportmicrosoftcomkb2157154
Potential security issue with legacy DTS stored procedures
httpsupportmicrosoftcomkb2202875
Winsock LSP loaded into SQL httpsupportmicrosoftcomkb2033448
Databases using simple recovery model httpsupportmicrosoftcomkb2137539
User database collation different from model httpsupportmicrosoftcomkb2026108
Database files and backups exist on the same volume httpsupportmicrosoftcomkb2027537
Databases have auto close option enabled httpsupportmicrosoftcomkb2160685
LSI SAS drivers needs update httpsupportmicrosoftcomkb2121098
SQL tempdb database not configured optimally httpsupportmicrosoftcomkb2154845
SQL Database file has sparse attribute set httpsupportmicrosoftcomkb2028447
Invalid startup parameters httpsupportmicrosoftcomkb2028433
MSDTC settings not configured optimally httpsupportmicrosoftcomkb2027550
sql incorrect results fix missing httpsupportmicrosoftcomkb971780
File System needs tuning for better FileStream performance
httpsupportmicrosoftcomkb2160002
linked server memory leak fix missing httpsupportmicrosoftcomkb971622EN-US
Windows service pack is not at recommended level httpsupportmicrosoftcomkb2121098
default extended event health session not in expected state
httpsupportmicrosoftcomkb2160570
TcpSysAndChimneyCheck httpsupportmicrosoftcomKB918483
FDHOST Launcher service is not configured properly httpsupportmicrosoftcomkb2160720
Unrecommended SQL Server Agent service account httpsupportmicrosoftcomkb2160720
A required Windows fix to avoid sparse file related problems is missing
httpsupportmicrosoftcomkb2002606
Page 37
Significant Portion of SQL Server Memory Has Been Paged Out
httpsupportmicrosoftcomkb2028324
Server Exception or Hang Detected on Server httpsupportmicrosoftcomkb2028589
Databases exist without CHECKSUM protection httpsupportmicrosoftcomkb2078345
backups outdated for databases httpsupportmicrosoftcomkb2027537
Database consistency check not current httpsupportmicrosoftcomkb2033590
SQL Server Memory settings are incorrect httpsupportmicrosoftcomKB918483EN-US
Autogrow Failed or took a long time httpsupportmicrosoftcomkb2091024
Storport driver fix from KBA 940467 missing httpsupportmicrosoftcomkb2121098
Storport driver fix from KBA 950903 missing httpsupportmicrosoftcomkb2121098
SQLCLR needs additional memory configuration httpsupportmicrosoftcomkb969962EN-US
Operating System files and drivers needs update for working set trimming
httpsupportmicrosoftcomkb2121098
Agent Token Replacement httpsupportmicrosoftcomkb2202637
Auditing Log in failures httpsupportmicrosoftcomkb2187161
Databases with high number of VLF present httpsupportmicrosoftcomkb2028436
Transparent Data Encryption Certificate httpsupportmicrosoftcomkb2201900
Permission on the Binn folder httpsupportmicrosoftcomkb2029023
Index Statistics Are Outdated
Server public permissions httpsupportmicrosoftcomkb2160698
Detected use of older versions of SQLNCLI httpsupportmicrosoftcomkb979779
62 AS Rules
Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions
Flight Recorder Enabled for SQL Server Analysis Services
httpsupportmicrosoftcomkb2128005
Excessive amount of memory preallocated to Analysis Services
httpsupportmicrosoftcomkb2027474
Server not configured for optimal concurrent query throughput
httpsupportmicrosoftcomkb2135031
Non standard value detected for Analysis Services memory configuration
httpsupportmicrosoftcomkb2027472
Process Thread Pool Max limit above recommended limit
httpsupportmicrosoftcomkb2134497
Process Thread Pool Minimum is below the recommended limit
httpsupportmicrosoftcomkb2134855
Server is running a build with a known regression httpsupportmicrosoftcomkb2157941
Slice not set on a ROLAP partition or a partition where proactive caching is enabled and
ROLAP storage ay occur httpsupportmicrosoftcomkb2027754
Server is ignoring duplicate key errors httpsupportmicrosoftcomkb2027761
No default member defined for non-aggregatable attribute
httpsupportmicrosoftcomkb2027769
UnknownMember set to hidden httpsupportmicrosoftcomkb2027628
Non-numeric key column for high cardinality attribute httpsupportmicrosoftcomkb2028138
Attribute hiearchy enabled for high cardinality non-key attribute
httpsupportmicrosoftcomkb2028143
ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition
detected httpsupportmicrosoftcomkb2132742
Page 38
Account or Time attribute types defined in a non-matching dimension type
httpsupportmicrosoftcomkb2157299
An Account or Time dimension has no matching attribute defined
httpsupportmicrosoftcomkb2027418
Dimension has no attribute defined with the same type
httpsupportmicrosoftcomkb2027443
Attribute Dimension type mismatch httpsupportmicrosoftcomkb2157327
Mismatched dimension attribute types detected in dimension
httpsupportmicrosoftcomkb2027459
Possible incorrect order of levels defined in hierarchy httpsupportmicrosoftcomkb2027460
Define attribute relationships as Rigid where possible httpsupportmicrosoftcomkb2027468
Redundant attribute relationships detected httpsupportmicrosoftcomkb2127437
Diamond-shape relationship detected httpsupportmicrosoftcomkb2127570
Non-Standard Attribute Relationship name detected httpsupportmicrosoftcomkb2127862
Proactive Caching set for dimension without a processing query
httpsupportmicrosoftcomkb2027541
No Time dimension detected httpsupportmicrosoftcomkb2027532
More than 3 parent-child dimensions with custom rollups defined
httpsupportmicrosoftcomkb2134431
Encountered a parent-child dimension with more than 500000 members
httpsupportmicrosoftcomkb2131918
Single attribute dimensions detected httpsupportmicrosoftcomkb2141654
Measure groups with zero dimensional overlap detected in cube
httpsupportmicrosoftcomkb2027609
Proactive Caching set for a partition without a processing query
Default measure for perspective not in the perspective
httpsupportmicrosoftcomkb2027603
Use MOLAP storage for dimensions that participate in semi-additive measure groups
httpsupportmicrosoftcomkb2135112
Measure group defined with no partition httpsupportmicrosoftcomkb2027545
63 RS Rules
RSWindowsNegotiate is missing from your configuration
httpsupportmicrosoftcomkb2145506
HTTP Logging is not enabled httpsupportmicrosoftcomkb2145909
Verbose logging is enabled httpsupportmicrosoftcomkb2146315
NTLM authentication may fail for local httpsupportmicrosoftcomkb2146369
Missing extended protection settings httpsupportmicrosoftcomkb2146062
64 IS Rules
Logging task missing for package httpsupportmicrosoftcomkb2027723
ActiveX Script task detected in package httpsupportmicrosoftcomkb2027712
Unrecommended Integration Services service account detected
httpsupportmicrosoftcomkb2027684
Integration Services logging table found in system database master and or msdb
httpsupportmicrosoftcomkb2027706
Integration Services memory dump detected httpsupportmicrosoftcomkb2027727
Page 39
65 Setup Rules
Unsupported Operating System Version Detected httpsupportmicrosoftcomkb2022909
WOW64 not supported for SQL Failover Clustering httpsupportmicrosoftcomkb2157198
Installer cache is missing for the SQL Installation httpsupportmicrosoftcomkb2015100
SQL Server WMI Provider Health Check
66 Replication Rules
Replication Timeout Alerts Type httpsupportmicrosoftcomkb2118349
Replication Pub and Sub out of sync (Data Validation) httpsupportmicrosoftcomkb2118386
Replication Pub and Sub out of sync (Constraint Violations)
httpsupportmicrosoftcomkb2118410
Replication Pub and Sub out of sync (Skipped Transactions)
httpsupportmicrosoftcomkb2194498
Merge Replication Health Check httpsupportmicrosoftcomkb2118445
Subscriptions Approaching Expiration httpgomicrosoftcomfwlinkLinkId=184483
Replication Cleanup and Retention Health Check httpsupportmicrosoftcomkb2118485
Replication Latency Threshold violations httpsupportmicrosoftcomkb2118425
Page 40
7 HOW TO DEAL WITH DEVIATIONS
Deviations from these Best Practices may indicate potential issues and configuration changes may be
necessary Make sure you have tested any intended changes in a test environment before deploying
them to a production environment You could also find deviations from Best Practices that are
acceptable or even necessary for your environment For example
SAP has its special Network Packet Size of 8 KB
Existing Non-Microsoft Clients ndash would require Mixed Mode Authentication
Page 41
8 MOTIVATION TO USE SQL BPA R2
Bob Ward explained in his Article ldquoWhy use SQL Server 2008 R2 BPA Case 1 Missing Updatesrdquo
the common pitfalls during maintenance and operation of SQL Server and how address them by using
the SQL BPA
In brief itrsquos a customer scenario where the customer is facing an issue after a major update to
SQL2008 After some troubleshooting and an update to a certain CU (that is meant to fix the issue) the
problem still occurs Bobs article states the common resulting consequences ndash the involvement of
Microsoft Support and the final solution ndash adding a needed traceflag
The good news in this story is that the customer would not have needed to go to all that effort if they
would have run the SQL BPA It would have told them about the update and instructed them to put the
traceflag in place BPA is a mechanism that proactively advises you and instructs you on dealing with
common known issues
Page 42
9 ADDITIONAL INFORMATION
91 PowerShell
To use the functionality of the Baseline Configuration Analyzer with PowerShell you must import this
module first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
The following commands are stored in this module
Get-MbcaModel
Get-MbcaResult
Invoke-MbcaModel
Set-MbcaResult
You get help of this command with the following syntax
Get-help ltcommandgt -full
911 Get-MBCAModel
SYNOPSIS
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer
SYNTAX
Get-MBCAModel [[-ModelId] ltstring[]gt] [[-SubModelId] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer If no parameter is
specified Get-MBCAModel returns all models that are installed on the computer If a model is specified
by using the -ModelId parameter information about the specified model is returned
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
The results of the Get-MBCAModel cmdlet include the following details about models
1 Branding information (manufacturer or company display names version number) that is found in
the model manifest
2 Dynamic parameters that are included with the model
3 Submodels that are included with the model
PARAMETERS
-ModelId ltstring[]gt
The -ModelId parameter specifies the ID of the MBCA model about which you want to view
details You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet with no parameters and targeted at a computer on which MBCA models are installed
Page 43
This parameter supports wild card characters
Required false
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you
want to view details You can obtain valid values for the -SubModelId parameter by running the
Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models
are installed Not all models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
Examples
Get-MBCAModel
In the preceding example Get-MBCAModel with no parameters added returns details about all MBCA
models that are installed on the computer
Get-MBCAModel -ModelId SQL2008R2BPA
The preceding example can be used to return details about the MBCA model that is specified in the -
ModelId parameter represented by Model Id
$model= Get-MBCAModel -ModelId SQL2008R2BPA
$modelParameters
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the Parameters property of the model details that were stored in the
$model object returns details about which parameters are supported by the model
Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId ltSubModel Idgt
The preceding example can be used to return details about the MBCA sub-model that is specified by
the -SubModelId parameter represented by SubModel Id Note that the -ModelId parameter is
required by the -SubModelId parameter
$model= Get-MBCAModel -ModelId SQL2008R2BPA
Page 44
$modelSubModels
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the SubModels property of the model details that were stored in the
$model object returns a list of the submodels of the model specified in the first line
912 Invoke-MBCAModel
SYNOPSIS
The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA)
scan for a specific model that is installed on your computer
SYNTAX
Invoke-MBCAModel [-ModelId] ltstringgt -SubModelId ltstringgt [-Authentication
ltAuthenticationMechanismgt] [-CertificateThumbprint ltstringgt] [-ComputerName
ltstring[]gt] [-ConfigurationName ltstringgt] [-Context ltstringgt] [-Credential
ltstringgt] [-Mode ltModeEnumgt] [-Port ltintgt] [-RepositoryPath ltstringgt] [-
ThrottleLimit ltintgt] [-UseSSL] [ltCommonParametersgt]
DESCRIPTION
The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer
(MBCA) scan for a specific model that is installed on your computer The model is specified either by
using the parameter -ModelId or by piping the results of the Get-MBCAModel cmdlet into an Invoke-
MBCAMode cmdlet
After the MBCA scan has been performed the results of the scan are available to be retrieved by Get-
MBCAResult cmdlet
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Authentication ltAuthenticationMechanismgt
Specifies the authentication mechanism that is used to authenticate the users credentials Valid
values include Default Basic CredSSP Digest Kerberos Negotiate and
NegotiateWithImplicitCredential The default value is Default
For more information about the -Authentication parameter type the following and then press
Enter
Get-Help Invoke-Command -Parameter Authentication
Required false
Position named
Default value Default
Accept pipeline input false
Accept wildcard characters false
-CertificateThumbprint ltstringgt
Page 45
Specifies the digital public key certificate (X509) of a user account that has rights to perform the
cmdlet action The valid value is the certificate thumbprint of the certificate
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Certificate Thumbprint
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific
computer by adding this parameter Valid values include NETBOS names IP addresses or fully-
qualified domain names of one or more computers in a comma-separated list To specify the local
computer type the computer name or localhost
All formats that are accepted by the -ComputerName parameter in Invoke-Command are
accepted
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ConfigurationName ltstringgt
Specifies the session configuration that is used for a new PSSession
Enter a configuration name or the fully-qualified resource URI for a session configuration
Session configuration data is found on the remote computer on which you want to run a cmdlet
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ConfigurationName
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
The -Context parameter lets you run scans on a submodel in the context of a specific model (one
that is different from the parent model of the submodel) For example an administrator might
want to run a scan on the Backend submodel of the SQL model but only those in the context
of a third model a technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
Page 46
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Credential ltstringgt
Specifies a user account that has permission to run this cmdlet The default value is the current
user
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Credential
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Mode ltModeEnumgt
The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered
documents or discovery The default is to perform both discovery and analysis or All
If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet both discovery and
analysis are performed during a scan
Valid values are Discovery Analysis and All
Required false
Position named
Default value All
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model that you want to scan You can
obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at
a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
Page 47
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-Port ltintgt
Specifies the network port on a remote computer on which you want to run a scan The default
value is port 80
For more information on this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Port
Required false
Position named
Default value 80
Accept pipeline input false
Accept wildcard characters false
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a pathname If the parameter is not used the cmdlet writes
results to the default result repository
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to
scan You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed Not all models have
submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ThrottleLimit ltintgt
Specifies the maximum number of concurrent connections that can be established to run the
cmdlet If you omit this parameter or enter a value of 0 the default value of 32 is used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ThrottleLimit
Required false
Page 48
Position named
Default value 32
Accept pipeline input false
Accept wildcard characters false
-UseSSL [ltSwitchParametergt]
Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer
By default SSL is not used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter UseSSL
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceInvokeBpaModelOutputgt
The output object encapsulates the results of the cmdlet that you entered It contains information such
as the MBCA model ID the success or failure of the cmdlet and other details
NOTES
If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C)
before the temporary results file is copied to its final location the temporary file is discarded and any
previous scan results file for the role are preserved The message Processing of Invoke-MBCAModel
cancelled by user is displayed if the command is cancelled before existing scan results files are
overwritten
If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel
cmdlet and the command is cancelled scans that were completed before the cancel command was
entered cannot be cancelled A scan in progress behaves as described above in the single-model scan
cancellation scenario Subsequent scans in the pipeline are cancelled
If a concurrent scan of the same model is attempted the cmdlet returns the following error message
Another scan for this MBCA model is in progress Only one scan is allowed at a time
-------------------------- EXAMPLE 1 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA
Description
The preceding example starts a MBCA scan on the model that is represented by ltModel Idgt
-------------------------- EXAMPLE 2 --------------------------
Page 49
Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name
redmondmicrosoftcom
Description
The preceding example starts an MBCA scan on the model ID that is specified by Model Id
The administrator starts the MBCA scan with additional model-specific parameters that are exposed by
the model (For an example of how to obtain model-specific parameters see the examples for the Get-
MBCAModel cmdlet)
For example to scan a model that requires model-specific parameters (such as -Scope and -Name) to
be passed to the command the administrator can specify the values of these model-specific
parameters with the Invoke-MBCAModel cmdlet
-------------------------- EXAMPLE 3 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The
cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion
of the scan
-------------------------- EXAMPLE 4 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath
ltRepository Pathgt
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The -
Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on
existing documents that are specified in the non-default repository path provided with the -Repository
Path parameter
-------------------------- EXAMPLE 5 --------------------------
Invoke-MBCAModel -Id ltModel Idgt -SubModelId ltSubModel Idgt -ComputerName
ltServergt -Context ltContext Model Idgt -RepositoryPath ltRespository Pathgt -
AsJob -Authentication ltAuthenticatonMechanismgt -Port ltPort Numbergt -UseSSL -
ThrottleLimit ltThrottle Limitgt
Description
The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id
and on the computer that is represented by Server
Because the administrator only wants to see results from the submodel that apply in the context of a
third model the administrator runs the scan within the context of the model ID that is specified in the -
Context parameter The cmdlet results are saved to the non-default repository path that is specified in
the -RepositoryPath parameter
Because the -AsJob parameter is added the scan runs in the background The -AsJob -
Authentication -Port -UseSSL and -ThrottleLimit parameters are passed through for use by the
Invoke-Command cmdlet to perform discovery on a remote computer For more information about
these parameters see the Help for the Invoke-Command cmdlet available in Windows PowerShell V2
913 Get-MBCAResult
SYNOPSIS
Page 50
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
SYNTAX
Get-MBCAResult [-ModelId] ltstringgt [[-CollectedConfiguration]] -SubModelId
ltstringgt [-ComputerName ltstring[]gt] [-Context ltstringgt] [-Filter
ltFilterEnumgt] [-RepositoryPath ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
To use the command add the -ModelId parameter and then specify the model ID for which you want
to view the most recent MBCA scan results or collected configuration data If you want to retrieve the
configuration data collected add the -CollectedConfiguration switch parameter
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-CollectedConfiguration [ltSwitchParametergt]
The -CollectedConfiguration parameter allows you to obtain the configuration data that was
collected for the most recent MBCA scan If this switch parameter is added to Get-MBCAResults
the cmdlet returns only the configuration data that was collected for a scan
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The -ComputerName parameter lets you obtain scan results that were collected for the most
recent MBCA scan of a submodel on a specific computer To specify the local computer type the
computer name or localhost Multiple values for -ComputerName can be separated by
commas
The -SubModelId parameter is required by the -ComputerName parameter
Valid values for the -ComputerName parameter include localhost a NET BIOS name an IP
address or a fully-qualified domain name (FQDN) of one or more computers in a comma-
separated list
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
Page 51
The -Context parameter lets you obtain scan results that were collected for the most recent
MBCA scan of a submodel in the context of a specific model (one that is different from the parent
model of the submodel) For example an administrator might want to display scan results for the
Backend submodel of the SQL model but only those in the context of a third model a
technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Filter ltFilterEnumgt
The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant
Noncompliant or All results Valid values are Noncompliant Compliant or All The default value
is All
The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan
results You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet obtains
results from the default result repository
Required false
Position named
Page 52
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you
want to view scan results You can obtain valid values for the -SubModelId parameter by running
the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed Not all
models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceResultgt OR
SystemXmlXmlDocument (if -CollectedData specified)
If you do not use the -CollectedConfiguration parameter verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Results
2 Attempting to get MBCA results for Model Id = 0
3 Completed getting MBCA results for Model Id = 0 Number of Results = 1
If you add the -CollectedConfiguration parameter to display configuration data that was used for a
scan verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Configuration Data
2 Attempting to get MBCA collected configuration data for Model Id = 0
3 Completed getting MBCA collected configuration data for Model Id = 0
NOTES
The Get-MBCAResult cmdlet must be run by a member of the Administrators group and it does not
start a new scan
Cancellation behaviour
Single Model - To cancel this cmdlet you must press Ctrl+C before the ResultCollection is displayed
on the console The operation is cancelled and results are not displayed on the console
Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models
the cmdlet generates only those results that were displayed on the console before the cancellation
Any subsequent results in the pipeline are cancelled and not displayed
Page 53
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -Id SQL2008R2BPA
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id
-------------------------- EXAMPLE 2 --------------------------
Get-MBCAModel | Get-MBCAResult
In the preceding example Get-MBCAModel is used to return a list of all MBCA models that are
installed on the computer The results of the Get-MBCAModel cmdlet are piped to the Get-
MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both
supported by MBCA and installed on the computer at which the cmdlet is targeted
-------------------------- EXAMPLE 3 --------------------------
$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$resultDiscoveryDocument
Description
In the preceding example configuration data (in XML form) that was collected during the most recent
Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is
retrieved and stored as a property in the variable $result $resultDiscoveryDocument is of type
SystemXmlXmlDocument
-------------------------- EXAMPLE 4 --------------------------
Get-MBCAResult SQL2008R2BPA -Filter Noncompliant
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id and then applies a filter to show only Noncompliant
results
------------------------- EXAMPLE 5 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId Note that the parent model ID must be specified
to use the -SubModelId parameter
------------------------- EXAMPLE 6 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt -ComputerName ltServergt
-Context ltContext Model Idgt -RepositoryPath ltRepository Pathgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId The parent model ID is provided as required by
the -SubModelID parameter
The -Context parameter indicates that the administrator wants to see only those scan results that are in
the context of the model that is represented by Context Model Id for example only those results from
a SQL Server scan that specifically apply to another technology such as Web Server (IIS)
Page 54
The scan results are further narrowed to only those from a computer that is specified in the -
ComputerName parameter as Server and only those results found in the non-default results
repository that is represented by Repository Path
914 Set-MBCAResult
SYNOPSIS
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
SYNTAX
Set-MBCAResult [[-Exclude] ltBooleangt] [-Results] ltResultgtgt [[-
RepostitoryPath] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
The action specified in the cmdlet (Exclude for example) determines how the existing results of an
MBCA scan are updated Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet
to return a collection of scan results
You can apply filters to results that are returned by the Get-MBCAResult cmdlet and then pipe the
filtered collection of results to the Set-MBCAResult cmdlet specifying either to include or exclude
filtered scan results
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Exclude ltBooleangt
Excludes scan results from the results collection that were previously obtained by the Get-
MBCAResult command To exclude results by using the -Exclude parameter add the value $true
following the parameter as shown
-Exclude $true
To include results that have been excluded use the $false value for the -Exclude parameter
Required false
Position 2
Default value
Accept pipeline input false
Accept wildcard characters false
-RepostitoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet
modifies results from the default result repository
Required false
Page 55
Position 4
Default value
Accept pipeline input false
Accept wildcard characters false
-Results ltResultgtgt
Specifies the result collection to be updated by the Set-MBCAResult cmdlet The -Results
parameter is typically used to specify a filtered subset of scan results that has already been
stored in a variable the variable name is provided as the valid value for the -Results parameter
For example if you have created a variable $allPerformance to store all the Performance
category results for an MBCA scan of all models on a computer and you want to exclude those
Performance results from the complete collection of scan results you add the parameter -Results
$all Performance to a Set-MBCAResult cmdlet
For a more detailed example see the Examples section of the Help for this cmdlet
Required true
Position 3
Default value
Accept pipeline input true (ByValue)
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type ldquoget-
help about_commonparameters
NOTES
If the Set-MBCAResult command is cancelled before the results are written to a file the operation is
cancelled and the results file is not modified If cancellation occurs after the results file has been
modified the commands actions are carried out and the command cannot be cancelled
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -ModelId SQL2008R2BPA | Where $_Category -eq
Performance | Set-MBCAResult -Exclude $true
Description
The first section of the preceding example to the left of the first pipe character (|) uses the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is
represented by Model Id
The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those
scan results for which the category name is equal to Performance
The final section of the example following the second pipe character excludes the Performance
results that were filtered by the previous section of the example
-------------------------- EXAMPLE 2 --------------------------
$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath
CReposPath | Where $_Category -eq Policy
Page 56
Set-MBCAResult -Exclude $true -RepositoryPath CReposPath -Results
$rcPolicy
Description
The first line of the preceding example to the left of the pipe character (|) instructs the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is
represented by Specified Model Id from the specified non-default repository path
The second section of the example after the pipe character filters the results of the Get-MBCAResult
cmdlet to return only those scan results for which the category name is equal to (note the -eq option)
Policy The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet this
variable can be used in subsequent commands to represent those results
The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that
are stored in the $rcPolicy variable In this example the -Results parameter is added because the
administrator wants to exclude a specific subset of scan results for that model and has created the
variable $rcPolicy to represent that subset of results The repository root is specified in the second line
because the administrator wants to modify the results in the same non-default repository from which
the data in $rcPolicy was retrieved
915 MBCA Model Authoring
Further information about configuration and usage of MBCA models you can in the
MBCA_ModelAuthoringGuidedocx
Page 57
Did this paper help you Please give us your feedback Tell us on a scale of 1 (poor) to 5 (excellent)
how would you rate this paper and why have you given it this rating For example
Are you rating it high due to having good examples excellent screen shots clear writing or
another reason
Are you rating it low due to poor examples fuzzy screen shots or unclear writing
This feedback will help us improve the quality of white papers we release
Send feedback
Page 8
violations even crucial ones are not necessarily problematic they indicate server configurations that
can result in poor performance poor reliability unexpected conflicts increased security risks or other
potential problems
Best Practices Analyzer (BPA) is a server management tool that is available in
Windows Serverreg 2008 R2 BPA can help administrators reduce best practice violations by scanning
one or more roles that are installed on Windows Server 2008 R2 and reporting best practice violations
to the administrator Administrators can filter or exclude results from BPA reports that they do not have
to see Administrators can also perform BPA tasks by using either the Server Manager GUI or
Windows PowerShell cmdlets
BPA can also be used on remote servers that are running Windows Server 2008 R2 by using Server
Manager targeted at a remote server For more information about how to run Server Manager targeted
at a remote server see Remote Management with Server Manager
The following BPA modules are currently available
Best Practices Analyzer for Active Directory Certificate Services
Best Practices Analyzer for Active Directory Domain Services
Best Practices Analyzer for Active Directory Rights Management Services
Best Practices Analyzer for Application Server
Best Practices Analyzer for Domain Name System
Best Practices Analyzer for Dynamic Host Configuration Protocol
Best Practices Analyzer for File Services
Best Practices Analyzer for Hyper-V
Best Practices Analyzer for Internet Information Services
Best Practices Analyzer for Network Policy and Access Services
Best Practices Analyzer for Remote Desktop Services
Best Practices Analyzer for Windows Server Update Services
More Information about Windows BPA look here
123 Fix-it
Currently there exists no link between the SQL Server Best Practice Analyzer and the Fixit webpage
httpsupportmicrosoftcomfixit
Microsoft is working on a solution to combine fixit with specific Best Practice Analyzer
httpfixitcentersupportmicrosoftcomPortal
124 Microsoft Automated Troubleshooting Service in Windows Server
2008 R2 and Windows 7
Troubleshooting in Windows Server 2008 R2 and Windows 7 provides several troubleshooting
programs that can automatically fix some common problems with your computer such as problems
with networking hardware and devices using the web and program compatibility
Go to the Windows website to watch a video about using troubleshooters to fix common problems
(330)
When you run a troubleshooter it might ask you some questions or reset common settings as it works
to fix the problem If the troubleshooter fixed the problem you can close the troubleshooter If it couldnt
fix the problem you can view several options that will take you online to try and find an answer In
either case you can always view a complete list of changes made
Page 9
Notes
If you click the Advanced link on a troubleshooter and then clear the Apply repairs
automatically check box the troubleshooter displays a list of fixes to choose from if any
problems are found
Windows includes several troubleshooters and more are available online when you select the
Get the most up-to-date troubleshooters from the Windows Online Troubleshooting service
check box at the bottom of Troubleshooting
httpsupportmicrosoftcomgpsystem_maintenance_for_windows
Page 10
2 SYSTEM REQUIREMENTS
SQL Server 2008 R2 Best Practices Advisor is supported on the following Operating Systems
1 Windows Vista
2 Windows 7
3 Windows Server 2003
4 Windows Server 2003 R2
5 Windows Server 2008
6 Windows Server 2008 R2
Supported editions of SQL Server
1 SQL Server 2008 all editions except Express
2 SQL Server 2008 R2 all editions except Express
Supported Components of SQL Server
1 Analysis Services
2 Database Engine
3 Integration Services
4 Reporting Services
5 Replication
6 Setup
These components are designed as Submodels for the BPA This means that they will be run
concurrently where possible
21 Required Permissions for Running SQL Server 2008 R2 BPA
Administration Privileges
To run MBCA v20 a user must be a member of the administrators group on the machine being
scanned and on the machine the scan is initiated from If a user is not an administrator on the machine
that is being scanned an appropriate error message displays
SQL Server
To successfully access all of the database properties and SQL Server Configurations a user must be
the Systems Administrator (sysadmin) on the instance of SQL Server
Analysis Services
The user or the administrators group must be member of the server administrator role within an
instance of Microsoft SQL Server Analysis Services have unrestricted access to all Analysis Services
objects and data in that instance
httpmsdnmicrosoftcomen-uslibraryms174561aspx
Integration Services
The user or the administrators group must be members of the sysadmin or db_ssisadmin roles
httpmsdnmicrosoftcomen-uslibraryms141053aspx
Reporting Services
Page 11
The user or the administrators group must be member of the System Administrator and Content
Manager role
22 Prerequisites
The following are required for using SQL Server 2008 R2 Best Practices Analyzer
1 PowerShell V20
Windows PowerShell 20 requires the Microsoft NET Framework 20 with Service Pack 1
2 Microsoft Baseline Configuration Analyzer V20
3 SQL Server Management Tools for SQL Server 2008 or SQL Server 2008 R2
The following table outlines the prerequisite Microsoft utilities components by Operating System
necessary to have on your server prior to installing and running SQL Server 2008 R2 BPA
OS 1Install
WinRM
2Install
PowerShell 20
3Install
MBCA 20
Configure PowerShell1 7 Install SQL2008
or SQL 2008 R2
Management Tools 4Remoting 5Execution
Level
6 MaxShells
PerUser
Win Vista Y Y Y Y Y Y Y
Windows 7 N N Y Y Y Y Y
Windows
Server 2003
Y Y Y Y Y Y Y
Windows
Server 2003
R2
Y Y Y Y Y Y Y
Windows
Server 2008
Y Y Y Y Y Y Y
Windows
Server 2008
R2
N N Y Y Y Y Y
1 These changes will be done from the installation routine of the BPA
Page 12
3 INSTALL
We recommend installing BPA on a workstation or administration server and performing the scan
operation remotely against servers in your SQL Server infrastructure It is also possible to install this
tool on the production SQL Server locally
Installation process
1 InstallConfigure PowerShell and WinRM
2 Microsoft Baseline Configuration Analyzer V20
3 Microsoftreg SQL Serverreg 2008 R2 Best Practices Analyzer
It exists two ways to install the Best Practices Analyzer
With a graphical user interface (setup wizard) or
Command line
31 Installing PowerShell 20 and WinRM
BPA install configures WinRM and PowerShell options by default Most of this section is only needed if
something goes wrong and you need to configure this stuff by hand
Windows Server 2003 R2
WinRM is not installed by default but it is available as the Hardware Management feature through the
AddRemove System Components feature in the Control Panel under Management and Monitoring
Tools Complete installation and information about configuring WinRM using the WINRM command-line
tool is available online in the Hardware Management Introduction which describes the WinRM and the
IPMI features in Windows Server 2003 R2
On Windows Vista Windows Server 2003 and Windows Server 2008
This is installed as part of Windows Management Framework Core The WinRM service starts
automatically on Windows Server 2008 On Windows Vista the service must be started manually
On Windows Server 2008 R2 and Windows 7
This is installed as part of the OS
Note Check for additional information and configuration guidelines for WinRM and for PowerShell
20
SQL Server 2008 R2 BPA is able to scan both the local computer and remote computers Therefore in
both the local and remote cases it required that your PowerShell settings be modified These are done
by the BPA installation
PowerShell Execution Policy
The PowerShell Execution Policy is set to Restricted by default To run SQL Server 2008 R2 BPA
through the PowerShell command Line set the policy to RemoteSigned using the below command
Set-ExecutionPolicy RemoteSigned -f
You can use the command Set-ExecutionPolicy Restricted ndashf to set the execution policy back to
restricted This command is not required when executing the scan through the MBCA GUI
After the installation you must enable the PowerShell remote scripting if you are want to use the BPA
remote to another workgroup machine or a computer that have Kerberos enabled You need to run this
command only once on each computer that will receive commands You do not need to run it on
Page 13
computers that only send commands Because the configuration activates listeners it is prudent to run
it only where it is needed You can do this with the following command line
powershellexe -NoLogo -NoProfile -Noninteractive -Command Enable-
PSRemoting -force
Enable-PSRemoting performs configuration actions to enable this machine for remote management
Includes
1 Runs the Set-WSManQuickConfig cmdlet which performs the following tasks
Starts the WinRM service
Sets the startup type on the WinRM service to Automatic
Creates a listener to accept requests on any IP address
Enables a firewall exception for WS-Management communications
Enables all registered Windows PowerShell session configurations to receive instructions
from a remote computer
Registers the MicrosoftPowerShell session configuration if it is not already registered
Registers the MicrosoftPowerShell32 session configuration on 64-bit computers if it is
not already registered
Removes the Deny Everyone setting from the security descriptor for all the registered
session configurations
Restarts the WinRM service to make the preceding changes effective
2 Configures MaxShellsPerUser using winrm set winrmconfigwinrs
``MaxShellsPerUser=`10``
Specifies the maximum number of concurrent shells that any user can remotely open on
the same computer If this policy setting is enabled the user will not be able to open new
remote shells if the count exceeds the specified limit If this policy setting is disabled or is
not configured the limit will be set to 5 remote shells per user by default and you receive
the following error message
[localhost] Connecting to remote server failed with the following
error message The WS-Management service cannot process the
request This user is allowed a maximum number of 5 concurrent
shells which has been exceeded Close existing shells or raise the
quota for this user For more information see the
about_Remote_Troubleshooting Help topic
+ CategoryInfo OpenError
(SystemManagemehellipRemoteRunspa
ceRemoteRunspace) [] PSRemotingTransportException
+ FullyQualifiedErrorId PSSessionOpenFailed
For more information about PowerShell remoting please see MSDN
32 Install MBCA
Download the edition of MBCA depending on your platform (x86 or x64) before installation
Page 14
Please find below the screenshots demonstrating the visual flow of the MBCA Installation
Welcome screen
License terms
Folder selection
Completion screen
33 Install BPA
Download the correct edition depending on your platform (x86 or x64) before installing If you have
trouble with the installation please section 57 Troubleshooting Installation
331 Command line
Following is an optimized command line setup example
msiexec i SQL2008R2BPA_Setup64msi l log ctempsqlbpa_installlog qn
msiexec parameters
i = package name (SQL2008R2BPA_Setup32msi or SQL2008R2BPA_Setup64msi
depending on your platform)
l = log granularity ldquordquo - Log all information except for v and x options
log = log file
q = display settings (qn ndash no user interface)
SKIPCA=1 (if no domain controller is available Skip Certification Authority)
For information on additional public properties Consult the Windowsreg Installer SDK for documentation
on the command line syntax
Page 15
332 GUI
Please find below the screenshots demonstrating the visual flow of the SQL Server 2008 R2 BPA
Installation
Welcome screen
License terms
System Configuration Changes (see 31 Installing PowerShell 20 and WinRM)
Ready to install decision
Install progress
Completion screen
Page 16
333 Port and Firewall restrictions
For scanning SQL Server or BI instances on an alternate server behind a firewall you must open all
necessary ports
34 Updates
Microsoft is working on quarterly updates of the rule set and tool improvements of the SQL Server
2008 R2 Best Practice Analyzer Please visit the Download site from Microsoft regularly to find new
updates
35 Uninstall
351 BPA
352 MBCA
353 Reset PowerShell settings
After the uninstall of the BPA you may disable the PowerShell remote scripting You can do this with
the following command line
powershellexe -NoLogo -NoProfile -Noninteractive -Command Disable-
PSRemoting -force
Disable-PSRemoting performs configuration actions to enable this machine for remote management
Page 17
4 USAGE
There are two ways to scan a server using MBCA and SQL 2008 R2 BPA They are
Scanning through the local machine
o In this case you are using MBCA and SQL 2008 R2 BPA running on the local machine to
perform the scan
o This scan can be of the local or an alternate server
Scanning through a remote machine
o In this case MBCA is used to connect to a remote server that has MBCA and SQL 2008
R2 BPA installed on it
o This scan is using the local machine to form the connection to the remote machine and is
actually performing the scan through the remote machine
41 Help file
The help file for the SQL Server 2008 R2 Best Practice Analyzer contains very useful information This
help file is available after the installation of BPA and is located at Start-gtAll programs-gtSQL Server
2008 R2 BPA
42 GUI
1 Ensure that MBCA v2 and SQL 2008 R2 BPA are installed on the machine
2 Run the MBCA application from the start menu with elevated user rights
Page 18
3 On the MBCA home page ensure the SQL Server 2008 R2 BPArdquo product is selected
4 Click Start Scan which displays a page to specify parameters as shown below
5 Fill in Alternate_Server_to_Scan with the remote machine you want to scan
ComputerName
IP address nnnn
FQDN (Fully Qualified Domain Name)
Enter ldquordquo localhost or leave this blank if you want to scan the local machine
Page 19
Enter the instance name you want to scan To scan the default instance enter MSSQLSERVER
or leave this as blank Toggle the checkboxes to enabledisable scans for those rule categories
Each of the following six check boxes correspond to the SQL Server categories listed previously
Select at least one category in order to run a successful scan
Analyze_SQL_Analysis_Services
Analyze_SQL_Server_Engine
Analyze_SQL_Integration_Services
Analyze_SQL_Server_Replication
Analyze_SQL_Reporting_Services
Analyze_SQL_Server_Setup
Note Only one SQL Server instance can be scanned at a time through the MBCA GUI
6 Click Start Scan MBCA will start the configured scan and display the below page while in
progress
7 When the scan is complete results will be displayed grouped by Severity as shown below
Page 20
43 Connect to a remote computer
A scan connected to a remote computer is different than scanning an alternate server
ldquoConnect to a Remote Computerrdquo is functionality provided by Microsoft Baseline Configuration Analyzer
and is used to remotely run MBCA against a server from the console of the client The client needs to
have MBCA installed but does not need BPA as it is literally running the copy of MBCA installed on the
server using the BPA installed on the server In this case the copy of MBCA installed on the client is
used only to remotely connect to the copy of MBCA installed on the server
To use this functionality you first start MBCA on the client computer and select ldquoConnect to Another
Computerrdquo
1 In the ldquoConnect to Another Computerrdquo text box you can specify a NetBIOS name a fully qualified
domain name (FQDN) or an IPv4 or IPv6 address If no port number is specified the default port
number is used The following are examples of formats that you can specify in the Connect to
Another Computer text box
ComputerName
Page 21
ComputerNamePortNumber
IP address nnnn
IPv6 address [nnnnnnnn]
IPv4 address with port number nnnnPortNumber
IPv6 address with port number [nnnnnnnn]PortNumber
Note If an administrator has changed the computerrsquos default port number any port other than the
default port must be opened in Windows Firewall to allow incoming connections on that port Port
5985 is opened by default when WinRM is configured All other ports remain blocked until opened
For more information about how to unblock a port in Windows Firewall see the Help for Windows
Firewall For more information about how to configure WinRM in a Command Prompt session type
winrm help and then press Enter
2 Additionally you must supply credentials
3 CredSSP
Windows Remote Management (WinRM) supports the delegation of user credentials across
multiple remote computers The multi-hop support functionality can now use Credential Security
Service Provider (CredSSP) for authentication CredSSP enables an application to delegate the
userrsquos credentials from the client computer to the target server
CredSSP authentication is intended for environments where Kerberos delegation cannot be used
Support for CredSSP was added to allow a user to connect to a remote server and have the ability
to access a second-hop machine such as a file share
Note WinRM clients and servers will support CredSSP authentication only with explicit credentials
Windows XP Windows Server 2003 and earlier CredSSP is not supported
First you must set CredSSP on both the client and the server
Using the Group Policy Editor (gpeditmsc) make sure to enable ldquoAllow Delegating Fresh
Credentialsrdquo and check ldquoConcatenate OS defaults with input aboverdquo
Add the server or domain to the list of servers in the format ldquoWSMANdomainnamecomrdquo
Next enable and configure PowerShell Remoting on both the Client and Server by running the
following commands in a PowerShell command window opened with elevated permissions Note
Page 22
You can configure a single machine as both a client and a server simultaneously so that you can
scan from either computer
Enable PowerShell Remoting
o Enable-psremoting ndashf
Settings for a client
o Enable-WSManCredSSP ndashrole Client ndashDelegateComputer [NetBiosNameOfServer]
or
o Enable-WSManCredSSP ndashrole Client ndashDelegateComputer [FQDN OF SERVER]
Settings for the server
o Enable-WSManCredSSP ndashrole Server
o set-item WSManlocalhostShellMaxMemoryPerShellMB ndashValue 20000
o set-item WSManlocalhostShellMaxShellsPerUser ndashvalue 20
44 PowerShell
Details see 91 PowerShell
To use the functionality of the Microsoft Baseline Configuration Analyzer you must import this module
first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
441 Run Scan
To run a full scan of the BPA on the alternate server on a named instance you can use the following
command line
Invoke-MBCAModel -ModelId SQL2008R2BPA -Alternate_Server_to_scan
servername -SQL_Server_Instance_Name instancename -
Analyze_SQL_Server_Engine -Analyze_SQL_Server_Replication -
Page 23
Analyze_SQL_Server_Setup -Analyze_SQL_Analysis_Services -
Analyze_SQL_Integration_Services -Analyze_SQL_Reporting_Services
The result looks like this part
ModelId SQL2008R2BPA
SubModelId
Success True
ScanTime
Success = True is important This is the indicator that your scan was successful
Parameter description
-Alternate_Server_to_scan servername
-SQL_Server_Instance_Name instancename
-Analyze_SQL_Server_Engine
-Analyze_SQL_Server_Replication
-Analyze_SQL_Server_Setup
-Analyze_SQL_Analysis_Services
-Analyze_SQL_Integration_Services
-Analyze_SQL_Reporting_Services
The parameter list is equal the parameter screen in the GUI
The scans of the different services are optional You can remove technologies which you do not need
to scan
The next example starts the scan only for the Analysis Services on the alternate server ldquoservernamerdquo
and for the named instance ldquoinstancerdquo A log file will be written to ldquoctempssastxtrdquo
Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId AnalysisServices -
ComputerName servername -SqlServerInstance instance -SSASLogFile
ctempssastxt
Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId Engine -ComputerName
computername -SqlServerInstance servername -CurrentLoginName
($EnvUSERDOMAIN + + $EnvUSERNAME)ToString() -EngineLogFile
ctempenginetxt ndashRepositoryPath (CTEMPSQL2008 + (Get-
Date)ToString(yyyyMMdd))ToString()
442 Create Report
model = get-MbcaModel ndashModelId sql2008r2bpa
$scanResult = get-MbcaResult ndashModelId sql2008r2bpa
$collectedConfig = get-MbcaResult ndashModelId sql2008r2bpa ndash
CollectedConfiguration
$model $scanResult $collectedConfig | export-CliXml ctempasxml
Get-MBCAResult -ModelId SQL2008R2BPA -SubModelId AnalysisServices |
ConvertTo-Html | Add-Content -Path ctesthtml
The next command retrieves the results of the most recent BPA scan for the specified model and
saves them in HTML format applying the standard cascading style sheets that are stored in the path
windirsystem32WindowsPowerShellv10ModulesBestPracticesBestPracticesReportFormatc
Page 24
ss If you want to substitute cascading style sheets provide the path to the different cascading style
sheets
Get-MBCAResult -ModelId SQL2008R2BPA | $_Severity -eq Warning -or
$_Severity -eq Error | ConvertTo-Html -As Table -property ResultNumber
SubModelID ComputerName Severity Category Title Problem Impact
Resolution Help -Head lth1gtSQL Server 2008 (R2) Best Practice Analyzer
Reportlth1gtrdquo -Title SQL Server 2008 Best Practice Analyzer -body
(ltpgtReport creation date + (Get-Date)ToString(ddMMyyyy hhmmss) +
ltpgt)toString() -pre ltPgtGenerated by user $envusername on computer
$envcomputernameltPgt -post For details contact Microsoft Premier-
CssUri $env BestPracticesReportFormatcss gt ctempsql2008r2bpahtm
443 Exporting and opening reports by using Get-MBCAResult
You can use the Get-MBCAResult cmdlet to export scan results and configuration data to an XML
report that you can open for viewing in the future either by using Get-MBCAResult or by using the
MBCA GUI Exporting reports allows you to compare older scans with more recent scans to measure
the progress of your best practice compliance
Example of exporting to XML
$results = Get-MBCAResult ltModel Idgt
$collectedconfig = Get-MBCAResult ltModel Idgt -CollectedConfiguration
$results $collectedconfig | Export-CliXml cexportxml
Example of opening archived XML report file
$loadedResults $loadedConfiguration = Import-CliXml cexportxml
444 Report Result Directory
The reporting result path
AppDataMicrosoftBaselineConfigurationAnalyzer
2ReportsSQL2008R2BPAResults
Will be overwritten during each run of the tool or invoke command
Solution save older results before you start the check
copy-item -path ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2Reports)ToString() -
destination ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2Reports_ + (Get-
Date)ToString(yyyyMMddhhmmss))ToString() ndashrecurse
Afterwards you can create a report with the following command
$prevrepPath = (Get-ChildItem ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2)ToString() -exclude
Reports | Sort-Object name -descending)[0]
Get-MBCAResult -ModelId SQL2008R2BPA ndashRepositoryPath ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2rdquo +
$prevrepPathname)ToString() | ConvertTo-Html -As Table -property
ResultNumberSubModelID ComputerName Severity Category Title Problem
Impact Resolution Help -Head lth1gtSQL Server 2008 (R2) Best Practice
Analyzer Reportlth1gtrdquo -Title SQL Server 2008 Best Practice Analyzer -body
(ltpgtReport creation date + (Get-Date)ToString(ddMMyyyy hhmmss) +
ltpgt)toString() -pre ltPgtGenerated by user $envusername on computer
Page 25
$envcomputernameltPgt -post For details contact Microsoft Premier gt
ctempsql2008r2bpahtm
Page 26
5 TROUBLESHOOTING
51 Application directories
To following directories are used by MBCA
Report output directory localappdataMicrosoftMicrosoftBaselineConfigurationAnalyzer 2ReportsSQL2008R2BPAResults
Model configuration path ProgramdataMicrosoftMicrosoft Baseline Configuration Analyzer 2ModelsSQL2008R2BPA
Temp and log files directory tempSQL2008R2BPASQL2008ltdategt_lttimegt
Registry [HKEY_LOCAL_MACHINESOFTWAREMicrosoftBaselineConfigurationAnalyzer]
Log Files
During Data Discovery SQL Server 2008 R2 BPA creates log files for troubleshooting The log file
contains the following information
Pre-requisite validation
Timestamp finished rules start and end times
Run-time scripting errors and exceptions from Power Shell Traps
Log Files Location
For every scan log files are created in userrsquos Local Temp directory (Temp) and follows the folder
structure SQL2008R2BPAlt Instance Name gtlt datestamp_timestamp gtlt Log files gt
Note In case of a remote scan the category log files are generated on the remote system at the same
path whereas the common log file is generated in the local system
Log Files Structure
A common log file gets generated and contains information about each categorys execution Apart
from this each category has its own log file which details the rule execution The names of the log files
are given below
Common File - ModelLogtxt
Engine Rules - EngineLogtxt
Replication Rules - ReplicationLogtxt
Setup Rules - SetupLogtxt
Analysis Services Rules - AnalysisServicesLogtxt
Reporting Services Rules - ReportingServicesLogtxt
Integration Services Rules - IntegrationServicesLogtxt
52 Windows Server 2003 ndash NumberOfLogicalProcessors
Analysis Services RID2803 and RID2804 ndash NumberOfLogicalProcessors property is unavailable in
Win32_Processor for with Windows Server 2003
Solution The NumberOfLogicalProcessors property does not exist in the WIN32_PROCESSOR object
in Windows Server 2003 It has been implemented in the hotfix
httpsupportmicrosoftcomkb932370
Both of the rules below will function properly if you apply this hotfix For more information look here
Page 27
53 MBCA
This message indicates that on prerequisite is not installed
Please install the version 2 of the MBCA
54 Where can I find the Instance name in result set of the analyzer
report
The instance name is in the collected data option of the analyzer report in the BPA GUI
55 Memory limit of remote PowerShell process
By default remote PowerShell process can consume only 150 MB or less memory This default limit is
significantly small and once this limit is reached there could be a WinRM exception causing and remote
connection immediately terminates Any application or Cmdlet which is involved in PowerShell
remoting should be tested for this memory limit this may cause some of the command to fail for
example site collection creation
Solution Increase the memory limit for the remote shell Use the following command to increase this
limitation to 1000MB This is only necessary if you need to run those commands on that server
Set-Item WSManlocalhostShellMaxMemoryPerShellMB 1000
56 Remote connect
If you try to ldquoConnect to another computerrdquo from MBCA and you receive the following message
Page 28
You should check first if the Hotfix KB968930 is installed
Afterwards validate that the ldquoWindows Remote Managementrdquo service is started
Enable-PSRemoting
If CredSSP is unsupported or unavailable you will see the following message
Page 29
If you have no permission to access the remote server you get the error message
Page 30
57 Installation
571 PowerShell error
After getting through the Pre-Reqs for BPA (PowerShell 20 MBCA NET Framework) you may hit
one of two scenarios when installing BPA
In all of the cases of an install failure you will see the following error
There is a problem with this Windows Installer package A program run as part of the setup did not
finish as expected Contact your support personnel or package vendor
In your Application Event Log for both of these scenarios you will also see the following entry
Log Name Application
Source MsiInstaller
Date 6102010 83818 AM
Event ID 11722
Task Category None
Level Error
Keywords Classic
User ltUsernamegt
Computer ltMachine namegt
Description
Product Microsoft SQL Server 2008 R2 BPA -- Error 1722 There is a problem
with this Windows Installer package A program run as part of the setup did
not finish as expected Contact your support personnel or package
vendor Action EnablePSRemoting location powershellexe command -NoLogo
-NoProfile -Command Enable-PSRemoting ndashforce
Page 31
This is an indicator that PowerShell is not configured You must run the following command
powershellexe -NoLogo -NoProfile -Command Enable-PSRemoting ndashforce
572 Workgroup or Non-Domain computer
In this scenario the Enable-PSRemoting command should execute fine from a PowerShell prompt
The actual error coming back from the PowerShell command within the Installer is ldquoAccess Deniedrdquo
To work around this issue you can do the following
1 Open a command prompt with Administrative Privileges
2 Change to the directory where the msi file resides
3 Type msiexec i ltMSI Namegt SKIPCA=1
4 MSI Name will either be SQL2008R2BPA_Setup32msi or SQL2008R2BPA_Setup64msi
depending on your platform
5 Once BPA is installed open a PowerShell prompt with Administrative Privileges
6 Execute the following commands
a Enable-PSRemoting
b winrm set winrmconfigwinrs ``MaxShellsPerUser=`10``
This should allow BPA to be successfully installed in the workgroup scenario
573 Kerberos Failure
This scenario is that you are failing with the above due to a Kerberos issue This particular issue could
actually show up after you have installed BPA depending on how you have configured your
environment
The issue stems from the fact that the Windows Remoting Windows Service uses the Network Service
account Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos As a
result it will be using the HOST Service Principal Name (SPN) that is on the Machine Account as it is
running under that context You may have an HTTP SPN that resides on a different account with that
host name For example if you are running an IIS Web Application such as SharePoint or if you are
using Reporting Services and the service account is set to a Domain User account instead of Network
Service or Local System If your URL of your application matches the machine name then your HTTP
SPN will be the same Thatrsquos where this problem comes in WinRM will stop working at that point and
give you a message similar to the following
Set-WSManQuickConfig WinRM cannot process the request The following error
occured while using Negotiate authentication An unknown security error
occurred
Possible causes are
-The user name or password specified are invalid
-Kerberos is used when no authentication method and no user name are
specified
-Kerberos accepts domain user names but not local user names
-The Service Principal Name (SPN) for the remote computer name and port
does not exist
-The client and remote computers are in different domains and there is no
trust between the two domains
After checking for the above issues try the following
-Check the Event Viewer for events related to authentication
-Change the authentication method add the destination computer to the
WinRM TrustedHosts configuration setting or use HTTPS transport
Note that computers in the TrustedHosts list might not be authenticated
-For more information about WinRM configuration run the following
Page 32
command winrm help config
At line50 char33
+ Set-WSManQuickConfig ltltltlt -force
+ CategoryInfo InvalidOperation () [Set-WSManQuickConfig]
InvalidOperationException
+ FullyQualifiedErrorId
WsManErrorMicrosoftWSManManagementSetWSManQuickConfigCommand
You can get this type of error from WinRM for muliple reasons The one that
we saw in our testing was the HTTP SPN scenario
If you do have an HTTP SPN defined on a Domain Account that is using the name of your machine
you have some options First you can follow the steps mentioned above to get BPA installed The
Enable-PSRemoting command will give you the above error You can temporarily remove the HTTP
SPN to get remoting enabled and then re-add the HTTP SPN
Once BPA is setup you will still not be able to run BPA if you put the HTTP SPN back in place You will
see the following when you attempt to perform a scan
This will occur regardless of which component you try to scan It could be the Engine Setup RS etchellip
One option to perform the scan successfully is to temporarily remove the HTTP SPN again run the
scan and then put the HTTP SPN back in place Another option but one that will probably require
further testing from your applicationrsquos end would be to run the application under a Host Header and
then your HTTP SPN would not include the machine name allowing BPA to run without issue
Page 33
6 RULES
Searching for ldquoSQL Server 20087 R2 BPArdquo at Microsoftcom reveals
Here is an example of one of these articles that talks about a rule to check for a recent ldquocleanrdquo
CHECKDB
Page 34
BPA works by measuring a rolersquos compliance with best practice rules in eight different categories of a
rolersquos effectiveness trustworthiness and reliability Results of measurements can be any of the three
severity levels described in the following table
Severity level Description
Noncompliant Noncompliant results are returned when a role does not satisfy the conditions of a rule
Compliant Compliant results are returned when a role satisfies the conditions of a rule
Warning Warning results are returned when a role is compliant as operating currently but may not satisfy the conditions of a
rule if changes are not made to its configuration or policy settings For example a scan of Remote Desktop Services
might show a warning result if a license server is unavailable to the role because even if no remote connections are
active at the time of the scan not having the license server prevents new remote connections from obtaining valid
client access licenses
Page 35
BPA rule categories
The following table describes the categories of best practice rules against which roles are measured
during a BPA scan
Category Name Description
Security Security rules are applied to measure a rolersquos relative risk for exposure to threats such as unauthorized or malicious
users or loss or theft of confidential or proprietary data
Performance Performance rules are applied to measure a rolersquos ability to process requests and perform its prescribed duties in
the enterprise within expected periods of time given the rolersquos workload
Configuration Configuration rules are applied to identify role settings that might require modification for the role to perform
optimally Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role
from performing its prescribed duties in an enterprise
Policy Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the
role to operate optimally and securely
Operation Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise
Predeployment Predeployment rules are applied before an installed role is deployed in the enterprise to let administrators to
evaluate whether best practices were satisfied before you use the role in production
Postdeployment Postdeployment rules are applied after all required services have started for a role and the role is running in the
enterprise
BPA Prerequisites BPA Prerequisite rules explain configuration settings policy settings and features that are required for the role
before BPA can apply specific rules from other categories A prerequisite in scan results indicates that an incorrect
setting a missing role role service or feature an incorrectly enabled or disabled policy a registry key setting or
other configuration has prevented BPA from applying one or more rules during a scan A prerequisite result does
not imply compliance or noncompliance It means that a rule could not be applied and therefore is not part of the
scan results
61 Engine Rules
Please find below a summary of the 74 Engine Rules with the links to the rule descriptions These rules
are checking that you have a secure resilient and well performing SQL configuration
Authentication Mode (httpsupportmicrosoftcomkb2028697)
Lightweight Pooling is enabled (httpsupportmicrosoftcomkb2160691)
Locks Configuration Not Dynamic (httpsupportmicrosoftcomkb2199576)
non-default network packet size in use (httpsupportmicrosoftcomkb2157175)
degree of parallelism not set to recommended value (httpsupportmicrosoftcomkb2023536)
Use Database Mail instead of SQL Mail (httpsupportmicrosoftcomkb2028584)
SQL Server Agent Proxy Account (httpsupportmicrosoftcomkb2160741)
SQL Login Password Policy Strength and password expiry
(httpsupportmicrosoftcomkb2028712)
Trustworthy Bit (httpsupportmicrosoftcomkb2183687)
Symmetric Keys Check (httpsupportmicrosoftcomkb2162020)
Asymmetric Keys Check (httpsupportmicrosoftcomkb2162020)
SQL Server installed on PDC BDC (httpsupportmicrosoftcomkb2032911)
Page 36
SQL Server Admin role membership check (httpsupportmicrosoftcomkb2184138)
Windows API calls intercepted (httpsupportmicrosoftcomkb2033238)
unsupported DotNET framework assemblies present (httpsupportmicrosoftcomkb2033344)
Disk partition starting offset may be incorrect (httpsupportmicrosoftcomkb2023571)
non-default max worker threads value configured (httpsupportmicrosoftcomkb2157129)
Guest Permissions (httpsupportmicrosoftcomkb2186935)
Data and Log files on the same volume (httpsupportmicrosoftcomkb2033523)
IO timeouts and IO controller errors detected (httpsupportmicrosoftcomkb2091098)
IO device errors detected (httpsupportmicrosoftcomkb2091098)
IO errors during page faults detected (httpsupportmicrosoftcomkb2091098)
cluster disk corruption encountered (httpsupportmicrosoftcomkb2091098)
disk defragmentation encountered corruption (httpsupportmicrosoftcomkb2091098)
failed IO requests detected (httpsupportmicrosoftcomkb2091098)
IO requests are successful when retried (httpsupportmicrosoftcomkb2015757)
IO Delay Problems reported by SQL Server (httpsupportmicrosoftcomkb2137408)
This system experienced unexpected shutdowns (httpsupportmicrosoftcomkb2091098)
tempdb corruption errors fix missing (httpsupportmicrosoftcomkb960770)
Critical SQL database inconsistency errors found (httpsupportmicrosoftcomkb2152734)
Logical consistency errors detected (httpsupportmicrosoftcomkb2152472)
Database have auto shrink option enabled (httpsupportmicrosoftcomkb2160663)
SQL Server Error logs are very big (httpsupportmicrosoftcomkb2199578)
incorrect affinity mask settings detected httpsupportmicrosoftcomkb2157114
Very low blocked process threshold setting detected httpsupportmicrosoftcomkb2157154
Potential security issue with legacy DTS stored procedures
httpsupportmicrosoftcomkb2202875
Winsock LSP loaded into SQL httpsupportmicrosoftcomkb2033448
Databases using simple recovery model httpsupportmicrosoftcomkb2137539
User database collation different from model httpsupportmicrosoftcomkb2026108
Database files and backups exist on the same volume httpsupportmicrosoftcomkb2027537
Databases have auto close option enabled httpsupportmicrosoftcomkb2160685
LSI SAS drivers needs update httpsupportmicrosoftcomkb2121098
SQL tempdb database not configured optimally httpsupportmicrosoftcomkb2154845
SQL Database file has sparse attribute set httpsupportmicrosoftcomkb2028447
Invalid startup parameters httpsupportmicrosoftcomkb2028433
MSDTC settings not configured optimally httpsupportmicrosoftcomkb2027550
sql incorrect results fix missing httpsupportmicrosoftcomkb971780
File System needs tuning for better FileStream performance
httpsupportmicrosoftcomkb2160002
linked server memory leak fix missing httpsupportmicrosoftcomkb971622EN-US
Windows service pack is not at recommended level httpsupportmicrosoftcomkb2121098
default extended event health session not in expected state
httpsupportmicrosoftcomkb2160570
TcpSysAndChimneyCheck httpsupportmicrosoftcomKB918483
FDHOST Launcher service is not configured properly httpsupportmicrosoftcomkb2160720
Unrecommended SQL Server Agent service account httpsupportmicrosoftcomkb2160720
A required Windows fix to avoid sparse file related problems is missing
httpsupportmicrosoftcomkb2002606
Page 37
Significant Portion of SQL Server Memory Has Been Paged Out
httpsupportmicrosoftcomkb2028324
Server Exception or Hang Detected on Server httpsupportmicrosoftcomkb2028589
Databases exist without CHECKSUM protection httpsupportmicrosoftcomkb2078345
backups outdated for databases httpsupportmicrosoftcomkb2027537
Database consistency check not current httpsupportmicrosoftcomkb2033590
SQL Server Memory settings are incorrect httpsupportmicrosoftcomKB918483EN-US
Autogrow Failed or took a long time httpsupportmicrosoftcomkb2091024
Storport driver fix from KBA 940467 missing httpsupportmicrosoftcomkb2121098
Storport driver fix from KBA 950903 missing httpsupportmicrosoftcomkb2121098
SQLCLR needs additional memory configuration httpsupportmicrosoftcomkb969962EN-US
Operating System files and drivers needs update for working set trimming
httpsupportmicrosoftcomkb2121098
Agent Token Replacement httpsupportmicrosoftcomkb2202637
Auditing Log in failures httpsupportmicrosoftcomkb2187161
Databases with high number of VLF present httpsupportmicrosoftcomkb2028436
Transparent Data Encryption Certificate httpsupportmicrosoftcomkb2201900
Permission on the Binn folder httpsupportmicrosoftcomkb2029023
Index Statistics Are Outdated
Server public permissions httpsupportmicrosoftcomkb2160698
Detected use of older versions of SQLNCLI httpsupportmicrosoftcomkb979779
62 AS Rules
Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions
Flight Recorder Enabled for SQL Server Analysis Services
httpsupportmicrosoftcomkb2128005
Excessive amount of memory preallocated to Analysis Services
httpsupportmicrosoftcomkb2027474
Server not configured for optimal concurrent query throughput
httpsupportmicrosoftcomkb2135031
Non standard value detected for Analysis Services memory configuration
httpsupportmicrosoftcomkb2027472
Process Thread Pool Max limit above recommended limit
httpsupportmicrosoftcomkb2134497
Process Thread Pool Minimum is below the recommended limit
httpsupportmicrosoftcomkb2134855
Server is running a build with a known regression httpsupportmicrosoftcomkb2157941
Slice not set on a ROLAP partition or a partition where proactive caching is enabled and
ROLAP storage ay occur httpsupportmicrosoftcomkb2027754
Server is ignoring duplicate key errors httpsupportmicrosoftcomkb2027761
No default member defined for non-aggregatable attribute
httpsupportmicrosoftcomkb2027769
UnknownMember set to hidden httpsupportmicrosoftcomkb2027628
Non-numeric key column for high cardinality attribute httpsupportmicrosoftcomkb2028138
Attribute hiearchy enabled for high cardinality non-key attribute
httpsupportmicrosoftcomkb2028143
ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition
detected httpsupportmicrosoftcomkb2132742
Page 38
Account or Time attribute types defined in a non-matching dimension type
httpsupportmicrosoftcomkb2157299
An Account or Time dimension has no matching attribute defined
httpsupportmicrosoftcomkb2027418
Dimension has no attribute defined with the same type
httpsupportmicrosoftcomkb2027443
Attribute Dimension type mismatch httpsupportmicrosoftcomkb2157327
Mismatched dimension attribute types detected in dimension
httpsupportmicrosoftcomkb2027459
Possible incorrect order of levels defined in hierarchy httpsupportmicrosoftcomkb2027460
Define attribute relationships as Rigid where possible httpsupportmicrosoftcomkb2027468
Redundant attribute relationships detected httpsupportmicrosoftcomkb2127437
Diamond-shape relationship detected httpsupportmicrosoftcomkb2127570
Non-Standard Attribute Relationship name detected httpsupportmicrosoftcomkb2127862
Proactive Caching set for dimension without a processing query
httpsupportmicrosoftcomkb2027541
No Time dimension detected httpsupportmicrosoftcomkb2027532
More than 3 parent-child dimensions with custom rollups defined
httpsupportmicrosoftcomkb2134431
Encountered a parent-child dimension with more than 500000 members
httpsupportmicrosoftcomkb2131918
Single attribute dimensions detected httpsupportmicrosoftcomkb2141654
Measure groups with zero dimensional overlap detected in cube
httpsupportmicrosoftcomkb2027609
Proactive Caching set for a partition without a processing query
Default measure for perspective not in the perspective
httpsupportmicrosoftcomkb2027603
Use MOLAP storage for dimensions that participate in semi-additive measure groups
httpsupportmicrosoftcomkb2135112
Measure group defined with no partition httpsupportmicrosoftcomkb2027545
63 RS Rules
RSWindowsNegotiate is missing from your configuration
httpsupportmicrosoftcomkb2145506
HTTP Logging is not enabled httpsupportmicrosoftcomkb2145909
Verbose logging is enabled httpsupportmicrosoftcomkb2146315
NTLM authentication may fail for local httpsupportmicrosoftcomkb2146369
Missing extended protection settings httpsupportmicrosoftcomkb2146062
64 IS Rules
Logging task missing for package httpsupportmicrosoftcomkb2027723
ActiveX Script task detected in package httpsupportmicrosoftcomkb2027712
Unrecommended Integration Services service account detected
httpsupportmicrosoftcomkb2027684
Integration Services logging table found in system database master and or msdb
httpsupportmicrosoftcomkb2027706
Integration Services memory dump detected httpsupportmicrosoftcomkb2027727
Page 39
65 Setup Rules
Unsupported Operating System Version Detected httpsupportmicrosoftcomkb2022909
WOW64 not supported for SQL Failover Clustering httpsupportmicrosoftcomkb2157198
Installer cache is missing for the SQL Installation httpsupportmicrosoftcomkb2015100
SQL Server WMI Provider Health Check
66 Replication Rules
Replication Timeout Alerts Type httpsupportmicrosoftcomkb2118349
Replication Pub and Sub out of sync (Data Validation) httpsupportmicrosoftcomkb2118386
Replication Pub and Sub out of sync (Constraint Violations)
httpsupportmicrosoftcomkb2118410
Replication Pub and Sub out of sync (Skipped Transactions)
httpsupportmicrosoftcomkb2194498
Merge Replication Health Check httpsupportmicrosoftcomkb2118445
Subscriptions Approaching Expiration httpgomicrosoftcomfwlinkLinkId=184483
Replication Cleanup and Retention Health Check httpsupportmicrosoftcomkb2118485
Replication Latency Threshold violations httpsupportmicrosoftcomkb2118425
Page 40
7 HOW TO DEAL WITH DEVIATIONS
Deviations from these Best Practices may indicate potential issues and configuration changes may be
necessary Make sure you have tested any intended changes in a test environment before deploying
them to a production environment You could also find deviations from Best Practices that are
acceptable or even necessary for your environment For example
SAP has its special Network Packet Size of 8 KB
Existing Non-Microsoft Clients ndash would require Mixed Mode Authentication
Page 41
8 MOTIVATION TO USE SQL BPA R2
Bob Ward explained in his Article ldquoWhy use SQL Server 2008 R2 BPA Case 1 Missing Updatesrdquo
the common pitfalls during maintenance and operation of SQL Server and how address them by using
the SQL BPA
In brief itrsquos a customer scenario where the customer is facing an issue after a major update to
SQL2008 After some troubleshooting and an update to a certain CU (that is meant to fix the issue) the
problem still occurs Bobs article states the common resulting consequences ndash the involvement of
Microsoft Support and the final solution ndash adding a needed traceflag
The good news in this story is that the customer would not have needed to go to all that effort if they
would have run the SQL BPA It would have told them about the update and instructed them to put the
traceflag in place BPA is a mechanism that proactively advises you and instructs you on dealing with
common known issues
Page 42
9 ADDITIONAL INFORMATION
91 PowerShell
To use the functionality of the Baseline Configuration Analyzer with PowerShell you must import this
module first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
The following commands are stored in this module
Get-MbcaModel
Get-MbcaResult
Invoke-MbcaModel
Set-MbcaResult
You get help of this command with the following syntax
Get-help ltcommandgt -full
911 Get-MBCAModel
SYNOPSIS
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer
SYNTAX
Get-MBCAModel [[-ModelId] ltstring[]gt] [[-SubModelId] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer If no parameter is
specified Get-MBCAModel returns all models that are installed on the computer If a model is specified
by using the -ModelId parameter information about the specified model is returned
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
The results of the Get-MBCAModel cmdlet include the following details about models
1 Branding information (manufacturer or company display names version number) that is found in
the model manifest
2 Dynamic parameters that are included with the model
3 Submodels that are included with the model
PARAMETERS
-ModelId ltstring[]gt
The -ModelId parameter specifies the ID of the MBCA model about which you want to view
details You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet with no parameters and targeted at a computer on which MBCA models are installed
Page 43
This parameter supports wild card characters
Required false
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you
want to view details You can obtain valid values for the -SubModelId parameter by running the
Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models
are installed Not all models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
Examples
Get-MBCAModel
In the preceding example Get-MBCAModel with no parameters added returns details about all MBCA
models that are installed on the computer
Get-MBCAModel -ModelId SQL2008R2BPA
The preceding example can be used to return details about the MBCA model that is specified in the -
ModelId parameter represented by Model Id
$model= Get-MBCAModel -ModelId SQL2008R2BPA
$modelParameters
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the Parameters property of the model details that were stored in the
$model object returns details about which parameters are supported by the model
Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId ltSubModel Idgt
The preceding example can be used to return details about the MBCA sub-model that is specified by
the -SubModelId parameter represented by SubModel Id Note that the -ModelId parameter is
required by the -SubModelId parameter
$model= Get-MBCAModel -ModelId SQL2008R2BPA
Page 44
$modelSubModels
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the SubModels property of the model details that were stored in the
$model object returns a list of the submodels of the model specified in the first line
912 Invoke-MBCAModel
SYNOPSIS
The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA)
scan for a specific model that is installed on your computer
SYNTAX
Invoke-MBCAModel [-ModelId] ltstringgt -SubModelId ltstringgt [-Authentication
ltAuthenticationMechanismgt] [-CertificateThumbprint ltstringgt] [-ComputerName
ltstring[]gt] [-ConfigurationName ltstringgt] [-Context ltstringgt] [-Credential
ltstringgt] [-Mode ltModeEnumgt] [-Port ltintgt] [-RepositoryPath ltstringgt] [-
ThrottleLimit ltintgt] [-UseSSL] [ltCommonParametersgt]
DESCRIPTION
The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer
(MBCA) scan for a specific model that is installed on your computer The model is specified either by
using the parameter -ModelId or by piping the results of the Get-MBCAModel cmdlet into an Invoke-
MBCAMode cmdlet
After the MBCA scan has been performed the results of the scan are available to be retrieved by Get-
MBCAResult cmdlet
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Authentication ltAuthenticationMechanismgt
Specifies the authentication mechanism that is used to authenticate the users credentials Valid
values include Default Basic CredSSP Digest Kerberos Negotiate and
NegotiateWithImplicitCredential The default value is Default
For more information about the -Authentication parameter type the following and then press
Enter
Get-Help Invoke-Command -Parameter Authentication
Required false
Position named
Default value Default
Accept pipeline input false
Accept wildcard characters false
-CertificateThumbprint ltstringgt
Page 45
Specifies the digital public key certificate (X509) of a user account that has rights to perform the
cmdlet action The valid value is the certificate thumbprint of the certificate
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Certificate Thumbprint
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific
computer by adding this parameter Valid values include NETBOS names IP addresses or fully-
qualified domain names of one or more computers in a comma-separated list To specify the local
computer type the computer name or localhost
All formats that are accepted by the -ComputerName parameter in Invoke-Command are
accepted
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ConfigurationName ltstringgt
Specifies the session configuration that is used for a new PSSession
Enter a configuration name or the fully-qualified resource URI for a session configuration
Session configuration data is found on the remote computer on which you want to run a cmdlet
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ConfigurationName
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
The -Context parameter lets you run scans on a submodel in the context of a specific model (one
that is different from the parent model of the submodel) For example an administrator might
want to run a scan on the Backend submodel of the SQL model but only those in the context
of a third model a technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
Page 46
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Credential ltstringgt
Specifies a user account that has permission to run this cmdlet The default value is the current
user
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Credential
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Mode ltModeEnumgt
The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered
documents or discovery The default is to perform both discovery and analysis or All
If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet both discovery and
analysis are performed during a scan
Valid values are Discovery Analysis and All
Required false
Position named
Default value All
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model that you want to scan You can
obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at
a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
Page 47
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-Port ltintgt
Specifies the network port on a remote computer on which you want to run a scan The default
value is port 80
For more information on this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Port
Required false
Position named
Default value 80
Accept pipeline input false
Accept wildcard characters false
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a pathname If the parameter is not used the cmdlet writes
results to the default result repository
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to
scan You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed Not all models have
submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ThrottleLimit ltintgt
Specifies the maximum number of concurrent connections that can be established to run the
cmdlet If you omit this parameter or enter a value of 0 the default value of 32 is used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ThrottleLimit
Required false
Page 48
Position named
Default value 32
Accept pipeline input false
Accept wildcard characters false
-UseSSL [ltSwitchParametergt]
Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer
By default SSL is not used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter UseSSL
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceInvokeBpaModelOutputgt
The output object encapsulates the results of the cmdlet that you entered It contains information such
as the MBCA model ID the success or failure of the cmdlet and other details
NOTES
If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C)
before the temporary results file is copied to its final location the temporary file is discarded and any
previous scan results file for the role are preserved The message Processing of Invoke-MBCAModel
cancelled by user is displayed if the command is cancelled before existing scan results files are
overwritten
If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel
cmdlet and the command is cancelled scans that were completed before the cancel command was
entered cannot be cancelled A scan in progress behaves as described above in the single-model scan
cancellation scenario Subsequent scans in the pipeline are cancelled
If a concurrent scan of the same model is attempted the cmdlet returns the following error message
Another scan for this MBCA model is in progress Only one scan is allowed at a time
-------------------------- EXAMPLE 1 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA
Description
The preceding example starts a MBCA scan on the model that is represented by ltModel Idgt
-------------------------- EXAMPLE 2 --------------------------
Page 49
Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name
redmondmicrosoftcom
Description
The preceding example starts an MBCA scan on the model ID that is specified by Model Id
The administrator starts the MBCA scan with additional model-specific parameters that are exposed by
the model (For an example of how to obtain model-specific parameters see the examples for the Get-
MBCAModel cmdlet)
For example to scan a model that requires model-specific parameters (such as -Scope and -Name) to
be passed to the command the administrator can specify the values of these model-specific
parameters with the Invoke-MBCAModel cmdlet
-------------------------- EXAMPLE 3 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The
cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion
of the scan
-------------------------- EXAMPLE 4 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath
ltRepository Pathgt
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The -
Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on
existing documents that are specified in the non-default repository path provided with the -Repository
Path parameter
-------------------------- EXAMPLE 5 --------------------------
Invoke-MBCAModel -Id ltModel Idgt -SubModelId ltSubModel Idgt -ComputerName
ltServergt -Context ltContext Model Idgt -RepositoryPath ltRespository Pathgt -
AsJob -Authentication ltAuthenticatonMechanismgt -Port ltPort Numbergt -UseSSL -
ThrottleLimit ltThrottle Limitgt
Description
The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id
and on the computer that is represented by Server
Because the administrator only wants to see results from the submodel that apply in the context of a
third model the administrator runs the scan within the context of the model ID that is specified in the -
Context parameter The cmdlet results are saved to the non-default repository path that is specified in
the -RepositoryPath parameter
Because the -AsJob parameter is added the scan runs in the background The -AsJob -
Authentication -Port -UseSSL and -ThrottleLimit parameters are passed through for use by the
Invoke-Command cmdlet to perform discovery on a remote computer For more information about
these parameters see the Help for the Invoke-Command cmdlet available in Windows PowerShell V2
913 Get-MBCAResult
SYNOPSIS
Page 50
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
SYNTAX
Get-MBCAResult [-ModelId] ltstringgt [[-CollectedConfiguration]] -SubModelId
ltstringgt [-ComputerName ltstring[]gt] [-Context ltstringgt] [-Filter
ltFilterEnumgt] [-RepositoryPath ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
To use the command add the -ModelId parameter and then specify the model ID for which you want
to view the most recent MBCA scan results or collected configuration data If you want to retrieve the
configuration data collected add the -CollectedConfiguration switch parameter
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-CollectedConfiguration [ltSwitchParametergt]
The -CollectedConfiguration parameter allows you to obtain the configuration data that was
collected for the most recent MBCA scan If this switch parameter is added to Get-MBCAResults
the cmdlet returns only the configuration data that was collected for a scan
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The -ComputerName parameter lets you obtain scan results that were collected for the most
recent MBCA scan of a submodel on a specific computer To specify the local computer type the
computer name or localhost Multiple values for -ComputerName can be separated by
commas
The -SubModelId parameter is required by the -ComputerName parameter
Valid values for the -ComputerName parameter include localhost a NET BIOS name an IP
address or a fully-qualified domain name (FQDN) of one or more computers in a comma-
separated list
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
Page 51
The -Context parameter lets you obtain scan results that were collected for the most recent
MBCA scan of a submodel in the context of a specific model (one that is different from the parent
model of the submodel) For example an administrator might want to display scan results for the
Backend submodel of the SQL model but only those in the context of a third model a
technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Filter ltFilterEnumgt
The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant
Noncompliant or All results Valid values are Noncompliant Compliant or All The default value
is All
The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan
results You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet obtains
results from the default result repository
Required false
Position named
Page 52
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you
want to view scan results You can obtain valid values for the -SubModelId parameter by running
the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed Not all
models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceResultgt OR
SystemXmlXmlDocument (if -CollectedData specified)
If you do not use the -CollectedConfiguration parameter verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Results
2 Attempting to get MBCA results for Model Id = 0
3 Completed getting MBCA results for Model Id = 0 Number of Results = 1
If you add the -CollectedConfiguration parameter to display configuration data that was used for a
scan verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Configuration Data
2 Attempting to get MBCA collected configuration data for Model Id = 0
3 Completed getting MBCA collected configuration data for Model Id = 0
NOTES
The Get-MBCAResult cmdlet must be run by a member of the Administrators group and it does not
start a new scan
Cancellation behaviour
Single Model - To cancel this cmdlet you must press Ctrl+C before the ResultCollection is displayed
on the console The operation is cancelled and results are not displayed on the console
Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models
the cmdlet generates only those results that were displayed on the console before the cancellation
Any subsequent results in the pipeline are cancelled and not displayed
Page 53
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -Id SQL2008R2BPA
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id
-------------------------- EXAMPLE 2 --------------------------
Get-MBCAModel | Get-MBCAResult
In the preceding example Get-MBCAModel is used to return a list of all MBCA models that are
installed on the computer The results of the Get-MBCAModel cmdlet are piped to the Get-
MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both
supported by MBCA and installed on the computer at which the cmdlet is targeted
-------------------------- EXAMPLE 3 --------------------------
$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$resultDiscoveryDocument
Description
In the preceding example configuration data (in XML form) that was collected during the most recent
Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is
retrieved and stored as a property in the variable $result $resultDiscoveryDocument is of type
SystemXmlXmlDocument
-------------------------- EXAMPLE 4 --------------------------
Get-MBCAResult SQL2008R2BPA -Filter Noncompliant
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id and then applies a filter to show only Noncompliant
results
------------------------- EXAMPLE 5 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId Note that the parent model ID must be specified
to use the -SubModelId parameter
------------------------- EXAMPLE 6 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt -ComputerName ltServergt
-Context ltContext Model Idgt -RepositoryPath ltRepository Pathgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId The parent model ID is provided as required by
the -SubModelID parameter
The -Context parameter indicates that the administrator wants to see only those scan results that are in
the context of the model that is represented by Context Model Id for example only those results from
a SQL Server scan that specifically apply to another technology such as Web Server (IIS)
Page 54
The scan results are further narrowed to only those from a computer that is specified in the -
ComputerName parameter as Server and only those results found in the non-default results
repository that is represented by Repository Path
914 Set-MBCAResult
SYNOPSIS
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
SYNTAX
Set-MBCAResult [[-Exclude] ltBooleangt] [-Results] ltResultgtgt [[-
RepostitoryPath] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
The action specified in the cmdlet (Exclude for example) determines how the existing results of an
MBCA scan are updated Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet
to return a collection of scan results
You can apply filters to results that are returned by the Get-MBCAResult cmdlet and then pipe the
filtered collection of results to the Set-MBCAResult cmdlet specifying either to include or exclude
filtered scan results
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Exclude ltBooleangt
Excludes scan results from the results collection that were previously obtained by the Get-
MBCAResult command To exclude results by using the -Exclude parameter add the value $true
following the parameter as shown
-Exclude $true
To include results that have been excluded use the $false value for the -Exclude parameter
Required false
Position 2
Default value
Accept pipeline input false
Accept wildcard characters false
-RepostitoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet
modifies results from the default result repository
Required false
Page 55
Position 4
Default value
Accept pipeline input false
Accept wildcard characters false
-Results ltResultgtgt
Specifies the result collection to be updated by the Set-MBCAResult cmdlet The -Results
parameter is typically used to specify a filtered subset of scan results that has already been
stored in a variable the variable name is provided as the valid value for the -Results parameter
For example if you have created a variable $allPerformance to store all the Performance
category results for an MBCA scan of all models on a computer and you want to exclude those
Performance results from the complete collection of scan results you add the parameter -Results
$all Performance to a Set-MBCAResult cmdlet
For a more detailed example see the Examples section of the Help for this cmdlet
Required true
Position 3
Default value
Accept pipeline input true (ByValue)
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type ldquoget-
help about_commonparameters
NOTES
If the Set-MBCAResult command is cancelled before the results are written to a file the operation is
cancelled and the results file is not modified If cancellation occurs after the results file has been
modified the commands actions are carried out and the command cannot be cancelled
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -ModelId SQL2008R2BPA | Where $_Category -eq
Performance | Set-MBCAResult -Exclude $true
Description
The first section of the preceding example to the left of the first pipe character (|) uses the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is
represented by Model Id
The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those
scan results for which the category name is equal to Performance
The final section of the example following the second pipe character excludes the Performance
results that were filtered by the previous section of the example
-------------------------- EXAMPLE 2 --------------------------
$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath
CReposPath | Where $_Category -eq Policy
Page 56
Set-MBCAResult -Exclude $true -RepositoryPath CReposPath -Results
$rcPolicy
Description
The first line of the preceding example to the left of the pipe character (|) instructs the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is
represented by Specified Model Id from the specified non-default repository path
The second section of the example after the pipe character filters the results of the Get-MBCAResult
cmdlet to return only those scan results for which the category name is equal to (note the -eq option)
Policy The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet this
variable can be used in subsequent commands to represent those results
The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that
are stored in the $rcPolicy variable In this example the -Results parameter is added because the
administrator wants to exclude a specific subset of scan results for that model and has created the
variable $rcPolicy to represent that subset of results The repository root is specified in the second line
because the administrator wants to modify the results in the same non-default repository from which
the data in $rcPolicy was retrieved
915 MBCA Model Authoring
Further information about configuration and usage of MBCA models you can in the
MBCA_ModelAuthoringGuidedocx
Page 57
Did this paper help you Please give us your feedback Tell us on a scale of 1 (poor) to 5 (excellent)
how would you rate this paper and why have you given it this rating For example
Are you rating it high due to having good examples excellent screen shots clear writing or
another reason
Are you rating it low due to poor examples fuzzy screen shots or unclear writing
This feedback will help us improve the quality of white papers we release
Send feedback
Page 9
Notes
If you click the Advanced link on a troubleshooter and then clear the Apply repairs
automatically check box the troubleshooter displays a list of fixes to choose from if any
problems are found
Windows includes several troubleshooters and more are available online when you select the
Get the most up-to-date troubleshooters from the Windows Online Troubleshooting service
check box at the bottom of Troubleshooting
httpsupportmicrosoftcomgpsystem_maintenance_for_windows
Page 10
2 SYSTEM REQUIREMENTS
SQL Server 2008 R2 Best Practices Advisor is supported on the following Operating Systems
1 Windows Vista
2 Windows 7
3 Windows Server 2003
4 Windows Server 2003 R2
5 Windows Server 2008
6 Windows Server 2008 R2
Supported editions of SQL Server
1 SQL Server 2008 all editions except Express
2 SQL Server 2008 R2 all editions except Express
Supported Components of SQL Server
1 Analysis Services
2 Database Engine
3 Integration Services
4 Reporting Services
5 Replication
6 Setup
These components are designed as Submodels for the BPA This means that they will be run
concurrently where possible
21 Required Permissions for Running SQL Server 2008 R2 BPA
Administration Privileges
To run MBCA v20 a user must be a member of the administrators group on the machine being
scanned and on the machine the scan is initiated from If a user is not an administrator on the machine
that is being scanned an appropriate error message displays
SQL Server
To successfully access all of the database properties and SQL Server Configurations a user must be
the Systems Administrator (sysadmin) on the instance of SQL Server
Analysis Services
The user or the administrators group must be member of the server administrator role within an
instance of Microsoft SQL Server Analysis Services have unrestricted access to all Analysis Services
objects and data in that instance
httpmsdnmicrosoftcomen-uslibraryms174561aspx
Integration Services
The user or the administrators group must be members of the sysadmin or db_ssisadmin roles
httpmsdnmicrosoftcomen-uslibraryms141053aspx
Reporting Services
Page 11
The user or the administrators group must be member of the System Administrator and Content
Manager role
22 Prerequisites
The following are required for using SQL Server 2008 R2 Best Practices Analyzer
1 PowerShell V20
Windows PowerShell 20 requires the Microsoft NET Framework 20 with Service Pack 1
2 Microsoft Baseline Configuration Analyzer V20
3 SQL Server Management Tools for SQL Server 2008 or SQL Server 2008 R2
The following table outlines the prerequisite Microsoft utilities components by Operating System
necessary to have on your server prior to installing and running SQL Server 2008 R2 BPA
OS 1Install
WinRM
2Install
PowerShell 20
3Install
MBCA 20
Configure PowerShell1 7 Install SQL2008
or SQL 2008 R2
Management Tools 4Remoting 5Execution
Level
6 MaxShells
PerUser
Win Vista Y Y Y Y Y Y Y
Windows 7 N N Y Y Y Y Y
Windows
Server 2003
Y Y Y Y Y Y Y
Windows
Server 2003
R2
Y Y Y Y Y Y Y
Windows
Server 2008
Y Y Y Y Y Y Y
Windows
Server 2008
R2
N N Y Y Y Y Y
1 These changes will be done from the installation routine of the BPA
Page 12
3 INSTALL
We recommend installing BPA on a workstation or administration server and performing the scan
operation remotely against servers in your SQL Server infrastructure It is also possible to install this
tool on the production SQL Server locally
Installation process
1 InstallConfigure PowerShell and WinRM
2 Microsoft Baseline Configuration Analyzer V20
3 Microsoftreg SQL Serverreg 2008 R2 Best Practices Analyzer
It exists two ways to install the Best Practices Analyzer
With a graphical user interface (setup wizard) or
Command line
31 Installing PowerShell 20 and WinRM
BPA install configures WinRM and PowerShell options by default Most of this section is only needed if
something goes wrong and you need to configure this stuff by hand
Windows Server 2003 R2
WinRM is not installed by default but it is available as the Hardware Management feature through the
AddRemove System Components feature in the Control Panel under Management and Monitoring
Tools Complete installation and information about configuring WinRM using the WINRM command-line
tool is available online in the Hardware Management Introduction which describes the WinRM and the
IPMI features in Windows Server 2003 R2
On Windows Vista Windows Server 2003 and Windows Server 2008
This is installed as part of Windows Management Framework Core The WinRM service starts
automatically on Windows Server 2008 On Windows Vista the service must be started manually
On Windows Server 2008 R2 and Windows 7
This is installed as part of the OS
Note Check for additional information and configuration guidelines for WinRM and for PowerShell
20
SQL Server 2008 R2 BPA is able to scan both the local computer and remote computers Therefore in
both the local and remote cases it required that your PowerShell settings be modified These are done
by the BPA installation
PowerShell Execution Policy
The PowerShell Execution Policy is set to Restricted by default To run SQL Server 2008 R2 BPA
through the PowerShell command Line set the policy to RemoteSigned using the below command
Set-ExecutionPolicy RemoteSigned -f
You can use the command Set-ExecutionPolicy Restricted ndashf to set the execution policy back to
restricted This command is not required when executing the scan through the MBCA GUI
After the installation you must enable the PowerShell remote scripting if you are want to use the BPA
remote to another workgroup machine or a computer that have Kerberos enabled You need to run this
command only once on each computer that will receive commands You do not need to run it on
Page 13
computers that only send commands Because the configuration activates listeners it is prudent to run
it only where it is needed You can do this with the following command line
powershellexe -NoLogo -NoProfile -Noninteractive -Command Enable-
PSRemoting -force
Enable-PSRemoting performs configuration actions to enable this machine for remote management
Includes
1 Runs the Set-WSManQuickConfig cmdlet which performs the following tasks
Starts the WinRM service
Sets the startup type on the WinRM service to Automatic
Creates a listener to accept requests on any IP address
Enables a firewall exception for WS-Management communications
Enables all registered Windows PowerShell session configurations to receive instructions
from a remote computer
Registers the MicrosoftPowerShell session configuration if it is not already registered
Registers the MicrosoftPowerShell32 session configuration on 64-bit computers if it is
not already registered
Removes the Deny Everyone setting from the security descriptor for all the registered
session configurations
Restarts the WinRM service to make the preceding changes effective
2 Configures MaxShellsPerUser using winrm set winrmconfigwinrs
``MaxShellsPerUser=`10``
Specifies the maximum number of concurrent shells that any user can remotely open on
the same computer If this policy setting is enabled the user will not be able to open new
remote shells if the count exceeds the specified limit If this policy setting is disabled or is
not configured the limit will be set to 5 remote shells per user by default and you receive
the following error message
[localhost] Connecting to remote server failed with the following
error message The WS-Management service cannot process the
request This user is allowed a maximum number of 5 concurrent
shells which has been exceeded Close existing shells or raise the
quota for this user For more information see the
about_Remote_Troubleshooting Help topic
+ CategoryInfo OpenError
(SystemManagemehellipRemoteRunspa
ceRemoteRunspace) [] PSRemotingTransportException
+ FullyQualifiedErrorId PSSessionOpenFailed
For more information about PowerShell remoting please see MSDN
32 Install MBCA
Download the edition of MBCA depending on your platform (x86 or x64) before installation
Page 14
Please find below the screenshots demonstrating the visual flow of the MBCA Installation
Welcome screen
License terms
Folder selection
Completion screen
33 Install BPA
Download the correct edition depending on your platform (x86 or x64) before installing If you have
trouble with the installation please section 57 Troubleshooting Installation
331 Command line
Following is an optimized command line setup example
msiexec i SQL2008R2BPA_Setup64msi l log ctempsqlbpa_installlog qn
msiexec parameters
i = package name (SQL2008R2BPA_Setup32msi or SQL2008R2BPA_Setup64msi
depending on your platform)
l = log granularity ldquordquo - Log all information except for v and x options
log = log file
q = display settings (qn ndash no user interface)
SKIPCA=1 (if no domain controller is available Skip Certification Authority)
For information on additional public properties Consult the Windowsreg Installer SDK for documentation
on the command line syntax
Page 15
332 GUI
Please find below the screenshots demonstrating the visual flow of the SQL Server 2008 R2 BPA
Installation
Welcome screen
License terms
System Configuration Changes (see 31 Installing PowerShell 20 and WinRM)
Ready to install decision
Install progress
Completion screen
Page 16
333 Port and Firewall restrictions
For scanning SQL Server or BI instances on an alternate server behind a firewall you must open all
necessary ports
34 Updates
Microsoft is working on quarterly updates of the rule set and tool improvements of the SQL Server
2008 R2 Best Practice Analyzer Please visit the Download site from Microsoft regularly to find new
updates
35 Uninstall
351 BPA
352 MBCA
353 Reset PowerShell settings
After the uninstall of the BPA you may disable the PowerShell remote scripting You can do this with
the following command line
powershellexe -NoLogo -NoProfile -Noninteractive -Command Disable-
PSRemoting -force
Disable-PSRemoting performs configuration actions to enable this machine for remote management
Page 17
4 USAGE
There are two ways to scan a server using MBCA and SQL 2008 R2 BPA They are
Scanning through the local machine
o In this case you are using MBCA and SQL 2008 R2 BPA running on the local machine to
perform the scan
o This scan can be of the local or an alternate server
Scanning through a remote machine
o In this case MBCA is used to connect to a remote server that has MBCA and SQL 2008
R2 BPA installed on it
o This scan is using the local machine to form the connection to the remote machine and is
actually performing the scan through the remote machine
41 Help file
The help file for the SQL Server 2008 R2 Best Practice Analyzer contains very useful information This
help file is available after the installation of BPA and is located at Start-gtAll programs-gtSQL Server
2008 R2 BPA
42 GUI
1 Ensure that MBCA v2 and SQL 2008 R2 BPA are installed on the machine
2 Run the MBCA application from the start menu with elevated user rights
Page 18
3 On the MBCA home page ensure the SQL Server 2008 R2 BPArdquo product is selected
4 Click Start Scan which displays a page to specify parameters as shown below
5 Fill in Alternate_Server_to_Scan with the remote machine you want to scan
ComputerName
IP address nnnn
FQDN (Fully Qualified Domain Name)
Enter ldquordquo localhost or leave this blank if you want to scan the local machine
Page 19
Enter the instance name you want to scan To scan the default instance enter MSSQLSERVER
or leave this as blank Toggle the checkboxes to enabledisable scans for those rule categories
Each of the following six check boxes correspond to the SQL Server categories listed previously
Select at least one category in order to run a successful scan
Analyze_SQL_Analysis_Services
Analyze_SQL_Server_Engine
Analyze_SQL_Integration_Services
Analyze_SQL_Server_Replication
Analyze_SQL_Reporting_Services
Analyze_SQL_Server_Setup
Note Only one SQL Server instance can be scanned at a time through the MBCA GUI
6 Click Start Scan MBCA will start the configured scan and display the below page while in
progress
7 When the scan is complete results will be displayed grouped by Severity as shown below
Page 20
43 Connect to a remote computer
A scan connected to a remote computer is different than scanning an alternate server
ldquoConnect to a Remote Computerrdquo is functionality provided by Microsoft Baseline Configuration Analyzer
and is used to remotely run MBCA against a server from the console of the client The client needs to
have MBCA installed but does not need BPA as it is literally running the copy of MBCA installed on the
server using the BPA installed on the server In this case the copy of MBCA installed on the client is
used only to remotely connect to the copy of MBCA installed on the server
To use this functionality you first start MBCA on the client computer and select ldquoConnect to Another
Computerrdquo
1 In the ldquoConnect to Another Computerrdquo text box you can specify a NetBIOS name a fully qualified
domain name (FQDN) or an IPv4 or IPv6 address If no port number is specified the default port
number is used The following are examples of formats that you can specify in the Connect to
Another Computer text box
ComputerName
Page 21
ComputerNamePortNumber
IP address nnnn
IPv6 address [nnnnnnnn]
IPv4 address with port number nnnnPortNumber
IPv6 address with port number [nnnnnnnn]PortNumber
Note If an administrator has changed the computerrsquos default port number any port other than the
default port must be opened in Windows Firewall to allow incoming connections on that port Port
5985 is opened by default when WinRM is configured All other ports remain blocked until opened
For more information about how to unblock a port in Windows Firewall see the Help for Windows
Firewall For more information about how to configure WinRM in a Command Prompt session type
winrm help and then press Enter
2 Additionally you must supply credentials
3 CredSSP
Windows Remote Management (WinRM) supports the delegation of user credentials across
multiple remote computers The multi-hop support functionality can now use Credential Security
Service Provider (CredSSP) for authentication CredSSP enables an application to delegate the
userrsquos credentials from the client computer to the target server
CredSSP authentication is intended for environments where Kerberos delegation cannot be used
Support for CredSSP was added to allow a user to connect to a remote server and have the ability
to access a second-hop machine such as a file share
Note WinRM clients and servers will support CredSSP authentication only with explicit credentials
Windows XP Windows Server 2003 and earlier CredSSP is not supported
First you must set CredSSP on both the client and the server
Using the Group Policy Editor (gpeditmsc) make sure to enable ldquoAllow Delegating Fresh
Credentialsrdquo and check ldquoConcatenate OS defaults with input aboverdquo
Add the server or domain to the list of servers in the format ldquoWSMANdomainnamecomrdquo
Next enable and configure PowerShell Remoting on both the Client and Server by running the
following commands in a PowerShell command window opened with elevated permissions Note
Page 22
You can configure a single machine as both a client and a server simultaneously so that you can
scan from either computer
Enable PowerShell Remoting
o Enable-psremoting ndashf
Settings for a client
o Enable-WSManCredSSP ndashrole Client ndashDelegateComputer [NetBiosNameOfServer]
or
o Enable-WSManCredSSP ndashrole Client ndashDelegateComputer [FQDN OF SERVER]
Settings for the server
o Enable-WSManCredSSP ndashrole Server
o set-item WSManlocalhostShellMaxMemoryPerShellMB ndashValue 20000
o set-item WSManlocalhostShellMaxShellsPerUser ndashvalue 20
44 PowerShell
Details see 91 PowerShell
To use the functionality of the Microsoft Baseline Configuration Analyzer you must import this module
first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
441 Run Scan
To run a full scan of the BPA on the alternate server on a named instance you can use the following
command line
Invoke-MBCAModel -ModelId SQL2008R2BPA -Alternate_Server_to_scan
servername -SQL_Server_Instance_Name instancename -
Analyze_SQL_Server_Engine -Analyze_SQL_Server_Replication -
Page 23
Analyze_SQL_Server_Setup -Analyze_SQL_Analysis_Services -
Analyze_SQL_Integration_Services -Analyze_SQL_Reporting_Services
The result looks like this part
ModelId SQL2008R2BPA
SubModelId
Success True
ScanTime
Success = True is important This is the indicator that your scan was successful
Parameter description
-Alternate_Server_to_scan servername
-SQL_Server_Instance_Name instancename
-Analyze_SQL_Server_Engine
-Analyze_SQL_Server_Replication
-Analyze_SQL_Server_Setup
-Analyze_SQL_Analysis_Services
-Analyze_SQL_Integration_Services
-Analyze_SQL_Reporting_Services
The parameter list is equal the parameter screen in the GUI
The scans of the different services are optional You can remove technologies which you do not need
to scan
The next example starts the scan only for the Analysis Services on the alternate server ldquoservernamerdquo
and for the named instance ldquoinstancerdquo A log file will be written to ldquoctempssastxtrdquo
Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId AnalysisServices -
ComputerName servername -SqlServerInstance instance -SSASLogFile
ctempssastxt
Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId Engine -ComputerName
computername -SqlServerInstance servername -CurrentLoginName
($EnvUSERDOMAIN + + $EnvUSERNAME)ToString() -EngineLogFile
ctempenginetxt ndashRepositoryPath (CTEMPSQL2008 + (Get-
Date)ToString(yyyyMMdd))ToString()
442 Create Report
model = get-MbcaModel ndashModelId sql2008r2bpa
$scanResult = get-MbcaResult ndashModelId sql2008r2bpa
$collectedConfig = get-MbcaResult ndashModelId sql2008r2bpa ndash
CollectedConfiguration
$model $scanResult $collectedConfig | export-CliXml ctempasxml
Get-MBCAResult -ModelId SQL2008R2BPA -SubModelId AnalysisServices |
ConvertTo-Html | Add-Content -Path ctesthtml
The next command retrieves the results of the most recent BPA scan for the specified model and
saves them in HTML format applying the standard cascading style sheets that are stored in the path
windirsystem32WindowsPowerShellv10ModulesBestPracticesBestPracticesReportFormatc
Page 24
ss If you want to substitute cascading style sheets provide the path to the different cascading style
sheets
Get-MBCAResult -ModelId SQL2008R2BPA | $_Severity -eq Warning -or
$_Severity -eq Error | ConvertTo-Html -As Table -property ResultNumber
SubModelID ComputerName Severity Category Title Problem Impact
Resolution Help -Head lth1gtSQL Server 2008 (R2) Best Practice Analyzer
Reportlth1gtrdquo -Title SQL Server 2008 Best Practice Analyzer -body
(ltpgtReport creation date + (Get-Date)ToString(ddMMyyyy hhmmss) +
ltpgt)toString() -pre ltPgtGenerated by user $envusername on computer
$envcomputernameltPgt -post For details contact Microsoft Premier-
CssUri $env BestPracticesReportFormatcss gt ctempsql2008r2bpahtm
443 Exporting and opening reports by using Get-MBCAResult
You can use the Get-MBCAResult cmdlet to export scan results and configuration data to an XML
report that you can open for viewing in the future either by using Get-MBCAResult or by using the
MBCA GUI Exporting reports allows you to compare older scans with more recent scans to measure
the progress of your best practice compliance
Example of exporting to XML
$results = Get-MBCAResult ltModel Idgt
$collectedconfig = Get-MBCAResult ltModel Idgt -CollectedConfiguration
$results $collectedconfig | Export-CliXml cexportxml
Example of opening archived XML report file
$loadedResults $loadedConfiguration = Import-CliXml cexportxml
444 Report Result Directory
The reporting result path
AppDataMicrosoftBaselineConfigurationAnalyzer
2ReportsSQL2008R2BPAResults
Will be overwritten during each run of the tool or invoke command
Solution save older results before you start the check
copy-item -path ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2Reports)ToString() -
destination ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2Reports_ + (Get-
Date)ToString(yyyyMMddhhmmss))ToString() ndashrecurse
Afterwards you can create a report with the following command
$prevrepPath = (Get-ChildItem ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2)ToString() -exclude
Reports | Sort-Object name -descending)[0]
Get-MBCAResult -ModelId SQL2008R2BPA ndashRepositoryPath ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2rdquo +
$prevrepPathname)ToString() | ConvertTo-Html -As Table -property
ResultNumberSubModelID ComputerName Severity Category Title Problem
Impact Resolution Help -Head lth1gtSQL Server 2008 (R2) Best Practice
Analyzer Reportlth1gtrdquo -Title SQL Server 2008 Best Practice Analyzer -body
(ltpgtReport creation date + (Get-Date)ToString(ddMMyyyy hhmmss) +
ltpgt)toString() -pre ltPgtGenerated by user $envusername on computer
Page 25
$envcomputernameltPgt -post For details contact Microsoft Premier gt
ctempsql2008r2bpahtm
Page 26
5 TROUBLESHOOTING
51 Application directories
To following directories are used by MBCA
Report output directory localappdataMicrosoftMicrosoftBaselineConfigurationAnalyzer 2ReportsSQL2008R2BPAResults
Model configuration path ProgramdataMicrosoftMicrosoft Baseline Configuration Analyzer 2ModelsSQL2008R2BPA
Temp and log files directory tempSQL2008R2BPASQL2008ltdategt_lttimegt
Registry [HKEY_LOCAL_MACHINESOFTWAREMicrosoftBaselineConfigurationAnalyzer]
Log Files
During Data Discovery SQL Server 2008 R2 BPA creates log files for troubleshooting The log file
contains the following information
Pre-requisite validation
Timestamp finished rules start and end times
Run-time scripting errors and exceptions from Power Shell Traps
Log Files Location
For every scan log files are created in userrsquos Local Temp directory (Temp) and follows the folder
structure SQL2008R2BPAlt Instance Name gtlt datestamp_timestamp gtlt Log files gt
Note In case of a remote scan the category log files are generated on the remote system at the same
path whereas the common log file is generated in the local system
Log Files Structure
A common log file gets generated and contains information about each categorys execution Apart
from this each category has its own log file which details the rule execution The names of the log files
are given below
Common File - ModelLogtxt
Engine Rules - EngineLogtxt
Replication Rules - ReplicationLogtxt
Setup Rules - SetupLogtxt
Analysis Services Rules - AnalysisServicesLogtxt
Reporting Services Rules - ReportingServicesLogtxt
Integration Services Rules - IntegrationServicesLogtxt
52 Windows Server 2003 ndash NumberOfLogicalProcessors
Analysis Services RID2803 and RID2804 ndash NumberOfLogicalProcessors property is unavailable in
Win32_Processor for with Windows Server 2003
Solution The NumberOfLogicalProcessors property does not exist in the WIN32_PROCESSOR object
in Windows Server 2003 It has been implemented in the hotfix
httpsupportmicrosoftcomkb932370
Both of the rules below will function properly if you apply this hotfix For more information look here
Page 27
53 MBCA
This message indicates that on prerequisite is not installed
Please install the version 2 of the MBCA
54 Where can I find the Instance name in result set of the analyzer
report
The instance name is in the collected data option of the analyzer report in the BPA GUI
55 Memory limit of remote PowerShell process
By default remote PowerShell process can consume only 150 MB or less memory This default limit is
significantly small and once this limit is reached there could be a WinRM exception causing and remote
connection immediately terminates Any application or Cmdlet which is involved in PowerShell
remoting should be tested for this memory limit this may cause some of the command to fail for
example site collection creation
Solution Increase the memory limit for the remote shell Use the following command to increase this
limitation to 1000MB This is only necessary if you need to run those commands on that server
Set-Item WSManlocalhostShellMaxMemoryPerShellMB 1000
56 Remote connect
If you try to ldquoConnect to another computerrdquo from MBCA and you receive the following message
Page 28
You should check first if the Hotfix KB968930 is installed
Afterwards validate that the ldquoWindows Remote Managementrdquo service is started
Enable-PSRemoting
If CredSSP is unsupported or unavailable you will see the following message
Page 29
If you have no permission to access the remote server you get the error message
Page 30
57 Installation
571 PowerShell error
After getting through the Pre-Reqs for BPA (PowerShell 20 MBCA NET Framework) you may hit
one of two scenarios when installing BPA
In all of the cases of an install failure you will see the following error
There is a problem with this Windows Installer package A program run as part of the setup did not
finish as expected Contact your support personnel or package vendor
In your Application Event Log for both of these scenarios you will also see the following entry
Log Name Application
Source MsiInstaller
Date 6102010 83818 AM
Event ID 11722
Task Category None
Level Error
Keywords Classic
User ltUsernamegt
Computer ltMachine namegt
Description
Product Microsoft SQL Server 2008 R2 BPA -- Error 1722 There is a problem
with this Windows Installer package A program run as part of the setup did
not finish as expected Contact your support personnel or package
vendor Action EnablePSRemoting location powershellexe command -NoLogo
-NoProfile -Command Enable-PSRemoting ndashforce
Page 31
This is an indicator that PowerShell is not configured You must run the following command
powershellexe -NoLogo -NoProfile -Command Enable-PSRemoting ndashforce
572 Workgroup or Non-Domain computer
In this scenario the Enable-PSRemoting command should execute fine from a PowerShell prompt
The actual error coming back from the PowerShell command within the Installer is ldquoAccess Deniedrdquo
To work around this issue you can do the following
1 Open a command prompt with Administrative Privileges
2 Change to the directory where the msi file resides
3 Type msiexec i ltMSI Namegt SKIPCA=1
4 MSI Name will either be SQL2008R2BPA_Setup32msi or SQL2008R2BPA_Setup64msi
depending on your platform
5 Once BPA is installed open a PowerShell prompt with Administrative Privileges
6 Execute the following commands
a Enable-PSRemoting
b winrm set winrmconfigwinrs ``MaxShellsPerUser=`10``
This should allow BPA to be successfully installed in the workgroup scenario
573 Kerberos Failure
This scenario is that you are failing with the above due to a Kerberos issue This particular issue could
actually show up after you have installed BPA depending on how you have configured your
environment
The issue stems from the fact that the Windows Remoting Windows Service uses the Network Service
account Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos As a
result it will be using the HOST Service Principal Name (SPN) that is on the Machine Account as it is
running under that context You may have an HTTP SPN that resides on a different account with that
host name For example if you are running an IIS Web Application such as SharePoint or if you are
using Reporting Services and the service account is set to a Domain User account instead of Network
Service or Local System If your URL of your application matches the machine name then your HTTP
SPN will be the same Thatrsquos where this problem comes in WinRM will stop working at that point and
give you a message similar to the following
Set-WSManQuickConfig WinRM cannot process the request The following error
occured while using Negotiate authentication An unknown security error
occurred
Possible causes are
-The user name or password specified are invalid
-Kerberos is used when no authentication method and no user name are
specified
-Kerberos accepts domain user names but not local user names
-The Service Principal Name (SPN) for the remote computer name and port
does not exist
-The client and remote computers are in different domains and there is no
trust between the two domains
After checking for the above issues try the following
-Check the Event Viewer for events related to authentication
-Change the authentication method add the destination computer to the
WinRM TrustedHosts configuration setting or use HTTPS transport
Note that computers in the TrustedHosts list might not be authenticated
-For more information about WinRM configuration run the following
Page 32
command winrm help config
At line50 char33
+ Set-WSManQuickConfig ltltltlt -force
+ CategoryInfo InvalidOperation () [Set-WSManQuickConfig]
InvalidOperationException
+ FullyQualifiedErrorId
WsManErrorMicrosoftWSManManagementSetWSManQuickConfigCommand
You can get this type of error from WinRM for muliple reasons The one that
we saw in our testing was the HTTP SPN scenario
If you do have an HTTP SPN defined on a Domain Account that is using the name of your machine
you have some options First you can follow the steps mentioned above to get BPA installed The
Enable-PSRemoting command will give you the above error You can temporarily remove the HTTP
SPN to get remoting enabled and then re-add the HTTP SPN
Once BPA is setup you will still not be able to run BPA if you put the HTTP SPN back in place You will
see the following when you attempt to perform a scan
This will occur regardless of which component you try to scan It could be the Engine Setup RS etchellip
One option to perform the scan successfully is to temporarily remove the HTTP SPN again run the
scan and then put the HTTP SPN back in place Another option but one that will probably require
further testing from your applicationrsquos end would be to run the application under a Host Header and
then your HTTP SPN would not include the machine name allowing BPA to run without issue
Page 33
6 RULES
Searching for ldquoSQL Server 20087 R2 BPArdquo at Microsoftcom reveals
Here is an example of one of these articles that talks about a rule to check for a recent ldquocleanrdquo
CHECKDB
Page 34
BPA works by measuring a rolersquos compliance with best practice rules in eight different categories of a
rolersquos effectiveness trustworthiness and reliability Results of measurements can be any of the three
severity levels described in the following table
Severity level Description
Noncompliant Noncompliant results are returned when a role does not satisfy the conditions of a rule
Compliant Compliant results are returned when a role satisfies the conditions of a rule
Warning Warning results are returned when a role is compliant as operating currently but may not satisfy the conditions of a
rule if changes are not made to its configuration or policy settings For example a scan of Remote Desktop Services
might show a warning result if a license server is unavailable to the role because even if no remote connections are
active at the time of the scan not having the license server prevents new remote connections from obtaining valid
client access licenses
Page 35
BPA rule categories
The following table describes the categories of best practice rules against which roles are measured
during a BPA scan
Category Name Description
Security Security rules are applied to measure a rolersquos relative risk for exposure to threats such as unauthorized or malicious
users or loss or theft of confidential or proprietary data
Performance Performance rules are applied to measure a rolersquos ability to process requests and perform its prescribed duties in
the enterprise within expected periods of time given the rolersquos workload
Configuration Configuration rules are applied to identify role settings that might require modification for the role to perform
optimally Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role
from performing its prescribed duties in an enterprise
Policy Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the
role to operate optimally and securely
Operation Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise
Predeployment Predeployment rules are applied before an installed role is deployed in the enterprise to let administrators to
evaluate whether best practices were satisfied before you use the role in production
Postdeployment Postdeployment rules are applied after all required services have started for a role and the role is running in the
enterprise
BPA Prerequisites BPA Prerequisite rules explain configuration settings policy settings and features that are required for the role
before BPA can apply specific rules from other categories A prerequisite in scan results indicates that an incorrect
setting a missing role role service or feature an incorrectly enabled or disabled policy a registry key setting or
other configuration has prevented BPA from applying one or more rules during a scan A prerequisite result does
not imply compliance or noncompliance It means that a rule could not be applied and therefore is not part of the
scan results
61 Engine Rules
Please find below a summary of the 74 Engine Rules with the links to the rule descriptions These rules
are checking that you have a secure resilient and well performing SQL configuration
Authentication Mode (httpsupportmicrosoftcomkb2028697)
Lightweight Pooling is enabled (httpsupportmicrosoftcomkb2160691)
Locks Configuration Not Dynamic (httpsupportmicrosoftcomkb2199576)
non-default network packet size in use (httpsupportmicrosoftcomkb2157175)
degree of parallelism not set to recommended value (httpsupportmicrosoftcomkb2023536)
Use Database Mail instead of SQL Mail (httpsupportmicrosoftcomkb2028584)
SQL Server Agent Proxy Account (httpsupportmicrosoftcomkb2160741)
SQL Login Password Policy Strength and password expiry
(httpsupportmicrosoftcomkb2028712)
Trustworthy Bit (httpsupportmicrosoftcomkb2183687)
Symmetric Keys Check (httpsupportmicrosoftcomkb2162020)
Asymmetric Keys Check (httpsupportmicrosoftcomkb2162020)
SQL Server installed on PDC BDC (httpsupportmicrosoftcomkb2032911)
Page 36
SQL Server Admin role membership check (httpsupportmicrosoftcomkb2184138)
Windows API calls intercepted (httpsupportmicrosoftcomkb2033238)
unsupported DotNET framework assemblies present (httpsupportmicrosoftcomkb2033344)
Disk partition starting offset may be incorrect (httpsupportmicrosoftcomkb2023571)
non-default max worker threads value configured (httpsupportmicrosoftcomkb2157129)
Guest Permissions (httpsupportmicrosoftcomkb2186935)
Data and Log files on the same volume (httpsupportmicrosoftcomkb2033523)
IO timeouts and IO controller errors detected (httpsupportmicrosoftcomkb2091098)
IO device errors detected (httpsupportmicrosoftcomkb2091098)
IO errors during page faults detected (httpsupportmicrosoftcomkb2091098)
cluster disk corruption encountered (httpsupportmicrosoftcomkb2091098)
disk defragmentation encountered corruption (httpsupportmicrosoftcomkb2091098)
failed IO requests detected (httpsupportmicrosoftcomkb2091098)
IO requests are successful when retried (httpsupportmicrosoftcomkb2015757)
IO Delay Problems reported by SQL Server (httpsupportmicrosoftcomkb2137408)
This system experienced unexpected shutdowns (httpsupportmicrosoftcomkb2091098)
tempdb corruption errors fix missing (httpsupportmicrosoftcomkb960770)
Critical SQL database inconsistency errors found (httpsupportmicrosoftcomkb2152734)
Logical consistency errors detected (httpsupportmicrosoftcomkb2152472)
Database have auto shrink option enabled (httpsupportmicrosoftcomkb2160663)
SQL Server Error logs are very big (httpsupportmicrosoftcomkb2199578)
incorrect affinity mask settings detected httpsupportmicrosoftcomkb2157114
Very low blocked process threshold setting detected httpsupportmicrosoftcomkb2157154
Potential security issue with legacy DTS stored procedures
httpsupportmicrosoftcomkb2202875
Winsock LSP loaded into SQL httpsupportmicrosoftcomkb2033448
Databases using simple recovery model httpsupportmicrosoftcomkb2137539
User database collation different from model httpsupportmicrosoftcomkb2026108
Database files and backups exist on the same volume httpsupportmicrosoftcomkb2027537
Databases have auto close option enabled httpsupportmicrosoftcomkb2160685
LSI SAS drivers needs update httpsupportmicrosoftcomkb2121098
SQL tempdb database not configured optimally httpsupportmicrosoftcomkb2154845
SQL Database file has sparse attribute set httpsupportmicrosoftcomkb2028447
Invalid startup parameters httpsupportmicrosoftcomkb2028433
MSDTC settings not configured optimally httpsupportmicrosoftcomkb2027550
sql incorrect results fix missing httpsupportmicrosoftcomkb971780
File System needs tuning for better FileStream performance
httpsupportmicrosoftcomkb2160002
linked server memory leak fix missing httpsupportmicrosoftcomkb971622EN-US
Windows service pack is not at recommended level httpsupportmicrosoftcomkb2121098
default extended event health session not in expected state
httpsupportmicrosoftcomkb2160570
TcpSysAndChimneyCheck httpsupportmicrosoftcomKB918483
FDHOST Launcher service is not configured properly httpsupportmicrosoftcomkb2160720
Unrecommended SQL Server Agent service account httpsupportmicrosoftcomkb2160720
A required Windows fix to avoid sparse file related problems is missing
httpsupportmicrosoftcomkb2002606
Page 37
Significant Portion of SQL Server Memory Has Been Paged Out
httpsupportmicrosoftcomkb2028324
Server Exception or Hang Detected on Server httpsupportmicrosoftcomkb2028589
Databases exist without CHECKSUM protection httpsupportmicrosoftcomkb2078345
backups outdated for databases httpsupportmicrosoftcomkb2027537
Database consistency check not current httpsupportmicrosoftcomkb2033590
SQL Server Memory settings are incorrect httpsupportmicrosoftcomKB918483EN-US
Autogrow Failed or took a long time httpsupportmicrosoftcomkb2091024
Storport driver fix from KBA 940467 missing httpsupportmicrosoftcomkb2121098
Storport driver fix from KBA 950903 missing httpsupportmicrosoftcomkb2121098
SQLCLR needs additional memory configuration httpsupportmicrosoftcomkb969962EN-US
Operating System files and drivers needs update for working set trimming
httpsupportmicrosoftcomkb2121098
Agent Token Replacement httpsupportmicrosoftcomkb2202637
Auditing Log in failures httpsupportmicrosoftcomkb2187161
Databases with high number of VLF present httpsupportmicrosoftcomkb2028436
Transparent Data Encryption Certificate httpsupportmicrosoftcomkb2201900
Permission on the Binn folder httpsupportmicrosoftcomkb2029023
Index Statistics Are Outdated
Server public permissions httpsupportmicrosoftcomkb2160698
Detected use of older versions of SQLNCLI httpsupportmicrosoftcomkb979779
62 AS Rules
Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions
Flight Recorder Enabled for SQL Server Analysis Services
httpsupportmicrosoftcomkb2128005
Excessive amount of memory preallocated to Analysis Services
httpsupportmicrosoftcomkb2027474
Server not configured for optimal concurrent query throughput
httpsupportmicrosoftcomkb2135031
Non standard value detected for Analysis Services memory configuration
httpsupportmicrosoftcomkb2027472
Process Thread Pool Max limit above recommended limit
httpsupportmicrosoftcomkb2134497
Process Thread Pool Minimum is below the recommended limit
httpsupportmicrosoftcomkb2134855
Server is running a build with a known regression httpsupportmicrosoftcomkb2157941
Slice not set on a ROLAP partition or a partition where proactive caching is enabled and
ROLAP storage ay occur httpsupportmicrosoftcomkb2027754
Server is ignoring duplicate key errors httpsupportmicrosoftcomkb2027761
No default member defined for non-aggregatable attribute
httpsupportmicrosoftcomkb2027769
UnknownMember set to hidden httpsupportmicrosoftcomkb2027628
Non-numeric key column for high cardinality attribute httpsupportmicrosoftcomkb2028138
Attribute hiearchy enabled for high cardinality non-key attribute
httpsupportmicrosoftcomkb2028143
ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition
detected httpsupportmicrosoftcomkb2132742
Page 38
Account or Time attribute types defined in a non-matching dimension type
httpsupportmicrosoftcomkb2157299
An Account or Time dimension has no matching attribute defined
httpsupportmicrosoftcomkb2027418
Dimension has no attribute defined with the same type
httpsupportmicrosoftcomkb2027443
Attribute Dimension type mismatch httpsupportmicrosoftcomkb2157327
Mismatched dimension attribute types detected in dimension
httpsupportmicrosoftcomkb2027459
Possible incorrect order of levels defined in hierarchy httpsupportmicrosoftcomkb2027460
Define attribute relationships as Rigid where possible httpsupportmicrosoftcomkb2027468
Redundant attribute relationships detected httpsupportmicrosoftcomkb2127437
Diamond-shape relationship detected httpsupportmicrosoftcomkb2127570
Non-Standard Attribute Relationship name detected httpsupportmicrosoftcomkb2127862
Proactive Caching set for dimension without a processing query
httpsupportmicrosoftcomkb2027541
No Time dimension detected httpsupportmicrosoftcomkb2027532
More than 3 parent-child dimensions with custom rollups defined
httpsupportmicrosoftcomkb2134431
Encountered a parent-child dimension with more than 500000 members
httpsupportmicrosoftcomkb2131918
Single attribute dimensions detected httpsupportmicrosoftcomkb2141654
Measure groups with zero dimensional overlap detected in cube
httpsupportmicrosoftcomkb2027609
Proactive Caching set for a partition without a processing query
Default measure for perspective not in the perspective
httpsupportmicrosoftcomkb2027603
Use MOLAP storage for dimensions that participate in semi-additive measure groups
httpsupportmicrosoftcomkb2135112
Measure group defined with no partition httpsupportmicrosoftcomkb2027545
63 RS Rules
RSWindowsNegotiate is missing from your configuration
httpsupportmicrosoftcomkb2145506
HTTP Logging is not enabled httpsupportmicrosoftcomkb2145909
Verbose logging is enabled httpsupportmicrosoftcomkb2146315
NTLM authentication may fail for local httpsupportmicrosoftcomkb2146369
Missing extended protection settings httpsupportmicrosoftcomkb2146062
64 IS Rules
Logging task missing for package httpsupportmicrosoftcomkb2027723
ActiveX Script task detected in package httpsupportmicrosoftcomkb2027712
Unrecommended Integration Services service account detected
httpsupportmicrosoftcomkb2027684
Integration Services logging table found in system database master and or msdb
httpsupportmicrosoftcomkb2027706
Integration Services memory dump detected httpsupportmicrosoftcomkb2027727
Page 39
65 Setup Rules
Unsupported Operating System Version Detected httpsupportmicrosoftcomkb2022909
WOW64 not supported for SQL Failover Clustering httpsupportmicrosoftcomkb2157198
Installer cache is missing for the SQL Installation httpsupportmicrosoftcomkb2015100
SQL Server WMI Provider Health Check
66 Replication Rules
Replication Timeout Alerts Type httpsupportmicrosoftcomkb2118349
Replication Pub and Sub out of sync (Data Validation) httpsupportmicrosoftcomkb2118386
Replication Pub and Sub out of sync (Constraint Violations)
httpsupportmicrosoftcomkb2118410
Replication Pub and Sub out of sync (Skipped Transactions)
httpsupportmicrosoftcomkb2194498
Merge Replication Health Check httpsupportmicrosoftcomkb2118445
Subscriptions Approaching Expiration httpgomicrosoftcomfwlinkLinkId=184483
Replication Cleanup and Retention Health Check httpsupportmicrosoftcomkb2118485
Replication Latency Threshold violations httpsupportmicrosoftcomkb2118425
Page 40
7 HOW TO DEAL WITH DEVIATIONS
Deviations from these Best Practices may indicate potential issues and configuration changes may be
necessary Make sure you have tested any intended changes in a test environment before deploying
them to a production environment You could also find deviations from Best Practices that are
acceptable or even necessary for your environment For example
SAP has its special Network Packet Size of 8 KB
Existing Non-Microsoft Clients ndash would require Mixed Mode Authentication
Page 41
8 MOTIVATION TO USE SQL BPA R2
Bob Ward explained in his Article ldquoWhy use SQL Server 2008 R2 BPA Case 1 Missing Updatesrdquo
the common pitfalls during maintenance and operation of SQL Server and how address them by using
the SQL BPA
In brief itrsquos a customer scenario where the customer is facing an issue after a major update to
SQL2008 After some troubleshooting and an update to a certain CU (that is meant to fix the issue) the
problem still occurs Bobs article states the common resulting consequences ndash the involvement of
Microsoft Support and the final solution ndash adding a needed traceflag
The good news in this story is that the customer would not have needed to go to all that effort if they
would have run the SQL BPA It would have told them about the update and instructed them to put the
traceflag in place BPA is a mechanism that proactively advises you and instructs you on dealing with
common known issues
Page 42
9 ADDITIONAL INFORMATION
91 PowerShell
To use the functionality of the Baseline Configuration Analyzer with PowerShell you must import this
module first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
The following commands are stored in this module
Get-MbcaModel
Get-MbcaResult
Invoke-MbcaModel
Set-MbcaResult
You get help of this command with the following syntax
Get-help ltcommandgt -full
911 Get-MBCAModel
SYNOPSIS
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer
SYNTAX
Get-MBCAModel [[-ModelId] ltstring[]gt] [[-SubModelId] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer If no parameter is
specified Get-MBCAModel returns all models that are installed on the computer If a model is specified
by using the -ModelId parameter information about the specified model is returned
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
The results of the Get-MBCAModel cmdlet include the following details about models
1 Branding information (manufacturer or company display names version number) that is found in
the model manifest
2 Dynamic parameters that are included with the model
3 Submodels that are included with the model
PARAMETERS
-ModelId ltstring[]gt
The -ModelId parameter specifies the ID of the MBCA model about which you want to view
details You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet with no parameters and targeted at a computer on which MBCA models are installed
Page 43
This parameter supports wild card characters
Required false
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you
want to view details You can obtain valid values for the -SubModelId parameter by running the
Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models
are installed Not all models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
Examples
Get-MBCAModel
In the preceding example Get-MBCAModel with no parameters added returns details about all MBCA
models that are installed on the computer
Get-MBCAModel -ModelId SQL2008R2BPA
The preceding example can be used to return details about the MBCA model that is specified in the -
ModelId parameter represented by Model Id
$model= Get-MBCAModel -ModelId SQL2008R2BPA
$modelParameters
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the Parameters property of the model details that were stored in the
$model object returns details about which parameters are supported by the model
Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId ltSubModel Idgt
The preceding example can be used to return details about the MBCA sub-model that is specified by
the -SubModelId parameter represented by SubModel Id Note that the -ModelId parameter is
required by the -SubModelId parameter
$model= Get-MBCAModel -ModelId SQL2008R2BPA
Page 44
$modelSubModels
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the SubModels property of the model details that were stored in the
$model object returns a list of the submodels of the model specified in the first line
912 Invoke-MBCAModel
SYNOPSIS
The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA)
scan for a specific model that is installed on your computer
SYNTAX
Invoke-MBCAModel [-ModelId] ltstringgt -SubModelId ltstringgt [-Authentication
ltAuthenticationMechanismgt] [-CertificateThumbprint ltstringgt] [-ComputerName
ltstring[]gt] [-ConfigurationName ltstringgt] [-Context ltstringgt] [-Credential
ltstringgt] [-Mode ltModeEnumgt] [-Port ltintgt] [-RepositoryPath ltstringgt] [-
ThrottleLimit ltintgt] [-UseSSL] [ltCommonParametersgt]
DESCRIPTION
The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer
(MBCA) scan for a specific model that is installed on your computer The model is specified either by
using the parameter -ModelId or by piping the results of the Get-MBCAModel cmdlet into an Invoke-
MBCAMode cmdlet
After the MBCA scan has been performed the results of the scan are available to be retrieved by Get-
MBCAResult cmdlet
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Authentication ltAuthenticationMechanismgt
Specifies the authentication mechanism that is used to authenticate the users credentials Valid
values include Default Basic CredSSP Digest Kerberos Negotiate and
NegotiateWithImplicitCredential The default value is Default
For more information about the -Authentication parameter type the following and then press
Enter
Get-Help Invoke-Command -Parameter Authentication
Required false
Position named
Default value Default
Accept pipeline input false
Accept wildcard characters false
-CertificateThumbprint ltstringgt
Page 45
Specifies the digital public key certificate (X509) of a user account that has rights to perform the
cmdlet action The valid value is the certificate thumbprint of the certificate
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Certificate Thumbprint
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific
computer by adding this parameter Valid values include NETBOS names IP addresses or fully-
qualified domain names of one or more computers in a comma-separated list To specify the local
computer type the computer name or localhost
All formats that are accepted by the -ComputerName parameter in Invoke-Command are
accepted
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ConfigurationName ltstringgt
Specifies the session configuration that is used for a new PSSession
Enter a configuration name or the fully-qualified resource URI for a session configuration
Session configuration data is found on the remote computer on which you want to run a cmdlet
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ConfigurationName
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
The -Context parameter lets you run scans on a submodel in the context of a specific model (one
that is different from the parent model of the submodel) For example an administrator might
want to run a scan on the Backend submodel of the SQL model but only those in the context
of a third model a technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
Page 46
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Credential ltstringgt
Specifies a user account that has permission to run this cmdlet The default value is the current
user
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Credential
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Mode ltModeEnumgt
The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered
documents or discovery The default is to perform both discovery and analysis or All
If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet both discovery and
analysis are performed during a scan
Valid values are Discovery Analysis and All
Required false
Position named
Default value All
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model that you want to scan You can
obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at
a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
Page 47
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-Port ltintgt
Specifies the network port on a remote computer on which you want to run a scan The default
value is port 80
For more information on this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Port
Required false
Position named
Default value 80
Accept pipeline input false
Accept wildcard characters false
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a pathname If the parameter is not used the cmdlet writes
results to the default result repository
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to
scan You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed Not all models have
submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ThrottleLimit ltintgt
Specifies the maximum number of concurrent connections that can be established to run the
cmdlet If you omit this parameter or enter a value of 0 the default value of 32 is used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ThrottleLimit
Required false
Page 48
Position named
Default value 32
Accept pipeline input false
Accept wildcard characters false
-UseSSL [ltSwitchParametergt]
Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer
By default SSL is not used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter UseSSL
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceInvokeBpaModelOutputgt
The output object encapsulates the results of the cmdlet that you entered It contains information such
as the MBCA model ID the success or failure of the cmdlet and other details
NOTES
If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C)
before the temporary results file is copied to its final location the temporary file is discarded and any
previous scan results file for the role are preserved The message Processing of Invoke-MBCAModel
cancelled by user is displayed if the command is cancelled before existing scan results files are
overwritten
If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel
cmdlet and the command is cancelled scans that were completed before the cancel command was
entered cannot be cancelled A scan in progress behaves as described above in the single-model scan
cancellation scenario Subsequent scans in the pipeline are cancelled
If a concurrent scan of the same model is attempted the cmdlet returns the following error message
Another scan for this MBCA model is in progress Only one scan is allowed at a time
-------------------------- EXAMPLE 1 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA
Description
The preceding example starts a MBCA scan on the model that is represented by ltModel Idgt
-------------------------- EXAMPLE 2 --------------------------
Page 49
Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name
redmondmicrosoftcom
Description
The preceding example starts an MBCA scan on the model ID that is specified by Model Id
The administrator starts the MBCA scan with additional model-specific parameters that are exposed by
the model (For an example of how to obtain model-specific parameters see the examples for the Get-
MBCAModel cmdlet)
For example to scan a model that requires model-specific parameters (such as -Scope and -Name) to
be passed to the command the administrator can specify the values of these model-specific
parameters with the Invoke-MBCAModel cmdlet
-------------------------- EXAMPLE 3 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The
cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion
of the scan
-------------------------- EXAMPLE 4 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath
ltRepository Pathgt
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The -
Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on
existing documents that are specified in the non-default repository path provided with the -Repository
Path parameter
-------------------------- EXAMPLE 5 --------------------------
Invoke-MBCAModel -Id ltModel Idgt -SubModelId ltSubModel Idgt -ComputerName
ltServergt -Context ltContext Model Idgt -RepositoryPath ltRespository Pathgt -
AsJob -Authentication ltAuthenticatonMechanismgt -Port ltPort Numbergt -UseSSL -
ThrottleLimit ltThrottle Limitgt
Description
The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id
and on the computer that is represented by Server
Because the administrator only wants to see results from the submodel that apply in the context of a
third model the administrator runs the scan within the context of the model ID that is specified in the -
Context parameter The cmdlet results are saved to the non-default repository path that is specified in
the -RepositoryPath parameter
Because the -AsJob parameter is added the scan runs in the background The -AsJob -
Authentication -Port -UseSSL and -ThrottleLimit parameters are passed through for use by the
Invoke-Command cmdlet to perform discovery on a remote computer For more information about
these parameters see the Help for the Invoke-Command cmdlet available in Windows PowerShell V2
913 Get-MBCAResult
SYNOPSIS
Page 50
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
SYNTAX
Get-MBCAResult [-ModelId] ltstringgt [[-CollectedConfiguration]] -SubModelId
ltstringgt [-ComputerName ltstring[]gt] [-Context ltstringgt] [-Filter
ltFilterEnumgt] [-RepositoryPath ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
To use the command add the -ModelId parameter and then specify the model ID for which you want
to view the most recent MBCA scan results or collected configuration data If you want to retrieve the
configuration data collected add the -CollectedConfiguration switch parameter
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-CollectedConfiguration [ltSwitchParametergt]
The -CollectedConfiguration parameter allows you to obtain the configuration data that was
collected for the most recent MBCA scan If this switch parameter is added to Get-MBCAResults
the cmdlet returns only the configuration data that was collected for a scan
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The -ComputerName parameter lets you obtain scan results that were collected for the most
recent MBCA scan of a submodel on a specific computer To specify the local computer type the
computer name or localhost Multiple values for -ComputerName can be separated by
commas
The -SubModelId parameter is required by the -ComputerName parameter
Valid values for the -ComputerName parameter include localhost a NET BIOS name an IP
address or a fully-qualified domain name (FQDN) of one or more computers in a comma-
separated list
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
Page 51
The -Context parameter lets you obtain scan results that were collected for the most recent
MBCA scan of a submodel in the context of a specific model (one that is different from the parent
model of the submodel) For example an administrator might want to display scan results for the
Backend submodel of the SQL model but only those in the context of a third model a
technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Filter ltFilterEnumgt
The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant
Noncompliant or All results Valid values are Noncompliant Compliant or All The default value
is All
The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan
results You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet obtains
results from the default result repository
Required false
Position named
Page 52
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you
want to view scan results You can obtain valid values for the -SubModelId parameter by running
the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed Not all
models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceResultgt OR
SystemXmlXmlDocument (if -CollectedData specified)
If you do not use the -CollectedConfiguration parameter verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Results
2 Attempting to get MBCA results for Model Id = 0
3 Completed getting MBCA results for Model Id = 0 Number of Results = 1
If you add the -CollectedConfiguration parameter to display configuration data that was used for a
scan verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Configuration Data
2 Attempting to get MBCA collected configuration data for Model Id = 0
3 Completed getting MBCA collected configuration data for Model Id = 0
NOTES
The Get-MBCAResult cmdlet must be run by a member of the Administrators group and it does not
start a new scan
Cancellation behaviour
Single Model - To cancel this cmdlet you must press Ctrl+C before the ResultCollection is displayed
on the console The operation is cancelled and results are not displayed on the console
Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models
the cmdlet generates only those results that were displayed on the console before the cancellation
Any subsequent results in the pipeline are cancelled and not displayed
Page 53
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -Id SQL2008R2BPA
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id
-------------------------- EXAMPLE 2 --------------------------
Get-MBCAModel | Get-MBCAResult
In the preceding example Get-MBCAModel is used to return a list of all MBCA models that are
installed on the computer The results of the Get-MBCAModel cmdlet are piped to the Get-
MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both
supported by MBCA and installed on the computer at which the cmdlet is targeted
-------------------------- EXAMPLE 3 --------------------------
$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$resultDiscoveryDocument
Description
In the preceding example configuration data (in XML form) that was collected during the most recent
Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is
retrieved and stored as a property in the variable $result $resultDiscoveryDocument is of type
SystemXmlXmlDocument
-------------------------- EXAMPLE 4 --------------------------
Get-MBCAResult SQL2008R2BPA -Filter Noncompliant
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id and then applies a filter to show only Noncompliant
results
------------------------- EXAMPLE 5 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId Note that the parent model ID must be specified
to use the -SubModelId parameter
------------------------- EXAMPLE 6 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt -ComputerName ltServergt
-Context ltContext Model Idgt -RepositoryPath ltRepository Pathgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId The parent model ID is provided as required by
the -SubModelID parameter
The -Context parameter indicates that the administrator wants to see only those scan results that are in
the context of the model that is represented by Context Model Id for example only those results from
a SQL Server scan that specifically apply to another technology such as Web Server (IIS)
Page 54
The scan results are further narrowed to only those from a computer that is specified in the -
ComputerName parameter as Server and only those results found in the non-default results
repository that is represented by Repository Path
914 Set-MBCAResult
SYNOPSIS
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
SYNTAX
Set-MBCAResult [[-Exclude] ltBooleangt] [-Results] ltResultgtgt [[-
RepostitoryPath] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
The action specified in the cmdlet (Exclude for example) determines how the existing results of an
MBCA scan are updated Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet
to return a collection of scan results
You can apply filters to results that are returned by the Get-MBCAResult cmdlet and then pipe the
filtered collection of results to the Set-MBCAResult cmdlet specifying either to include or exclude
filtered scan results
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Exclude ltBooleangt
Excludes scan results from the results collection that were previously obtained by the Get-
MBCAResult command To exclude results by using the -Exclude parameter add the value $true
following the parameter as shown
-Exclude $true
To include results that have been excluded use the $false value for the -Exclude parameter
Required false
Position 2
Default value
Accept pipeline input false
Accept wildcard characters false
-RepostitoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet
modifies results from the default result repository
Required false
Page 55
Position 4
Default value
Accept pipeline input false
Accept wildcard characters false
-Results ltResultgtgt
Specifies the result collection to be updated by the Set-MBCAResult cmdlet The -Results
parameter is typically used to specify a filtered subset of scan results that has already been
stored in a variable the variable name is provided as the valid value for the -Results parameter
For example if you have created a variable $allPerformance to store all the Performance
category results for an MBCA scan of all models on a computer and you want to exclude those
Performance results from the complete collection of scan results you add the parameter -Results
$all Performance to a Set-MBCAResult cmdlet
For a more detailed example see the Examples section of the Help for this cmdlet
Required true
Position 3
Default value
Accept pipeline input true (ByValue)
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type ldquoget-
help about_commonparameters
NOTES
If the Set-MBCAResult command is cancelled before the results are written to a file the operation is
cancelled and the results file is not modified If cancellation occurs after the results file has been
modified the commands actions are carried out and the command cannot be cancelled
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -ModelId SQL2008R2BPA | Where $_Category -eq
Performance | Set-MBCAResult -Exclude $true
Description
The first section of the preceding example to the left of the first pipe character (|) uses the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is
represented by Model Id
The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those
scan results for which the category name is equal to Performance
The final section of the example following the second pipe character excludes the Performance
results that were filtered by the previous section of the example
-------------------------- EXAMPLE 2 --------------------------
$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath
CReposPath | Where $_Category -eq Policy
Page 56
Set-MBCAResult -Exclude $true -RepositoryPath CReposPath -Results
$rcPolicy
Description
The first line of the preceding example to the left of the pipe character (|) instructs the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is
represented by Specified Model Id from the specified non-default repository path
The second section of the example after the pipe character filters the results of the Get-MBCAResult
cmdlet to return only those scan results for which the category name is equal to (note the -eq option)
Policy The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet this
variable can be used in subsequent commands to represent those results
The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that
are stored in the $rcPolicy variable In this example the -Results parameter is added because the
administrator wants to exclude a specific subset of scan results for that model and has created the
variable $rcPolicy to represent that subset of results The repository root is specified in the second line
because the administrator wants to modify the results in the same non-default repository from which
the data in $rcPolicy was retrieved
915 MBCA Model Authoring
Further information about configuration and usage of MBCA models you can in the
MBCA_ModelAuthoringGuidedocx
Page 57
Did this paper help you Please give us your feedback Tell us on a scale of 1 (poor) to 5 (excellent)
how would you rate this paper and why have you given it this rating For example
Are you rating it high due to having good examples excellent screen shots clear writing or
another reason
Are you rating it low due to poor examples fuzzy screen shots or unclear writing
This feedback will help us improve the quality of white papers we release
Send feedback
Page 10
2 SYSTEM REQUIREMENTS
SQL Server 2008 R2 Best Practices Advisor is supported on the following Operating Systems
1 Windows Vista
2 Windows 7
3 Windows Server 2003
4 Windows Server 2003 R2
5 Windows Server 2008
6 Windows Server 2008 R2
Supported editions of SQL Server
1 SQL Server 2008 all editions except Express
2 SQL Server 2008 R2 all editions except Express
Supported Components of SQL Server
1 Analysis Services
2 Database Engine
3 Integration Services
4 Reporting Services
5 Replication
6 Setup
These components are designed as Submodels for the BPA This means that they will be run
concurrently where possible
21 Required Permissions for Running SQL Server 2008 R2 BPA
Administration Privileges
To run MBCA v20 a user must be a member of the administrators group on the machine being
scanned and on the machine the scan is initiated from If a user is not an administrator on the machine
that is being scanned an appropriate error message displays
SQL Server
To successfully access all of the database properties and SQL Server Configurations a user must be
the Systems Administrator (sysadmin) on the instance of SQL Server
Analysis Services
The user or the administrators group must be member of the server administrator role within an
instance of Microsoft SQL Server Analysis Services have unrestricted access to all Analysis Services
objects and data in that instance
httpmsdnmicrosoftcomen-uslibraryms174561aspx
Integration Services
The user or the administrators group must be members of the sysadmin or db_ssisadmin roles
httpmsdnmicrosoftcomen-uslibraryms141053aspx
Reporting Services
Page 11
The user or the administrators group must be member of the System Administrator and Content
Manager role
22 Prerequisites
The following are required for using SQL Server 2008 R2 Best Practices Analyzer
1 PowerShell V20
Windows PowerShell 20 requires the Microsoft NET Framework 20 with Service Pack 1
2 Microsoft Baseline Configuration Analyzer V20
3 SQL Server Management Tools for SQL Server 2008 or SQL Server 2008 R2
The following table outlines the prerequisite Microsoft utilities components by Operating System
necessary to have on your server prior to installing and running SQL Server 2008 R2 BPA
OS 1Install
WinRM
2Install
PowerShell 20
3Install
MBCA 20
Configure PowerShell1 7 Install SQL2008
or SQL 2008 R2
Management Tools 4Remoting 5Execution
Level
6 MaxShells
PerUser
Win Vista Y Y Y Y Y Y Y
Windows 7 N N Y Y Y Y Y
Windows
Server 2003
Y Y Y Y Y Y Y
Windows
Server 2003
R2
Y Y Y Y Y Y Y
Windows
Server 2008
Y Y Y Y Y Y Y
Windows
Server 2008
R2
N N Y Y Y Y Y
1 These changes will be done from the installation routine of the BPA
Page 12
3 INSTALL
We recommend installing BPA on a workstation or administration server and performing the scan
operation remotely against servers in your SQL Server infrastructure It is also possible to install this
tool on the production SQL Server locally
Installation process
1 InstallConfigure PowerShell and WinRM
2 Microsoft Baseline Configuration Analyzer V20
3 Microsoftreg SQL Serverreg 2008 R2 Best Practices Analyzer
It exists two ways to install the Best Practices Analyzer
With a graphical user interface (setup wizard) or
Command line
31 Installing PowerShell 20 and WinRM
BPA install configures WinRM and PowerShell options by default Most of this section is only needed if
something goes wrong and you need to configure this stuff by hand
Windows Server 2003 R2
WinRM is not installed by default but it is available as the Hardware Management feature through the
AddRemove System Components feature in the Control Panel under Management and Monitoring
Tools Complete installation and information about configuring WinRM using the WINRM command-line
tool is available online in the Hardware Management Introduction which describes the WinRM and the
IPMI features in Windows Server 2003 R2
On Windows Vista Windows Server 2003 and Windows Server 2008
This is installed as part of Windows Management Framework Core The WinRM service starts
automatically on Windows Server 2008 On Windows Vista the service must be started manually
On Windows Server 2008 R2 and Windows 7
This is installed as part of the OS
Note Check for additional information and configuration guidelines for WinRM and for PowerShell
20
SQL Server 2008 R2 BPA is able to scan both the local computer and remote computers Therefore in
both the local and remote cases it required that your PowerShell settings be modified These are done
by the BPA installation
PowerShell Execution Policy
The PowerShell Execution Policy is set to Restricted by default To run SQL Server 2008 R2 BPA
through the PowerShell command Line set the policy to RemoteSigned using the below command
Set-ExecutionPolicy RemoteSigned -f
You can use the command Set-ExecutionPolicy Restricted ndashf to set the execution policy back to
restricted This command is not required when executing the scan through the MBCA GUI
After the installation you must enable the PowerShell remote scripting if you are want to use the BPA
remote to another workgroup machine or a computer that have Kerberos enabled You need to run this
command only once on each computer that will receive commands You do not need to run it on
Page 13
computers that only send commands Because the configuration activates listeners it is prudent to run
it only where it is needed You can do this with the following command line
powershellexe -NoLogo -NoProfile -Noninteractive -Command Enable-
PSRemoting -force
Enable-PSRemoting performs configuration actions to enable this machine for remote management
Includes
1 Runs the Set-WSManQuickConfig cmdlet which performs the following tasks
Starts the WinRM service
Sets the startup type on the WinRM service to Automatic
Creates a listener to accept requests on any IP address
Enables a firewall exception for WS-Management communications
Enables all registered Windows PowerShell session configurations to receive instructions
from a remote computer
Registers the MicrosoftPowerShell session configuration if it is not already registered
Registers the MicrosoftPowerShell32 session configuration on 64-bit computers if it is
not already registered
Removes the Deny Everyone setting from the security descriptor for all the registered
session configurations
Restarts the WinRM service to make the preceding changes effective
2 Configures MaxShellsPerUser using winrm set winrmconfigwinrs
``MaxShellsPerUser=`10``
Specifies the maximum number of concurrent shells that any user can remotely open on
the same computer If this policy setting is enabled the user will not be able to open new
remote shells if the count exceeds the specified limit If this policy setting is disabled or is
not configured the limit will be set to 5 remote shells per user by default and you receive
the following error message
[localhost] Connecting to remote server failed with the following
error message The WS-Management service cannot process the
request This user is allowed a maximum number of 5 concurrent
shells which has been exceeded Close existing shells or raise the
quota for this user For more information see the
about_Remote_Troubleshooting Help topic
+ CategoryInfo OpenError
(SystemManagemehellipRemoteRunspa
ceRemoteRunspace) [] PSRemotingTransportException
+ FullyQualifiedErrorId PSSessionOpenFailed
For more information about PowerShell remoting please see MSDN
32 Install MBCA
Download the edition of MBCA depending on your platform (x86 or x64) before installation
Page 14
Please find below the screenshots demonstrating the visual flow of the MBCA Installation
Welcome screen
License terms
Folder selection
Completion screen
33 Install BPA
Download the correct edition depending on your platform (x86 or x64) before installing If you have
trouble with the installation please section 57 Troubleshooting Installation
331 Command line
Following is an optimized command line setup example
msiexec i SQL2008R2BPA_Setup64msi l log ctempsqlbpa_installlog qn
msiexec parameters
i = package name (SQL2008R2BPA_Setup32msi or SQL2008R2BPA_Setup64msi
depending on your platform)
l = log granularity ldquordquo - Log all information except for v and x options
log = log file
q = display settings (qn ndash no user interface)
SKIPCA=1 (if no domain controller is available Skip Certification Authority)
For information on additional public properties Consult the Windowsreg Installer SDK for documentation
on the command line syntax
Page 15
332 GUI
Please find below the screenshots demonstrating the visual flow of the SQL Server 2008 R2 BPA
Installation
Welcome screen
License terms
System Configuration Changes (see 31 Installing PowerShell 20 and WinRM)
Ready to install decision
Install progress
Completion screen
Page 16
333 Port and Firewall restrictions
For scanning SQL Server or BI instances on an alternate server behind a firewall you must open all
necessary ports
34 Updates
Microsoft is working on quarterly updates of the rule set and tool improvements of the SQL Server
2008 R2 Best Practice Analyzer Please visit the Download site from Microsoft regularly to find new
updates
35 Uninstall
351 BPA
352 MBCA
353 Reset PowerShell settings
After the uninstall of the BPA you may disable the PowerShell remote scripting You can do this with
the following command line
powershellexe -NoLogo -NoProfile -Noninteractive -Command Disable-
PSRemoting -force
Disable-PSRemoting performs configuration actions to enable this machine for remote management
Page 17
4 USAGE
There are two ways to scan a server using MBCA and SQL 2008 R2 BPA They are
Scanning through the local machine
o In this case you are using MBCA and SQL 2008 R2 BPA running on the local machine to
perform the scan
o This scan can be of the local or an alternate server
Scanning through a remote machine
o In this case MBCA is used to connect to a remote server that has MBCA and SQL 2008
R2 BPA installed on it
o This scan is using the local machine to form the connection to the remote machine and is
actually performing the scan through the remote machine
41 Help file
The help file for the SQL Server 2008 R2 Best Practice Analyzer contains very useful information This
help file is available after the installation of BPA and is located at Start-gtAll programs-gtSQL Server
2008 R2 BPA
42 GUI
1 Ensure that MBCA v2 and SQL 2008 R2 BPA are installed on the machine
2 Run the MBCA application from the start menu with elevated user rights
Page 18
3 On the MBCA home page ensure the SQL Server 2008 R2 BPArdquo product is selected
4 Click Start Scan which displays a page to specify parameters as shown below
5 Fill in Alternate_Server_to_Scan with the remote machine you want to scan
ComputerName
IP address nnnn
FQDN (Fully Qualified Domain Name)
Enter ldquordquo localhost or leave this blank if you want to scan the local machine
Page 19
Enter the instance name you want to scan To scan the default instance enter MSSQLSERVER
or leave this as blank Toggle the checkboxes to enabledisable scans for those rule categories
Each of the following six check boxes correspond to the SQL Server categories listed previously
Select at least one category in order to run a successful scan
Analyze_SQL_Analysis_Services
Analyze_SQL_Server_Engine
Analyze_SQL_Integration_Services
Analyze_SQL_Server_Replication
Analyze_SQL_Reporting_Services
Analyze_SQL_Server_Setup
Note Only one SQL Server instance can be scanned at a time through the MBCA GUI
6 Click Start Scan MBCA will start the configured scan and display the below page while in
progress
7 When the scan is complete results will be displayed grouped by Severity as shown below
Page 20
43 Connect to a remote computer
A scan connected to a remote computer is different than scanning an alternate server
ldquoConnect to a Remote Computerrdquo is functionality provided by Microsoft Baseline Configuration Analyzer
and is used to remotely run MBCA against a server from the console of the client The client needs to
have MBCA installed but does not need BPA as it is literally running the copy of MBCA installed on the
server using the BPA installed on the server In this case the copy of MBCA installed on the client is
used only to remotely connect to the copy of MBCA installed on the server
To use this functionality you first start MBCA on the client computer and select ldquoConnect to Another
Computerrdquo
1 In the ldquoConnect to Another Computerrdquo text box you can specify a NetBIOS name a fully qualified
domain name (FQDN) or an IPv4 or IPv6 address If no port number is specified the default port
number is used The following are examples of formats that you can specify in the Connect to
Another Computer text box
ComputerName
Page 21
ComputerNamePortNumber
IP address nnnn
IPv6 address [nnnnnnnn]
IPv4 address with port number nnnnPortNumber
IPv6 address with port number [nnnnnnnn]PortNumber
Note If an administrator has changed the computerrsquos default port number any port other than the
default port must be opened in Windows Firewall to allow incoming connections on that port Port
5985 is opened by default when WinRM is configured All other ports remain blocked until opened
For more information about how to unblock a port in Windows Firewall see the Help for Windows
Firewall For more information about how to configure WinRM in a Command Prompt session type
winrm help and then press Enter
2 Additionally you must supply credentials
3 CredSSP
Windows Remote Management (WinRM) supports the delegation of user credentials across
multiple remote computers The multi-hop support functionality can now use Credential Security
Service Provider (CredSSP) for authentication CredSSP enables an application to delegate the
userrsquos credentials from the client computer to the target server
CredSSP authentication is intended for environments where Kerberos delegation cannot be used
Support for CredSSP was added to allow a user to connect to a remote server and have the ability
to access a second-hop machine such as a file share
Note WinRM clients and servers will support CredSSP authentication only with explicit credentials
Windows XP Windows Server 2003 and earlier CredSSP is not supported
First you must set CredSSP on both the client and the server
Using the Group Policy Editor (gpeditmsc) make sure to enable ldquoAllow Delegating Fresh
Credentialsrdquo and check ldquoConcatenate OS defaults with input aboverdquo
Add the server or domain to the list of servers in the format ldquoWSMANdomainnamecomrdquo
Next enable and configure PowerShell Remoting on both the Client and Server by running the
following commands in a PowerShell command window opened with elevated permissions Note
Page 22
You can configure a single machine as both a client and a server simultaneously so that you can
scan from either computer
Enable PowerShell Remoting
o Enable-psremoting ndashf
Settings for a client
o Enable-WSManCredSSP ndashrole Client ndashDelegateComputer [NetBiosNameOfServer]
or
o Enable-WSManCredSSP ndashrole Client ndashDelegateComputer [FQDN OF SERVER]
Settings for the server
o Enable-WSManCredSSP ndashrole Server
o set-item WSManlocalhostShellMaxMemoryPerShellMB ndashValue 20000
o set-item WSManlocalhostShellMaxShellsPerUser ndashvalue 20
44 PowerShell
Details see 91 PowerShell
To use the functionality of the Microsoft Baseline Configuration Analyzer you must import this module
first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
441 Run Scan
To run a full scan of the BPA on the alternate server on a named instance you can use the following
command line
Invoke-MBCAModel -ModelId SQL2008R2BPA -Alternate_Server_to_scan
servername -SQL_Server_Instance_Name instancename -
Analyze_SQL_Server_Engine -Analyze_SQL_Server_Replication -
Page 23
Analyze_SQL_Server_Setup -Analyze_SQL_Analysis_Services -
Analyze_SQL_Integration_Services -Analyze_SQL_Reporting_Services
The result looks like this part
ModelId SQL2008R2BPA
SubModelId
Success True
ScanTime
Success = True is important This is the indicator that your scan was successful
Parameter description
-Alternate_Server_to_scan servername
-SQL_Server_Instance_Name instancename
-Analyze_SQL_Server_Engine
-Analyze_SQL_Server_Replication
-Analyze_SQL_Server_Setup
-Analyze_SQL_Analysis_Services
-Analyze_SQL_Integration_Services
-Analyze_SQL_Reporting_Services
The parameter list is equal the parameter screen in the GUI
The scans of the different services are optional You can remove technologies which you do not need
to scan
The next example starts the scan only for the Analysis Services on the alternate server ldquoservernamerdquo
and for the named instance ldquoinstancerdquo A log file will be written to ldquoctempssastxtrdquo
Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId AnalysisServices -
ComputerName servername -SqlServerInstance instance -SSASLogFile
ctempssastxt
Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId Engine -ComputerName
computername -SqlServerInstance servername -CurrentLoginName
($EnvUSERDOMAIN + + $EnvUSERNAME)ToString() -EngineLogFile
ctempenginetxt ndashRepositoryPath (CTEMPSQL2008 + (Get-
Date)ToString(yyyyMMdd))ToString()
442 Create Report
model = get-MbcaModel ndashModelId sql2008r2bpa
$scanResult = get-MbcaResult ndashModelId sql2008r2bpa
$collectedConfig = get-MbcaResult ndashModelId sql2008r2bpa ndash
CollectedConfiguration
$model $scanResult $collectedConfig | export-CliXml ctempasxml
Get-MBCAResult -ModelId SQL2008R2BPA -SubModelId AnalysisServices |
ConvertTo-Html | Add-Content -Path ctesthtml
The next command retrieves the results of the most recent BPA scan for the specified model and
saves them in HTML format applying the standard cascading style sheets that are stored in the path
windirsystem32WindowsPowerShellv10ModulesBestPracticesBestPracticesReportFormatc
Page 24
ss If you want to substitute cascading style sheets provide the path to the different cascading style
sheets
Get-MBCAResult -ModelId SQL2008R2BPA | $_Severity -eq Warning -or
$_Severity -eq Error | ConvertTo-Html -As Table -property ResultNumber
SubModelID ComputerName Severity Category Title Problem Impact
Resolution Help -Head lth1gtSQL Server 2008 (R2) Best Practice Analyzer
Reportlth1gtrdquo -Title SQL Server 2008 Best Practice Analyzer -body
(ltpgtReport creation date + (Get-Date)ToString(ddMMyyyy hhmmss) +
ltpgt)toString() -pre ltPgtGenerated by user $envusername on computer
$envcomputernameltPgt -post For details contact Microsoft Premier-
CssUri $env BestPracticesReportFormatcss gt ctempsql2008r2bpahtm
443 Exporting and opening reports by using Get-MBCAResult
You can use the Get-MBCAResult cmdlet to export scan results and configuration data to an XML
report that you can open for viewing in the future either by using Get-MBCAResult or by using the
MBCA GUI Exporting reports allows you to compare older scans with more recent scans to measure
the progress of your best practice compliance
Example of exporting to XML
$results = Get-MBCAResult ltModel Idgt
$collectedconfig = Get-MBCAResult ltModel Idgt -CollectedConfiguration
$results $collectedconfig | Export-CliXml cexportxml
Example of opening archived XML report file
$loadedResults $loadedConfiguration = Import-CliXml cexportxml
444 Report Result Directory
The reporting result path
AppDataMicrosoftBaselineConfigurationAnalyzer
2ReportsSQL2008R2BPAResults
Will be overwritten during each run of the tool or invoke command
Solution save older results before you start the check
copy-item -path ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2Reports)ToString() -
destination ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2Reports_ + (Get-
Date)ToString(yyyyMMddhhmmss))ToString() ndashrecurse
Afterwards you can create a report with the following command
$prevrepPath = (Get-ChildItem ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2)ToString() -exclude
Reports | Sort-Object name -descending)[0]
Get-MBCAResult -ModelId SQL2008R2BPA ndashRepositoryPath ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2rdquo +
$prevrepPathname)ToString() | ConvertTo-Html -As Table -property
ResultNumberSubModelID ComputerName Severity Category Title Problem
Impact Resolution Help -Head lth1gtSQL Server 2008 (R2) Best Practice
Analyzer Reportlth1gtrdquo -Title SQL Server 2008 Best Practice Analyzer -body
(ltpgtReport creation date + (Get-Date)ToString(ddMMyyyy hhmmss) +
ltpgt)toString() -pre ltPgtGenerated by user $envusername on computer
Page 25
$envcomputernameltPgt -post For details contact Microsoft Premier gt
ctempsql2008r2bpahtm
Page 26
5 TROUBLESHOOTING
51 Application directories
To following directories are used by MBCA
Report output directory localappdataMicrosoftMicrosoftBaselineConfigurationAnalyzer 2ReportsSQL2008R2BPAResults
Model configuration path ProgramdataMicrosoftMicrosoft Baseline Configuration Analyzer 2ModelsSQL2008R2BPA
Temp and log files directory tempSQL2008R2BPASQL2008ltdategt_lttimegt
Registry [HKEY_LOCAL_MACHINESOFTWAREMicrosoftBaselineConfigurationAnalyzer]
Log Files
During Data Discovery SQL Server 2008 R2 BPA creates log files for troubleshooting The log file
contains the following information
Pre-requisite validation
Timestamp finished rules start and end times
Run-time scripting errors and exceptions from Power Shell Traps
Log Files Location
For every scan log files are created in userrsquos Local Temp directory (Temp) and follows the folder
structure SQL2008R2BPAlt Instance Name gtlt datestamp_timestamp gtlt Log files gt
Note In case of a remote scan the category log files are generated on the remote system at the same
path whereas the common log file is generated in the local system
Log Files Structure
A common log file gets generated and contains information about each categorys execution Apart
from this each category has its own log file which details the rule execution The names of the log files
are given below
Common File - ModelLogtxt
Engine Rules - EngineLogtxt
Replication Rules - ReplicationLogtxt
Setup Rules - SetupLogtxt
Analysis Services Rules - AnalysisServicesLogtxt
Reporting Services Rules - ReportingServicesLogtxt
Integration Services Rules - IntegrationServicesLogtxt
52 Windows Server 2003 ndash NumberOfLogicalProcessors
Analysis Services RID2803 and RID2804 ndash NumberOfLogicalProcessors property is unavailable in
Win32_Processor for with Windows Server 2003
Solution The NumberOfLogicalProcessors property does not exist in the WIN32_PROCESSOR object
in Windows Server 2003 It has been implemented in the hotfix
httpsupportmicrosoftcomkb932370
Both of the rules below will function properly if you apply this hotfix For more information look here
Page 27
53 MBCA
This message indicates that on prerequisite is not installed
Please install the version 2 of the MBCA
54 Where can I find the Instance name in result set of the analyzer
report
The instance name is in the collected data option of the analyzer report in the BPA GUI
55 Memory limit of remote PowerShell process
By default remote PowerShell process can consume only 150 MB or less memory This default limit is
significantly small and once this limit is reached there could be a WinRM exception causing and remote
connection immediately terminates Any application or Cmdlet which is involved in PowerShell
remoting should be tested for this memory limit this may cause some of the command to fail for
example site collection creation
Solution Increase the memory limit for the remote shell Use the following command to increase this
limitation to 1000MB This is only necessary if you need to run those commands on that server
Set-Item WSManlocalhostShellMaxMemoryPerShellMB 1000
56 Remote connect
If you try to ldquoConnect to another computerrdquo from MBCA and you receive the following message
Page 28
You should check first if the Hotfix KB968930 is installed
Afterwards validate that the ldquoWindows Remote Managementrdquo service is started
Enable-PSRemoting
If CredSSP is unsupported or unavailable you will see the following message
Page 29
If you have no permission to access the remote server you get the error message
Page 30
57 Installation
571 PowerShell error
After getting through the Pre-Reqs for BPA (PowerShell 20 MBCA NET Framework) you may hit
one of two scenarios when installing BPA
In all of the cases of an install failure you will see the following error
There is a problem with this Windows Installer package A program run as part of the setup did not
finish as expected Contact your support personnel or package vendor
In your Application Event Log for both of these scenarios you will also see the following entry
Log Name Application
Source MsiInstaller
Date 6102010 83818 AM
Event ID 11722
Task Category None
Level Error
Keywords Classic
User ltUsernamegt
Computer ltMachine namegt
Description
Product Microsoft SQL Server 2008 R2 BPA -- Error 1722 There is a problem
with this Windows Installer package A program run as part of the setup did
not finish as expected Contact your support personnel or package
vendor Action EnablePSRemoting location powershellexe command -NoLogo
-NoProfile -Command Enable-PSRemoting ndashforce
Page 31
This is an indicator that PowerShell is not configured You must run the following command
powershellexe -NoLogo -NoProfile -Command Enable-PSRemoting ndashforce
572 Workgroup or Non-Domain computer
In this scenario the Enable-PSRemoting command should execute fine from a PowerShell prompt
The actual error coming back from the PowerShell command within the Installer is ldquoAccess Deniedrdquo
To work around this issue you can do the following
1 Open a command prompt with Administrative Privileges
2 Change to the directory where the msi file resides
3 Type msiexec i ltMSI Namegt SKIPCA=1
4 MSI Name will either be SQL2008R2BPA_Setup32msi or SQL2008R2BPA_Setup64msi
depending on your platform
5 Once BPA is installed open a PowerShell prompt with Administrative Privileges
6 Execute the following commands
a Enable-PSRemoting
b winrm set winrmconfigwinrs ``MaxShellsPerUser=`10``
This should allow BPA to be successfully installed in the workgroup scenario
573 Kerberos Failure
This scenario is that you are failing with the above due to a Kerberos issue This particular issue could
actually show up after you have installed BPA depending on how you have configured your
environment
The issue stems from the fact that the Windows Remoting Windows Service uses the Network Service
account Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos As a
result it will be using the HOST Service Principal Name (SPN) that is on the Machine Account as it is
running under that context You may have an HTTP SPN that resides on a different account with that
host name For example if you are running an IIS Web Application such as SharePoint or if you are
using Reporting Services and the service account is set to a Domain User account instead of Network
Service or Local System If your URL of your application matches the machine name then your HTTP
SPN will be the same Thatrsquos where this problem comes in WinRM will stop working at that point and
give you a message similar to the following
Set-WSManQuickConfig WinRM cannot process the request The following error
occured while using Negotiate authentication An unknown security error
occurred
Possible causes are
-The user name or password specified are invalid
-Kerberos is used when no authentication method and no user name are
specified
-Kerberos accepts domain user names but not local user names
-The Service Principal Name (SPN) for the remote computer name and port
does not exist
-The client and remote computers are in different domains and there is no
trust between the two domains
After checking for the above issues try the following
-Check the Event Viewer for events related to authentication
-Change the authentication method add the destination computer to the
WinRM TrustedHosts configuration setting or use HTTPS transport
Note that computers in the TrustedHosts list might not be authenticated
-For more information about WinRM configuration run the following
Page 32
command winrm help config
At line50 char33
+ Set-WSManQuickConfig ltltltlt -force
+ CategoryInfo InvalidOperation () [Set-WSManQuickConfig]
InvalidOperationException
+ FullyQualifiedErrorId
WsManErrorMicrosoftWSManManagementSetWSManQuickConfigCommand
You can get this type of error from WinRM for muliple reasons The one that
we saw in our testing was the HTTP SPN scenario
If you do have an HTTP SPN defined on a Domain Account that is using the name of your machine
you have some options First you can follow the steps mentioned above to get BPA installed The
Enable-PSRemoting command will give you the above error You can temporarily remove the HTTP
SPN to get remoting enabled and then re-add the HTTP SPN
Once BPA is setup you will still not be able to run BPA if you put the HTTP SPN back in place You will
see the following when you attempt to perform a scan
This will occur regardless of which component you try to scan It could be the Engine Setup RS etchellip
One option to perform the scan successfully is to temporarily remove the HTTP SPN again run the
scan and then put the HTTP SPN back in place Another option but one that will probably require
further testing from your applicationrsquos end would be to run the application under a Host Header and
then your HTTP SPN would not include the machine name allowing BPA to run without issue
Page 33
6 RULES
Searching for ldquoSQL Server 20087 R2 BPArdquo at Microsoftcom reveals
Here is an example of one of these articles that talks about a rule to check for a recent ldquocleanrdquo
CHECKDB
Page 34
BPA works by measuring a rolersquos compliance with best practice rules in eight different categories of a
rolersquos effectiveness trustworthiness and reliability Results of measurements can be any of the three
severity levels described in the following table
Severity level Description
Noncompliant Noncompliant results are returned when a role does not satisfy the conditions of a rule
Compliant Compliant results are returned when a role satisfies the conditions of a rule
Warning Warning results are returned when a role is compliant as operating currently but may not satisfy the conditions of a
rule if changes are not made to its configuration or policy settings For example a scan of Remote Desktop Services
might show a warning result if a license server is unavailable to the role because even if no remote connections are
active at the time of the scan not having the license server prevents new remote connections from obtaining valid
client access licenses
Page 35
BPA rule categories
The following table describes the categories of best practice rules against which roles are measured
during a BPA scan
Category Name Description
Security Security rules are applied to measure a rolersquos relative risk for exposure to threats such as unauthorized or malicious
users or loss or theft of confidential or proprietary data
Performance Performance rules are applied to measure a rolersquos ability to process requests and perform its prescribed duties in
the enterprise within expected periods of time given the rolersquos workload
Configuration Configuration rules are applied to identify role settings that might require modification for the role to perform
optimally Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role
from performing its prescribed duties in an enterprise
Policy Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the
role to operate optimally and securely
Operation Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise
Predeployment Predeployment rules are applied before an installed role is deployed in the enterprise to let administrators to
evaluate whether best practices were satisfied before you use the role in production
Postdeployment Postdeployment rules are applied after all required services have started for a role and the role is running in the
enterprise
BPA Prerequisites BPA Prerequisite rules explain configuration settings policy settings and features that are required for the role
before BPA can apply specific rules from other categories A prerequisite in scan results indicates that an incorrect
setting a missing role role service or feature an incorrectly enabled or disabled policy a registry key setting or
other configuration has prevented BPA from applying one or more rules during a scan A prerequisite result does
not imply compliance or noncompliance It means that a rule could not be applied and therefore is not part of the
scan results
61 Engine Rules
Please find below a summary of the 74 Engine Rules with the links to the rule descriptions These rules
are checking that you have a secure resilient and well performing SQL configuration
Authentication Mode (httpsupportmicrosoftcomkb2028697)
Lightweight Pooling is enabled (httpsupportmicrosoftcomkb2160691)
Locks Configuration Not Dynamic (httpsupportmicrosoftcomkb2199576)
non-default network packet size in use (httpsupportmicrosoftcomkb2157175)
degree of parallelism not set to recommended value (httpsupportmicrosoftcomkb2023536)
Use Database Mail instead of SQL Mail (httpsupportmicrosoftcomkb2028584)
SQL Server Agent Proxy Account (httpsupportmicrosoftcomkb2160741)
SQL Login Password Policy Strength and password expiry
(httpsupportmicrosoftcomkb2028712)
Trustworthy Bit (httpsupportmicrosoftcomkb2183687)
Symmetric Keys Check (httpsupportmicrosoftcomkb2162020)
Asymmetric Keys Check (httpsupportmicrosoftcomkb2162020)
SQL Server installed on PDC BDC (httpsupportmicrosoftcomkb2032911)
Page 36
SQL Server Admin role membership check (httpsupportmicrosoftcomkb2184138)
Windows API calls intercepted (httpsupportmicrosoftcomkb2033238)
unsupported DotNET framework assemblies present (httpsupportmicrosoftcomkb2033344)
Disk partition starting offset may be incorrect (httpsupportmicrosoftcomkb2023571)
non-default max worker threads value configured (httpsupportmicrosoftcomkb2157129)
Guest Permissions (httpsupportmicrosoftcomkb2186935)
Data and Log files on the same volume (httpsupportmicrosoftcomkb2033523)
IO timeouts and IO controller errors detected (httpsupportmicrosoftcomkb2091098)
IO device errors detected (httpsupportmicrosoftcomkb2091098)
IO errors during page faults detected (httpsupportmicrosoftcomkb2091098)
cluster disk corruption encountered (httpsupportmicrosoftcomkb2091098)
disk defragmentation encountered corruption (httpsupportmicrosoftcomkb2091098)
failed IO requests detected (httpsupportmicrosoftcomkb2091098)
IO requests are successful when retried (httpsupportmicrosoftcomkb2015757)
IO Delay Problems reported by SQL Server (httpsupportmicrosoftcomkb2137408)
This system experienced unexpected shutdowns (httpsupportmicrosoftcomkb2091098)
tempdb corruption errors fix missing (httpsupportmicrosoftcomkb960770)
Critical SQL database inconsistency errors found (httpsupportmicrosoftcomkb2152734)
Logical consistency errors detected (httpsupportmicrosoftcomkb2152472)
Database have auto shrink option enabled (httpsupportmicrosoftcomkb2160663)
SQL Server Error logs are very big (httpsupportmicrosoftcomkb2199578)
incorrect affinity mask settings detected httpsupportmicrosoftcomkb2157114
Very low blocked process threshold setting detected httpsupportmicrosoftcomkb2157154
Potential security issue with legacy DTS stored procedures
httpsupportmicrosoftcomkb2202875
Winsock LSP loaded into SQL httpsupportmicrosoftcomkb2033448
Databases using simple recovery model httpsupportmicrosoftcomkb2137539
User database collation different from model httpsupportmicrosoftcomkb2026108
Database files and backups exist on the same volume httpsupportmicrosoftcomkb2027537
Databases have auto close option enabled httpsupportmicrosoftcomkb2160685
LSI SAS drivers needs update httpsupportmicrosoftcomkb2121098
SQL tempdb database not configured optimally httpsupportmicrosoftcomkb2154845
SQL Database file has sparse attribute set httpsupportmicrosoftcomkb2028447
Invalid startup parameters httpsupportmicrosoftcomkb2028433
MSDTC settings not configured optimally httpsupportmicrosoftcomkb2027550
sql incorrect results fix missing httpsupportmicrosoftcomkb971780
File System needs tuning for better FileStream performance
httpsupportmicrosoftcomkb2160002
linked server memory leak fix missing httpsupportmicrosoftcomkb971622EN-US
Windows service pack is not at recommended level httpsupportmicrosoftcomkb2121098
default extended event health session not in expected state
httpsupportmicrosoftcomkb2160570
TcpSysAndChimneyCheck httpsupportmicrosoftcomKB918483
FDHOST Launcher service is not configured properly httpsupportmicrosoftcomkb2160720
Unrecommended SQL Server Agent service account httpsupportmicrosoftcomkb2160720
A required Windows fix to avoid sparse file related problems is missing
httpsupportmicrosoftcomkb2002606
Page 37
Significant Portion of SQL Server Memory Has Been Paged Out
httpsupportmicrosoftcomkb2028324
Server Exception or Hang Detected on Server httpsupportmicrosoftcomkb2028589
Databases exist without CHECKSUM protection httpsupportmicrosoftcomkb2078345
backups outdated for databases httpsupportmicrosoftcomkb2027537
Database consistency check not current httpsupportmicrosoftcomkb2033590
SQL Server Memory settings are incorrect httpsupportmicrosoftcomKB918483EN-US
Autogrow Failed or took a long time httpsupportmicrosoftcomkb2091024
Storport driver fix from KBA 940467 missing httpsupportmicrosoftcomkb2121098
Storport driver fix from KBA 950903 missing httpsupportmicrosoftcomkb2121098
SQLCLR needs additional memory configuration httpsupportmicrosoftcomkb969962EN-US
Operating System files and drivers needs update for working set trimming
httpsupportmicrosoftcomkb2121098
Agent Token Replacement httpsupportmicrosoftcomkb2202637
Auditing Log in failures httpsupportmicrosoftcomkb2187161
Databases with high number of VLF present httpsupportmicrosoftcomkb2028436
Transparent Data Encryption Certificate httpsupportmicrosoftcomkb2201900
Permission on the Binn folder httpsupportmicrosoftcomkb2029023
Index Statistics Are Outdated
Server public permissions httpsupportmicrosoftcomkb2160698
Detected use of older versions of SQLNCLI httpsupportmicrosoftcomkb979779
62 AS Rules
Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions
Flight Recorder Enabled for SQL Server Analysis Services
httpsupportmicrosoftcomkb2128005
Excessive amount of memory preallocated to Analysis Services
httpsupportmicrosoftcomkb2027474
Server not configured for optimal concurrent query throughput
httpsupportmicrosoftcomkb2135031
Non standard value detected for Analysis Services memory configuration
httpsupportmicrosoftcomkb2027472
Process Thread Pool Max limit above recommended limit
httpsupportmicrosoftcomkb2134497
Process Thread Pool Minimum is below the recommended limit
httpsupportmicrosoftcomkb2134855
Server is running a build with a known regression httpsupportmicrosoftcomkb2157941
Slice not set on a ROLAP partition or a partition where proactive caching is enabled and
ROLAP storage ay occur httpsupportmicrosoftcomkb2027754
Server is ignoring duplicate key errors httpsupportmicrosoftcomkb2027761
No default member defined for non-aggregatable attribute
httpsupportmicrosoftcomkb2027769
UnknownMember set to hidden httpsupportmicrosoftcomkb2027628
Non-numeric key column for high cardinality attribute httpsupportmicrosoftcomkb2028138
Attribute hiearchy enabled for high cardinality non-key attribute
httpsupportmicrosoftcomkb2028143
ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition
detected httpsupportmicrosoftcomkb2132742
Page 38
Account or Time attribute types defined in a non-matching dimension type
httpsupportmicrosoftcomkb2157299
An Account or Time dimension has no matching attribute defined
httpsupportmicrosoftcomkb2027418
Dimension has no attribute defined with the same type
httpsupportmicrosoftcomkb2027443
Attribute Dimension type mismatch httpsupportmicrosoftcomkb2157327
Mismatched dimension attribute types detected in dimension
httpsupportmicrosoftcomkb2027459
Possible incorrect order of levels defined in hierarchy httpsupportmicrosoftcomkb2027460
Define attribute relationships as Rigid where possible httpsupportmicrosoftcomkb2027468
Redundant attribute relationships detected httpsupportmicrosoftcomkb2127437
Diamond-shape relationship detected httpsupportmicrosoftcomkb2127570
Non-Standard Attribute Relationship name detected httpsupportmicrosoftcomkb2127862
Proactive Caching set for dimension without a processing query
httpsupportmicrosoftcomkb2027541
No Time dimension detected httpsupportmicrosoftcomkb2027532
More than 3 parent-child dimensions with custom rollups defined
httpsupportmicrosoftcomkb2134431
Encountered a parent-child dimension with more than 500000 members
httpsupportmicrosoftcomkb2131918
Single attribute dimensions detected httpsupportmicrosoftcomkb2141654
Measure groups with zero dimensional overlap detected in cube
httpsupportmicrosoftcomkb2027609
Proactive Caching set for a partition without a processing query
Default measure for perspective not in the perspective
httpsupportmicrosoftcomkb2027603
Use MOLAP storage for dimensions that participate in semi-additive measure groups
httpsupportmicrosoftcomkb2135112
Measure group defined with no partition httpsupportmicrosoftcomkb2027545
63 RS Rules
RSWindowsNegotiate is missing from your configuration
httpsupportmicrosoftcomkb2145506
HTTP Logging is not enabled httpsupportmicrosoftcomkb2145909
Verbose logging is enabled httpsupportmicrosoftcomkb2146315
NTLM authentication may fail for local httpsupportmicrosoftcomkb2146369
Missing extended protection settings httpsupportmicrosoftcomkb2146062
64 IS Rules
Logging task missing for package httpsupportmicrosoftcomkb2027723
ActiveX Script task detected in package httpsupportmicrosoftcomkb2027712
Unrecommended Integration Services service account detected
httpsupportmicrosoftcomkb2027684
Integration Services logging table found in system database master and or msdb
httpsupportmicrosoftcomkb2027706
Integration Services memory dump detected httpsupportmicrosoftcomkb2027727
Page 39
65 Setup Rules
Unsupported Operating System Version Detected httpsupportmicrosoftcomkb2022909
WOW64 not supported for SQL Failover Clustering httpsupportmicrosoftcomkb2157198
Installer cache is missing for the SQL Installation httpsupportmicrosoftcomkb2015100
SQL Server WMI Provider Health Check
66 Replication Rules
Replication Timeout Alerts Type httpsupportmicrosoftcomkb2118349
Replication Pub and Sub out of sync (Data Validation) httpsupportmicrosoftcomkb2118386
Replication Pub and Sub out of sync (Constraint Violations)
httpsupportmicrosoftcomkb2118410
Replication Pub and Sub out of sync (Skipped Transactions)
httpsupportmicrosoftcomkb2194498
Merge Replication Health Check httpsupportmicrosoftcomkb2118445
Subscriptions Approaching Expiration httpgomicrosoftcomfwlinkLinkId=184483
Replication Cleanup and Retention Health Check httpsupportmicrosoftcomkb2118485
Replication Latency Threshold violations httpsupportmicrosoftcomkb2118425
Page 40
7 HOW TO DEAL WITH DEVIATIONS
Deviations from these Best Practices may indicate potential issues and configuration changes may be
necessary Make sure you have tested any intended changes in a test environment before deploying
them to a production environment You could also find deviations from Best Practices that are
acceptable or even necessary for your environment For example
SAP has its special Network Packet Size of 8 KB
Existing Non-Microsoft Clients ndash would require Mixed Mode Authentication
Page 41
8 MOTIVATION TO USE SQL BPA R2
Bob Ward explained in his Article ldquoWhy use SQL Server 2008 R2 BPA Case 1 Missing Updatesrdquo
the common pitfalls during maintenance and operation of SQL Server and how address them by using
the SQL BPA
In brief itrsquos a customer scenario where the customer is facing an issue after a major update to
SQL2008 After some troubleshooting and an update to a certain CU (that is meant to fix the issue) the
problem still occurs Bobs article states the common resulting consequences ndash the involvement of
Microsoft Support and the final solution ndash adding a needed traceflag
The good news in this story is that the customer would not have needed to go to all that effort if they
would have run the SQL BPA It would have told them about the update and instructed them to put the
traceflag in place BPA is a mechanism that proactively advises you and instructs you on dealing with
common known issues
Page 42
9 ADDITIONAL INFORMATION
91 PowerShell
To use the functionality of the Baseline Configuration Analyzer with PowerShell you must import this
module first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
The following commands are stored in this module
Get-MbcaModel
Get-MbcaResult
Invoke-MbcaModel
Set-MbcaResult
You get help of this command with the following syntax
Get-help ltcommandgt -full
911 Get-MBCAModel
SYNOPSIS
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer
SYNTAX
Get-MBCAModel [[-ModelId] ltstring[]gt] [[-SubModelId] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer If no parameter is
specified Get-MBCAModel returns all models that are installed on the computer If a model is specified
by using the -ModelId parameter information about the specified model is returned
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
The results of the Get-MBCAModel cmdlet include the following details about models
1 Branding information (manufacturer or company display names version number) that is found in
the model manifest
2 Dynamic parameters that are included with the model
3 Submodels that are included with the model
PARAMETERS
-ModelId ltstring[]gt
The -ModelId parameter specifies the ID of the MBCA model about which you want to view
details You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet with no parameters and targeted at a computer on which MBCA models are installed
Page 43
This parameter supports wild card characters
Required false
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you
want to view details You can obtain valid values for the -SubModelId parameter by running the
Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models
are installed Not all models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
Examples
Get-MBCAModel
In the preceding example Get-MBCAModel with no parameters added returns details about all MBCA
models that are installed on the computer
Get-MBCAModel -ModelId SQL2008R2BPA
The preceding example can be used to return details about the MBCA model that is specified in the -
ModelId parameter represented by Model Id
$model= Get-MBCAModel -ModelId SQL2008R2BPA
$modelParameters
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the Parameters property of the model details that were stored in the
$model object returns details about which parameters are supported by the model
Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId ltSubModel Idgt
The preceding example can be used to return details about the MBCA sub-model that is specified by
the -SubModelId parameter represented by SubModel Id Note that the -ModelId parameter is
required by the -SubModelId parameter
$model= Get-MBCAModel -ModelId SQL2008R2BPA
Page 44
$modelSubModels
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the SubModels property of the model details that were stored in the
$model object returns a list of the submodels of the model specified in the first line
912 Invoke-MBCAModel
SYNOPSIS
The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA)
scan for a specific model that is installed on your computer
SYNTAX
Invoke-MBCAModel [-ModelId] ltstringgt -SubModelId ltstringgt [-Authentication
ltAuthenticationMechanismgt] [-CertificateThumbprint ltstringgt] [-ComputerName
ltstring[]gt] [-ConfigurationName ltstringgt] [-Context ltstringgt] [-Credential
ltstringgt] [-Mode ltModeEnumgt] [-Port ltintgt] [-RepositoryPath ltstringgt] [-
ThrottleLimit ltintgt] [-UseSSL] [ltCommonParametersgt]
DESCRIPTION
The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer
(MBCA) scan for a specific model that is installed on your computer The model is specified either by
using the parameter -ModelId or by piping the results of the Get-MBCAModel cmdlet into an Invoke-
MBCAMode cmdlet
After the MBCA scan has been performed the results of the scan are available to be retrieved by Get-
MBCAResult cmdlet
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Authentication ltAuthenticationMechanismgt
Specifies the authentication mechanism that is used to authenticate the users credentials Valid
values include Default Basic CredSSP Digest Kerberos Negotiate and
NegotiateWithImplicitCredential The default value is Default
For more information about the -Authentication parameter type the following and then press
Enter
Get-Help Invoke-Command -Parameter Authentication
Required false
Position named
Default value Default
Accept pipeline input false
Accept wildcard characters false
-CertificateThumbprint ltstringgt
Page 45
Specifies the digital public key certificate (X509) of a user account that has rights to perform the
cmdlet action The valid value is the certificate thumbprint of the certificate
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Certificate Thumbprint
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific
computer by adding this parameter Valid values include NETBOS names IP addresses or fully-
qualified domain names of one or more computers in a comma-separated list To specify the local
computer type the computer name or localhost
All formats that are accepted by the -ComputerName parameter in Invoke-Command are
accepted
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ConfigurationName ltstringgt
Specifies the session configuration that is used for a new PSSession
Enter a configuration name or the fully-qualified resource URI for a session configuration
Session configuration data is found on the remote computer on which you want to run a cmdlet
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ConfigurationName
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
The -Context parameter lets you run scans on a submodel in the context of a specific model (one
that is different from the parent model of the submodel) For example an administrator might
want to run a scan on the Backend submodel of the SQL model but only those in the context
of a third model a technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
Page 46
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Credential ltstringgt
Specifies a user account that has permission to run this cmdlet The default value is the current
user
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Credential
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Mode ltModeEnumgt
The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered
documents or discovery The default is to perform both discovery and analysis or All
If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet both discovery and
analysis are performed during a scan
Valid values are Discovery Analysis and All
Required false
Position named
Default value All
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model that you want to scan You can
obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at
a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
Page 47
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-Port ltintgt
Specifies the network port on a remote computer on which you want to run a scan The default
value is port 80
For more information on this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Port
Required false
Position named
Default value 80
Accept pipeline input false
Accept wildcard characters false
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a pathname If the parameter is not used the cmdlet writes
results to the default result repository
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to
scan You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed Not all models have
submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ThrottleLimit ltintgt
Specifies the maximum number of concurrent connections that can be established to run the
cmdlet If you omit this parameter or enter a value of 0 the default value of 32 is used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ThrottleLimit
Required false
Page 48
Position named
Default value 32
Accept pipeline input false
Accept wildcard characters false
-UseSSL [ltSwitchParametergt]
Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer
By default SSL is not used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter UseSSL
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceInvokeBpaModelOutputgt
The output object encapsulates the results of the cmdlet that you entered It contains information such
as the MBCA model ID the success or failure of the cmdlet and other details
NOTES
If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C)
before the temporary results file is copied to its final location the temporary file is discarded and any
previous scan results file for the role are preserved The message Processing of Invoke-MBCAModel
cancelled by user is displayed if the command is cancelled before existing scan results files are
overwritten
If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel
cmdlet and the command is cancelled scans that were completed before the cancel command was
entered cannot be cancelled A scan in progress behaves as described above in the single-model scan
cancellation scenario Subsequent scans in the pipeline are cancelled
If a concurrent scan of the same model is attempted the cmdlet returns the following error message
Another scan for this MBCA model is in progress Only one scan is allowed at a time
-------------------------- EXAMPLE 1 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA
Description
The preceding example starts a MBCA scan on the model that is represented by ltModel Idgt
-------------------------- EXAMPLE 2 --------------------------
Page 49
Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name
redmondmicrosoftcom
Description
The preceding example starts an MBCA scan on the model ID that is specified by Model Id
The administrator starts the MBCA scan with additional model-specific parameters that are exposed by
the model (For an example of how to obtain model-specific parameters see the examples for the Get-
MBCAModel cmdlet)
For example to scan a model that requires model-specific parameters (such as -Scope and -Name) to
be passed to the command the administrator can specify the values of these model-specific
parameters with the Invoke-MBCAModel cmdlet
-------------------------- EXAMPLE 3 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The
cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion
of the scan
-------------------------- EXAMPLE 4 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath
ltRepository Pathgt
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The -
Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on
existing documents that are specified in the non-default repository path provided with the -Repository
Path parameter
-------------------------- EXAMPLE 5 --------------------------
Invoke-MBCAModel -Id ltModel Idgt -SubModelId ltSubModel Idgt -ComputerName
ltServergt -Context ltContext Model Idgt -RepositoryPath ltRespository Pathgt -
AsJob -Authentication ltAuthenticatonMechanismgt -Port ltPort Numbergt -UseSSL -
ThrottleLimit ltThrottle Limitgt
Description
The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id
and on the computer that is represented by Server
Because the administrator only wants to see results from the submodel that apply in the context of a
third model the administrator runs the scan within the context of the model ID that is specified in the -
Context parameter The cmdlet results are saved to the non-default repository path that is specified in
the -RepositoryPath parameter
Because the -AsJob parameter is added the scan runs in the background The -AsJob -
Authentication -Port -UseSSL and -ThrottleLimit parameters are passed through for use by the
Invoke-Command cmdlet to perform discovery on a remote computer For more information about
these parameters see the Help for the Invoke-Command cmdlet available in Windows PowerShell V2
913 Get-MBCAResult
SYNOPSIS
Page 50
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
SYNTAX
Get-MBCAResult [-ModelId] ltstringgt [[-CollectedConfiguration]] -SubModelId
ltstringgt [-ComputerName ltstring[]gt] [-Context ltstringgt] [-Filter
ltFilterEnumgt] [-RepositoryPath ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
To use the command add the -ModelId parameter and then specify the model ID for which you want
to view the most recent MBCA scan results or collected configuration data If you want to retrieve the
configuration data collected add the -CollectedConfiguration switch parameter
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-CollectedConfiguration [ltSwitchParametergt]
The -CollectedConfiguration parameter allows you to obtain the configuration data that was
collected for the most recent MBCA scan If this switch parameter is added to Get-MBCAResults
the cmdlet returns only the configuration data that was collected for a scan
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The -ComputerName parameter lets you obtain scan results that were collected for the most
recent MBCA scan of a submodel on a specific computer To specify the local computer type the
computer name or localhost Multiple values for -ComputerName can be separated by
commas
The -SubModelId parameter is required by the -ComputerName parameter
Valid values for the -ComputerName parameter include localhost a NET BIOS name an IP
address or a fully-qualified domain name (FQDN) of one or more computers in a comma-
separated list
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
Page 51
The -Context parameter lets you obtain scan results that were collected for the most recent
MBCA scan of a submodel in the context of a specific model (one that is different from the parent
model of the submodel) For example an administrator might want to display scan results for the
Backend submodel of the SQL model but only those in the context of a third model a
technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Filter ltFilterEnumgt
The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant
Noncompliant or All results Valid values are Noncompliant Compliant or All The default value
is All
The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan
results You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet obtains
results from the default result repository
Required false
Position named
Page 52
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you
want to view scan results You can obtain valid values for the -SubModelId parameter by running
the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed Not all
models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceResultgt OR
SystemXmlXmlDocument (if -CollectedData specified)
If you do not use the -CollectedConfiguration parameter verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Results
2 Attempting to get MBCA results for Model Id = 0
3 Completed getting MBCA results for Model Id = 0 Number of Results = 1
If you add the -CollectedConfiguration parameter to display configuration data that was used for a
scan verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Configuration Data
2 Attempting to get MBCA collected configuration data for Model Id = 0
3 Completed getting MBCA collected configuration data for Model Id = 0
NOTES
The Get-MBCAResult cmdlet must be run by a member of the Administrators group and it does not
start a new scan
Cancellation behaviour
Single Model - To cancel this cmdlet you must press Ctrl+C before the ResultCollection is displayed
on the console The operation is cancelled and results are not displayed on the console
Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models
the cmdlet generates only those results that were displayed on the console before the cancellation
Any subsequent results in the pipeline are cancelled and not displayed
Page 53
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -Id SQL2008R2BPA
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id
-------------------------- EXAMPLE 2 --------------------------
Get-MBCAModel | Get-MBCAResult
In the preceding example Get-MBCAModel is used to return a list of all MBCA models that are
installed on the computer The results of the Get-MBCAModel cmdlet are piped to the Get-
MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both
supported by MBCA and installed on the computer at which the cmdlet is targeted
-------------------------- EXAMPLE 3 --------------------------
$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$resultDiscoveryDocument
Description
In the preceding example configuration data (in XML form) that was collected during the most recent
Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is
retrieved and stored as a property in the variable $result $resultDiscoveryDocument is of type
SystemXmlXmlDocument
-------------------------- EXAMPLE 4 --------------------------
Get-MBCAResult SQL2008R2BPA -Filter Noncompliant
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id and then applies a filter to show only Noncompliant
results
------------------------- EXAMPLE 5 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId Note that the parent model ID must be specified
to use the -SubModelId parameter
------------------------- EXAMPLE 6 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt -ComputerName ltServergt
-Context ltContext Model Idgt -RepositoryPath ltRepository Pathgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId The parent model ID is provided as required by
the -SubModelID parameter
The -Context parameter indicates that the administrator wants to see only those scan results that are in
the context of the model that is represented by Context Model Id for example only those results from
a SQL Server scan that specifically apply to another technology such as Web Server (IIS)
Page 54
The scan results are further narrowed to only those from a computer that is specified in the -
ComputerName parameter as Server and only those results found in the non-default results
repository that is represented by Repository Path
914 Set-MBCAResult
SYNOPSIS
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
SYNTAX
Set-MBCAResult [[-Exclude] ltBooleangt] [-Results] ltResultgtgt [[-
RepostitoryPath] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
The action specified in the cmdlet (Exclude for example) determines how the existing results of an
MBCA scan are updated Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet
to return a collection of scan results
You can apply filters to results that are returned by the Get-MBCAResult cmdlet and then pipe the
filtered collection of results to the Set-MBCAResult cmdlet specifying either to include or exclude
filtered scan results
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Exclude ltBooleangt
Excludes scan results from the results collection that were previously obtained by the Get-
MBCAResult command To exclude results by using the -Exclude parameter add the value $true
following the parameter as shown
-Exclude $true
To include results that have been excluded use the $false value for the -Exclude parameter
Required false
Position 2
Default value
Accept pipeline input false
Accept wildcard characters false
-RepostitoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet
modifies results from the default result repository
Required false
Page 55
Position 4
Default value
Accept pipeline input false
Accept wildcard characters false
-Results ltResultgtgt
Specifies the result collection to be updated by the Set-MBCAResult cmdlet The -Results
parameter is typically used to specify a filtered subset of scan results that has already been
stored in a variable the variable name is provided as the valid value for the -Results parameter
For example if you have created a variable $allPerformance to store all the Performance
category results for an MBCA scan of all models on a computer and you want to exclude those
Performance results from the complete collection of scan results you add the parameter -Results
$all Performance to a Set-MBCAResult cmdlet
For a more detailed example see the Examples section of the Help for this cmdlet
Required true
Position 3
Default value
Accept pipeline input true (ByValue)
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type ldquoget-
help about_commonparameters
NOTES
If the Set-MBCAResult command is cancelled before the results are written to a file the operation is
cancelled and the results file is not modified If cancellation occurs after the results file has been
modified the commands actions are carried out and the command cannot be cancelled
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -ModelId SQL2008R2BPA | Where $_Category -eq
Performance | Set-MBCAResult -Exclude $true
Description
The first section of the preceding example to the left of the first pipe character (|) uses the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is
represented by Model Id
The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those
scan results for which the category name is equal to Performance
The final section of the example following the second pipe character excludes the Performance
results that were filtered by the previous section of the example
-------------------------- EXAMPLE 2 --------------------------
$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath
CReposPath | Where $_Category -eq Policy
Page 56
Set-MBCAResult -Exclude $true -RepositoryPath CReposPath -Results
$rcPolicy
Description
The first line of the preceding example to the left of the pipe character (|) instructs the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is
represented by Specified Model Id from the specified non-default repository path
The second section of the example after the pipe character filters the results of the Get-MBCAResult
cmdlet to return only those scan results for which the category name is equal to (note the -eq option)
Policy The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet this
variable can be used in subsequent commands to represent those results
The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that
are stored in the $rcPolicy variable In this example the -Results parameter is added because the
administrator wants to exclude a specific subset of scan results for that model and has created the
variable $rcPolicy to represent that subset of results The repository root is specified in the second line
because the administrator wants to modify the results in the same non-default repository from which
the data in $rcPolicy was retrieved
915 MBCA Model Authoring
Further information about configuration and usage of MBCA models you can in the
MBCA_ModelAuthoringGuidedocx
Page 57
Did this paper help you Please give us your feedback Tell us on a scale of 1 (poor) to 5 (excellent)
how would you rate this paper and why have you given it this rating For example
Are you rating it high due to having good examples excellent screen shots clear writing or
another reason
Are you rating it low due to poor examples fuzzy screen shots or unclear writing
This feedback will help us improve the quality of white papers we release
Send feedback
Page 11
The user or the administrators group must be member of the System Administrator and Content
Manager role
22 Prerequisites
The following are required for using SQL Server 2008 R2 Best Practices Analyzer
1 PowerShell V20
Windows PowerShell 20 requires the Microsoft NET Framework 20 with Service Pack 1
2 Microsoft Baseline Configuration Analyzer V20
3 SQL Server Management Tools for SQL Server 2008 or SQL Server 2008 R2
The following table outlines the prerequisite Microsoft utilities components by Operating System
necessary to have on your server prior to installing and running SQL Server 2008 R2 BPA
OS 1Install
WinRM
2Install
PowerShell 20
3Install
MBCA 20
Configure PowerShell1 7 Install SQL2008
or SQL 2008 R2
Management Tools 4Remoting 5Execution
Level
6 MaxShells
PerUser
Win Vista Y Y Y Y Y Y Y
Windows 7 N N Y Y Y Y Y
Windows
Server 2003
Y Y Y Y Y Y Y
Windows
Server 2003
R2
Y Y Y Y Y Y Y
Windows
Server 2008
Y Y Y Y Y Y Y
Windows
Server 2008
R2
N N Y Y Y Y Y
1 These changes will be done from the installation routine of the BPA
Page 12
3 INSTALL
We recommend installing BPA on a workstation or administration server and performing the scan
operation remotely against servers in your SQL Server infrastructure It is also possible to install this
tool on the production SQL Server locally
Installation process
1 InstallConfigure PowerShell and WinRM
2 Microsoft Baseline Configuration Analyzer V20
3 Microsoftreg SQL Serverreg 2008 R2 Best Practices Analyzer
It exists two ways to install the Best Practices Analyzer
With a graphical user interface (setup wizard) or
Command line
31 Installing PowerShell 20 and WinRM
BPA install configures WinRM and PowerShell options by default Most of this section is only needed if
something goes wrong and you need to configure this stuff by hand
Windows Server 2003 R2
WinRM is not installed by default but it is available as the Hardware Management feature through the
AddRemove System Components feature in the Control Panel under Management and Monitoring
Tools Complete installation and information about configuring WinRM using the WINRM command-line
tool is available online in the Hardware Management Introduction which describes the WinRM and the
IPMI features in Windows Server 2003 R2
On Windows Vista Windows Server 2003 and Windows Server 2008
This is installed as part of Windows Management Framework Core The WinRM service starts
automatically on Windows Server 2008 On Windows Vista the service must be started manually
On Windows Server 2008 R2 and Windows 7
This is installed as part of the OS
Note Check for additional information and configuration guidelines for WinRM and for PowerShell
20
SQL Server 2008 R2 BPA is able to scan both the local computer and remote computers Therefore in
both the local and remote cases it required that your PowerShell settings be modified These are done
by the BPA installation
PowerShell Execution Policy
The PowerShell Execution Policy is set to Restricted by default To run SQL Server 2008 R2 BPA
through the PowerShell command Line set the policy to RemoteSigned using the below command
Set-ExecutionPolicy RemoteSigned -f
You can use the command Set-ExecutionPolicy Restricted ndashf to set the execution policy back to
restricted This command is not required when executing the scan through the MBCA GUI
After the installation you must enable the PowerShell remote scripting if you are want to use the BPA
remote to another workgroup machine or a computer that have Kerberos enabled You need to run this
command only once on each computer that will receive commands You do not need to run it on
Page 13
computers that only send commands Because the configuration activates listeners it is prudent to run
it only where it is needed You can do this with the following command line
powershellexe -NoLogo -NoProfile -Noninteractive -Command Enable-
PSRemoting -force
Enable-PSRemoting performs configuration actions to enable this machine for remote management
Includes
1 Runs the Set-WSManQuickConfig cmdlet which performs the following tasks
Starts the WinRM service
Sets the startup type on the WinRM service to Automatic
Creates a listener to accept requests on any IP address
Enables a firewall exception for WS-Management communications
Enables all registered Windows PowerShell session configurations to receive instructions
from a remote computer
Registers the MicrosoftPowerShell session configuration if it is not already registered
Registers the MicrosoftPowerShell32 session configuration on 64-bit computers if it is
not already registered
Removes the Deny Everyone setting from the security descriptor for all the registered
session configurations
Restarts the WinRM service to make the preceding changes effective
2 Configures MaxShellsPerUser using winrm set winrmconfigwinrs
``MaxShellsPerUser=`10``
Specifies the maximum number of concurrent shells that any user can remotely open on
the same computer If this policy setting is enabled the user will not be able to open new
remote shells if the count exceeds the specified limit If this policy setting is disabled or is
not configured the limit will be set to 5 remote shells per user by default and you receive
the following error message
[localhost] Connecting to remote server failed with the following
error message The WS-Management service cannot process the
request This user is allowed a maximum number of 5 concurrent
shells which has been exceeded Close existing shells or raise the
quota for this user For more information see the
about_Remote_Troubleshooting Help topic
+ CategoryInfo OpenError
(SystemManagemehellipRemoteRunspa
ceRemoteRunspace) [] PSRemotingTransportException
+ FullyQualifiedErrorId PSSessionOpenFailed
For more information about PowerShell remoting please see MSDN
32 Install MBCA
Download the edition of MBCA depending on your platform (x86 or x64) before installation
Page 14
Please find below the screenshots demonstrating the visual flow of the MBCA Installation
Welcome screen
License terms
Folder selection
Completion screen
33 Install BPA
Download the correct edition depending on your platform (x86 or x64) before installing If you have
trouble with the installation please section 57 Troubleshooting Installation
331 Command line
Following is an optimized command line setup example
msiexec i SQL2008R2BPA_Setup64msi l log ctempsqlbpa_installlog qn
msiexec parameters
i = package name (SQL2008R2BPA_Setup32msi or SQL2008R2BPA_Setup64msi
depending on your platform)
l = log granularity ldquordquo - Log all information except for v and x options
log = log file
q = display settings (qn ndash no user interface)
SKIPCA=1 (if no domain controller is available Skip Certification Authority)
For information on additional public properties Consult the Windowsreg Installer SDK for documentation
on the command line syntax
Page 15
332 GUI
Please find below the screenshots demonstrating the visual flow of the SQL Server 2008 R2 BPA
Installation
Welcome screen
License terms
System Configuration Changes (see 31 Installing PowerShell 20 and WinRM)
Ready to install decision
Install progress
Completion screen
Page 16
333 Port and Firewall restrictions
For scanning SQL Server or BI instances on an alternate server behind a firewall you must open all
necessary ports
34 Updates
Microsoft is working on quarterly updates of the rule set and tool improvements of the SQL Server
2008 R2 Best Practice Analyzer Please visit the Download site from Microsoft regularly to find new
updates
35 Uninstall
351 BPA
352 MBCA
353 Reset PowerShell settings
After the uninstall of the BPA you may disable the PowerShell remote scripting You can do this with
the following command line
powershellexe -NoLogo -NoProfile -Noninteractive -Command Disable-
PSRemoting -force
Disable-PSRemoting performs configuration actions to enable this machine for remote management
Page 17
4 USAGE
There are two ways to scan a server using MBCA and SQL 2008 R2 BPA They are
Scanning through the local machine
o In this case you are using MBCA and SQL 2008 R2 BPA running on the local machine to
perform the scan
o This scan can be of the local or an alternate server
Scanning through a remote machine
o In this case MBCA is used to connect to a remote server that has MBCA and SQL 2008
R2 BPA installed on it
o This scan is using the local machine to form the connection to the remote machine and is
actually performing the scan through the remote machine
41 Help file
The help file for the SQL Server 2008 R2 Best Practice Analyzer contains very useful information This
help file is available after the installation of BPA and is located at Start-gtAll programs-gtSQL Server
2008 R2 BPA
42 GUI
1 Ensure that MBCA v2 and SQL 2008 R2 BPA are installed on the machine
2 Run the MBCA application from the start menu with elevated user rights
Page 18
3 On the MBCA home page ensure the SQL Server 2008 R2 BPArdquo product is selected
4 Click Start Scan which displays a page to specify parameters as shown below
5 Fill in Alternate_Server_to_Scan with the remote machine you want to scan
ComputerName
IP address nnnn
FQDN (Fully Qualified Domain Name)
Enter ldquordquo localhost or leave this blank if you want to scan the local machine
Page 19
Enter the instance name you want to scan To scan the default instance enter MSSQLSERVER
or leave this as blank Toggle the checkboxes to enabledisable scans for those rule categories
Each of the following six check boxes correspond to the SQL Server categories listed previously
Select at least one category in order to run a successful scan
Analyze_SQL_Analysis_Services
Analyze_SQL_Server_Engine
Analyze_SQL_Integration_Services
Analyze_SQL_Server_Replication
Analyze_SQL_Reporting_Services
Analyze_SQL_Server_Setup
Note Only one SQL Server instance can be scanned at a time through the MBCA GUI
6 Click Start Scan MBCA will start the configured scan and display the below page while in
progress
7 When the scan is complete results will be displayed grouped by Severity as shown below
Page 20
43 Connect to a remote computer
A scan connected to a remote computer is different than scanning an alternate server
ldquoConnect to a Remote Computerrdquo is functionality provided by Microsoft Baseline Configuration Analyzer
and is used to remotely run MBCA against a server from the console of the client The client needs to
have MBCA installed but does not need BPA as it is literally running the copy of MBCA installed on the
server using the BPA installed on the server In this case the copy of MBCA installed on the client is
used only to remotely connect to the copy of MBCA installed on the server
To use this functionality you first start MBCA on the client computer and select ldquoConnect to Another
Computerrdquo
1 In the ldquoConnect to Another Computerrdquo text box you can specify a NetBIOS name a fully qualified
domain name (FQDN) or an IPv4 or IPv6 address If no port number is specified the default port
number is used The following are examples of formats that you can specify in the Connect to
Another Computer text box
ComputerName
Page 21
ComputerNamePortNumber
IP address nnnn
IPv6 address [nnnnnnnn]
IPv4 address with port number nnnnPortNumber
IPv6 address with port number [nnnnnnnn]PortNumber
Note If an administrator has changed the computerrsquos default port number any port other than the
default port must be opened in Windows Firewall to allow incoming connections on that port Port
5985 is opened by default when WinRM is configured All other ports remain blocked until opened
For more information about how to unblock a port in Windows Firewall see the Help for Windows
Firewall For more information about how to configure WinRM in a Command Prompt session type
winrm help and then press Enter
2 Additionally you must supply credentials
3 CredSSP
Windows Remote Management (WinRM) supports the delegation of user credentials across
multiple remote computers The multi-hop support functionality can now use Credential Security
Service Provider (CredSSP) for authentication CredSSP enables an application to delegate the
userrsquos credentials from the client computer to the target server
CredSSP authentication is intended for environments where Kerberos delegation cannot be used
Support for CredSSP was added to allow a user to connect to a remote server and have the ability
to access a second-hop machine such as a file share
Note WinRM clients and servers will support CredSSP authentication only with explicit credentials
Windows XP Windows Server 2003 and earlier CredSSP is not supported
First you must set CredSSP on both the client and the server
Using the Group Policy Editor (gpeditmsc) make sure to enable ldquoAllow Delegating Fresh
Credentialsrdquo and check ldquoConcatenate OS defaults with input aboverdquo
Add the server or domain to the list of servers in the format ldquoWSMANdomainnamecomrdquo
Next enable and configure PowerShell Remoting on both the Client and Server by running the
following commands in a PowerShell command window opened with elevated permissions Note
Page 22
You can configure a single machine as both a client and a server simultaneously so that you can
scan from either computer
Enable PowerShell Remoting
o Enable-psremoting ndashf
Settings for a client
o Enable-WSManCredSSP ndashrole Client ndashDelegateComputer [NetBiosNameOfServer]
or
o Enable-WSManCredSSP ndashrole Client ndashDelegateComputer [FQDN OF SERVER]
Settings for the server
o Enable-WSManCredSSP ndashrole Server
o set-item WSManlocalhostShellMaxMemoryPerShellMB ndashValue 20000
o set-item WSManlocalhostShellMaxShellsPerUser ndashvalue 20
44 PowerShell
Details see 91 PowerShell
To use the functionality of the Microsoft Baseline Configuration Analyzer you must import this module
first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
441 Run Scan
To run a full scan of the BPA on the alternate server on a named instance you can use the following
command line
Invoke-MBCAModel -ModelId SQL2008R2BPA -Alternate_Server_to_scan
servername -SQL_Server_Instance_Name instancename -
Analyze_SQL_Server_Engine -Analyze_SQL_Server_Replication -
Page 23
Analyze_SQL_Server_Setup -Analyze_SQL_Analysis_Services -
Analyze_SQL_Integration_Services -Analyze_SQL_Reporting_Services
The result looks like this part
ModelId SQL2008R2BPA
SubModelId
Success True
ScanTime
Success = True is important This is the indicator that your scan was successful
Parameter description
-Alternate_Server_to_scan servername
-SQL_Server_Instance_Name instancename
-Analyze_SQL_Server_Engine
-Analyze_SQL_Server_Replication
-Analyze_SQL_Server_Setup
-Analyze_SQL_Analysis_Services
-Analyze_SQL_Integration_Services
-Analyze_SQL_Reporting_Services
The parameter list is equal the parameter screen in the GUI
The scans of the different services are optional You can remove technologies which you do not need
to scan
The next example starts the scan only for the Analysis Services on the alternate server ldquoservernamerdquo
and for the named instance ldquoinstancerdquo A log file will be written to ldquoctempssastxtrdquo
Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId AnalysisServices -
ComputerName servername -SqlServerInstance instance -SSASLogFile
ctempssastxt
Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId Engine -ComputerName
computername -SqlServerInstance servername -CurrentLoginName
($EnvUSERDOMAIN + + $EnvUSERNAME)ToString() -EngineLogFile
ctempenginetxt ndashRepositoryPath (CTEMPSQL2008 + (Get-
Date)ToString(yyyyMMdd))ToString()
442 Create Report
model = get-MbcaModel ndashModelId sql2008r2bpa
$scanResult = get-MbcaResult ndashModelId sql2008r2bpa
$collectedConfig = get-MbcaResult ndashModelId sql2008r2bpa ndash
CollectedConfiguration
$model $scanResult $collectedConfig | export-CliXml ctempasxml
Get-MBCAResult -ModelId SQL2008R2BPA -SubModelId AnalysisServices |
ConvertTo-Html | Add-Content -Path ctesthtml
The next command retrieves the results of the most recent BPA scan for the specified model and
saves them in HTML format applying the standard cascading style sheets that are stored in the path
windirsystem32WindowsPowerShellv10ModulesBestPracticesBestPracticesReportFormatc
Page 24
ss If you want to substitute cascading style sheets provide the path to the different cascading style
sheets
Get-MBCAResult -ModelId SQL2008R2BPA | $_Severity -eq Warning -or
$_Severity -eq Error | ConvertTo-Html -As Table -property ResultNumber
SubModelID ComputerName Severity Category Title Problem Impact
Resolution Help -Head lth1gtSQL Server 2008 (R2) Best Practice Analyzer
Reportlth1gtrdquo -Title SQL Server 2008 Best Practice Analyzer -body
(ltpgtReport creation date + (Get-Date)ToString(ddMMyyyy hhmmss) +
ltpgt)toString() -pre ltPgtGenerated by user $envusername on computer
$envcomputernameltPgt -post For details contact Microsoft Premier-
CssUri $env BestPracticesReportFormatcss gt ctempsql2008r2bpahtm
443 Exporting and opening reports by using Get-MBCAResult
You can use the Get-MBCAResult cmdlet to export scan results and configuration data to an XML
report that you can open for viewing in the future either by using Get-MBCAResult or by using the
MBCA GUI Exporting reports allows you to compare older scans with more recent scans to measure
the progress of your best practice compliance
Example of exporting to XML
$results = Get-MBCAResult ltModel Idgt
$collectedconfig = Get-MBCAResult ltModel Idgt -CollectedConfiguration
$results $collectedconfig | Export-CliXml cexportxml
Example of opening archived XML report file
$loadedResults $loadedConfiguration = Import-CliXml cexportxml
444 Report Result Directory
The reporting result path
AppDataMicrosoftBaselineConfigurationAnalyzer
2ReportsSQL2008R2BPAResults
Will be overwritten during each run of the tool or invoke command
Solution save older results before you start the check
copy-item -path ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2Reports)ToString() -
destination ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2Reports_ + (Get-
Date)ToString(yyyyMMddhhmmss))ToString() ndashrecurse
Afterwards you can create a report with the following command
$prevrepPath = (Get-ChildItem ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2)ToString() -exclude
Reports | Sort-Object name -descending)[0]
Get-MBCAResult -ModelId SQL2008R2BPA ndashRepositoryPath ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2rdquo +
$prevrepPathname)ToString() | ConvertTo-Html -As Table -property
ResultNumberSubModelID ComputerName Severity Category Title Problem
Impact Resolution Help -Head lth1gtSQL Server 2008 (R2) Best Practice
Analyzer Reportlth1gtrdquo -Title SQL Server 2008 Best Practice Analyzer -body
(ltpgtReport creation date + (Get-Date)ToString(ddMMyyyy hhmmss) +
ltpgt)toString() -pre ltPgtGenerated by user $envusername on computer
Page 25
$envcomputernameltPgt -post For details contact Microsoft Premier gt
ctempsql2008r2bpahtm
Page 26
5 TROUBLESHOOTING
51 Application directories
To following directories are used by MBCA
Report output directory localappdataMicrosoftMicrosoftBaselineConfigurationAnalyzer 2ReportsSQL2008R2BPAResults
Model configuration path ProgramdataMicrosoftMicrosoft Baseline Configuration Analyzer 2ModelsSQL2008R2BPA
Temp and log files directory tempSQL2008R2BPASQL2008ltdategt_lttimegt
Registry [HKEY_LOCAL_MACHINESOFTWAREMicrosoftBaselineConfigurationAnalyzer]
Log Files
During Data Discovery SQL Server 2008 R2 BPA creates log files for troubleshooting The log file
contains the following information
Pre-requisite validation
Timestamp finished rules start and end times
Run-time scripting errors and exceptions from Power Shell Traps
Log Files Location
For every scan log files are created in userrsquos Local Temp directory (Temp) and follows the folder
structure SQL2008R2BPAlt Instance Name gtlt datestamp_timestamp gtlt Log files gt
Note In case of a remote scan the category log files are generated on the remote system at the same
path whereas the common log file is generated in the local system
Log Files Structure
A common log file gets generated and contains information about each categorys execution Apart
from this each category has its own log file which details the rule execution The names of the log files
are given below
Common File - ModelLogtxt
Engine Rules - EngineLogtxt
Replication Rules - ReplicationLogtxt
Setup Rules - SetupLogtxt
Analysis Services Rules - AnalysisServicesLogtxt
Reporting Services Rules - ReportingServicesLogtxt
Integration Services Rules - IntegrationServicesLogtxt
52 Windows Server 2003 ndash NumberOfLogicalProcessors
Analysis Services RID2803 and RID2804 ndash NumberOfLogicalProcessors property is unavailable in
Win32_Processor for with Windows Server 2003
Solution The NumberOfLogicalProcessors property does not exist in the WIN32_PROCESSOR object
in Windows Server 2003 It has been implemented in the hotfix
httpsupportmicrosoftcomkb932370
Both of the rules below will function properly if you apply this hotfix For more information look here
Page 27
53 MBCA
This message indicates that on prerequisite is not installed
Please install the version 2 of the MBCA
54 Where can I find the Instance name in result set of the analyzer
report
The instance name is in the collected data option of the analyzer report in the BPA GUI
55 Memory limit of remote PowerShell process
By default remote PowerShell process can consume only 150 MB or less memory This default limit is
significantly small and once this limit is reached there could be a WinRM exception causing and remote
connection immediately terminates Any application or Cmdlet which is involved in PowerShell
remoting should be tested for this memory limit this may cause some of the command to fail for
example site collection creation
Solution Increase the memory limit for the remote shell Use the following command to increase this
limitation to 1000MB This is only necessary if you need to run those commands on that server
Set-Item WSManlocalhostShellMaxMemoryPerShellMB 1000
56 Remote connect
If you try to ldquoConnect to another computerrdquo from MBCA and you receive the following message
Page 28
You should check first if the Hotfix KB968930 is installed
Afterwards validate that the ldquoWindows Remote Managementrdquo service is started
Enable-PSRemoting
If CredSSP is unsupported or unavailable you will see the following message
Page 29
If you have no permission to access the remote server you get the error message
Page 30
57 Installation
571 PowerShell error
After getting through the Pre-Reqs for BPA (PowerShell 20 MBCA NET Framework) you may hit
one of two scenarios when installing BPA
In all of the cases of an install failure you will see the following error
There is a problem with this Windows Installer package A program run as part of the setup did not
finish as expected Contact your support personnel or package vendor
In your Application Event Log for both of these scenarios you will also see the following entry
Log Name Application
Source MsiInstaller
Date 6102010 83818 AM
Event ID 11722
Task Category None
Level Error
Keywords Classic
User ltUsernamegt
Computer ltMachine namegt
Description
Product Microsoft SQL Server 2008 R2 BPA -- Error 1722 There is a problem
with this Windows Installer package A program run as part of the setup did
not finish as expected Contact your support personnel or package
vendor Action EnablePSRemoting location powershellexe command -NoLogo
-NoProfile -Command Enable-PSRemoting ndashforce
Page 31
This is an indicator that PowerShell is not configured You must run the following command
powershellexe -NoLogo -NoProfile -Command Enable-PSRemoting ndashforce
572 Workgroup or Non-Domain computer
In this scenario the Enable-PSRemoting command should execute fine from a PowerShell prompt
The actual error coming back from the PowerShell command within the Installer is ldquoAccess Deniedrdquo
To work around this issue you can do the following
1 Open a command prompt with Administrative Privileges
2 Change to the directory where the msi file resides
3 Type msiexec i ltMSI Namegt SKIPCA=1
4 MSI Name will either be SQL2008R2BPA_Setup32msi or SQL2008R2BPA_Setup64msi
depending on your platform
5 Once BPA is installed open a PowerShell prompt with Administrative Privileges
6 Execute the following commands
a Enable-PSRemoting
b winrm set winrmconfigwinrs ``MaxShellsPerUser=`10``
This should allow BPA to be successfully installed in the workgroup scenario
573 Kerberos Failure
This scenario is that you are failing with the above due to a Kerberos issue This particular issue could
actually show up after you have installed BPA depending on how you have configured your
environment
The issue stems from the fact that the Windows Remoting Windows Service uses the Network Service
account Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos As a
result it will be using the HOST Service Principal Name (SPN) that is on the Machine Account as it is
running under that context You may have an HTTP SPN that resides on a different account with that
host name For example if you are running an IIS Web Application such as SharePoint or if you are
using Reporting Services and the service account is set to a Domain User account instead of Network
Service or Local System If your URL of your application matches the machine name then your HTTP
SPN will be the same Thatrsquos where this problem comes in WinRM will stop working at that point and
give you a message similar to the following
Set-WSManQuickConfig WinRM cannot process the request The following error
occured while using Negotiate authentication An unknown security error
occurred
Possible causes are
-The user name or password specified are invalid
-Kerberos is used when no authentication method and no user name are
specified
-Kerberos accepts domain user names but not local user names
-The Service Principal Name (SPN) for the remote computer name and port
does not exist
-The client and remote computers are in different domains and there is no
trust between the two domains
After checking for the above issues try the following
-Check the Event Viewer for events related to authentication
-Change the authentication method add the destination computer to the
WinRM TrustedHosts configuration setting or use HTTPS transport
Note that computers in the TrustedHosts list might not be authenticated
-For more information about WinRM configuration run the following
Page 32
command winrm help config
At line50 char33
+ Set-WSManQuickConfig ltltltlt -force
+ CategoryInfo InvalidOperation () [Set-WSManQuickConfig]
InvalidOperationException
+ FullyQualifiedErrorId
WsManErrorMicrosoftWSManManagementSetWSManQuickConfigCommand
You can get this type of error from WinRM for muliple reasons The one that
we saw in our testing was the HTTP SPN scenario
If you do have an HTTP SPN defined on a Domain Account that is using the name of your machine
you have some options First you can follow the steps mentioned above to get BPA installed The
Enable-PSRemoting command will give you the above error You can temporarily remove the HTTP
SPN to get remoting enabled and then re-add the HTTP SPN
Once BPA is setup you will still not be able to run BPA if you put the HTTP SPN back in place You will
see the following when you attempt to perform a scan
This will occur regardless of which component you try to scan It could be the Engine Setup RS etchellip
One option to perform the scan successfully is to temporarily remove the HTTP SPN again run the
scan and then put the HTTP SPN back in place Another option but one that will probably require
further testing from your applicationrsquos end would be to run the application under a Host Header and
then your HTTP SPN would not include the machine name allowing BPA to run without issue
Page 33
6 RULES
Searching for ldquoSQL Server 20087 R2 BPArdquo at Microsoftcom reveals
Here is an example of one of these articles that talks about a rule to check for a recent ldquocleanrdquo
CHECKDB
Page 34
BPA works by measuring a rolersquos compliance with best practice rules in eight different categories of a
rolersquos effectiveness trustworthiness and reliability Results of measurements can be any of the three
severity levels described in the following table
Severity level Description
Noncompliant Noncompliant results are returned when a role does not satisfy the conditions of a rule
Compliant Compliant results are returned when a role satisfies the conditions of a rule
Warning Warning results are returned when a role is compliant as operating currently but may not satisfy the conditions of a
rule if changes are not made to its configuration or policy settings For example a scan of Remote Desktop Services
might show a warning result if a license server is unavailable to the role because even if no remote connections are
active at the time of the scan not having the license server prevents new remote connections from obtaining valid
client access licenses
Page 35
BPA rule categories
The following table describes the categories of best practice rules against which roles are measured
during a BPA scan
Category Name Description
Security Security rules are applied to measure a rolersquos relative risk for exposure to threats such as unauthorized or malicious
users or loss or theft of confidential or proprietary data
Performance Performance rules are applied to measure a rolersquos ability to process requests and perform its prescribed duties in
the enterprise within expected periods of time given the rolersquos workload
Configuration Configuration rules are applied to identify role settings that might require modification for the role to perform
optimally Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role
from performing its prescribed duties in an enterprise
Policy Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the
role to operate optimally and securely
Operation Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise
Predeployment Predeployment rules are applied before an installed role is deployed in the enterprise to let administrators to
evaluate whether best practices were satisfied before you use the role in production
Postdeployment Postdeployment rules are applied after all required services have started for a role and the role is running in the
enterprise
BPA Prerequisites BPA Prerequisite rules explain configuration settings policy settings and features that are required for the role
before BPA can apply specific rules from other categories A prerequisite in scan results indicates that an incorrect
setting a missing role role service or feature an incorrectly enabled or disabled policy a registry key setting or
other configuration has prevented BPA from applying one or more rules during a scan A prerequisite result does
not imply compliance or noncompliance It means that a rule could not be applied and therefore is not part of the
scan results
61 Engine Rules
Please find below a summary of the 74 Engine Rules with the links to the rule descriptions These rules
are checking that you have a secure resilient and well performing SQL configuration
Authentication Mode (httpsupportmicrosoftcomkb2028697)
Lightweight Pooling is enabled (httpsupportmicrosoftcomkb2160691)
Locks Configuration Not Dynamic (httpsupportmicrosoftcomkb2199576)
non-default network packet size in use (httpsupportmicrosoftcomkb2157175)
degree of parallelism not set to recommended value (httpsupportmicrosoftcomkb2023536)
Use Database Mail instead of SQL Mail (httpsupportmicrosoftcomkb2028584)
SQL Server Agent Proxy Account (httpsupportmicrosoftcomkb2160741)
SQL Login Password Policy Strength and password expiry
(httpsupportmicrosoftcomkb2028712)
Trustworthy Bit (httpsupportmicrosoftcomkb2183687)
Symmetric Keys Check (httpsupportmicrosoftcomkb2162020)
Asymmetric Keys Check (httpsupportmicrosoftcomkb2162020)
SQL Server installed on PDC BDC (httpsupportmicrosoftcomkb2032911)
Page 36
SQL Server Admin role membership check (httpsupportmicrosoftcomkb2184138)
Windows API calls intercepted (httpsupportmicrosoftcomkb2033238)
unsupported DotNET framework assemblies present (httpsupportmicrosoftcomkb2033344)
Disk partition starting offset may be incorrect (httpsupportmicrosoftcomkb2023571)
non-default max worker threads value configured (httpsupportmicrosoftcomkb2157129)
Guest Permissions (httpsupportmicrosoftcomkb2186935)
Data and Log files on the same volume (httpsupportmicrosoftcomkb2033523)
IO timeouts and IO controller errors detected (httpsupportmicrosoftcomkb2091098)
IO device errors detected (httpsupportmicrosoftcomkb2091098)
IO errors during page faults detected (httpsupportmicrosoftcomkb2091098)
cluster disk corruption encountered (httpsupportmicrosoftcomkb2091098)
disk defragmentation encountered corruption (httpsupportmicrosoftcomkb2091098)
failed IO requests detected (httpsupportmicrosoftcomkb2091098)
IO requests are successful when retried (httpsupportmicrosoftcomkb2015757)
IO Delay Problems reported by SQL Server (httpsupportmicrosoftcomkb2137408)
This system experienced unexpected shutdowns (httpsupportmicrosoftcomkb2091098)
tempdb corruption errors fix missing (httpsupportmicrosoftcomkb960770)
Critical SQL database inconsistency errors found (httpsupportmicrosoftcomkb2152734)
Logical consistency errors detected (httpsupportmicrosoftcomkb2152472)
Database have auto shrink option enabled (httpsupportmicrosoftcomkb2160663)
SQL Server Error logs are very big (httpsupportmicrosoftcomkb2199578)
incorrect affinity mask settings detected httpsupportmicrosoftcomkb2157114
Very low blocked process threshold setting detected httpsupportmicrosoftcomkb2157154
Potential security issue with legacy DTS stored procedures
httpsupportmicrosoftcomkb2202875
Winsock LSP loaded into SQL httpsupportmicrosoftcomkb2033448
Databases using simple recovery model httpsupportmicrosoftcomkb2137539
User database collation different from model httpsupportmicrosoftcomkb2026108
Database files and backups exist on the same volume httpsupportmicrosoftcomkb2027537
Databases have auto close option enabled httpsupportmicrosoftcomkb2160685
LSI SAS drivers needs update httpsupportmicrosoftcomkb2121098
SQL tempdb database not configured optimally httpsupportmicrosoftcomkb2154845
SQL Database file has sparse attribute set httpsupportmicrosoftcomkb2028447
Invalid startup parameters httpsupportmicrosoftcomkb2028433
MSDTC settings not configured optimally httpsupportmicrosoftcomkb2027550
sql incorrect results fix missing httpsupportmicrosoftcomkb971780
File System needs tuning for better FileStream performance
httpsupportmicrosoftcomkb2160002
linked server memory leak fix missing httpsupportmicrosoftcomkb971622EN-US
Windows service pack is not at recommended level httpsupportmicrosoftcomkb2121098
default extended event health session not in expected state
httpsupportmicrosoftcomkb2160570
TcpSysAndChimneyCheck httpsupportmicrosoftcomKB918483
FDHOST Launcher service is not configured properly httpsupportmicrosoftcomkb2160720
Unrecommended SQL Server Agent service account httpsupportmicrosoftcomkb2160720
A required Windows fix to avoid sparse file related problems is missing
httpsupportmicrosoftcomkb2002606
Page 37
Significant Portion of SQL Server Memory Has Been Paged Out
httpsupportmicrosoftcomkb2028324
Server Exception or Hang Detected on Server httpsupportmicrosoftcomkb2028589
Databases exist without CHECKSUM protection httpsupportmicrosoftcomkb2078345
backups outdated for databases httpsupportmicrosoftcomkb2027537
Database consistency check not current httpsupportmicrosoftcomkb2033590
SQL Server Memory settings are incorrect httpsupportmicrosoftcomKB918483EN-US
Autogrow Failed or took a long time httpsupportmicrosoftcomkb2091024
Storport driver fix from KBA 940467 missing httpsupportmicrosoftcomkb2121098
Storport driver fix from KBA 950903 missing httpsupportmicrosoftcomkb2121098
SQLCLR needs additional memory configuration httpsupportmicrosoftcomkb969962EN-US
Operating System files and drivers needs update for working set trimming
httpsupportmicrosoftcomkb2121098
Agent Token Replacement httpsupportmicrosoftcomkb2202637
Auditing Log in failures httpsupportmicrosoftcomkb2187161
Databases with high number of VLF present httpsupportmicrosoftcomkb2028436
Transparent Data Encryption Certificate httpsupportmicrosoftcomkb2201900
Permission on the Binn folder httpsupportmicrosoftcomkb2029023
Index Statistics Are Outdated
Server public permissions httpsupportmicrosoftcomkb2160698
Detected use of older versions of SQLNCLI httpsupportmicrosoftcomkb979779
62 AS Rules
Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions
Flight Recorder Enabled for SQL Server Analysis Services
httpsupportmicrosoftcomkb2128005
Excessive amount of memory preallocated to Analysis Services
httpsupportmicrosoftcomkb2027474
Server not configured for optimal concurrent query throughput
httpsupportmicrosoftcomkb2135031
Non standard value detected for Analysis Services memory configuration
httpsupportmicrosoftcomkb2027472
Process Thread Pool Max limit above recommended limit
httpsupportmicrosoftcomkb2134497
Process Thread Pool Minimum is below the recommended limit
httpsupportmicrosoftcomkb2134855
Server is running a build with a known regression httpsupportmicrosoftcomkb2157941
Slice not set on a ROLAP partition or a partition where proactive caching is enabled and
ROLAP storage ay occur httpsupportmicrosoftcomkb2027754
Server is ignoring duplicate key errors httpsupportmicrosoftcomkb2027761
No default member defined for non-aggregatable attribute
httpsupportmicrosoftcomkb2027769
UnknownMember set to hidden httpsupportmicrosoftcomkb2027628
Non-numeric key column for high cardinality attribute httpsupportmicrosoftcomkb2028138
Attribute hiearchy enabled for high cardinality non-key attribute
httpsupportmicrosoftcomkb2028143
ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition
detected httpsupportmicrosoftcomkb2132742
Page 38
Account or Time attribute types defined in a non-matching dimension type
httpsupportmicrosoftcomkb2157299
An Account or Time dimension has no matching attribute defined
httpsupportmicrosoftcomkb2027418
Dimension has no attribute defined with the same type
httpsupportmicrosoftcomkb2027443
Attribute Dimension type mismatch httpsupportmicrosoftcomkb2157327
Mismatched dimension attribute types detected in dimension
httpsupportmicrosoftcomkb2027459
Possible incorrect order of levels defined in hierarchy httpsupportmicrosoftcomkb2027460
Define attribute relationships as Rigid where possible httpsupportmicrosoftcomkb2027468
Redundant attribute relationships detected httpsupportmicrosoftcomkb2127437
Diamond-shape relationship detected httpsupportmicrosoftcomkb2127570
Non-Standard Attribute Relationship name detected httpsupportmicrosoftcomkb2127862
Proactive Caching set for dimension without a processing query
httpsupportmicrosoftcomkb2027541
No Time dimension detected httpsupportmicrosoftcomkb2027532
More than 3 parent-child dimensions with custom rollups defined
httpsupportmicrosoftcomkb2134431
Encountered a parent-child dimension with more than 500000 members
httpsupportmicrosoftcomkb2131918
Single attribute dimensions detected httpsupportmicrosoftcomkb2141654
Measure groups with zero dimensional overlap detected in cube
httpsupportmicrosoftcomkb2027609
Proactive Caching set for a partition without a processing query
Default measure for perspective not in the perspective
httpsupportmicrosoftcomkb2027603
Use MOLAP storage for dimensions that participate in semi-additive measure groups
httpsupportmicrosoftcomkb2135112
Measure group defined with no partition httpsupportmicrosoftcomkb2027545
63 RS Rules
RSWindowsNegotiate is missing from your configuration
httpsupportmicrosoftcomkb2145506
HTTP Logging is not enabled httpsupportmicrosoftcomkb2145909
Verbose logging is enabled httpsupportmicrosoftcomkb2146315
NTLM authentication may fail for local httpsupportmicrosoftcomkb2146369
Missing extended protection settings httpsupportmicrosoftcomkb2146062
64 IS Rules
Logging task missing for package httpsupportmicrosoftcomkb2027723
ActiveX Script task detected in package httpsupportmicrosoftcomkb2027712
Unrecommended Integration Services service account detected
httpsupportmicrosoftcomkb2027684
Integration Services logging table found in system database master and or msdb
httpsupportmicrosoftcomkb2027706
Integration Services memory dump detected httpsupportmicrosoftcomkb2027727
Page 39
65 Setup Rules
Unsupported Operating System Version Detected httpsupportmicrosoftcomkb2022909
WOW64 not supported for SQL Failover Clustering httpsupportmicrosoftcomkb2157198
Installer cache is missing for the SQL Installation httpsupportmicrosoftcomkb2015100
SQL Server WMI Provider Health Check
66 Replication Rules
Replication Timeout Alerts Type httpsupportmicrosoftcomkb2118349
Replication Pub and Sub out of sync (Data Validation) httpsupportmicrosoftcomkb2118386
Replication Pub and Sub out of sync (Constraint Violations)
httpsupportmicrosoftcomkb2118410
Replication Pub and Sub out of sync (Skipped Transactions)
httpsupportmicrosoftcomkb2194498
Merge Replication Health Check httpsupportmicrosoftcomkb2118445
Subscriptions Approaching Expiration httpgomicrosoftcomfwlinkLinkId=184483
Replication Cleanup and Retention Health Check httpsupportmicrosoftcomkb2118485
Replication Latency Threshold violations httpsupportmicrosoftcomkb2118425
Page 40
7 HOW TO DEAL WITH DEVIATIONS
Deviations from these Best Practices may indicate potential issues and configuration changes may be
necessary Make sure you have tested any intended changes in a test environment before deploying
them to a production environment You could also find deviations from Best Practices that are
acceptable or even necessary for your environment For example
SAP has its special Network Packet Size of 8 KB
Existing Non-Microsoft Clients ndash would require Mixed Mode Authentication
Page 41
8 MOTIVATION TO USE SQL BPA R2
Bob Ward explained in his Article ldquoWhy use SQL Server 2008 R2 BPA Case 1 Missing Updatesrdquo
the common pitfalls during maintenance and operation of SQL Server and how address them by using
the SQL BPA
In brief itrsquos a customer scenario where the customer is facing an issue after a major update to
SQL2008 After some troubleshooting and an update to a certain CU (that is meant to fix the issue) the
problem still occurs Bobs article states the common resulting consequences ndash the involvement of
Microsoft Support and the final solution ndash adding a needed traceflag
The good news in this story is that the customer would not have needed to go to all that effort if they
would have run the SQL BPA It would have told them about the update and instructed them to put the
traceflag in place BPA is a mechanism that proactively advises you and instructs you on dealing with
common known issues
Page 42
9 ADDITIONAL INFORMATION
91 PowerShell
To use the functionality of the Baseline Configuration Analyzer with PowerShell you must import this
module first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
The following commands are stored in this module
Get-MbcaModel
Get-MbcaResult
Invoke-MbcaModel
Set-MbcaResult
You get help of this command with the following syntax
Get-help ltcommandgt -full
911 Get-MBCAModel
SYNOPSIS
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer
SYNTAX
Get-MBCAModel [[-ModelId] ltstring[]gt] [[-SubModelId] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer If no parameter is
specified Get-MBCAModel returns all models that are installed on the computer If a model is specified
by using the -ModelId parameter information about the specified model is returned
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
The results of the Get-MBCAModel cmdlet include the following details about models
1 Branding information (manufacturer or company display names version number) that is found in
the model manifest
2 Dynamic parameters that are included with the model
3 Submodels that are included with the model
PARAMETERS
-ModelId ltstring[]gt
The -ModelId parameter specifies the ID of the MBCA model about which you want to view
details You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet with no parameters and targeted at a computer on which MBCA models are installed
Page 43
This parameter supports wild card characters
Required false
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you
want to view details You can obtain valid values for the -SubModelId parameter by running the
Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models
are installed Not all models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
Examples
Get-MBCAModel
In the preceding example Get-MBCAModel with no parameters added returns details about all MBCA
models that are installed on the computer
Get-MBCAModel -ModelId SQL2008R2BPA
The preceding example can be used to return details about the MBCA model that is specified in the -
ModelId parameter represented by Model Id
$model= Get-MBCAModel -ModelId SQL2008R2BPA
$modelParameters
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the Parameters property of the model details that were stored in the
$model object returns details about which parameters are supported by the model
Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId ltSubModel Idgt
The preceding example can be used to return details about the MBCA sub-model that is specified by
the -SubModelId parameter represented by SubModel Id Note that the -ModelId parameter is
required by the -SubModelId parameter
$model= Get-MBCAModel -ModelId SQL2008R2BPA
Page 44
$modelSubModels
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the SubModels property of the model details that were stored in the
$model object returns a list of the submodels of the model specified in the first line
912 Invoke-MBCAModel
SYNOPSIS
The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA)
scan for a specific model that is installed on your computer
SYNTAX
Invoke-MBCAModel [-ModelId] ltstringgt -SubModelId ltstringgt [-Authentication
ltAuthenticationMechanismgt] [-CertificateThumbprint ltstringgt] [-ComputerName
ltstring[]gt] [-ConfigurationName ltstringgt] [-Context ltstringgt] [-Credential
ltstringgt] [-Mode ltModeEnumgt] [-Port ltintgt] [-RepositoryPath ltstringgt] [-
ThrottleLimit ltintgt] [-UseSSL] [ltCommonParametersgt]
DESCRIPTION
The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer
(MBCA) scan for a specific model that is installed on your computer The model is specified either by
using the parameter -ModelId or by piping the results of the Get-MBCAModel cmdlet into an Invoke-
MBCAMode cmdlet
After the MBCA scan has been performed the results of the scan are available to be retrieved by Get-
MBCAResult cmdlet
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Authentication ltAuthenticationMechanismgt
Specifies the authentication mechanism that is used to authenticate the users credentials Valid
values include Default Basic CredSSP Digest Kerberos Negotiate and
NegotiateWithImplicitCredential The default value is Default
For more information about the -Authentication parameter type the following and then press
Enter
Get-Help Invoke-Command -Parameter Authentication
Required false
Position named
Default value Default
Accept pipeline input false
Accept wildcard characters false
-CertificateThumbprint ltstringgt
Page 45
Specifies the digital public key certificate (X509) of a user account that has rights to perform the
cmdlet action The valid value is the certificate thumbprint of the certificate
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Certificate Thumbprint
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific
computer by adding this parameter Valid values include NETBOS names IP addresses or fully-
qualified domain names of one or more computers in a comma-separated list To specify the local
computer type the computer name or localhost
All formats that are accepted by the -ComputerName parameter in Invoke-Command are
accepted
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ConfigurationName ltstringgt
Specifies the session configuration that is used for a new PSSession
Enter a configuration name or the fully-qualified resource URI for a session configuration
Session configuration data is found on the remote computer on which you want to run a cmdlet
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ConfigurationName
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
The -Context parameter lets you run scans on a submodel in the context of a specific model (one
that is different from the parent model of the submodel) For example an administrator might
want to run a scan on the Backend submodel of the SQL model but only those in the context
of a third model a technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
Page 46
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Credential ltstringgt
Specifies a user account that has permission to run this cmdlet The default value is the current
user
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Credential
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Mode ltModeEnumgt
The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered
documents or discovery The default is to perform both discovery and analysis or All
If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet both discovery and
analysis are performed during a scan
Valid values are Discovery Analysis and All
Required false
Position named
Default value All
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model that you want to scan You can
obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at
a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
Page 47
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-Port ltintgt
Specifies the network port on a remote computer on which you want to run a scan The default
value is port 80
For more information on this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Port
Required false
Position named
Default value 80
Accept pipeline input false
Accept wildcard characters false
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a pathname If the parameter is not used the cmdlet writes
results to the default result repository
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to
scan You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed Not all models have
submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ThrottleLimit ltintgt
Specifies the maximum number of concurrent connections that can be established to run the
cmdlet If you omit this parameter or enter a value of 0 the default value of 32 is used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ThrottleLimit
Required false
Page 48
Position named
Default value 32
Accept pipeline input false
Accept wildcard characters false
-UseSSL [ltSwitchParametergt]
Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer
By default SSL is not used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter UseSSL
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceInvokeBpaModelOutputgt
The output object encapsulates the results of the cmdlet that you entered It contains information such
as the MBCA model ID the success or failure of the cmdlet and other details
NOTES
If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C)
before the temporary results file is copied to its final location the temporary file is discarded and any
previous scan results file for the role are preserved The message Processing of Invoke-MBCAModel
cancelled by user is displayed if the command is cancelled before existing scan results files are
overwritten
If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel
cmdlet and the command is cancelled scans that were completed before the cancel command was
entered cannot be cancelled A scan in progress behaves as described above in the single-model scan
cancellation scenario Subsequent scans in the pipeline are cancelled
If a concurrent scan of the same model is attempted the cmdlet returns the following error message
Another scan for this MBCA model is in progress Only one scan is allowed at a time
-------------------------- EXAMPLE 1 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA
Description
The preceding example starts a MBCA scan on the model that is represented by ltModel Idgt
-------------------------- EXAMPLE 2 --------------------------
Page 49
Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name
redmondmicrosoftcom
Description
The preceding example starts an MBCA scan on the model ID that is specified by Model Id
The administrator starts the MBCA scan with additional model-specific parameters that are exposed by
the model (For an example of how to obtain model-specific parameters see the examples for the Get-
MBCAModel cmdlet)
For example to scan a model that requires model-specific parameters (such as -Scope and -Name) to
be passed to the command the administrator can specify the values of these model-specific
parameters with the Invoke-MBCAModel cmdlet
-------------------------- EXAMPLE 3 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The
cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion
of the scan
-------------------------- EXAMPLE 4 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath
ltRepository Pathgt
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The -
Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on
existing documents that are specified in the non-default repository path provided with the -Repository
Path parameter
-------------------------- EXAMPLE 5 --------------------------
Invoke-MBCAModel -Id ltModel Idgt -SubModelId ltSubModel Idgt -ComputerName
ltServergt -Context ltContext Model Idgt -RepositoryPath ltRespository Pathgt -
AsJob -Authentication ltAuthenticatonMechanismgt -Port ltPort Numbergt -UseSSL -
ThrottleLimit ltThrottle Limitgt
Description
The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id
and on the computer that is represented by Server
Because the administrator only wants to see results from the submodel that apply in the context of a
third model the administrator runs the scan within the context of the model ID that is specified in the -
Context parameter The cmdlet results are saved to the non-default repository path that is specified in
the -RepositoryPath parameter
Because the -AsJob parameter is added the scan runs in the background The -AsJob -
Authentication -Port -UseSSL and -ThrottleLimit parameters are passed through for use by the
Invoke-Command cmdlet to perform discovery on a remote computer For more information about
these parameters see the Help for the Invoke-Command cmdlet available in Windows PowerShell V2
913 Get-MBCAResult
SYNOPSIS
Page 50
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
SYNTAX
Get-MBCAResult [-ModelId] ltstringgt [[-CollectedConfiguration]] -SubModelId
ltstringgt [-ComputerName ltstring[]gt] [-Context ltstringgt] [-Filter
ltFilterEnumgt] [-RepositoryPath ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
To use the command add the -ModelId parameter and then specify the model ID for which you want
to view the most recent MBCA scan results or collected configuration data If you want to retrieve the
configuration data collected add the -CollectedConfiguration switch parameter
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-CollectedConfiguration [ltSwitchParametergt]
The -CollectedConfiguration parameter allows you to obtain the configuration data that was
collected for the most recent MBCA scan If this switch parameter is added to Get-MBCAResults
the cmdlet returns only the configuration data that was collected for a scan
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The -ComputerName parameter lets you obtain scan results that were collected for the most
recent MBCA scan of a submodel on a specific computer To specify the local computer type the
computer name or localhost Multiple values for -ComputerName can be separated by
commas
The -SubModelId parameter is required by the -ComputerName parameter
Valid values for the -ComputerName parameter include localhost a NET BIOS name an IP
address or a fully-qualified domain name (FQDN) of one or more computers in a comma-
separated list
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
Page 51
The -Context parameter lets you obtain scan results that were collected for the most recent
MBCA scan of a submodel in the context of a specific model (one that is different from the parent
model of the submodel) For example an administrator might want to display scan results for the
Backend submodel of the SQL model but only those in the context of a third model a
technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Filter ltFilterEnumgt
The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant
Noncompliant or All results Valid values are Noncompliant Compliant or All The default value
is All
The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan
results You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet obtains
results from the default result repository
Required false
Position named
Page 52
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you
want to view scan results You can obtain valid values for the -SubModelId parameter by running
the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed Not all
models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceResultgt OR
SystemXmlXmlDocument (if -CollectedData specified)
If you do not use the -CollectedConfiguration parameter verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Results
2 Attempting to get MBCA results for Model Id = 0
3 Completed getting MBCA results for Model Id = 0 Number of Results = 1
If you add the -CollectedConfiguration parameter to display configuration data that was used for a
scan verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Configuration Data
2 Attempting to get MBCA collected configuration data for Model Id = 0
3 Completed getting MBCA collected configuration data for Model Id = 0
NOTES
The Get-MBCAResult cmdlet must be run by a member of the Administrators group and it does not
start a new scan
Cancellation behaviour
Single Model - To cancel this cmdlet you must press Ctrl+C before the ResultCollection is displayed
on the console The operation is cancelled and results are not displayed on the console
Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models
the cmdlet generates only those results that were displayed on the console before the cancellation
Any subsequent results in the pipeline are cancelled and not displayed
Page 53
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -Id SQL2008R2BPA
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id
-------------------------- EXAMPLE 2 --------------------------
Get-MBCAModel | Get-MBCAResult
In the preceding example Get-MBCAModel is used to return a list of all MBCA models that are
installed on the computer The results of the Get-MBCAModel cmdlet are piped to the Get-
MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both
supported by MBCA and installed on the computer at which the cmdlet is targeted
-------------------------- EXAMPLE 3 --------------------------
$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$resultDiscoveryDocument
Description
In the preceding example configuration data (in XML form) that was collected during the most recent
Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is
retrieved and stored as a property in the variable $result $resultDiscoveryDocument is of type
SystemXmlXmlDocument
-------------------------- EXAMPLE 4 --------------------------
Get-MBCAResult SQL2008R2BPA -Filter Noncompliant
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id and then applies a filter to show only Noncompliant
results
------------------------- EXAMPLE 5 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId Note that the parent model ID must be specified
to use the -SubModelId parameter
------------------------- EXAMPLE 6 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt -ComputerName ltServergt
-Context ltContext Model Idgt -RepositoryPath ltRepository Pathgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId The parent model ID is provided as required by
the -SubModelID parameter
The -Context parameter indicates that the administrator wants to see only those scan results that are in
the context of the model that is represented by Context Model Id for example only those results from
a SQL Server scan that specifically apply to another technology such as Web Server (IIS)
Page 54
The scan results are further narrowed to only those from a computer that is specified in the -
ComputerName parameter as Server and only those results found in the non-default results
repository that is represented by Repository Path
914 Set-MBCAResult
SYNOPSIS
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
SYNTAX
Set-MBCAResult [[-Exclude] ltBooleangt] [-Results] ltResultgtgt [[-
RepostitoryPath] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
The action specified in the cmdlet (Exclude for example) determines how the existing results of an
MBCA scan are updated Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet
to return a collection of scan results
You can apply filters to results that are returned by the Get-MBCAResult cmdlet and then pipe the
filtered collection of results to the Set-MBCAResult cmdlet specifying either to include or exclude
filtered scan results
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Exclude ltBooleangt
Excludes scan results from the results collection that were previously obtained by the Get-
MBCAResult command To exclude results by using the -Exclude parameter add the value $true
following the parameter as shown
-Exclude $true
To include results that have been excluded use the $false value for the -Exclude parameter
Required false
Position 2
Default value
Accept pipeline input false
Accept wildcard characters false
-RepostitoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet
modifies results from the default result repository
Required false
Page 55
Position 4
Default value
Accept pipeline input false
Accept wildcard characters false
-Results ltResultgtgt
Specifies the result collection to be updated by the Set-MBCAResult cmdlet The -Results
parameter is typically used to specify a filtered subset of scan results that has already been
stored in a variable the variable name is provided as the valid value for the -Results parameter
For example if you have created a variable $allPerformance to store all the Performance
category results for an MBCA scan of all models on a computer and you want to exclude those
Performance results from the complete collection of scan results you add the parameter -Results
$all Performance to a Set-MBCAResult cmdlet
For a more detailed example see the Examples section of the Help for this cmdlet
Required true
Position 3
Default value
Accept pipeline input true (ByValue)
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type ldquoget-
help about_commonparameters
NOTES
If the Set-MBCAResult command is cancelled before the results are written to a file the operation is
cancelled and the results file is not modified If cancellation occurs after the results file has been
modified the commands actions are carried out and the command cannot be cancelled
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -ModelId SQL2008R2BPA | Where $_Category -eq
Performance | Set-MBCAResult -Exclude $true
Description
The first section of the preceding example to the left of the first pipe character (|) uses the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is
represented by Model Id
The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those
scan results for which the category name is equal to Performance
The final section of the example following the second pipe character excludes the Performance
results that were filtered by the previous section of the example
-------------------------- EXAMPLE 2 --------------------------
$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath
CReposPath | Where $_Category -eq Policy
Page 56
Set-MBCAResult -Exclude $true -RepositoryPath CReposPath -Results
$rcPolicy
Description
The first line of the preceding example to the left of the pipe character (|) instructs the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is
represented by Specified Model Id from the specified non-default repository path
The second section of the example after the pipe character filters the results of the Get-MBCAResult
cmdlet to return only those scan results for which the category name is equal to (note the -eq option)
Policy The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet this
variable can be used in subsequent commands to represent those results
The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that
are stored in the $rcPolicy variable In this example the -Results parameter is added because the
administrator wants to exclude a specific subset of scan results for that model and has created the
variable $rcPolicy to represent that subset of results The repository root is specified in the second line
because the administrator wants to modify the results in the same non-default repository from which
the data in $rcPolicy was retrieved
915 MBCA Model Authoring
Further information about configuration and usage of MBCA models you can in the
MBCA_ModelAuthoringGuidedocx
Page 57
Did this paper help you Please give us your feedback Tell us on a scale of 1 (poor) to 5 (excellent)
how would you rate this paper and why have you given it this rating For example
Are you rating it high due to having good examples excellent screen shots clear writing or
another reason
Are you rating it low due to poor examples fuzzy screen shots or unclear writing
This feedback will help us improve the quality of white papers we release
Send feedback
Page 12
3 INSTALL
We recommend installing BPA on a workstation or administration server and performing the scan
operation remotely against servers in your SQL Server infrastructure It is also possible to install this
tool on the production SQL Server locally
Installation process
1 InstallConfigure PowerShell and WinRM
2 Microsoft Baseline Configuration Analyzer V20
3 Microsoftreg SQL Serverreg 2008 R2 Best Practices Analyzer
It exists two ways to install the Best Practices Analyzer
With a graphical user interface (setup wizard) or
Command line
31 Installing PowerShell 20 and WinRM
BPA install configures WinRM and PowerShell options by default Most of this section is only needed if
something goes wrong and you need to configure this stuff by hand
Windows Server 2003 R2
WinRM is not installed by default but it is available as the Hardware Management feature through the
AddRemove System Components feature in the Control Panel under Management and Monitoring
Tools Complete installation and information about configuring WinRM using the WINRM command-line
tool is available online in the Hardware Management Introduction which describes the WinRM and the
IPMI features in Windows Server 2003 R2
On Windows Vista Windows Server 2003 and Windows Server 2008
This is installed as part of Windows Management Framework Core The WinRM service starts
automatically on Windows Server 2008 On Windows Vista the service must be started manually
On Windows Server 2008 R2 and Windows 7
This is installed as part of the OS
Note Check for additional information and configuration guidelines for WinRM and for PowerShell
20
SQL Server 2008 R2 BPA is able to scan both the local computer and remote computers Therefore in
both the local and remote cases it required that your PowerShell settings be modified These are done
by the BPA installation
PowerShell Execution Policy
The PowerShell Execution Policy is set to Restricted by default To run SQL Server 2008 R2 BPA
through the PowerShell command Line set the policy to RemoteSigned using the below command
Set-ExecutionPolicy RemoteSigned -f
You can use the command Set-ExecutionPolicy Restricted ndashf to set the execution policy back to
restricted This command is not required when executing the scan through the MBCA GUI
After the installation you must enable the PowerShell remote scripting if you are want to use the BPA
remote to another workgroup machine or a computer that have Kerberos enabled You need to run this
command only once on each computer that will receive commands You do not need to run it on
Page 13
computers that only send commands Because the configuration activates listeners it is prudent to run
it only where it is needed You can do this with the following command line
powershellexe -NoLogo -NoProfile -Noninteractive -Command Enable-
PSRemoting -force
Enable-PSRemoting performs configuration actions to enable this machine for remote management
Includes
1 Runs the Set-WSManQuickConfig cmdlet which performs the following tasks
Starts the WinRM service
Sets the startup type on the WinRM service to Automatic
Creates a listener to accept requests on any IP address
Enables a firewall exception for WS-Management communications
Enables all registered Windows PowerShell session configurations to receive instructions
from a remote computer
Registers the MicrosoftPowerShell session configuration if it is not already registered
Registers the MicrosoftPowerShell32 session configuration on 64-bit computers if it is
not already registered
Removes the Deny Everyone setting from the security descriptor for all the registered
session configurations
Restarts the WinRM service to make the preceding changes effective
2 Configures MaxShellsPerUser using winrm set winrmconfigwinrs
``MaxShellsPerUser=`10``
Specifies the maximum number of concurrent shells that any user can remotely open on
the same computer If this policy setting is enabled the user will not be able to open new
remote shells if the count exceeds the specified limit If this policy setting is disabled or is
not configured the limit will be set to 5 remote shells per user by default and you receive
the following error message
[localhost] Connecting to remote server failed with the following
error message The WS-Management service cannot process the
request This user is allowed a maximum number of 5 concurrent
shells which has been exceeded Close existing shells or raise the
quota for this user For more information see the
about_Remote_Troubleshooting Help topic
+ CategoryInfo OpenError
(SystemManagemehellipRemoteRunspa
ceRemoteRunspace) [] PSRemotingTransportException
+ FullyQualifiedErrorId PSSessionOpenFailed
For more information about PowerShell remoting please see MSDN
32 Install MBCA
Download the edition of MBCA depending on your platform (x86 or x64) before installation
Page 14
Please find below the screenshots demonstrating the visual flow of the MBCA Installation
Welcome screen
License terms
Folder selection
Completion screen
33 Install BPA
Download the correct edition depending on your platform (x86 or x64) before installing If you have
trouble with the installation please section 57 Troubleshooting Installation
331 Command line
Following is an optimized command line setup example
msiexec i SQL2008R2BPA_Setup64msi l log ctempsqlbpa_installlog qn
msiexec parameters
i = package name (SQL2008R2BPA_Setup32msi or SQL2008R2BPA_Setup64msi
depending on your platform)
l = log granularity ldquordquo - Log all information except for v and x options
log = log file
q = display settings (qn ndash no user interface)
SKIPCA=1 (if no domain controller is available Skip Certification Authority)
For information on additional public properties Consult the Windowsreg Installer SDK for documentation
on the command line syntax
Page 15
332 GUI
Please find below the screenshots demonstrating the visual flow of the SQL Server 2008 R2 BPA
Installation
Welcome screen
License terms
System Configuration Changes (see 31 Installing PowerShell 20 and WinRM)
Ready to install decision
Install progress
Completion screen
Page 16
333 Port and Firewall restrictions
For scanning SQL Server or BI instances on an alternate server behind a firewall you must open all
necessary ports
34 Updates
Microsoft is working on quarterly updates of the rule set and tool improvements of the SQL Server
2008 R2 Best Practice Analyzer Please visit the Download site from Microsoft regularly to find new
updates
35 Uninstall
351 BPA
352 MBCA
353 Reset PowerShell settings
After the uninstall of the BPA you may disable the PowerShell remote scripting You can do this with
the following command line
powershellexe -NoLogo -NoProfile -Noninteractive -Command Disable-
PSRemoting -force
Disable-PSRemoting performs configuration actions to enable this machine for remote management
Page 17
4 USAGE
There are two ways to scan a server using MBCA and SQL 2008 R2 BPA They are
Scanning through the local machine
o In this case you are using MBCA and SQL 2008 R2 BPA running on the local machine to
perform the scan
o This scan can be of the local or an alternate server
Scanning through a remote machine
o In this case MBCA is used to connect to a remote server that has MBCA and SQL 2008
R2 BPA installed on it
o This scan is using the local machine to form the connection to the remote machine and is
actually performing the scan through the remote machine
41 Help file
The help file for the SQL Server 2008 R2 Best Practice Analyzer contains very useful information This
help file is available after the installation of BPA and is located at Start-gtAll programs-gtSQL Server
2008 R2 BPA
42 GUI
1 Ensure that MBCA v2 and SQL 2008 R2 BPA are installed on the machine
2 Run the MBCA application from the start menu with elevated user rights
Page 18
3 On the MBCA home page ensure the SQL Server 2008 R2 BPArdquo product is selected
4 Click Start Scan which displays a page to specify parameters as shown below
5 Fill in Alternate_Server_to_Scan with the remote machine you want to scan
ComputerName
IP address nnnn
FQDN (Fully Qualified Domain Name)
Enter ldquordquo localhost or leave this blank if you want to scan the local machine
Page 19
Enter the instance name you want to scan To scan the default instance enter MSSQLSERVER
or leave this as blank Toggle the checkboxes to enabledisable scans for those rule categories
Each of the following six check boxes correspond to the SQL Server categories listed previously
Select at least one category in order to run a successful scan
Analyze_SQL_Analysis_Services
Analyze_SQL_Server_Engine
Analyze_SQL_Integration_Services
Analyze_SQL_Server_Replication
Analyze_SQL_Reporting_Services
Analyze_SQL_Server_Setup
Note Only one SQL Server instance can be scanned at a time through the MBCA GUI
6 Click Start Scan MBCA will start the configured scan and display the below page while in
progress
7 When the scan is complete results will be displayed grouped by Severity as shown below
Page 20
43 Connect to a remote computer
A scan connected to a remote computer is different than scanning an alternate server
ldquoConnect to a Remote Computerrdquo is functionality provided by Microsoft Baseline Configuration Analyzer
and is used to remotely run MBCA against a server from the console of the client The client needs to
have MBCA installed but does not need BPA as it is literally running the copy of MBCA installed on the
server using the BPA installed on the server In this case the copy of MBCA installed on the client is
used only to remotely connect to the copy of MBCA installed on the server
To use this functionality you first start MBCA on the client computer and select ldquoConnect to Another
Computerrdquo
1 In the ldquoConnect to Another Computerrdquo text box you can specify a NetBIOS name a fully qualified
domain name (FQDN) or an IPv4 or IPv6 address If no port number is specified the default port
number is used The following are examples of formats that you can specify in the Connect to
Another Computer text box
ComputerName
Page 21
ComputerNamePortNumber
IP address nnnn
IPv6 address [nnnnnnnn]
IPv4 address with port number nnnnPortNumber
IPv6 address with port number [nnnnnnnn]PortNumber
Note If an administrator has changed the computerrsquos default port number any port other than the
default port must be opened in Windows Firewall to allow incoming connections on that port Port
5985 is opened by default when WinRM is configured All other ports remain blocked until opened
For more information about how to unblock a port in Windows Firewall see the Help for Windows
Firewall For more information about how to configure WinRM in a Command Prompt session type
winrm help and then press Enter
2 Additionally you must supply credentials
3 CredSSP
Windows Remote Management (WinRM) supports the delegation of user credentials across
multiple remote computers The multi-hop support functionality can now use Credential Security
Service Provider (CredSSP) for authentication CredSSP enables an application to delegate the
userrsquos credentials from the client computer to the target server
CredSSP authentication is intended for environments where Kerberos delegation cannot be used
Support for CredSSP was added to allow a user to connect to a remote server and have the ability
to access a second-hop machine such as a file share
Note WinRM clients and servers will support CredSSP authentication only with explicit credentials
Windows XP Windows Server 2003 and earlier CredSSP is not supported
First you must set CredSSP on both the client and the server
Using the Group Policy Editor (gpeditmsc) make sure to enable ldquoAllow Delegating Fresh
Credentialsrdquo and check ldquoConcatenate OS defaults with input aboverdquo
Add the server or domain to the list of servers in the format ldquoWSMANdomainnamecomrdquo
Next enable and configure PowerShell Remoting on both the Client and Server by running the
following commands in a PowerShell command window opened with elevated permissions Note
Page 22
You can configure a single machine as both a client and a server simultaneously so that you can
scan from either computer
Enable PowerShell Remoting
o Enable-psremoting ndashf
Settings for a client
o Enable-WSManCredSSP ndashrole Client ndashDelegateComputer [NetBiosNameOfServer]
or
o Enable-WSManCredSSP ndashrole Client ndashDelegateComputer [FQDN OF SERVER]
Settings for the server
o Enable-WSManCredSSP ndashrole Server
o set-item WSManlocalhostShellMaxMemoryPerShellMB ndashValue 20000
o set-item WSManlocalhostShellMaxShellsPerUser ndashvalue 20
44 PowerShell
Details see 91 PowerShell
To use the functionality of the Microsoft Baseline Configuration Analyzer you must import this module
first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
441 Run Scan
To run a full scan of the BPA on the alternate server on a named instance you can use the following
command line
Invoke-MBCAModel -ModelId SQL2008R2BPA -Alternate_Server_to_scan
servername -SQL_Server_Instance_Name instancename -
Analyze_SQL_Server_Engine -Analyze_SQL_Server_Replication -
Page 23
Analyze_SQL_Server_Setup -Analyze_SQL_Analysis_Services -
Analyze_SQL_Integration_Services -Analyze_SQL_Reporting_Services
The result looks like this part
ModelId SQL2008R2BPA
SubModelId
Success True
ScanTime
Success = True is important This is the indicator that your scan was successful
Parameter description
-Alternate_Server_to_scan servername
-SQL_Server_Instance_Name instancename
-Analyze_SQL_Server_Engine
-Analyze_SQL_Server_Replication
-Analyze_SQL_Server_Setup
-Analyze_SQL_Analysis_Services
-Analyze_SQL_Integration_Services
-Analyze_SQL_Reporting_Services
The parameter list is equal the parameter screen in the GUI
The scans of the different services are optional You can remove technologies which you do not need
to scan
The next example starts the scan only for the Analysis Services on the alternate server ldquoservernamerdquo
and for the named instance ldquoinstancerdquo A log file will be written to ldquoctempssastxtrdquo
Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId AnalysisServices -
ComputerName servername -SqlServerInstance instance -SSASLogFile
ctempssastxt
Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId Engine -ComputerName
computername -SqlServerInstance servername -CurrentLoginName
($EnvUSERDOMAIN + + $EnvUSERNAME)ToString() -EngineLogFile
ctempenginetxt ndashRepositoryPath (CTEMPSQL2008 + (Get-
Date)ToString(yyyyMMdd))ToString()
442 Create Report
model = get-MbcaModel ndashModelId sql2008r2bpa
$scanResult = get-MbcaResult ndashModelId sql2008r2bpa
$collectedConfig = get-MbcaResult ndashModelId sql2008r2bpa ndash
CollectedConfiguration
$model $scanResult $collectedConfig | export-CliXml ctempasxml
Get-MBCAResult -ModelId SQL2008R2BPA -SubModelId AnalysisServices |
ConvertTo-Html | Add-Content -Path ctesthtml
The next command retrieves the results of the most recent BPA scan for the specified model and
saves them in HTML format applying the standard cascading style sheets that are stored in the path
windirsystem32WindowsPowerShellv10ModulesBestPracticesBestPracticesReportFormatc
Page 24
ss If you want to substitute cascading style sheets provide the path to the different cascading style
sheets
Get-MBCAResult -ModelId SQL2008R2BPA | $_Severity -eq Warning -or
$_Severity -eq Error | ConvertTo-Html -As Table -property ResultNumber
SubModelID ComputerName Severity Category Title Problem Impact
Resolution Help -Head lth1gtSQL Server 2008 (R2) Best Practice Analyzer
Reportlth1gtrdquo -Title SQL Server 2008 Best Practice Analyzer -body
(ltpgtReport creation date + (Get-Date)ToString(ddMMyyyy hhmmss) +
ltpgt)toString() -pre ltPgtGenerated by user $envusername on computer
$envcomputernameltPgt -post For details contact Microsoft Premier-
CssUri $env BestPracticesReportFormatcss gt ctempsql2008r2bpahtm
443 Exporting and opening reports by using Get-MBCAResult
You can use the Get-MBCAResult cmdlet to export scan results and configuration data to an XML
report that you can open for viewing in the future either by using Get-MBCAResult or by using the
MBCA GUI Exporting reports allows you to compare older scans with more recent scans to measure
the progress of your best practice compliance
Example of exporting to XML
$results = Get-MBCAResult ltModel Idgt
$collectedconfig = Get-MBCAResult ltModel Idgt -CollectedConfiguration
$results $collectedconfig | Export-CliXml cexportxml
Example of opening archived XML report file
$loadedResults $loadedConfiguration = Import-CliXml cexportxml
444 Report Result Directory
The reporting result path
AppDataMicrosoftBaselineConfigurationAnalyzer
2ReportsSQL2008R2BPAResults
Will be overwritten during each run of the tool or invoke command
Solution save older results before you start the check
copy-item -path ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2Reports)ToString() -
destination ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2Reports_ + (Get-
Date)ToString(yyyyMMddhhmmss))ToString() ndashrecurse
Afterwards you can create a report with the following command
$prevrepPath = (Get-ChildItem ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2)ToString() -exclude
Reports | Sort-Object name -descending)[0]
Get-MBCAResult -ModelId SQL2008R2BPA ndashRepositoryPath ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2rdquo +
$prevrepPathname)ToString() | ConvertTo-Html -As Table -property
ResultNumberSubModelID ComputerName Severity Category Title Problem
Impact Resolution Help -Head lth1gtSQL Server 2008 (R2) Best Practice
Analyzer Reportlth1gtrdquo -Title SQL Server 2008 Best Practice Analyzer -body
(ltpgtReport creation date + (Get-Date)ToString(ddMMyyyy hhmmss) +
ltpgt)toString() -pre ltPgtGenerated by user $envusername on computer
Page 25
$envcomputernameltPgt -post For details contact Microsoft Premier gt
ctempsql2008r2bpahtm
Page 26
5 TROUBLESHOOTING
51 Application directories
To following directories are used by MBCA
Report output directory localappdataMicrosoftMicrosoftBaselineConfigurationAnalyzer 2ReportsSQL2008R2BPAResults
Model configuration path ProgramdataMicrosoftMicrosoft Baseline Configuration Analyzer 2ModelsSQL2008R2BPA
Temp and log files directory tempSQL2008R2BPASQL2008ltdategt_lttimegt
Registry [HKEY_LOCAL_MACHINESOFTWAREMicrosoftBaselineConfigurationAnalyzer]
Log Files
During Data Discovery SQL Server 2008 R2 BPA creates log files for troubleshooting The log file
contains the following information
Pre-requisite validation
Timestamp finished rules start and end times
Run-time scripting errors and exceptions from Power Shell Traps
Log Files Location
For every scan log files are created in userrsquos Local Temp directory (Temp) and follows the folder
structure SQL2008R2BPAlt Instance Name gtlt datestamp_timestamp gtlt Log files gt
Note In case of a remote scan the category log files are generated on the remote system at the same
path whereas the common log file is generated in the local system
Log Files Structure
A common log file gets generated and contains information about each categorys execution Apart
from this each category has its own log file which details the rule execution The names of the log files
are given below
Common File - ModelLogtxt
Engine Rules - EngineLogtxt
Replication Rules - ReplicationLogtxt
Setup Rules - SetupLogtxt
Analysis Services Rules - AnalysisServicesLogtxt
Reporting Services Rules - ReportingServicesLogtxt
Integration Services Rules - IntegrationServicesLogtxt
52 Windows Server 2003 ndash NumberOfLogicalProcessors
Analysis Services RID2803 and RID2804 ndash NumberOfLogicalProcessors property is unavailable in
Win32_Processor for with Windows Server 2003
Solution The NumberOfLogicalProcessors property does not exist in the WIN32_PROCESSOR object
in Windows Server 2003 It has been implemented in the hotfix
httpsupportmicrosoftcomkb932370
Both of the rules below will function properly if you apply this hotfix For more information look here
Page 27
53 MBCA
This message indicates that on prerequisite is not installed
Please install the version 2 of the MBCA
54 Where can I find the Instance name in result set of the analyzer
report
The instance name is in the collected data option of the analyzer report in the BPA GUI
55 Memory limit of remote PowerShell process
By default remote PowerShell process can consume only 150 MB or less memory This default limit is
significantly small and once this limit is reached there could be a WinRM exception causing and remote
connection immediately terminates Any application or Cmdlet which is involved in PowerShell
remoting should be tested for this memory limit this may cause some of the command to fail for
example site collection creation
Solution Increase the memory limit for the remote shell Use the following command to increase this
limitation to 1000MB This is only necessary if you need to run those commands on that server
Set-Item WSManlocalhostShellMaxMemoryPerShellMB 1000
56 Remote connect
If you try to ldquoConnect to another computerrdquo from MBCA and you receive the following message
Page 28
You should check first if the Hotfix KB968930 is installed
Afterwards validate that the ldquoWindows Remote Managementrdquo service is started
Enable-PSRemoting
If CredSSP is unsupported or unavailable you will see the following message
Page 29
If you have no permission to access the remote server you get the error message
Page 30
57 Installation
571 PowerShell error
After getting through the Pre-Reqs for BPA (PowerShell 20 MBCA NET Framework) you may hit
one of two scenarios when installing BPA
In all of the cases of an install failure you will see the following error
There is a problem with this Windows Installer package A program run as part of the setup did not
finish as expected Contact your support personnel or package vendor
In your Application Event Log for both of these scenarios you will also see the following entry
Log Name Application
Source MsiInstaller
Date 6102010 83818 AM
Event ID 11722
Task Category None
Level Error
Keywords Classic
User ltUsernamegt
Computer ltMachine namegt
Description
Product Microsoft SQL Server 2008 R2 BPA -- Error 1722 There is a problem
with this Windows Installer package A program run as part of the setup did
not finish as expected Contact your support personnel or package
vendor Action EnablePSRemoting location powershellexe command -NoLogo
-NoProfile -Command Enable-PSRemoting ndashforce
Page 31
This is an indicator that PowerShell is not configured You must run the following command
powershellexe -NoLogo -NoProfile -Command Enable-PSRemoting ndashforce
572 Workgroup or Non-Domain computer
In this scenario the Enable-PSRemoting command should execute fine from a PowerShell prompt
The actual error coming back from the PowerShell command within the Installer is ldquoAccess Deniedrdquo
To work around this issue you can do the following
1 Open a command prompt with Administrative Privileges
2 Change to the directory where the msi file resides
3 Type msiexec i ltMSI Namegt SKIPCA=1
4 MSI Name will either be SQL2008R2BPA_Setup32msi or SQL2008R2BPA_Setup64msi
depending on your platform
5 Once BPA is installed open a PowerShell prompt with Administrative Privileges
6 Execute the following commands
a Enable-PSRemoting
b winrm set winrmconfigwinrs ``MaxShellsPerUser=`10``
This should allow BPA to be successfully installed in the workgroup scenario
573 Kerberos Failure
This scenario is that you are failing with the above due to a Kerberos issue This particular issue could
actually show up after you have installed BPA depending on how you have configured your
environment
The issue stems from the fact that the Windows Remoting Windows Service uses the Network Service
account Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos As a
result it will be using the HOST Service Principal Name (SPN) that is on the Machine Account as it is
running under that context You may have an HTTP SPN that resides on a different account with that
host name For example if you are running an IIS Web Application such as SharePoint or if you are
using Reporting Services and the service account is set to a Domain User account instead of Network
Service or Local System If your URL of your application matches the machine name then your HTTP
SPN will be the same Thatrsquos where this problem comes in WinRM will stop working at that point and
give you a message similar to the following
Set-WSManQuickConfig WinRM cannot process the request The following error
occured while using Negotiate authentication An unknown security error
occurred
Possible causes are
-The user name or password specified are invalid
-Kerberos is used when no authentication method and no user name are
specified
-Kerberos accepts domain user names but not local user names
-The Service Principal Name (SPN) for the remote computer name and port
does not exist
-The client and remote computers are in different domains and there is no
trust between the two domains
After checking for the above issues try the following
-Check the Event Viewer for events related to authentication
-Change the authentication method add the destination computer to the
WinRM TrustedHosts configuration setting or use HTTPS transport
Note that computers in the TrustedHosts list might not be authenticated
-For more information about WinRM configuration run the following
Page 32
command winrm help config
At line50 char33
+ Set-WSManQuickConfig ltltltlt -force
+ CategoryInfo InvalidOperation () [Set-WSManQuickConfig]
InvalidOperationException
+ FullyQualifiedErrorId
WsManErrorMicrosoftWSManManagementSetWSManQuickConfigCommand
You can get this type of error from WinRM for muliple reasons The one that
we saw in our testing was the HTTP SPN scenario
If you do have an HTTP SPN defined on a Domain Account that is using the name of your machine
you have some options First you can follow the steps mentioned above to get BPA installed The
Enable-PSRemoting command will give you the above error You can temporarily remove the HTTP
SPN to get remoting enabled and then re-add the HTTP SPN
Once BPA is setup you will still not be able to run BPA if you put the HTTP SPN back in place You will
see the following when you attempt to perform a scan
This will occur regardless of which component you try to scan It could be the Engine Setup RS etchellip
One option to perform the scan successfully is to temporarily remove the HTTP SPN again run the
scan and then put the HTTP SPN back in place Another option but one that will probably require
further testing from your applicationrsquos end would be to run the application under a Host Header and
then your HTTP SPN would not include the machine name allowing BPA to run without issue
Page 33
6 RULES
Searching for ldquoSQL Server 20087 R2 BPArdquo at Microsoftcom reveals
Here is an example of one of these articles that talks about a rule to check for a recent ldquocleanrdquo
CHECKDB
Page 34
BPA works by measuring a rolersquos compliance with best practice rules in eight different categories of a
rolersquos effectiveness trustworthiness and reliability Results of measurements can be any of the three
severity levels described in the following table
Severity level Description
Noncompliant Noncompliant results are returned when a role does not satisfy the conditions of a rule
Compliant Compliant results are returned when a role satisfies the conditions of a rule
Warning Warning results are returned when a role is compliant as operating currently but may not satisfy the conditions of a
rule if changes are not made to its configuration or policy settings For example a scan of Remote Desktop Services
might show a warning result if a license server is unavailable to the role because even if no remote connections are
active at the time of the scan not having the license server prevents new remote connections from obtaining valid
client access licenses
Page 35
BPA rule categories
The following table describes the categories of best practice rules against which roles are measured
during a BPA scan
Category Name Description
Security Security rules are applied to measure a rolersquos relative risk for exposure to threats such as unauthorized or malicious
users or loss or theft of confidential or proprietary data
Performance Performance rules are applied to measure a rolersquos ability to process requests and perform its prescribed duties in
the enterprise within expected periods of time given the rolersquos workload
Configuration Configuration rules are applied to identify role settings that might require modification for the role to perform
optimally Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role
from performing its prescribed duties in an enterprise
Policy Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the
role to operate optimally and securely
Operation Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise
Predeployment Predeployment rules are applied before an installed role is deployed in the enterprise to let administrators to
evaluate whether best practices were satisfied before you use the role in production
Postdeployment Postdeployment rules are applied after all required services have started for a role and the role is running in the
enterprise
BPA Prerequisites BPA Prerequisite rules explain configuration settings policy settings and features that are required for the role
before BPA can apply specific rules from other categories A prerequisite in scan results indicates that an incorrect
setting a missing role role service or feature an incorrectly enabled or disabled policy a registry key setting or
other configuration has prevented BPA from applying one or more rules during a scan A prerequisite result does
not imply compliance or noncompliance It means that a rule could not be applied and therefore is not part of the
scan results
61 Engine Rules
Please find below a summary of the 74 Engine Rules with the links to the rule descriptions These rules
are checking that you have a secure resilient and well performing SQL configuration
Authentication Mode (httpsupportmicrosoftcomkb2028697)
Lightweight Pooling is enabled (httpsupportmicrosoftcomkb2160691)
Locks Configuration Not Dynamic (httpsupportmicrosoftcomkb2199576)
non-default network packet size in use (httpsupportmicrosoftcomkb2157175)
degree of parallelism not set to recommended value (httpsupportmicrosoftcomkb2023536)
Use Database Mail instead of SQL Mail (httpsupportmicrosoftcomkb2028584)
SQL Server Agent Proxy Account (httpsupportmicrosoftcomkb2160741)
SQL Login Password Policy Strength and password expiry
(httpsupportmicrosoftcomkb2028712)
Trustworthy Bit (httpsupportmicrosoftcomkb2183687)
Symmetric Keys Check (httpsupportmicrosoftcomkb2162020)
Asymmetric Keys Check (httpsupportmicrosoftcomkb2162020)
SQL Server installed on PDC BDC (httpsupportmicrosoftcomkb2032911)
Page 36
SQL Server Admin role membership check (httpsupportmicrosoftcomkb2184138)
Windows API calls intercepted (httpsupportmicrosoftcomkb2033238)
unsupported DotNET framework assemblies present (httpsupportmicrosoftcomkb2033344)
Disk partition starting offset may be incorrect (httpsupportmicrosoftcomkb2023571)
non-default max worker threads value configured (httpsupportmicrosoftcomkb2157129)
Guest Permissions (httpsupportmicrosoftcomkb2186935)
Data and Log files on the same volume (httpsupportmicrosoftcomkb2033523)
IO timeouts and IO controller errors detected (httpsupportmicrosoftcomkb2091098)
IO device errors detected (httpsupportmicrosoftcomkb2091098)
IO errors during page faults detected (httpsupportmicrosoftcomkb2091098)
cluster disk corruption encountered (httpsupportmicrosoftcomkb2091098)
disk defragmentation encountered corruption (httpsupportmicrosoftcomkb2091098)
failed IO requests detected (httpsupportmicrosoftcomkb2091098)
IO requests are successful when retried (httpsupportmicrosoftcomkb2015757)
IO Delay Problems reported by SQL Server (httpsupportmicrosoftcomkb2137408)
This system experienced unexpected shutdowns (httpsupportmicrosoftcomkb2091098)
tempdb corruption errors fix missing (httpsupportmicrosoftcomkb960770)
Critical SQL database inconsistency errors found (httpsupportmicrosoftcomkb2152734)
Logical consistency errors detected (httpsupportmicrosoftcomkb2152472)
Database have auto shrink option enabled (httpsupportmicrosoftcomkb2160663)
SQL Server Error logs are very big (httpsupportmicrosoftcomkb2199578)
incorrect affinity mask settings detected httpsupportmicrosoftcomkb2157114
Very low blocked process threshold setting detected httpsupportmicrosoftcomkb2157154
Potential security issue with legacy DTS stored procedures
httpsupportmicrosoftcomkb2202875
Winsock LSP loaded into SQL httpsupportmicrosoftcomkb2033448
Databases using simple recovery model httpsupportmicrosoftcomkb2137539
User database collation different from model httpsupportmicrosoftcomkb2026108
Database files and backups exist on the same volume httpsupportmicrosoftcomkb2027537
Databases have auto close option enabled httpsupportmicrosoftcomkb2160685
LSI SAS drivers needs update httpsupportmicrosoftcomkb2121098
SQL tempdb database not configured optimally httpsupportmicrosoftcomkb2154845
SQL Database file has sparse attribute set httpsupportmicrosoftcomkb2028447
Invalid startup parameters httpsupportmicrosoftcomkb2028433
MSDTC settings not configured optimally httpsupportmicrosoftcomkb2027550
sql incorrect results fix missing httpsupportmicrosoftcomkb971780
File System needs tuning for better FileStream performance
httpsupportmicrosoftcomkb2160002
linked server memory leak fix missing httpsupportmicrosoftcomkb971622EN-US
Windows service pack is not at recommended level httpsupportmicrosoftcomkb2121098
default extended event health session not in expected state
httpsupportmicrosoftcomkb2160570
TcpSysAndChimneyCheck httpsupportmicrosoftcomKB918483
FDHOST Launcher service is not configured properly httpsupportmicrosoftcomkb2160720
Unrecommended SQL Server Agent service account httpsupportmicrosoftcomkb2160720
A required Windows fix to avoid sparse file related problems is missing
httpsupportmicrosoftcomkb2002606
Page 37
Significant Portion of SQL Server Memory Has Been Paged Out
httpsupportmicrosoftcomkb2028324
Server Exception or Hang Detected on Server httpsupportmicrosoftcomkb2028589
Databases exist without CHECKSUM protection httpsupportmicrosoftcomkb2078345
backups outdated for databases httpsupportmicrosoftcomkb2027537
Database consistency check not current httpsupportmicrosoftcomkb2033590
SQL Server Memory settings are incorrect httpsupportmicrosoftcomKB918483EN-US
Autogrow Failed or took a long time httpsupportmicrosoftcomkb2091024
Storport driver fix from KBA 940467 missing httpsupportmicrosoftcomkb2121098
Storport driver fix from KBA 950903 missing httpsupportmicrosoftcomkb2121098
SQLCLR needs additional memory configuration httpsupportmicrosoftcomkb969962EN-US
Operating System files and drivers needs update for working set trimming
httpsupportmicrosoftcomkb2121098
Agent Token Replacement httpsupportmicrosoftcomkb2202637
Auditing Log in failures httpsupportmicrosoftcomkb2187161
Databases with high number of VLF present httpsupportmicrosoftcomkb2028436
Transparent Data Encryption Certificate httpsupportmicrosoftcomkb2201900
Permission on the Binn folder httpsupportmicrosoftcomkb2029023
Index Statistics Are Outdated
Server public permissions httpsupportmicrosoftcomkb2160698
Detected use of older versions of SQLNCLI httpsupportmicrosoftcomkb979779
62 AS Rules
Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions
Flight Recorder Enabled for SQL Server Analysis Services
httpsupportmicrosoftcomkb2128005
Excessive amount of memory preallocated to Analysis Services
httpsupportmicrosoftcomkb2027474
Server not configured for optimal concurrent query throughput
httpsupportmicrosoftcomkb2135031
Non standard value detected for Analysis Services memory configuration
httpsupportmicrosoftcomkb2027472
Process Thread Pool Max limit above recommended limit
httpsupportmicrosoftcomkb2134497
Process Thread Pool Minimum is below the recommended limit
httpsupportmicrosoftcomkb2134855
Server is running a build with a known regression httpsupportmicrosoftcomkb2157941
Slice not set on a ROLAP partition or a partition where proactive caching is enabled and
ROLAP storage ay occur httpsupportmicrosoftcomkb2027754
Server is ignoring duplicate key errors httpsupportmicrosoftcomkb2027761
No default member defined for non-aggregatable attribute
httpsupportmicrosoftcomkb2027769
UnknownMember set to hidden httpsupportmicrosoftcomkb2027628
Non-numeric key column for high cardinality attribute httpsupportmicrosoftcomkb2028138
Attribute hiearchy enabled for high cardinality non-key attribute
httpsupportmicrosoftcomkb2028143
ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition
detected httpsupportmicrosoftcomkb2132742
Page 38
Account or Time attribute types defined in a non-matching dimension type
httpsupportmicrosoftcomkb2157299
An Account or Time dimension has no matching attribute defined
httpsupportmicrosoftcomkb2027418
Dimension has no attribute defined with the same type
httpsupportmicrosoftcomkb2027443
Attribute Dimension type mismatch httpsupportmicrosoftcomkb2157327
Mismatched dimension attribute types detected in dimension
httpsupportmicrosoftcomkb2027459
Possible incorrect order of levels defined in hierarchy httpsupportmicrosoftcomkb2027460
Define attribute relationships as Rigid where possible httpsupportmicrosoftcomkb2027468
Redundant attribute relationships detected httpsupportmicrosoftcomkb2127437
Diamond-shape relationship detected httpsupportmicrosoftcomkb2127570
Non-Standard Attribute Relationship name detected httpsupportmicrosoftcomkb2127862
Proactive Caching set for dimension without a processing query
httpsupportmicrosoftcomkb2027541
No Time dimension detected httpsupportmicrosoftcomkb2027532
More than 3 parent-child dimensions with custom rollups defined
httpsupportmicrosoftcomkb2134431
Encountered a parent-child dimension with more than 500000 members
httpsupportmicrosoftcomkb2131918
Single attribute dimensions detected httpsupportmicrosoftcomkb2141654
Measure groups with zero dimensional overlap detected in cube
httpsupportmicrosoftcomkb2027609
Proactive Caching set for a partition without a processing query
Default measure for perspective not in the perspective
httpsupportmicrosoftcomkb2027603
Use MOLAP storage for dimensions that participate in semi-additive measure groups
httpsupportmicrosoftcomkb2135112
Measure group defined with no partition httpsupportmicrosoftcomkb2027545
63 RS Rules
RSWindowsNegotiate is missing from your configuration
httpsupportmicrosoftcomkb2145506
HTTP Logging is not enabled httpsupportmicrosoftcomkb2145909
Verbose logging is enabled httpsupportmicrosoftcomkb2146315
NTLM authentication may fail for local httpsupportmicrosoftcomkb2146369
Missing extended protection settings httpsupportmicrosoftcomkb2146062
64 IS Rules
Logging task missing for package httpsupportmicrosoftcomkb2027723
ActiveX Script task detected in package httpsupportmicrosoftcomkb2027712
Unrecommended Integration Services service account detected
httpsupportmicrosoftcomkb2027684
Integration Services logging table found in system database master and or msdb
httpsupportmicrosoftcomkb2027706
Integration Services memory dump detected httpsupportmicrosoftcomkb2027727
Page 39
65 Setup Rules
Unsupported Operating System Version Detected httpsupportmicrosoftcomkb2022909
WOW64 not supported for SQL Failover Clustering httpsupportmicrosoftcomkb2157198
Installer cache is missing for the SQL Installation httpsupportmicrosoftcomkb2015100
SQL Server WMI Provider Health Check
66 Replication Rules
Replication Timeout Alerts Type httpsupportmicrosoftcomkb2118349
Replication Pub and Sub out of sync (Data Validation) httpsupportmicrosoftcomkb2118386
Replication Pub and Sub out of sync (Constraint Violations)
httpsupportmicrosoftcomkb2118410
Replication Pub and Sub out of sync (Skipped Transactions)
httpsupportmicrosoftcomkb2194498
Merge Replication Health Check httpsupportmicrosoftcomkb2118445
Subscriptions Approaching Expiration httpgomicrosoftcomfwlinkLinkId=184483
Replication Cleanup and Retention Health Check httpsupportmicrosoftcomkb2118485
Replication Latency Threshold violations httpsupportmicrosoftcomkb2118425
Page 40
7 HOW TO DEAL WITH DEVIATIONS
Deviations from these Best Practices may indicate potential issues and configuration changes may be
necessary Make sure you have tested any intended changes in a test environment before deploying
them to a production environment You could also find deviations from Best Practices that are
acceptable or even necessary for your environment For example
SAP has its special Network Packet Size of 8 KB
Existing Non-Microsoft Clients ndash would require Mixed Mode Authentication
Page 41
8 MOTIVATION TO USE SQL BPA R2
Bob Ward explained in his Article ldquoWhy use SQL Server 2008 R2 BPA Case 1 Missing Updatesrdquo
the common pitfalls during maintenance and operation of SQL Server and how address them by using
the SQL BPA
In brief itrsquos a customer scenario where the customer is facing an issue after a major update to
SQL2008 After some troubleshooting and an update to a certain CU (that is meant to fix the issue) the
problem still occurs Bobs article states the common resulting consequences ndash the involvement of
Microsoft Support and the final solution ndash adding a needed traceflag
The good news in this story is that the customer would not have needed to go to all that effort if they
would have run the SQL BPA It would have told them about the update and instructed them to put the
traceflag in place BPA is a mechanism that proactively advises you and instructs you on dealing with
common known issues
Page 42
9 ADDITIONAL INFORMATION
91 PowerShell
To use the functionality of the Baseline Configuration Analyzer with PowerShell you must import this
module first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
The following commands are stored in this module
Get-MbcaModel
Get-MbcaResult
Invoke-MbcaModel
Set-MbcaResult
You get help of this command with the following syntax
Get-help ltcommandgt -full
911 Get-MBCAModel
SYNOPSIS
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer
SYNTAX
Get-MBCAModel [[-ModelId] ltstring[]gt] [[-SubModelId] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer If no parameter is
specified Get-MBCAModel returns all models that are installed on the computer If a model is specified
by using the -ModelId parameter information about the specified model is returned
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
The results of the Get-MBCAModel cmdlet include the following details about models
1 Branding information (manufacturer or company display names version number) that is found in
the model manifest
2 Dynamic parameters that are included with the model
3 Submodels that are included with the model
PARAMETERS
-ModelId ltstring[]gt
The -ModelId parameter specifies the ID of the MBCA model about which you want to view
details You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet with no parameters and targeted at a computer on which MBCA models are installed
Page 43
This parameter supports wild card characters
Required false
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you
want to view details You can obtain valid values for the -SubModelId parameter by running the
Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models
are installed Not all models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
Examples
Get-MBCAModel
In the preceding example Get-MBCAModel with no parameters added returns details about all MBCA
models that are installed on the computer
Get-MBCAModel -ModelId SQL2008R2BPA
The preceding example can be used to return details about the MBCA model that is specified in the -
ModelId parameter represented by Model Id
$model= Get-MBCAModel -ModelId SQL2008R2BPA
$modelParameters
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the Parameters property of the model details that were stored in the
$model object returns details about which parameters are supported by the model
Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId ltSubModel Idgt
The preceding example can be used to return details about the MBCA sub-model that is specified by
the -SubModelId parameter represented by SubModel Id Note that the -ModelId parameter is
required by the -SubModelId parameter
$model= Get-MBCAModel -ModelId SQL2008R2BPA
Page 44
$modelSubModels
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the SubModels property of the model details that were stored in the
$model object returns a list of the submodels of the model specified in the first line
912 Invoke-MBCAModel
SYNOPSIS
The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA)
scan for a specific model that is installed on your computer
SYNTAX
Invoke-MBCAModel [-ModelId] ltstringgt -SubModelId ltstringgt [-Authentication
ltAuthenticationMechanismgt] [-CertificateThumbprint ltstringgt] [-ComputerName
ltstring[]gt] [-ConfigurationName ltstringgt] [-Context ltstringgt] [-Credential
ltstringgt] [-Mode ltModeEnumgt] [-Port ltintgt] [-RepositoryPath ltstringgt] [-
ThrottleLimit ltintgt] [-UseSSL] [ltCommonParametersgt]
DESCRIPTION
The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer
(MBCA) scan for a specific model that is installed on your computer The model is specified either by
using the parameter -ModelId or by piping the results of the Get-MBCAModel cmdlet into an Invoke-
MBCAMode cmdlet
After the MBCA scan has been performed the results of the scan are available to be retrieved by Get-
MBCAResult cmdlet
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Authentication ltAuthenticationMechanismgt
Specifies the authentication mechanism that is used to authenticate the users credentials Valid
values include Default Basic CredSSP Digest Kerberos Negotiate and
NegotiateWithImplicitCredential The default value is Default
For more information about the -Authentication parameter type the following and then press
Enter
Get-Help Invoke-Command -Parameter Authentication
Required false
Position named
Default value Default
Accept pipeline input false
Accept wildcard characters false
-CertificateThumbprint ltstringgt
Page 45
Specifies the digital public key certificate (X509) of a user account that has rights to perform the
cmdlet action The valid value is the certificate thumbprint of the certificate
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Certificate Thumbprint
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific
computer by adding this parameter Valid values include NETBOS names IP addresses or fully-
qualified domain names of one or more computers in a comma-separated list To specify the local
computer type the computer name or localhost
All formats that are accepted by the -ComputerName parameter in Invoke-Command are
accepted
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ConfigurationName ltstringgt
Specifies the session configuration that is used for a new PSSession
Enter a configuration name or the fully-qualified resource URI for a session configuration
Session configuration data is found on the remote computer on which you want to run a cmdlet
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ConfigurationName
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
The -Context parameter lets you run scans on a submodel in the context of a specific model (one
that is different from the parent model of the submodel) For example an administrator might
want to run a scan on the Backend submodel of the SQL model but only those in the context
of a third model a technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
Page 46
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Credential ltstringgt
Specifies a user account that has permission to run this cmdlet The default value is the current
user
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Credential
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Mode ltModeEnumgt
The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered
documents or discovery The default is to perform both discovery and analysis or All
If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet both discovery and
analysis are performed during a scan
Valid values are Discovery Analysis and All
Required false
Position named
Default value All
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model that you want to scan You can
obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at
a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
Page 47
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-Port ltintgt
Specifies the network port on a remote computer on which you want to run a scan The default
value is port 80
For more information on this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Port
Required false
Position named
Default value 80
Accept pipeline input false
Accept wildcard characters false
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a pathname If the parameter is not used the cmdlet writes
results to the default result repository
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to
scan You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed Not all models have
submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ThrottleLimit ltintgt
Specifies the maximum number of concurrent connections that can be established to run the
cmdlet If you omit this parameter or enter a value of 0 the default value of 32 is used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ThrottleLimit
Required false
Page 48
Position named
Default value 32
Accept pipeline input false
Accept wildcard characters false
-UseSSL [ltSwitchParametergt]
Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer
By default SSL is not used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter UseSSL
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceInvokeBpaModelOutputgt
The output object encapsulates the results of the cmdlet that you entered It contains information such
as the MBCA model ID the success or failure of the cmdlet and other details
NOTES
If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C)
before the temporary results file is copied to its final location the temporary file is discarded and any
previous scan results file for the role are preserved The message Processing of Invoke-MBCAModel
cancelled by user is displayed if the command is cancelled before existing scan results files are
overwritten
If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel
cmdlet and the command is cancelled scans that were completed before the cancel command was
entered cannot be cancelled A scan in progress behaves as described above in the single-model scan
cancellation scenario Subsequent scans in the pipeline are cancelled
If a concurrent scan of the same model is attempted the cmdlet returns the following error message
Another scan for this MBCA model is in progress Only one scan is allowed at a time
-------------------------- EXAMPLE 1 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA
Description
The preceding example starts a MBCA scan on the model that is represented by ltModel Idgt
-------------------------- EXAMPLE 2 --------------------------
Page 49
Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name
redmondmicrosoftcom
Description
The preceding example starts an MBCA scan on the model ID that is specified by Model Id
The administrator starts the MBCA scan with additional model-specific parameters that are exposed by
the model (For an example of how to obtain model-specific parameters see the examples for the Get-
MBCAModel cmdlet)
For example to scan a model that requires model-specific parameters (such as -Scope and -Name) to
be passed to the command the administrator can specify the values of these model-specific
parameters with the Invoke-MBCAModel cmdlet
-------------------------- EXAMPLE 3 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The
cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion
of the scan
-------------------------- EXAMPLE 4 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath
ltRepository Pathgt
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The -
Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on
existing documents that are specified in the non-default repository path provided with the -Repository
Path parameter
-------------------------- EXAMPLE 5 --------------------------
Invoke-MBCAModel -Id ltModel Idgt -SubModelId ltSubModel Idgt -ComputerName
ltServergt -Context ltContext Model Idgt -RepositoryPath ltRespository Pathgt -
AsJob -Authentication ltAuthenticatonMechanismgt -Port ltPort Numbergt -UseSSL -
ThrottleLimit ltThrottle Limitgt
Description
The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id
and on the computer that is represented by Server
Because the administrator only wants to see results from the submodel that apply in the context of a
third model the administrator runs the scan within the context of the model ID that is specified in the -
Context parameter The cmdlet results are saved to the non-default repository path that is specified in
the -RepositoryPath parameter
Because the -AsJob parameter is added the scan runs in the background The -AsJob -
Authentication -Port -UseSSL and -ThrottleLimit parameters are passed through for use by the
Invoke-Command cmdlet to perform discovery on a remote computer For more information about
these parameters see the Help for the Invoke-Command cmdlet available in Windows PowerShell V2
913 Get-MBCAResult
SYNOPSIS
Page 50
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
SYNTAX
Get-MBCAResult [-ModelId] ltstringgt [[-CollectedConfiguration]] -SubModelId
ltstringgt [-ComputerName ltstring[]gt] [-Context ltstringgt] [-Filter
ltFilterEnumgt] [-RepositoryPath ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
To use the command add the -ModelId parameter and then specify the model ID for which you want
to view the most recent MBCA scan results or collected configuration data If you want to retrieve the
configuration data collected add the -CollectedConfiguration switch parameter
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-CollectedConfiguration [ltSwitchParametergt]
The -CollectedConfiguration parameter allows you to obtain the configuration data that was
collected for the most recent MBCA scan If this switch parameter is added to Get-MBCAResults
the cmdlet returns only the configuration data that was collected for a scan
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The -ComputerName parameter lets you obtain scan results that were collected for the most
recent MBCA scan of a submodel on a specific computer To specify the local computer type the
computer name or localhost Multiple values for -ComputerName can be separated by
commas
The -SubModelId parameter is required by the -ComputerName parameter
Valid values for the -ComputerName parameter include localhost a NET BIOS name an IP
address or a fully-qualified domain name (FQDN) of one or more computers in a comma-
separated list
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
Page 51
The -Context parameter lets you obtain scan results that were collected for the most recent
MBCA scan of a submodel in the context of a specific model (one that is different from the parent
model of the submodel) For example an administrator might want to display scan results for the
Backend submodel of the SQL model but only those in the context of a third model a
technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Filter ltFilterEnumgt
The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant
Noncompliant or All results Valid values are Noncompliant Compliant or All The default value
is All
The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan
results You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet obtains
results from the default result repository
Required false
Position named
Page 52
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you
want to view scan results You can obtain valid values for the -SubModelId parameter by running
the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed Not all
models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceResultgt OR
SystemXmlXmlDocument (if -CollectedData specified)
If you do not use the -CollectedConfiguration parameter verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Results
2 Attempting to get MBCA results for Model Id = 0
3 Completed getting MBCA results for Model Id = 0 Number of Results = 1
If you add the -CollectedConfiguration parameter to display configuration data that was used for a
scan verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Configuration Data
2 Attempting to get MBCA collected configuration data for Model Id = 0
3 Completed getting MBCA collected configuration data for Model Id = 0
NOTES
The Get-MBCAResult cmdlet must be run by a member of the Administrators group and it does not
start a new scan
Cancellation behaviour
Single Model - To cancel this cmdlet you must press Ctrl+C before the ResultCollection is displayed
on the console The operation is cancelled and results are not displayed on the console
Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models
the cmdlet generates only those results that were displayed on the console before the cancellation
Any subsequent results in the pipeline are cancelled and not displayed
Page 53
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -Id SQL2008R2BPA
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id
-------------------------- EXAMPLE 2 --------------------------
Get-MBCAModel | Get-MBCAResult
In the preceding example Get-MBCAModel is used to return a list of all MBCA models that are
installed on the computer The results of the Get-MBCAModel cmdlet are piped to the Get-
MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both
supported by MBCA and installed on the computer at which the cmdlet is targeted
-------------------------- EXAMPLE 3 --------------------------
$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$resultDiscoveryDocument
Description
In the preceding example configuration data (in XML form) that was collected during the most recent
Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is
retrieved and stored as a property in the variable $result $resultDiscoveryDocument is of type
SystemXmlXmlDocument
-------------------------- EXAMPLE 4 --------------------------
Get-MBCAResult SQL2008R2BPA -Filter Noncompliant
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id and then applies a filter to show only Noncompliant
results
------------------------- EXAMPLE 5 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId Note that the parent model ID must be specified
to use the -SubModelId parameter
------------------------- EXAMPLE 6 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt -ComputerName ltServergt
-Context ltContext Model Idgt -RepositoryPath ltRepository Pathgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId The parent model ID is provided as required by
the -SubModelID parameter
The -Context parameter indicates that the administrator wants to see only those scan results that are in
the context of the model that is represented by Context Model Id for example only those results from
a SQL Server scan that specifically apply to another technology such as Web Server (IIS)
Page 54
The scan results are further narrowed to only those from a computer that is specified in the -
ComputerName parameter as Server and only those results found in the non-default results
repository that is represented by Repository Path
914 Set-MBCAResult
SYNOPSIS
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
SYNTAX
Set-MBCAResult [[-Exclude] ltBooleangt] [-Results] ltResultgtgt [[-
RepostitoryPath] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
The action specified in the cmdlet (Exclude for example) determines how the existing results of an
MBCA scan are updated Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet
to return a collection of scan results
You can apply filters to results that are returned by the Get-MBCAResult cmdlet and then pipe the
filtered collection of results to the Set-MBCAResult cmdlet specifying either to include or exclude
filtered scan results
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Exclude ltBooleangt
Excludes scan results from the results collection that were previously obtained by the Get-
MBCAResult command To exclude results by using the -Exclude parameter add the value $true
following the parameter as shown
-Exclude $true
To include results that have been excluded use the $false value for the -Exclude parameter
Required false
Position 2
Default value
Accept pipeline input false
Accept wildcard characters false
-RepostitoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet
modifies results from the default result repository
Required false
Page 55
Position 4
Default value
Accept pipeline input false
Accept wildcard characters false
-Results ltResultgtgt
Specifies the result collection to be updated by the Set-MBCAResult cmdlet The -Results
parameter is typically used to specify a filtered subset of scan results that has already been
stored in a variable the variable name is provided as the valid value for the -Results parameter
For example if you have created a variable $allPerformance to store all the Performance
category results for an MBCA scan of all models on a computer and you want to exclude those
Performance results from the complete collection of scan results you add the parameter -Results
$all Performance to a Set-MBCAResult cmdlet
For a more detailed example see the Examples section of the Help for this cmdlet
Required true
Position 3
Default value
Accept pipeline input true (ByValue)
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type ldquoget-
help about_commonparameters
NOTES
If the Set-MBCAResult command is cancelled before the results are written to a file the operation is
cancelled and the results file is not modified If cancellation occurs after the results file has been
modified the commands actions are carried out and the command cannot be cancelled
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -ModelId SQL2008R2BPA | Where $_Category -eq
Performance | Set-MBCAResult -Exclude $true
Description
The first section of the preceding example to the left of the first pipe character (|) uses the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is
represented by Model Id
The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those
scan results for which the category name is equal to Performance
The final section of the example following the second pipe character excludes the Performance
results that were filtered by the previous section of the example
-------------------------- EXAMPLE 2 --------------------------
$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath
CReposPath | Where $_Category -eq Policy
Page 56
Set-MBCAResult -Exclude $true -RepositoryPath CReposPath -Results
$rcPolicy
Description
The first line of the preceding example to the left of the pipe character (|) instructs the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is
represented by Specified Model Id from the specified non-default repository path
The second section of the example after the pipe character filters the results of the Get-MBCAResult
cmdlet to return only those scan results for which the category name is equal to (note the -eq option)
Policy The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet this
variable can be used in subsequent commands to represent those results
The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that
are stored in the $rcPolicy variable In this example the -Results parameter is added because the
administrator wants to exclude a specific subset of scan results for that model and has created the
variable $rcPolicy to represent that subset of results The repository root is specified in the second line
because the administrator wants to modify the results in the same non-default repository from which
the data in $rcPolicy was retrieved
915 MBCA Model Authoring
Further information about configuration and usage of MBCA models you can in the
MBCA_ModelAuthoringGuidedocx
Page 57
Did this paper help you Please give us your feedback Tell us on a scale of 1 (poor) to 5 (excellent)
how would you rate this paper and why have you given it this rating For example
Are you rating it high due to having good examples excellent screen shots clear writing or
another reason
Are you rating it low due to poor examples fuzzy screen shots or unclear writing
This feedback will help us improve the quality of white papers we release
Send feedback
Page 13
computers that only send commands Because the configuration activates listeners it is prudent to run
it only where it is needed You can do this with the following command line
powershellexe -NoLogo -NoProfile -Noninteractive -Command Enable-
PSRemoting -force
Enable-PSRemoting performs configuration actions to enable this machine for remote management
Includes
1 Runs the Set-WSManQuickConfig cmdlet which performs the following tasks
Starts the WinRM service
Sets the startup type on the WinRM service to Automatic
Creates a listener to accept requests on any IP address
Enables a firewall exception for WS-Management communications
Enables all registered Windows PowerShell session configurations to receive instructions
from a remote computer
Registers the MicrosoftPowerShell session configuration if it is not already registered
Registers the MicrosoftPowerShell32 session configuration on 64-bit computers if it is
not already registered
Removes the Deny Everyone setting from the security descriptor for all the registered
session configurations
Restarts the WinRM service to make the preceding changes effective
2 Configures MaxShellsPerUser using winrm set winrmconfigwinrs
``MaxShellsPerUser=`10``
Specifies the maximum number of concurrent shells that any user can remotely open on
the same computer If this policy setting is enabled the user will not be able to open new
remote shells if the count exceeds the specified limit If this policy setting is disabled or is
not configured the limit will be set to 5 remote shells per user by default and you receive
the following error message
[localhost] Connecting to remote server failed with the following
error message The WS-Management service cannot process the
request This user is allowed a maximum number of 5 concurrent
shells which has been exceeded Close existing shells or raise the
quota for this user For more information see the
about_Remote_Troubleshooting Help topic
+ CategoryInfo OpenError
(SystemManagemehellipRemoteRunspa
ceRemoteRunspace) [] PSRemotingTransportException
+ FullyQualifiedErrorId PSSessionOpenFailed
For more information about PowerShell remoting please see MSDN
32 Install MBCA
Download the edition of MBCA depending on your platform (x86 or x64) before installation
Page 14
Please find below the screenshots demonstrating the visual flow of the MBCA Installation
Welcome screen
License terms
Folder selection
Completion screen
33 Install BPA
Download the correct edition depending on your platform (x86 or x64) before installing If you have
trouble with the installation please section 57 Troubleshooting Installation
331 Command line
Following is an optimized command line setup example
msiexec i SQL2008R2BPA_Setup64msi l log ctempsqlbpa_installlog qn
msiexec parameters
i = package name (SQL2008R2BPA_Setup32msi or SQL2008R2BPA_Setup64msi
depending on your platform)
l = log granularity ldquordquo - Log all information except for v and x options
log = log file
q = display settings (qn ndash no user interface)
SKIPCA=1 (if no domain controller is available Skip Certification Authority)
For information on additional public properties Consult the Windowsreg Installer SDK for documentation
on the command line syntax
Page 15
332 GUI
Please find below the screenshots demonstrating the visual flow of the SQL Server 2008 R2 BPA
Installation
Welcome screen
License terms
System Configuration Changes (see 31 Installing PowerShell 20 and WinRM)
Ready to install decision
Install progress
Completion screen
Page 16
333 Port and Firewall restrictions
For scanning SQL Server or BI instances on an alternate server behind a firewall you must open all
necessary ports
34 Updates
Microsoft is working on quarterly updates of the rule set and tool improvements of the SQL Server
2008 R2 Best Practice Analyzer Please visit the Download site from Microsoft regularly to find new
updates
35 Uninstall
351 BPA
352 MBCA
353 Reset PowerShell settings
After the uninstall of the BPA you may disable the PowerShell remote scripting You can do this with
the following command line
powershellexe -NoLogo -NoProfile -Noninteractive -Command Disable-
PSRemoting -force
Disable-PSRemoting performs configuration actions to enable this machine for remote management
Page 17
4 USAGE
There are two ways to scan a server using MBCA and SQL 2008 R2 BPA They are
Scanning through the local machine
o In this case you are using MBCA and SQL 2008 R2 BPA running on the local machine to
perform the scan
o This scan can be of the local or an alternate server
Scanning through a remote machine
o In this case MBCA is used to connect to a remote server that has MBCA and SQL 2008
R2 BPA installed on it
o This scan is using the local machine to form the connection to the remote machine and is
actually performing the scan through the remote machine
41 Help file
The help file for the SQL Server 2008 R2 Best Practice Analyzer contains very useful information This
help file is available after the installation of BPA and is located at Start-gtAll programs-gtSQL Server
2008 R2 BPA
42 GUI
1 Ensure that MBCA v2 and SQL 2008 R2 BPA are installed on the machine
2 Run the MBCA application from the start menu with elevated user rights
Page 18
3 On the MBCA home page ensure the SQL Server 2008 R2 BPArdquo product is selected
4 Click Start Scan which displays a page to specify parameters as shown below
5 Fill in Alternate_Server_to_Scan with the remote machine you want to scan
ComputerName
IP address nnnn
FQDN (Fully Qualified Domain Name)
Enter ldquordquo localhost or leave this blank if you want to scan the local machine
Page 19
Enter the instance name you want to scan To scan the default instance enter MSSQLSERVER
or leave this as blank Toggle the checkboxes to enabledisable scans for those rule categories
Each of the following six check boxes correspond to the SQL Server categories listed previously
Select at least one category in order to run a successful scan
Analyze_SQL_Analysis_Services
Analyze_SQL_Server_Engine
Analyze_SQL_Integration_Services
Analyze_SQL_Server_Replication
Analyze_SQL_Reporting_Services
Analyze_SQL_Server_Setup
Note Only one SQL Server instance can be scanned at a time through the MBCA GUI
6 Click Start Scan MBCA will start the configured scan and display the below page while in
progress
7 When the scan is complete results will be displayed grouped by Severity as shown below
Page 20
43 Connect to a remote computer
A scan connected to a remote computer is different than scanning an alternate server
ldquoConnect to a Remote Computerrdquo is functionality provided by Microsoft Baseline Configuration Analyzer
and is used to remotely run MBCA against a server from the console of the client The client needs to
have MBCA installed but does not need BPA as it is literally running the copy of MBCA installed on the
server using the BPA installed on the server In this case the copy of MBCA installed on the client is
used only to remotely connect to the copy of MBCA installed on the server
To use this functionality you first start MBCA on the client computer and select ldquoConnect to Another
Computerrdquo
1 In the ldquoConnect to Another Computerrdquo text box you can specify a NetBIOS name a fully qualified
domain name (FQDN) or an IPv4 or IPv6 address If no port number is specified the default port
number is used The following are examples of formats that you can specify in the Connect to
Another Computer text box
ComputerName
Page 21
ComputerNamePortNumber
IP address nnnn
IPv6 address [nnnnnnnn]
IPv4 address with port number nnnnPortNumber
IPv6 address with port number [nnnnnnnn]PortNumber
Note If an administrator has changed the computerrsquos default port number any port other than the
default port must be opened in Windows Firewall to allow incoming connections on that port Port
5985 is opened by default when WinRM is configured All other ports remain blocked until opened
For more information about how to unblock a port in Windows Firewall see the Help for Windows
Firewall For more information about how to configure WinRM in a Command Prompt session type
winrm help and then press Enter
2 Additionally you must supply credentials
3 CredSSP
Windows Remote Management (WinRM) supports the delegation of user credentials across
multiple remote computers The multi-hop support functionality can now use Credential Security
Service Provider (CredSSP) for authentication CredSSP enables an application to delegate the
userrsquos credentials from the client computer to the target server
CredSSP authentication is intended for environments where Kerberos delegation cannot be used
Support for CredSSP was added to allow a user to connect to a remote server and have the ability
to access a second-hop machine such as a file share
Note WinRM clients and servers will support CredSSP authentication only with explicit credentials
Windows XP Windows Server 2003 and earlier CredSSP is not supported
First you must set CredSSP on both the client and the server
Using the Group Policy Editor (gpeditmsc) make sure to enable ldquoAllow Delegating Fresh
Credentialsrdquo and check ldquoConcatenate OS defaults with input aboverdquo
Add the server or domain to the list of servers in the format ldquoWSMANdomainnamecomrdquo
Next enable and configure PowerShell Remoting on both the Client and Server by running the
following commands in a PowerShell command window opened with elevated permissions Note
Page 22
You can configure a single machine as both a client and a server simultaneously so that you can
scan from either computer
Enable PowerShell Remoting
o Enable-psremoting ndashf
Settings for a client
o Enable-WSManCredSSP ndashrole Client ndashDelegateComputer [NetBiosNameOfServer]
or
o Enable-WSManCredSSP ndashrole Client ndashDelegateComputer [FQDN OF SERVER]
Settings for the server
o Enable-WSManCredSSP ndashrole Server
o set-item WSManlocalhostShellMaxMemoryPerShellMB ndashValue 20000
o set-item WSManlocalhostShellMaxShellsPerUser ndashvalue 20
44 PowerShell
Details see 91 PowerShell
To use the functionality of the Microsoft Baseline Configuration Analyzer you must import this module
first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
441 Run Scan
To run a full scan of the BPA on the alternate server on a named instance you can use the following
command line
Invoke-MBCAModel -ModelId SQL2008R2BPA -Alternate_Server_to_scan
servername -SQL_Server_Instance_Name instancename -
Analyze_SQL_Server_Engine -Analyze_SQL_Server_Replication -
Page 23
Analyze_SQL_Server_Setup -Analyze_SQL_Analysis_Services -
Analyze_SQL_Integration_Services -Analyze_SQL_Reporting_Services
The result looks like this part
ModelId SQL2008R2BPA
SubModelId
Success True
ScanTime
Success = True is important This is the indicator that your scan was successful
Parameter description
-Alternate_Server_to_scan servername
-SQL_Server_Instance_Name instancename
-Analyze_SQL_Server_Engine
-Analyze_SQL_Server_Replication
-Analyze_SQL_Server_Setup
-Analyze_SQL_Analysis_Services
-Analyze_SQL_Integration_Services
-Analyze_SQL_Reporting_Services
The parameter list is equal the parameter screen in the GUI
The scans of the different services are optional You can remove technologies which you do not need
to scan
The next example starts the scan only for the Analysis Services on the alternate server ldquoservernamerdquo
and for the named instance ldquoinstancerdquo A log file will be written to ldquoctempssastxtrdquo
Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId AnalysisServices -
ComputerName servername -SqlServerInstance instance -SSASLogFile
ctempssastxt
Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId Engine -ComputerName
computername -SqlServerInstance servername -CurrentLoginName
($EnvUSERDOMAIN + + $EnvUSERNAME)ToString() -EngineLogFile
ctempenginetxt ndashRepositoryPath (CTEMPSQL2008 + (Get-
Date)ToString(yyyyMMdd))ToString()
442 Create Report
model = get-MbcaModel ndashModelId sql2008r2bpa
$scanResult = get-MbcaResult ndashModelId sql2008r2bpa
$collectedConfig = get-MbcaResult ndashModelId sql2008r2bpa ndash
CollectedConfiguration
$model $scanResult $collectedConfig | export-CliXml ctempasxml
Get-MBCAResult -ModelId SQL2008R2BPA -SubModelId AnalysisServices |
ConvertTo-Html | Add-Content -Path ctesthtml
The next command retrieves the results of the most recent BPA scan for the specified model and
saves them in HTML format applying the standard cascading style sheets that are stored in the path
windirsystem32WindowsPowerShellv10ModulesBestPracticesBestPracticesReportFormatc
Page 24
ss If you want to substitute cascading style sheets provide the path to the different cascading style
sheets
Get-MBCAResult -ModelId SQL2008R2BPA | $_Severity -eq Warning -or
$_Severity -eq Error | ConvertTo-Html -As Table -property ResultNumber
SubModelID ComputerName Severity Category Title Problem Impact
Resolution Help -Head lth1gtSQL Server 2008 (R2) Best Practice Analyzer
Reportlth1gtrdquo -Title SQL Server 2008 Best Practice Analyzer -body
(ltpgtReport creation date + (Get-Date)ToString(ddMMyyyy hhmmss) +
ltpgt)toString() -pre ltPgtGenerated by user $envusername on computer
$envcomputernameltPgt -post For details contact Microsoft Premier-
CssUri $env BestPracticesReportFormatcss gt ctempsql2008r2bpahtm
443 Exporting and opening reports by using Get-MBCAResult
You can use the Get-MBCAResult cmdlet to export scan results and configuration data to an XML
report that you can open for viewing in the future either by using Get-MBCAResult or by using the
MBCA GUI Exporting reports allows you to compare older scans with more recent scans to measure
the progress of your best practice compliance
Example of exporting to XML
$results = Get-MBCAResult ltModel Idgt
$collectedconfig = Get-MBCAResult ltModel Idgt -CollectedConfiguration
$results $collectedconfig | Export-CliXml cexportxml
Example of opening archived XML report file
$loadedResults $loadedConfiguration = Import-CliXml cexportxml
444 Report Result Directory
The reporting result path
AppDataMicrosoftBaselineConfigurationAnalyzer
2ReportsSQL2008R2BPAResults
Will be overwritten during each run of the tool or invoke command
Solution save older results before you start the check
copy-item -path ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2Reports)ToString() -
destination ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2Reports_ + (Get-
Date)ToString(yyyyMMddhhmmss))ToString() ndashrecurse
Afterwards you can create a report with the following command
$prevrepPath = (Get-ChildItem ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2)ToString() -exclude
Reports | Sort-Object name -descending)[0]
Get-MBCAResult -ModelId SQL2008R2BPA ndashRepositoryPath ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2rdquo +
$prevrepPathname)ToString() | ConvertTo-Html -As Table -property
ResultNumberSubModelID ComputerName Severity Category Title Problem
Impact Resolution Help -Head lth1gtSQL Server 2008 (R2) Best Practice
Analyzer Reportlth1gtrdquo -Title SQL Server 2008 Best Practice Analyzer -body
(ltpgtReport creation date + (Get-Date)ToString(ddMMyyyy hhmmss) +
ltpgt)toString() -pre ltPgtGenerated by user $envusername on computer
Page 25
$envcomputernameltPgt -post For details contact Microsoft Premier gt
ctempsql2008r2bpahtm
Page 26
5 TROUBLESHOOTING
51 Application directories
To following directories are used by MBCA
Report output directory localappdataMicrosoftMicrosoftBaselineConfigurationAnalyzer 2ReportsSQL2008R2BPAResults
Model configuration path ProgramdataMicrosoftMicrosoft Baseline Configuration Analyzer 2ModelsSQL2008R2BPA
Temp and log files directory tempSQL2008R2BPASQL2008ltdategt_lttimegt
Registry [HKEY_LOCAL_MACHINESOFTWAREMicrosoftBaselineConfigurationAnalyzer]
Log Files
During Data Discovery SQL Server 2008 R2 BPA creates log files for troubleshooting The log file
contains the following information
Pre-requisite validation
Timestamp finished rules start and end times
Run-time scripting errors and exceptions from Power Shell Traps
Log Files Location
For every scan log files are created in userrsquos Local Temp directory (Temp) and follows the folder
structure SQL2008R2BPAlt Instance Name gtlt datestamp_timestamp gtlt Log files gt
Note In case of a remote scan the category log files are generated on the remote system at the same
path whereas the common log file is generated in the local system
Log Files Structure
A common log file gets generated and contains information about each categorys execution Apart
from this each category has its own log file which details the rule execution The names of the log files
are given below
Common File - ModelLogtxt
Engine Rules - EngineLogtxt
Replication Rules - ReplicationLogtxt
Setup Rules - SetupLogtxt
Analysis Services Rules - AnalysisServicesLogtxt
Reporting Services Rules - ReportingServicesLogtxt
Integration Services Rules - IntegrationServicesLogtxt
52 Windows Server 2003 ndash NumberOfLogicalProcessors
Analysis Services RID2803 and RID2804 ndash NumberOfLogicalProcessors property is unavailable in
Win32_Processor for with Windows Server 2003
Solution The NumberOfLogicalProcessors property does not exist in the WIN32_PROCESSOR object
in Windows Server 2003 It has been implemented in the hotfix
httpsupportmicrosoftcomkb932370
Both of the rules below will function properly if you apply this hotfix For more information look here
Page 27
53 MBCA
This message indicates that on prerequisite is not installed
Please install the version 2 of the MBCA
54 Where can I find the Instance name in result set of the analyzer
report
The instance name is in the collected data option of the analyzer report in the BPA GUI
55 Memory limit of remote PowerShell process
By default remote PowerShell process can consume only 150 MB or less memory This default limit is
significantly small and once this limit is reached there could be a WinRM exception causing and remote
connection immediately terminates Any application or Cmdlet which is involved in PowerShell
remoting should be tested for this memory limit this may cause some of the command to fail for
example site collection creation
Solution Increase the memory limit for the remote shell Use the following command to increase this
limitation to 1000MB This is only necessary if you need to run those commands on that server
Set-Item WSManlocalhostShellMaxMemoryPerShellMB 1000
56 Remote connect
If you try to ldquoConnect to another computerrdquo from MBCA and you receive the following message
Page 28
You should check first if the Hotfix KB968930 is installed
Afterwards validate that the ldquoWindows Remote Managementrdquo service is started
Enable-PSRemoting
If CredSSP is unsupported or unavailable you will see the following message
Page 29
If you have no permission to access the remote server you get the error message
Page 30
57 Installation
571 PowerShell error
After getting through the Pre-Reqs for BPA (PowerShell 20 MBCA NET Framework) you may hit
one of two scenarios when installing BPA
In all of the cases of an install failure you will see the following error
There is a problem with this Windows Installer package A program run as part of the setup did not
finish as expected Contact your support personnel or package vendor
In your Application Event Log for both of these scenarios you will also see the following entry
Log Name Application
Source MsiInstaller
Date 6102010 83818 AM
Event ID 11722
Task Category None
Level Error
Keywords Classic
User ltUsernamegt
Computer ltMachine namegt
Description
Product Microsoft SQL Server 2008 R2 BPA -- Error 1722 There is a problem
with this Windows Installer package A program run as part of the setup did
not finish as expected Contact your support personnel or package
vendor Action EnablePSRemoting location powershellexe command -NoLogo
-NoProfile -Command Enable-PSRemoting ndashforce
Page 31
This is an indicator that PowerShell is not configured You must run the following command
powershellexe -NoLogo -NoProfile -Command Enable-PSRemoting ndashforce
572 Workgroup or Non-Domain computer
In this scenario the Enable-PSRemoting command should execute fine from a PowerShell prompt
The actual error coming back from the PowerShell command within the Installer is ldquoAccess Deniedrdquo
To work around this issue you can do the following
1 Open a command prompt with Administrative Privileges
2 Change to the directory where the msi file resides
3 Type msiexec i ltMSI Namegt SKIPCA=1
4 MSI Name will either be SQL2008R2BPA_Setup32msi or SQL2008R2BPA_Setup64msi
depending on your platform
5 Once BPA is installed open a PowerShell prompt with Administrative Privileges
6 Execute the following commands
a Enable-PSRemoting
b winrm set winrmconfigwinrs ``MaxShellsPerUser=`10``
This should allow BPA to be successfully installed in the workgroup scenario
573 Kerberos Failure
This scenario is that you are failing with the above due to a Kerberos issue This particular issue could
actually show up after you have installed BPA depending on how you have configured your
environment
The issue stems from the fact that the Windows Remoting Windows Service uses the Network Service
account Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos As a
result it will be using the HOST Service Principal Name (SPN) that is on the Machine Account as it is
running under that context You may have an HTTP SPN that resides on a different account with that
host name For example if you are running an IIS Web Application such as SharePoint or if you are
using Reporting Services and the service account is set to a Domain User account instead of Network
Service or Local System If your URL of your application matches the machine name then your HTTP
SPN will be the same Thatrsquos where this problem comes in WinRM will stop working at that point and
give you a message similar to the following
Set-WSManQuickConfig WinRM cannot process the request The following error
occured while using Negotiate authentication An unknown security error
occurred
Possible causes are
-The user name or password specified are invalid
-Kerberos is used when no authentication method and no user name are
specified
-Kerberos accepts domain user names but not local user names
-The Service Principal Name (SPN) for the remote computer name and port
does not exist
-The client and remote computers are in different domains and there is no
trust between the two domains
After checking for the above issues try the following
-Check the Event Viewer for events related to authentication
-Change the authentication method add the destination computer to the
WinRM TrustedHosts configuration setting or use HTTPS transport
Note that computers in the TrustedHosts list might not be authenticated
-For more information about WinRM configuration run the following
Page 32
command winrm help config
At line50 char33
+ Set-WSManQuickConfig ltltltlt -force
+ CategoryInfo InvalidOperation () [Set-WSManQuickConfig]
InvalidOperationException
+ FullyQualifiedErrorId
WsManErrorMicrosoftWSManManagementSetWSManQuickConfigCommand
You can get this type of error from WinRM for muliple reasons The one that
we saw in our testing was the HTTP SPN scenario
If you do have an HTTP SPN defined on a Domain Account that is using the name of your machine
you have some options First you can follow the steps mentioned above to get BPA installed The
Enable-PSRemoting command will give you the above error You can temporarily remove the HTTP
SPN to get remoting enabled and then re-add the HTTP SPN
Once BPA is setup you will still not be able to run BPA if you put the HTTP SPN back in place You will
see the following when you attempt to perform a scan
This will occur regardless of which component you try to scan It could be the Engine Setup RS etchellip
One option to perform the scan successfully is to temporarily remove the HTTP SPN again run the
scan and then put the HTTP SPN back in place Another option but one that will probably require
further testing from your applicationrsquos end would be to run the application under a Host Header and
then your HTTP SPN would not include the machine name allowing BPA to run without issue
Page 33
6 RULES
Searching for ldquoSQL Server 20087 R2 BPArdquo at Microsoftcom reveals
Here is an example of one of these articles that talks about a rule to check for a recent ldquocleanrdquo
CHECKDB
Page 34
BPA works by measuring a rolersquos compliance with best practice rules in eight different categories of a
rolersquos effectiveness trustworthiness and reliability Results of measurements can be any of the three
severity levels described in the following table
Severity level Description
Noncompliant Noncompliant results are returned when a role does not satisfy the conditions of a rule
Compliant Compliant results are returned when a role satisfies the conditions of a rule
Warning Warning results are returned when a role is compliant as operating currently but may not satisfy the conditions of a
rule if changes are not made to its configuration or policy settings For example a scan of Remote Desktop Services
might show a warning result if a license server is unavailable to the role because even if no remote connections are
active at the time of the scan not having the license server prevents new remote connections from obtaining valid
client access licenses
Page 35
BPA rule categories
The following table describes the categories of best practice rules against which roles are measured
during a BPA scan
Category Name Description
Security Security rules are applied to measure a rolersquos relative risk for exposure to threats such as unauthorized or malicious
users or loss or theft of confidential or proprietary data
Performance Performance rules are applied to measure a rolersquos ability to process requests and perform its prescribed duties in
the enterprise within expected periods of time given the rolersquos workload
Configuration Configuration rules are applied to identify role settings that might require modification for the role to perform
optimally Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role
from performing its prescribed duties in an enterprise
Policy Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the
role to operate optimally and securely
Operation Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise
Predeployment Predeployment rules are applied before an installed role is deployed in the enterprise to let administrators to
evaluate whether best practices were satisfied before you use the role in production
Postdeployment Postdeployment rules are applied after all required services have started for a role and the role is running in the
enterprise
BPA Prerequisites BPA Prerequisite rules explain configuration settings policy settings and features that are required for the role
before BPA can apply specific rules from other categories A prerequisite in scan results indicates that an incorrect
setting a missing role role service or feature an incorrectly enabled or disabled policy a registry key setting or
other configuration has prevented BPA from applying one or more rules during a scan A prerequisite result does
not imply compliance or noncompliance It means that a rule could not be applied and therefore is not part of the
scan results
61 Engine Rules
Please find below a summary of the 74 Engine Rules with the links to the rule descriptions These rules
are checking that you have a secure resilient and well performing SQL configuration
Authentication Mode (httpsupportmicrosoftcomkb2028697)
Lightweight Pooling is enabled (httpsupportmicrosoftcomkb2160691)
Locks Configuration Not Dynamic (httpsupportmicrosoftcomkb2199576)
non-default network packet size in use (httpsupportmicrosoftcomkb2157175)
degree of parallelism not set to recommended value (httpsupportmicrosoftcomkb2023536)
Use Database Mail instead of SQL Mail (httpsupportmicrosoftcomkb2028584)
SQL Server Agent Proxy Account (httpsupportmicrosoftcomkb2160741)
SQL Login Password Policy Strength and password expiry
(httpsupportmicrosoftcomkb2028712)
Trustworthy Bit (httpsupportmicrosoftcomkb2183687)
Symmetric Keys Check (httpsupportmicrosoftcomkb2162020)
Asymmetric Keys Check (httpsupportmicrosoftcomkb2162020)
SQL Server installed on PDC BDC (httpsupportmicrosoftcomkb2032911)
Page 36
SQL Server Admin role membership check (httpsupportmicrosoftcomkb2184138)
Windows API calls intercepted (httpsupportmicrosoftcomkb2033238)
unsupported DotNET framework assemblies present (httpsupportmicrosoftcomkb2033344)
Disk partition starting offset may be incorrect (httpsupportmicrosoftcomkb2023571)
non-default max worker threads value configured (httpsupportmicrosoftcomkb2157129)
Guest Permissions (httpsupportmicrosoftcomkb2186935)
Data and Log files on the same volume (httpsupportmicrosoftcomkb2033523)
IO timeouts and IO controller errors detected (httpsupportmicrosoftcomkb2091098)
IO device errors detected (httpsupportmicrosoftcomkb2091098)
IO errors during page faults detected (httpsupportmicrosoftcomkb2091098)
cluster disk corruption encountered (httpsupportmicrosoftcomkb2091098)
disk defragmentation encountered corruption (httpsupportmicrosoftcomkb2091098)
failed IO requests detected (httpsupportmicrosoftcomkb2091098)
IO requests are successful when retried (httpsupportmicrosoftcomkb2015757)
IO Delay Problems reported by SQL Server (httpsupportmicrosoftcomkb2137408)
This system experienced unexpected shutdowns (httpsupportmicrosoftcomkb2091098)
tempdb corruption errors fix missing (httpsupportmicrosoftcomkb960770)
Critical SQL database inconsistency errors found (httpsupportmicrosoftcomkb2152734)
Logical consistency errors detected (httpsupportmicrosoftcomkb2152472)
Database have auto shrink option enabled (httpsupportmicrosoftcomkb2160663)
SQL Server Error logs are very big (httpsupportmicrosoftcomkb2199578)
incorrect affinity mask settings detected httpsupportmicrosoftcomkb2157114
Very low blocked process threshold setting detected httpsupportmicrosoftcomkb2157154
Potential security issue with legacy DTS stored procedures
httpsupportmicrosoftcomkb2202875
Winsock LSP loaded into SQL httpsupportmicrosoftcomkb2033448
Databases using simple recovery model httpsupportmicrosoftcomkb2137539
User database collation different from model httpsupportmicrosoftcomkb2026108
Database files and backups exist on the same volume httpsupportmicrosoftcomkb2027537
Databases have auto close option enabled httpsupportmicrosoftcomkb2160685
LSI SAS drivers needs update httpsupportmicrosoftcomkb2121098
SQL tempdb database not configured optimally httpsupportmicrosoftcomkb2154845
SQL Database file has sparse attribute set httpsupportmicrosoftcomkb2028447
Invalid startup parameters httpsupportmicrosoftcomkb2028433
MSDTC settings not configured optimally httpsupportmicrosoftcomkb2027550
sql incorrect results fix missing httpsupportmicrosoftcomkb971780
File System needs tuning for better FileStream performance
httpsupportmicrosoftcomkb2160002
linked server memory leak fix missing httpsupportmicrosoftcomkb971622EN-US
Windows service pack is not at recommended level httpsupportmicrosoftcomkb2121098
default extended event health session not in expected state
httpsupportmicrosoftcomkb2160570
TcpSysAndChimneyCheck httpsupportmicrosoftcomKB918483
FDHOST Launcher service is not configured properly httpsupportmicrosoftcomkb2160720
Unrecommended SQL Server Agent service account httpsupportmicrosoftcomkb2160720
A required Windows fix to avoid sparse file related problems is missing
httpsupportmicrosoftcomkb2002606
Page 37
Significant Portion of SQL Server Memory Has Been Paged Out
httpsupportmicrosoftcomkb2028324
Server Exception or Hang Detected on Server httpsupportmicrosoftcomkb2028589
Databases exist without CHECKSUM protection httpsupportmicrosoftcomkb2078345
backups outdated for databases httpsupportmicrosoftcomkb2027537
Database consistency check not current httpsupportmicrosoftcomkb2033590
SQL Server Memory settings are incorrect httpsupportmicrosoftcomKB918483EN-US
Autogrow Failed or took a long time httpsupportmicrosoftcomkb2091024
Storport driver fix from KBA 940467 missing httpsupportmicrosoftcomkb2121098
Storport driver fix from KBA 950903 missing httpsupportmicrosoftcomkb2121098
SQLCLR needs additional memory configuration httpsupportmicrosoftcomkb969962EN-US
Operating System files and drivers needs update for working set trimming
httpsupportmicrosoftcomkb2121098
Agent Token Replacement httpsupportmicrosoftcomkb2202637
Auditing Log in failures httpsupportmicrosoftcomkb2187161
Databases with high number of VLF present httpsupportmicrosoftcomkb2028436
Transparent Data Encryption Certificate httpsupportmicrosoftcomkb2201900
Permission on the Binn folder httpsupportmicrosoftcomkb2029023
Index Statistics Are Outdated
Server public permissions httpsupportmicrosoftcomkb2160698
Detected use of older versions of SQLNCLI httpsupportmicrosoftcomkb979779
62 AS Rules
Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions
Flight Recorder Enabled for SQL Server Analysis Services
httpsupportmicrosoftcomkb2128005
Excessive amount of memory preallocated to Analysis Services
httpsupportmicrosoftcomkb2027474
Server not configured for optimal concurrent query throughput
httpsupportmicrosoftcomkb2135031
Non standard value detected for Analysis Services memory configuration
httpsupportmicrosoftcomkb2027472
Process Thread Pool Max limit above recommended limit
httpsupportmicrosoftcomkb2134497
Process Thread Pool Minimum is below the recommended limit
httpsupportmicrosoftcomkb2134855
Server is running a build with a known regression httpsupportmicrosoftcomkb2157941
Slice not set on a ROLAP partition or a partition where proactive caching is enabled and
ROLAP storage ay occur httpsupportmicrosoftcomkb2027754
Server is ignoring duplicate key errors httpsupportmicrosoftcomkb2027761
No default member defined for non-aggregatable attribute
httpsupportmicrosoftcomkb2027769
UnknownMember set to hidden httpsupportmicrosoftcomkb2027628
Non-numeric key column for high cardinality attribute httpsupportmicrosoftcomkb2028138
Attribute hiearchy enabled for high cardinality non-key attribute
httpsupportmicrosoftcomkb2028143
ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition
detected httpsupportmicrosoftcomkb2132742
Page 38
Account or Time attribute types defined in a non-matching dimension type
httpsupportmicrosoftcomkb2157299
An Account or Time dimension has no matching attribute defined
httpsupportmicrosoftcomkb2027418
Dimension has no attribute defined with the same type
httpsupportmicrosoftcomkb2027443
Attribute Dimension type mismatch httpsupportmicrosoftcomkb2157327
Mismatched dimension attribute types detected in dimension
httpsupportmicrosoftcomkb2027459
Possible incorrect order of levels defined in hierarchy httpsupportmicrosoftcomkb2027460
Define attribute relationships as Rigid where possible httpsupportmicrosoftcomkb2027468
Redundant attribute relationships detected httpsupportmicrosoftcomkb2127437
Diamond-shape relationship detected httpsupportmicrosoftcomkb2127570
Non-Standard Attribute Relationship name detected httpsupportmicrosoftcomkb2127862
Proactive Caching set for dimension without a processing query
httpsupportmicrosoftcomkb2027541
No Time dimension detected httpsupportmicrosoftcomkb2027532
More than 3 parent-child dimensions with custom rollups defined
httpsupportmicrosoftcomkb2134431
Encountered a parent-child dimension with more than 500000 members
httpsupportmicrosoftcomkb2131918
Single attribute dimensions detected httpsupportmicrosoftcomkb2141654
Measure groups with zero dimensional overlap detected in cube
httpsupportmicrosoftcomkb2027609
Proactive Caching set for a partition without a processing query
Default measure for perspective not in the perspective
httpsupportmicrosoftcomkb2027603
Use MOLAP storage for dimensions that participate in semi-additive measure groups
httpsupportmicrosoftcomkb2135112
Measure group defined with no partition httpsupportmicrosoftcomkb2027545
63 RS Rules
RSWindowsNegotiate is missing from your configuration
httpsupportmicrosoftcomkb2145506
HTTP Logging is not enabled httpsupportmicrosoftcomkb2145909
Verbose logging is enabled httpsupportmicrosoftcomkb2146315
NTLM authentication may fail for local httpsupportmicrosoftcomkb2146369
Missing extended protection settings httpsupportmicrosoftcomkb2146062
64 IS Rules
Logging task missing for package httpsupportmicrosoftcomkb2027723
ActiveX Script task detected in package httpsupportmicrosoftcomkb2027712
Unrecommended Integration Services service account detected
httpsupportmicrosoftcomkb2027684
Integration Services logging table found in system database master and or msdb
httpsupportmicrosoftcomkb2027706
Integration Services memory dump detected httpsupportmicrosoftcomkb2027727
Page 39
65 Setup Rules
Unsupported Operating System Version Detected httpsupportmicrosoftcomkb2022909
WOW64 not supported for SQL Failover Clustering httpsupportmicrosoftcomkb2157198
Installer cache is missing for the SQL Installation httpsupportmicrosoftcomkb2015100
SQL Server WMI Provider Health Check
66 Replication Rules
Replication Timeout Alerts Type httpsupportmicrosoftcomkb2118349
Replication Pub and Sub out of sync (Data Validation) httpsupportmicrosoftcomkb2118386
Replication Pub and Sub out of sync (Constraint Violations)
httpsupportmicrosoftcomkb2118410
Replication Pub and Sub out of sync (Skipped Transactions)
httpsupportmicrosoftcomkb2194498
Merge Replication Health Check httpsupportmicrosoftcomkb2118445
Subscriptions Approaching Expiration httpgomicrosoftcomfwlinkLinkId=184483
Replication Cleanup and Retention Health Check httpsupportmicrosoftcomkb2118485
Replication Latency Threshold violations httpsupportmicrosoftcomkb2118425
Page 40
7 HOW TO DEAL WITH DEVIATIONS
Deviations from these Best Practices may indicate potential issues and configuration changes may be
necessary Make sure you have tested any intended changes in a test environment before deploying
them to a production environment You could also find deviations from Best Practices that are
acceptable or even necessary for your environment For example
SAP has its special Network Packet Size of 8 KB
Existing Non-Microsoft Clients ndash would require Mixed Mode Authentication
Page 41
8 MOTIVATION TO USE SQL BPA R2
Bob Ward explained in his Article ldquoWhy use SQL Server 2008 R2 BPA Case 1 Missing Updatesrdquo
the common pitfalls during maintenance and operation of SQL Server and how address them by using
the SQL BPA
In brief itrsquos a customer scenario where the customer is facing an issue after a major update to
SQL2008 After some troubleshooting and an update to a certain CU (that is meant to fix the issue) the
problem still occurs Bobs article states the common resulting consequences ndash the involvement of
Microsoft Support and the final solution ndash adding a needed traceflag
The good news in this story is that the customer would not have needed to go to all that effort if they
would have run the SQL BPA It would have told them about the update and instructed them to put the
traceflag in place BPA is a mechanism that proactively advises you and instructs you on dealing with
common known issues
Page 42
9 ADDITIONAL INFORMATION
91 PowerShell
To use the functionality of the Baseline Configuration Analyzer with PowerShell you must import this
module first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
The following commands are stored in this module
Get-MbcaModel
Get-MbcaResult
Invoke-MbcaModel
Set-MbcaResult
You get help of this command with the following syntax
Get-help ltcommandgt -full
911 Get-MBCAModel
SYNOPSIS
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer
SYNTAX
Get-MBCAModel [[-ModelId] ltstring[]gt] [[-SubModelId] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer If no parameter is
specified Get-MBCAModel returns all models that are installed on the computer If a model is specified
by using the -ModelId parameter information about the specified model is returned
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
The results of the Get-MBCAModel cmdlet include the following details about models
1 Branding information (manufacturer or company display names version number) that is found in
the model manifest
2 Dynamic parameters that are included with the model
3 Submodels that are included with the model
PARAMETERS
-ModelId ltstring[]gt
The -ModelId parameter specifies the ID of the MBCA model about which you want to view
details You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet with no parameters and targeted at a computer on which MBCA models are installed
Page 43
This parameter supports wild card characters
Required false
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you
want to view details You can obtain valid values for the -SubModelId parameter by running the
Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models
are installed Not all models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
Examples
Get-MBCAModel
In the preceding example Get-MBCAModel with no parameters added returns details about all MBCA
models that are installed on the computer
Get-MBCAModel -ModelId SQL2008R2BPA
The preceding example can be used to return details about the MBCA model that is specified in the -
ModelId parameter represented by Model Id
$model= Get-MBCAModel -ModelId SQL2008R2BPA
$modelParameters
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the Parameters property of the model details that were stored in the
$model object returns details about which parameters are supported by the model
Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId ltSubModel Idgt
The preceding example can be used to return details about the MBCA sub-model that is specified by
the -SubModelId parameter represented by SubModel Id Note that the -ModelId parameter is
required by the -SubModelId parameter
$model= Get-MBCAModel -ModelId SQL2008R2BPA
Page 44
$modelSubModels
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the SubModels property of the model details that were stored in the
$model object returns a list of the submodels of the model specified in the first line
912 Invoke-MBCAModel
SYNOPSIS
The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA)
scan for a specific model that is installed on your computer
SYNTAX
Invoke-MBCAModel [-ModelId] ltstringgt -SubModelId ltstringgt [-Authentication
ltAuthenticationMechanismgt] [-CertificateThumbprint ltstringgt] [-ComputerName
ltstring[]gt] [-ConfigurationName ltstringgt] [-Context ltstringgt] [-Credential
ltstringgt] [-Mode ltModeEnumgt] [-Port ltintgt] [-RepositoryPath ltstringgt] [-
ThrottleLimit ltintgt] [-UseSSL] [ltCommonParametersgt]
DESCRIPTION
The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer
(MBCA) scan for a specific model that is installed on your computer The model is specified either by
using the parameter -ModelId or by piping the results of the Get-MBCAModel cmdlet into an Invoke-
MBCAMode cmdlet
After the MBCA scan has been performed the results of the scan are available to be retrieved by Get-
MBCAResult cmdlet
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Authentication ltAuthenticationMechanismgt
Specifies the authentication mechanism that is used to authenticate the users credentials Valid
values include Default Basic CredSSP Digest Kerberos Negotiate and
NegotiateWithImplicitCredential The default value is Default
For more information about the -Authentication parameter type the following and then press
Enter
Get-Help Invoke-Command -Parameter Authentication
Required false
Position named
Default value Default
Accept pipeline input false
Accept wildcard characters false
-CertificateThumbprint ltstringgt
Page 45
Specifies the digital public key certificate (X509) of a user account that has rights to perform the
cmdlet action The valid value is the certificate thumbprint of the certificate
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Certificate Thumbprint
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific
computer by adding this parameter Valid values include NETBOS names IP addresses or fully-
qualified domain names of one or more computers in a comma-separated list To specify the local
computer type the computer name or localhost
All formats that are accepted by the -ComputerName parameter in Invoke-Command are
accepted
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ConfigurationName ltstringgt
Specifies the session configuration that is used for a new PSSession
Enter a configuration name or the fully-qualified resource URI for a session configuration
Session configuration data is found on the remote computer on which you want to run a cmdlet
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ConfigurationName
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
The -Context parameter lets you run scans on a submodel in the context of a specific model (one
that is different from the parent model of the submodel) For example an administrator might
want to run a scan on the Backend submodel of the SQL model but only those in the context
of a third model a technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
Page 46
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Credential ltstringgt
Specifies a user account that has permission to run this cmdlet The default value is the current
user
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Credential
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Mode ltModeEnumgt
The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered
documents or discovery The default is to perform both discovery and analysis or All
If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet both discovery and
analysis are performed during a scan
Valid values are Discovery Analysis and All
Required false
Position named
Default value All
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model that you want to scan You can
obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at
a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
Page 47
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-Port ltintgt
Specifies the network port on a remote computer on which you want to run a scan The default
value is port 80
For more information on this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Port
Required false
Position named
Default value 80
Accept pipeline input false
Accept wildcard characters false
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a pathname If the parameter is not used the cmdlet writes
results to the default result repository
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to
scan You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed Not all models have
submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ThrottleLimit ltintgt
Specifies the maximum number of concurrent connections that can be established to run the
cmdlet If you omit this parameter or enter a value of 0 the default value of 32 is used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ThrottleLimit
Required false
Page 48
Position named
Default value 32
Accept pipeline input false
Accept wildcard characters false
-UseSSL [ltSwitchParametergt]
Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer
By default SSL is not used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter UseSSL
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceInvokeBpaModelOutputgt
The output object encapsulates the results of the cmdlet that you entered It contains information such
as the MBCA model ID the success or failure of the cmdlet and other details
NOTES
If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C)
before the temporary results file is copied to its final location the temporary file is discarded and any
previous scan results file for the role are preserved The message Processing of Invoke-MBCAModel
cancelled by user is displayed if the command is cancelled before existing scan results files are
overwritten
If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel
cmdlet and the command is cancelled scans that were completed before the cancel command was
entered cannot be cancelled A scan in progress behaves as described above in the single-model scan
cancellation scenario Subsequent scans in the pipeline are cancelled
If a concurrent scan of the same model is attempted the cmdlet returns the following error message
Another scan for this MBCA model is in progress Only one scan is allowed at a time
-------------------------- EXAMPLE 1 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA
Description
The preceding example starts a MBCA scan on the model that is represented by ltModel Idgt
-------------------------- EXAMPLE 2 --------------------------
Page 49
Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name
redmondmicrosoftcom
Description
The preceding example starts an MBCA scan on the model ID that is specified by Model Id
The administrator starts the MBCA scan with additional model-specific parameters that are exposed by
the model (For an example of how to obtain model-specific parameters see the examples for the Get-
MBCAModel cmdlet)
For example to scan a model that requires model-specific parameters (such as -Scope and -Name) to
be passed to the command the administrator can specify the values of these model-specific
parameters with the Invoke-MBCAModel cmdlet
-------------------------- EXAMPLE 3 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The
cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion
of the scan
-------------------------- EXAMPLE 4 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath
ltRepository Pathgt
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The -
Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on
existing documents that are specified in the non-default repository path provided with the -Repository
Path parameter
-------------------------- EXAMPLE 5 --------------------------
Invoke-MBCAModel -Id ltModel Idgt -SubModelId ltSubModel Idgt -ComputerName
ltServergt -Context ltContext Model Idgt -RepositoryPath ltRespository Pathgt -
AsJob -Authentication ltAuthenticatonMechanismgt -Port ltPort Numbergt -UseSSL -
ThrottleLimit ltThrottle Limitgt
Description
The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id
and on the computer that is represented by Server
Because the administrator only wants to see results from the submodel that apply in the context of a
third model the administrator runs the scan within the context of the model ID that is specified in the -
Context parameter The cmdlet results are saved to the non-default repository path that is specified in
the -RepositoryPath parameter
Because the -AsJob parameter is added the scan runs in the background The -AsJob -
Authentication -Port -UseSSL and -ThrottleLimit parameters are passed through for use by the
Invoke-Command cmdlet to perform discovery on a remote computer For more information about
these parameters see the Help for the Invoke-Command cmdlet available in Windows PowerShell V2
913 Get-MBCAResult
SYNOPSIS
Page 50
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
SYNTAX
Get-MBCAResult [-ModelId] ltstringgt [[-CollectedConfiguration]] -SubModelId
ltstringgt [-ComputerName ltstring[]gt] [-Context ltstringgt] [-Filter
ltFilterEnumgt] [-RepositoryPath ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
To use the command add the -ModelId parameter and then specify the model ID for which you want
to view the most recent MBCA scan results or collected configuration data If you want to retrieve the
configuration data collected add the -CollectedConfiguration switch parameter
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-CollectedConfiguration [ltSwitchParametergt]
The -CollectedConfiguration parameter allows you to obtain the configuration data that was
collected for the most recent MBCA scan If this switch parameter is added to Get-MBCAResults
the cmdlet returns only the configuration data that was collected for a scan
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The -ComputerName parameter lets you obtain scan results that were collected for the most
recent MBCA scan of a submodel on a specific computer To specify the local computer type the
computer name or localhost Multiple values for -ComputerName can be separated by
commas
The -SubModelId parameter is required by the -ComputerName parameter
Valid values for the -ComputerName parameter include localhost a NET BIOS name an IP
address or a fully-qualified domain name (FQDN) of one or more computers in a comma-
separated list
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
Page 51
The -Context parameter lets you obtain scan results that were collected for the most recent
MBCA scan of a submodel in the context of a specific model (one that is different from the parent
model of the submodel) For example an administrator might want to display scan results for the
Backend submodel of the SQL model but only those in the context of a third model a
technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Filter ltFilterEnumgt
The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant
Noncompliant or All results Valid values are Noncompliant Compliant or All The default value
is All
The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan
results You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet obtains
results from the default result repository
Required false
Position named
Page 52
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you
want to view scan results You can obtain valid values for the -SubModelId parameter by running
the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed Not all
models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceResultgt OR
SystemXmlXmlDocument (if -CollectedData specified)
If you do not use the -CollectedConfiguration parameter verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Results
2 Attempting to get MBCA results for Model Id = 0
3 Completed getting MBCA results for Model Id = 0 Number of Results = 1
If you add the -CollectedConfiguration parameter to display configuration data that was used for a
scan verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Configuration Data
2 Attempting to get MBCA collected configuration data for Model Id = 0
3 Completed getting MBCA collected configuration data for Model Id = 0
NOTES
The Get-MBCAResult cmdlet must be run by a member of the Administrators group and it does not
start a new scan
Cancellation behaviour
Single Model - To cancel this cmdlet you must press Ctrl+C before the ResultCollection is displayed
on the console The operation is cancelled and results are not displayed on the console
Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models
the cmdlet generates only those results that were displayed on the console before the cancellation
Any subsequent results in the pipeline are cancelled and not displayed
Page 53
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -Id SQL2008R2BPA
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id
-------------------------- EXAMPLE 2 --------------------------
Get-MBCAModel | Get-MBCAResult
In the preceding example Get-MBCAModel is used to return a list of all MBCA models that are
installed on the computer The results of the Get-MBCAModel cmdlet are piped to the Get-
MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both
supported by MBCA and installed on the computer at which the cmdlet is targeted
-------------------------- EXAMPLE 3 --------------------------
$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$resultDiscoveryDocument
Description
In the preceding example configuration data (in XML form) that was collected during the most recent
Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is
retrieved and stored as a property in the variable $result $resultDiscoveryDocument is of type
SystemXmlXmlDocument
-------------------------- EXAMPLE 4 --------------------------
Get-MBCAResult SQL2008R2BPA -Filter Noncompliant
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id and then applies a filter to show only Noncompliant
results
------------------------- EXAMPLE 5 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId Note that the parent model ID must be specified
to use the -SubModelId parameter
------------------------- EXAMPLE 6 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt -ComputerName ltServergt
-Context ltContext Model Idgt -RepositoryPath ltRepository Pathgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId The parent model ID is provided as required by
the -SubModelID parameter
The -Context parameter indicates that the administrator wants to see only those scan results that are in
the context of the model that is represented by Context Model Id for example only those results from
a SQL Server scan that specifically apply to another technology such as Web Server (IIS)
Page 54
The scan results are further narrowed to only those from a computer that is specified in the -
ComputerName parameter as Server and only those results found in the non-default results
repository that is represented by Repository Path
914 Set-MBCAResult
SYNOPSIS
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
SYNTAX
Set-MBCAResult [[-Exclude] ltBooleangt] [-Results] ltResultgtgt [[-
RepostitoryPath] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
The action specified in the cmdlet (Exclude for example) determines how the existing results of an
MBCA scan are updated Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet
to return a collection of scan results
You can apply filters to results that are returned by the Get-MBCAResult cmdlet and then pipe the
filtered collection of results to the Set-MBCAResult cmdlet specifying either to include or exclude
filtered scan results
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Exclude ltBooleangt
Excludes scan results from the results collection that were previously obtained by the Get-
MBCAResult command To exclude results by using the -Exclude parameter add the value $true
following the parameter as shown
-Exclude $true
To include results that have been excluded use the $false value for the -Exclude parameter
Required false
Position 2
Default value
Accept pipeline input false
Accept wildcard characters false
-RepostitoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet
modifies results from the default result repository
Required false
Page 55
Position 4
Default value
Accept pipeline input false
Accept wildcard characters false
-Results ltResultgtgt
Specifies the result collection to be updated by the Set-MBCAResult cmdlet The -Results
parameter is typically used to specify a filtered subset of scan results that has already been
stored in a variable the variable name is provided as the valid value for the -Results parameter
For example if you have created a variable $allPerformance to store all the Performance
category results for an MBCA scan of all models on a computer and you want to exclude those
Performance results from the complete collection of scan results you add the parameter -Results
$all Performance to a Set-MBCAResult cmdlet
For a more detailed example see the Examples section of the Help for this cmdlet
Required true
Position 3
Default value
Accept pipeline input true (ByValue)
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type ldquoget-
help about_commonparameters
NOTES
If the Set-MBCAResult command is cancelled before the results are written to a file the operation is
cancelled and the results file is not modified If cancellation occurs after the results file has been
modified the commands actions are carried out and the command cannot be cancelled
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -ModelId SQL2008R2BPA | Where $_Category -eq
Performance | Set-MBCAResult -Exclude $true
Description
The first section of the preceding example to the left of the first pipe character (|) uses the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is
represented by Model Id
The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those
scan results for which the category name is equal to Performance
The final section of the example following the second pipe character excludes the Performance
results that were filtered by the previous section of the example
-------------------------- EXAMPLE 2 --------------------------
$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath
CReposPath | Where $_Category -eq Policy
Page 56
Set-MBCAResult -Exclude $true -RepositoryPath CReposPath -Results
$rcPolicy
Description
The first line of the preceding example to the left of the pipe character (|) instructs the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is
represented by Specified Model Id from the specified non-default repository path
The second section of the example after the pipe character filters the results of the Get-MBCAResult
cmdlet to return only those scan results for which the category name is equal to (note the -eq option)
Policy The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet this
variable can be used in subsequent commands to represent those results
The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that
are stored in the $rcPolicy variable In this example the -Results parameter is added because the
administrator wants to exclude a specific subset of scan results for that model and has created the
variable $rcPolicy to represent that subset of results The repository root is specified in the second line
because the administrator wants to modify the results in the same non-default repository from which
the data in $rcPolicy was retrieved
915 MBCA Model Authoring
Further information about configuration and usage of MBCA models you can in the
MBCA_ModelAuthoringGuidedocx
Page 57
Did this paper help you Please give us your feedback Tell us on a scale of 1 (poor) to 5 (excellent)
how would you rate this paper and why have you given it this rating For example
Are you rating it high due to having good examples excellent screen shots clear writing or
another reason
Are you rating it low due to poor examples fuzzy screen shots or unclear writing
This feedback will help us improve the quality of white papers we release
Send feedback
Page 14
Please find below the screenshots demonstrating the visual flow of the MBCA Installation
Welcome screen
License terms
Folder selection
Completion screen
33 Install BPA
Download the correct edition depending on your platform (x86 or x64) before installing If you have
trouble with the installation please section 57 Troubleshooting Installation
331 Command line
Following is an optimized command line setup example
msiexec i SQL2008R2BPA_Setup64msi l log ctempsqlbpa_installlog qn
msiexec parameters
i = package name (SQL2008R2BPA_Setup32msi or SQL2008R2BPA_Setup64msi
depending on your platform)
l = log granularity ldquordquo - Log all information except for v and x options
log = log file
q = display settings (qn ndash no user interface)
SKIPCA=1 (if no domain controller is available Skip Certification Authority)
For information on additional public properties Consult the Windowsreg Installer SDK for documentation
on the command line syntax
Page 15
332 GUI
Please find below the screenshots demonstrating the visual flow of the SQL Server 2008 R2 BPA
Installation
Welcome screen
License terms
System Configuration Changes (see 31 Installing PowerShell 20 and WinRM)
Ready to install decision
Install progress
Completion screen
Page 16
333 Port and Firewall restrictions
For scanning SQL Server or BI instances on an alternate server behind a firewall you must open all
necessary ports
34 Updates
Microsoft is working on quarterly updates of the rule set and tool improvements of the SQL Server
2008 R2 Best Practice Analyzer Please visit the Download site from Microsoft regularly to find new
updates
35 Uninstall
351 BPA
352 MBCA
353 Reset PowerShell settings
After the uninstall of the BPA you may disable the PowerShell remote scripting You can do this with
the following command line
powershellexe -NoLogo -NoProfile -Noninteractive -Command Disable-
PSRemoting -force
Disable-PSRemoting performs configuration actions to enable this machine for remote management
Page 17
4 USAGE
There are two ways to scan a server using MBCA and SQL 2008 R2 BPA They are
Scanning through the local machine
o In this case you are using MBCA and SQL 2008 R2 BPA running on the local machine to
perform the scan
o This scan can be of the local or an alternate server
Scanning through a remote machine
o In this case MBCA is used to connect to a remote server that has MBCA and SQL 2008
R2 BPA installed on it
o This scan is using the local machine to form the connection to the remote machine and is
actually performing the scan through the remote machine
41 Help file
The help file for the SQL Server 2008 R2 Best Practice Analyzer contains very useful information This
help file is available after the installation of BPA and is located at Start-gtAll programs-gtSQL Server
2008 R2 BPA
42 GUI
1 Ensure that MBCA v2 and SQL 2008 R2 BPA are installed on the machine
2 Run the MBCA application from the start menu with elevated user rights
Page 18
3 On the MBCA home page ensure the SQL Server 2008 R2 BPArdquo product is selected
4 Click Start Scan which displays a page to specify parameters as shown below
5 Fill in Alternate_Server_to_Scan with the remote machine you want to scan
ComputerName
IP address nnnn
FQDN (Fully Qualified Domain Name)
Enter ldquordquo localhost or leave this blank if you want to scan the local machine
Page 19
Enter the instance name you want to scan To scan the default instance enter MSSQLSERVER
or leave this as blank Toggle the checkboxes to enabledisable scans for those rule categories
Each of the following six check boxes correspond to the SQL Server categories listed previously
Select at least one category in order to run a successful scan
Analyze_SQL_Analysis_Services
Analyze_SQL_Server_Engine
Analyze_SQL_Integration_Services
Analyze_SQL_Server_Replication
Analyze_SQL_Reporting_Services
Analyze_SQL_Server_Setup
Note Only one SQL Server instance can be scanned at a time through the MBCA GUI
6 Click Start Scan MBCA will start the configured scan and display the below page while in
progress
7 When the scan is complete results will be displayed grouped by Severity as shown below
Page 20
43 Connect to a remote computer
A scan connected to a remote computer is different than scanning an alternate server
ldquoConnect to a Remote Computerrdquo is functionality provided by Microsoft Baseline Configuration Analyzer
and is used to remotely run MBCA against a server from the console of the client The client needs to
have MBCA installed but does not need BPA as it is literally running the copy of MBCA installed on the
server using the BPA installed on the server In this case the copy of MBCA installed on the client is
used only to remotely connect to the copy of MBCA installed on the server
To use this functionality you first start MBCA on the client computer and select ldquoConnect to Another
Computerrdquo
1 In the ldquoConnect to Another Computerrdquo text box you can specify a NetBIOS name a fully qualified
domain name (FQDN) or an IPv4 or IPv6 address If no port number is specified the default port
number is used The following are examples of formats that you can specify in the Connect to
Another Computer text box
ComputerName
Page 21
ComputerNamePortNumber
IP address nnnn
IPv6 address [nnnnnnnn]
IPv4 address with port number nnnnPortNumber
IPv6 address with port number [nnnnnnnn]PortNumber
Note If an administrator has changed the computerrsquos default port number any port other than the
default port must be opened in Windows Firewall to allow incoming connections on that port Port
5985 is opened by default when WinRM is configured All other ports remain blocked until opened
For more information about how to unblock a port in Windows Firewall see the Help for Windows
Firewall For more information about how to configure WinRM in a Command Prompt session type
winrm help and then press Enter
2 Additionally you must supply credentials
3 CredSSP
Windows Remote Management (WinRM) supports the delegation of user credentials across
multiple remote computers The multi-hop support functionality can now use Credential Security
Service Provider (CredSSP) for authentication CredSSP enables an application to delegate the
userrsquos credentials from the client computer to the target server
CredSSP authentication is intended for environments where Kerberos delegation cannot be used
Support for CredSSP was added to allow a user to connect to a remote server and have the ability
to access a second-hop machine such as a file share
Note WinRM clients and servers will support CredSSP authentication only with explicit credentials
Windows XP Windows Server 2003 and earlier CredSSP is not supported
First you must set CredSSP on both the client and the server
Using the Group Policy Editor (gpeditmsc) make sure to enable ldquoAllow Delegating Fresh
Credentialsrdquo and check ldquoConcatenate OS defaults with input aboverdquo
Add the server or domain to the list of servers in the format ldquoWSMANdomainnamecomrdquo
Next enable and configure PowerShell Remoting on both the Client and Server by running the
following commands in a PowerShell command window opened with elevated permissions Note
Page 22
You can configure a single machine as both a client and a server simultaneously so that you can
scan from either computer
Enable PowerShell Remoting
o Enable-psremoting ndashf
Settings for a client
o Enable-WSManCredSSP ndashrole Client ndashDelegateComputer [NetBiosNameOfServer]
or
o Enable-WSManCredSSP ndashrole Client ndashDelegateComputer [FQDN OF SERVER]
Settings for the server
o Enable-WSManCredSSP ndashrole Server
o set-item WSManlocalhostShellMaxMemoryPerShellMB ndashValue 20000
o set-item WSManlocalhostShellMaxShellsPerUser ndashvalue 20
44 PowerShell
Details see 91 PowerShell
To use the functionality of the Microsoft Baseline Configuration Analyzer you must import this module
first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
441 Run Scan
To run a full scan of the BPA on the alternate server on a named instance you can use the following
command line
Invoke-MBCAModel -ModelId SQL2008R2BPA -Alternate_Server_to_scan
servername -SQL_Server_Instance_Name instancename -
Analyze_SQL_Server_Engine -Analyze_SQL_Server_Replication -
Page 23
Analyze_SQL_Server_Setup -Analyze_SQL_Analysis_Services -
Analyze_SQL_Integration_Services -Analyze_SQL_Reporting_Services
The result looks like this part
ModelId SQL2008R2BPA
SubModelId
Success True
ScanTime
Success = True is important This is the indicator that your scan was successful
Parameter description
-Alternate_Server_to_scan servername
-SQL_Server_Instance_Name instancename
-Analyze_SQL_Server_Engine
-Analyze_SQL_Server_Replication
-Analyze_SQL_Server_Setup
-Analyze_SQL_Analysis_Services
-Analyze_SQL_Integration_Services
-Analyze_SQL_Reporting_Services
The parameter list is equal the parameter screen in the GUI
The scans of the different services are optional You can remove technologies which you do not need
to scan
The next example starts the scan only for the Analysis Services on the alternate server ldquoservernamerdquo
and for the named instance ldquoinstancerdquo A log file will be written to ldquoctempssastxtrdquo
Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId AnalysisServices -
ComputerName servername -SqlServerInstance instance -SSASLogFile
ctempssastxt
Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId Engine -ComputerName
computername -SqlServerInstance servername -CurrentLoginName
($EnvUSERDOMAIN + + $EnvUSERNAME)ToString() -EngineLogFile
ctempenginetxt ndashRepositoryPath (CTEMPSQL2008 + (Get-
Date)ToString(yyyyMMdd))ToString()
442 Create Report
model = get-MbcaModel ndashModelId sql2008r2bpa
$scanResult = get-MbcaResult ndashModelId sql2008r2bpa
$collectedConfig = get-MbcaResult ndashModelId sql2008r2bpa ndash
CollectedConfiguration
$model $scanResult $collectedConfig | export-CliXml ctempasxml
Get-MBCAResult -ModelId SQL2008R2BPA -SubModelId AnalysisServices |
ConvertTo-Html | Add-Content -Path ctesthtml
The next command retrieves the results of the most recent BPA scan for the specified model and
saves them in HTML format applying the standard cascading style sheets that are stored in the path
windirsystem32WindowsPowerShellv10ModulesBestPracticesBestPracticesReportFormatc
Page 24
ss If you want to substitute cascading style sheets provide the path to the different cascading style
sheets
Get-MBCAResult -ModelId SQL2008R2BPA | $_Severity -eq Warning -or
$_Severity -eq Error | ConvertTo-Html -As Table -property ResultNumber
SubModelID ComputerName Severity Category Title Problem Impact
Resolution Help -Head lth1gtSQL Server 2008 (R2) Best Practice Analyzer
Reportlth1gtrdquo -Title SQL Server 2008 Best Practice Analyzer -body
(ltpgtReport creation date + (Get-Date)ToString(ddMMyyyy hhmmss) +
ltpgt)toString() -pre ltPgtGenerated by user $envusername on computer
$envcomputernameltPgt -post For details contact Microsoft Premier-
CssUri $env BestPracticesReportFormatcss gt ctempsql2008r2bpahtm
443 Exporting and opening reports by using Get-MBCAResult
You can use the Get-MBCAResult cmdlet to export scan results and configuration data to an XML
report that you can open for viewing in the future either by using Get-MBCAResult or by using the
MBCA GUI Exporting reports allows you to compare older scans with more recent scans to measure
the progress of your best practice compliance
Example of exporting to XML
$results = Get-MBCAResult ltModel Idgt
$collectedconfig = Get-MBCAResult ltModel Idgt -CollectedConfiguration
$results $collectedconfig | Export-CliXml cexportxml
Example of opening archived XML report file
$loadedResults $loadedConfiguration = Import-CliXml cexportxml
444 Report Result Directory
The reporting result path
AppDataMicrosoftBaselineConfigurationAnalyzer
2ReportsSQL2008R2BPAResults
Will be overwritten during each run of the tool or invoke command
Solution save older results before you start the check
copy-item -path ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2Reports)ToString() -
destination ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2Reports_ + (Get-
Date)ToString(yyyyMMddhhmmss))ToString() ndashrecurse
Afterwards you can create a report with the following command
$prevrepPath = (Get-ChildItem ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2)ToString() -exclude
Reports | Sort-Object name -descending)[0]
Get-MBCAResult -ModelId SQL2008R2BPA ndashRepositoryPath ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2rdquo +
$prevrepPathname)ToString() | ConvertTo-Html -As Table -property
ResultNumberSubModelID ComputerName Severity Category Title Problem
Impact Resolution Help -Head lth1gtSQL Server 2008 (R2) Best Practice
Analyzer Reportlth1gtrdquo -Title SQL Server 2008 Best Practice Analyzer -body
(ltpgtReport creation date + (Get-Date)ToString(ddMMyyyy hhmmss) +
ltpgt)toString() -pre ltPgtGenerated by user $envusername on computer
Page 25
$envcomputernameltPgt -post For details contact Microsoft Premier gt
ctempsql2008r2bpahtm
Page 26
5 TROUBLESHOOTING
51 Application directories
To following directories are used by MBCA
Report output directory localappdataMicrosoftMicrosoftBaselineConfigurationAnalyzer 2ReportsSQL2008R2BPAResults
Model configuration path ProgramdataMicrosoftMicrosoft Baseline Configuration Analyzer 2ModelsSQL2008R2BPA
Temp and log files directory tempSQL2008R2BPASQL2008ltdategt_lttimegt
Registry [HKEY_LOCAL_MACHINESOFTWAREMicrosoftBaselineConfigurationAnalyzer]
Log Files
During Data Discovery SQL Server 2008 R2 BPA creates log files for troubleshooting The log file
contains the following information
Pre-requisite validation
Timestamp finished rules start and end times
Run-time scripting errors and exceptions from Power Shell Traps
Log Files Location
For every scan log files are created in userrsquos Local Temp directory (Temp) and follows the folder
structure SQL2008R2BPAlt Instance Name gtlt datestamp_timestamp gtlt Log files gt
Note In case of a remote scan the category log files are generated on the remote system at the same
path whereas the common log file is generated in the local system
Log Files Structure
A common log file gets generated and contains information about each categorys execution Apart
from this each category has its own log file which details the rule execution The names of the log files
are given below
Common File - ModelLogtxt
Engine Rules - EngineLogtxt
Replication Rules - ReplicationLogtxt
Setup Rules - SetupLogtxt
Analysis Services Rules - AnalysisServicesLogtxt
Reporting Services Rules - ReportingServicesLogtxt
Integration Services Rules - IntegrationServicesLogtxt
52 Windows Server 2003 ndash NumberOfLogicalProcessors
Analysis Services RID2803 and RID2804 ndash NumberOfLogicalProcessors property is unavailable in
Win32_Processor for with Windows Server 2003
Solution The NumberOfLogicalProcessors property does not exist in the WIN32_PROCESSOR object
in Windows Server 2003 It has been implemented in the hotfix
httpsupportmicrosoftcomkb932370
Both of the rules below will function properly if you apply this hotfix For more information look here
Page 27
53 MBCA
This message indicates that on prerequisite is not installed
Please install the version 2 of the MBCA
54 Where can I find the Instance name in result set of the analyzer
report
The instance name is in the collected data option of the analyzer report in the BPA GUI
55 Memory limit of remote PowerShell process
By default remote PowerShell process can consume only 150 MB or less memory This default limit is
significantly small and once this limit is reached there could be a WinRM exception causing and remote
connection immediately terminates Any application or Cmdlet which is involved in PowerShell
remoting should be tested for this memory limit this may cause some of the command to fail for
example site collection creation
Solution Increase the memory limit for the remote shell Use the following command to increase this
limitation to 1000MB This is only necessary if you need to run those commands on that server
Set-Item WSManlocalhostShellMaxMemoryPerShellMB 1000
56 Remote connect
If you try to ldquoConnect to another computerrdquo from MBCA and you receive the following message
Page 28
You should check first if the Hotfix KB968930 is installed
Afterwards validate that the ldquoWindows Remote Managementrdquo service is started
Enable-PSRemoting
If CredSSP is unsupported or unavailable you will see the following message
Page 29
If you have no permission to access the remote server you get the error message
Page 30
57 Installation
571 PowerShell error
After getting through the Pre-Reqs for BPA (PowerShell 20 MBCA NET Framework) you may hit
one of two scenarios when installing BPA
In all of the cases of an install failure you will see the following error
There is a problem with this Windows Installer package A program run as part of the setup did not
finish as expected Contact your support personnel or package vendor
In your Application Event Log for both of these scenarios you will also see the following entry
Log Name Application
Source MsiInstaller
Date 6102010 83818 AM
Event ID 11722
Task Category None
Level Error
Keywords Classic
User ltUsernamegt
Computer ltMachine namegt
Description
Product Microsoft SQL Server 2008 R2 BPA -- Error 1722 There is a problem
with this Windows Installer package A program run as part of the setup did
not finish as expected Contact your support personnel or package
vendor Action EnablePSRemoting location powershellexe command -NoLogo
-NoProfile -Command Enable-PSRemoting ndashforce
Page 31
This is an indicator that PowerShell is not configured You must run the following command
powershellexe -NoLogo -NoProfile -Command Enable-PSRemoting ndashforce
572 Workgroup or Non-Domain computer
In this scenario the Enable-PSRemoting command should execute fine from a PowerShell prompt
The actual error coming back from the PowerShell command within the Installer is ldquoAccess Deniedrdquo
To work around this issue you can do the following
1 Open a command prompt with Administrative Privileges
2 Change to the directory where the msi file resides
3 Type msiexec i ltMSI Namegt SKIPCA=1
4 MSI Name will either be SQL2008R2BPA_Setup32msi or SQL2008R2BPA_Setup64msi
depending on your platform
5 Once BPA is installed open a PowerShell prompt with Administrative Privileges
6 Execute the following commands
a Enable-PSRemoting
b winrm set winrmconfigwinrs ``MaxShellsPerUser=`10``
This should allow BPA to be successfully installed in the workgroup scenario
573 Kerberos Failure
This scenario is that you are failing with the above due to a Kerberos issue This particular issue could
actually show up after you have installed BPA depending on how you have configured your
environment
The issue stems from the fact that the Windows Remoting Windows Service uses the Network Service
account Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos As a
result it will be using the HOST Service Principal Name (SPN) that is on the Machine Account as it is
running under that context You may have an HTTP SPN that resides on a different account with that
host name For example if you are running an IIS Web Application such as SharePoint or if you are
using Reporting Services and the service account is set to a Domain User account instead of Network
Service or Local System If your URL of your application matches the machine name then your HTTP
SPN will be the same Thatrsquos where this problem comes in WinRM will stop working at that point and
give you a message similar to the following
Set-WSManQuickConfig WinRM cannot process the request The following error
occured while using Negotiate authentication An unknown security error
occurred
Possible causes are
-The user name or password specified are invalid
-Kerberos is used when no authentication method and no user name are
specified
-Kerberos accepts domain user names but not local user names
-The Service Principal Name (SPN) for the remote computer name and port
does not exist
-The client and remote computers are in different domains and there is no
trust between the two domains
After checking for the above issues try the following
-Check the Event Viewer for events related to authentication
-Change the authentication method add the destination computer to the
WinRM TrustedHosts configuration setting or use HTTPS transport
Note that computers in the TrustedHosts list might not be authenticated
-For more information about WinRM configuration run the following
Page 32
command winrm help config
At line50 char33
+ Set-WSManQuickConfig ltltltlt -force
+ CategoryInfo InvalidOperation () [Set-WSManQuickConfig]
InvalidOperationException
+ FullyQualifiedErrorId
WsManErrorMicrosoftWSManManagementSetWSManQuickConfigCommand
You can get this type of error from WinRM for muliple reasons The one that
we saw in our testing was the HTTP SPN scenario
If you do have an HTTP SPN defined on a Domain Account that is using the name of your machine
you have some options First you can follow the steps mentioned above to get BPA installed The
Enable-PSRemoting command will give you the above error You can temporarily remove the HTTP
SPN to get remoting enabled and then re-add the HTTP SPN
Once BPA is setup you will still not be able to run BPA if you put the HTTP SPN back in place You will
see the following when you attempt to perform a scan
This will occur regardless of which component you try to scan It could be the Engine Setup RS etchellip
One option to perform the scan successfully is to temporarily remove the HTTP SPN again run the
scan and then put the HTTP SPN back in place Another option but one that will probably require
further testing from your applicationrsquos end would be to run the application under a Host Header and
then your HTTP SPN would not include the machine name allowing BPA to run without issue
Page 33
6 RULES
Searching for ldquoSQL Server 20087 R2 BPArdquo at Microsoftcom reveals
Here is an example of one of these articles that talks about a rule to check for a recent ldquocleanrdquo
CHECKDB
Page 34
BPA works by measuring a rolersquos compliance with best practice rules in eight different categories of a
rolersquos effectiveness trustworthiness and reliability Results of measurements can be any of the three
severity levels described in the following table
Severity level Description
Noncompliant Noncompliant results are returned when a role does not satisfy the conditions of a rule
Compliant Compliant results are returned when a role satisfies the conditions of a rule
Warning Warning results are returned when a role is compliant as operating currently but may not satisfy the conditions of a
rule if changes are not made to its configuration or policy settings For example a scan of Remote Desktop Services
might show a warning result if a license server is unavailable to the role because even if no remote connections are
active at the time of the scan not having the license server prevents new remote connections from obtaining valid
client access licenses
Page 35
BPA rule categories
The following table describes the categories of best practice rules against which roles are measured
during a BPA scan
Category Name Description
Security Security rules are applied to measure a rolersquos relative risk for exposure to threats such as unauthorized or malicious
users or loss or theft of confidential or proprietary data
Performance Performance rules are applied to measure a rolersquos ability to process requests and perform its prescribed duties in
the enterprise within expected periods of time given the rolersquos workload
Configuration Configuration rules are applied to identify role settings that might require modification for the role to perform
optimally Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role
from performing its prescribed duties in an enterprise
Policy Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the
role to operate optimally and securely
Operation Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise
Predeployment Predeployment rules are applied before an installed role is deployed in the enterprise to let administrators to
evaluate whether best practices were satisfied before you use the role in production
Postdeployment Postdeployment rules are applied after all required services have started for a role and the role is running in the
enterprise
BPA Prerequisites BPA Prerequisite rules explain configuration settings policy settings and features that are required for the role
before BPA can apply specific rules from other categories A prerequisite in scan results indicates that an incorrect
setting a missing role role service or feature an incorrectly enabled or disabled policy a registry key setting or
other configuration has prevented BPA from applying one or more rules during a scan A prerequisite result does
not imply compliance or noncompliance It means that a rule could not be applied and therefore is not part of the
scan results
61 Engine Rules
Please find below a summary of the 74 Engine Rules with the links to the rule descriptions These rules
are checking that you have a secure resilient and well performing SQL configuration
Authentication Mode (httpsupportmicrosoftcomkb2028697)
Lightweight Pooling is enabled (httpsupportmicrosoftcomkb2160691)
Locks Configuration Not Dynamic (httpsupportmicrosoftcomkb2199576)
non-default network packet size in use (httpsupportmicrosoftcomkb2157175)
degree of parallelism not set to recommended value (httpsupportmicrosoftcomkb2023536)
Use Database Mail instead of SQL Mail (httpsupportmicrosoftcomkb2028584)
SQL Server Agent Proxy Account (httpsupportmicrosoftcomkb2160741)
SQL Login Password Policy Strength and password expiry
(httpsupportmicrosoftcomkb2028712)
Trustworthy Bit (httpsupportmicrosoftcomkb2183687)
Symmetric Keys Check (httpsupportmicrosoftcomkb2162020)
Asymmetric Keys Check (httpsupportmicrosoftcomkb2162020)
SQL Server installed on PDC BDC (httpsupportmicrosoftcomkb2032911)
Page 36
SQL Server Admin role membership check (httpsupportmicrosoftcomkb2184138)
Windows API calls intercepted (httpsupportmicrosoftcomkb2033238)
unsupported DotNET framework assemblies present (httpsupportmicrosoftcomkb2033344)
Disk partition starting offset may be incorrect (httpsupportmicrosoftcomkb2023571)
non-default max worker threads value configured (httpsupportmicrosoftcomkb2157129)
Guest Permissions (httpsupportmicrosoftcomkb2186935)
Data and Log files on the same volume (httpsupportmicrosoftcomkb2033523)
IO timeouts and IO controller errors detected (httpsupportmicrosoftcomkb2091098)
IO device errors detected (httpsupportmicrosoftcomkb2091098)
IO errors during page faults detected (httpsupportmicrosoftcomkb2091098)
cluster disk corruption encountered (httpsupportmicrosoftcomkb2091098)
disk defragmentation encountered corruption (httpsupportmicrosoftcomkb2091098)
failed IO requests detected (httpsupportmicrosoftcomkb2091098)
IO requests are successful when retried (httpsupportmicrosoftcomkb2015757)
IO Delay Problems reported by SQL Server (httpsupportmicrosoftcomkb2137408)
This system experienced unexpected shutdowns (httpsupportmicrosoftcomkb2091098)
tempdb corruption errors fix missing (httpsupportmicrosoftcomkb960770)
Critical SQL database inconsistency errors found (httpsupportmicrosoftcomkb2152734)
Logical consistency errors detected (httpsupportmicrosoftcomkb2152472)
Database have auto shrink option enabled (httpsupportmicrosoftcomkb2160663)
SQL Server Error logs are very big (httpsupportmicrosoftcomkb2199578)
incorrect affinity mask settings detected httpsupportmicrosoftcomkb2157114
Very low blocked process threshold setting detected httpsupportmicrosoftcomkb2157154
Potential security issue with legacy DTS stored procedures
httpsupportmicrosoftcomkb2202875
Winsock LSP loaded into SQL httpsupportmicrosoftcomkb2033448
Databases using simple recovery model httpsupportmicrosoftcomkb2137539
User database collation different from model httpsupportmicrosoftcomkb2026108
Database files and backups exist on the same volume httpsupportmicrosoftcomkb2027537
Databases have auto close option enabled httpsupportmicrosoftcomkb2160685
LSI SAS drivers needs update httpsupportmicrosoftcomkb2121098
SQL tempdb database not configured optimally httpsupportmicrosoftcomkb2154845
SQL Database file has sparse attribute set httpsupportmicrosoftcomkb2028447
Invalid startup parameters httpsupportmicrosoftcomkb2028433
MSDTC settings not configured optimally httpsupportmicrosoftcomkb2027550
sql incorrect results fix missing httpsupportmicrosoftcomkb971780
File System needs tuning for better FileStream performance
httpsupportmicrosoftcomkb2160002
linked server memory leak fix missing httpsupportmicrosoftcomkb971622EN-US
Windows service pack is not at recommended level httpsupportmicrosoftcomkb2121098
default extended event health session not in expected state
httpsupportmicrosoftcomkb2160570
TcpSysAndChimneyCheck httpsupportmicrosoftcomKB918483
FDHOST Launcher service is not configured properly httpsupportmicrosoftcomkb2160720
Unrecommended SQL Server Agent service account httpsupportmicrosoftcomkb2160720
A required Windows fix to avoid sparse file related problems is missing
httpsupportmicrosoftcomkb2002606
Page 37
Significant Portion of SQL Server Memory Has Been Paged Out
httpsupportmicrosoftcomkb2028324
Server Exception or Hang Detected on Server httpsupportmicrosoftcomkb2028589
Databases exist without CHECKSUM protection httpsupportmicrosoftcomkb2078345
backups outdated for databases httpsupportmicrosoftcomkb2027537
Database consistency check not current httpsupportmicrosoftcomkb2033590
SQL Server Memory settings are incorrect httpsupportmicrosoftcomKB918483EN-US
Autogrow Failed or took a long time httpsupportmicrosoftcomkb2091024
Storport driver fix from KBA 940467 missing httpsupportmicrosoftcomkb2121098
Storport driver fix from KBA 950903 missing httpsupportmicrosoftcomkb2121098
SQLCLR needs additional memory configuration httpsupportmicrosoftcomkb969962EN-US
Operating System files and drivers needs update for working set trimming
httpsupportmicrosoftcomkb2121098
Agent Token Replacement httpsupportmicrosoftcomkb2202637
Auditing Log in failures httpsupportmicrosoftcomkb2187161
Databases with high number of VLF present httpsupportmicrosoftcomkb2028436
Transparent Data Encryption Certificate httpsupportmicrosoftcomkb2201900
Permission on the Binn folder httpsupportmicrosoftcomkb2029023
Index Statistics Are Outdated
Server public permissions httpsupportmicrosoftcomkb2160698
Detected use of older versions of SQLNCLI httpsupportmicrosoftcomkb979779
62 AS Rules
Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions
Flight Recorder Enabled for SQL Server Analysis Services
httpsupportmicrosoftcomkb2128005
Excessive amount of memory preallocated to Analysis Services
httpsupportmicrosoftcomkb2027474
Server not configured for optimal concurrent query throughput
httpsupportmicrosoftcomkb2135031
Non standard value detected for Analysis Services memory configuration
httpsupportmicrosoftcomkb2027472
Process Thread Pool Max limit above recommended limit
httpsupportmicrosoftcomkb2134497
Process Thread Pool Minimum is below the recommended limit
httpsupportmicrosoftcomkb2134855
Server is running a build with a known regression httpsupportmicrosoftcomkb2157941
Slice not set on a ROLAP partition or a partition where proactive caching is enabled and
ROLAP storage ay occur httpsupportmicrosoftcomkb2027754
Server is ignoring duplicate key errors httpsupportmicrosoftcomkb2027761
No default member defined for non-aggregatable attribute
httpsupportmicrosoftcomkb2027769
UnknownMember set to hidden httpsupportmicrosoftcomkb2027628
Non-numeric key column for high cardinality attribute httpsupportmicrosoftcomkb2028138
Attribute hiearchy enabled for high cardinality non-key attribute
httpsupportmicrosoftcomkb2028143
ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition
detected httpsupportmicrosoftcomkb2132742
Page 38
Account or Time attribute types defined in a non-matching dimension type
httpsupportmicrosoftcomkb2157299
An Account or Time dimension has no matching attribute defined
httpsupportmicrosoftcomkb2027418
Dimension has no attribute defined with the same type
httpsupportmicrosoftcomkb2027443
Attribute Dimension type mismatch httpsupportmicrosoftcomkb2157327
Mismatched dimension attribute types detected in dimension
httpsupportmicrosoftcomkb2027459
Possible incorrect order of levels defined in hierarchy httpsupportmicrosoftcomkb2027460
Define attribute relationships as Rigid where possible httpsupportmicrosoftcomkb2027468
Redundant attribute relationships detected httpsupportmicrosoftcomkb2127437
Diamond-shape relationship detected httpsupportmicrosoftcomkb2127570
Non-Standard Attribute Relationship name detected httpsupportmicrosoftcomkb2127862
Proactive Caching set for dimension without a processing query
httpsupportmicrosoftcomkb2027541
No Time dimension detected httpsupportmicrosoftcomkb2027532
More than 3 parent-child dimensions with custom rollups defined
httpsupportmicrosoftcomkb2134431
Encountered a parent-child dimension with more than 500000 members
httpsupportmicrosoftcomkb2131918
Single attribute dimensions detected httpsupportmicrosoftcomkb2141654
Measure groups with zero dimensional overlap detected in cube
httpsupportmicrosoftcomkb2027609
Proactive Caching set for a partition without a processing query
Default measure for perspective not in the perspective
httpsupportmicrosoftcomkb2027603
Use MOLAP storage for dimensions that participate in semi-additive measure groups
httpsupportmicrosoftcomkb2135112
Measure group defined with no partition httpsupportmicrosoftcomkb2027545
63 RS Rules
RSWindowsNegotiate is missing from your configuration
httpsupportmicrosoftcomkb2145506
HTTP Logging is not enabled httpsupportmicrosoftcomkb2145909
Verbose logging is enabled httpsupportmicrosoftcomkb2146315
NTLM authentication may fail for local httpsupportmicrosoftcomkb2146369
Missing extended protection settings httpsupportmicrosoftcomkb2146062
64 IS Rules
Logging task missing for package httpsupportmicrosoftcomkb2027723
ActiveX Script task detected in package httpsupportmicrosoftcomkb2027712
Unrecommended Integration Services service account detected
httpsupportmicrosoftcomkb2027684
Integration Services logging table found in system database master and or msdb
httpsupportmicrosoftcomkb2027706
Integration Services memory dump detected httpsupportmicrosoftcomkb2027727
Page 39
65 Setup Rules
Unsupported Operating System Version Detected httpsupportmicrosoftcomkb2022909
WOW64 not supported for SQL Failover Clustering httpsupportmicrosoftcomkb2157198
Installer cache is missing for the SQL Installation httpsupportmicrosoftcomkb2015100
SQL Server WMI Provider Health Check
66 Replication Rules
Replication Timeout Alerts Type httpsupportmicrosoftcomkb2118349
Replication Pub and Sub out of sync (Data Validation) httpsupportmicrosoftcomkb2118386
Replication Pub and Sub out of sync (Constraint Violations)
httpsupportmicrosoftcomkb2118410
Replication Pub and Sub out of sync (Skipped Transactions)
httpsupportmicrosoftcomkb2194498
Merge Replication Health Check httpsupportmicrosoftcomkb2118445
Subscriptions Approaching Expiration httpgomicrosoftcomfwlinkLinkId=184483
Replication Cleanup and Retention Health Check httpsupportmicrosoftcomkb2118485
Replication Latency Threshold violations httpsupportmicrosoftcomkb2118425
Page 40
7 HOW TO DEAL WITH DEVIATIONS
Deviations from these Best Practices may indicate potential issues and configuration changes may be
necessary Make sure you have tested any intended changes in a test environment before deploying
them to a production environment You could also find deviations from Best Practices that are
acceptable or even necessary for your environment For example
SAP has its special Network Packet Size of 8 KB
Existing Non-Microsoft Clients ndash would require Mixed Mode Authentication
Page 41
8 MOTIVATION TO USE SQL BPA R2
Bob Ward explained in his Article ldquoWhy use SQL Server 2008 R2 BPA Case 1 Missing Updatesrdquo
the common pitfalls during maintenance and operation of SQL Server and how address them by using
the SQL BPA
In brief itrsquos a customer scenario where the customer is facing an issue after a major update to
SQL2008 After some troubleshooting and an update to a certain CU (that is meant to fix the issue) the
problem still occurs Bobs article states the common resulting consequences ndash the involvement of
Microsoft Support and the final solution ndash adding a needed traceflag
The good news in this story is that the customer would not have needed to go to all that effort if they
would have run the SQL BPA It would have told them about the update and instructed them to put the
traceflag in place BPA is a mechanism that proactively advises you and instructs you on dealing with
common known issues
Page 42
9 ADDITIONAL INFORMATION
91 PowerShell
To use the functionality of the Baseline Configuration Analyzer with PowerShell you must import this
module first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
The following commands are stored in this module
Get-MbcaModel
Get-MbcaResult
Invoke-MbcaModel
Set-MbcaResult
You get help of this command with the following syntax
Get-help ltcommandgt -full
911 Get-MBCAModel
SYNOPSIS
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer
SYNTAX
Get-MBCAModel [[-ModelId] ltstring[]gt] [[-SubModelId] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer If no parameter is
specified Get-MBCAModel returns all models that are installed on the computer If a model is specified
by using the -ModelId parameter information about the specified model is returned
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
The results of the Get-MBCAModel cmdlet include the following details about models
1 Branding information (manufacturer or company display names version number) that is found in
the model manifest
2 Dynamic parameters that are included with the model
3 Submodels that are included with the model
PARAMETERS
-ModelId ltstring[]gt
The -ModelId parameter specifies the ID of the MBCA model about which you want to view
details You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet with no parameters and targeted at a computer on which MBCA models are installed
Page 43
This parameter supports wild card characters
Required false
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you
want to view details You can obtain valid values for the -SubModelId parameter by running the
Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models
are installed Not all models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
Examples
Get-MBCAModel
In the preceding example Get-MBCAModel with no parameters added returns details about all MBCA
models that are installed on the computer
Get-MBCAModel -ModelId SQL2008R2BPA
The preceding example can be used to return details about the MBCA model that is specified in the -
ModelId parameter represented by Model Id
$model= Get-MBCAModel -ModelId SQL2008R2BPA
$modelParameters
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the Parameters property of the model details that were stored in the
$model object returns details about which parameters are supported by the model
Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId ltSubModel Idgt
The preceding example can be used to return details about the MBCA sub-model that is specified by
the -SubModelId parameter represented by SubModel Id Note that the -ModelId parameter is
required by the -SubModelId parameter
$model= Get-MBCAModel -ModelId SQL2008R2BPA
Page 44
$modelSubModels
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the SubModels property of the model details that were stored in the
$model object returns a list of the submodels of the model specified in the first line
912 Invoke-MBCAModel
SYNOPSIS
The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA)
scan for a specific model that is installed on your computer
SYNTAX
Invoke-MBCAModel [-ModelId] ltstringgt -SubModelId ltstringgt [-Authentication
ltAuthenticationMechanismgt] [-CertificateThumbprint ltstringgt] [-ComputerName
ltstring[]gt] [-ConfigurationName ltstringgt] [-Context ltstringgt] [-Credential
ltstringgt] [-Mode ltModeEnumgt] [-Port ltintgt] [-RepositoryPath ltstringgt] [-
ThrottleLimit ltintgt] [-UseSSL] [ltCommonParametersgt]
DESCRIPTION
The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer
(MBCA) scan for a specific model that is installed on your computer The model is specified either by
using the parameter -ModelId or by piping the results of the Get-MBCAModel cmdlet into an Invoke-
MBCAMode cmdlet
After the MBCA scan has been performed the results of the scan are available to be retrieved by Get-
MBCAResult cmdlet
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Authentication ltAuthenticationMechanismgt
Specifies the authentication mechanism that is used to authenticate the users credentials Valid
values include Default Basic CredSSP Digest Kerberos Negotiate and
NegotiateWithImplicitCredential The default value is Default
For more information about the -Authentication parameter type the following and then press
Enter
Get-Help Invoke-Command -Parameter Authentication
Required false
Position named
Default value Default
Accept pipeline input false
Accept wildcard characters false
-CertificateThumbprint ltstringgt
Page 45
Specifies the digital public key certificate (X509) of a user account that has rights to perform the
cmdlet action The valid value is the certificate thumbprint of the certificate
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Certificate Thumbprint
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific
computer by adding this parameter Valid values include NETBOS names IP addresses or fully-
qualified domain names of one or more computers in a comma-separated list To specify the local
computer type the computer name or localhost
All formats that are accepted by the -ComputerName parameter in Invoke-Command are
accepted
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ConfigurationName ltstringgt
Specifies the session configuration that is used for a new PSSession
Enter a configuration name or the fully-qualified resource URI for a session configuration
Session configuration data is found on the remote computer on which you want to run a cmdlet
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ConfigurationName
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
The -Context parameter lets you run scans on a submodel in the context of a specific model (one
that is different from the parent model of the submodel) For example an administrator might
want to run a scan on the Backend submodel of the SQL model but only those in the context
of a third model a technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
Page 46
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Credential ltstringgt
Specifies a user account that has permission to run this cmdlet The default value is the current
user
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Credential
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Mode ltModeEnumgt
The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered
documents or discovery The default is to perform both discovery and analysis or All
If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet both discovery and
analysis are performed during a scan
Valid values are Discovery Analysis and All
Required false
Position named
Default value All
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model that you want to scan You can
obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at
a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
Page 47
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-Port ltintgt
Specifies the network port on a remote computer on which you want to run a scan The default
value is port 80
For more information on this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Port
Required false
Position named
Default value 80
Accept pipeline input false
Accept wildcard characters false
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a pathname If the parameter is not used the cmdlet writes
results to the default result repository
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to
scan You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed Not all models have
submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ThrottleLimit ltintgt
Specifies the maximum number of concurrent connections that can be established to run the
cmdlet If you omit this parameter or enter a value of 0 the default value of 32 is used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ThrottleLimit
Required false
Page 48
Position named
Default value 32
Accept pipeline input false
Accept wildcard characters false
-UseSSL [ltSwitchParametergt]
Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer
By default SSL is not used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter UseSSL
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceInvokeBpaModelOutputgt
The output object encapsulates the results of the cmdlet that you entered It contains information such
as the MBCA model ID the success or failure of the cmdlet and other details
NOTES
If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C)
before the temporary results file is copied to its final location the temporary file is discarded and any
previous scan results file for the role are preserved The message Processing of Invoke-MBCAModel
cancelled by user is displayed if the command is cancelled before existing scan results files are
overwritten
If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel
cmdlet and the command is cancelled scans that were completed before the cancel command was
entered cannot be cancelled A scan in progress behaves as described above in the single-model scan
cancellation scenario Subsequent scans in the pipeline are cancelled
If a concurrent scan of the same model is attempted the cmdlet returns the following error message
Another scan for this MBCA model is in progress Only one scan is allowed at a time
-------------------------- EXAMPLE 1 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA
Description
The preceding example starts a MBCA scan on the model that is represented by ltModel Idgt
-------------------------- EXAMPLE 2 --------------------------
Page 49
Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name
redmondmicrosoftcom
Description
The preceding example starts an MBCA scan on the model ID that is specified by Model Id
The administrator starts the MBCA scan with additional model-specific parameters that are exposed by
the model (For an example of how to obtain model-specific parameters see the examples for the Get-
MBCAModel cmdlet)
For example to scan a model that requires model-specific parameters (such as -Scope and -Name) to
be passed to the command the administrator can specify the values of these model-specific
parameters with the Invoke-MBCAModel cmdlet
-------------------------- EXAMPLE 3 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The
cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion
of the scan
-------------------------- EXAMPLE 4 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath
ltRepository Pathgt
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The -
Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on
existing documents that are specified in the non-default repository path provided with the -Repository
Path parameter
-------------------------- EXAMPLE 5 --------------------------
Invoke-MBCAModel -Id ltModel Idgt -SubModelId ltSubModel Idgt -ComputerName
ltServergt -Context ltContext Model Idgt -RepositoryPath ltRespository Pathgt -
AsJob -Authentication ltAuthenticatonMechanismgt -Port ltPort Numbergt -UseSSL -
ThrottleLimit ltThrottle Limitgt
Description
The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id
and on the computer that is represented by Server
Because the administrator only wants to see results from the submodel that apply in the context of a
third model the administrator runs the scan within the context of the model ID that is specified in the -
Context parameter The cmdlet results are saved to the non-default repository path that is specified in
the -RepositoryPath parameter
Because the -AsJob parameter is added the scan runs in the background The -AsJob -
Authentication -Port -UseSSL and -ThrottleLimit parameters are passed through for use by the
Invoke-Command cmdlet to perform discovery on a remote computer For more information about
these parameters see the Help for the Invoke-Command cmdlet available in Windows PowerShell V2
913 Get-MBCAResult
SYNOPSIS
Page 50
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
SYNTAX
Get-MBCAResult [-ModelId] ltstringgt [[-CollectedConfiguration]] -SubModelId
ltstringgt [-ComputerName ltstring[]gt] [-Context ltstringgt] [-Filter
ltFilterEnumgt] [-RepositoryPath ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
To use the command add the -ModelId parameter and then specify the model ID for which you want
to view the most recent MBCA scan results or collected configuration data If you want to retrieve the
configuration data collected add the -CollectedConfiguration switch parameter
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-CollectedConfiguration [ltSwitchParametergt]
The -CollectedConfiguration parameter allows you to obtain the configuration data that was
collected for the most recent MBCA scan If this switch parameter is added to Get-MBCAResults
the cmdlet returns only the configuration data that was collected for a scan
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The -ComputerName parameter lets you obtain scan results that were collected for the most
recent MBCA scan of a submodel on a specific computer To specify the local computer type the
computer name or localhost Multiple values for -ComputerName can be separated by
commas
The -SubModelId parameter is required by the -ComputerName parameter
Valid values for the -ComputerName parameter include localhost a NET BIOS name an IP
address or a fully-qualified domain name (FQDN) of one or more computers in a comma-
separated list
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
Page 51
The -Context parameter lets you obtain scan results that were collected for the most recent
MBCA scan of a submodel in the context of a specific model (one that is different from the parent
model of the submodel) For example an administrator might want to display scan results for the
Backend submodel of the SQL model but only those in the context of a third model a
technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Filter ltFilterEnumgt
The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant
Noncompliant or All results Valid values are Noncompliant Compliant or All The default value
is All
The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan
results You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet obtains
results from the default result repository
Required false
Position named
Page 52
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you
want to view scan results You can obtain valid values for the -SubModelId parameter by running
the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed Not all
models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceResultgt OR
SystemXmlXmlDocument (if -CollectedData specified)
If you do not use the -CollectedConfiguration parameter verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Results
2 Attempting to get MBCA results for Model Id = 0
3 Completed getting MBCA results for Model Id = 0 Number of Results = 1
If you add the -CollectedConfiguration parameter to display configuration data that was used for a
scan verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Configuration Data
2 Attempting to get MBCA collected configuration data for Model Id = 0
3 Completed getting MBCA collected configuration data for Model Id = 0
NOTES
The Get-MBCAResult cmdlet must be run by a member of the Administrators group and it does not
start a new scan
Cancellation behaviour
Single Model - To cancel this cmdlet you must press Ctrl+C before the ResultCollection is displayed
on the console The operation is cancelled and results are not displayed on the console
Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models
the cmdlet generates only those results that were displayed on the console before the cancellation
Any subsequent results in the pipeline are cancelled and not displayed
Page 53
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -Id SQL2008R2BPA
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id
-------------------------- EXAMPLE 2 --------------------------
Get-MBCAModel | Get-MBCAResult
In the preceding example Get-MBCAModel is used to return a list of all MBCA models that are
installed on the computer The results of the Get-MBCAModel cmdlet are piped to the Get-
MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both
supported by MBCA and installed on the computer at which the cmdlet is targeted
-------------------------- EXAMPLE 3 --------------------------
$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$resultDiscoveryDocument
Description
In the preceding example configuration data (in XML form) that was collected during the most recent
Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is
retrieved and stored as a property in the variable $result $resultDiscoveryDocument is of type
SystemXmlXmlDocument
-------------------------- EXAMPLE 4 --------------------------
Get-MBCAResult SQL2008R2BPA -Filter Noncompliant
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id and then applies a filter to show only Noncompliant
results
------------------------- EXAMPLE 5 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId Note that the parent model ID must be specified
to use the -SubModelId parameter
------------------------- EXAMPLE 6 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt -ComputerName ltServergt
-Context ltContext Model Idgt -RepositoryPath ltRepository Pathgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId The parent model ID is provided as required by
the -SubModelID parameter
The -Context parameter indicates that the administrator wants to see only those scan results that are in
the context of the model that is represented by Context Model Id for example only those results from
a SQL Server scan that specifically apply to another technology such as Web Server (IIS)
Page 54
The scan results are further narrowed to only those from a computer that is specified in the -
ComputerName parameter as Server and only those results found in the non-default results
repository that is represented by Repository Path
914 Set-MBCAResult
SYNOPSIS
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
SYNTAX
Set-MBCAResult [[-Exclude] ltBooleangt] [-Results] ltResultgtgt [[-
RepostitoryPath] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
The action specified in the cmdlet (Exclude for example) determines how the existing results of an
MBCA scan are updated Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet
to return a collection of scan results
You can apply filters to results that are returned by the Get-MBCAResult cmdlet and then pipe the
filtered collection of results to the Set-MBCAResult cmdlet specifying either to include or exclude
filtered scan results
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Exclude ltBooleangt
Excludes scan results from the results collection that were previously obtained by the Get-
MBCAResult command To exclude results by using the -Exclude parameter add the value $true
following the parameter as shown
-Exclude $true
To include results that have been excluded use the $false value for the -Exclude parameter
Required false
Position 2
Default value
Accept pipeline input false
Accept wildcard characters false
-RepostitoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet
modifies results from the default result repository
Required false
Page 55
Position 4
Default value
Accept pipeline input false
Accept wildcard characters false
-Results ltResultgtgt
Specifies the result collection to be updated by the Set-MBCAResult cmdlet The -Results
parameter is typically used to specify a filtered subset of scan results that has already been
stored in a variable the variable name is provided as the valid value for the -Results parameter
For example if you have created a variable $allPerformance to store all the Performance
category results for an MBCA scan of all models on a computer and you want to exclude those
Performance results from the complete collection of scan results you add the parameter -Results
$all Performance to a Set-MBCAResult cmdlet
For a more detailed example see the Examples section of the Help for this cmdlet
Required true
Position 3
Default value
Accept pipeline input true (ByValue)
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type ldquoget-
help about_commonparameters
NOTES
If the Set-MBCAResult command is cancelled before the results are written to a file the operation is
cancelled and the results file is not modified If cancellation occurs after the results file has been
modified the commands actions are carried out and the command cannot be cancelled
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -ModelId SQL2008R2BPA | Where $_Category -eq
Performance | Set-MBCAResult -Exclude $true
Description
The first section of the preceding example to the left of the first pipe character (|) uses the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is
represented by Model Id
The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those
scan results for which the category name is equal to Performance
The final section of the example following the second pipe character excludes the Performance
results that were filtered by the previous section of the example
-------------------------- EXAMPLE 2 --------------------------
$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath
CReposPath | Where $_Category -eq Policy
Page 56
Set-MBCAResult -Exclude $true -RepositoryPath CReposPath -Results
$rcPolicy
Description
The first line of the preceding example to the left of the pipe character (|) instructs the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is
represented by Specified Model Id from the specified non-default repository path
The second section of the example after the pipe character filters the results of the Get-MBCAResult
cmdlet to return only those scan results for which the category name is equal to (note the -eq option)
Policy The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet this
variable can be used in subsequent commands to represent those results
The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that
are stored in the $rcPolicy variable In this example the -Results parameter is added because the
administrator wants to exclude a specific subset of scan results for that model and has created the
variable $rcPolicy to represent that subset of results The repository root is specified in the second line
because the administrator wants to modify the results in the same non-default repository from which
the data in $rcPolicy was retrieved
915 MBCA Model Authoring
Further information about configuration and usage of MBCA models you can in the
MBCA_ModelAuthoringGuidedocx
Page 57
Did this paper help you Please give us your feedback Tell us on a scale of 1 (poor) to 5 (excellent)
how would you rate this paper and why have you given it this rating For example
Are you rating it high due to having good examples excellent screen shots clear writing or
another reason
Are you rating it low due to poor examples fuzzy screen shots or unclear writing
This feedback will help us improve the quality of white papers we release
Send feedback
Page 15
332 GUI
Please find below the screenshots demonstrating the visual flow of the SQL Server 2008 R2 BPA
Installation
Welcome screen
License terms
System Configuration Changes (see 31 Installing PowerShell 20 and WinRM)
Ready to install decision
Install progress
Completion screen
Page 16
333 Port and Firewall restrictions
For scanning SQL Server or BI instances on an alternate server behind a firewall you must open all
necessary ports
34 Updates
Microsoft is working on quarterly updates of the rule set and tool improvements of the SQL Server
2008 R2 Best Practice Analyzer Please visit the Download site from Microsoft regularly to find new
updates
35 Uninstall
351 BPA
352 MBCA
353 Reset PowerShell settings
After the uninstall of the BPA you may disable the PowerShell remote scripting You can do this with
the following command line
powershellexe -NoLogo -NoProfile -Noninteractive -Command Disable-
PSRemoting -force
Disable-PSRemoting performs configuration actions to enable this machine for remote management
Page 17
4 USAGE
There are two ways to scan a server using MBCA and SQL 2008 R2 BPA They are
Scanning through the local machine
o In this case you are using MBCA and SQL 2008 R2 BPA running on the local machine to
perform the scan
o This scan can be of the local or an alternate server
Scanning through a remote machine
o In this case MBCA is used to connect to a remote server that has MBCA and SQL 2008
R2 BPA installed on it
o This scan is using the local machine to form the connection to the remote machine and is
actually performing the scan through the remote machine
41 Help file
The help file for the SQL Server 2008 R2 Best Practice Analyzer contains very useful information This
help file is available after the installation of BPA and is located at Start-gtAll programs-gtSQL Server
2008 R2 BPA
42 GUI
1 Ensure that MBCA v2 and SQL 2008 R2 BPA are installed on the machine
2 Run the MBCA application from the start menu with elevated user rights
Page 18
3 On the MBCA home page ensure the SQL Server 2008 R2 BPArdquo product is selected
4 Click Start Scan which displays a page to specify parameters as shown below
5 Fill in Alternate_Server_to_Scan with the remote machine you want to scan
ComputerName
IP address nnnn
FQDN (Fully Qualified Domain Name)
Enter ldquordquo localhost or leave this blank if you want to scan the local machine
Page 19
Enter the instance name you want to scan To scan the default instance enter MSSQLSERVER
or leave this as blank Toggle the checkboxes to enabledisable scans for those rule categories
Each of the following six check boxes correspond to the SQL Server categories listed previously
Select at least one category in order to run a successful scan
Analyze_SQL_Analysis_Services
Analyze_SQL_Server_Engine
Analyze_SQL_Integration_Services
Analyze_SQL_Server_Replication
Analyze_SQL_Reporting_Services
Analyze_SQL_Server_Setup
Note Only one SQL Server instance can be scanned at a time through the MBCA GUI
6 Click Start Scan MBCA will start the configured scan and display the below page while in
progress
7 When the scan is complete results will be displayed grouped by Severity as shown below
Page 20
43 Connect to a remote computer
A scan connected to a remote computer is different than scanning an alternate server
ldquoConnect to a Remote Computerrdquo is functionality provided by Microsoft Baseline Configuration Analyzer
and is used to remotely run MBCA against a server from the console of the client The client needs to
have MBCA installed but does not need BPA as it is literally running the copy of MBCA installed on the
server using the BPA installed on the server In this case the copy of MBCA installed on the client is
used only to remotely connect to the copy of MBCA installed on the server
To use this functionality you first start MBCA on the client computer and select ldquoConnect to Another
Computerrdquo
1 In the ldquoConnect to Another Computerrdquo text box you can specify a NetBIOS name a fully qualified
domain name (FQDN) or an IPv4 or IPv6 address If no port number is specified the default port
number is used The following are examples of formats that you can specify in the Connect to
Another Computer text box
ComputerName
Page 21
ComputerNamePortNumber
IP address nnnn
IPv6 address [nnnnnnnn]
IPv4 address with port number nnnnPortNumber
IPv6 address with port number [nnnnnnnn]PortNumber
Note If an administrator has changed the computerrsquos default port number any port other than the
default port must be opened in Windows Firewall to allow incoming connections on that port Port
5985 is opened by default when WinRM is configured All other ports remain blocked until opened
For more information about how to unblock a port in Windows Firewall see the Help for Windows
Firewall For more information about how to configure WinRM in a Command Prompt session type
winrm help and then press Enter
2 Additionally you must supply credentials
3 CredSSP
Windows Remote Management (WinRM) supports the delegation of user credentials across
multiple remote computers The multi-hop support functionality can now use Credential Security
Service Provider (CredSSP) for authentication CredSSP enables an application to delegate the
userrsquos credentials from the client computer to the target server
CredSSP authentication is intended for environments where Kerberos delegation cannot be used
Support for CredSSP was added to allow a user to connect to a remote server and have the ability
to access a second-hop machine such as a file share
Note WinRM clients and servers will support CredSSP authentication only with explicit credentials
Windows XP Windows Server 2003 and earlier CredSSP is not supported
First you must set CredSSP on both the client and the server
Using the Group Policy Editor (gpeditmsc) make sure to enable ldquoAllow Delegating Fresh
Credentialsrdquo and check ldquoConcatenate OS defaults with input aboverdquo
Add the server or domain to the list of servers in the format ldquoWSMANdomainnamecomrdquo
Next enable and configure PowerShell Remoting on both the Client and Server by running the
following commands in a PowerShell command window opened with elevated permissions Note
Page 22
You can configure a single machine as both a client and a server simultaneously so that you can
scan from either computer
Enable PowerShell Remoting
o Enable-psremoting ndashf
Settings for a client
o Enable-WSManCredSSP ndashrole Client ndashDelegateComputer [NetBiosNameOfServer]
or
o Enable-WSManCredSSP ndashrole Client ndashDelegateComputer [FQDN OF SERVER]
Settings for the server
o Enable-WSManCredSSP ndashrole Server
o set-item WSManlocalhostShellMaxMemoryPerShellMB ndashValue 20000
o set-item WSManlocalhostShellMaxShellsPerUser ndashvalue 20
44 PowerShell
Details see 91 PowerShell
To use the functionality of the Microsoft Baseline Configuration Analyzer you must import this module
first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
441 Run Scan
To run a full scan of the BPA on the alternate server on a named instance you can use the following
command line
Invoke-MBCAModel -ModelId SQL2008R2BPA -Alternate_Server_to_scan
servername -SQL_Server_Instance_Name instancename -
Analyze_SQL_Server_Engine -Analyze_SQL_Server_Replication -
Page 23
Analyze_SQL_Server_Setup -Analyze_SQL_Analysis_Services -
Analyze_SQL_Integration_Services -Analyze_SQL_Reporting_Services
The result looks like this part
ModelId SQL2008R2BPA
SubModelId
Success True
ScanTime
Success = True is important This is the indicator that your scan was successful
Parameter description
-Alternate_Server_to_scan servername
-SQL_Server_Instance_Name instancename
-Analyze_SQL_Server_Engine
-Analyze_SQL_Server_Replication
-Analyze_SQL_Server_Setup
-Analyze_SQL_Analysis_Services
-Analyze_SQL_Integration_Services
-Analyze_SQL_Reporting_Services
The parameter list is equal the parameter screen in the GUI
The scans of the different services are optional You can remove technologies which you do not need
to scan
The next example starts the scan only for the Analysis Services on the alternate server ldquoservernamerdquo
and for the named instance ldquoinstancerdquo A log file will be written to ldquoctempssastxtrdquo
Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId AnalysisServices -
ComputerName servername -SqlServerInstance instance -SSASLogFile
ctempssastxt
Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId Engine -ComputerName
computername -SqlServerInstance servername -CurrentLoginName
($EnvUSERDOMAIN + + $EnvUSERNAME)ToString() -EngineLogFile
ctempenginetxt ndashRepositoryPath (CTEMPSQL2008 + (Get-
Date)ToString(yyyyMMdd))ToString()
442 Create Report
model = get-MbcaModel ndashModelId sql2008r2bpa
$scanResult = get-MbcaResult ndashModelId sql2008r2bpa
$collectedConfig = get-MbcaResult ndashModelId sql2008r2bpa ndash
CollectedConfiguration
$model $scanResult $collectedConfig | export-CliXml ctempasxml
Get-MBCAResult -ModelId SQL2008R2BPA -SubModelId AnalysisServices |
ConvertTo-Html | Add-Content -Path ctesthtml
The next command retrieves the results of the most recent BPA scan for the specified model and
saves them in HTML format applying the standard cascading style sheets that are stored in the path
windirsystem32WindowsPowerShellv10ModulesBestPracticesBestPracticesReportFormatc
Page 24
ss If you want to substitute cascading style sheets provide the path to the different cascading style
sheets
Get-MBCAResult -ModelId SQL2008R2BPA | $_Severity -eq Warning -or
$_Severity -eq Error | ConvertTo-Html -As Table -property ResultNumber
SubModelID ComputerName Severity Category Title Problem Impact
Resolution Help -Head lth1gtSQL Server 2008 (R2) Best Practice Analyzer
Reportlth1gtrdquo -Title SQL Server 2008 Best Practice Analyzer -body
(ltpgtReport creation date + (Get-Date)ToString(ddMMyyyy hhmmss) +
ltpgt)toString() -pre ltPgtGenerated by user $envusername on computer
$envcomputernameltPgt -post For details contact Microsoft Premier-
CssUri $env BestPracticesReportFormatcss gt ctempsql2008r2bpahtm
443 Exporting and opening reports by using Get-MBCAResult
You can use the Get-MBCAResult cmdlet to export scan results and configuration data to an XML
report that you can open for viewing in the future either by using Get-MBCAResult or by using the
MBCA GUI Exporting reports allows you to compare older scans with more recent scans to measure
the progress of your best practice compliance
Example of exporting to XML
$results = Get-MBCAResult ltModel Idgt
$collectedconfig = Get-MBCAResult ltModel Idgt -CollectedConfiguration
$results $collectedconfig | Export-CliXml cexportxml
Example of opening archived XML report file
$loadedResults $loadedConfiguration = Import-CliXml cexportxml
444 Report Result Directory
The reporting result path
AppDataMicrosoftBaselineConfigurationAnalyzer
2ReportsSQL2008R2BPAResults
Will be overwritten during each run of the tool or invoke command
Solution save older results before you start the check
copy-item -path ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2Reports)ToString() -
destination ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2Reports_ + (Get-
Date)ToString(yyyyMMddhhmmss))ToString() ndashrecurse
Afterwards you can create a report with the following command
$prevrepPath = (Get-ChildItem ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2)ToString() -exclude
Reports | Sort-Object name -descending)[0]
Get-MBCAResult -ModelId SQL2008R2BPA ndashRepositoryPath ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2rdquo +
$prevrepPathname)ToString() | ConvertTo-Html -As Table -property
ResultNumberSubModelID ComputerName Severity Category Title Problem
Impact Resolution Help -Head lth1gtSQL Server 2008 (R2) Best Practice
Analyzer Reportlth1gtrdquo -Title SQL Server 2008 Best Practice Analyzer -body
(ltpgtReport creation date + (Get-Date)ToString(ddMMyyyy hhmmss) +
ltpgt)toString() -pre ltPgtGenerated by user $envusername on computer
Page 25
$envcomputernameltPgt -post For details contact Microsoft Premier gt
ctempsql2008r2bpahtm
Page 26
5 TROUBLESHOOTING
51 Application directories
To following directories are used by MBCA
Report output directory localappdataMicrosoftMicrosoftBaselineConfigurationAnalyzer 2ReportsSQL2008R2BPAResults
Model configuration path ProgramdataMicrosoftMicrosoft Baseline Configuration Analyzer 2ModelsSQL2008R2BPA
Temp and log files directory tempSQL2008R2BPASQL2008ltdategt_lttimegt
Registry [HKEY_LOCAL_MACHINESOFTWAREMicrosoftBaselineConfigurationAnalyzer]
Log Files
During Data Discovery SQL Server 2008 R2 BPA creates log files for troubleshooting The log file
contains the following information
Pre-requisite validation
Timestamp finished rules start and end times
Run-time scripting errors and exceptions from Power Shell Traps
Log Files Location
For every scan log files are created in userrsquos Local Temp directory (Temp) and follows the folder
structure SQL2008R2BPAlt Instance Name gtlt datestamp_timestamp gtlt Log files gt
Note In case of a remote scan the category log files are generated on the remote system at the same
path whereas the common log file is generated in the local system
Log Files Structure
A common log file gets generated and contains information about each categorys execution Apart
from this each category has its own log file which details the rule execution The names of the log files
are given below
Common File - ModelLogtxt
Engine Rules - EngineLogtxt
Replication Rules - ReplicationLogtxt
Setup Rules - SetupLogtxt
Analysis Services Rules - AnalysisServicesLogtxt
Reporting Services Rules - ReportingServicesLogtxt
Integration Services Rules - IntegrationServicesLogtxt
52 Windows Server 2003 ndash NumberOfLogicalProcessors
Analysis Services RID2803 and RID2804 ndash NumberOfLogicalProcessors property is unavailable in
Win32_Processor for with Windows Server 2003
Solution The NumberOfLogicalProcessors property does not exist in the WIN32_PROCESSOR object
in Windows Server 2003 It has been implemented in the hotfix
httpsupportmicrosoftcomkb932370
Both of the rules below will function properly if you apply this hotfix For more information look here
Page 27
53 MBCA
This message indicates that on prerequisite is not installed
Please install the version 2 of the MBCA
54 Where can I find the Instance name in result set of the analyzer
report
The instance name is in the collected data option of the analyzer report in the BPA GUI
55 Memory limit of remote PowerShell process
By default remote PowerShell process can consume only 150 MB or less memory This default limit is
significantly small and once this limit is reached there could be a WinRM exception causing and remote
connection immediately terminates Any application or Cmdlet which is involved in PowerShell
remoting should be tested for this memory limit this may cause some of the command to fail for
example site collection creation
Solution Increase the memory limit for the remote shell Use the following command to increase this
limitation to 1000MB This is only necessary if you need to run those commands on that server
Set-Item WSManlocalhostShellMaxMemoryPerShellMB 1000
56 Remote connect
If you try to ldquoConnect to another computerrdquo from MBCA and you receive the following message
Page 28
You should check first if the Hotfix KB968930 is installed
Afterwards validate that the ldquoWindows Remote Managementrdquo service is started
Enable-PSRemoting
If CredSSP is unsupported or unavailable you will see the following message
Page 29
If you have no permission to access the remote server you get the error message
Page 30
57 Installation
571 PowerShell error
After getting through the Pre-Reqs for BPA (PowerShell 20 MBCA NET Framework) you may hit
one of two scenarios when installing BPA
In all of the cases of an install failure you will see the following error
There is a problem with this Windows Installer package A program run as part of the setup did not
finish as expected Contact your support personnel or package vendor
In your Application Event Log for both of these scenarios you will also see the following entry
Log Name Application
Source MsiInstaller
Date 6102010 83818 AM
Event ID 11722
Task Category None
Level Error
Keywords Classic
User ltUsernamegt
Computer ltMachine namegt
Description
Product Microsoft SQL Server 2008 R2 BPA -- Error 1722 There is a problem
with this Windows Installer package A program run as part of the setup did
not finish as expected Contact your support personnel or package
vendor Action EnablePSRemoting location powershellexe command -NoLogo
-NoProfile -Command Enable-PSRemoting ndashforce
Page 31
This is an indicator that PowerShell is not configured You must run the following command
powershellexe -NoLogo -NoProfile -Command Enable-PSRemoting ndashforce
572 Workgroup or Non-Domain computer
In this scenario the Enable-PSRemoting command should execute fine from a PowerShell prompt
The actual error coming back from the PowerShell command within the Installer is ldquoAccess Deniedrdquo
To work around this issue you can do the following
1 Open a command prompt with Administrative Privileges
2 Change to the directory where the msi file resides
3 Type msiexec i ltMSI Namegt SKIPCA=1
4 MSI Name will either be SQL2008R2BPA_Setup32msi or SQL2008R2BPA_Setup64msi
depending on your platform
5 Once BPA is installed open a PowerShell prompt with Administrative Privileges
6 Execute the following commands
a Enable-PSRemoting
b winrm set winrmconfigwinrs ``MaxShellsPerUser=`10``
This should allow BPA to be successfully installed in the workgroup scenario
573 Kerberos Failure
This scenario is that you are failing with the above due to a Kerberos issue This particular issue could
actually show up after you have installed BPA depending on how you have configured your
environment
The issue stems from the fact that the Windows Remoting Windows Service uses the Network Service
account Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos As a
result it will be using the HOST Service Principal Name (SPN) that is on the Machine Account as it is
running under that context You may have an HTTP SPN that resides on a different account with that
host name For example if you are running an IIS Web Application such as SharePoint or if you are
using Reporting Services and the service account is set to a Domain User account instead of Network
Service or Local System If your URL of your application matches the machine name then your HTTP
SPN will be the same Thatrsquos where this problem comes in WinRM will stop working at that point and
give you a message similar to the following
Set-WSManQuickConfig WinRM cannot process the request The following error
occured while using Negotiate authentication An unknown security error
occurred
Possible causes are
-The user name or password specified are invalid
-Kerberos is used when no authentication method and no user name are
specified
-Kerberos accepts domain user names but not local user names
-The Service Principal Name (SPN) for the remote computer name and port
does not exist
-The client and remote computers are in different domains and there is no
trust between the two domains
After checking for the above issues try the following
-Check the Event Viewer for events related to authentication
-Change the authentication method add the destination computer to the
WinRM TrustedHosts configuration setting or use HTTPS transport
Note that computers in the TrustedHosts list might not be authenticated
-For more information about WinRM configuration run the following
Page 32
command winrm help config
At line50 char33
+ Set-WSManQuickConfig ltltltlt -force
+ CategoryInfo InvalidOperation () [Set-WSManQuickConfig]
InvalidOperationException
+ FullyQualifiedErrorId
WsManErrorMicrosoftWSManManagementSetWSManQuickConfigCommand
You can get this type of error from WinRM for muliple reasons The one that
we saw in our testing was the HTTP SPN scenario
If you do have an HTTP SPN defined on a Domain Account that is using the name of your machine
you have some options First you can follow the steps mentioned above to get BPA installed The
Enable-PSRemoting command will give you the above error You can temporarily remove the HTTP
SPN to get remoting enabled and then re-add the HTTP SPN
Once BPA is setup you will still not be able to run BPA if you put the HTTP SPN back in place You will
see the following when you attempt to perform a scan
This will occur regardless of which component you try to scan It could be the Engine Setup RS etchellip
One option to perform the scan successfully is to temporarily remove the HTTP SPN again run the
scan and then put the HTTP SPN back in place Another option but one that will probably require
further testing from your applicationrsquos end would be to run the application under a Host Header and
then your HTTP SPN would not include the machine name allowing BPA to run without issue
Page 33
6 RULES
Searching for ldquoSQL Server 20087 R2 BPArdquo at Microsoftcom reveals
Here is an example of one of these articles that talks about a rule to check for a recent ldquocleanrdquo
CHECKDB
Page 34
BPA works by measuring a rolersquos compliance with best practice rules in eight different categories of a
rolersquos effectiveness trustworthiness and reliability Results of measurements can be any of the three
severity levels described in the following table
Severity level Description
Noncompliant Noncompliant results are returned when a role does not satisfy the conditions of a rule
Compliant Compliant results are returned when a role satisfies the conditions of a rule
Warning Warning results are returned when a role is compliant as operating currently but may not satisfy the conditions of a
rule if changes are not made to its configuration or policy settings For example a scan of Remote Desktop Services
might show a warning result if a license server is unavailable to the role because even if no remote connections are
active at the time of the scan not having the license server prevents new remote connections from obtaining valid
client access licenses
Page 35
BPA rule categories
The following table describes the categories of best practice rules against which roles are measured
during a BPA scan
Category Name Description
Security Security rules are applied to measure a rolersquos relative risk for exposure to threats such as unauthorized or malicious
users or loss or theft of confidential or proprietary data
Performance Performance rules are applied to measure a rolersquos ability to process requests and perform its prescribed duties in
the enterprise within expected periods of time given the rolersquos workload
Configuration Configuration rules are applied to identify role settings that might require modification for the role to perform
optimally Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role
from performing its prescribed duties in an enterprise
Policy Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the
role to operate optimally and securely
Operation Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise
Predeployment Predeployment rules are applied before an installed role is deployed in the enterprise to let administrators to
evaluate whether best practices were satisfied before you use the role in production
Postdeployment Postdeployment rules are applied after all required services have started for a role and the role is running in the
enterprise
BPA Prerequisites BPA Prerequisite rules explain configuration settings policy settings and features that are required for the role
before BPA can apply specific rules from other categories A prerequisite in scan results indicates that an incorrect
setting a missing role role service or feature an incorrectly enabled or disabled policy a registry key setting or
other configuration has prevented BPA from applying one or more rules during a scan A prerequisite result does
not imply compliance or noncompliance It means that a rule could not be applied and therefore is not part of the
scan results
61 Engine Rules
Please find below a summary of the 74 Engine Rules with the links to the rule descriptions These rules
are checking that you have a secure resilient and well performing SQL configuration
Authentication Mode (httpsupportmicrosoftcomkb2028697)
Lightweight Pooling is enabled (httpsupportmicrosoftcomkb2160691)
Locks Configuration Not Dynamic (httpsupportmicrosoftcomkb2199576)
non-default network packet size in use (httpsupportmicrosoftcomkb2157175)
degree of parallelism not set to recommended value (httpsupportmicrosoftcomkb2023536)
Use Database Mail instead of SQL Mail (httpsupportmicrosoftcomkb2028584)
SQL Server Agent Proxy Account (httpsupportmicrosoftcomkb2160741)
SQL Login Password Policy Strength and password expiry
(httpsupportmicrosoftcomkb2028712)
Trustworthy Bit (httpsupportmicrosoftcomkb2183687)
Symmetric Keys Check (httpsupportmicrosoftcomkb2162020)
Asymmetric Keys Check (httpsupportmicrosoftcomkb2162020)
SQL Server installed on PDC BDC (httpsupportmicrosoftcomkb2032911)
Page 36
SQL Server Admin role membership check (httpsupportmicrosoftcomkb2184138)
Windows API calls intercepted (httpsupportmicrosoftcomkb2033238)
unsupported DotNET framework assemblies present (httpsupportmicrosoftcomkb2033344)
Disk partition starting offset may be incorrect (httpsupportmicrosoftcomkb2023571)
non-default max worker threads value configured (httpsupportmicrosoftcomkb2157129)
Guest Permissions (httpsupportmicrosoftcomkb2186935)
Data and Log files on the same volume (httpsupportmicrosoftcomkb2033523)
IO timeouts and IO controller errors detected (httpsupportmicrosoftcomkb2091098)
IO device errors detected (httpsupportmicrosoftcomkb2091098)
IO errors during page faults detected (httpsupportmicrosoftcomkb2091098)
cluster disk corruption encountered (httpsupportmicrosoftcomkb2091098)
disk defragmentation encountered corruption (httpsupportmicrosoftcomkb2091098)
failed IO requests detected (httpsupportmicrosoftcomkb2091098)
IO requests are successful when retried (httpsupportmicrosoftcomkb2015757)
IO Delay Problems reported by SQL Server (httpsupportmicrosoftcomkb2137408)
This system experienced unexpected shutdowns (httpsupportmicrosoftcomkb2091098)
tempdb corruption errors fix missing (httpsupportmicrosoftcomkb960770)
Critical SQL database inconsistency errors found (httpsupportmicrosoftcomkb2152734)
Logical consistency errors detected (httpsupportmicrosoftcomkb2152472)
Database have auto shrink option enabled (httpsupportmicrosoftcomkb2160663)
SQL Server Error logs are very big (httpsupportmicrosoftcomkb2199578)
incorrect affinity mask settings detected httpsupportmicrosoftcomkb2157114
Very low blocked process threshold setting detected httpsupportmicrosoftcomkb2157154
Potential security issue with legacy DTS stored procedures
httpsupportmicrosoftcomkb2202875
Winsock LSP loaded into SQL httpsupportmicrosoftcomkb2033448
Databases using simple recovery model httpsupportmicrosoftcomkb2137539
User database collation different from model httpsupportmicrosoftcomkb2026108
Database files and backups exist on the same volume httpsupportmicrosoftcomkb2027537
Databases have auto close option enabled httpsupportmicrosoftcomkb2160685
LSI SAS drivers needs update httpsupportmicrosoftcomkb2121098
SQL tempdb database not configured optimally httpsupportmicrosoftcomkb2154845
SQL Database file has sparse attribute set httpsupportmicrosoftcomkb2028447
Invalid startup parameters httpsupportmicrosoftcomkb2028433
MSDTC settings not configured optimally httpsupportmicrosoftcomkb2027550
sql incorrect results fix missing httpsupportmicrosoftcomkb971780
File System needs tuning for better FileStream performance
httpsupportmicrosoftcomkb2160002
linked server memory leak fix missing httpsupportmicrosoftcomkb971622EN-US
Windows service pack is not at recommended level httpsupportmicrosoftcomkb2121098
default extended event health session not in expected state
httpsupportmicrosoftcomkb2160570
TcpSysAndChimneyCheck httpsupportmicrosoftcomKB918483
FDHOST Launcher service is not configured properly httpsupportmicrosoftcomkb2160720
Unrecommended SQL Server Agent service account httpsupportmicrosoftcomkb2160720
A required Windows fix to avoid sparse file related problems is missing
httpsupportmicrosoftcomkb2002606
Page 37
Significant Portion of SQL Server Memory Has Been Paged Out
httpsupportmicrosoftcomkb2028324
Server Exception or Hang Detected on Server httpsupportmicrosoftcomkb2028589
Databases exist without CHECKSUM protection httpsupportmicrosoftcomkb2078345
backups outdated for databases httpsupportmicrosoftcomkb2027537
Database consistency check not current httpsupportmicrosoftcomkb2033590
SQL Server Memory settings are incorrect httpsupportmicrosoftcomKB918483EN-US
Autogrow Failed or took a long time httpsupportmicrosoftcomkb2091024
Storport driver fix from KBA 940467 missing httpsupportmicrosoftcomkb2121098
Storport driver fix from KBA 950903 missing httpsupportmicrosoftcomkb2121098
SQLCLR needs additional memory configuration httpsupportmicrosoftcomkb969962EN-US
Operating System files and drivers needs update for working set trimming
httpsupportmicrosoftcomkb2121098
Agent Token Replacement httpsupportmicrosoftcomkb2202637
Auditing Log in failures httpsupportmicrosoftcomkb2187161
Databases with high number of VLF present httpsupportmicrosoftcomkb2028436
Transparent Data Encryption Certificate httpsupportmicrosoftcomkb2201900
Permission on the Binn folder httpsupportmicrosoftcomkb2029023
Index Statistics Are Outdated
Server public permissions httpsupportmicrosoftcomkb2160698
Detected use of older versions of SQLNCLI httpsupportmicrosoftcomkb979779
62 AS Rules
Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions
Flight Recorder Enabled for SQL Server Analysis Services
httpsupportmicrosoftcomkb2128005
Excessive amount of memory preallocated to Analysis Services
httpsupportmicrosoftcomkb2027474
Server not configured for optimal concurrent query throughput
httpsupportmicrosoftcomkb2135031
Non standard value detected for Analysis Services memory configuration
httpsupportmicrosoftcomkb2027472
Process Thread Pool Max limit above recommended limit
httpsupportmicrosoftcomkb2134497
Process Thread Pool Minimum is below the recommended limit
httpsupportmicrosoftcomkb2134855
Server is running a build with a known regression httpsupportmicrosoftcomkb2157941
Slice not set on a ROLAP partition or a partition where proactive caching is enabled and
ROLAP storage ay occur httpsupportmicrosoftcomkb2027754
Server is ignoring duplicate key errors httpsupportmicrosoftcomkb2027761
No default member defined for non-aggregatable attribute
httpsupportmicrosoftcomkb2027769
UnknownMember set to hidden httpsupportmicrosoftcomkb2027628
Non-numeric key column for high cardinality attribute httpsupportmicrosoftcomkb2028138
Attribute hiearchy enabled for high cardinality non-key attribute
httpsupportmicrosoftcomkb2028143
ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition
detected httpsupportmicrosoftcomkb2132742
Page 38
Account or Time attribute types defined in a non-matching dimension type
httpsupportmicrosoftcomkb2157299
An Account or Time dimension has no matching attribute defined
httpsupportmicrosoftcomkb2027418
Dimension has no attribute defined with the same type
httpsupportmicrosoftcomkb2027443
Attribute Dimension type mismatch httpsupportmicrosoftcomkb2157327
Mismatched dimension attribute types detected in dimension
httpsupportmicrosoftcomkb2027459
Possible incorrect order of levels defined in hierarchy httpsupportmicrosoftcomkb2027460
Define attribute relationships as Rigid where possible httpsupportmicrosoftcomkb2027468
Redundant attribute relationships detected httpsupportmicrosoftcomkb2127437
Diamond-shape relationship detected httpsupportmicrosoftcomkb2127570
Non-Standard Attribute Relationship name detected httpsupportmicrosoftcomkb2127862
Proactive Caching set for dimension without a processing query
httpsupportmicrosoftcomkb2027541
No Time dimension detected httpsupportmicrosoftcomkb2027532
More than 3 parent-child dimensions with custom rollups defined
httpsupportmicrosoftcomkb2134431
Encountered a parent-child dimension with more than 500000 members
httpsupportmicrosoftcomkb2131918
Single attribute dimensions detected httpsupportmicrosoftcomkb2141654
Measure groups with zero dimensional overlap detected in cube
httpsupportmicrosoftcomkb2027609
Proactive Caching set for a partition without a processing query
Default measure for perspective not in the perspective
httpsupportmicrosoftcomkb2027603
Use MOLAP storage for dimensions that participate in semi-additive measure groups
httpsupportmicrosoftcomkb2135112
Measure group defined with no partition httpsupportmicrosoftcomkb2027545
63 RS Rules
RSWindowsNegotiate is missing from your configuration
httpsupportmicrosoftcomkb2145506
HTTP Logging is not enabled httpsupportmicrosoftcomkb2145909
Verbose logging is enabled httpsupportmicrosoftcomkb2146315
NTLM authentication may fail for local httpsupportmicrosoftcomkb2146369
Missing extended protection settings httpsupportmicrosoftcomkb2146062
64 IS Rules
Logging task missing for package httpsupportmicrosoftcomkb2027723
ActiveX Script task detected in package httpsupportmicrosoftcomkb2027712
Unrecommended Integration Services service account detected
httpsupportmicrosoftcomkb2027684
Integration Services logging table found in system database master and or msdb
httpsupportmicrosoftcomkb2027706
Integration Services memory dump detected httpsupportmicrosoftcomkb2027727
Page 39
65 Setup Rules
Unsupported Operating System Version Detected httpsupportmicrosoftcomkb2022909
WOW64 not supported for SQL Failover Clustering httpsupportmicrosoftcomkb2157198
Installer cache is missing for the SQL Installation httpsupportmicrosoftcomkb2015100
SQL Server WMI Provider Health Check
66 Replication Rules
Replication Timeout Alerts Type httpsupportmicrosoftcomkb2118349
Replication Pub and Sub out of sync (Data Validation) httpsupportmicrosoftcomkb2118386
Replication Pub and Sub out of sync (Constraint Violations)
httpsupportmicrosoftcomkb2118410
Replication Pub and Sub out of sync (Skipped Transactions)
httpsupportmicrosoftcomkb2194498
Merge Replication Health Check httpsupportmicrosoftcomkb2118445
Subscriptions Approaching Expiration httpgomicrosoftcomfwlinkLinkId=184483
Replication Cleanup and Retention Health Check httpsupportmicrosoftcomkb2118485
Replication Latency Threshold violations httpsupportmicrosoftcomkb2118425
Page 40
7 HOW TO DEAL WITH DEVIATIONS
Deviations from these Best Practices may indicate potential issues and configuration changes may be
necessary Make sure you have tested any intended changes in a test environment before deploying
them to a production environment You could also find deviations from Best Practices that are
acceptable or even necessary for your environment For example
SAP has its special Network Packet Size of 8 KB
Existing Non-Microsoft Clients ndash would require Mixed Mode Authentication
Page 41
8 MOTIVATION TO USE SQL BPA R2
Bob Ward explained in his Article ldquoWhy use SQL Server 2008 R2 BPA Case 1 Missing Updatesrdquo
the common pitfalls during maintenance and operation of SQL Server and how address them by using
the SQL BPA
In brief itrsquos a customer scenario where the customer is facing an issue after a major update to
SQL2008 After some troubleshooting and an update to a certain CU (that is meant to fix the issue) the
problem still occurs Bobs article states the common resulting consequences ndash the involvement of
Microsoft Support and the final solution ndash adding a needed traceflag
The good news in this story is that the customer would not have needed to go to all that effort if they
would have run the SQL BPA It would have told them about the update and instructed them to put the
traceflag in place BPA is a mechanism that proactively advises you and instructs you on dealing with
common known issues
Page 42
9 ADDITIONAL INFORMATION
91 PowerShell
To use the functionality of the Baseline Configuration Analyzer with PowerShell you must import this
module first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
The following commands are stored in this module
Get-MbcaModel
Get-MbcaResult
Invoke-MbcaModel
Set-MbcaResult
You get help of this command with the following syntax
Get-help ltcommandgt -full
911 Get-MBCAModel
SYNOPSIS
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer
SYNTAX
Get-MBCAModel [[-ModelId] ltstring[]gt] [[-SubModelId] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer If no parameter is
specified Get-MBCAModel returns all models that are installed on the computer If a model is specified
by using the -ModelId parameter information about the specified model is returned
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
The results of the Get-MBCAModel cmdlet include the following details about models
1 Branding information (manufacturer or company display names version number) that is found in
the model manifest
2 Dynamic parameters that are included with the model
3 Submodels that are included with the model
PARAMETERS
-ModelId ltstring[]gt
The -ModelId parameter specifies the ID of the MBCA model about which you want to view
details You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet with no parameters and targeted at a computer on which MBCA models are installed
Page 43
This parameter supports wild card characters
Required false
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you
want to view details You can obtain valid values for the -SubModelId parameter by running the
Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models
are installed Not all models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
Examples
Get-MBCAModel
In the preceding example Get-MBCAModel with no parameters added returns details about all MBCA
models that are installed on the computer
Get-MBCAModel -ModelId SQL2008R2BPA
The preceding example can be used to return details about the MBCA model that is specified in the -
ModelId parameter represented by Model Id
$model= Get-MBCAModel -ModelId SQL2008R2BPA
$modelParameters
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the Parameters property of the model details that were stored in the
$model object returns details about which parameters are supported by the model
Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId ltSubModel Idgt
The preceding example can be used to return details about the MBCA sub-model that is specified by
the -SubModelId parameter represented by SubModel Id Note that the -ModelId parameter is
required by the -SubModelId parameter
$model= Get-MBCAModel -ModelId SQL2008R2BPA
Page 44
$modelSubModels
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the SubModels property of the model details that were stored in the
$model object returns a list of the submodels of the model specified in the first line
912 Invoke-MBCAModel
SYNOPSIS
The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA)
scan for a specific model that is installed on your computer
SYNTAX
Invoke-MBCAModel [-ModelId] ltstringgt -SubModelId ltstringgt [-Authentication
ltAuthenticationMechanismgt] [-CertificateThumbprint ltstringgt] [-ComputerName
ltstring[]gt] [-ConfigurationName ltstringgt] [-Context ltstringgt] [-Credential
ltstringgt] [-Mode ltModeEnumgt] [-Port ltintgt] [-RepositoryPath ltstringgt] [-
ThrottleLimit ltintgt] [-UseSSL] [ltCommonParametersgt]
DESCRIPTION
The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer
(MBCA) scan for a specific model that is installed on your computer The model is specified either by
using the parameter -ModelId or by piping the results of the Get-MBCAModel cmdlet into an Invoke-
MBCAMode cmdlet
After the MBCA scan has been performed the results of the scan are available to be retrieved by Get-
MBCAResult cmdlet
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Authentication ltAuthenticationMechanismgt
Specifies the authentication mechanism that is used to authenticate the users credentials Valid
values include Default Basic CredSSP Digest Kerberos Negotiate and
NegotiateWithImplicitCredential The default value is Default
For more information about the -Authentication parameter type the following and then press
Enter
Get-Help Invoke-Command -Parameter Authentication
Required false
Position named
Default value Default
Accept pipeline input false
Accept wildcard characters false
-CertificateThumbprint ltstringgt
Page 45
Specifies the digital public key certificate (X509) of a user account that has rights to perform the
cmdlet action The valid value is the certificate thumbprint of the certificate
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Certificate Thumbprint
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific
computer by adding this parameter Valid values include NETBOS names IP addresses or fully-
qualified domain names of one or more computers in a comma-separated list To specify the local
computer type the computer name or localhost
All formats that are accepted by the -ComputerName parameter in Invoke-Command are
accepted
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ConfigurationName ltstringgt
Specifies the session configuration that is used for a new PSSession
Enter a configuration name or the fully-qualified resource URI for a session configuration
Session configuration data is found on the remote computer on which you want to run a cmdlet
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ConfigurationName
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
The -Context parameter lets you run scans on a submodel in the context of a specific model (one
that is different from the parent model of the submodel) For example an administrator might
want to run a scan on the Backend submodel of the SQL model but only those in the context
of a third model a technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
Page 46
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Credential ltstringgt
Specifies a user account that has permission to run this cmdlet The default value is the current
user
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Credential
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Mode ltModeEnumgt
The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered
documents or discovery The default is to perform both discovery and analysis or All
If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet both discovery and
analysis are performed during a scan
Valid values are Discovery Analysis and All
Required false
Position named
Default value All
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model that you want to scan You can
obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at
a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
Page 47
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-Port ltintgt
Specifies the network port on a remote computer on which you want to run a scan The default
value is port 80
For more information on this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Port
Required false
Position named
Default value 80
Accept pipeline input false
Accept wildcard characters false
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a pathname If the parameter is not used the cmdlet writes
results to the default result repository
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to
scan You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed Not all models have
submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ThrottleLimit ltintgt
Specifies the maximum number of concurrent connections that can be established to run the
cmdlet If you omit this parameter or enter a value of 0 the default value of 32 is used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ThrottleLimit
Required false
Page 48
Position named
Default value 32
Accept pipeline input false
Accept wildcard characters false
-UseSSL [ltSwitchParametergt]
Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer
By default SSL is not used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter UseSSL
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceInvokeBpaModelOutputgt
The output object encapsulates the results of the cmdlet that you entered It contains information such
as the MBCA model ID the success or failure of the cmdlet and other details
NOTES
If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C)
before the temporary results file is copied to its final location the temporary file is discarded and any
previous scan results file for the role are preserved The message Processing of Invoke-MBCAModel
cancelled by user is displayed if the command is cancelled before existing scan results files are
overwritten
If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel
cmdlet and the command is cancelled scans that were completed before the cancel command was
entered cannot be cancelled A scan in progress behaves as described above in the single-model scan
cancellation scenario Subsequent scans in the pipeline are cancelled
If a concurrent scan of the same model is attempted the cmdlet returns the following error message
Another scan for this MBCA model is in progress Only one scan is allowed at a time
-------------------------- EXAMPLE 1 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA
Description
The preceding example starts a MBCA scan on the model that is represented by ltModel Idgt
-------------------------- EXAMPLE 2 --------------------------
Page 49
Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name
redmondmicrosoftcom
Description
The preceding example starts an MBCA scan on the model ID that is specified by Model Id
The administrator starts the MBCA scan with additional model-specific parameters that are exposed by
the model (For an example of how to obtain model-specific parameters see the examples for the Get-
MBCAModel cmdlet)
For example to scan a model that requires model-specific parameters (such as -Scope and -Name) to
be passed to the command the administrator can specify the values of these model-specific
parameters with the Invoke-MBCAModel cmdlet
-------------------------- EXAMPLE 3 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The
cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion
of the scan
-------------------------- EXAMPLE 4 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath
ltRepository Pathgt
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The -
Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on
existing documents that are specified in the non-default repository path provided with the -Repository
Path parameter
-------------------------- EXAMPLE 5 --------------------------
Invoke-MBCAModel -Id ltModel Idgt -SubModelId ltSubModel Idgt -ComputerName
ltServergt -Context ltContext Model Idgt -RepositoryPath ltRespository Pathgt -
AsJob -Authentication ltAuthenticatonMechanismgt -Port ltPort Numbergt -UseSSL -
ThrottleLimit ltThrottle Limitgt
Description
The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id
and on the computer that is represented by Server
Because the administrator only wants to see results from the submodel that apply in the context of a
third model the administrator runs the scan within the context of the model ID that is specified in the -
Context parameter The cmdlet results are saved to the non-default repository path that is specified in
the -RepositoryPath parameter
Because the -AsJob parameter is added the scan runs in the background The -AsJob -
Authentication -Port -UseSSL and -ThrottleLimit parameters are passed through for use by the
Invoke-Command cmdlet to perform discovery on a remote computer For more information about
these parameters see the Help for the Invoke-Command cmdlet available in Windows PowerShell V2
913 Get-MBCAResult
SYNOPSIS
Page 50
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
SYNTAX
Get-MBCAResult [-ModelId] ltstringgt [[-CollectedConfiguration]] -SubModelId
ltstringgt [-ComputerName ltstring[]gt] [-Context ltstringgt] [-Filter
ltFilterEnumgt] [-RepositoryPath ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
To use the command add the -ModelId parameter and then specify the model ID for which you want
to view the most recent MBCA scan results or collected configuration data If you want to retrieve the
configuration data collected add the -CollectedConfiguration switch parameter
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-CollectedConfiguration [ltSwitchParametergt]
The -CollectedConfiguration parameter allows you to obtain the configuration data that was
collected for the most recent MBCA scan If this switch parameter is added to Get-MBCAResults
the cmdlet returns only the configuration data that was collected for a scan
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The -ComputerName parameter lets you obtain scan results that were collected for the most
recent MBCA scan of a submodel on a specific computer To specify the local computer type the
computer name or localhost Multiple values for -ComputerName can be separated by
commas
The -SubModelId parameter is required by the -ComputerName parameter
Valid values for the -ComputerName parameter include localhost a NET BIOS name an IP
address or a fully-qualified domain name (FQDN) of one or more computers in a comma-
separated list
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
Page 51
The -Context parameter lets you obtain scan results that were collected for the most recent
MBCA scan of a submodel in the context of a specific model (one that is different from the parent
model of the submodel) For example an administrator might want to display scan results for the
Backend submodel of the SQL model but only those in the context of a third model a
technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Filter ltFilterEnumgt
The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant
Noncompliant or All results Valid values are Noncompliant Compliant or All The default value
is All
The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan
results You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet obtains
results from the default result repository
Required false
Position named
Page 52
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you
want to view scan results You can obtain valid values for the -SubModelId parameter by running
the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed Not all
models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceResultgt OR
SystemXmlXmlDocument (if -CollectedData specified)
If you do not use the -CollectedConfiguration parameter verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Results
2 Attempting to get MBCA results for Model Id = 0
3 Completed getting MBCA results for Model Id = 0 Number of Results = 1
If you add the -CollectedConfiguration parameter to display configuration data that was used for a
scan verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Configuration Data
2 Attempting to get MBCA collected configuration data for Model Id = 0
3 Completed getting MBCA collected configuration data for Model Id = 0
NOTES
The Get-MBCAResult cmdlet must be run by a member of the Administrators group and it does not
start a new scan
Cancellation behaviour
Single Model - To cancel this cmdlet you must press Ctrl+C before the ResultCollection is displayed
on the console The operation is cancelled and results are not displayed on the console
Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models
the cmdlet generates only those results that were displayed on the console before the cancellation
Any subsequent results in the pipeline are cancelled and not displayed
Page 53
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -Id SQL2008R2BPA
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id
-------------------------- EXAMPLE 2 --------------------------
Get-MBCAModel | Get-MBCAResult
In the preceding example Get-MBCAModel is used to return a list of all MBCA models that are
installed on the computer The results of the Get-MBCAModel cmdlet are piped to the Get-
MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both
supported by MBCA and installed on the computer at which the cmdlet is targeted
-------------------------- EXAMPLE 3 --------------------------
$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$resultDiscoveryDocument
Description
In the preceding example configuration data (in XML form) that was collected during the most recent
Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is
retrieved and stored as a property in the variable $result $resultDiscoveryDocument is of type
SystemXmlXmlDocument
-------------------------- EXAMPLE 4 --------------------------
Get-MBCAResult SQL2008R2BPA -Filter Noncompliant
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id and then applies a filter to show only Noncompliant
results
------------------------- EXAMPLE 5 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId Note that the parent model ID must be specified
to use the -SubModelId parameter
------------------------- EXAMPLE 6 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt -ComputerName ltServergt
-Context ltContext Model Idgt -RepositoryPath ltRepository Pathgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId The parent model ID is provided as required by
the -SubModelID parameter
The -Context parameter indicates that the administrator wants to see only those scan results that are in
the context of the model that is represented by Context Model Id for example only those results from
a SQL Server scan that specifically apply to another technology such as Web Server (IIS)
Page 54
The scan results are further narrowed to only those from a computer that is specified in the -
ComputerName parameter as Server and only those results found in the non-default results
repository that is represented by Repository Path
914 Set-MBCAResult
SYNOPSIS
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
SYNTAX
Set-MBCAResult [[-Exclude] ltBooleangt] [-Results] ltResultgtgt [[-
RepostitoryPath] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
The action specified in the cmdlet (Exclude for example) determines how the existing results of an
MBCA scan are updated Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet
to return a collection of scan results
You can apply filters to results that are returned by the Get-MBCAResult cmdlet and then pipe the
filtered collection of results to the Set-MBCAResult cmdlet specifying either to include or exclude
filtered scan results
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Exclude ltBooleangt
Excludes scan results from the results collection that were previously obtained by the Get-
MBCAResult command To exclude results by using the -Exclude parameter add the value $true
following the parameter as shown
-Exclude $true
To include results that have been excluded use the $false value for the -Exclude parameter
Required false
Position 2
Default value
Accept pipeline input false
Accept wildcard characters false
-RepostitoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet
modifies results from the default result repository
Required false
Page 55
Position 4
Default value
Accept pipeline input false
Accept wildcard characters false
-Results ltResultgtgt
Specifies the result collection to be updated by the Set-MBCAResult cmdlet The -Results
parameter is typically used to specify a filtered subset of scan results that has already been
stored in a variable the variable name is provided as the valid value for the -Results parameter
For example if you have created a variable $allPerformance to store all the Performance
category results for an MBCA scan of all models on a computer and you want to exclude those
Performance results from the complete collection of scan results you add the parameter -Results
$all Performance to a Set-MBCAResult cmdlet
For a more detailed example see the Examples section of the Help for this cmdlet
Required true
Position 3
Default value
Accept pipeline input true (ByValue)
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type ldquoget-
help about_commonparameters
NOTES
If the Set-MBCAResult command is cancelled before the results are written to a file the operation is
cancelled and the results file is not modified If cancellation occurs after the results file has been
modified the commands actions are carried out and the command cannot be cancelled
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -ModelId SQL2008R2BPA | Where $_Category -eq
Performance | Set-MBCAResult -Exclude $true
Description
The first section of the preceding example to the left of the first pipe character (|) uses the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is
represented by Model Id
The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those
scan results for which the category name is equal to Performance
The final section of the example following the second pipe character excludes the Performance
results that were filtered by the previous section of the example
-------------------------- EXAMPLE 2 --------------------------
$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath
CReposPath | Where $_Category -eq Policy
Page 56
Set-MBCAResult -Exclude $true -RepositoryPath CReposPath -Results
$rcPolicy
Description
The first line of the preceding example to the left of the pipe character (|) instructs the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is
represented by Specified Model Id from the specified non-default repository path
The second section of the example after the pipe character filters the results of the Get-MBCAResult
cmdlet to return only those scan results for which the category name is equal to (note the -eq option)
Policy The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet this
variable can be used in subsequent commands to represent those results
The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that
are stored in the $rcPolicy variable In this example the -Results parameter is added because the
administrator wants to exclude a specific subset of scan results for that model and has created the
variable $rcPolicy to represent that subset of results The repository root is specified in the second line
because the administrator wants to modify the results in the same non-default repository from which
the data in $rcPolicy was retrieved
915 MBCA Model Authoring
Further information about configuration and usage of MBCA models you can in the
MBCA_ModelAuthoringGuidedocx
Page 57
Did this paper help you Please give us your feedback Tell us on a scale of 1 (poor) to 5 (excellent)
how would you rate this paper and why have you given it this rating For example
Are you rating it high due to having good examples excellent screen shots clear writing or
another reason
Are you rating it low due to poor examples fuzzy screen shots or unclear writing
This feedback will help us improve the quality of white papers we release
Send feedback
Page 16
333 Port and Firewall restrictions
For scanning SQL Server or BI instances on an alternate server behind a firewall you must open all
necessary ports
34 Updates
Microsoft is working on quarterly updates of the rule set and tool improvements of the SQL Server
2008 R2 Best Practice Analyzer Please visit the Download site from Microsoft regularly to find new
updates
35 Uninstall
351 BPA
352 MBCA
353 Reset PowerShell settings
After the uninstall of the BPA you may disable the PowerShell remote scripting You can do this with
the following command line
powershellexe -NoLogo -NoProfile -Noninteractive -Command Disable-
PSRemoting -force
Disable-PSRemoting performs configuration actions to enable this machine for remote management
Page 17
4 USAGE
There are two ways to scan a server using MBCA and SQL 2008 R2 BPA They are
Scanning through the local machine
o In this case you are using MBCA and SQL 2008 R2 BPA running on the local machine to
perform the scan
o This scan can be of the local or an alternate server
Scanning through a remote machine
o In this case MBCA is used to connect to a remote server that has MBCA and SQL 2008
R2 BPA installed on it
o This scan is using the local machine to form the connection to the remote machine and is
actually performing the scan through the remote machine
41 Help file
The help file for the SQL Server 2008 R2 Best Practice Analyzer contains very useful information This
help file is available after the installation of BPA and is located at Start-gtAll programs-gtSQL Server
2008 R2 BPA
42 GUI
1 Ensure that MBCA v2 and SQL 2008 R2 BPA are installed on the machine
2 Run the MBCA application from the start menu with elevated user rights
Page 18
3 On the MBCA home page ensure the SQL Server 2008 R2 BPArdquo product is selected
4 Click Start Scan which displays a page to specify parameters as shown below
5 Fill in Alternate_Server_to_Scan with the remote machine you want to scan
ComputerName
IP address nnnn
FQDN (Fully Qualified Domain Name)
Enter ldquordquo localhost or leave this blank if you want to scan the local machine
Page 19
Enter the instance name you want to scan To scan the default instance enter MSSQLSERVER
or leave this as blank Toggle the checkboxes to enabledisable scans for those rule categories
Each of the following six check boxes correspond to the SQL Server categories listed previously
Select at least one category in order to run a successful scan
Analyze_SQL_Analysis_Services
Analyze_SQL_Server_Engine
Analyze_SQL_Integration_Services
Analyze_SQL_Server_Replication
Analyze_SQL_Reporting_Services
Analyze_SQL_Server_Setup
Note Only one SQL Server instance can be scanned at a time through the MBCA GUI
6 Click Start Scan MBCA will start the configured scan and display the below page while in
progress
7 When the scan is complete results will be displayed grouped by Severity as shown below
Page 20
43 Connect to a remote computer
A scan connected to a remote computer is different than scanning an alternate server
ldquoConnect to a Remote Computerrdquo is functionality provided by Microsoft Baseline Configuration Analyzer
and is used to remotely run MBCA against a server from the console of the client The client needs to
have MBCA installed but does not need BPA as it is literally running the copy of MBCA installed on the
server using the BPA installed on the server In this case the copy of MBCA installed on the client is
used only to remotely connect to the copy of MBCA installed on the server
To use this functionality you first start MBCA on the client computer and select ldquoConnect to Another
Computerrdquo
1 In the ldquoConnect to Another Computerrdquo text box you can specify a NetBIOS name a fully qualified
domain name (FQDN) or an IPv4 or IPv6 address If no port number is specified the default port
number is used The following are examples of formats that you can specify in the Connect to
Another Computer text box
ComputerName
Page 21
ComputerNamePortNumber
IP address nnnn
IPv6 address [nnnnnnnn]
IPv4 address with port number nnnnPortNumber
IPv6 address with port number [nnnnnnnn]PortNumber
Note If an administrator has changed the computerrsquos default port number any port other than the
default port must be opened in Windows Firewall to allow incoming connections on that port Port
5985 is opened by default when WinRM is configured All other ports remain blocked until opened
For more information about how to unblock a port in Windows Firewall see the Help for Windows
Firewall For more information about how to configure WinRM in a Command Prompt session type
winrm help and then press Enter
2 Additionally you must supply credentials
3 CredSSP
Windows Remote Management (WinRM) supports the delegation of user credentials across
multiple remote computers The multi-hop support functionality can now use Credential Security
Service Provider (CredSSP) for authentication CredSSP enables an application to delegate the
userrsquos credentials from the client computer to the target server
CredSSP authentication is intended for environments where Kerberos delegation cannot be used
Support for CredSSP was added to allow a user to connect to a remote server and have the ability
to access a second-hop machine such as a file share
Note WinRM clients and servers will support CredSSP authentication only with explicit credentials
Windows XP Windows Server 2003 and earlier CredSSP is not supported
First you must set CredSSP on both the client and the server
Using the Group Policy Editor (gpeditmsc) make sure to enable ldquoAllow Delegating Fresh
Credentialsrdquo and check ldquoConcatenate OS defaults with input aboverdquo
Add the server or domain to the list of servers in the format ldquoWSMANdomainnamecomrdquo
Next enable and configure PowerShell Remoting on both the Client and Server by running the
following commands in a PowerShell command window opened with elevated permissions Note
Page 22
You can configure a single machine as both a client and a server simultaneously so that you can
scan from either computer
Enable PowerShell Remoting
o Enable-psremoting ndashf
Settings for a client
o Enable-WSManCredSSP ndashrole Client ndashDelegateComputer [NetBiosNameOfServer]
or
o Enable-WSManCredSSP ndashrole Client ndashDelegateComputer [FQDN OF SERVER]
Settings for the server
o Enable-WSManCredSSP ndashrole Server
o set-item WSManlocalhostShellMaxMemoryPerShellMB ndashValue 20000
o set-item WSManlocalhostShellMaxShellsPerUser ndashvalue 20
44 PowerShell
Details see 91 PowerShell
To use the functionality of the Microsoft Baseline Configuration Analyzer you must import this module
first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
441 Run Scan
To run a full scan of the BPA on the alternate server on a named instance you can use the following
command line
Invoke-MBCAModel -ModelId SQL2008R2BPA -Alternate_Server_to_scan
servername -SQL_Server_Instance_Name instancename -
Analyze_SQL_Server_Engine -Analyze_SQL_Server_Replication -
Page 23
Analyze_SQL_Server_Setup -Analyze_SQL_Analysis_Services -
Analyze_SQL_Integration_Services -Analyze_SQL_Reporting_Services
The result looks like this part
ModelId SQL2008R2BPA
SubModelId
Success True
ScanTime
Success = True is important This is the indicator that your scan was successful
Parameter description
-Alternate_Server_to_scan servername
-SQL_Server_Instance_Name instancename
-Analyze_SQL_Server_Engine
-Analyze_SQL_Server_Replication
-Analyze_SQL_Server_Setup
-Analyze_SQL_Analysis_Services
-Analyze_SQL_Integration_Services
-Analyze_SQL_Reporting_Services
The parameter list is equal the parameter screen in the GUI
The scans of the different services are optional You can remove technologies which you do not need
to scan
The next example starts the scan only for the Analysis Services on the alternate server ldquoservernamerdquo
and for the named instance ldquoinstancerdquo A log file will be written to ldquoctempssastxtrdquo
Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId AnalysisServices -
ComputerName servername -SqlServerInstance instance -SSASLogFile
ctempssastxt
Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId Engine -ComputerName
computername -SqlServerInstance servername -CurrentLoginName
($EnvUSERDOMAIN + + $EnvUSERNAME)ToString() -EngineLogFile
ctempenginetxt ndashRepositoryPath (CTEMPSQL2008 + (Get-
Date)ToString(yyyyMMdd))ToString()
442 Create Report
model = get-MbcaModel ndashModelId sql2008r2bpa
$scanResult = get-MbcaResult ndashModelId sql2008r2bpa
$collectedConfig = get-MbcaResult ndashModelId sql2008r2bpa ndash
CollectedConfiguration
$model $scanResult $collectedConfig | export-CliXml ctempasxml
Get-MBCAResult -ModelId SQL2008R2BPA -SubModelId AnalysisServices |
ConvertTo-Html | Add-Content -Path ctesthtml
The next command retrieves the results of the most recent BPA scan for the specified model and
saves them in HTML format applying the standard cascading style sheets that are stored in the path
windirsystem32WindowsPowerShellv10ModulesBestPracticesBestPracticesReportFormatc
Page 24
ss If you want to substitute cascading style sheets provide the path to the different cascading style
sheets
Get-MBCAResult -ModelId SQL2008R2BPA | $_Severity -eq Warning -or
$_Severity -eq Error | ConvertTo-Html -As Table -property ResultNumber
SubModelID ComputerName Severity Category Title Problem Impact
Resolution Help -Head lth1gtSQL Server 2008 (R2) Best Practice Analyzer
Reportlth1gtrdquo -Title SQL Server 2008 Best Practice Analyzer -body
(ltpgtReport creation date + (Get-Date)ToString(ddMMyyyy hhmmss) +
ltpgt)toString() -pre ltPgtGenerated by user $envusername on computer
$envcomputernameltPgt -post For details contact Microsoft Premier-
CssUri $env BestPracticesReportFormatcss gt ctempsql2008r2bpahtm
443 Exporting and opening reports by using Get-MBCAResult
You can use the Get-MBCAResult cmdlet to export scan results and configuration data to an XML
report that you can open for viewing in the future either by using Get-MBCAResult or by using the
MBCA GUI Exporting reports allows you to compare older scans with more recent scans to measure
the progress of your best practice compliance
Example of exporting to XML
$results = Get-MBCAResult ltModel Idgt
$collectedconfig = Get-MBCAResult ltModel Idgt -CollectedConfiguration
$results $collectedconfig | Export-CliXml cexportxml
Example of opening archived XML report file
$loadedResults $loadedConfiguration = Import-CliXml cexportxml
444 Report Result Directory
The reporting result path
AppDataMicrosoftBaselineConfigurationAnalyzer
2ReportsSQL2008R2BPAResults
Will be overwritten during each run of the tool or invoke command
Solution save older results before you start the check
copy-item -path ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2Reports)ToString() -
destination ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2Reports_ + (Get-
Date)ToString(yyyyMMddhhmmss))ToString() ndashrecurse
Afterwards you can create a report with the following command
$prevrepPath = (Get-ChildItem ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2)ToString() -exclude
Reports | Sort-Object name -descending)[0]
Get-MBCAResult -ModelId SQL2008R2BPA ndashRepositoryPath ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2rdquo +
$prevrepPathname)ToString() | ConvertTo-Html -As Table -property
ResultNumberSubModelID ComputerName Severity Category Title Problem
Impact Resolution Help -Head lth1gtSQL Server 2008 (R2) Best Practice
Analyzer Reportlth1gtrdquo -Title SQL Server 2008 Best Practice Analyzer -body
(ltpgtReport creation date + (Get-Date)ToString(ddMMyyyy hhmmss) +
ltpgt)toString() -pre ltPgtGenerated by user $envusername on computer
Page 25
$envcomputernameltPgt -post For details contact Microsoft Premier gt
ctempsql2008r2bpahtm
Page 26
5 TROUBLESHOOTING
51 Application directories
To following directories are used by MBCA
Report output directory localappdataMicrosoftMicrosoftBaselineConfigurationAnalyzer 2ReportsSQL2008R2BPAResults
Model configuration path ProgramdataMicrosoftMicrosoft Baseline Configuration Analyzer 2ModelsSQL2008R2BPA
Temp and log files directory tempSQL2008R2BPASQL2008ltdategt_lttimegt
Registry [HKEY_LOCAL_MACHINESOFTWAREMicrosoftBaselineConfigurationAnalyzer]
Log Files
During Data Discovery SQL Server 2008 R2 BPA creates log files for troubleshooting The log file
contains the following information
Pre-requisite validation
Timestamp finished rules start and end times
Run-time scripting errors and exceptions from Power Shell Traps
Log Files Location
For every scan log files are created in userrsquos Local Temp directory (Temp) and follows the folder
structure SQL2008R2BPAlt Instance Name gtlt datestamp_timestamp gtlt Log files gt
Note In case of a remote scan the category log files are generated on the remote system at the same
path whereas the common log file is generated in the local system
Log Files Structure
A common log file gets generated and contains information about each categorys execution Apart
from this each category has its own log file which details the rule execution The names of the log files
are given below
Common File - ModelLogtxt
Engine Rules - EngineLogtxt
Replication Rules - ReplicationLogtxt
Setup Rules - SetupLogtxt
Analysis Services Rules - AnalysisServicesLogtxt
Reporting Services Rules - ReportingServicesLogtxt
Integration Services Rules - IntegrationServicesLogtxt
52 Windows Server 2003 ndash NumberOfLogicalProcessors
Analysis Services RID2803 and RID2804 ndash NumberOfLogicalProcessors property is unavailable in
Win32_Processor for with Windows Server 2003
Solution The NumberOfLogicalProcessors property does not exist in the WIN32_PROCESSOR object
in Windows Server 2003 It has been implemented in the hotfix
httpsupportmicrosoftcomkb932370
Both of the rules below will function properly if you apply this hotfix For more information look here
Page 27
53 MBCA
This message indicates that on prerequisite is not installed
Please install the version 2 of the MBCA
54 Where can I find the Instance name in result set of the analyzer
report
The instance name is in the collected data option of the analyzer report in the BPA GUI
55 Memory limit of remote PowerShell process
By default remote PowerShell process can consume only 150 MB or less memory This default limit is
significantly small and once this limit is reached there could be a WinRM exception causing and remote
connection immediately terminates Any application or Cmdlet which is involved in PowerShell
remoting should be tested for this memory limit this may cause some of the command to fail for
example site collection creation
Solution Increase the memory limit for the remote shell Use the following command to increase this
limitation to 1000MB This is only necessary if you need to run those commands on that server
Set-Item WSManlocalhostShellMaxMemoryPerShellMB 1000
56 Remote connect
If you try to ldquoConnect to another computerrdquo from MBCA and you receive the following message
Page 28
You should check first if the Hotfix KB968930 is installed
Afterwards validate that the ldquoWindows Remote Managementrdquo service is started
Enable-PSRemoting
If CredSSP is unsupported or unavailable you will see the following message
Page 29
If you have no permission to access the remote server you get the error message
Page 30
57 Installation
571 PowerShell error
After getting through the Pre-Reqs for BPA (PowerShell 20 MBCA NET Framework) you may hit
one of two scenarios when installing BPA
In all of the cases of an install failure you will see the following error
There is a problem with this Windows Installer package A program run as part of the setup did not
finish as expected Contact your support personnel or package vendor
In your Application Event Log for both of these scenarios you will also see the following entry
Log Name Application
Source MsiInstaller
Date 6102010 83818 AM
Event ID 11722
Task Category None
Level Error
Keywords Classic
User ltUsernamegt
Computer ltMachine namegt
Description
Product Microsoft SQL Server 2008 R2 BPA -- Error 1722 There is a problem
with this Windows Installer package A program run as part of the setup did
not finish as expected Contact your support personnel or package
vendor Action EnablePSRemoting location powershellexe command -NoLogo
-NoProfile -Command Enable-PSRemoting ndashforce
Page 31
This is an indicator that PowerShell is not configured You must run the following command
powershellexe -NoLogo -NoProfile -Command Enable-PSRemoting ndashforce
572 Workgroup or Non-Domain computer
In this scenario the Enable-PSRemoting command should execute fine from a PowerShell prompt
The actual error coming back from the PowerShell command within the Installer is ldquoAccess Deniedrdquo
To work around this issue you can do the following
1 Open a command prompt with Administrative Privileges
2 Change to the directory where the msi file resides
3 Type msiexec i ltMSI Namegt SKIPCA=1
4 MSI Name will either be SQL2008R2BPA_Setup32msi or SQL2008R2BPA_Setup64msi
depending on your platform
5 Once BPA is installed open a PowerShell prompt with Administrative Privileges
6 Execute the following commands
a Enable-PSRemoting
b winrm set winrmconfigwinrs ``MaxShellsPerUser=`10``
This should allow BPA to be successfully installed in the workgroup scenario
573 Kerberos Failure
This scenario is that you are failing with the above due to a Kerberos issue This particular issue could
actually show up after you have installed BPA depending on how you have configured your
environment
The issue stems from the fact that the Windows Remoting Windows Service uses the Network Service
account Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos As a
result it will be using the HOST Service Principal Name (SPN) that is on the Machine Account as it is
running under that context You may have an HTTP SPN that resides on a different account with that
host name For example if you are running an IIS Web Application such as SharePoint or if you are
using Reporting Services and the service account is set to a Domain User account instead of Network
Service or Local System If your URL of your application matches the machine name then your HTTP
SPN will be the same Thatrsquos where this problem comes in WinRM will stop working at that point and
give you a message similar to the following
Set-WSManQuickConfig WinRM cannot process the request The following error
occured while using Negotiate authentication An unknown security error
occurred
Possible causes are
-The user name or password specified are invalid
-Kerberos is used when no authentication method and no user name are
specified
-Kerberos accepts domain user names but not local user names
-The Service Principal Name (SPN) for the remote computer name and port
does not exist
-The client and remote computers are in different domains and there is no
trust between the two domains
After checking for the above issues try the following
-Check the Event Viewer for events related to authentication
-Change the authentication method add the destination computer to the
WinRM TrustedHosts configuration setting or use HTTPS transport
Note that computers in the TrustedHosts list might not be authenticated
-For more information about WinRM configuration run the following
Page 32
command winrm help config
At line50 char33
+ Set-WSManQuickConfig ltltltlt -force
+ CategoryInfo InvalidOperation () [Set-WSManQuickConfig]
InvalidOperationException
+ FullyQualifiedErrorId
WsManErrorMicrosoftWSManManagementSetWSManQuickConfigCommand
You can get this type of error from WinRM for muliple reasons The one that
we saw in our testing was the HTTP SPN scenario
If you do have an HTTP SPN defined on a Domain Account that is using the name of your machine
you have some options First you can follow the steps mentioned above to get BPA installed The
Enable-PSRemoting command will give you the above error You can temporarily remove the HTTP
SPN to get remoting enabled and then re-add the HTTP SPN
Once BPA is setup you will still not be able to run BPA if you put the HTTP SPN back in place You will
see the following when you attempt to perform a scan
This will occur regardless of which component you try to scan It could be the Engine Setup RS etchellip
One option to perform the scan successfully is to temporarily remove the HTTP SPN again run the
scan and then put the HTTP SPN back in place Another option but one that will probably require
further testing from your applicationrsquos end would be to run the application under a Host Header and
then your HTTP SPN would not include the machine name allowing BPA to run without issue
Page 33
6 RULES
Searching for ldquoSQL Server 20087 R2 BPArdquo at Microsoftcom reveals
Here is an example of one of these articles that talks about a rule to check for a recent ldquocleanrdquo
CHECKDB
Page 34
BPA works by measuring a rolersquos compliance with best practice rules in eight different categories of a
rolersquos effectiveness trustworthiness and reliability Results of measurements can be any of the three
severity levels described in the following table
Severity level Description
Noncompliant Noncompliant results are returned when a role does not satisfy the conditions of a rule
Compliant Compliant results are returned when a role satisfies the conditions of a rule
Warning Warning results are returned when a role is compliant as operating currently but may not satisfy the conditions of a
rule if changes are not made to its configuration or policy settings For example a scan of Remote Desktop Services
might show a warning result if a license server is unavailable to the role because even if no remote connections are
active at the time of the scan not having the license server prevents new remote connections from obtaining valid
client access licenses
Page 35
BPA rule categories
The following table describes the categories of best practice rules against which roles are measured
during a BPA scan
Category Name Description
Security Security rules are applied to measure a rolersquos relative risk for exposure to threats such as unauthorized or malicious
users or loss or theft of confidential or proprietary data
Performance Performance rules are applied to measure a rolersquos ability to process requests and perform its prescribed duties in
the enterprise within expected periods of time given the rolersquos workload
Configuration Configuration rules are applied to identify role settings that might require modification for the role to perform
optimally Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role
from performing its prescribed duties in an enterprise
Policy Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the
role to operate optimally and securely
Operation Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise
Predeployment Predeployment rules are applied before an installed role is deployed in the enterprise to let administrators to
evaluate whether best practices were satisfied before you use the role in production
Postdeployment Postdeployment rules are applied after all required services have started for a role and the role is running in the
enterprise
BPA Prerequisites BPA Prerequisite rules explain configuration settings policy settings and features that are required for the role
before BPA can apply specific rules from other categories A prerequisite in scan results indicates that an incorrect
setting a missing role role service or feature an incorrectly enabled or disabled policy a registry key setting or
other configuration has prevented BPA from applying one or more rules during a scan A prerequisite result does
not imply compliance or noncompliance It means that a rule could not be applied and therefore is not part of the
scan results
61 Engine Rules
Please find below a summary of the 74 Engine Rules with the links to the rule descriptions These rules
are checking that you have a secure resilient and well performing SQL configuration
Authentication Mode (httpsupportmicrosoftcomkb2028697)
Lightweight Pooling is enabled (httpsupportmicrosoftcomkb2160691)
Locks Configuration Not Dynamic (httpsupportmicrosoftcomkb2199576)
non-default network packet size in use (httpsupportmicrosoftcomkb2157175)
degree of parallelism not set to recommended value (httpsupportmicrosoftcomkb2023536)
Use Database Mail instead of SQL Mail (httpsupportmicrosoftcomkb2028584)
SQL Server Agent Proxy Account (httpsupportmicrosoftcomkb2160741)
SQL Login Password Policy Strength and password expiry
(httpsupportmicrosoftcomkb2028712)
Trustworthy Bit (httpsupportmicrosoftcomkb2183687)
Symmetric Keys Check (httpsupportmicrosoftcomkb2162020)
Asymmetric Keys Check (httpsupportmicrosoftcomkb2162020)
SQL Server installed on PDC BDC (httpsupportmicrosoftcomkb2032911)
Page 36
SQL Server Admin role membership check (httpsupportmicrosoftcomkb2184138)
Windows API calls intercepted (httpsupportmicrosoftcomkb2033238)
unsupported DotNET framework assemblies present (httpsupportmicrosoftcomkb2033344)
Disk partition starting offset may be incorrect (httpsupportmicrosoftcomkb2023571)
non-default max worker threads value configured (httpsupportmicrosoftcomkb2157129)
Guest Permissions (httpsupportmicrosoftcomkb2186935)
Data and Log files on the same volume (httpsupportmicrosoftcomkb2033523)
IO timeouts and IO controller errors detected (httpsupportmicrosoftcomkb2091098)
IO device errors detected (httpsupportmicrosoftcomkb2091098)
IO errors during page faults detected (httpsupportmicrosoftcomkb2091098)
cluster disk corruption encountered (httpsupportmicrosoftcomkb2091098)
disk defragmentation encountered corruption (httpsupportmicrosoftcomkb2091098)
failed IO requests detected (httpsupportmicrosoftcomkb2091098)
IO requests are successful when retried (httpsupportmicrosoftcomkb2015757)
IO Delay Problems reported by SQL Server (httpsupportmicrosoftcomkb2137408)
This system experienced unexpected shutdowns (httpsupportmicrosoftcomkb2091098)
tempdb corruption errors fix missing (httpsupportmicrosoftcomkb960770)
Critical SQL database inconsistency errors found (httpsupportmicrosoftcomkb2152734)
Logical consistency errors detected (httpsupportmicrosoftcomkb2152472)
Database have auto shrink option enabled (httpsupportmicrosoftcomkb2160663)
SQL Server Error logs are very big (httpsupportmicrosoftcomkb2199578)
incorrect affinity mask settings detected httpsupportmicrosoftcomkb2157114
Very low blocked process threshold setting detected httpsupportmicrosoftcomkb2157154
Potential security issue with legacy DTS stored procedures
httpsupportmicrosoftcomkb2202875
Winsock LSP loaded into SQL httpsupportmicrosoftcomkb2033448
Databases using simple recovery model httpsupportmicrosoftcomkb2137539
User database collation different from model httpsupportmicrosoftcomkb2026108
Database files and backups exist on the same volume httpsupportmicrosoftcomkb2027537
Databases have auto close option enabled httpsupportmicrosoftcomkb2160685
LSI SAS drivers needs update httpsupportmicrosoftcomkb2121098
SQL tempdb database not configured optimally httpsupportmicrosoftcomkb2154845
SQL Database file has sparse attribute set httpsupportmicrosoftcomkb2028447
Invalid startup parameters httpsupportmicrosoftcomkb2028433
MSDTC settings not configured optimally httpsupportmicrosoftcomkb2027550
sql incorrect results fix missing httpsupportmicrosoftcomkb971780
File System needs tuning for better FileStream performance
httpsupportmicrosoftcomkb2160002
linked server memory leak fix missing httpsupportmicrosoftcomkb971622EN-US
Windows service pack is not at recommended level httpsupportmicrosoftcomkb2121098
default extended event health session not in expected state
httpsupportmicrosoftcomkb2160570
TcpSysAndChimneyCheck httpsupportmicrosoftcomKB918483
FDHOST Launcher service is not configured properly httpsupportmicrosoftcomkb2160720
Unrecommended SQL Server Agent service account httpsupportmicrosoftcomkb2160720
A required Windows fix to avoid sparse file related problems is missing
httpsupportmicrosoftcomkb2002606
Page 37
Significant Portion of SQL Server Memory Has Been Paged Out
httpsupportmicrosoftcomkb2028324
Server Exception or Hang Detected on Server httpsupportmicrosoftcomkb2028589
Databases exist without CHECKSUM protection httpsupportmicrosoftcomkb2078345
backups outdated for databases httpsupportmicrosoftcomkb2027537
Database consistency check not current httpsupportmicrosoftcomkb2033590
SQL Server Memory settings are incorrect httpsupportmicrosoftcomKB918483EN-US
Autogrow Failed or took a long time httpsupportmicrosoftcomkb2091024
Storport driver fix from KBA 940467 missing httpsupportmicrosoftcomkb2121098
Storport driver fix from KBA 950903 missing httpsupportmicrosoftcomkb2121098
SQLCLR needs additional memory configuration httpsupportmicrosoftcomkb969962EN-US
Operating System files and drivers needs update for working set trimming
httpsupportmicrosoftcomkb2121098
Agent Token Replacement httpsupportmicrosoftcomkb2202637
Auditing Log in failures httpsupportmicrosoftcomkb2187161
Databases with high number of VLF present httpsupportmicrosoftcomkb2028436
Transparent Data Encryption Certificate httpsupportmicrosoftcomkb2201900
Permission on the Binn folder httpsupportmicrosoftcomkb2029023
Index Statistics Are Outdated
Server public permissions httpsupportmicrosoftcomkb2160698
Detected use of older versions of SQLNCLI httpsupportmicrosoftcomkb979779
62 AS Rules
Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions
Flight Recorder Enabled for SQL Server Analysis Services
httpsupportmicrosoftcomkb2128005
Excessive amount of memory preallocated to Analysis Services
httpsupportmicrosoftcomkb2027474
Server not configured for optimal concurrent query throughput
httpsupportmicrosoftcomkb2135031
Non standard value detected for Analysis Services memory configuration
httpsupportmicrosoftcomkb2027472
Process Thread Pool Max limit above recommended limit
httpsupportmicrosoftcomkb2134497
Process Thread Pool Minimum is below the recommended limit
httpsupportmicrosoftcomkb2134855
Server is running a build with a known regression httpsupportmicrosoftcomkb2157941
Slice not set on a ROLAP partition or a partition where proactive caching is enabled and
ROLAP storage ay occur httpsupportmicrosoftcomkb2027754
Server is ignoring duplicate key errors httpsupportmicrosoftcomkb2027761
No default member defined for non-aggregatable attribute
httpsupportmicrosoftcomkb2027769
UnknownMember set to hidden httpsupportmicrosoftcomkb2027628
Non-numeric key column for high cardinality attribute httpsupportmicrosoftcomkb2028138
Attribute hiearchy enabled for high cardinality non-key attribute
httpsupportmicrosoftcomkb2028143
ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition
detected httpsupportmicrosoftcomkb2132742
Page 38
Account or Time attribute types defined in a non-matching dimension type
httpsupportmicrosoftcomkb2157299
An Account or Time dimension has no matching attribute defined
httpsupportmicrosoftcomkb2027418
Dimension has no attribute defined with the same type
httpsupportmicrosoftcomkb2027443
Attribute Dimension type mismatch httpsupportmicrosoftcomkb2157327
Mismatched dimension attribute types detected in dimension
httpsupportmicrosoftcomkb2027459
Possible incorrect order of levels defined in hierarchy httpsupportmicrosoftcomkb2027460
Define attribute relationships as Rigid where possible httpsupportmicrosoftcomkb2027468
Redundant attribute relationships detected httpsupportmicrosoftcomkb2127437
Diamond-shape relationship detected httpsupportmicrosoftcomkb2127570
Non-Standard Attribute Relationship name detected httpsupportmicrosoftcomkb2127862
Proactive Caching set for dimension without a processing query
httpsupportmicrosoftcomkb2027541
No Time dimension detected httpsupportmicrosoftcomkb2027532
More than 3 parent-child dimensions with custom rollups defined
httpsupportmicrosoftcomkb2134431
Encountered a parent-child dimension with more than 500000 members
httpsupportmicrosoftcomkb2131918
Single attribute dimensions detected httpsupportmicrosoftcomkb2141654
Measure groups with zero dimensional overlap detected in cube
httpsupportmicrosoftcomkb2027609
Proactive Caching set for a partition without a processing query
Default measure for perspective not in the perspective
httpsupportmicrosoftcomkb2027603
Use MOLAP storage for dimensions that participate in semi-additive measure groups
httpsupportmicrosoftcomkb2135112
Measure group defined with no partition httpsupportmicrosoftcomkb2027545
63 RS Rules
RSWindowsNegotiate is missing from your configuration
httpsupportmicrosoftcomkb2145506
HTTP Logging is not enabled httpsupportmicrosoftcomkb2145909
Verbose logging is enabled httpsupportmicrosoftcomkb2146315
NTLM authentication may fail for local httpsupportmicrosoftcomkb2146369
Missing extended protection settings httpsupportmicrosoftcomkb2146062
64 IS Rules
Logging task missing for package httpsupportmicrosoftcomkb2027723
ActiveX Script task detected in package httpsupportmicrosoftcomkb2027712
Unrecommended Integration Services service account detected
httpsupportmicrosoftcomkb2027684
Integration Services logging table found in system database master and or msdb
httpsupportmicrosoftcomkb2027706
Integration Services memory dump detected httpsupportmicrosoftcomkb2027727
Page 39
65 Setup Rules
Unsupported Operating System Version Detected httpsupportmicrosoftcomkb2022909
WOW64 not supported for SQL Failover Clustering httpsupportmicrosoftcomkb2157198
Installer cache is missing for the SQL Installation httpsupportmicrosoftcomkb2015100
SQL Server WMI Provider Health Check
66 Replication Rules
Replication Timeout Alerts Type httpsupportmicrosoftcomkb2118349
Replication Pub and Sub out of sync (Data Validation) httpsupportmicrosoftcomkb2118386
Replication Pub and Sub out of sync (Constraint Violations)
httpsupportmicrosoftcomkb2118410
Replication Pub and Sub out of sync (Skipped Transactions)
httpsupportmicrosoftcomkb2194498
Merge Replication Health Check httpsupportmicrosoftcomkb2118445
Subscriptions Approaching Expiration httpgomicrosoftcomfwlinkLinkId=184483
Replication Cleanup and Retention Health Check httpsupportmicrosoftcomkb2118485
Replication Latency Threshold violations httpsupportmicrosoftcomkb2118425
Page 40
7 HOW TO DEAL WITH DEVIATIONS
Deviations from these Best Practices may indicate potential issues and configuration changes may be
necessary Make sure you have tested any intended changes in a test environment before deploying
them to a production environment You could also find deviations from Best Practices that are
acceptable or even necessary for your environment For example
SAP has its special Network Packet Size of 8 KB
Existing Non-Microsoft Clients ndash would require Mixed Mode Authentication
Page 41
8 MOTIVATION TO USE SQL BPA R2
Bob Ward explained in his Article ldquoWhy use SQL Server 2008 R2 BPA Case 1 Missing Updatesrdquo
the common pitfalls during maintenance and operation of SQL Server and how address them by using
the SQL BPA
In brief itrsquos a customer scenario where the customer is facing an issue after a major update to
SQL2008 After some troubleshooting and an update to a certain CU (that is meant to fix the issue) the
problem still occurs Bobs article states the common resulting consequences ndash the involvement of
Microsoft Support and the final solution ndash adding a needed traceflag
The good news in this story is that the customer would not have needed to go to all that effort if they
would have run the SQL BPA It would have told them about the update and instructed them to put the
traceflag in place BPA is a mechanism that proactively advises you and instructs you on dealing with
common known issues
Page 42
9 ADDITIONAL INFORMATION
91 PowerShell
To use the functionality of the Baseline Configuration Analyzer with PowerShell you must import this
module first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
The following commands are stored in this module
Get-MbcaModel
Get-MbcaResult
Invoke-MbcaModel
Set-MbcaResult
You get help of this command with the following syntax
Get-help ltcommandgt -full
911 Get-MBCAModel
SYNOPSIS
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer
SYNTAX
Get-MBCAModel [[-ModelId] ltstring[]gt] [[-SubModelId] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer If no parameter is
specified Get-MBCAModel returns all models that are installed on the computer If a model is specified
by using the -ModelId parameter information about the specified model is returned
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
The results of the Get-MBCAModel cmdlet include the following details about models
1 Branding information (manufacturer or company display names version number) that is found in
the model manifest
2 Dynamic parameters that are included with the model
3 Submodels that are included with the model
PARAMETERS
-ModelId ltstring[]gt
The -ModelId parameter specifies the ID of the MBCA model about which you want to view
details You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet with no parameters and targeted at a computer on which MBCA models are installed
Page 43
This parameter supports wild card characters
Required false
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you
want to view details You can obtain valid values for the -SubModelId parameter by running the
Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models
are installed Not all models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
Examples
Get-MBCAModel
In the preceding example Get-MBCAModel with no parameters added returns details about all MBCA
models that are installed on the computer
Get-MBCAModel -ModelId SQL2008R2BPA
The preceding example can be used to return details about the MBCA model that is specified in the -
ModelId parameter represented by Model Id
$model= Get-MBCAModel -ModelId SQL2008R2BPA
$modelParameters
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the Parameters property of the model details that were stored in the
$model object returns details about which parameters are supported by the model
Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId ltSubModel Idgt
The preceding example can be used to return details about the MBCA sub-model that is specified by
the -SubModelId parameter represented by SubModel Id Note that the -ModelId parameter is
required by the -SubModelId parameter
$model= Get-MBCAModel -ModelId SQL2008R2BPA
Page 44
$modelSubModels
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the SubModels property of the model details that were stored in the
$model object returns a list of the submodels of the model specified in the first line
912 Invoke-MBCAModel
SYNOPSIS
The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA)
scan for a specific model that is installed on your computer
SYNTAX
Invoke-MBCAModel [-ModelId] ltstringgt -SubModelId ltstringgt [-Authentication
ltAuthenticationMechanismgt] [-CertificateThumbprint ltstringgt] [-ComputerName
ltstring[]gt] [-ConfigurationName ltstringgt] [-Context ltstringgt] [-Credential
ltstringgt] [-Mode ltModeEnumgt] [-Port ltintgt] [-RepositoryPath ltstringgt] [-
ThrottleLimit ltintgt] [-UseSSL] [ltCommonParametersgt]
DESCRIPTION
The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer
(MBCA) scan for a specific model that is installed on your computer The model is specified either by
using the parameter -ModelId or by piping the results of the Get-MBCAModel cmdlet into an Invoke-
MBCAMode cmdlet
After the MBCA scan has been performed the results of the scan are available to be retrieved by Get-
MBCAResult cmdlet
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Authentication ltAuthenticationMechanismgt
Specifies the authentication mechanism that is used to authenticate the users credentials Valid
values include Default Basic CredSSP Digest Kerberos Negotiate and
NegotiateWithImplicitCredential The default value is Default
For more information about the -Authentication parameter type the following and then press
Enter
Get-Help Invoke-Command -Parameter Authentication
Required false
Position named
Default value Default
Accept pipeline input false
Accept wildcard characters false
-CertificateThumbprint ltstringgt
Page 45
Specifies the digital public key certificate (X509) of a user account that has rights to perform the
cmdlet action The valid value is the certificate thumbprint of the certificate
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Certificate Thumbprint
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific
computer by adding this parameter Valid values include NETBOS names IP addresses or fully-
qualified domain names of one or more computers in a comma-separated list To specify the local
computer type the computer name or localhost
All formats that are accepted by the -ComputerName parameter in Invoke-Command are
accepted
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ConfigurationName ltstringgt
Specifies the session configuration that is used for a new PSSession
Enter a configuration name or the fully-qualified resource URI for a session configuration
Session configuration data is found on the remote computer on which you want to run a cmdlet
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ConfigurationName
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
The -Context parameter lets you run scans on a submodel in the context of a specific model (one
that is different from the parent model of the submodel) For example an administrator might
want to run a scan on the Backend submodel of the SQL model but only those in the context
of a third model a technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
Page 46
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Credential ltstringgt
Specifies a user account that has permission to run this cmdlet The default value is the current
user
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Credential
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Mode ltModeEnumgt
The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered
documents or discovery The default is to perform both discovery and analysis or All
If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet both discovery and
analysis are performed during a scan
Valid values are Discovery Analysis and All
Required false
Position named
Default value All
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model that you want to scan You can
obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at
a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
Page 47
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-Port ltintgt
Specifies the network port on a remote computer on which you want to run a scan The default
value is port 80
For more information on this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Port
Required false
Position named
Default value 80
Accept pipeline input false
Accept wildcard characters false
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a pathname If the parameter is not used the cmdlet writes
results to the default result repository
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to
scan You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed Not all models have
submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ThrottleLimit ltintgt
Specifies the maximum number of concurrent connections that can be established to run the
cmdlet If you omit this parameter or enter a value of 0 the default value of 32 is used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ThrottleLimit
Required false
Page 48
Position named
Default value 32
Accept pipeline input false
Accept wildcard characters false
-UseSSL [ltSwitchParametergt]
Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer
By default SSL is not used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter UseSSL
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceInvokeBpaModelOutputgt
The output object encapsulates the results of the cmdlet that you entered It contains information such
as the MBCA model ID the success or failure of the cmdlet and other details
NOTES
If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C)
before the temporary results file is copied to its final location the temporary file is discarded and any
previous scan results file for the role are preserved The message Processing of Invoke-MBCAModel
cancelled by user is displayed if the command is cancelled before existing scan results files are
overwritten
If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel
cmdlet and the command is cancelled scans that were completed before the cancel command was
entered cannot be cancelled A scan in progress behaves as described above in the single-model scan
cancellation scenario Subsequent scans in the pipeline are cancelled
If a concurrent scan of the same model is attempted the cmdlet returns the following error message
Another scan for this MBCA model is in progress Only one scan is allowed at a time
-------------------------- EXAMPLE 1 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA
Description
The preceding example starts a MBCA scan on the model that is represented by ltModel Idgt
-------------------------- EXAMPLE 2 --------------------------
Page 49
Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name
redmondmicrosoftcom
Description
The preceding example starts an MBCA scan on the model ID that is specified by Model Id
The administrator starts the MBCA scan with additional model-specific parameters that are exposed by
the model (For an example of how to obtain model-specific parameters see the examples for the Get-
MBCAModel cmdlet)
For example to scan a model that requires model-specific parameters (such as -Scope and -Name) to
be passed to the command the administrator can specify the values of these model-specific
parameters with the Invoke-MBCAModel cmdlet
-------------------------- EXAMPLE 3 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The
cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion
of the scan
-------------------------- EXAMPLE 4 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath
ltRepository Pathgt
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The -
Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on
existing documents that are specified in the non-default repository path provided with the -Repository
Path parameter
-------------------------- EXAMPLE 5 --------------------------
Invoke-MBCAModel -Id ltModel Idgt -SubModelId ltSubModel Idgt -ComputerName
ltServergt -Context ltContext Model Idgt -RepositoryPath ltRespository Pathgt -
AsJob -Authentication ltAuthenticatonMechanismgt -Port ltPort Numbergt -UseSSL -
ThrottleLimit ltThrottle Limitgt
Description
The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id
and on the computer that is represented by Server
Because the administrator only wants to see results from the submodel that apply in the context of a
third model the administrator runs the scan within the context of the model ID that is specified in the -
Context parameter The cmdlet results are saved to the non-default repository path that is specified in
the -RepositoryPath parameter
Because the -AsJob parameter is added the scan runs in the background The -AsJob -
Authentication -Port -UseSSL and -ThrottleLimit parameters are passed through for use by the
Invoke-Command cmdlet to perform discovery on a remote computer For more information about
these parameters see the Help for the Invoke-Command cmdlet available in Windows PowerShell V2
913 Get-MBCAResult
SYNOPSIS
Page 50
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
SYNTAX
Get-MBCAResult [-ModelId] ltstringgt [[-CollectedConfiguration]] -SubModelId
ltstringgt [-ComputerName ltstring[]gt] [-Context ltstringgt] [-Filter
ltFilterEnumgt] [-RepositoryPath ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
To use the command add the -ModelId parameter and then specify the model ID for which you want
to view the most recent MBCA scan results or collected configuration data If you want to retrieve the
configuration data collected add the -CollectedConfiguration switch parameter
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-CollectedConfiguration [ltSwitchParametergt]
The -CollectedConfiguration parameter allows you to obtain the configuration data that was
collected for the most recent MBCA scan If this switch parameter is added to Get-MBCAResults
the cmdlet returns only the configuration data that was collected for a scan
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The -ComputerName parameter lets you obtain scan results that were collected for the most
recent MBCA scan of a submodel on a specific computer To specify the local computer type the
computer name or localhost Multiple values for -ComputerName can be separated by
commas
The -SubModelId parameter is required by the -ComputerName parameter
Valid values for the -ComputerName parameter include localhost a NET BIOS name an IP
address or a fully-qualified domain name (FQDN) of one or more computers in a comma-
separated list
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
Page 51
The -Context parameter lets you obtain scan results that were collected for the most recent
MBCA scan of a submodel in the context of a specific model (one that is different from the parent
model of the submodel) For example an administrator might want to display scan results for the
Backend submodel of the SQL model but only those in the context of a third model a
technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Filter ltFilterEnumgt
The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant
Noncompliant or All results Valid values are Noncompliant Compliant or All The default value
is All
The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan
results You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet obtains
results from the default result repository
Required false
Position named
Page 52
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you
want to view scan results You can obtain valid values for the -SubModelId parameter by running
the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed Not all
models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceResultgt OR
SystemXmlXmlDocument (if -CollectedData specified)
If you do not use the -CollectedConfiguration parameter verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Results
2 Attempting to get MBCA results for Model Id = 0
3 Completed getting MBCA results for Model Id = 0 Number of Results = 1
If you add the -CollectedConfiguration parameter to display configuration data that was used for a
scan verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Configuration Data
2 Attempting to get MBCA collected configuration data for Model Id = 0
3 Completed getting MBCA collected configuration data for Model Id = 0
NOTES
The Get-MBCAResult cmdlet must be run by a member of the Administrators group and it does not
start a new scan
Cancellation behaviour
Single Model - To cancel this cmdlet you must press Ctrl+C before the ResultCollection is displayed
on the console The operation is cancelled and results are not displayed on the console
Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models
the cmdlet generates only those results that were displayed on the console before the cancellation
Any subsequent results in the pipeline are cancelled and not displayed
Page 53
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -Id SQL2008R2BPA
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id
-------------------------- EXAMPLE 2 --------------------------
Get-MBCAModel | Get-MBCAResult
In the preceding example Get-MBCAModel is used to return a list of all MBCA models that are
installed on the computer The results of the Get-MBCAModel cmdlet are piped to the Get-
MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both
supported by MBCA and installed on the computer at which the cmdlet is targeted
-------------------------- EXAMPLE 3 --------------------------
$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$resultDiscoveryDocument
Description
In the preceding example configuration data (in XML form) that was collected during the most recent
Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is
retrieved and stored as a property in the variable $result $resultDiscoveryDocument is of type
SystemXmlXmlDocument
-------------------------- EXAMPLE 4 --------------------------
Get-MBCAResult SQL2008R2BPA -Filter Noncompliant
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id and then applies a filter to show only Noncompliant
results
------------------------- EXAMPLE 5 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId Note that the parent model ID must be specified
to use the -SubModelId parameter
------------------------- EXAMPLE 6 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt -ComputerName ltServergt
-Context ltContext Model Idgt -RepositoryPath ltRepository Pathgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId The parent model ID is provided as required by
the -SubModelID parameter
The -Context parameter indicates that the administrator wants to see only those scan results that are in
the context of the model that is represented by Context Model Id for example only those results from
a SQL Server scan that specifically apply to another technology such as Web Server (IIS)
Page 54
The scan results are further narrowed to only those from a computer that is specified in the -
ComputerName parameter as Server and only those results found in the non-default results
repository that is represented by Repository Path
914 Set-MBCAResult
SYNOPSIS
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
SYNTAX
Set-MBCAResult [[-Exclude] ltBooleangt] [-Results] ltResultgtgt [[-
RepostitoryPath] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
The action specified in the cmdlet (Exclude for example) determines how the existing results of an
MBCA scan are updated Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet
to return a collection of scan results
You can apply filters to results that are returned by the Get-MBCAResult cmdlet and then pipe the
filtered collection of results to the Set-MBCAResult cmdlet specifying either to include or exclude
filtered scan results
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Exclude ltBooleangt
Excludes scan results from the results collection that were previously obtained by the Get-
MBCAResult command To exclude results by using the -Exclude parameter add the value $true
following the parameter as shown
-Exclude $true
To include results that have been excluded use the $false value for the -Exclude parameter
Required false
Position 2
Default value
Accept pipeline input false
Accept wildcard characters false
-RepostitoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet
modifies results from the default result repository
Required false
Page 55
Position 4
Default value
Accept pipeline input false
Accept wildcard characters false
-Results ltResultgtgt
Specifies the result collection to be updated by the Set-MBCAResult cmdlet The -Results
parameter is typically used to specify a filtered subset of scan results that has already been
stored in a variable the variable name is provided as the valid value for the -Results parameter
For example if you have created a variable $allPerformance to store all the Performance
category results for an MBCA scan of all models on a computer and you want to exclude those
Performance results from the complete collection of scan results you add the parameter -Results
$all Performance to a Set-MBCAResult cmdlet
For a more detailed example see the Examples section of the Help for this cmdlet
Required true
Position 3
Default value
Accept pipeline input true (ByValue)
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type ldquoget-
help about_commonparameters
NOTES
If the Set-MBCAResult command is cancelled before the results are written to a file the operation is
cancelled and the results file is not modified If cancellation occurs after the results file has been
modified the commands actions are carried out and the command cannot be cancelled
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -ModelId SQL2008R2BPA | Where $_Category -eq
Performance | Set-MBCAResult -Exclude $true
Description
The first section of the preceding example to the left of the first pipe character (|) uses the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is
represented by Model Id
The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those
scan results for which the category name is equal to Performance
The final section of the example following the second pipe character excludes the Performance
results that were filtered by the previous section of the example
-------------------------- EXAMPLE 2 --------------------------
$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath
CReposPath | Where $_Category -eq Policy
Page 56
Set-MBCAResult -Exclude $true -RepositoryPath CReposPath -Results
$rcPolicy
Description
The first line of the preceding example to the left of the pipe character (|) instructs the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is
represented by Specified Model Id from the specified non-default repository path
The second section of the example after the pipe character filters the results of the Get-MBCAResult
cmdlet to return only those scan results for which the category name is equal to (note the -eq option)
Policy The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet this
variable can be used in subsequent commands to represent those results
The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that
are stored in the $rcPolicy variable In this example the -Results parameter is added because the
administrator wants to exclude a specific subset of scan results for that model and has created the
variable $rcPolicy to represent that subset of results The repository root is specified in the second line
because the administrator wants to modify the results in the same non-default repository from which
the data in $rcPolicy was retrieved
915 MBCA Model Authoring
Further information about configuration and usage of MBCA models you can in the
MBCA_ModelAuthoringGuidedocx
Page 57
Did this paper help you Please give us your feedback Tell us on a scale of 1 (poor) to 5 (excellent)
how would you rate this paper and why have you given it this rating For example
Are you rating it high due to having good examples excellent screen shots clear writing or
another reason
Are you rating it low due to poor examples fuzzy screen shots or unclear writing
This feedback will help us improve the quality of white papers we release
Send feedback
Page 17
4 USAGE
There are two ways to scan a server using MBCA and SQL 2008 R2 BPA They are
Scanning through the local machine
o In this case you are using MBCA and SQL 2008 R2 BPA running on the local machine to
perform the scan
o This scan can be of the local or an alternate server
Scanning through a remote machine
o In this case MBCA is used to connect to a remote server that has MBCA and SQL 2008
R2 BPA installed on it
o This scan is using the local machine to form the connection to the remote machine and is
actually performing the scan through the remote machine
41 Help file
The help file for the SQL Server 2008 R2 Best Practice Analyzer contains very useful information This
help file is available after the installation of BPA and is located at Start-gtAll programs-gtSQL Server
2008 R2 BPA
42 GUI
1 Ensure that MBCA v2 and SQL 2008 R2 BPA are installed on the machine
2 Run the MBCA application from the start menu with elevated user rights
Page 18
3 On the MBCA home page ensure the SQL Server 2008 R2 BPArdquo product is selected
4 Click Start Scan which displays a page to specify parameters as shown below
5 Fill in Alternate_Server_to_Scan with the remote machine you want to scan
ComputerName
IP address nnnn
FQDN (Fully Qualified Domain Name)
Enter ldquordquo localhost or leave this blank if you want to scan the local machine
Page 19
Enter the instance name you want to scan To scan the default instance enter MSSQLSERVER
or leave this as blank Toggle the checkboxes to enabledisable scans for those rule categories
Each of the following six check boxes correspond to the SQL Server categories listed previously
Select at least one category in order to run a successful scan
Analyze_SQL_Analysis_Services
Analyze_SQL_Server_Engine
Analyze_SQL_Integration_Services
Analyze_SQL_Server_Replication
Analyze_SQL_Reporting_Services
Analyze_SQL_Server_Setup
Note Only one SQL Server instance can be scanned at a time through the MBCA GUI
6 Click Start Scan MBCA will start the configured scan and display the below page while in
progress
7 When the scan is complete results will be displayed grouped by Severity as shown below
Page 20
43 Connect to a remote computer
A scan connected to a remote computer is different than scanning an alternate server
ldquoConnect to a Remote Computerrdquo is functionality provided by Microsoft Baseline Configuration Analyzer
and is used to remotely run MBCA against a server from the console of the client The client needs to
have MBCA installed but does not need BPA as it is literally running the copy of MBCA installed on the
server using the BPA installed on the server In this case the copy of MBCA installed on the client is
used only to remotely connect to the copy of MBCA installed on the server
To use this functionality you first start MBCA on the client computer and select ldquoConnect to Another
Computerrdquo
1 In the ldquoConnect to Another Computerrdquo text box you can specify a NetBIOS name a fully qualified
domain name (FQDN) or an IPv4 or IPv6 address If no port number is specified the default port
number is used The following are examples of formats that you can specify in the Connect to
Another Computer text box
ComputerName
Page 21
ComputerNamePortNumber
IP address nnnn
IPv6 address [nnnnnnnn]
IPv4 address with port number nnnnPortNumber
IPv6 address with port number [nnnnnnnn]PortNumber
Note If an administrator has changed the computerrsquos default port number any port other than the
default port must be opened in Windows Firewall to allow incoming connections on that port Port
5985 is opened by default when WinRM is configured All other ports remain blocked until opened
For more information about how to unblock a port in Windows Firewall see the Help for Windows
Firewall For more information about how to configure WinRM in a Command Prompt session type
winrm help and then press Enter
2 Additionally you must supply credentials
3 CredSSP
Windows Remote Management (WinRM) supports the delegation of user credentials across
multiple remote computers The multi-hop support functionality can now use Credential Security
Service Provider (CredSSP) for authentication CredSSP enables an application to delegate the
userrsquos credentials from the client computer to the target server
CredSSP authentication is intended for environments where Kerberos delegation cannot be used
Support for CredSSP was added to allow a user to connect to a remote server and have the ability
to access a second-hop machine such as a file share
Note WinRM clients and servers will support CredSSP authentication only with explicit credentials
Windows XP Windows Server 2003 and earlier CredSSP is not supported
First you must set CredSSP on both the client and the server
Using the Group Policy Editor (gpeditmsc) make sure to enable ldquoAllow Delegating Fresh
Credentialsrdquo and check ldquoConcatenate OS defaults with input aboverdquo
Add the server or domain to the list of servers in the format ldquoWSMANdomainnamecomrdquo
Next enable and configure PowerShell Remoting on both the Client and Server by running the
following commands in a PowerShell command window opened with elevated permissions Note
Page 22
You can configure a single machine as both a client and a server simultaneously so that you can
scan from either computer
Enable PowerShell Remoting
o Enable-psremoting ndashf
Settings for a client
o Enable-WSManCredSSP ndashrole Client ndashDelegateComputer [NetBiosNameOfServer]
or
o Enable-WSManCredSSP ndashrole Client ndashDelegateComputer [FQDN OF SERVER]
Settings for the server
o Enable-WSManCredSSP ndashrole Server
o set-item WSManlocalhostShellMaxMemoryPerShellMB ndashValue 20000
o set-item WSManlocalhostShellMaxShellsPerUser ndashvalue 20
44 PowerShell
Details see 91 PowerShell
To use the functionality of the Microsoft Baseline Configuration Analyzer you must import this module
first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
441 Run Scan
To run a full scan of the BPA on the alternate server on a named instance you can use the following
command line
Invoke-MBCAModel -ModelId SQL2008R2BPA -Alternate_Server_to_scan
servername -SQL_Server_Instance_Name instancename -
Analyze_SQL_Server_Engine -Analyze_SQL_Server_Replication -
Page 23
Analyze_SQL_Server_Setup -Analyze_SQL_Analysis_Services -
Analyze_SQL_Integration_Services -Analyze_SQL_Reporting_Services
The result looks like this part
ModelId SQL2008R2BPA
SubModelId
Success True
ScanTime
Success = True is important This is the indicator that your scan was successful
Parameter description
-Alternate_Server_to_scan servername
-SQL_Server_Instance_Name instancename
-Analyze_SQL_Server_Engine
-Analyze_SQL_Server_Replication
-Analyze_SQL_Server_Setup
-Analyze_SQL_Analysis_Services
-Analyze_SQL_Integration_Services
-Analyze_SQL_Reporting_Services
The parameter list is equal the parameter screen in the GUI
The scans of the different services are optional You can remove technologies which you do not need
to scan
The next example starts the scan only for the Analysis Services on the alternate server ldquoservernamerdquo
and for the named instance ldquoinstancerdquo A log file will be written to ldquoctempssastxtrdquo
Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId AnalysisServices -
ComputerName servername -SqlServerInstance instance -SSASLogFile
ctempssastxt
Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId Engine -ComputerName
computername -SqlServerInstance servername -CurrentLoginName
($EnvUSERDOMAIN + + $EnvUSERNAME)ToString() -EngineLogFile
ctempenginetxt ndashRepositoryPath (CTEMPSQL2008 + (Get-
Date)ToString(yyyyMMdd))ToString()
442 Create Report
model = get-MbcaModel ndashModelId sql2008r2bpa
$scanResult = get-MbcaResult ndashModelId sql2008r2bpa
$collectedConfig = get-MbcaResult ndashModelId sql2008r2bpa ndash
CollectedConfiguration
$model $scanResult $collectedConfig | export-CliXml ctempasxml
Get-MBCAResult -ModelId SQL2008R2BPA -SubModelId AnalysisServices |
ConvertTo-Html | Add-Content -Path ctesthtml
The next command retrieves the results of the most recent BPA scan for the specified model and
saves them in HTML format applying the standard cascading style sheets that are stored in the path
windirsystem32WindowsPowerShellv10ModulesBestPracticesBestPracticesReportFormatc
Page 24
ss If you want to substitute cascading style sheets provide the path to the different cascading style
sheets
Get-MBCAResult -ModelId SQL2008R2BPA | $_Severity -eq Warning -or
$_Severity -eq Error | ConvertTo-Html -As Table -property ResultNumber
SubModelID ComputerName Severity Category Title Problem Impact
Resolution Help -Head lth1gtSQL Server 2008 (R2) Best Practice Analyzer
Reportlth1gtrdquo -Title SQL Server 2008 Best Practice Analyzer -body
(ltpgtReport creation date + (Get-Date)ToString(ddMMyyyy hhmmss) +
ltpgt)toString() -pre ltPgtGenerated by user $envusername on computer
$envcomputernameltPgt -post For details contact Microsoft Premier-
CssUri $env BestPracticesReportFormatcss gt ctempsql2008r2bpahtm
443 Exporting and opening reports by using Get-MBCAResult
You can use the Get-MBCAResult cmdlet to export scan results and configuration data to an XML
report that you can open for viewing in the future either by using Get-MBCAResult or by using the
MBCA GUI Exporting reports allows you to compare older scans with more recent scans to measure
the progress of your best practice compliance
Example of exporting to XML
$results = Get-MBCAResult ltModel Idgt
$collectedconfig = Get-MBCAResult ltModel Idgt -CollectedConfiguration
$results $collectedconfig | Export-CliXml cexportxml
Example of opening archived XML report file
$loadedResults $loadedConfiguration = Import-CliXml cexportxml
444 Report Result Directory
The reporting result path
AppDataMicrosoftBaselineConfigurationAnalyzer
2ReportsSQL2008R2BPAResults
Will be overwritten during each run of the tool or invoke command
Solution save older results before you start the check
copy-item -path ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2Reports)ToString() -
destination ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2Reports_ + (Get-
Date)ToString(yyyyMMddhhmmss))ToString() ndashrecurse
Afterwards you can create a report with the following command
$prevrepPath = (Get-ChildItem ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2)ToString() -exclude
Reports | Sort-Object name -descending)[0]
Get-MBCAResult -ModelId SQL2008R2BPA ndashRepositoryPath ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2rdquo +
$prevrepPathname)ToString() | ConvertTo-Html -As Table -property
ResultNumberSubModelID ComputerName Severity Category Title Problem
Impact Resolution Help -Head lth1gtSQL Server 2008 (R2) Best Practice
Analyzer Reportlth1gtrdquo -Title SQL Server 2008 Best Practice Analyzer -body
(ltpgtReport creation date + (Get-Date)ToString(ddMMyyyy hhmmss) +
ltpgt)toString() -pre ltPgtGenerated by user $envusername on computer
Page 25
$envcomputernameltPgt -post For details contact Microsoft Premier gt
ctempsql2008r2bpahtm
Page 26
5 TROUBLESHOOTING
51 Application directories
To following directories are used by MBCA
Report output directory localappdataMicrosoftMicrosoftBaselineConfigurationAnalyzer 2ReportsSQL2008R2BPAResults
Model configuration path ProgramdataMicrosoftMicrosoft Baseline Configuration Analyzer 2ModelsSQL2008R2BPA
Temp and log files directory tempSQL2008R2BPASQL2008ltdategt_lttimegt
Registry [HKEY_LOCAL_MACHINESOFTWAREMicrosoftBaselineConfigurationAnalyzer]
Log Files
During Data Discovery SQL Server 2008 R2 BPA creates log files for troubleshooting The log file
contains the following information
Pre-requisite validation
Timestamp finished rules start and end times
Run-time scripting errors and exceptions from Power Shell Traps
Log Files Location
For every scan log files are created in userrsquos Local Temp directory (Temp) and follows the folder
structure SQL2008R2BPAlt Instance Name gtlt datestamp_timestamp gtlt Log files gt
Note In case of a remote scan the category log files are generated on the remote system at the same
path whereas the common log file is generated in the local system
Log Files Structure
A common log file gets generated and contains information about each categorys execution Apart
from this each category has its own log file which details the rule execution The names of the log files
are given below
Common File - ModelLogtxt
Engine Rules - EngineLogtxt
Replication Rules - ReplicationLogtxt
Setup Rules - SetupLogtxt
Analysis Services Rules - AnalysisServicesLogtxt
Reporting Services Rules - ReportingServicesLogtxt
Integration Services Rules - IntegrationServicesLogtxt
52 Windows Server 2003 ndash NumberOfLogicalProcessors
Analysis Services RID2803 and RID2804 ndash NumberOfLogicalProcessors property is unavailable in
Win32_Processor for with Windows Server 2003
Solution The NumberOfLogicalProcessors property does not exist in the WIN32_PROCESSOR object
in Windows Server 2003 It has been implemented in the hotfix
httpsupportmicrosoftcomkb932370
Both of the rules below will function properly if you apply this hotfix For more information look here
Page 27
53 MBCA
This message indicates that on prerequisite is not installed
Please install the version 2 of the MBCA
54 Where can I find the Instance name in result set of the analyzer
report
The instance name is in the collected data option of the analyzer report in the BPA GUI
55 Memory limit of remote PowerShell process
By default remote PowerShell process can consume only 150 MB or less memory This default limit is
significantly small and once this limit is reached there could be a WinRM exception causing and remote
connection immediately terminates Any application or Cmdlet which is involved in PowerShell
remoting should be tested for this memory limit this may cause some of the command to fail for
example site collection creation
Solution Increase the memory limit for the remote shell Use the following command to increase this
limitation to 1000MB This is only necessary if you need to run those commands on that server
Set-Item WSManlocalhostShellMaxMemoryPerShellMB 1000
56 Remote connect
If you try to ldquoConnect to another computerrdquo from MBCA and you receive the following message
Page 28
You should check first if the Hotfix KB968930 is installed
Afterwards validate that the ldquoWindows Remote Managementrdquo service is started
Enable-PSRemoting
If CredSSP is unsupported or unavailable you will see the following message
Page 29
If you have no permission to access the remote server you get the error message
Page 30
57 Installation
571 PowerShell error
After getting through the Pre-Reqs for BPA (PowerShell 20 MBCA NET Framework) you may hit
one of two scenarios when installing BPA
In all of the cases of an install failure you will see the following error
There is a problem with this Windows Installer package A program run as part of the setup did not
finish as expected Contact your support personnel or package vendor
In your Application Event Log for both of these scenarios you will also see the following entry
Log Name Application
Source MsiInstaller
Date 6102010 83818 AM
Event ID 11722
Task Category None
Level Error
Keywords Classic
User ltUsernamegt
Computer ltMachine namegt
Description
Product Microsoft SQL Server 2008 R2 BPA -- Error 1722 There is a problem
with this Windows Installer package A program run as part of the setup did
not finish as expected Contact your support personnel or package
vendor Action EnablePSRemoting location powershellexe command -NoLogo
-NoProfile -Command Enable-PSRemoting ndashforce
Page 31
This is an indicator that PowerShell is not configured You must run the following command
powershellexe -NoLogo -NoProfile -Command Enable-PSRemoting ndashforce
572 Workgroup or Non-Domain computer
In this scenario the Enable-PSRemoting command should execute fine from a PowerShell prompt
The actual error coming back from the PowerShell command within the Installer is ldquoAccess Deniedrdquo
To work around this issue you can do the following
1 Open a command prompt with Administrative Privileges
2 Change to the directory where the msi file resides
3 Type msiexec i ltMSI Namegt SKIPCA=1
4 MSI Name will either be SQL2008R2BPA_Setup32msi or SQL2008R2BPA_Setup64msi
depending on your platform
5 Once BPA is installed open a PowerShell prompt with Administrative Privileges
6 Execute the following commands
a Enable-PSRemoting
b winrm set winrmconfigwinrs ``MaxShellsPerUser=`10``
This should allow BPA to be successfully installed in the workgroup scenario
573 Kerberos Failure
This scenario is that you are failing with the above due to a Kerberos issue This particular issue could
actually show up after you have installed BPA depending on how you have configured your
environment
The issue stems from the fact that the Windows Remoting Windows Service uses the Network Service
account Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos As a
result it will be using the HOST Service Principal Name (SPN) that is on the Machine Account as it is
running under that context You may have an HTTP SPN that resides on a different account with that
host name For example if you are running an IIS Web Application such as SharePoint or if you are
using Reporting Services and the service account is set to a Domain User account instead of Network
Service or Local System If your URL of your application matches the machine name then your HTTP
SPN will be the same Thatrsquos where this problem comes in WinRM will stop working at that point and
give you a message similar to the following
Set-WSManQuickConfig WinRM cannot process the request The following error
occured while using Negotiate authentication An unknown security error
occurred
Possible causes are
-The user name or password specified are invalid
-Kerberos is used when no authentication method and no user name are
specified
-Kerberos accepts domain user names but not local user names
-The Service Principal Name (SPN) for the remote computer name and port
does not exist
-The client and remote computers are in different domains and there is no
trust between the two domains
After checking for the above issues try the following
-Check the Event Viewer for events related to authentication
-Change the authentication method add the destination computer to the
WinRM TrustedHosts configuration setting or use HTTPS transport
Note that computers in the TrustedHosts list might not be authenticated
-For more information about WinRM configuration run the following
Page 32
command winrm help config
At line50 char33
+ Set-WSManQuickConfig ltltltlt -force
+ CategoryInfo InvalidOperation () [Set-WSManQuickConfig]
InvalidOperationException
+ FullyQualifiedErrorId
WsManErrorMicrosoftWSManManagementSetWSManQuickConfigCommand
You can get this type of error from WinRM for muliple reasons The one that
we saw in our testing was the HTTP SPN scenario
If you do have an HTTP SPN defined on a Domain Account that is using the name of your machine
you have some options First you can follow the steps mentioned above to get BPA installed The
Enable-PSRemoting command will give you the above error You can temporarily remove the HTTP
SPN to get remoting enabled and then re-add the HTTP SPN
Once BPA is setup you will still not be able to run BPA if you put the HTTP SPN back in place You will
see the following when you attempt to perform a scan
This will occur regardless of which component you try to scan It could be the Engine Setup RS etchellip
One option to perform the scan successfully is to temporarily remove the HTTP SPN again run the
scan and then put the HTTP SPN back in place Another option but one that will probably require
further testing from your applicationrsquos end would be to run the application under a Host Header and
then your HTTP SPN would not include the machine name allowing BPA to run without issue
Page 33
6 RULES
Searching for ldquoSQL Server 20087 R2 BPArdquo at Microsoftcom reveals
Here is an example of one of these articles that talks about a rule to check for a recent ldquocleanrdquo
CHECKDB
Page 34
BPA works by measuring a rolersquos compliance with best practice rules in eight different categories of a
rolersquos effectiveness trustworthiness and reliability Results of measurements can be any of the three
severity levels described in the following table
Severity level Description
Noncompliant Noncompliant results are returned when a role does not satisfy the conditions of a rule
Compliant Compliant results are returned when a role satisfies the conditions of a rule
Warning Warning results are returned when a role is compliant as operating currently but may not satisfy the conditions of a
rule if changes are not made to its configuration or policy settings For example a scan of Remote Desktop Services
might show a warning result if a license server is unavailable to the role because even if no remote connections are
active at the time of the scan not having the license server prevents new remote connections from obtaining valid
client access licenses
Page 35
BPA rule categories
The following table describes the categories of best practice rules against which roles are measured
during a BPA scan
Category Name Description
Security Security rules are applied to measure a rolersquos relative risk for exposure to threats such as unauthorized or malicious
users or loss or theft of confidential or proprietary data
Performance Performance rules are applied to measure a rolersquos ability to process requests and perform its prescribed duties in
the enterprise within expected periods of time given the rolersquos workload
Configuration Configuration rules are applied to identify role settings that might require modification for the role to perform
optimally Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role
from performing its prescribed duties in an enterprise
Policy Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the
role to operate optimally and securely
Operation Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise
Predeployment Predeployment rules are applied before an installed role is deployed in the enterprise to let administrators to
evaluate whether best practices were satisfied before you use the role in production
Postdeployment Postdeployment rules are applied after all required services have started for a role and the role is running in the
enterprise
BPA Prerequisites BPA Prerequisite rules explain configuration settings policy settings and features that are required for the role
before BPA can apply specific rules from other categories A prerequisite in scan results indicates that an incorrect
setting a missing role role service or feature an incorrectly enabled or disabled policy a registry key setting or
other configuration has prevented BPA from applying one or more rules during a scan A prerequisite result does
not imply compliance or noncompliance It means that a rule could not be applied and therefore is not part of the
scan results
61 Engine Rules
Please find below a summary of the 74 Engine Rules with the links to the rule descriptions These rules
are checking that you have a secure resilient and well performing SQL configuration
Authentication Mode (httpsupportmicrosoftcomkb2028697)
Lightweight Pooling is enabled (httpsupportmicrosoftcomkb2160691)
Locks Configuration Not Dynamic (httpsupportmicrosoftcomkb2199576)
non-default network packet size in use (httpsupportmicrosoftcomkb2157175)
degree of parallelism not set to recommended value (httpsupportmicrosoftcomkb2023536)
Use Database Mail instead of SQL Mail (httpsupportmicrosoftcomkb2028584)
SQL Server Agent Proxy Account (httpsupportmicrosoftcomkb2160741)
SQL Login Password Policy Strength and password expiry
(httpsupportmicrosoftcomkb2028712)
Trustworthy Bit (httpsupportmicrosoftcomkb2183687)
Symmetric Keys Check (httpsupportmicrosoftcomkb2162020)
Asymmetric Keys Check (httpsupportmicrosoftcomkb2162020)
SQL Server installed on PDC BDC (httpsupportmicrosoftcomkb2032911)
Page 36
SQL Server Admin role membership check (httpsupportmicrosoftcomkb2184138)
Windows API calls intercepted (httpsupportmicrosoftcomkb2033238)
unsupported DotNET framework assemblies present (httpsupportmicrosoftcomkb2033344)
Disk partition starting offset may be incorrect (httpsupportmicrosoftcomkb2023571)
non-default max worker threads value configured (httpsupportmicrosoftcomkb2157129)
Guest Permissions (httpsupportmicrosoftcomkb2186935)
Data and Log files on the same volume (httpsupportmicrosoftcomkb2033523)
IO timeouts and IO controller errors detected (httpsupportmicrosoftcomkb2091098)
IO device errors detected (httpsupportmicrosoftcomkb2091098)
IO errors during page faults detected (httpsupportmicrosoftcomkb2091098)
cluster disk corruption encountered (httpsupportmicrosoftcomkb2091098)
disk defragmentation encountered corruption (httpsupportmicrosoftcomkb2091098)
failed IO requests detected (httpsupportmicrosoftcomkb2091098)
IO requests are successful when retried (httpsupportmicrosoftcomkb2015757)
IO Delay Problems reported by SQL Server (httpsupportmicrosoftcomkb2137408)
This system experienced unexpected shutdowns (httpsupportmicrosoftcomkb2091098)
tempdb corruption errors fix missing (httpsupportmicrosoftcomkb960770)
Critical SQL database inconsistency errors found (httpsupportmicrosoftcomkb2152734)
Logical consistency errors detected (httpsupportmicrosoftcomkb2152472)
Database have auto shrink option enabled (httpsupportmicrosoftcomkb2160663)
SQL Server Error logs are very big (httpsupportmicrosoftcomkb2199578)
incorrect affinity mask settings detected httpsupportmicrosoftcomkb2157114
Very low blocked process threshold setting detected httpsupportmicrosoftcomkb2157154
Potential security issue with legacy DTS stored procedures
httpsupportmicrosoftcomkb2202875
Winsock LSP loaded into SQL httpsupportmicrosoftcomkb2033448
Databases using simple recovery model httpsupportmicrosoftcomkb2137539
User database collation different from model httpsupportmicrosoftcomkb2026108
Database files and backups exist on the same volume httpsupportmicrosoftcomkb2027537
Databases have auto close option enabled httpsupportmicrosoftcomkb2160685
LSI SAS drivers needs update httpsupportmicrosoftcomkb2121098
SQL tempdb database not configured optimally httpsupportmicrosoftcomkb2154845
SQL Database file has sparse attribute set httpsupportmicrosoftcomkb2028447
Invalid startup parameters httpsupportmicrosoftcomkb2028433
MSDTC settings not configured optimally httpsupportmicrosoftcomkb2027550
sql incorrect results fix missing httpsupportmicrosoftcomkb971780
File System needs tuning for better FileStream performance
httpsupportmicrosoftcomkb2160002
linked server memory leak fix missing httpsupportmicrosoftcomkb971622EN-US
Windows service pack is not at recommended level httpsupportmicrosoftcomkb2121098
default extended event health session not in expected state
httpsupportmicrosoftcomkb2160570
TcpSysAndChimneyCheck httpsupportmicrosoftcomKB918483
FDHOST Launcher service is not configured properly httpsupportmicrosoftcomkb2160720
Unrecommended SQL Server Agent service account httpsupportmicrosoftcomkb2160720
A required Windows fix to avoid sparse file related problems is missing
httpsupportmicrosoftcomkb2002606
Page 37
Significant Portion of SQL Server Memory Has Been Paged Out
httpsupportmicrosoftcomkb2028324
Server Exception or Hang Detected on Server httpsupportmicrosoftcomkb2028589
Databases exist without CHECKSUM protection httpsupportmicrosoftcomkb2078345
backups outdated for databases httpsupportmicrosoftcomkb2027537
Database consistency check not current httpsupportmicrosoftcomkb2033590
SQL Server Memory settings are incorrect httpsupportmicrosoftcomKB918483EN-US
Autogrow Failed or took a long time httpsupportmicrosoftcomkb2091024
Storport driver fix from KBA 940467 missing httpsupportmicrosoftcomkb2121098
Storport driver fix from KBA 950903 missing httpsupportmicrosoftcomkb2121098
SQLCLR needs additional memory configuration httpsupportmicrosoftcomkb969962EN-US
Operating System files and drivers needs update for working set trimming
httpsupportmicrosoftcomkb2121098
Agent Token Replacement httpsupportmicrosoftcomkb2202637
Auditing Log in failures httpsupportmicrosoftcomkb2187161
Databases with high number of VLF present httpsupportmicrosoftcomkb2028436
Transparent Data Encryption Certificate httpsupportmicrosoftcomkb2201900
Permission on the Binn folder httpsupportmicrosoftcomkb2029023
Index Statistics Are Outdated
Server public permissions httpsupportmicrosoftcomkb2160698
Detected use of older versions of SQLNCLI httpsupportmicrosoftcomkb979779
62 AS Rules
Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions
Flight Recorder Enabled for SQL Server Analysis Services
httpsupportmicrosoftcomkb2128005
Excessive amount of memory preallocated to Analysis Services
httpsupportmicrosoftcomkb2027474
Server not configured for optimal concurrent query throughput
httpsupportmicrosoftcomkb2135031
Non standard value detected for Analysis Services memory configuration
httpsupportmicrosoftcomkb2027472
Process Thread Pool Max limit above recommended limit
httpsupportmicrosoftcomkb2134497
Process Thread Pool Minimum is below the recommended limit
httpsupportmicrosoftcomkb2134855
Server is running a build with a known regression httpsupportmicrosoftcomkb2157941
Slice not set on a ROLAP partition or a partition where proactive caching is enabled and
ROLAP storage ay occur httpsupportmicrosoftcomkb2027754
Server is ignoring duplicate key errors httpsupportmicrosoftcomkb2027761
No default member defined for non-aggregatable attribute
httpsupportmicrosoftcomkb2027769
UnknownMember set to hidden httpsupportmicrosoftcomkb2027628
Non-numeric key column for high cardinality attribute httpsupportmicrosoftcomkb2028138
Attribute hiearchy enabled for high cardinality non-key attribute
httpsupportmicrosoftcomkb2028143
ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition
detected httpsupportmicrosoftcomkb2132742
Page 38
Account or Time attribute types defined in a non-matching dimension type
httpsupportmicrosoftcomkb2157299
An Account or Time dimension has no matching attribute defined
httpsupportmicrosoftcomkb2027418
Dimension has no attribute defined with the same type
httpsupportmicrosoftcomkb2027443
Attribute Dimension type mismatch httpsupportmicrosoftcomkb2157327
Mismatched dimension attribute types detected in dimension
httpsupportmicrosoftcomkb2027459
Possible incorrect order of levels defined in hierarchy httpsupportmicrosoftcomkb2027460
Define attribute relationships as Rigid where possible httpsupportmicrosoftcomkb2027468
Redundant attribute relationships detected httpsupportmicrosoftcomkb2127437
Diamond-shape relationship detected httpsupportmicrosoftcomkb2127570
Non-Standard Attribute Relationship name detected httpsupportmicrosoftcomkb2127862
Proactive Caching set for dimension without a processing query
httpsupportmicrosoftcomkb2027541
No Time dimension detected httpsupportmicrosoftcomkb2027532
More than 3 parent-child dimensions with custom rollups defined
httpsupportmicrosoftcomkb2134431
Encountered a parent-child dimension with more than 500000 members
httpsupportmicrosoftcomkb2131918
Single attribute dimensions detected httpsupportmicrosoftcomkb2141654
Measure groups with zero dimensional overlap detected in cube
httpsupportmicrosoftcomkb2027609
Proactive Caching set for a partition without a processing query
Default measure for perspective not in the perspective
httpsupportmicrosoftcomkb2027603
Use MOLAP storage for dimensions that participate in semi-additive measure groups
httpsupportmicrosoftcomkb2135112
Measure group defined with no partition httpsupportmicrosoftcomkb2027545
63 RS Rules
RSWindowsNegotiate is missing from your configuration
httpsupportmicrosoftcomkb2145506
HTTP Logging is not enabled httpsupportmicrosoftcomkb2145909
Verbose logging is enabled httpsupportmicrosoftcomkb2146315
NTLM authentication may fail for local httpsupportmicrosoftcomkb2146369
Missing extended protection settings httpsupportmicrosoftcomkb2146062
64 IS Rules
Logging task missing for package httpsupportmicrosoftcomkb2027723
ActiveX Script task detected in package httpsupportmicrosoftcomkb2027712
Unrecommended Integration Services service account detected
httpsupportmicrosoftcomkb2027684
Integration Services logging table found in system database master and or msdb
httpsupportmicrosoftcomkb2027706
Integration Services memory dump detected httpsupportmicrosoftcomkb2027727
Page 39
65 Setup Rules
Unsupported Operating System Version Detected httpsupportmicrosoftcomkb2022909
WOW64 not supported for SQL Failover Clustering httpsupportmicrosoftcomkb2157198
Installer cache is missing for the SQL Installation httpsupportmicrosoftcomkb2015100
SQL Server WMI Provider Health Check
66 Replication Rules
Replication Timeout Alerts Type httpsupportmicrosoftcomkb2118349
Replication Pub and Sub out of sync (Data Validation) httpsupportmicrosoftcomkb2118386
Replication Pub and Sub out of sync (Constraint Violations)
httpsupportmicrosoftcomkb2118410
Replication Pub and Sub out of sync (Skipped Transactions)
httpsupportmicrosoftcomkb2194498
Merge Replication Health Check httpsupportmicrosoftcomkb2118445
Subscriptions Approaching Expiration httpgomicrosoftcomfwlinkLinkId=184483
Replication Cleanup and Retention Health Check httpsupportmicrosoftcomkb2118485
Replication Latency Threshold violations httpsupportmicrosoftcomkb2118425
Page 40
7 HOW TO DEAL WITH DEVIATIONS
Deviations from these Best Practices may indicate potential issues and configuration changes may be
necessary Make sure you have tested any intended changes in a test environment before deploying
them to a production environment You could also find deviations from Best Practices that are
acceptable or even necessary for your environment For example
SAP has its special Network Packet Size of 8 KB
Existing Non-Microsoft Clients ndash would require Mixed Mode Authentication
Page 41
8 MOTIVATION TO USE SQL BPA R2
Bob Ward explained in his Article ldquoWhy use SQL Server 2008 R2 BPA Case 1 Missing Updatesrdquo
the common pitfalls during maintenance and operation of SQL Server and how address them by using
the SQL BPA
In brief itrsquos a customer scenario where the customer is facing an issue after a major update to
SQL2008 After some troubleshooting and an update to a certain CU (that is meant to fix the issue) the
problem still occurs Bobs article states the common resulting consequences ndash the involvement of
Microsoft Support and the final solution ndash adding a needed traceflag
The good news in this story is that the customer would not have needed to go to all that effort if they
would have run the SQL BPA It would have told them about the update and instructed them to put the
traceflag in place BPA is a mechanism that proactively advises you and instructs you on dealing with
common known issues
Page 42
9 ADDITIONAL INFORMATION
91 PowerShell
To use the functionality of the Baseline Configuration Analyzer with PowerShell you must import this
module first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
The following commands are stored in this module
Get-MbcaModel
Get-MbcaResult
Invoke-MbcaModel
Set-MbcaResult
You get help of this command with the following syntax
Get-help ltcommandgt -full
911 Get-MBCAModel
SYNOPSIS
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer
SYNTAX
Get-MBCAModel [[-ModelId] ltstring[]gt] [[-SubModelId] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer If no parameter is
specified Get-MBCAModel returns all models that are installed on the computer If a model is specified
by using the -ModelId parameter information about the specified model is returned
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
The results of the Get-MBCAModel cmdlet include the following details about models
1 Branding information (manufacturer or company display names version number) that is found in
the model manifest
2 Dynamic parameters that are included with the model
3 Submodels that are included with the model
PARAMETERS
-ModelId ltstring[]gt
The -ModelId parameter specifies the ID of the MBCA model about which you want to view
details You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet with no parameters and targeted at a computer on which MBCA models are installed
Page 43
This parameter supports wild card characters
Required false
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you
want to view details You can obtain valid values for the -SubModelId parameter by running the
Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models
are installed Not all models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
Examples
Get-MBCAModel
In the preceding example Get-MBCAModel with no parameters added returns details about all MBCA
models that are installed on the computer
Get-MBCAModel -ModelId SQL2008R2BPA
The preceding example can be used to return details about the MBCA model that is specified in the -
ModelId parameter represented by Model Id
$model= Get-MBCAModel -ModelId SQL2008R2BPA
$modelParameters
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the Parameters property of the model details that were stored in the
$model object returns details about which parameters are supported by the model
Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId ltSubModel Idgt
The preceding example can be used to return details about the MBCA sub-model that is specified by
the -SubModelId parameter represented by SubModel Id Note that the -ModelId parameter is
required by the -SubModelId parameter
$model= Get-MBCAModel -ModelId SQL2008R2BPA
Page 44
$modelSubModels
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the SubModels property of the model details that were stored in the
$model object returns a list of the submodels of the model specified in the first line
912 Invoke-MBCAModel
SYNOPSIS
The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA)
scan for a specific model that is installed on your computer
SYNTAX
Invoke-MBCAModel [-ModelId] ltstringgt -SubModelId ltstringgt [-Authentication
ltAuthenticationMechanismgt] [-CertificateThumbprint ltstringgt] [-ComputerName
ltstring[]gt] [-ConfigurationName ltstringgt] [-Context ltstringgt] [-Credential
ltstringgt] [-Mode ltModeEnumgt] [-Port ltintgt] [-RepositoryPath ltstringgt] [-
ThrottleLimit ltintgt] [-UseSSL] [ltCommonParametersgt]
DESCRIPTION
The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer
(MBCA) scan for a specific model that is installed on your computer The model is specified either by
using the parameter -ModelId or by piping the results of the Get-MBCAModel cmdlet into an Invoke-
MBCAMode cmdlet
After the MBCA scan has been performed the results of the scan are available to be retrieved by Get-
MBCAResult cmdlet
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Authentication ltAuthenticationMechanismgt
Specifies the authentication mechanism that is used to authenticate the users credentials Valid
values include Default Basic CredSSP Digest Kerberos Negotiate and
NegotiateWithImplicitCredential The default value is Default
For more information about the -Authentication parameter type the following and then press
Enter
Get-Help Invoke-Command -Parameter Authentication
Required false
Position named
Default value Default
Accept pipeline input false
Accept wildcard characters false
-CertificateThumbprint ltstringgt
Page 45
Specifies the digital public key certificate (X509) of a user account that has rights to perform the
cmdlet action The valid value is the certificate thumbprint of the certificate
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Certificate Thumbprint
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific
computer by adding this parameter Valid values include NETBOS names IP addresses or fully-
qualified domain names of one or more computers in a comma-separated list To specify the local
computer type the computer name or localhost
All formats that are accepted by the -ComputerName parameter in Invoke-Command are
accepted
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ConfigurationName ltstringgt
Specifies the session configuration that is used for a new PSSession
Enter a configuration name or the fully-qualified resource URI for a session configuration
Session configuration data is found on the remote computer on which you want to run a cmdlet
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ConfigurationName
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
The -Context parameter lets you run scans on a submodel in the context of a specific model (one
that is different from the parent model of the submodel) For example an administrator might
want to run a scan on the Backend submodel of the SQL model but only those in the context
of a third model a technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
Page 46
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Credential ltstringgt
Specifies a user account that has permission to run this cmdlet The default value is the current
user
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Credential
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Mode ltModeEnumgt
The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered
documents or discovery The default is to perform both discovery and analysis or All
If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet both discovery and
analysis are performed during a scan
Valid values are Discovery Analysis and All
Required false
Position named
Default value All
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model that you want to scan You can
obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at
a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
Page 47
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-Port ltintgt
Specifies the network port on a remote computer on which you want to run a scan The default
value is port 80
For more information on this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Port
Required false
Position named
Default value 80
Accept pipeline input false
Accept wildcard characters false
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a pathname If the parameter is not used the cmdlet writes
results to the default result repository
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to
scan You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed Not all models have
submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ThrottleLimit ltintgt
Specifies the maximum number of concurrent connections that can be established to run the
cmdlet If you omit this parameter or enter a value of 0 the default value of 32 is used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ThrottleLimit
Required false
Page 48
Position named
Default value 32
Accept pipeline input false
Accept wildcard characters false
-UseSSL [ltSwitchParametergt]
Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer
By default SSL is not used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter UseSSL
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceInvokeBpaModelOutputgt
The output object encapsulates the results of the cmdlet that you entered It contains information such
as the MBCA model ID the success or failure of the cmdlet and other details
NOTES
If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C)
before the temporary results file is copied to its final location the temporary file is discarded and any
previous scan results file for the role are preserved The message Processing of Invoke-MBCAModel
cancelled by user is displayed if the command is cancelled before existing scan results files are
overwritten
If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel
cmdlet and the command is cancelled scans that were completed before the cancel command was
entered cannot be cancelled A scan in progress behaves as described above in the single-model scan
cancellation scenario Subsequent scans in the pipeline are cancelled
If a concurrent scan of the same model is attempted the cmdlet returns the following error message
Another scan for this MBCA model is in progress Only one scan is allowed at a time
-------------------------- EXAMPLE 1 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA
Description
The preceding example starts a MBCA scan on the model that is represented by ltModel Idgt
-------------------------- EXAMPLE 2 --------------------------
Page 49
Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name
redmondmicrosoftcom
Description
The preceding example starts an MBCA scan on the model ID that is specified by Model Id
The administrator starts the MBCA scan with additional model-specific parameters that are exposed by
the model (For an example of how to obtain model-specific parameters see the examples for the Get-
MBCAModel cmdlet)
For example to scan a model that requires model-specific parameters (such as -Scope and -Name) to
be passed to the command the administrator can specify the values of these model-specific
parameters with the Invoke-MBCAModel cmdlet
-------------------------- EXAMPLE 3 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The
cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion
of the scan
-------------------------- EXAMPLE 4 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath
ltRepository Pathgt
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The -
Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on
existing documents that are specified in the non-default repository path provided with the -Repository
Path parameter
-------------------------- EXAMPLE 5 --------------------------
Invoke-MBCAModel -Id ltModel Idgt -SubModelId ltSubModel Idgt -ComputerName
ltServergt -Context ltContext Model Idgt -RepositoryPath ltRespository Pathgt -
AsJob -Authentication ltAuthenticatonMechanismgt -Port ltPort Numbergt -UseSSL -
ThrottleLimit ltThrottle Limitgt
Description
The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id
and on the computer that is represented by Server
Because the administrator only wants to see results from the submodel that apply in the context of a
third model the administrator runs the scan within the context of the model ID that is specified in the -
Context parameter The cmdlet results are saved to the non-default repository path that is specified in
the -RepositoryPath parameter
Because the -AsJob parameter is added the scan runs in the background The -AsJob -
Authentication -Port -UseSSL and -ThrottleLimit parameters are passed through for use by the
Invoke-Command cmdlet to perform discovery on a remote computer For more information about
these parameters see the Help for the Invoke-Command cmdlet available in Windows PowerShell V2
913 Get-MBCAResult
SYNOPSIS
Page 50
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
SYNTAX
Get-MBCAResult [-ModelId] ltstringgt [[-CollectedConfiguration]] -SubModelId
ltstringgt [-ComputerName ltstring[]gt] [-Context ltstringgt] [-Filter
ltFilterEnumgt] [-RepositoryPath ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
To use the command add the -ModelId parameter and then specify the model ID for which you want
to view the most recent MBCA scan results or collected configuration data If you want to retrieve the
configuration data collected add the -CollectedConfiguration switch parameter
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-CollectedConfiguration [ltSwitchParametergt]
The -CollectedConfiguration parameter allows you to obtain the configuration data that was
collected for the most recent MBCA scan If this switch parameter is added to Get-MBCAResults
the cmdlet returns only the configuration data that was collected for a scan
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The -ComputerName parameter lets you obtain scan results that were collected for the most
recent MBCA scan of a submodel on a specific computer To specify the local computer type the
computer name or localhost Multiple values for -ComputerName can be separated by
commas
The -SubModelId parameter is required by the -ComputerName parameter
Valid values for the -ComputerName parameter include localhost a NET BIOS name an IP
address or a fully-qualified domain name (FQDN) of one or more computers in a comma-
separated list
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
Page 51
The -Context parameter lets you obtain scan results that were collected for the most recent
MBCA scan of a submodel in the context of a specific model (one that is different from the parent
model of the submodel) For example an administrator might want to display scan results for the
Backend submodel of the SQL model but only those in the context of a third model a
technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Filter ltFilterEnumgt
The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant
Noncompliant or All results Valid values are Noncompliant Compliant or All The default value
is All
The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan
results You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet obtains
results from the default result repository
Required false
Position named
Page 52
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you
want to view scan results You can obtain valid values for the -SubModelId parameter by running
the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed Not all
models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceResultgt OR
SystemXmlXmlDocument (if -CollectedData specified)
If you do not use the -CollectedConfiguration parameter verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Results
2 Attempting to get MBCA results for Model Id = 0
3 Completed getting MBCA results for Model Id = 0 Number of Results = 1
If you add the -CollectedConfiguration parameter to display configuration data that was used for a
scan verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Configuration Data
2 Attempting to get MBCA collected configuration data for Model Id = 0
3 Completed getting MBCA collected configuration data for Model Id = 0
NOTES
The Get-MBCAResult cmdlet must be run by a member of the Administrators group and it does not
start a new scan
Cancellation behaviour
Single Model - To cancel this cmdlet you must press Ctrl+C before the ResultCollection is displayed
on the console The operation is cancelled and results are not displayed on the console
Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models
the cmdlet generates only those results that were displayed on the console before the cancellation
Any subsequent results in the pipeline are cancelled and not displayed
Page 53
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -Id SQL2008R2BPA
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id
-------------------------- EXAMPLE 2 --------------------------
Get-MBCAModel | Get-MBCAResult
In the preceding example Get-MBCAModel is used to return a list of all MBCA models that are
installed on the computer The results of the Get-MBCAModel cmdlet are piped to the Get-
MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both
supported by MBCA and installed on the computer at which the cmdlet is targeted
-------------------------- EXAMPLE 3 --------------------------
$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$resultDiscoveryDocument
Description
In the preceding example configuration data (in XML form) that was collected during the most recent
Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is
retrieved and stored as a property in the variable $result $resultDiscoveryDocument is of type
SystemXmlXmlDocument
-------------------------- EXAMPLE 4 --------------------------
Get-MBCAResult SQL2008R2BPA -Filter Noncompliant
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id and then applies a filter to show only Noncompliant
results
------------------------- EXAMPLE 5 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId Note that the parent model ID must be specified
to use the -SubModelId parameter
------------------------- EXAMPLE 6 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt -ComputerName ltServergt
-Context ltContext Model Idgt -RepositoryPath ltRepository Pathgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId The parent model ID is provided as required by
the -SubModelID parameter
The -Context parameter indicates that the administrator wants to see only those scan results that are in
the context of the model that is represented by Context Model Id for example only those results from
a SQL Server scan that specifically apply to another technology such as Web Server (IIS)
Page 54
The scan results are further narrowed to only those from a computer that is specified in the -
ComputerName parameter as Server and only those results found in the non-default results
repository that is represented by Repository Path
914 Set-MBCAResult
SYNOPSIS
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
SYNTAX
Set-MBCAResult [[-Exclude] ltBooleangt] [-Results] ltResultgtgt [[-
RepostitoryPath] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
The action specified in the cmdlet (Exclude for example) determines how the existing results of an
MBCA scan are updated Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet
to return a collection of scan results
You can apply filters to results that are returned by the Get-MBCAResult cmdlet and then pipe the
filtered collection of results to the Set-MBCAResult cmdlet specifying either to include or exclude
filtered scan results
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Exclude ltBooleangt
Excludes scan results from the results collection that were previously obtained by the Get-
MBCAResult command To exclude results by using the -Exclude parameter add the value $true
following the parameter as shown
-Exclude $true
To include results that have been excluded use the $false value for the -Exclude parameter
Required false
Position 2
Default value
Accept pipeline input false
Accept wildcard characters false
-RepostitoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet
modifies results from the default result repository
Required false
Page 55
Position 4
Default value
Accept pipeline input false
Accept wildcard characters false
-Results ltResultgtgt
Specifies the result collection to be updated by the Set-MBCAResult cmdlet The -Results
parameter is typically used to specify a filtered subset of scan results that has already been
stored in a variable the variable name is provided as the valid value for the -Results parameter
For example if you have created a variable $allPerformance to store all the Performance
category results for an MBCA scan of all models on a computer and you want to exclude those
Performance results from the complete collection of scan results you add the parameter -Results
$all Performance to a Set-MBCAResult cmdlet
For a more detailed example see the Examples section of the Help for this cmdlet
Required true
Position 3
Default value
Accept pipeline input true (ByValue)
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type ldquoget-
help about_commonparameters
NOTES
If the Set-MBCAResult command is cancelled before the results are written to a file the operation is
cancelled and the results file is not modified If cancellation occurs after the results file has been
modified the commands actions are carried out and the command cannot be cancelled
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -ModelId SQL2008R2BPA | Where $_Category -eq
Performance | Set-MBCAResult -Exclude $true
Description
The first section of the preceding example to the left of the first pipe character (|) uses the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is
represented by Model Id
The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those
scan results for which the category name is equal to Performance
The final section of the example following the second pipe character excludes the Performance
results that were filtered by the previous section of the example
-------------------------- EXAMPLE 2 --------------------------
$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath
CReposPath | Where $_Category -eq Policy
Page 56
Set-MBCAResult -Exclude $true -RepositoryPath CReposPath -Results
$rcPolicy
Description
The first line of the preceding example to the left of the pipe character (|) instructs the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is
represented by Specified Model Id from the specified non-default repository path
The second section of the example after the pipe character filters the results of the Get-MBCAResult
cmdlet to return only those scan results for which the category name is equal to (note the -eq option)
Policy The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet this
variable can be used in subsequent commands to represent those results
The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that
are stored in the $rcPolicy variable In this example the -Results parameter is added because the
administrator wants to exclude a specific subset of scan results for that model and has created the
variable $rcPolicy to represent that subset of results The repository root is specified in the second line
because the administrator wants to modify the results in the same non-default repository from which
the data in $rcPolicy was retrieved
915 MBCA Model Authoring
Further information about configuration and usage of MBCA models you can in the
MBCA_ModelAuthoringGuidedocx
Page 57
Did this paper help you Please give us your feedback Tell us on a scale of 1 (poor) to 5 (excellent)
how would you rate this paper and why have you given it this rating For example
Are you rating it high due to having good examples excellent screen shots clear writing or
another reason
Are you rating it low due to poor examples fuzzy screen shots or unclear writing
This feedback will help us improve the quality of white papers we release
Send feedback
Page 18
3 On the MBCA home page ensure the SQL Server 2008 R2 BPArdquo product is selected
4 Click Start Scan which displays a page to specify parameters as shown below
5 Fill in Alternate_Server_to_Scan with the remote machine you want to scan
ComputerName
IP address nnnn
FQDN (Fully Qualified Domain Name)
Enter ldquordquo localhost or leave this blank if you want to scan the local machine
Page 19
Enter the instance name you want to scan To scan the default instance enter MSSQLSERVER
or leave this as blank Toggle the checkboxes to enabledisable scans for those rule categories
Each of the following six check boxes correspond to the SQL Server categories listed previously
Select at least one category in order to run a successful scan
Analyze_SQL_Analysis_Services
Analyze_SQL_Server_Engine
Analyze_SQL_Integration_Services
Analyze_SQL_Server_Replication
Analyze_SQL_Reporting_Services
Analyze_SQL_Server_Setup
Note Only one SQL Server instance can be scanned at a time through the MBCA GUI
6 Click Start Scan MBCA will start the configured scan and display the below page while in
progress
7 When the scan is complete results will be displayed grouped by Severity as shown below
Page 20
43 Connect to a remote computer
A scan connected to a remote computer is different than scanning an alternate server
ldquoConnect to a Remote Computerrdquo is functionality provided by Microsoft Baseline Configuration Analyzer
and is used to remotely run MBCA against a server from the console of the client The client needs to
have MBCA installed but does not need BPA as it is literally running the copy of MBCA installed on the
server using the BPA installed on the server In this case the copy of MBCA installed on the client is
used only to remotely connect to the copy of MBCA installed on the server
To use this functionality you first start MBCA on the client computer and select ldquoConnect to Another
Computerrdquo
1 In the ldquoConnect to Another Computerrdquo text box you can specify a NetBIOS name a fully qualified
domain name (FQDN) or an IPv4 or IPv6 address If no port number is specified the default port
number is used The following are examples of formats that you can specify in the Connect to
Another Computer text box
ComputerName
Page 21
ComputerNamePortNumber
IP address nnnn
IPv6 address [nnnnnnnn]
IPv4 address with port number nnnnPortNumber
IPv6 address with port number [nnnnnnnn]PortNumber
Note If an administrator has changed the computerrsquos default port number any port other than the
default port must be opened in Windows Firewall to allow incoming connections on that port Port
5985 is opened by default when WinRM is configured All other ports remain blocked until opened
For more information about how to unblock a port in Windows Firewall see the Help for Windows
Firewall For more information about how to configure WinRM in a Command Prompt session type
winrm help and then press Enter
2 Additionally you must supply credentials
3 CredSSP
Windows Remote Management (WinRM) supports the delegation of user credentials across
multiple remote computers The multi-hop support functionality can now use Credential Security
Service Provider (CredSSP) for authentication CredSSP enables an application to delegate the
userrsquos credentials from the client computer to the target server
CredSSP authentication is intended for environments where Kerberos delegation cannot be used
Support for CredSSP was added to allow a user to connect to a remote server and have the ability
to access a second-hop machine such as a file share
Note WinRM clients and servers will support CredSSP authentication only with explicit credentials
Windows XP Windows Server 2003 and earlier CredSSP is not supported
First you must set CredSSP on both the client and the server
Using the Group Policy Editor (gpeditmsc) make sure to enable ldquoAllow Delegating Fresh
Credentialsrdquo and check ldquoConcatenate OS defaults with input aboverdquo
Add the server or domain to the list of servers in the format ldquoWSMANdomainnamecomrdquo
Next enable and configure PowerShell Remoting on both the Client and Server by running the
following commands in a PowerShell command window opened with elevated permissions Note
Page 22
You can configure a single machine as both a client and a server simultaneously so that you can
scan from either computer
Enable PowerShell Remoting
o Enable-psremoting ndashf
Settings for a client
o Enable-WSManCredSSP ndashrole Client ndashDelegateComputer [NetBiosNameOfServer]
or
o Enable-WSManCredSSP ndashrole Client ndashDelegateComputer [FQDN OF SERVER]
Settings for the server
o Enable-WSManCredSSP ndashrole Server
o set-item WSManlocalhostShellMaxMemoryPerShellMB ndashValue 20000
o set-item WSManlocalhostShellMaxShellsPerUser ndashvalue 20
44 PowerShell
Details see 91 PowerShell
To use the functionality of the Microsoft Baseline Configuration Analyzer you must import this module
first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
441 Run Scan
To run a full scan of the BPA on the alternate server on a named instance you can use the following
command line
Invoke-MBCAModel -ModelId SQL2008R2BPA -Alternate_Server_to_scan
servername -SQL_Server_Instance_Name instancename -
Analyze_SQL_Server_Engine -Analyze_SQL_Server_Replication -
Page 23
Analyze_SQL_Server_Setup -Analyze_SQL_Analysis_Services -
Analyze_SQL_Integration_Services -Analyze_SQL_Reporting_Services
The result looks like this part
ModelId SQL2008R2BPA
SubModelId
Success True
ScanTime
Success = True is important This is the indicator that your scan was successful
Parameter description
-Alternate_Server_to_scan servername
-SQL_Server_Instance_Name instancename
-Analyze_SQL_Server_Engine
-Analyze_SQL_Server_Replication
-Analyze_SQL_Server_Setup
-Analyze_SQL_Analysis_Services
-Analyze_SQL_Integration_Services
-Analyze_SQL_Reporting_Services
The parameter list is equal the parameter screen in the GUI
The scans of the different services are optional You can remove technologies which you do not need
to scan
The next example starts the scan only for the Analysis Services on the alternate server ldquoservernamerdquo
and for the named instance ldquoinstancerdquo A log file will be written to ldquoctempssastxtrdquo
Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId AnalysisServices -
ComputerName servername -SqlServerInstance instance -SSASLogFile
ctempssastxt
Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId Engine -ComputerName
computername -SqlServerInstance servername -CurrentLoginName
($EnvUSERDOMAIN + + $EnvUSERNAME)ToString() -EngineLogFile
ctempenginetxt ndashRepositoryPath (CTEMPSQL2008 + (Get-
Date)ToString(yyyyMMdd))ToString()
442 Create Report
model = get-MbcaModel ndashModelId sql2008r2bpa
$scanResult = get-MbcaResult ndashModelId sql2008r2bpa
$collectedConfig = get-MbcaResult ndashModelId sql2008r2bpa ndash
CollectedConfiguration
$model $scanResult $collectedConfig | export-CliXml ctempasxml
Get-MBCAResult -ModelId SQL2008R2BPA -SubModelId AnalysisServices |
ConvertTo-Html | Add-Content -Path ctesthtml
The next command retrieves the results of the most recent BPA scan for the specified model and
saves them in HTML format applying the standard cascading style sheets that are stored in the path
windirsystem32WindowsPowerShellv10ModulesBestPracticesBestPracticesReportFormatc
Page 24
ss If you want to substitute cascading style sheets provide the path to the different cascading style
sheets
Get-MBCAResult -ModelId SQL2008R2BPA | $_Severity -eq Warning -or
$_Severity -eq Error | ConvertTo-Html -As Table -property ResultNumber
SubModelID ComputerName Severity Category Title Problem Impact
Resolution Help -Head lth1gtSQL Server 2008 (R2) Best Practice Analyzer
Reportlth1gtrdquo -Title SQL Server 2008 Best Practice Analyzer -body
(ltpgtReport creation date + (Get-Date)ToString(ddMMyyyy hhmmss) +
ltpgt)toString() -pre ltPgtGenerated by user $envusername on computer
$envcomputernameltPgt -post For details contact Microsoft Premier-
CssUri $env BestPracticesReportFormatcss gt ctempsql2008r2bpahtm
443 Exporting and opening reports by using Get-MBCAResult
You can use the Get-MBCAResult cmdlet to export scan results and configuration data to an XML
report that you can open for viewing in the future either by using Get-MBCAResult or by using the
MBCA GUI Exporting reports allows you to compare older scans with more recent scans to measure
the progress of your best practice compliance
Example of exporting to XML
$results = Get-MBCAResult ltModel Idgt
$collectedconfig = Get-MBCAResult ltModel Idgt -CollectedConfiguration
$results $collectedconfig | Export-CliXml cexportxml
Example of opening archived XML report file
$loadedResults $loadedConfiguration = Import-CliXml cexportxml
444 Report Result Directory
The reporting result path
AppDataMicrosoftBaselineConfigurationAnalyzer
2ReportsSQL2008R2BPAResults
Will be overwritten during each run of the tool or invoke command
Solution save older results before you start the check
copy-item -path ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2Reports)ToString() -
destination ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2Reports_ + (Get-
Date)ToString(yyyyMMddhhmmss))ToString() ndashrecurse
Afterwards you can create a report with the following command
$prevrepPath = (Get-ChildItem ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2)ToString() -exclude
Reports | Sort-Object name -descending)[0]
Get-MBCAResult -ModelId SQL2008R2BPA ndashRepositoryPath ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2rdquo +
$prevrepPathname)ToString() | ConvertTo-Html -As Table -property
ResultNumberSubModelID ComputerName Severity Category Title Problem
Impact Resolution Help -Head lth1gtSQL Server 2008 (R2) Best Practice
Analyzer Reportlth1gtrdquo -Title SQL Server 2008 Best Practice Analyzer -body
(ltpgtReport creation date + (Get-Date)ToString(ddMMyyyy hhmmss) +
ltpgt)toString() -pre ltPgtGenerated by user $envusername on computer
Page 25
$envcomputernameltPgt -post For details contact Microsoft Premier gt
ctempsql2008r2bpahtm
Page 26
5 TROUBLESHOOTING
51 Application directories
To following directories are used by MBCA
Report output directory localappdataMicrosoftMicrosoftBaselineConfigurationAnalyzer 2ReportsSQL2008R2BPAResults
Model configuration path ProgramdataMicrosoftMicrosoft Baseline Configuration Analyzer 2ModelsSQL2008R2BPA
Temp and log files directory tempSQL2008R2BPASQL2008ltdategt_lttimegt
Registry [HKEY_LOCAL_MACHINESOFTWAREMicrosoftBaselineConfigurationAnalyzer]
Log Files
During Data Discovery SQL Server 2008 R2 BPA creates log files for troubleshooting The log file
contains the following information
Pre-requisite validation
Timestamp finished rules start and end times
Run-time scripting errors and exceptions from Power Shell Traps
Log Files Location
For every scan log files are created in userrsquos Local Temp directory (Temp) and follows the folder
structure SQL2008R2BPAlt Instance Name gtlt datestamp_timestamp gtlt Log files gt
Note In case of a remote scan the category log files are generated on the remote system at the same
path whereas the common log file is generated in the local system
Log Files Structure
A common log file gets generated and contains information about each categorys execution Apart
from this each category has its own log file which details the rule execution The names of the log files
are given below
Common File - ModelLogtxt
Engine Rules - EngineLogtxt
Replication Rules - ReplicationLogtxt
Setup Rules - SetupLogtxt
Analysis Services Rules - AnalysisServicesLogtxt
Reporting Services Rules - ReportingServicesLogtxt
Integration Services Rules - IntegrationServicesLogtxt
52 Windows Server 2003 ndash NumberOfLogicalProcessors
Analysis Services RID2803 and RID2804 ndash NumberOfLogicalProcessors property is unavailable in
Win32_Processor for with Windows Server 2003
Solution The NumberOfLogicalProcessors property does not exist in the WIN32_PROCESSOR object
in Windows Server 2003 It has been implemented in the hotfix
httpsupportmicrosoftcomkb932370
Both of the rules below will function properly if you apply this hotfix For more information look here
Page 27
53 MBCA
This message indicates that on prerequisite is not installed
Please install the version 2 of the MBCA
54 Where can I find the Instance name in result set of the analyzer
report
The instance name is in the collected data option of the analyzer report in the BPA GUI
55 Memory limit of remote PowerShell process
By default remote PowerShell process can consume only 150 MB or less memory This default limit is
significantly small and once this limit is reached there could be a WinRM exception causing and remote
connection immediately terminates Any application or Cmdlet which is involved in PowerShell
remoting should be tested for this memory limit this may cause some of the command to fail for
example site collection creation
Solution Increase the memory limit for the remote shell Use the following command to increase this
limitation to 1000MB This is only necessary if you need to run those commands on that server
Set-Item WSManlocalhostShellMaxMemoryPerShellMB 1000
56 Remote connect
If you try to ldquoConnect to another computerrdquo from MBCA and you receive the following message
Page 28
You should check first if the Hotfix KB968930 is installed
Afterwards validate that the ldquoWindows Remote Managementrdquo service is started
Enable-PSRemoting
If CredSSP is unsupported or unavailable you will see the following message
Page 29
If you have no permission to access the remote server you get the error message
Page 30
57 Installation
571 PowerShell error
After getting through the Pre-Reqs for BPA (PowerShell 20 MBCA NET Framework) you may hit
one of two scenarios when installing BPA
In all of the cases of an install failure you will see the following error
There is a problem with this Windows Installer package A program run as part of the setup did not
finish as expected Contact your support personnel or package vendor
In your Application Event Log for both of these scenarios you will also see the following entry
Log Name Application
Source MsiInstaller
Date 6102010 83818 AM
Event ID 11722
Task Category None
Level Error
Keywords Classic
User ltUsernamegt
Computer ltMachine namegt
Description
Product Microsoft SQL Server 2008 R2 BPA -- Error 1722 There is a problem
with this Windows Installer package A program run as part of the setup did
not finish as expected Contact your support personnel or package
vendor Action EnablePSRemoting location powershellexe command -NoLogo
-NoProfile -Command Enable-PSRemoting ndashforce
Page 31
This is an indicator that PowerShell is not configured You must run the following command
powershellexe -NoLogo -NoProfile -Command Enable-PSRemoting ndashforce
572 Workgroup or Non-Domain computer
In this scenario the Enable-PSRemoting command should execute fine from a PowerShell prompt
The actual error coming back from the PowerShell command within the Installer is ldquoAccess Deniedrdquo
To work around this issue you can do the following
1 Open a command prompt with Administrative Privileges
2 Change to the directory where the msi file resides
3 Type msiexec i ltMSI Namegt SKIPCA=1
4 MSI Name will either be SQL2008R2BPA_Setup32msi or SQL2008R2BPA_Setup64msi
depending on your platform
5 Once BPA is installed open a PowerShell prompt with Administrative Privileges
6 Execute the following commands
a Enable-PSRemoting
b winrm set winrmconfigwinrs ``MaxShellsPerUser=`10``
This should allow BPA to be successfully installed in the workgroup scenario
573 Kerberos Failure
This scenario is that you are failing with the above due to a Kerberos issue This particular issue could
actually show up after you have installed BPA depending on how you have configured your
environment
The issue stems from the fact that the Windows Remoting Windows Service uses the Network Service
account Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos As a
result it will be using the HOST Service Principal Name (SPN) that is on the Machine Account as it is
running under that context You may have an HTTP SPN that resides on a different account with that
host name For example if you are running an IIS Web Application such as SharePoint or if you are
using Reporting Services and the service account is set to a Domain User account instead of Network
Service or Local System If your URL of your application matches the machine name then your HTTP
SPN will be the same Thatrsquos where this problem comes in WinRM will stop working at that point and
give you a message similar to the following
Set-WSManQuickConfig WinRM cannot process the request The following error
occured while using Negotiate authentication An unknown security error
occurred
Possible causes are
-The user name or password specified are invalid
-Kerberos is used when no authentication method and no user name are
specified
-Kerberos accepts domain user names but not local user names
-The Service Principal Name (SPN) for the remote computer name and port
does not exist
-The client and remote computers are in different domains and there is no
trust between the two domains
After checking for the above issues try the following
-Check the Event Viewer for events related to authentication
-Change the authentication method add the destination computer to the
WinRM TrustedHosts configuration setting or use HTTPS transport
Note that computers in the TrustedHosts list might not be authenticated
-For more information about WinRM configuration run the following
Page 32
command winrm help config
At line50 char33
+ Set-WSManQuickConfig ltltltlt -force
+ CategoryInfo InvalidOperation () [Set-WSManQuickConfig]
InvalidOperationException
+ FullyQualifiedErrorId
WsManErrorMicrosoftWSManManagementSetWSManQuickConfigCommand
You can get this type of error from WinRM for muliple reasons The one that
we saw in our testing was the HTTP SPN scenario
If you do have an HTTP SPN defined on a Domain Account that is using the name of your machine
you have some options First you can follow the steps mentioned above to get BPA installed The
Enable-PSRemoting command will give you the above error You can temporarily remove the HTTP
SPN to get remoting enabled and then re-add the HTTP SPN
Once BPA is setup you will still not be able to run BPA if you put the HTTP SPN back in place You will
see the following when you attempt to perform a scan
This will occur regardless of which component you try to scan It could be the Engine Setup RS etchellip
One option to perform the scan successfully is to temporarily remove the HTTP SPN again run the
scan and then put the HTTP SPN back in place Another option but one that will probably require
further testing from your applicationrsquos end would be to run the application under a Host Header and
then your HTTP SPN would not include the machine name allowing BPA to run without issue
Page 33
6 RULES
Searching for ldquoSQL Server 20087 R2 BPArdquo at Microsoftcom reveals
Here is an example of one of these articles that talks about a rule to check for a recent ldquocleanrdquo
CHECKDB
Page 34
BPA works by measuring a rolersquos compliance with best practice rules in eight different categories of a
rolersquos effectiveness trustworthiness and reliability Results of measurements can be any of the three
severity levels described in the following table
Severity level Description
Noncompliant Noncompliant results are returned when a role does not satisfy the conditions of a rule
Compliant Compliant results are returned when a role satisfies the conditions of a rule
Warning Warning results are returned when a role is compliant as operating currently but may not satisfy the conditions of a
rule if changes are not made to its configuration or policy settings For example a scan of Remote Desktop Services
might show a warning result if a license server is unavailable to the role because even if no remote connections are
active at the time of the scan not having the license server prevents new remote connections from obtaining valid
client access licenses
Page 35
BPA rule categories
The following table describes the categories of best practice rules against which roles are measured
during a BPA scan
Category Name Description
Security Security rules are applied to measure a rolersquos relative risk for exposure to threats such as unauthorized or malicious
users or loss or theft of confidential or proprietary data
Performance Performance rules are applied to measure a rolersquos ability to process requests and perform its prescribed duties in
the enterprise within expected periods of time given the rolersquos workload
Configuration Configuration rules are applied to identify role settings that might require modification for the role to perform
optimally Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role
from performing its prescribed duties in an enterprise
Policy Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the
role to operate optimally and securely
Operation Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise
Predeployment Predeployment rules are applied before an installed role is deployed in the enterprise to let administrators to
evaluate whether best practices were satisfied before you use the role in production
Postdeployment Postdeployment rules are applied after all required services have started for a role and the role is running in the
enterprise
BPA Prerequisites BPA Prerequisite rules explain configuration settings policy settings and features that are required for the role
before BPA can apply specific rules from other categories A prerequisite in scan results indicates that an incorrect
setting a missing role role service or feature an incorrectly enabled or disabled policy a registry key setting or
other configuration has prevented BPA from applying one or more rules during a scan A prerequisite result does
not imply compliance or noncompliance It means that a rule could not be applied and therefore is not part of the
scan results
61 Engine Rules
Please find below a summary of the 74 Engine Rules with the links to the rule descriptions These rules
are checking that you have a secure resilient and well performing SQL configuration
Authentication Mode (httpsupportmicrosoftcomkb2028697)
Lightweight Pooling is enabled (httpsupportmicrosoftcomkb2160691)
Locks Configuration Not Dynamic (httpsupportmicrosoftcomkb2199576)
non-default network packet size in use (httpsupportmicrosoftcomkb2157175)
degree of parallelism not set to recommended value (httpsupportmicrosoftcomkb2023536)
Use Database Mail instead of SQL Mail (httpsupportmicrosoftcomkb2028584)
SQL Server Agent Proxy Account (httpsupportmicrosoftcomkb2160741)
SQL Login Password Policy Strength and password expiry
(httpsupportmicrosoftcomkb2028712)
Trustworthy Bit (httpsupportmicrosoftcomkb2183687)
Symmetric Keys Check (httpsupportmicrosoftcomkb2162020)
Asymmetric Keys Check (httpsupportmicrosoftcomkb2162020)
SQL Server installed on PDC BDC (httpsupportmicrosoftcomkb2032911)
Page 36
SQL Server Admin role membership check (httpsupportmicrosoftcomkb2184138)
Windows API calls intercepted (httpsupportmicrosoftcomkb2033238)
unsupported DotNET framework assemblies present (httpsupportmicrosoftcomkb2033344)
Disk partition starting offset may be incorrect (httpsupportmicrosoftcomkb2023571)
non-default max worker threads value configured (httpsupportmicrosoftcomkb2157129)
Guest Permissions (httpsupportmicrosoftcomkb2186935)
Data and Log files on the same volume (httpsupportmicrosoftcomkb2033523)
IO timeouts and IO controller errors detected (httpsupportmicrosoftcomkb2091098)
IO device errors detected (httpsupportmicrosoftcomkb2091098)
IO errors during page faults detected (httpsupportmicrosoftcomkb2091098)
cluster disk corruption encountered (httpsupportmicrosoftcomkb2091098)
disk defragmentation encountered corruption (httpsupportmicrosoftcomkb2091098)
failed IO requests detected (httpsupportmicrosoftcomkb2091098)
IO requests are successful when retried (httpsupportmicrosoftcomkb2015757)
IO Delay Problems reported by SQL Server (httpsupportmicrosoftcomkb2137408)
This system experienced unexpected shutdowns (httpsupportmicrosoftcomkb2091098)
tempdb corruption errors fix missing (httpsupportmicrosoftcomkb960770)
Critical SQL database inconsistency errors found (httpsupportmicrosoftcomkb2152734)
Logical consistency errors detected (httpsupportmicrosoftcomkb2152472)
Database have auto shrink option enabled (httpsupportmicrosoftcomkb2160663)
SQL Server Error logs are very big (httpsupportmicrosoftcomkb2199578)
incorrect affinity mask settings detected httpsupportmicrosoftcomkb2157114
Very low blocked process threshold setting detected httpsupportmicrosoftcomkb2157154
Potential security issue with legacy DTS stored procedures
httpsupportmicrosoftcomkb2202875
Winsock LSP loaded into SQL httpsupportmicrosoftcomkb2033448
Databases using simple recovery model httpsupportmicrosoftcomkb2137539
User database collation different from model httpsupportmicrosoftcomkb2026108
Database files and backups exist on the same volume httpsupportmicrosoftcomkb2027537
Databases have auto close option enabled httpsupportmicrosoftcomkb2160685
LSI SAS drivers needs update httpsupportmicrosoftcomkb2121098
SQL tempdb database not configured optimally httpsupportmicrosoftcomkb2154845
SQL Database file has sparse attribute set httpsupportmicrosoftcomkb2028447
Invalid startup parameters httpsupportmicrosoftcomkb2028433
MSDTC settings not configured optimally httpsupportmicrosoftcomkb2027550
sql incorrect results fix missing httpsupportmicrosoftcomkb971780
File System needs tuning for better FileStream performance
httpsupportmicrosoftcomkb2160002
linked server memory leak fix missing httpsupportmicrosoftcomkb971622EN-US
Windows service pack is not at recommended level httpsupportmicrosoftcomkb2121098
default extended event health session not in expected state
httpsupportmicrosoftcomkb2160570
TcpSysAndChimneyCheck httpsupportmicrosoftcomKB918483
FDHOST Launcher service is not configured properly httpsupportmicrosoftcomkb2160720
Unrecommended SQL Server Agent service account httpsupportmicrosoftcomkb2160720
A required Windows fix to avoid sparse file related problems is missing
httpsupportmicrosoftcomkb2002606
Page 37
Significant Portion of SQL Server Memory Has Been Paged Out
httpsupportmicrosoftcomkb2028324
Server Exception or Hang Detected on Server httpsupportmicrosoftcomkb2028589
Databases exist without CHECKSUM protection httpsupportmicrosoftcomkb2078345
backups outdated for databases httpsupportmicrosoftcomkb2027537
Database consistency check not current httpsupportmicrosoftcomkb2033590
SQL Server Memory settings are incorrect httpsupportmicrosoftcomKB918483EN-US
Autogrow Failed or took a long time httpsupportmicrosoftcomkb2091024
Storport driver fix from KBA 940467 missing httpsupportmicrosoftcomkb2121098
Storport driver fix from KBA 950903 missing httpsupportmicrosoftcomkb2121098
SQLCLR needs additional memory configuration httpsupportmicrosoftcomkb969962EN-US
Operating System files and drivers needs update for working set trimming
httpsupportmicrosoftcomkb2121098
Agent Token Replacement httpsupportmicrosoftcomkb2202637
Auditing Log in failures httpsupportmicrosoftcomkb2187161
Databases with high number of VLF present httpsupportmicrosoftcomkb2028436
Transparent Data Encryption Certificate httpsupportmicrosoftcomkb2201900
Permission on the Binn folder httpsupportmicrosoftcomkb2029023
Index Statistics Are Outdated
Server public permissions httpsupportmicrosoftcomkb2160698
Detected use of older versions of SQLNCLI httpsupportmicrosoftcomkb979779
62 AS Rules
Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions
Flight Recorder Enabled for SQL Server Analysis Services
httpsupportmicrosoftcomkb2128005
Excessive amount of memory preallocated to Analysis Services
httpsupportmicrosoftcomkb2027474
Server not configured for optimal concurrent query throughput
httpsupportmicrosoftcomkb2135031
Non standard value detected for Analysis Services memory configuration
httpsupportmicrosoftcomkb2027472
Process Thread Pool Max limit above recommended limit
httpsupportmicrosoftcomkb2134497
Process Thread Pool Minimum is below the recommended limit
httpsupportmicrosoftcomkb2134855
Server is running a build with a known regression httpsupportmicrosoftcomkb2157941
Slice not set on a ROLAP partition or a partition where proactive caching is enabled and
ROLAP storage ay occur httpsupportmicrosoftcomkb2027754
Server is ignoring duplicate key errors httpsupportmicrosoftcomkb2027761
No default member defined for non-aggregatable attribute
httpsupportmicrosoftcomkb2027769
UnknownMember set to hidden httpsupportmicrosoftcomkb2027628
Non-numeric key column for high cardinality attribute httpsupportmicrosoftcomkb2028138
Attribute hiearchy enabled for high cardinality non-key attribute
httpsupportmicrosoftcomkb2028143
ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition
detected httpsupportmicrosoftcomkb2132742
Page 38
Account or Time attribute types defined in a non-matching dimension type
httpsupportmicrosoftcomkb2157299
An Account or Time dimension has no matching attribute defined
httpsupportmicrosoftcomkb2027418
Dimension has no attribute defined with the same type
httpsupportmicrosoftcomkb2027443
Attribute Dimension type mismatch httpsupportmicrosoftcomkb2157327
Mismatched dimension attribute types detected in dimension
httpsupportmicrosoftcomkb2027459
Possible incorrect order of levels defined in hierarchy httpsupportmicrosoftcomkb2027460
Define attribute relationships as Rigid where possible httpsupportmicrosoftcomkb2027468
Redundant attribute relationships detected httpsupportmicrosoftcomkb2127437
Diamond-shape relationship detected httpsupportmicrosoftcomkb2127570
Non-Standard Attribute Relationship name detected httpsupportmicrosoftcomkb2127862
Proactive Caching set for dimension without a processing query
httpsupportmicrosoftcomkb2027541
No Time dimension detected httpsupportmicrosoftcomkb2027532
More than 3 parent-child dimensions with custom rollups defined
httpsupportmicrosoftcomkb2134431
Encountered a parent-child dimension with more than 500000 members
httpsupportmicrosoftcomkb2131918
Single attribute dimensions detected httpsupportmicrosoftcomkb2141654
Measure groups with zero dimensional overlap detected in cube
httpsupportmicrosoftcomkb2027609
Proactive Caching set for a partition without a processing query
Default measure for perspective not in the perspective
httpsupportmicrosoftcomkb2027603
Use MOLAP storage for dimensions that participate in semi-additive measure groups
httpsupportmicrosoftcomkb2135112
Measure group defined with no partition httpsupportmicrosoftcomkb2027545
63 RS Rules
RSWindowsNegotiate is missing from your configuration
httpsupportmicrosoftcomkb2145506
HTTP Logging is not enabled httpsupportmicrosoftcomkb2145909
Verbose logging is enabled httpsupportmicrosoftcomkb2146315
NTLM authentication may fail for local httpsupportmicrosoftcomkb2146369
Missing extended protection settings httpsupportmicrosoftcomkb2146062
64 IS Rules
Logging task missing for package httpsupportmicrosoftcomkb2027723
ActiveX Script task detected in package httpsupportmicrosoftcomkb2027712
Unrecommended Integration Services service account detected
httpsupportmicrosoftcomkb2027684
Integration Services logging table found in system database master and or msdb
httpsupportmicrosoftcomkb2027706
Integration Services memory dump detected httpsupportmicrosoftcomkb2027727
Page 39
65 Setup Rules
Unsupported Operating System Version Detected httpsupportmicrosoftcomkb2022909
WOW64 not supported for SQL Failover Clustering httpsupportmicrosoftcomkb2157198
Installer cache is missing for the SQL Installation httpsupportmicrosoftcomkb2015100
SQL Server WMI Provider Health Check
66 Replication Rules
Replication Timeout Alerts Type httpsupportmicrosoftcomkb2118349
Replication Pub and Sub out of sync (Data Validation) httpsupportmicrosoftcomkb2118386
Replication Pub and Sub out of sync (Constraint Violations)
httpsupportmicrosoftcomkb2118410
Replication Pub and Sub out of sync (Skipped Transactions)
httpsupportmicrosoftcomkb2194498
Merge Replication Health Check httpsupportmicrosoftcomkb2118445
Subscriptions Approaching Expiration httpgomicrosoftcomfwlinkLinkId=184483
Replication Cleanup and Retention Health Check httpsupportmicrosoftcomkb2118485
Replication Latency Threshold violations httpsupportmicrosoftcomkb2118425
Page 40
7 HOW TO DEAL WITH DEVIATIONS
Deviations from these Best Practices may indicate potential issues and configuration changes may be
necessary Make sure you have tested any intended changes in a test environment before deploying
them to a production environment You could also find deviations from Best Practices that are
acceptable or even necessary for your environment For example
SAP has its special Network Packet Size of 8 KB
Existing Non-Microsoft Clients ndash would require Mixed Mode Authentication
Page 41
8 MOTIVATION TO USE SQL BPA R2
Bob Ward explained in his Article ldquoWhy use SQL Server 2008 R2 BPA Case 1 Missing Updatesrdquo
the common pitfalls during maintenance and operation of SQL Server and how address them by using
the SQL BPA
In brief itrsquos a customer scenario where the customer is facing an issue after a major update to
SQL2008 After some troubleshooting and an update to a certain CU (that is meant to fix the issue) the
problem still occurs Bobs article states the common resulting consequences ndash the involvement of
Microsoft Support and the final solution ndash adding a needed traceflag
The good news in this story is that the customer would not have needed to go to all that effort if they
would have run the SQL BPA It would have told them about the update and instructed them to put the
traceflag in place BPA is a mechanism that proactively advises you and instructs you on dealing with
common known issues
Page 42
9 ADDITIONAL INFORMATION
91 PowerShell
To use the functionality of the Baseline Configuration Analyzer with PowerShell you must import this
module first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
The following commands are stored in this module
Get-MbcaModel
Get-MbcaResult
Invoke-MbcaModel
Set-MbcaResult
You get help of this command with the following syntax
Get-help ltcommandgt -full
911 Get-MBCAModel
SYNOPSIS
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer
SYNTAX
Get-MBCAModel [[-ModelId] ltstring[]gt] [[-SubModelId] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer If no parameter is
specified Get-MBCAModel returns all models that are installed on the computer If a model is specified
by using the -ModelId parameter information about the specified model is returned
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
The results of the Get-MBCAModel cmdlet include the following details about models
1 Branding information (manufacturer or company display names version number) that is found in
the model manifest
2 Dynamic parameters that are included with the model
3 Submodels that are included with the model
PARAMETERS
-ModelId ltstring[]gt
The -ModelId parameter specifies the ID of the MBCA model about which you want to view
details You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet with no parameters and targeted at a computer on which MBCA models are installed
Page 43
This parameter supports wild card characters
Required false
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you
want to view details You can obtain valid values for the -SubModelId parameter by running the
Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models
are installed Not all models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
Examples
Get-MBCAModel
In the preceding example Get-MBCAModel with no parameters added returns details about all MBCA
models that are installed on the computer
Get-MBCAModel -ModelId SQL2008R2BPA
The preceding example can be used to return details about the MBCA model that is specified in the -
ModelId parameter represented by Model Id
$model= Get-MBCAModel -ModelId SQL2008R2BPA
$modelParameters
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the Parameters property of the model details that were stored in the
$model object returns details about which parameters are supported by the model
Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId ltSubModel Idgt
The preceding example can be used to return details about the MBCA sub-model that is specified by
the -SubModelId parameter represented by SubModel Id Note that the -ModelId parameter is
required by the -SubModelId parameter
$model= Get-MBCAModel -ModelId SQL2008R2BPA
Page 44
$modelSubModels
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the SubModels property of the model details that were stored in the
$model object returns a list of the submodels of the model specified in the first line
912 Invoke-MBCAModel
SYNOPSIS
The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA)
scan for a specific model that is installed on your computer
SYNTAX
Invoke-MBCAModel [-ModelId] ltstringgt -SubModelId ltstringgt [-Authentication
ltAuthenticationMechanismgt] [-CertificateThumbprint ltstringgt] [-ComputerName
ltstring[]gt] [-ConfigurationName ltstringgt] [-Context ltstringgt] [-Credential
ltstringgt] [-Mode ltModeEnumgt] [-Port ltintgt] [-RepositoryPath ltstringgt] [-
ThrottleLimit ltintgt] [-UseSSL] [ltCommonParametersgt]
DESCRIPTION
The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer
(MBCA) scan for a specific model that is installed on your computer The model is specified either by
using the parameter -ModelId or by piping the results of the Get-MBCAModel cmdlet into an Invoke-
MBCAMode cmdlet
After the MBCA scan has been performed the results of the scan are available to be retrieved by Get-
MBCAResult cmdlet
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Authentication ltAuthenticationMechanismgt
Specifies the authentication mechanism that is used to authenticate the users credentials Valid
values include Default Basic CredSSP Digest Kerberos Negotiate and
NegotiateWithImplicitCredential The default value is Default
For more information about the -Authentication parameter type the following and then press
Enter
Get-Help Invoke-Command -Parameter Authentication
Required false
Position named
Default value Default
Accept pipeline input false
Accept wildcard characters false
-CertificateThumbprint ltstringgt
Page 45
Specifies the digital public key certificate (X509) of a user account that has rights to perform the
cmdlet action The valid value is the certificate thumbprint of the certificate
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Certificate Thumbprint
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific
computer by adding this parameter Valid values include NETBOS names IP addresses or fully-
qualified domain names of one or more computers in a comma-separated list To specify the local
computer type the computer name or localhost
All formats that are accepted by the -ComputerName parameter in Invoke-Command are
accepted
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ConfigurationName ltstringgt
Specifies the session configuration that is used for a new PSSession
Enter a configuration name or the fully-qualified resource URI for a session configuration
Session configuration data is found on the remote computer on which you want to run a cmdlet
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ConfigurationName
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
The -Context parameter lets you run scans on a submodel in the context of a specific model (one
that is different from the parent model of the submodel) For example an administrator might
want to run a scan on the Backend submodel of the SQL model but only those in the context
of a third model a technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
Page 46
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Credential ltstringgt
Specifies a user account that has permission to run this cmdlet The default value is the current
user
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Credential
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Mode ltModeEnumgt
The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered
documents or discovery The default is to perform both discovery and analysis or All
If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet both discovery and
analysis are performed during a scan
Valid values are Discovery Analysis and All
Required false
Position named
Default value All
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model that you want to scan You can
obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at
a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
Page 47
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-Port ltintgt
Specifies the network port on a remote computer on which you want to run a scan The default
value is port 80
For more information on this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Port
Required false
Position named
Default value 80
Accept pipeline input false
Accept wildcard characters false
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a pathname If the parameter is not used the cmdlet writes
results to the default result repository
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to
scan You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed Not all models have
submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ThrottleLimit ltintgt
Specifies the maximum number of concurrent connections that can be established to run the
cmdlet If you omit this parameter or enter a value of 0 the default value of 32 is used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ThrottleLimit
Required false
Page 48
Position named
Default value 32
Accept pipeline input false
Accept wildcard characters false
-UseSSL [ltSwitchParametergt]
Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer
By default SSL is not used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter UseSSL
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceInvokeBpaModelOutputgt
The output object encapsulates the results of the cmdlet that you entered It contains information such
as the MBCA model ID the success or failure of the cmdlet and other details
NOTES
If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C)
before the temporary results file is copied to its final location the temporary file is discarded and any
previous scan results file for the role are preserved The message Processing of Invoke-MBCAModel
cancelled by user is displayed if the command is cancelled before existing scan results files are
overwritten
If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel
cmdlet and the command is cancelled scans that were completed before the cancel command was
entered cannot be cancelled A scan in progress behaves as described above in the single-model scan
cancellation scenario Subsequent scans in the pipeline are cancelled
If a concurrent scan of the same model is attempted the cmdlet returns the following error message
Another scan for this MBCA model is in progress Only one scan is allowed at a time
-------------------------- EXAMPLE 1 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA
Description
The preceding example starts a MBCA scan on the model that is represented by ltModel Idgt
-------------------------- EXAMPLE 2 --------------------------
Page 49
Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name
redmondmicrosoftcom
Description
The preceding example starts an MBCA scan on the model ID that is specified by Model Id
The administrator starts the MBCA scan with additional model-specific parameters that are exposed by
the model (For an example of how to obtain model-specific parameters see the examples for the Get-
MBCAModel cmdlet)
For example to scan a model that requires model-specific parameters (such as -Scope and -Name) to
be passed to the command the administrator can specify the values of these model-specific
parameters with the Invoke-MBCAModel cmdlet
-------------------------- EXAMPLE 3 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The
cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion
of the scan
-------------------------- EXAMPLE 4 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath
ltRepository Pathgt
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The -
Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on
existing documents that are specified in the non-default repository path provided with the -Repository
Path parameter
-------------------------- EXAMPLE 5 --------------------------
Invoke-MBCAModel -Id ltModel Idgt -SubModelId ltSubModel Idgt -ComputerName
ltServergt -Context ltContext Model Idgt -RepositoryPath ltRespository Pathgt -
AsJob -Authentication ltAuthenticatonMechanismgt -Port ltPort Numbergt -UseSSL -
ThrottleLimit ltThrottle Limitgt
Description
The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id
and on the computer that is represented by Server
Because the administrator only wants to see results from the submodel that apply in the context of a
third model the administrator runs the scan within the context of the model ID that is specified in the -
Context parameter The cmdlet results are saved to the non-default repository path that is specified in
the -RepositoryPath parameter
Because the -AsJob parameter is added the scan runs in the background The -AsJob -
Authentication -Port -UseSSL and -ThrottleLimit parameters are passed through for use by the
Invoke-Command cmdlet to perform discovery on a remote computer For more information about
these parameters see the Help for the Invoke-Command cmdlet available in Windows PowerShell V2
913 Get-MBCAResult
SYNOPSIS
Page 50
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
SYNTAX
Get-MBCAResult [-ModelId] ltstringgt [[-CollectedConfiguration]] -SubModelId
ltstringgt [-ComputerName ltstring[]gt] [-Context ltstringgt] [-Filter
ltFilterEnumgt] [-RepositoryPath ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
To use the command add the -ModelId parameter and then specify the model ID for which you want
to view the most recent MBCA scan results or collected configuration data If you want to retrieve the
configuration data collected add the -CollectedConfiguration switch parameter
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-CollectedConfiguration [ltSwitchParametergt]
The -CollectedConfiguration parameter allows you to obtain the configuration data that was
collected for the most recent MBCA scan If this switch parameter is added to Get-MBCAResults
the cmdlet returns only the configuration data that was collected for a scan
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The -ComputerName parameter lets you obtain scan results that were collected for the most
recent MBCA scan of a submodel on a specific computer To specify the local computer type the
computer name or localhost Multiple values for -ComputerName can be separated by
commas
The -SubModelId parameter is required by the -ComputerName parameter
Valid values for the -ComputerName parameter include localhost a NET BIOS name an IP
address or a fully-qualified domain name (FQDN) of one or more computers in a comma-
separated list
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
Page 51
The -Context parameter lets you obtain scan results that were collected for the most recent
MBCA scan of a submodel in the context of a specific model (one that is different from the parent
model of the submodel) For example an administrator might want to display scan results for the
Backend submodel of the SQL model but only those in the context of a third model a
technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Filter ltFilterEnumgt
The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant
Noncompliant or All results Valid values are Noncompliant Compliant or All The default value
is All
The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan
results You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet obtains
results from the default result repository
Required false
Position named
Page 52
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you
want to view scan results You can obtain valid values for the -SubModelId parameter by running
the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed Not all
models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceResultgt OR
SystemXmlXmlDocument (if -CollectedData specified)
If you do not use the -CollectedConfiguration parameter verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Results
2 Attempting to get MBCA results for Model Id = 0
3 Completed getting MBCA results for Model Id = 0 Number of Results = 1
If you add the -CollectedConfiguration parameter to display configuration data that was used for a
scan verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Configuration Data
2 Attempting to get MBCA collected configuration data for Model Id = 0
3 Completed getting MBCA collected configuration data for Model Id = 0
NOTES
The Get-MBCAResult cmdlet must be run by a member of the Administrators group and it does not
start a new scan
Cancellation behaviour
Single Model - To cancel this cmdlet you must press Ctrl+C before the ResultCollection is displayed
on the console The operation is cancelled and results are not displayed on the console
Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models
the cmdlet generates only those results that were displayed on the console before the cancellation
Any subsequent results in the pipeline are cancelled and not displayed
Page 53
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -Id SQL2008R2BPA
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id
-------------------------- EXAMPLE 2 --------------------------
Get-MBCAModel | Get-MBCAResult
In the preceding example Get-MBCAModel is used to return a list of all MBCA models that are
installed on the computer The results of the Get-MBCAModel cmdlet are piped to the Get-
MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both
supported by MBCA and installed on the computer at which the cmdlet is targeted
-------------------------- EXAMPLE 3 --------------------------
$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$resultDiscoveryDocument
Description
In the preceding example configuration data (in XML form) that was collected during the most recent
Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is
retrieved and stored as a property in the variable $result $resultDiscoveryDocument is of type
SystemXmlXmlDocument
-------------------------- EXAMPLE 4 --------------------------
Get-MBCAResult SQL2008R2BPA -Filter Noncompliant
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id and then applies a filter to show only Noncompliant
results
------------------------- EXAMPLE 5 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId Note that the parent model ID must be specified
to use the -SubModelId parameter
------------------------- EXAMPLE 6 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt -ComputerName ltServergt
-Context ltContext Model Idgt -RepositoryPath ltRepository Pathgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId The parent model ID is provided as required by
the -SubModelID parameter
The -Context parameter indicates that the administrator wants to see only those scan results that are in
the context of the model that is represented by Context Model Id for example only those results from
a SQL Server scan that specifically apply to another technology such as Web Server (IIS)
Page 54
The scan results are further narrowed to only those from a computer that is specified in the -
ComputerName parameter as Server and only those results found in the non-default results
repository that is represented by Repository Path
914 Set-MBCAResult
SYNOPSIS
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
SYNTAX
Set-MBCAResult [[-Exclude] ltBooleangt] [-Results] ltResultgtgt [[-
RepostitoryPath] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
The action specified in the cmdlet (Exclude for example) determines how the existing results of an
MBCA scan are updated Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet
to return a collection of scan results
You can apply filters to results that are returned by the Get-MBCAResult cmdlet and then pipe the
filtered collection of results to the Set-MBCAResult cmdlet specifying either to include or exclude
filtered scan results
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Exclude ltBooleangt
Excludes scan results from the results collection that were previously obtained by the Get-
MBCAResult command To exclude results by using the -Exclude parameter add the value $true
following the parameter as shown
-Exclude $true
To include results that have been excluded use the $false value for the -Exclude parameter
Required false
Position 2
Default value
Accept pipeline input false
Accept wildcard characters false
-RepostitoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet
modifies results from the default result repository
Required false
Page 55
Position 4
Default value
Accept pipeline input false
Accept wildcard characters false
-Results ltResultgtgt
Specifies the result collection to be updated by the Set-MBCAResult cmdlet The -Results
parameter is typically used to specify a filtered subset of scan results that has already been
stored in a variable the variable name is provided as the valid value for the -Results parameter
For example if you have created a variable $allPerformance to store all the Performance
category results for an MBCA scan of all models on a computer and you want to exclude those
Performance results from the complete collection of scan results you add the parameter -Results
$all Performance to a Set-MBCAResult cmdlet
For a more detailed example see the Examples section of the Help for this cmdlet
Required true
Position 3
Default value
Accept pipeline input true (ByValue)
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type ldquoget-
help about_commonparameters
NOTES
If the Set-MBCAResult command is cancelled before the results are written to a file the operation is
cancelled and the results file is not modified If cancellation occurs after the results file has been
modified the commands actions are carried out and the command cannot be cancelled
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -ModelId SQL2008R2BPA | Where $_Category -eq
Performance | Set-MBCAResult -Exclude $true
Description
The first section of the preceding example to the left of the first pipe character (|) uses the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is
represented by Model Id
The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those
scan results for which the category name is equal to Performance
The final section of the example following the second pipe character excludes the Performance
results that were filtered by the previous section of the example
-------------------------- EXAMPLE 2 --------------------------
$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath
CReposPath | Where $_Category -eq Policy
Page 56
Set-MBCAResult -Exclude $true -RepositoryPath CReposPath -Results
$rcPolicy
Description
The first line of the preceding example to the left of the pipe character (|) instructs the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is
represented by Specified Model Id from the specified non-default repository path
The second section of the example after the pipe character filters the results of the Get-MBCAResult
cmdlet to return only those scan results for which the category name is equal to (note the -eq option)
Policy The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet this
variable can be used in subsequent commands to represent those results
The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that
are stored in the $rcPolicy variable In this example the -Results parameter is added because the
administrator wants to exclude a specific subset of scan results for that model and has created the
variable $rcPolicy to represent that subset of results The repository root is specified in the second line
because the administrator wants to modify the results in the same non-default repository from which
the data in $rcPolicy was retrieved
915 MBCA Model Authoring
Further information about configuration and usage of MBCA models you can in the
MBCA_ModelAuthoringGuidedocx
Page 57
Did this paper help you Please give us your feedback Tell us on a scale of 1 (poor) to 5 (excellent)
how would you rate this paper and why have you given it this rating For example
Are you rating it high due to having good examples excellent screen shots clear writing or
another reason
Are you rating it low due to poor examples fuzzy screen shots or unclear writing
This feedback will help us improve the quality of white papers we release
Send feedback
Page 19
Enter the instance name you want to scan To scan the default instance enter MSSQLSERVER
or leave this as blank Toggle the checkboxes to enabledisable scans for those rule categories
Each of the following six check boxes correspond to the SQL Server categories listed previously
Select at least one category in order to run a successful scan
Analyze_SQL_Analysis_Services
Analyze_SQL_Server_Engine
Analyze_SQL_Integration_Services
Analyze_SQL_Server_Replication
Analyze_SQL_Reporting_Services
Analyze_SQL_Server_Setup
Note Only one SQL Server instance can be scanned at a time through the MBCA GUI
6 Click Start Scan MBCA will start the configured scan and display the below page while in
progress
7 When the scan is complete results will be displayed grouped by Severity as shown below
Page 20
43 Connect to a remote computer
A scan connected to a remote computer is different than scanning an alternate server
ldquoConnect to a Remote Computerrdquo is functionality provided by Microsoft Baseline Configuration Analyzer
and is used to remotely run MBCA against a server from the console of the client The client needs to
have MBCA installed but does not need BPA as it is literally running the copy of MBCA installed on the
server using the BPA installed on the server In this case the copy of MBCA installed on the client is
used only to remotely connect to the copy of MBCA installed on the server
To use this functionality you first start MBCA on the client computer and select ldquoConnect to Another
Computerrdquo
1 In the ldquoConnect to Another Computerrdquo text box you can specify a NetBIOS name a fully qualified
domain name (FQDN) or an IPv4 or IPv6 address If no port number is specified the default port
number is used The following are examples of formats that you can specify in the Connect to
Another Computer text box
ComputerName
Page 21
ComputerNamePortNumber
IP address nnnn
IPv6 address [nnnnnnnn]
IPv4 address with port number nnnnPortNumber
IPv6 address with port number [nnnnnnnn]PortNumber
Note If an administrator has changed the computerrsquos default port number any port other than the
default port must be opened in Windows Firewall to allow incoming connections on that port Port
5985 is opened by default when WinRM is configured All other ports remain blocked until opened
For more information about how to unblock a port in Windows Firewall see the Help for Windows
Firewall For more information about how to configure WinRM in a Command Prompt session type
winrm help and then press Enter
2 Additionally you must supply credentials
3 CredSSP
Windows Remote Management (WinRM) supports the delegation of user credentials across
multiple remote computers The multi-hop support functionality can now use Credential Security
Service Provider (CredSSP) for authentication CredSSP enables an application to delegate the
userrsquos credentials from the client computer to the target server
CredSSP authentication is intended for environments where Kerberos delegation cannot be used
Support for CredSSP was added to allow a user to connect to a remote server and have the ability
to access a second-hop machine such as a file share
Note WinRM clients and servers will support CredSSP authentication only with explicit credentials
Windows XP Windows Server 2003 and earlier CredSSP is not supported
First you must set CredSSP on both the client and the server
Using the Group Policy Editor (gpeditmsc) make sure to enable ldquoAllow Delegating Fresh
Credentialsrdquo and check ldquoConcatenate OS defaults with input aboverdquo
Add the server or domain to the list of servers in the format ldquoWSMANdomainnamecomrdquo
Next enable and configure PowerShell Remoting on both the Client and Server by running the
following commands in a PowerShell command window opened with elevated permissions Note
Page 22
You can configure a single machine as both a client and a server simultaneously so that you can
scan from either computer
Enable PowerShell Remoting
o Enable-psremoting ndashf
Settings for a client
o Enable-WSManCredSSP ndashrole Client ndashDelegateComputer [NetBiosNameOfServer]
or
o Enable-WSManCredSSP ndashrole Client ndashDelegateComputer [FQDN OF SERVER]
Settings for the server
o Enable-WSManCredSSP ndashrole Server
o set-item WSManlocalhostShellMaxMemoryPerShellMB ndashValue 20000
o set-item WSManlocalhostShellMaxShellsPerUser ndashvalue 20
44 PowerShell
Details see 91 PowerShell
To use the functionality of the Microsoft Baseline Configuration Analyzer you must import this module
first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
441 Run Scan
To run a full scan of the BPA on the alternate server on a named instance you can use the following
command line
Invoke-MBCAModel -ModelId SQL2008R2BPA -Alternate_Server_to_scan
servername -SQL_Server_Instance_Name instancename -
Analyze_SQL_Server_Engine -Analyze_SQL_Server_Replication -
Page 23
Analyze_SQL_Server_Setup -Analyze_SQL_Analysis_Services -
Analyze_SQL_Integration_Services -Analyze_SQL_Reporting_Services
The result looks like this part
ModelId SQL2008R2BPA
SubModelId
Success True
ScanTime
Success = True is important This is the indicator that your scan was successful
Parameter description
-Alternate_Server_to_scan servername
-SQL_Server_Instance_Name instancename
-Analyze_SQL_Server_Engine
-Analyze_SQL_Server_Replication
-Analyze_SQL_Server_Setup
-Analyze_SQL_Analysis_Services
-Analyze_SQL_Integration_Services
-Analyze_SQL_Reporting_Services
The parameter list is equal the parameter screen in the GUI
The scans of the different services are optional You can remove technologies which you do not need
to scan
The next example starts the scan only for the Analysis Services on the alternate server ldquoservernamerdquo
and for the named instance ldquoinstancerdquo A log file will be written to ldquoctempssastxtrdquo
Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId AnalysisServices -
ComputerName servername -SqlServerInstance instance -SSASLogFile
ctempssastxt
Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId Engine -ComputerName
computername -SqlServerInstance servername -CurrentLoginName
($EnvUSERDOMAIN + + $EnvUSERNAME)ToString() -EngineLogFile
ctempenginetxt ndashRepositoryPath (CTEMPSQL2008 + (Get-
Date)ToString(yyyyMMdd))ToString()
442 Create Report
model = get-MbcaModel ndashModelId sql2008r2bpa
$scanResult = get-MbcaResult ndashModelId sql2008r2bpa
$collectedConfig = get-MbcaResult ndashModelId sql2008r2bpa ndash
CollectedConfiguration
$model $scanResult $collectedConfig | export-CliXml ctempasxml
Get-MBCAResult -ModelId SQL2008R2BPA -SubModelId AnalysisServices |
ConvertTo-Html | Add-Content -Path ctesthtml
The next command retrieves the results of the most recent BPA scan for the specified model and
saves them in HTML format applying the standard cascading style sheets that are stored in the path
windirsystem32WindowsPowerShellv10ModulesBestPracticesBestPracticesReportFormatc
Page 24
ss If you want to substitute cascading style sheets provide the path to the different cascading style
sheets
Get-MBCAResult -ModelId SQL2008R2BPA | $_Severity -eq Warning -or
$_Severity -eq Error | ConvertTo-Html -As Table -property ResultNumber
SubModelID ComputerName Severity Category Title Problem Impact
Resolution Help -Head lth1gtSQL Server 2008 (R2) Best Practice Analyzer
Reportlth1gtrdquo -Title SQL Server 2008 Best Practice Analyzer -body
(ltpgtReport creation date + (Get-Date)ToString(ddMMyyyy hhmmss) +
ltpgt)toString() -pre ltPgtGenerated by user $envusername on computer
$envcomputernameltPgt -post For details contact Microsoft Premier-
CssUri $env BestPracticesReportFormatcss gt ctempsql2008r2bpahtm
443 Exporting and opening reports by using Get-MBCAResult
You can use the Get-MBCAResult cmdlet to export scan results and configuration data to an XML
report that you can open for viewing in the future either by using Get-MBCAResult or by using the
MBCA GUI Exporting reports allows you to compare older scans with more recent scans to measure
the progress of your best practice compliance
Example of exporting to XML
$results = Get-MBCAResult ltModel Idgt
$collectedconfig = Get-MBCAResult ltModel Idgt -CollectedConfiguration
$results $collectedconfig | Export-CliXml cexportxml
Example of opening archived XML report file
$loadedResults $loadedConfiguration = Import-CliXml cexportxml
444 Report Result Directory
The reporting result path
AppDataMicrosoftBaselineConfigurationAnalyzer
2ReportsSQL2008R2BPAResults
Will be overwritten during each run of the tool or invoke command
Solution save older results before you start the check
copy-item -path ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2Reports)ToString() -
destination ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2Reports_ + (Get-
Date)ToString(yyyyMMddhhmmss))ToString() ndashrecurse
Afterwards you can create a report with the following command
$prevrepPath = (Get-ChildItem ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2)ToString() -exclude
Reports | Sort-Object name -descending)[0]
Get-MBCAResult -ModelId SQL2008R2BPA ndashRepositoryPath ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2rdquo +
$prevrepPathname)ToString() | ConvertTo-Html -As Table -property
ResultNumberSubModelID ComputerName Severity Category Title Problem
Impact Resolution Help -Head lth1gtSQL Server 2008 (R2) Best Practice
Analyzer Reportlth1gtrdquo -Title SQL Server 2008 Best Practice Analyzer -body
(ltpgtReport creation date + (Get-Date)ToString(ddMMyyyy hhmmss) +
ltpgt)toString() -pre ltPgtGenerated by user $envusername on computer
Page 25
$envcomputernameltPgt -post For details contact Microsoft Premier gt
ctempsql2008r2bpahtm
Page 26
5 TROUBLESHOOTING
51 Application directories
To following directories are used by MBCA
Report output directory localappdataMicrosoftMicrosoftBaselineConfigurationAnalyzer 2ReportsSQL2008R2BPAResults
Model configuration path ProgramdataMicrosoftMicrosoft Baseline Configuration Analyzer 2ModelsSQL2008R2BPA
Temp and log files directory tempSQL2008R2BPASQL2008ltdategt_lttimegt
Registry [HKEY_LOCAL_MACHINESOFTWAREMicrosoftBaselineConfigurationAnalyzer]
Log Files
During Data Discovery SQL Server 2008 R2 BPA creates log files for troubleshooting The log file
contains the following information
Pre-requisite validation
Timestamp finished rules start and end times
Run-time scripting errors and exceptions from Power Shell Traps
Log Files Location
For every scan log files are created in userrsquos Local Temp directory (Temp) and follows the folder
structure SQL2008R2BPAlt Instance Name gtlt datestamp_timestamp gtlt Log files gt
Note In case of a remote scan the category log files are generated on the remote system at the same
path whereas the common log file is generated in the local system
Log Files Structure
A common log file gets generated and contains information about each categorys execution Apart
from this each category has its own log file which details the rule execution The names of the log files
are given below
Common File - ModelLogtxt
Engine Rules - EngineLogtxt
Replication Rules - ReplicationLogtxt
Setup Rules - SetupLogtxt
Analysis Services Rules - AnalysisServicesLogtxt
Reporting Services Rules - ReportingServicesLogtxt
Integration Services Rules - IntegrationServicesLogtxt
52 Windows Server 2003 ndash NumberOfLogicalProcessors
Analysis Services RID2803 and RID2804 ndash NumberOfLogicalProcessors property is unavailable in
Win32_Processor for with Windows Server 2003
Solution The NumberOfLogicalProcessors property does not exist in the WIN32_PROCESSOR object
in Windows Server 2003 It has been implemented in the hotfix
httpsupportmicrosoftcomkb932370
Both of the rules below will function properly if you apply this hotfix For more information look here
Page 27
53 MBCA
This message indicates that on prerequisite is not installed
Please install the version 2 of the MBCA
54 Where can I find the Instance name in result set of the analyzer
report
The instance name is in the collected data option of the analyzer report in the BPA GUI
55 Memory limit of remote PowerShell process
By default remote PowerShell process can consume only 150 MB or less memory This default limit is
significantly small and once this limit is reached there could be a WinRM exception causing and remote
connection immediately terminates Any application or Cmdlet which is involved in PowerShell
remoting should be tested for this memory limit this may cause some of the command to fail for
example site collection creation
Solution Increase the memory limit for the remote shell Use the following command to increase this
limitation to 1000MB This is only necessary if you need to run those commands on that server
Set-Item WSManlocalhostShellMaxMemoryPerShellMB 1000
56 Remote connect
If you try to ldquoConnect to another computerrdquo from MBCA and you receive the following message
Page 28
You should check first if the Hotfix KB968930 is installed
Afterwards validate that the ldquoWindows Remote Managementrdquo service is started
Enable-PSRemoting
If CredSSP is unsupported or unavailable you will see the following message
Page 29
If you have no permission to access the remote server you get the error message
Page 30
57 Installation
571 PowerShell error
After getting through the Pre-Reqs for BPA (PowerShell 20 MBCA NET Framework) you may hit
one of two scenarios when installing BPA
In all of the cases of an install failure you will see the following error
There is a problem with this Windows Installer package A program run as part of the setup did not
finish as expected Contact your support personnel or package vendor
In your Application Event Log for both of these scenarios you will also see the following entry
Log Name Application
Source MsiInstaller
Date 6102010 83818 AM
Event ID 11722
Task Category None
Level Error
Keywords Classic
User ltUsernamegt
Computer ltMachine namegt
Description
Product Microsoft SQL Server 2008 R2 BPA -- Error 1722 There is a problem
with this Windows Installer package A program run as part of the setup did
not finish as expected Contact your support personnel or package
vendor Action EnablePSRemoting location powershellexe command -NoLogo
-NoProfile -Command Enable-PSRemoting ndashforce
Page 31
This is an indicator that PowerShell is not configured You must run the following command
powershellexe -NoLogo -NoProfile -Command Enable-PSRemoting ndashforce
572 Workgroup or Non-Domain computer
In this scenario the Enable-PSRemoting command should execute fine from a PowerShell prompt
The actual error coming back from the PowerShell command within the Installer is ldquoAccess Deniedrdquo
To work around this issue you can do the following
1 Open a command prompt with Administrative Privileges
2 Change to the directory where the msi file resides
3 Type msiexec i ltMSI Namegt SKIPCA=1
4 MSI Name will either be SQL2008R2BPA_Setup32msi or SQL2008R2BPA_Setup64msi
depending on your platform
5 Once BPA is installed open a PowerShell prompt with Administrative Privileges
6 Execute the following commands
a Enable-PSRemoting
b winrm set winrmconfigwinrs ``MaxShellsPerUser=`10``
This should allow BPA to be successfully installed in the workgroup scenario
573 Kerberos Failure
This scenario is that you are failing with the above due to a Kerberos issue This particular issue could
actually show up after you have installed BPA depending on how you have configured your
environment
The issue stems from the fact that the Windows Remoting Windows Service uses the Network Service
account Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos As a
result it will be using the HOST Service Principal Name (SPN) that is on the Machine Account as it is
running under that context You may have an HTTP SPN that resides on a different account with that
host name For example if you are running an IIS Web Application such as SharePoint or if you are
using Reporting Services and the service account is set to a Domain User account instead of Network
Service or Local System If your URL of your application matches the machine name then your HTTP
SPN will be the same Thatrsquos where this problem comes in WinRM will stop working at that point and
give you a message similar to the following
Set-WSManQuickConfig WinRM cannot process the request The following error
occured while using Negotiate authentication An unknown security error
occurred
Possible causes are
-The user name or password specified are invalid
-Kerberos is used when no authentication method and no user name are
specified
-Kerberos accepts domain user names but not local user names
-The Service Principal Name (SPN) for the remote computer name and port
does not exist
-The client and remote computers are in different domains and there is no
trust between the two domains
After checking for the above issues try the following
-Check the Event Viewer for events related to authentication
-Change the authentication method add the destination computer to the
WinRM TrustedHosts configuration setting or use HTTPS transport
Note that computers in the TrustedHosts list might not be authenticated
-For more information about WinRM configuration run the following
Page 32
command winrm help config
At line50 char33
+ Set-WSManQuickConfig ltltltlt -force
+ CategoryInfo InvalidOperation () [Set-WSManQuickConfig]
InvalidOperationException
+ FullyQualifiedErrorId
WsManErrorMicrosoftWSManManagementSetWSManQuickConfigCommand
You can get this type of error from WinRM for muliple reasons The one that
we saw in our testing was the HTTP SPN scenario
If you do have an HTTP SPN defined on a Domain Account that is using the name of your machine
you have some options First you can follow the steps mentioned above to get BPA installed The
Enable-PSRemoting command will give you the above error You can temporarily remove the HTTP
SPN to get remoting enabled and then re-add the HTTP SPN
Once BPA is setup you will still not be able to run BPA if you put the HTTP SPN back in place You will
see the following when you attempt to perform a scan
This will occur regardless of which component you try to scan It could be the Engine Setup RS etchellip
One option to perform the scan successfully is to temporarily remove the HTTP SPN again run the
scan and then put the HTTP SPN back in place Another option but one that will probably require
further testing from your applicationrsquos end would be to run the application under a Host Header and
then your HTTP SPN would not include the machine name allowing BPA to run without issue
Page 33
6 RULES
Searching for ldquoSQL Server 20087 R2 BPArdquo at Microsoftcom reveals
Here is an example of one of these articles that talks about a rule to check for a recent ldquocleanrdquo
CHECKDB
Page 34
BPA works by measuring a rolersquos compliance with best practice rules in eight different categories of a
rolersquos effectiveness trustworthiness and reliability Results of measurements can be any of the three
severity levels described in the following table
Severity level Description
Noncompliant Noncompliant results are returned when a role does not satisfy the conditions of a rule
Compliant Compliant results are returned when a role satisfies the conditions of a rule
Warning Warning results are returned when a role is compliant as operating currently but may not satisfy the conditions of a
rule if changes are not made to its configuration or policy settings For example a scan of Remote Desktop Services
might show a warning result if a license server is unavailable to the role because even if no remote connections are
active at the time of the scan not having the license server prevents new remote connections from obtaining valid
client access licenses
Page 35
BPA rule categories
The following table describes the categories of best practice rules against which roles are measured
during a BPA scan
Category Name Description
Security Security rules are applied to measure a rolersquos relative risk for exposure to threats such as unauthorized or malicious
users or loss or theft of confidential or proprietary data
Performance Performance rules are applied to measure a rolersquos ability to process requests and perform its prescribed duties in
the enterprise within expected periods of time given the rolersquos workload
Configuration Configuration rules are applied to identify role settings that might require modification for the role to perform
optimally Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role
from performing its prescribed duties in an enterprise
Policy Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the
role to operate optimally and securely
Operation Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise
Predeployment Predeployment rules are applied before an installed role is deployed in the enterprise to let administrators to
evaluate whether best practices were satisfied before you use the role in production
Postdeployment Postdeployment rules are applied after all required services have started for a role and the role is running in the
enterprise
BPA Prerequisites BPA Prerequisite rules explain configuration settings policy settings and features that are required for the role
before BPA can apply specific rules from other categories A prerequisite in scan results indicates that an incorrect
setting a missing role role service or feature an incorrectly enabled or disabled policy a registry key setting or
other configuration has prevented BPA from applying one or more rules during a scan A prerequisite result does
not imply compliance or noncompliance It means that a rule could not be applied and therefore is not part of the
scan results
61 Engine Rules
Please find below a summary of the 74 Engine Rules with the links to the rule descriptions These rules
are checking that you have a secure resilient and well performing SQL configuration
Authentication Mode (httpsupportmicrosoftcomkb2028697)
Lightweight Pooling is enabled (httpsupportmicrosoftcomkb2160691)
Locks Configuration Not Dynamic (httpsupportmicrosoftcomkb2199576)
non-default network packet size in use (httpsupportmicrosoftcomkb2157175)
degree of parallelism not set to recommended value (httpsupportmicrosoftcomkb2023536)
Use Database Mail instead of SQL Mail (httpsupportmicrosoftcomkb2028584)
SQL Server Agent Proxy Account (httpsupportmicrosoftcomkb2160741)
SQL Login Password Policy Strength and password expiry
(httpsupportmicrosoftcomkb2028712)
Trustworthy Bit (httpsupportmicrosoftcomkb2183687)
Symmetric Keys Check (httpsupportmicrosoftcomkb2162020)
Asymmetric Keys Check (httpsupportmicrosoftcomkb2162020)
SQL Server installed on PDC BDC (httpsupportmicrosoftcomkb2032911)
Page 36
SQL Server Admin role membership check (httpsupportmicrosoftcomkb2184138)
Windows API calls intercepted (httpsupportmicrosoftcomkb2033238)
unsupported DotNET framework assemblies present (httpsupportmicrosoftcomkb2033344)
Disk partition starting offset may be incorrect (httpsupportmicrosoftcomkb2023571)
non-default max worker threads value configured (httpsupportmicrosoftcomkb2157129)
Guest Permissions (httpsupportmicrosoftcomkb2186935)
Data and Log files on the same volume (httpsupportmicrosoftcomkb2033523)
IO timeouts and IO controller errors detected (httpsupportmicrosoftcomkb2091098)
IO device errors detected (httpsupportmicrosoftcomkb2091098)
IO errors during page faults detected (httpsupportmicrosoftcomkb2091098)
cluster disk corruption encountered (httpsupportmicrosoftcomkb2091098)
disk defragmentation encountered corruption (httpsupportmicrosoftcomkb2091098)
failed IO requests detected (httpsupportmicrosoftcomkb2091098)
IO requests are successful when retried (httpsupportmicrosoftcomkb2015757)
IO Delay Problems reported by SQL Server (httpsupportmicrosoftcomkb2137408)
This system experienced unexpected shutdowns (httpsupportmicrosoftcomkb2091098)
tempdb corruption errors fix missing (httpsupportmicrosoftcomkb960770)
Critical SQL database inconsistency errors found (httpsupportmicrosoftcomkb2152734)
Logical consistency errors detected (httpsupportmicrosoftcomkb2152472)
Database have auto shrink option enabled (httpsupportmicrosoftcomkb2160663)
SQL Server Error logs are very big (httpsupportmicrosoftcomkb2199578)
incorrect affinity mask settings detected httpsupportmicrosoftcomkb2157114
Very low blocked process threshold setting detected httpsupportmicrosoftcomkb2157154
Potential security issue with legacy DTS stored procedures
httpsupportmicrosoftcomkb2202875
Winsock LSP loaded into SQL httpsupportmicrosoftcomkb2033448
Databases using simple recovery model httpsupportmicrosoftcomkb2137539
User database collation different from model httpsupportmicrosoftcomkb2026108
Database files and backups exist on the same volume httpsupportmicrosoftcomkb2027537
Databases have auto close option enabled httpsupportmicrosoftcomkb2160685
LSI SAS drivers needs update httpsupportmicrosoftcomkb2121098
SQL tempdb database not configured optimally httpsupportmicrosoftcomkb2154845
SQL Database file has sparse attribute set httpsupportmicrosoftcomkb2028447
Invalid startup parameters httpsupportmicrosoftcomkb2028433
MSDTC settings not configured optimally httpsupportmicrosoftcomkb2027550
sql incorrect results fix missing httpsupportmicrosoftcomkb971780
File System needs tuning for better FileStream performance
httpsupportmicrosoftcomkb2160002
linked server memory leak fix missing httpsupportmicrosoftcomkb971622EN-US
Windows service pack is not at recommended level httpsupportmicrosoftcomkb2121098
default extended event health session not in expected state
httpsupportmicrosoftcomkb2160570
TcpSysAndChimneyCheck httpsupportmicrosoftcomKB918483
FDHOST Launcher service is not configured properly httpsupportmicrosoftcomkb2160720
Unrecommended SQL Server Agent service account httpsupportmicrosoftcomkb2160720
A required Windows fix to avoid sparse file related problems is missing
httpsupportmicrosoftcomkb2002606
Page 37
Significant Portion of SQL Server Memory Has Been Paged Out
httpsupportmicrosoftcomkb2028324
Server Exception or Hang Detected on Server httpsupportmicrosoftcomkb2028589
Databases exist without CHECKSUM protection httpsupportmicrosoftcomkb2078345
backups outdated for databases httpsupportmicrosoftcomkb2027537
Database consistency check not current httpsupportmicrosoftcomkb2033590
SQL Server Memory settings are incorrect httpsupportmicrosoftcomKB918483EN-US
Autogrow Failed or took a long time httpsupportmicrosoftcomkb2091024
Storport driver fix from KBA 940467 missing httpsupportmicrosoftcomkb2121098
Storport driver fix from KBA 950903 missing httpsupportmicrosoftcomkb2121098
SQLCLR needs additional memory configuration httpsupportmicrosoftcomkb969962EN-US
Operating System files and drivers needs update for working set trimming
httpsupportmicrosoftcomkb2121098
Agent Token Replacement httpsupportmicrosoftcomkb2202637
Auditing Log in failures httpsupportmicrosoftcomkb2187161
Databases with high number of VLF present httpsupportmicrosoftcomkb2028436
Transparent Data Encryption Certificate httpsupportmicrosoftcomkb2201900
Permission on the Binn folder httpsupportmicrosoftcomkb2029023
Index Statistics Are Outdated
Server public permissions httpsupportmicrosoftcomkb2160698
Detected use of older versions of SQLNCLI httpsupportmicrosoftcomkb979779
62 AS Rules
Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions
Flight Recorder Enabled for SQL Server Analysis Services
httpsupportmicrosoftcomkb2128005
Excessive amount of memory preallocated to Analysis Services
httpsupportmicrosoftcomkb2027474
Server not configured for optimal concurrent query throughput
httpsupportmicrosoftcomkb2135031
Non standard value detected for Analysis Services memory configuration
httpsupportmicrosoftcomkb2027472
Process Thread Pool Max limit above recommended limit
httpsupportmicrosoftcomkb2134497
Process Thread Pool Minimum is below the recommended limit
httpsupportmicrosoftcomkb2134855
Server is running a build with a known regression httpsupportmicrosoftcomkb2157941
Slice not set on a ROLAP partition or a partition where proactive caching is enabled and
ROLAP storage ay occur httpsupportmicrosoftcomkb2027754
Server is ignoring duplicate key errors httpsupportmicrosoftcomkb2027761
No default member defined for non-aggregatable attribute
httpsupportmicrosoftcomkb2027769
UnknownMember set to hidden httpsupportmicrosoftcomkb2027628
Non-numeric key column for high cardinality attribute httpsupportmicrosoftcomkb2028138
Attribute hiearchy enabled for high cardinality non-key attribute
httpsupportmicrosoftcomkb2028143
ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition
detected httpsupportmicrosoftcomkb2132742
Page 38
Account or Time attribute types defined in a non-matching dimension type
httpsupportmicrosoftcomkb2157299
An Account or Time dimension has no matching attribute defined
httpsupportmicrosoftcomkb2027418
Dimension has no attribute defined with the same type
httpsupportmicrosoftcomkb2027443
Attribute Dimension type mismatch httpsupportmicrosoftcomkb2157327
Mismatched dimension attribute types detected in dimension
httpsupportmicrosoftcomkb2027459
Possible incorrect order of levels defined in hierarchy httpsupportmicrosoftcomkb2027460
Define attribute relationships as Rigid where possible httpsupportmicrosoftcomkb2027468
Redundant attribute relationships detected httpsupportmicrosoftcomkb2127437
Diamond-shape relationship detected httpsupportmicrosoftcomkb2127570
Non-Standard Attribute Relationship name detected httpsupportmicrosoftcomkb2127862
Proactive Caching set for dimension without a processing query
httpsupportmicrosoftcomkb2027541
No Time dimension detected httpsupportmicrosoftcomkb2027532
More than 3 parent-child dimensions with custom rollups defined
httpsupportmicrosoftcomkb2134431
Encountered a parent-child dimension with more than 500000 members
httpsupportmicrosoftcomkb2131918
Single attribute dimensions detected httpsupportmicrosoftcomkb2141654
Measure groups with zero dimensional overlap detected in cube
httpsupportmicrosoftcomkb2027609
Proactive Caching set for a partition without a processing query
Default measure for perspective not in the perspective
httpsupportmicrosoftcomkb2027603
Use MOLAP storage for dimensions that participate in semi-additive measure groups
httpsupportmicrosoftcomkb2135112
Measure group defined with no partition httpsupportmicrosoftcomkb2027545
63 RS Rules
RSWindowsNegotiate is missing from your configuration
httpsupportmicrosoftcomkb2145506
HTTP Logging is not enabled httpsupportmicrosoftcomkb2145909
Verbose logging is enabled httpsupportmicrosoftcomkb2146315
NTLM authentication may fail for local httpsupportmicrosoftcomkb2146369
Missing extended protection settings httpsupportmicrosoftcomkb2146062
64 IS Rules
Logging task missing for package httpsupportmicrosoftcomkb2027723
ActiveX Script task detected in package httpsupportmicrosoftcomkb2027712
Unrecommended Integration Services service account detected
httpsupportmicrosoftcomkb2027684
Integration Services logging table found in system database master and or msdb
httpsupportmicrosoftcomkb2027706
Integration Services memory dump detected httpsupportmicrosoftcomkb2027727
Page 39
65 Setup Rules
Unsupported Operating System Version Detected httpsupportmicrosoftcomkb2022909
WOW64 not supported for SQL Failover Clustering httpsupportmicrosoftcomkb2157198
Installer cache is missing for the SQL Installation httpsupportmicrosoftcomkb2015100
SQL Server WMI Provider Health Check
66 Replication Rules
Replication Timeout Alerts Type httpsupportmicrosoftcomkb2118349
Replication Pub and Sub out of sync (Data Validation) httpsupportmicrosoftcomkb2118386
Replication Pub and Sub out of sync (Constraint Violations)
httpsupportmicrosoftcomkb2118410
Replication Pub and Sub out of sync (Skipped Transactions)
httpsupportmicrosoftcomkb2194498
Merge Replication Health Check httpsupportmicrosoftcomkb2118445
Subscriptions Approaching Expiration httpgomicrosoftcomfwlinkLinkId=184483
Replication Cleanup and Retention Health Check httpsupportmicrosoftcomkb2118485
Replication Latency Threshold violations httpsupportmicrosoftcomkb2118425
Page 40
7 HOW TO DEAL WITH DEVIATIONS
Deviations from these Best Practices may indicate potential issues and configuration changes may be
necessary Make sure you have tested any intended changes in a test environment before deploying
them to a production environment You could also find deviations from Best Practices that are
acceptable or even necessary for your environment For example
SAP has its special Network Packet Size of 8 KB
Existing Non-Microsoft Clients ndash would require Mixed Mode Authentication
Page 41
8 MOTIVATION TO USE SQL BPA R2
Bob Ward explained in his Article ldquoWhy use SQL Server 2008 R2 BPA Case 1 Missing Updatesrdquo
the common pitfalls during maintenance and operation of SQL Server and how address them by using
the SQL BPA
In brief itrsquos a customer scenario where the customer is facing an issue after a major update to
SQL2008 After some troubleshooting and an update to a certain CU (that is meant to fix the issue) the
problem still occurs Bobs article states the common resulting consequences ndash the involvement of
Microsoft Support and the final solution ndash adding a needed traceflag
The good news in this story is that the customer would not have needed to go to all that effort if they
would have run the SQL BPA It would have told them about the update and instructed them to put the
traceflag in place BPA is a mechanism that proactively advises you and instructs you on dealing with
common known issues
Page 42
9 ADDITIONAL INFORMATION
91 PowerShell
To use the functionality of the Baseline Configuration Analyzer with PowerShell you must import this
module first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
The following commands are stored in this module
Get-MbcaModel
Get-MbcaResult
Invoke-MbcaModel
Set-MbcaResult
You get help of this command with the following syntax
Get-help ltcommandgt -full
911 Get-MBCAModel
SYNOPSIS
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer
SYNTAX
Get-MBCAModel [[-ModelId] ltstring[]gt] [[-SubModelId] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer If no parameter is
specified Get-MBCAModel returns all models that are installed on the computer If a model is specified
by using the -ModelId parameter information about the specified model is returned
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
The results of the Get-MBCAModel cmdlet include the following details about models
1 Branding information (manufacturer or company display names version number) that is found in
the model manifest
2 Dynamic parameters that are included with the model
3 Submodels that are included with the model
PARAMETERS
-ModelId ltstring[]gt
The -ModelId parameter specifies the ID of the MBCA model about which you want to view
details You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet with no parameters and targeted at a computer on which MBCA models are installed
Page 43
This parameter supports wild card characters
Required false
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you
want to view details You can obtain valid values for the -SubModelId parameter by running the
Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models
are installed Not all models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
Examples
Get-MBCAModel
In the preceding example Get-MBCAModel with no parameters added returns details about all MBCA
models that are installed on the computer
Get-MBCAModel -ModelId SQL2008R2BPA
The preceding example can be used to return details about the MBCA model that is specified in the -
ModelId parameter represented by Model Id
$model= Get-MBCAModel -ModelId SQL2008R2BPA
$modelParameters
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the Parameters property of the model details that were stored in the
$model object returns details about which parameters are supported by the model
Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId ltSubModel Idgt
The preceding example can be used to return details about the MBCA sub-model that is specified by
the -SubModelId parameter represented by SubModel Id Note that the -ModelId parameter is
required by the -SubModelId parameter
$model= Get-MBCAModel -ModelId SQL2008R2BPA
Page 44
$modelSubModels
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the SubModels property of the model details that were stored in the
$model object returns a list of the submodels of the model specified in the first line
912 Invoke-MBCAModel
SYNOPSIS
The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA)
scan for a specific model that is installed on your computer
SYNTAX
Invoke-MBCAModel [-ModelId] ltstringgt -SubModelId ltstringgt [-Authentication
ltAuthenticationMechanismgt] [-CertificateThumbprint ltstringgt] [-ComputerName
ltstring[]gt] [-ConfigurationName ltstringgt] [-Context ltstringgt] [-Credential
ltstringgt] [-Mode ltModeEnumgt] [-Port ltintgt] [-RepositoryPath ltstringgt] [-
ThrottleLimit ltintgt] [-UseSSL] [ltCommonParametersgt]
DESCRIPTION
The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer
(MBCA) scan for a specific model that is installed on your computer The model is specified either by
using the parameter -ModelId or by piping the results of the Get-MBCAModel cmdlet into an Invoke-
MBCAMode cmdlet
After the MBCA scan has been performed the results of the scan are available to be retrieved by Get-
MBCAResult cmdlet
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Authentication ltAuthenticationMechanismgt
Specifies the authentication mechanism that is used to authenticate the users credentials Valid
values include Default Basic CredSSP Digest Kerberos Negotiate and
NegotiateWithImplicitCredential The default value is Default
For more information about the -Authentication parameter type the following and then press
Enter
Get-Help Invoke-Command -Parameter Authentication
Required false
Position named
Default value Default
Accept pipeline input false
Accept wildcard characters false
-CertificateThumbprint ltstringgt
Page 45
Specifies the digital public key certificate (X509) of a user account that has rights to perform the
cmdlet action The valid value is the certificate thumbprint of the certificate
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Certificate Thumbprint
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific
computer by adding this parameter Valid values include NETBOS names IP addresses or fully-
qualified domain names of one or more computers in a comma-separated list To specify the local
computer type the computer name or localhost
All formats that are accepted by the -ComputerName parameter in Invoke-Command are
accepted
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ConfigurationName ltstringgt
Specifies the session configuration that is used for a new PSSession
Enter a configuration name or the fully-qualified resource URI for a session configuration
Session configuration data is found on the remote computer on which you want to run a cmdlet
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ConfigurationName
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
The -Context parameter lets you run scans on a submodel in the context of a specific model (one
that is different from the parent model of the submodel) For example an administrator might
want to run a scan on the Backend submodel of the SQL model but only those in the context
of a third model a technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
Page 46
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Credential ltstringgt
Specifies a user account that has permission to run this cmdlet The default value is the current
user
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Credential
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Mode ltModeEnumgt
The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered
documents or discovery The default is to perform both discovery and analysis or All
If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet both discovery and
analysis are performed during a scan
Valid values are Discovery Analysis and All
Required false
Position named
Default value All
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model that you want to scan You can
obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at
a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
Page 47
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-Port ltintgt
Specifies the network port on a remote computer on which you want to run a scan The default
value is port 80
For more information on this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Port
Required false
Position named
Default value 80
Accept pipeline input false
Accept wildcard characters false
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a pathname If the parameter is not used the cmdlet writes
results to the default result repository
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to
scan You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed Not all models have
submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ThrottleLimit ltintgt
Specifies the maximum number of concurrent connections that can be established to run the
cmdlet If you omit this parameter or enter a value of 0 the default value of 32 is used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ThrottleLimit
Required false
Page 48
Position named
Default value 32
Accept pipeline input false
Accept wildcard characters false
-UseSSL [ltSwitchParametergt]
Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer
By default SSL is not used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter UseSSL
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceInvokeBpaModelOutputgt
The output object encapsulates the results of the cmdlet that you entered It contains information such
as the MBCA model ID the success or failure of the cmdlet and other details
NOTES
If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C)
before the temporary results file is copied to its final location the temporary file is discarded and any
previous scan results file for the role are preserved The message Processing of Invoke-MBCAModel
cancelled by user is displayed if the command is cancelled before existing scan results files are
overwritten
If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel
cmdlet and the command is cancelled scans that were completed before the cancel command was
entered cannot be cancelled A scan in progress behaves as described above in the single-model scan
cancellation scenario Subsequent scans in the pipeline are cancelled
If a concurrent scan of the same model is attempted the cmdlet returns the following error message
Another scan for this MBCA model is in progress Only one scan is allowed at a time
-------------------------- EXAMPLE 1 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA
Description
The preceding example starts a MBCA scan on the model that is represented by ltModel Idgt
-------------------------- EXAMPLE 2 --------------------------
Page 49
Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name
redmondmicrosoftcom
Description
The preceding example starts an MBCA scan on the model ID that is specified by Model Id
The administrator starts the MBCA scan with additional model-specific parameters that are exposed by
the model (For an example of how to obtain model-specific parameters see the examples for the Get-
MBCAModel cmdlet)
For example to scan a model that requires model-specific parameters (such as -Scope and -Name) to
be passed to the command the administrator can specify the values of these model-specific
parameters with the Invoke-MBCAModel cmdlet
-------------------------- EXAMPLE 3 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The
cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion
of the scan
-------------------------- EXAMPLE 4 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath
ltRepository Pathgt
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The -
Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on
existing documents that are specified in the non-default repository path provided with the -Repository
Path parameter
-------------------------- EXAMPLE 5 --------------------------
Invoke-MBCAModel -Id ltModel Idgt -SubModelId ltSubModel Idgt -ComputerName
ltServergt -Context ltContext Model Idgt -RepositoryPath ltRespository Pathgt -
AsJob -Authentication ltAuthenticatonMechanismgt -Port ltPort Numbergt -UseSSL -
ThrottleLimit ltThrottle Limitgt
Description
The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id
and on the computer that is represented by Server
Because the administrator only wants to see results from the submodel that apply in the context of a
third model the administrator runs the scan within the context of the model ID that is specified in the -
Context parameter The cmdlet results are saved to the non-default repository path that is specified in
the -RepositoryPath parameter
Because the -AsJob parameter is added the scan runs in the background The -AsJob -
Authentication -Port -UseSSL and -ThrottleLimit parameters are passed through for use by the
Invoke-Command cmdlet to perform discovery on a remote computer For more information about
these parameters see the Help for the Invoke-Command cmdlet available in Windows PowerShell V2
913 Get-MBCAResult
SYNOPSIS
Page 50
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
SYNTAX
Get-MBCAResult [-ModelId] ltstringgt [[-CollectedConfiguration]] -SubModelId
ltstringgt [-ComputerName ltstring[]gt] [-Context ltstringgt] [-Filter
ltFilterEnumgt] [-RepositoryPath ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
To use the command add the -ModelId parameter and then specify the model ID for which you want
to view the most recent MBCA scan results or collected configuration data If you want to retrieve the
configuration data collected add the -CollectedConfiguration switch parameter
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-CollectedConfiguration [ltSwitchParametergt]
The -CollectedConfiguration parameter allows you to obtain the configuration data that was
collected for the most recent MBCA scan If this switch parameter is added to Get-MBCAResults
the cmdlet returns only the configuration data that was collected for a scan
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The -ComputerName parameter lets you obtain scan results that were collected for the most
recent MBCA scan of a submodel on a specific computer To specify the local computer type the
computer name or localhost Multiple values for -ComputerName can be separated by
commas
The -SubModelId parameter is required by the -ComputerName parameter
Valid values for the -ComputerName parameter include localhost a NET BIOS name an IP
address or a fully-qualified domain name (FQDN) of one or more computers in a comma-
separated list
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
Page 51
The -Context parameter lets you obtain scan results that were collected for the most recent
MBCA scan of a submodel in the context of a specific model (one that is different from the parent
model of the submodel) For example an administrator might want to display scan results for the
Backend submodel of the SQL model but only those in the context of a third model a
technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Filter ltFilterEnumgt
The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant
Noncompliant or All results Valid values are Noncompliant Compliant or All The default value
is All
The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan
results You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet obtains
results from the default result repository
Required false
Position named
Page 52
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you
want to view scan results You can obtain valid values for the -SubModelId parameter by running
the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed Not all
models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceResultgt OR
SystemXmlXmlDocument (if -CollectedData specified)
If you do not use the -CollectedConfiguration parameter verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Results
2 Attempting to get MBCA results for Model Id = 0
3 Completed getting MBCA results for Model Id = 0 Number of Results = 1
If you add the -CollectedConfiguration parameter to display configuration data that was used for a
scan verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Configuration Data
2 Attempting to get MBCA collected configuration data for Model Id = 0
3 Completed getting MBCA collected configuration data for Model Id = 0
NOTES
The Get-MBCAResult cmdlet must be run by a member of the Administrators group and it does not
start a new scan
Cancellation behaviour
Single Model - To cancel this cmdlet you must press Ctrl+C before the ResultCollection is displayed
on the console The operation is cancelled and results are not displayed on the console
Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models
the cmdlet generates only those results that were displayed on the console before the cancellation
Any subsequent results in the pipeline are cancelled and not displayed
Page 53
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -Id SQL2008R2BPA
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id
-------------------------- EXAMPLE 2 --------------------------
Get-MBCAModel | Get-MBCAResult
In the preceding example Get-MBCAModel is used to return a list of all MBCA models that are
installed on the computer The results of the Get-MBCAModel cmdlet are piped to the Get-
MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both
supported by MBCA and installed on the computer at which the cmdlet is targeted
-------------------------- EXAMPLE 3 --------------------------
$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$resultDiscoveryDocument
Description
In the preceding example configuration data (in XML form) that was collected during the most recent
Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is
retrieved and stored as a property in the variable $result $resultDiscoveryDocument is of type
SystemXmlXmlDocument
-------------------------- EXAMPLE 4 --------------------------
Get-MBCAResult SQL2008R2BPA -Filter Noncompliant
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id and then applies a filter to show only Noncompliant
results
------------------------- EXAMPLE 5 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId Note that the parent model ID must be specified
to use the -SubModelId parameter
------------------------- EXAMPLE 6 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt -ComputerName ltServergt
-Context ltContext Model Idgt -RepositoryPath ltRepository Pathgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId The parent model ID is provided as required by
the -SubModelID parameter
The -Context parameter indicates that the administrator wants to see only those scan results that are in
the context of the model that is represented by Context Model Id for example only those results from
a SQL Server scan that specifically apply to another technology such as Web Server (IIS)
Page 54
The scan results are further narrowed to only those from a computer that is specified in the -
ComputerName parameter as Server and only those results found in the non-default results
repository that is represented by Repository Path
914 Set-MBCAResult
SYNOPSIS
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
SYNTAX
Set-MBCAResult [[-Exclude] ltBooleangt] [-Results] ltResultgtgt [[-
RepostitoryPath] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
The action specified in the cmdlet (Exclude for example) determines how the existing results of an
MBCA scan are updated Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet
to return a collection of scan results
You can apply filters to results that are returned by the Get-MBCAResult cmdlet and then pipe the
filtered collection of results to the Set-MBCAResult cmdlet specifying either to include or exclude
filtered scan results
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Exclude ltBooleangt
Excludes scan results from the results collection that were previously obtained by the Get-
MBCAResult command To exclude results by using the -Exclude parameter add the value $true
following the parameter as shown
-Exclude $true
To include results that have been excluded use the $false value for the -Exclude parameter
Required false
Position 2
Default value
Accept pipeline input false
Accept wildcard characters false
-RepostitoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet
modifies results from the default result repository
Required false
Page 55
Position 4
Default value
Accept pipeline input false
Accept wildcard characters false
-Results ltResultgtgt
Specifies the result collection to be updated by the Set-MBCAResult cmdlet The -Results
parameter is typically used to specify a filtered subset of scan results that has already been
stored in a variable the variable name is provided as the valid value for the -Results parameter
For example if you have created a variable $allPerformance to store all the Performance
category results for an MBCA scan of all models on a computer and you want to exclude those
Performance results from the complete collection of scan results you add the parameter -Results
$all Performance to a Set-MBCAResult cmdlet
For a more detailed example see the Examples section of the Help for this cmdlet
Required true
Position 3
Default value
Accept pipeline input true (ByValue)
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type ldquoget-
help about_commonparameters
NOTES
If the Set-MBCAResult command is cancelled before the results are written to a file the operation is
cancelled and the results file is not modified If cancellation occurs after the results file has been
modified the commands actions are carried out and the command cannot be cancelled
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -ModelId SQL2008R2BPA | Where $_Category -eq
Performance | Set-MBCAResult -Exclude $true
Description
The first section of the preceding example to the left of the first pipe character (|) uses the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is
represented by Model Id
The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those
scan results for which the category name is equal to Performance
The final section of the example following the second pipe character excludes the Performance
results that were filtered by the previous section of the example
-------------------------- EXAMPLE 2 --------------------------
$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath
CReposPath | Where $_Category -eq Policy
Page 56
Set-MBCAResult -Exclude $true -RepositoryPath CReposPath -Results
$rcPolicy
Description
The first line of the preceding example to the left of the pipe character (|) instructs the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is
represented by Specified Model Id from the specified non-default repository path
The second section of the example after the pipe character filters the results of the Get-MBCAResult
cmdlet to return only those scan results for which the category name is equal to (note the -eq option)
Policy The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet this
variable can be used in subsequent commands to represent those results
The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that
are stored in the $rcPolicy variable In this example the -Results parameter is added because the
administrator wants to exclude a specific subset of scan results for that model and has created the
variable $rcPolicy to represent that subset of results The repository root is specified in the second line
because the administrator wants to modify the results in the same non-default repository from which
the data in $rcPolicy was retrieved
915 MBCA Model Authoring
Further information about configuration and usage of MBCA models you can in the
MBCA_ModelAuthoringGuidedocx
Page 57
Did this paper help you Please give us your feedback Tell us on a scale of 1 (poor) to 5 (excellent)
how would you rate this paper and why have you given it this rating For example
Are you rating it high due to having good examples excellent screen shots clear writing or
another reason
Are you rating it low due to poor examples fuzzy screen shots or unclear writing
This feedback will help us improve the quality of white papers we release
Send feedback
Page 20
43 Connect to a remote computer
A scan connected to a remote computer is different than scanning an alternate server
ldquoConnect to a Remote Computerrdquo is functionality provided by Microsoft Baseline Configuration Analyzer
and is used to remotely run MBCA against a server from the console of the client The client needs to
have MBCA installed but does not need BPA as it is literally running the copy of MBCA installed on the
server using the BPA installed on the server In this case the copy of MBCA installed on the client is
used only to remotely connect to the copy of MBCA installed on the server
To use this functionality you first start MBCA on the client computer and select ldquoConnect to Another
Computerrdquo
1 In the ldquoConnect to Another Computerrdquo text box you can specify a NetBIOS name a fully qualified
domain name (FQDN) or an IPv4 or IPv6 address If no port number is specified the default port
number is used The following are examples of formats that you can specify in the Connect to
Another Computer text box
ComputerName
Page 21
ComputerNamePortNumber
IP address nnnn
IPv6 address [nnnnnnnn]
IPv4 address with port number nnnnPortNumber
IPv6 address with port number [nnnnnnnn]PortNumber
Note If an administrator has changed the computerrsquos default port number any port other than the
default port must be opened in Windows Firewall to allow incoming connections on that port Port
5985 is opened by default when WinRM is configured All other ports remain blocked until opened
For more information about how to unblock a port in Windows Firewall see the Help for Windows
Firewall For more information about how to configure WinRM in a Command Prompt session type
winrm help and then press Enter
2 Additionally you must supply credentials
3 CredSSP
Windows Remote Management (WinRM) supports the delegation of user credentials across
multiple remote computers The multi-hop support functionality can now use Credential Security
Service Provider (CredSSP) for authentication CredSSP enables an application to delegate the
userrsquos credentials from the client computer to the target server
CredSSP authentication is intended for environments where Kerberos delegation cannot be used
Support for CredSSP was added to allow a user to connect to a remote server and have the ability
to access a second-hop machine such as a file share
Note WinRM clients and servers will support CredSSP authentication only with explicit credentials
Windows XP Windows Server 2003 and earlier CredSSP is not supported
First you must set CredSSP on both the client and the server
Using the Group Policy Editor (gpeditmsc) make sure to enable ldquoAllow Delegating Fresh
Credentialsrdquo and check ldquoConcatenate OS defaults with input aboverdquo
Add the server or domain to the list of servers in the format ldquoWSMANdomainnamecomrdquo
Next enable and configure PowerShell Remoting on both the Client and Server by running the
following commands in a PowerShell command window opened with elevated permissions Note
Page 22
You can configure a single machine as both a client and a server simultaneously so that you can
scan from either computer
Enable PowerShell Remoting
o Enable-psremoting ndashf
Settings for a client
o Enable-WSManCredSSP ndashrole Client ndashDelegateComputer [NetBiosNameOfServer]
or
o Enable-WSManCredSSP ndashrole Client ndashDelegateComputer [FQDN OF SERVER]
Settings for the server
o Enable-WSManCredSSP ndashrole Server
o set-item WSManlocalhostShellMaxMemoryPerShellMB ndashValue 20000
o set-item WSManlocalhostShellMaxShellsPerUser ndashvalue 20
44 PowerShell
Details see 91 PowerShell
To use the functionality of the Microsoft Baseline Configuration Analyzer you must import this module
first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
441 Run Scan
To run a full scan of the BPA on the alternate server on a named instance you can use the following
command line
Invoke-MBCAModel -ModelId SQL2008R2BPA -Alternate_Server_to_scan
servername -SQL_Server_Instance_Name instancename -
Analyze_SQL_Server_Engine -Analyze_SQL_Server_Replication -
Page 23
Analyze_SQL_Server_Setup -Analyze_SQL_Analysis_Services -
Analyze_SQL_Integration_Services -Analyze_SQL_Reporting_Services
The result looks like this part
ModelId SQL2008R2BPA
SubModelId
Success True
ScanTime
Success = True is important This is the indicator that your scan was successful
Parameter description
-Alternate_Server_to_scan servername
-SQL_Server_Instance_Name instancename
-Analyze_SQL_Server_Engine
-Analyze_SQL_Server_Replication
-Analyze_SQL_Server_Setup
-Analyze_SQL_Analysis_Services
-Analyze_SQL_Integration_Services
-Analyze_SQL_Reporting_Services
The parameter list is equal the parameter screen in the GUI
The scans of the different services are optional You can remove technologies which you do not need
to scan
The next example starts the scan only for the Analysis Services on the alternate server ldquoservernamerdquo
and for the named instance ldquoinstancerdquo A log file will be written to ldquoctempssastxtrdquo
Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId AnalysisServices -
ComputerName servername -SqlServerInstance instance -SSASLogFile
ctempssastxt
Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId Engine -ComputerName
computername -SqlServerInstance servername -CurrentLoginName
($EnvUSERDOMAIN + + $EnvUSERNAME)ToString() -EngineLogFile
ctempenginetxt ndashRepositoryPath (CTEMPSQL2008 + (Get-
Date)ToString(yyyyMMdd))ToString()
442 Create Report
model = get-MbcaModel ndashModelId sql2008r2bpa
$scanResult = get-MbcaResult ndashModelId sql2008r2bpa
$collectedConfig = get-MbcaResult ndashModelId sql2008r2bpa ndash
CollectedConfiguration
$model $scanResult $collectedConfig | export-CliXml ctempasxml
Get-MBCAResult -ModelId SQL2008R2BPA -SubModelId AnalysisServices |
ConvertTo-Html | Add-Content -Path ctesthtml
The next command retrieves the results of the most recent BPA scan for the specified model and
saves them in HTML format applying the standard cascading style sheets that are stored in the path
windirsystem32WindowsPowerShellv10ModulesBestPracticesBestPracticesReportFormatc
Page 24
ss If you want to substitute cascading style sheets provide the path to the different cascading style
sheets
Get-MBCAResult -ModelId SQL2008R2BPA | $_Severity -eq Warning -or
$_Severity -eq Error | ConvertTo-Html -As Table -property ResultNumber
SubModelID ComputerName Severity Category Title Problem Impact
Resolution Help -Head lth1gtSQL Server 2008 (R2) Best Practice Analyzer
Reportlth1gtrdquo -Title SQL Server 2008 Best Practice Analyzer -body
(ltpgtReport creation date + (Get-Date)ToString(ddMMyyyy hhmmss) +
ltpgt)toString() -pre ltPgtGenerated by user $envusername on computer
$envcomputernameltPgt -post For details contact Microsoft Premier-
CssUri $env BestPracticesReportFormatcss gt ctempsql2008r2bpahtm
443 Exporting and opening reports by using Get-MBCAResult
You can use the Get-MBCAResult cmdlet to export scan results and configuration data to an XML
report that you can open for viewing in the future either by using Get-MBCAResult or by using the
MBCA GUI Exporting reports allows you to compare older scans with more recent scans to measure
the progress of your best practice compliance
Example of exporting to XML
$results = Get-MBCAResult ltModel Idgt
$collectedconfig = Get-MBCAResult ltModel Idgt -CollectedConfiguration
$results $collectedconfig | Export-CliXml cexportxml
Example of opening archived XML report file
$loadedResults $loadedConfiguration = Import-CliXml cexportxml
444 Report Result Directory
The reporting result path
AppDataMicrosoftBaselineConfigurationAnalyzer
2ReportsSQL2008R2BPAResults
Will be overwritten during each run of the tool or invoke command
Solution save older results before you start the check
copy-item -path ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2Reports)ToString() -
destination ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2Reports_ + (Get-
Date)ToString(yyyyMMddhhmmss))ToString() ndashrecurse
Afterwards you can create a report with the following command
$prevrepPath = (Get-ChildItem ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2)ToString() -exclude
Reports | Sort-Object name -descending)[0]
Get-MBCAResult -ModelId SQL2008R2BPA ndashRepositoryPath ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2rdquo +
$prevrepPathname)ToString() | ConvertTo-Html -As Table -property
ResultNumberSubModelID ComputerName Severity Category Title Problem
Impact Resolution Help -Head lth1gtSQL Server 2008 (R2) Best Practice
Analyzer Reportlth1gtrdquo -Title SQL Server 2008 Best Practice Analyzer -body
(ltpgtReport creation date + (Get-Date)ToString(ddMMyyyy hhmmss) +
ltpgt)toString() -pre ltPgtGenerated by user $envusername on computer
Page 25
$envcomputernameltPgt -post For details contact Microsoft Premier gt
ctempsql2008r2bpahtm
Page 26
5 TROUBLESHOOTING
51 Application directories
To following directories are used by MBCA
Report output directory localappdataMicrosoftMicrosoftBaselineConfigurationAnalyzer 2ReportsSQL2008R2BPAResults
Model configuration path ProgramdataMicrosoftMicrosoft Baseline Configuration Analyzer 2ModelsSQL2008R2BPA
Temp and log files directory tempSQL2008R2BPASQL2008ltdategt_lttimegt
Registry [HKEY_LOCAL_MACHINESOFTWAREMicrosoftBaselineConfigurationAnalyzer]
Log Files
During Data Discovery SQL Server 2008 R2 BPA creates log files for troubleshooting The log file
contains the following information
Pre-requisite validation
Timestamp finished rules start and end times
Run-time scripting errors and exceptions from Power Shell Traps
Log Files Location
For every scan log files are created in userrsquos Local Temp directory (Temp) and follows the folder
structure SQL2008R2BPAlt Instance Name gtlt datestamp_timestamp gtlt Log files gt
Note In case of a remote scan the category log files are generated on the remote system at the same
path whereas the common log file is generated in the local system
Log Files Structure
A common log file gets generated and contains information about each categorys execution Apart
from this each category has its own log file which details the rule execution The names of the log files
are given below
Common File - ModelLogtxt
Engine Rules - EngineLogtxt
Replication Rules - ReplicationLogtxt
Setup Rules - SetupLogtxt
Analysis Services Rules - AnalysisServicesLogtxt
Reporting Services Rules - ReportingServicesLogtxt
Integration Services Rules - IntegrationServicesLogtxt
52 Windows Server 2003 ndash NumberOfLogicalProcessors
Analysis Services RID2803 and RID2804 ndash NumberOfLogicalProcessors property is unavailable in
Win32_Processor for with Windows Server 2003
Solution The NumberOfLogicalProcessors property does not exist in the WIN32_PROCESSOR object
in Windows Server 2003 It has been implemented in the hotfix
httpsupportmicrosoftcomkb932370
Both of the rules below will function properly if you apply this hotfix For more information look here
Page 27
53 MBCA
This message indicates that on prerequisite is not installed
Please install the version 2 of the MBCA
54 Where can I find the Instance name in result set of the analyzer
report
The instance name is in the collected data option of the analyzer report in the BPA GUI
55 Memory limit of remote PowerShell process
By default remote PowerShell process can consume only 150 MB or less memory This default limit is
significantly small and once this limit is reached there could be a WinRM exception causing and remote
connection immediately terminates Any application or Cmdlet which is involved in PowerShell
remoting should be tested for this memory limit this may cause some of the command to fail for
example site collection creation
Solution Increase the memory limit for the remote shell Use the following command to increase this
limitation to 1000MB This is only necessary if you need to run those commands on that server
Set-Item WSManlocalhostShellMaxMemoryPerShellMB 1000
56 Remote connect
If you try to ldquoConnect to another computerrdquo from MBCA and you receive the following message
Page 28
You should check first if the Hotfix KB968930 is installed
Afterwards validate that the ldquoWindows Remote Managementrdquo service is started
Enable-PSRemoting
If CredSSP is unsupported or unavailable you will see the following message
Page 29
If you have no permission to access the remote server you get the error message
Page 30
57 Installation
571 PowerShell error
After getting through the Pre-Reqs for BPA (PowerShell 20 MBCA NET Framework) you may hit
one of two scenarios when installing BPA
In all of the cases of an install failure you will see the following error
There is a problem with this Windows Installer package A program run as part of the setup did not
finish as expected Contact your support personnel or package vendor
In your Application Event Log for both of these scenarios you will also see the following entry
Log Name Application
Source MsiInstaller
Date 6102010 83818 AM
Event ID 11722
Task Category None
Level Error
Keywords Classic
User ltUsernamegt
Computer ltMachine namegt
Description
Product Microsoft SQL Server 2008 R2 BPA -- Error 1722 There is a problem
with this Windows Installer package A program run as part of the setup did
not finish as expected Contact your support personnel or package
vendor Action EnablePSRemoting location powershellexe command -NoLogo
-NoProfile -Command Enable-PSRemoting ndashforce
Page 31
This is an indicator that PowerShell is not configured You must run the following command
powershellexe -NoLogo -NoProfile -Command Enable-PSRemoting ndashforce
572 Workgroup or Non-Domain computer
In this scenario the Enable-PSRemoting command should execute fine from a PowerShell prompt
The actual error coming back from the PowerShell command within the Installer is ldquoAccess Deniedrdquo
To work around this issue you can do the following
1 Open a command prompt with Administrative Privileges
2 Change to the directory where the msi file resides
3 Type msiexec i ltMSI Namegt SKIPCA=1
4 MSI Name will either be SQL2008R2BPA_Setup32msi or SQL2008R2BPA_Setup64msi
depending on your platform
5 Once BPA is installed open a PowerShell prompt with Administrative Privileges
6 Execute the following commands
a Enable-PSRemoting
b winrm set winrmconfigwinrs ``MaxShellsPerUser=`10``
This should allow BPA to be successfully installed in the workgroup scenario
573 Kerberos Failure
This scenario is that you are failing with the above due to a Kerberos issue This particular issue could
actually show up after you have installed BPA depending on how you have configured your
environment
The issue stems from the fact that the Windows Remoting Windows Service uses the Network Service
account Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos As a
result it will be using the HOST Service Principal Name (SPN) that is on the Machine Account as it is
running under that context You may have an HTTP SPN that resides on a different account with that
host name For example if you are running an IIS Web Application such as SharePoint or if you are
using Reporting Services and the service account is set to a Domain User account instead of Network
Service or Local System If your URL of your application matches the machine name then your HTTP
SPN will be the same Thatrsquos where this problem comes in WinRM will stop working at that point and
give you a message similar to the following
Set-WSManQuickConfig WinRM cannot process the request The following error
occured while using Negotiate authentication An unknown security error
occurred
Possible causes are
-The user name or password specified are invalid
-Kerberos is used when no authentication method and no user name are
specified
-Kerberos accepts domain user names but not local user names
-The Service Principal Name (SPN) for the remote computer name and port
does not exist
-The client and remote computers are in different domains and there is no
trust between the two domains
After checking for the above issues try the following
-Check the Event Viewer for events related to authentication
-Change the authentication method add the destination computer to the
WinRM TrustedHosts configuration setting or use HTTPS transport
Note that computers in the TrustedHosts list might not be authenticated
-For more information about WinRM configuration run the following
Page 32
command winrm help config
At line50 char33
+ Set-WSManQuickConfig ltltltlt -force
+ CategoryInfo InvalidOperation () [Set-WSManQuickConfig]
InvalidOperationException
+ FullyQualifiedErrorId
WsManErrorMicrosoftWSManManagementSetWSManQuickConfigCommand
You can get this type of error from WinRM for muliple reasons The one that
we saw in our testing was the HTTP SPN scenario
If you do have an HTTP SPN defined on a Domain Account that is using the name of your machine
you have some options First you can follow the steps mentioned above to get BPA installed The
Enable-PSRemoting command will give you the above error You can temporarily remove the HTTP
SPN to get remoting enabled and then re-add the HTTP SPN
Once BPA is setup you will still not be able to run BPA if you put the HTTP SPN back in place You will
see the following when you attempt to perform a scan
This will occur regardless of which component you try to scan It could be the Engine Setup RS etchellip
One option to perform the scan successfully is to temporarily remove the HTTP SPN again run the
scan and then put the HTTP SPN back in place Another option but one that will probably require
further testing from your applicationrsquos end would be to run the application under a Host Header and
then your HTTP SPN would not include the machine name allowing BPA to run without issue
Page 33
6 RULES
Searching for ldquoSQL Server 20087 R2 BPArdquo at Microsoftcom reveals
Here is an example of one of these articles that talks about a rule to check for a recent ldquocleanrdquo
CHECKDB
Page 34
BPA works by measuring a rolersquos compliance with best practice rules in eight different categories of a
rolersquos effectiveness trustworthiness and reliability Results of measurements can be any of the three
severity levels described in the following table
Severity level Description
Noncompliant Noncompliant results are returned when a role does not satisfy the conditions of a rule
Compliant Compliant results are returned when a role satisfies the conditions of a rule
Warning Warning results are returned when a role is compliant as operating currently but may not satisfy the conditions of a
rule if changes are not made to its configuration or policy settings For example a scan of Remote Desktop Services
might show a warning result if a license server is unavailable to the role because even if no remote connections are
active at the time of the scan not having the license server prevents new remote connections from obtaining valid
client access licenses
Page 35
BPA rule categories
The following table describes the categories of best practice rules against which roles are measured
during a BPA scan
Category Name Description
Security Security rules are applied to measure a rolersquos relative risk for exposure to threats such as unauthorized or malicious
users or loss or theft of confidential or proprietary data
Performance Performance rules are applied to measure a rolersquos ability to process requests and perform its prescribed duties in
the enterprise within expected periods of time given the rolersquos workload
Configuration Configuration rules are applied to identify role settings that might require modification for the role to perform
optimally Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role
from performing its prescribed duties in an enterprise
Policy Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the
role to operate optimally and securely
Operation Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise
Predeployment Predeployment rules are applied before an installed role is deployed in the enterprise to let administrators to
evaluate whether best practices were satisfied before you use the role in production
Postdeployment Postdeployment rules are applied after all required services have started for a role and the role is running in the
enterprise
BPA Prerequisites BPA Prerequisite rules explain configuration settings policy settings and features that are required for the role
before BPA can apply specific rules from other categories A prerequisite in scan results indicates that an incorrect
setting a missing role role service or feature an incorrectly enabled or disabled policy a registry key setting or
other configuration has prevented BPA from applying one or more rules during a scan A prerequisite result does
not imply compliance or noncompliance It means that a rule could not be applied and therefore is not part of the
scan results
61 Engine Rules
Please find below a summary of the 74 Engine Rules with the links to the rule descriptions These rules
are checking that you have a secure resilient and well performing SQL configuration
Authentication Mode (httpsupportmicrosoftcomkb2028697)
Lightweight Pooling is enabled (httpsupportmicrosoftcomkb2160691)
Locks Configuration Not Dynamic (httpsupportmicrosoftcomkb2199576)
non-default network packet size in use (httpsupportmicrosoftcomkb2157175)
degree of parallelism not set to recommended value (httpsupportmicrosoftcomkb2023536)
Use Database Mail instead of SQL Mail (httpsupportmicrosoftcomkb2028584)
SQL Server Agent Proxy Account (httpsupportmicrosoftcomkb2160741)
SQL Login Password Policy Strength and password expiry
(httpsupportmicrosoftcomkb2028712)
Trustworthy Bit (httpsupportmicrosoftcomkb2183687)
Symmetric Keys Check (httpsupportmicrosoftcomkb2162020)
Asymmetric Keys Check (httpsupportmicrosoftcomkb2162020)
SQL Server installed on PDC BDC (httpsupportmicrosoftcomkb2032911)
Page 36
SQL Server Admin role membership check (httpsupportmicrosoftcomkb2184138)
Windows API calls intercepted (httpsupportmicrosoftcomkb2033238)
unsupported DotNET framework assemblies present (httpsupportmicrosoftcomkb2033344)
Disk partition starting offset may be incorrect (httpsupportmicrosoftcomkb2023571)
non-default max worker threads value configured (httpsupportmicrosoftcomkb2157129)
Guest Permissions (httpsupportmicrosoftcomkb2186935)
Data and Log files on the same volume (httpsupportmicrosoftcomkb2033523)
IO timeouts and IO controller errors detected (httpsupportmicrosoftcomkb2091098)
IO device errors detected (httpsupportmicrosoftcomkb2091098)
IO errors during page faults detected (httpsupportmicrosoftcomkb2091098)
cluster disk corruption encountered (httpsupportmicrosoftcomkb2091098)
disk defragmentation encountered corruption (httpsupportmicrosoftcomkb2091098)
failed IO requests detected (httpsupportmicrosoftcomkb2091098)
IO requests are successful when retried (httpsupportmicrosoftcomkb2015757)
IO Delay Problems reported by SQL Server (httpsupportmicrosoftcomkb2137408)
This system experienced unexpected shutdowns (httpsupportmicrosoftcomkb2091098)
tempdb corruption errors fix missing (httpsupportmicrosoftcomkb960770)
Critical SQL database inconsistency errors found (httpsupportmicrosoftcomkb2152734)
Logical consistency errors detected (httpsupportmicrosoftcomkb2152472)
Database have auto shrink option enabled (httpsupportmicrosoftcomkb2160663)
SQL Server Error logs are very big (httpsupportmicrosoftcomkb2199578)
incorrect affinity mask settings detected httpsupportmicrosoftcomkb2157114
Very low blocked process threshold setting detected httpsupportmicrosoftcomkb2157154
Potential security issue with legacy DTS stored procedures
httpsupportmicrosoftcomkb2202875
Winsock LSP loaded into SQL httpsupportmicrosoftcomkb2033448
Databases using simple recovery model httpsupportmicrosoftcomkb2137539
User database collation different from model httpsupportmicrosoftcomkb2026108
Database files and backups exist on the same volume httpsupportmicrosoftcomkb2027537
Databases have auto close option enabled httpsupportmicrosoftcomkb2160685
LSI SAS drivers needs update httpsupportmicrosoftcomkb2121098
SQL tempdb database not configured optimally httpsupportmicrosoftcomkb2154845
SQL Database file has sparse attribute set httpsupportmicrosoftcomkb2028447
Invalid startup parameters httpsupportmicrosoftcomkb2028433
MSDTC settings not configured optimally httpsupportmicrosoftcomkb2027550
sql incorrect results fix missing httpsupportmicrosoftcomkb971780
File System needs tuning for better FileStream performance
httpsupportmicrosoftcomkb2160002
linked server memory leak fix missing httpsupportmicrosoftcomkb971622EN-US
Windows service pack is not at recommended level httpsupportmicrosoftcomkb2121098
default extended event health session not in expected state
httpsupportmicrosoftcomkb2160570
TcpSysAndChimneyCheck httpsupportmicrosoftcomKB918483
FDHOST Launcher service is not configured properly httpsupportmicrosoftcomkb2160720
Unrecommended SQL Server Agent service account httpsupportmicrosoftcomkb2160720
A required Windows fix to avoid sparse file related problems is missing
httpsupportmicrosoftcomkb2002606
Page 37
Significant Portion of SQL Server Memory Has Been Paged Out
httpsupportmicrosoftcomkb2028324
Server Exception or Hang Detected on Server httpsupportmicrosoftcomkb2028589
Databases exist without CHECKSUM protection httpsupportmicrosoftcomkb2078345
backups outdated for databases httpsupportmicrosoftcomkb2027537
Database consistency check not current httpsupportmicrosoftcomkb2033590
SQL Server Memory settings are incorrect httpsupportmicrosoftcomKB918483EN-US
Autogrow Failed or took a long time httpsupportmicrosoftcomkb2091024
Storport driver fix from KBA 940467 missing httpsupportmicrosoftcomkb2121098
Storport driver fix from KBA 950903 missing httpsupportmicrosoftcomkb2121098
SQLCLR needs additional memory configuration httpsupportmicrosoftcomkb969962EN-US
Operating System files and drivers needs update for working set trimming
httpsupportmicrosoftcomkb2121098
Agent Token Replacement httpsupportmicrosoftcomkb2202637
Auditing Log in failures httpsupportmicrosoftcomkb2187161
Databases with high number of VLF present httpsupportmicrosoftcomkb2028436
Transparent Data Encryption Certificate httpsupportmicrosoftcomkb2201900
Permission on the Binn folder httpsupportmicrosoftcomkb2029023
Index Statistics Are Outdated
Server public permissions httpsupportmicrosoftcomkb2160698
Detected use of older versions of SQLNCLI httpsupportmicrosoftcomkb979779
62 AS Rules
Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions
Flight Recorder Enabled for SQL Server Analysis Services
httpsupportmicrosoftcomkb2128005
Excessive amount of memory preallocated to Analysis Services
httpsupportmicrosoftcomkb2027474
Server not configured for optimal concurrent query throughput
httpsupportmicrosoftcomkb2135031
Non standard value detected for Analysis Services memory configuration
httpsupportmicrosoftcomkb2027472
Process Thread Pool Max limit above recommended limit
httpsupportmicrosoftcomkb2134497
Process Thread Pool Minimum is below the recommended limit
httpsupportmicrosoftcomkb2134855
Server is running a build with a known regression httpsupportmicrosoftcomkb2157941
Slice not set on a ROLAP partition or a partition where proactive caching is enabled and
ROLAP storage ay occur httpsupportmicrosoftcomkb2027754
Server is ignoring duplicate key errors httpsupportmicrosoftcomkb2027761
No default member defined for non-aggregatable attribute
httpsupportmicrosoftcomkb2027769
UnknownMember set to hidden httpsupportmicrosoftcomkb2027628
Non-numeric key column for high cardinality attribute httpsupportmicrosoftcomkb2028138
Attribute hiearchy enabled for high cardinality non-key attribute
httpsupportmicrosoftcomkb2028143
ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition
detected httpsupportmicrosoftcomkb2132742
Page 38
Account or Time attribute types defined in a non-matching dimension type
httpsupportmicrosoftcomkb2157299
An Account or Time dimension has no matching attribute defined
httpsupportmicrosoftcomkb2027418
Dimension has no attribute defined with the same type
httpsupportmicrosoftcomkb2027443
Attribute Dimension type mismatch httpsupportmicrosoftcomkb2157327
Mismatched dimension attribute types detected in dimension
httpsupportmicrosoftcomkb2027459
Possible incorrect order of levels defined in hierarchy httpsupportmicrosoftcomkb2027460
Define attribute relationships as Rigid where possible httpsupportmicrosoftcomkb2027468
Redundant attribute relationships detected httpsupportmicrosoftcomkb2127437
Diamond-shape relationship detected httpsupportmicrosoftcomkb2127570
Non-Standard Attribute Relationship name detected httpsupportmicrosoftcomkb2127862
Proactive Caching set for dimension without a processing query
httpsupportmicrosoftcomkb2027541
No Time dimension detected httpsupportmicrosoftcomkb2027532
More than 3 parent-child dimensions with custom rollups defined
httpsupportmicrosoftcomkb2134431
Encountered a parent-child dimension with more than 500000 members
httpsupportmicrosoftcomkb2131918
Single attribute dimensions detected httpsupportmicrosoftcomkb2141654
Measure groups with zero dimensional overlap detected in cube
httpsupportmicrosoftcomkb2027609
Proactive Caching set for a partition without a processing query
Default measure for perspective not in the perspective
httpsupportmicrosoftcomkb2027603
Use MOLAP storage for dimensions that participate in semi-additive measure groups
httpsupportmicrosoftcomkb2135112
Measure group defined with no partition httpsupportmicrosoftcomkb2027545
63 RS Rules
RSWindowsNegotiate is missing from your configuration
httpsupportmicrosoftcomkb2145506
HTTP Logging is not enabled httpsupportmicrosoftcomkb2145909
Verbose logging is enabled httpsupportmicrosoftcomkb2146315
NTLM authentication may fail for local httpsupportmicrosoftcomkb2146369
Missing extended protection settings httpsupportmicrosoftcomkb2146062
64 IS Rules
Logging task missing for package httpsupportmicrosoftcomkb2027723
ActiveX Script task detected in package httpsupportmicrosoftcomkb2027712
Unrecommended Integration Services service account detected
httpsupportmicrosoftcomkb2027684
Integration Services logging table found in system database master and or msdb
httpsupportmicrosoftcomkb2027706
Integration Services memory dump detected httpsupportmicrosoftcomkb2027727
Page 39
65 Setup Rules
Unsupported Operating System Version Detected httpsupportmicrosoftcomkb2022909
WOW64 not supported for SQL Failover Clustering httpsupportmicrosoftcomkb2157198
Installer cache is missing for the SQL Installation httpsupportmicrosoftcomkb2015100
SQL Server WMI Provider Health Check
66 Replication Rules
Replication Timeout Alerts Type httpsupportmicrosoftcomkb2118349
Replication Pub and Sub out of sync (Data Validation) httpsupportmicrosoftcomkb2118386
Replication Pub and Sub out of sync (Constraint Violations)
httpsupportmicrosoftcomkb2118410
Replication Pub and Sub out of sync (Skipped Transactions)
httpsupportmicrosoftcomkb2194498
Merge Replication Health Check httpsupportmicrosoftcomkb2118445
Subscriptions Approaching Expiration httpgomicrosoftcomfwlinkLinkId=184483
Replication Cleanup and Retention Health Check httpsupportmicrosoftcomkb2118485
Replication Latency Threshold violations httpsupportmicrosoftcomkb2118425
Page 40
7 HOW TO DEAL WITH DEVIATIONS
Deviations from these Best Practices may indicate potential issues and configuration changes may be
necessary Make sure you have tested any intended changes in a test environment before deploying
them to a production environment You could also find deviations from Best Practices that are
acceptable or even necessary for your environment For example
SAP has its special Network Packet Size of 8 KB
Existing Non-Microsoft Clients ndash would require Mixed Mode Authentication
Page 41
8 MOTIVATION TO USE SQL BPA R2
Bob Ward explained in his Article ldquoWhy use SQL Server 2008 R2 BPA Case 1 Missing Updatesrdquo
the common pitfalls during maintenance and operation of SQL Server and how address them by using
the SQL BPA
In brief itrsquos a customer scenario where the customer is facing an issue after a major update to
SQL2008 After some troubleshooting and an update to a certain CU (that is meant to fix the issue) the
problem still occurs Bobs article states the common resulting consequences ndash the involvement of
Microsoft Support and the final solution ndash adding a needed traceflag
The good news in this story is that the customer would not have needed to go to all that effort if they
would have run the SQL BPA It would have told them about the update and instructed them to put the
traceflag in place BPA is a mechanism that proactively advises you and instructs you on dealing with
common known issues
Page 42
9 ADDITIONAL INFORMATION
91 PowerShell
To use the functionality of the Baseline Configuration Analyzer with PowerShell you must import this
module first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
The following commands are stored in this module
Get-MbcaModel
Get-MbcaResult
Invoke-MbcaModel
Set-MbcaResult
You get help of this command with the following syntax
Get-help ltcommandgt -full
911 Get-MBCAModel
SYNOPSIS
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer
SYNTAX
Get-MBCAModel [[-ModelId] ltstring[]gt] [[-SubModelId] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer If no parameter is
specified Get-MBCAModel returns all models that are installed on the computer If a model is specified
by using the -ModelId parameter information about the specified model is returned
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
The results of the Get-MBCAModel cmdlet include the following details about models
1 Branding information (manufacturer or company display names version number) that is found in
the model manifest
2 Dynamic parameters that are included with the model
3 Submodels that are included with the model
PARAMETERS
-ModelId ltstring[]gt
The -ModelId parameter specifies the ID of the MBCA model about which you want to view
details You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet with no parameters and targeted at a computer on which MBCA models are installed
Page 43
This parameter supports wild card characters
Required false
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you
want to view details You can obtain valid values for the -SubModelId parameter by running the
Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models
are installed Not all models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
Examples
Get-MBCAModel
In the preceding example Get-MBCAModel with no parameters added returns details about all MBCA
models that are installed on the computer
Get-MBCAModel -ModelId SQL2008R2BPA
The preceding example can be used to return details about the MBCA model that is specified in the -
ModelId parameter represented by Model Id
$model= Get-MBCAModel -ModelId SQL2008R2BPA
$modelParameters
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the Parameters property of the model details that were stored in the
$model object returns details about which parameters are supported by the model
Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId ltSubModel Idgt
The preceding example can be used to return details about the MBCA sub-model that is specified by
the -SubModelId parameter represented by SubModel Id Note that the -ModelId parameter is
required by the -SubModelId parameter
$model= Get-MBCAModel -ModelId SQL2008R2BPA
Page 44
$modelSubModels
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the SubModels property of the model details that were stored in the
$model object returns a list of the submodels of the model specified in the first line
912 Invoke-MBCAModel
SYNOPSIS
The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA)
scan for a specific model that is installed on your computer
SYNTAX
Invoke-MBCAModel [-ModelId] ltstringgt -SubModelId ltstringgt [-Authentication
ltAuthenticationMechanismgt] [-CertificateThumbprint ltstringgt] [-ComputerName
ltstring[]gt] [-ConfigurationName ltstringgt] [-Context ltstringgt] [-Credential
ltstringgt] [-Mode ltModeEnumgt] [-Port ltintgt] [-RepositoryPath ltstringgt] [-
ThrottleLimit ltintgt] [-UseSSL] [ltCommonParametersgt]
DESCRIPTION
The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer
(MBCA) scan for a specific model that is installed on your computer The model is specified either by
using the parameter -ModelId or by piping the results of the Get-MBCAModel cmdlet into an Invoke-
MBCAMode cmdlet
After the MBCA scan has been performed the results of the scan are available to be retrieved by Get-
MBCAResult cmdlet
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Authentication ltAuthenticationMechanismgt
Specifies the authentication mechanism that is used to authenticate the users credentials Valid
values include Default Basic CredSSP Digest Kerberos Negotiate and
NegotiateWithImplicitCredential The default value is Default
For more information about the -Authentication parameter type the following and then press
Enter
Get-Help Invoke-Command -Parameter Authentication
Required false
Position named
Default value Default
Accept pipeline input false
Accept wildcard characters false
-CertificateThumbprint ltstringgt
Page 45
Specifies the digital public key certificate (X509) of a user account that has rights to perform the
cmdlet action The valid value is the certificate thumbprint of the certificate
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Certificate Thumbprint
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific
computer by adding this parameter Valid values include NETBOS names IP addresses or fully-
qualified domain names of one or more computers in a comma-separated list To specify the local
computer type the computer name or localhost
All formats that are accepted by the -ComputerName parameter in Invoke-Command are
accepted
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ConfigurationName ltstringgt
Specifies the session configuration that is used for a new PSSession
Enter a configuration name or the fully-qualified resource URI for a session configuration
Session configuration data is found on the remote computer on which you want to run a cmdlet
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ConfigurationName
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
The -Context parameter lets you run scans on a submodel in the context of a specific model (one
that is different from the parent model of the submodel) For example an administrator might
want to run a scan on the Backend submodel of the SQL model but only those in the context
of a third model a technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
Page 46
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Credential ltstringgt
Specifies a user account that has permission to run this cmdlet The default value is the current
user
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Credential
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Mode ltModeEnumgt
The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered
documents or discovery The default is to perform both discovery and analysis or All
If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet both discovery and
analysis are performed during a scan
Valid values are Discovery Analysis and All
Required false
Position named
Default value All
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model that you want to scan You can
obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at
a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
Page 47
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-Port ltintgt
Specifies the network port on a remote computer on which you want to run a scan The default
value is port 80
For more information on this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Port
Required false
Position named
Default value 80
Accept pipeline input false
Accept wildcard characters false
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a pathname If the parameter is not used the cmdlet writes
results to the default result repository
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to
scan You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed Not all models have
submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ThrottleLimit ltintgt
Specifies the maximum number of concurrent connections that can be established to run the
cmdlet If you omit this parameter or enter a value of 0 the default value of 32 is used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ThrottleLimit
Required false
Page 48
Position named
Default value 32
Accept pipeline input false
Accept wildcard characters false
-UseSSL [ltSwitchParametergt]
Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer
By default SSL is not used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter UseSSL
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceInvokeBpaModelOutputgt
The output object encapsulates the results of the cmdlet that you entered It contains information such
as the MBCA model ID the success or failure of the cmdlet and other details
NOTES
If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C)
before the temporary results file is copied to its final location the temporary file is discarded and any
previous scan results file for the role are preserved The message Processing of Invoke-MBCAModel
cancelled by user is displayed if the command is cancelled before existing scan results files are
overwritten
If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel
cmdlet and the command is cancelled scans that were completed before the cancel command was
entered cannot be cancelled A scan in progress behaves as described above in the single-model scan
cancellation scenario Subsequent scans in the pipeline are cancelled
If a concurrent scan of the same model is attempted the cmdlet returns the following error message
Another scan for this MBCA model is in progress Only one scan is allowed at a time
-------------------------- EXAMPLE 1 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA
Description
The preceding example starts a MBCA scan on the model that is represented by ltModel Idgt
-------------------------- EXAMPLE 2 --------------------------
Page 49
Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name
redmondmicrosoftcom
Description
The preceding example starts an MBCA scan on the model ID that is specified by Model Id
The administrator starts the MBCA scan with additional model-specific parameters that are exposed by
the model (For an example of how to obtain model-specific parameters see the examples for the Get-
MBCAModel cmdlet)
For example to scan a model that requires model-specific parameters (such as -Scope and -Name) to
be passed to the command the administrator can specify the values of these model-specific
parameters with the Invoke-MBCAModel cmdlet
-------------------------- EXAMPLE 3 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The
cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion
of the scan
-------------------------- EXAMPLE 4 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath
ltRepository Pathgt
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The -
Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on
existing documents that are specified in the non-default repository path provided with the -Repository
Path parameter
-------------------------- EXAMPLE 5 --------------------------
Invoke-MBCAModel -Id ltModel Idgt -SubModelId ltSubModel Idgt -ComputerName
ltServergt -Context ltContext Model Idgt -RepositoryPath ltRespository Pathgt -
AsJob -Authentication ltAuthenticatonMechanismgt -Port ltPort Numbergt -UseSSL -
ThrottleLimit ltThrottle Limitgt
Description
The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id
and on the computer that is represented by Server
Because the administrator only wants to see results from the submodel that apply in the context of a
third model the administrator runs the scan within the context of the model ID that is specified in the -
Context parameter The cmdlet results are saved to the non-default repository path that is specified in
the -RepositoryPath parameter
Because the -AsJob parameter is added the scan runs in the background The -AsJob -
Authentication -Port -UseSSL and -ThrottleLimit parameters are passed through for use by the
Invoke-Command cmdlet to perform discovery on a remote computer For more information about
these parameters see the Help for the Invoke-Command cmdlet available in Windows PowerShell V2
913 Get-MBCAResult
SYNOPSIS
Page 50
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
SYNTAX
Get-MBCAResult [-ModelId] ltstringgt [[-CollectedConfiguration]] -SubModelId
ltstringgt [-ComputerName ltstring[]gt] [-Context ltstringgt] [-Filter
ltFilterEnumgt] [-RepositoryPath ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
To use the command add the -ModelId parameter and then specify the model ID for which you want
to view the most recent MBCA scan results or collected configuration data If you want to retrieve the
configuration data collected add the -CollectedConfiguration switch parameter
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-CollectedConfiguration [ltSwitchParametergt]
The -CollectedConfiguration parameter allows you to obtain the configuration data that was
collected for the most recent MBCA scan If this switch parameter is added to Get-MBCAResults
the cmdlet returns only the configuration data that was collected for a scan
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The -ComputerName parameter lets you obtain scan results that were collected for the most
recent MBCA scan of a submodel on a specific computer To specify the local computer type the
computer name or localhost Multiple values for -ComputerName can be separated by
commas
The -SubModelId parameter is required by the -ComputerName parameter
Valid values for the -ComputerName parameter include localhost a NET BIOS name an IP
address or a fully-qualified domain name (FQDN) of one or more computers in a comma-
separated list
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
Page 51
The -Context parameter lets you obtain scan results that were collected for the most recent
MBCA scan of a submodel in the context of a specific model (one that is different from the parent
model of the submodel) For example an administrator might want to display scan results for the
Backend submodel of the SQL model but only those in the context of a third model a
technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Filter ltFilterEnumgt
The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant
Noncompliant or All results Valid values are Noncompliant Compliant or All The default value
is All
The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan
results You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet obtains
results from the default result repository
Required false
Position named
Page 52
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you
want to view scan results You can obtain valid values for the -SubModelId parameter by running
the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed Not all
models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceResultgt OR
SystemXmlXmlDocument (if -CollectedData specified)
If you do not use the -CollectedConfiguration parameter verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Results
2 Attempting to get MBCA results for Model Id = 0
3 Completed getting MBCA results for Model Id = 0 Number of Results = 1
If you add the -CollectedConfiguration parameter to display configuration data that was used for a
scan verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Configuration Data
2 Attempting to get MBCA collected configuration data for Model Id = 0
3 Completed getting MBCA collected configuration data for Model Id = 0
NOTES
The Get-MBCAResult cmdlet must be run by a member of the Administrators group and it does not
start a new scan
Cancellation behaviour
Single Model - To cancel this cmdlet you must press Ctrl+C before the ResultCollection is displayed
on the console The operation is cancelled and results are not displayed on the console
Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models
the cmdlet generates only those results that were displayed on the console before the cancellation
Any subsequent results in the pipeline are cancelled and not displayed
Page 53
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -Id SQL2008R2BPA
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id
-------------------------- EXAMPLE 2 --------------------------
Get-MBCAModel | Get-MBCAResult
In the preceding example Get-MBCAModel is used to return a list of all MBCA models that are
installed on the computer The results of the Get-MBCAModel cmdlet are piped to the Get-
MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both
supported by MBCA and installed on the computer at which the cmdlet is targeted
-------------------------- EXAMPLE 3 --------------------------
$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$resultDiscoveryDocument
Description
In the preceding example configuration data (in XML form) that was collected during the most recent
Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is
retrieved and stored as a property in the variable $result $resultDiscoveryDocument is of type
SystemXmlXmlDocument
-------------------------- EXAMPLE 4 --------------------------
Get-MBCAResult SQL2008R2BPA -Filter Noncompliant
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id and then applies a filter to show only Noncompliant
results
------------------------- EXAMPLE 5 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId Note that the parent model ID must be specified
to use the -SubModelId parameter
------------------------- EXAMPLE 6 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt -ComputerName ltServergt
-Context ltContext Model Idgt -RepositoryPath ltRepository Pathgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId The parent model ID is provided as required by
the -SubModelID parameter
The -Context parameter indicates that the administrator wants to see only those scan results that are in
the context of the model that is represented by Context Model Id for example only those results from
a SQL Server scan that specifically apply to another technology such as Web Server (IIS)
Page 54
The scan results are further narrowed to only those from a computer that is specified in the -
ComputerName parameter as Server and only those results found in the non-default results
repository that is represented by Repository Path
914 Set-MBCAResult
SYNOPSIS
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
SYNTAX
Set-MBCAResult [[-Exclude] ltBooleangt] [-Results] ltResultgtgt [[-
RepostitoryPath] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
The action specified in the cmdlet (Exclude for example) determines how the existing results of an
MBCA scan are updated Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet
to return a collection of scan results
You can apply filters to results that are returned by the Get-MBCAResult cmdlet and then pipe the
filtered collection of results to the Set-MBCAResult cmdlet specifying either to include or exclude
filtered scan results
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Exclude ltBooleangt
Excludes scan results from the results collection that were previously obtained by the Get-
MBCAResult command To exclude results by using the -Exclude parameter add the value $true
following the parameter as shown
-Exclude $true
To include results that have been excluded use the $false value for the -Exclude parameter
Required false
Position 2
Default value
Accept pipeline input false
Accept wildcard characters false
-RepostitoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet
modifies results from the default result repository
Required false
Page 55
Position 4
Default value
Accept pipeline input false
Accept wildcard characters false
-Results ltResultgtgt
Specifies the result collection to be updated by the Set-MBCAResult cmdlet The -Results
parameter is typically used to specify a filtered subset of scan results that has already been
stored in a variable the variable name is provided as the valid value for the -Results parameter
For example if you have created a variable $allPerformance to store all the Performance
category results for an MBCA scan of all models on a computer and you want to exclude those
Performance results from the complete collection of scan results you add the parameter -Results
$all Performance to a Set-MBCAResult cmdlet
For a more detailed example see the Examples section of the Help for this cmdlet
Required true
Position 3
Default value
Accept pipeline input true (ByValue)
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type ldquoget-
help about_commonparameters
NOTES
If the Set-MBCAResult command is cancelled before the results are written to a file the operation is
cancelled and the results file is not modified If cancellation occurs after the results file has been
modified the commands actions are carried out and the command cannot be cancelled
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -ModelId SQL2008R2BPA | Where $_Category -eq
Performance | Set-MBCAResult -Exclude $true
Description
The first section of the preceding example to the left of the first pipe character (|) uses the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is
represented by Model Id
The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those
scan results for which the category name is equal to Performance
The final section of the example following the second pipe character excludes the Performance
results that were filtered by the previous section of the example
-------------------------- EXAMPLE 2 --------------------------
$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath
CReposPath | Where $_Category -eq Policy
Page 56
Set-MBCAResult -Exclude $true -RepositoryPath CReposPath -Results
$rcPolicy
Description
The first line of the preceding example to the left of the pipe character (|) instructs the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is
represented by Specified Model Id from the specified non-default repository path
The second section of the example after the pipe character filters the results of the Get-MBCAResult
cmdlet to return only those scan results for which the category name is equal to (note the -eq option)
Policy The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet this
variable can be used in subsequent commands to represent those results
The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that
are stored in the $rcPolicy variable In this example the -Results parameter is added because the
administrator wants to exclude a specific subset of scan results for that model and has created the
variable $rcPolicy to represent that subset of results The repository root is specified in the second line
because the administrator wants to modify the results in the same non-default repository from which
the data in $rcPolicy was retrieved
915 MBCA Model Authoring
Further information about configuration and usage of MBCA models you can in the
MBCA_ModelAuthoringGuidedocx
Page 57
Did this paper help you Please give us your feedback Tell us on a scale of 1 (poor) to 5 (excellent)
how would you rate this paper and why have you given it this rating For example
Are you rating it high due to having good examples excellent screen shots clear writing or
another reason
Are you rating it low due to poor examples fuzzy screen shots or unclear writing
This feedback will help us improve the quality of white papers we release
Send feedback
Page 21
ComputerNamePortNumber
IP address nnnn
IPv6 address [nnnnnnnn]
IPv4 address with port number nnnnPortNumber
IPv6 address with port number [nnnnnnnn]PortNumber
Note If an administrator has changed the computerrsquos default port number any port other than the
default port must be opened in Windows Firewall to allow incoming connections on that port Port
5985 is opened by default when WinRM is configured All other ports remain blocked until opened
For more information about how to unblock a port in Windows Firewall see the Help for Windows
Firewall For more information about how to configure WinRM in a Command Prompt session type
winrm help and then press Enter
2 Additionally you must supply credentials
3 CredSSP
Windows Remote Management (WinRM) supports the delegation of user credentials across
multiple remote computers The multi-hop support functionality can now use Credential Security
Service Provider (CredSSP) for authentication CredSSP enables an application to delegate the
userrsquos credentials from the client computer to the target server
CredSSP authentication is intended for environments where Kerberos delegation cannot be used
Support for CredSSP was added to allow a user to connect to a remote server and have the ability
to access a second-hop machine such as a file share
Note WinRM clients and servers will support CredSSP authentication only with explicit credentials
Windows XP Windows Server 2003 and earlier CredSSP is not supported
First you must set CredSSP on both the client and the server
Using the Group Policy Editor (gpeditmsc) make sure to enable ldquoAllow Delegating Fresh
Credentialsrdquo and check ldquoConcatenate OS defaults with input aboverdquo
Add the server or domain to the list of servers in the format ldquoWSMANdomainnamecomrdquo
Next enable and configure PowerShell Remoting on both the Client and Server by running the
following commands in a PowerShell command window opened with elevated permissions Note
Page 22
You can configure a single machine as both a client and a server simultaneously so that you can
scan from either computer
Enable PowerShell Remoting
o Enable-psremoting ndashf
Settings for a client
o Enable-WSManCredSSP ndashrole Client ndashDelegateComputer [NetBiosNameOfServer]
or
o Enable-WSManCredSSP ndashrole Client ndashDelegateComputer [FQDN OF SERVER]
Settings for the server
o Enable-WSManCredSSP ndashrole Server
o set-item WSManlocalhostShellMaxMemoryPerShellMB ndashValue 20000
o set-item WSManlocalhostShellMaxShellsPerUser ndashvalue 20
44 PowerShell
Details see 91 PowerShell
To use the functionality of the Microsoft Baseline Configuration Analyzer you must import this module
first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
441 Run Scan
To run a full scan of the BPA on the alternate server on a named instance you can use the following
command line
Invoke-MBCAModel -ModelId SQL2008R2BPA -Alternate_Server_to_scan
servername -SQL_Server_Instance_Name instancename -
Analyze_SQL_Server_Engine -Analyze_SQL_Server_Replication -
Page 23
Analyze_SQL_Server_Setup -Analyze_SQL_Analysis_Services -
Analyze_SQL_Integration_Services -Analyze_SQL_Reporting_Services
The result looks like this part
ModelId SQL2008R2BPA
SubModelId
Success True
ScanTime
Success = True is important This is the indicator that your scan was successful
Parameter description
-Alternate_Server_to_scan servername
-SQL_Server_Instance_Name instancename
-Analyze_SQL_Server_Engine
-Analyze_SQL_Server_Replication
-Analyze_SQL_Server_Setup
-Analyze_SQL_Analysis_Services
-Analyze_SQL_Integration_Services
-Analyze_SQL_Reporting_Services
The parameter list is equal the parameter screen in the GUI
The scans of the different services are optional You can remove technologies which you do not need
to scan
The next example starts the scan only for the Analysis Services on the alternate server ldquoservernamerdquo
and for the named instance ldquoinstancerdquo A log file will be written to ldquoctempssastxtrdquo
Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId AnalysisServices -
ComputerName servername -SqlServerInstance instance -SSASLogFile
ctempssastxt
Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId Engine -ComputerName
computername -SqlServerInstance servername -CurrentLoginName
($EnvUSERDOMAIN + + $EnvUSERNAME)ToString() -EngineLogFile
ctempenginetxt ndashRepositoryPath (CTEMPSQL2008 + (Get-
Date)ToString(yyyyMMdd))ToString()
442 Create Report
model = get-MbcaModel ndashModelId sql2008r2bpa
$scanResult = get-MbcaResult ndashModelId sql2008r2bpa
$collectedConfig = get-MbcaResult ndashModelId sql2008r2bpa ndash
CollectedConfiguration
$model $scanResult $collectedConfig | export-CliXml ctempasxml
Get-MBCAResult -ModelId SQL2008R2BPA -SubModelId AnalysisServices |
ConvertTo-Html | Add-Content -Path ctesthtml
The next command retrieves the results of the most recent BPA scan for the specified model and
saves them in HTML format applying the standard cascading style sheets that are stored in the path
windirsystem32WindowsPowerShellv10ModulesBestPracticesBestPracticesReportFormatc
Page 24
ss If you want to substitute cascading style sheets provide the path to the different cascading style
sheets
Get-MBCAResult -ModelId SQL2008R2BPA | $_Severity -eq Warning -or
$_Severity -eq Error | ConvertTo-Html -As Table -property ResultNumber
SubModelID ComputerName Severity Category Title Problem Impact
Resolution Help -Head lth1gtSQL Server 2008 (R2) Best Practice Analyzer
Reportlth1gtrdquo -Title SQL Server 2008 Best Practice Analyzer -body
(ltpgtReport creation date + (Get-Date)ToString(ddMMyyyy hhmmss) +
ltpgt)toString() -pre ltPgtGenerated by user $envusername on computer
$envcomputernameltPgt -post For details contact Microsoft Premier-
CssUri $env BestPracticesReportFormatcss gt ctempsql2008r2bpahtm
443 Exporting and opening reports by using Get-MBCAResult
You can use the Get-MBCAResult cmdlet to export scan results and configuration data to an XML
report that you can open for viewing in the future either by using Get-MBCAResult or by using the
MBCA GUI Exporting reports allows you to compare older scans with more recent scans to measure
the progress of your best practice compliance
Example of exporting to XML
$results = Get-MBCAResult ltModel Idgt
$collectedconfig = Get-MBCAResult ltModel Idgt -CollectedConfiguration
$results $collectedconfig | Export-CliXml cexportxml
Example of opening archived XML report file
$loadedResults $loadedConfiguration = Import-CliXml cexportxml
444 Report Result Directory
The reporting result path
AppDataMicrosoftBaselineConfigurationAnalyzer
2ReportsSQL2008R2BPAResults
Will be overwritten during each run of the tool or invoke command
Solution save older results before you start the check
copy-item -path ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2Reports)ToString() -
destination ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2Reports_ + (Get-
Date)ToString(yyyyMMddhhmmss))ToString() ndashrecurse
Afterwards you can create a report with the following command
$prevrepPath = (Get-ChildItem ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2)ToString() -exclude
Reports | Sort-Object name -descending)[0]
Get-MBCAResult -ModelId SQL2008R2BPA ndashRepositoryPath ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2rdquo +
$prevrepPathname)ToString() | ConvertTo-Html -As Table -property
ResultNumberSubModelID ComputerName Severity Category Title Problem
Impact Resolution Help -Head lth1gtSQL Server 2008 (R2) Best Practice
Analyzer Reportlth1gtrdquo -Title SQL Server 2008 Best Practice Analyzer -body
(ltpgtReport creation date + (Get-Date)ToString(ddMMyyyy hhmmss) +
ltpgt)toString() -pre ltPgtGenerated by user $envusername on computer
Page 25
$envcomputernameltPgt -post For details contact Microsoft Premier gt
ctempsql2008r2bpahtm
Page 26
5 TROUBLESHOOTING
51 Application directories
To following directories are used by MBCA
Report output directory localappdataMicrosoftMicrosoftBaselineConfigurationAnalyzer 2ReportsSQL2008R2BPAResults
Model configuration path ProgramdataMicrosoftMicrosoft Baseline Configuration Analyzer 2ModelsSQL2008R2BPA
Temp and log files directory tempSQL2008R2BPASQL2008ltdategt_lttimegt
Registry [HKEY_LOCAL_MACHINESOFTWAREMicrosoftBaselineConfigurationAnalyzer]
Log Files
During Data Discovery SQL Server 2008 R2 BPA creates log files for troubleshooting The log file
contains the following information
Pre-requisite validation
Timestamp finished rules start and end times
Run-time scripting errors and exceptions from Power Shell Traps
Log Files Location
For every scan log files are created in userrsquos Local Temp directory (Temp) and follows the folder
structure SQL2008R2BPAlt Instance Name gtlt datestamp_timestamp gtlt Log files gt
Note In case of a remote scan the category log files are generated on the remote system at the same
path whereas the common log file is generated in the local system
Log Files Structure
A common log file gets generated and contains information about each categorys execution Apart
from this each category has its own log file which details the rule execution The names of the log files
are given below
Common File - ModelLogtxt
Engine Rules - EngineLogtxt
Replication Rules - ReplicationLogtxt
Setup Rules - SetupLogtxt
Analysis Services Rules - AnalysisServicesLogtxt
Reporting Services Rules - ReportingServicesLogtxt
Integration Services Rules - IntegrationServicesLogtxt
52 Windows Server 2003 ndash NumberOfLogicalProcessors
Analysis Services RID2803 and RID2804 ndash NumberOfLogicalProcessors property is unavailable in
Win32_Processor for with Windows Server 2003
Solution The NumberOfLogicalProcessors property does not exist in the WIN32_PROCESSOR object
in Windows Server 2003 It has been implemented in the hotfix
httpsupportmicrosoftcomkb932370
Both of the rules below will function properly if you apply this hotfix For more information look here
Page 27
53 MBCA
This message indicates that on prerequisite is not installed
Please install the version 2 of the MBCA
54 Where can I find the Instance name in result set of the analyzer
report
The instance name is in the collected data option of the analyzer report in the BPA GUI
55 Memory limit of remote PowerShell process
By default remote PowerShell process can consume only 150 MB or less memory This default limit is
significantly small and once this limit is reached there could be a WinRM exception causing and remote
connection immediately terminates Any application or Cmdlet which is involved in PowerShell
remoting should be tested for this memory limit this may cause some of the command to fail for
example site collection creation
Solution Increase the memory limit for the remote shell Use the following command to increase this
limitation to 1000MB This is only necessary if you need to run those commands on that server
Set-Item WSManlocalhostShellMaxMemoryPerShellMB 1000
56 Remote connect
If you try to ldquoConnect to another computerrdquo from MBCA and you receive the following message
Page 28
You should check first if the Hotfix KB968930 is installed
Afterwards validate that the ldquoWindows Remote Managementrdquo service is started
Enable-PSRemoting
If CredSSP is unsupported or unavailable you will see the following message
Page 29
If you have no permission to access the remote server you get the error message
Page 30
57 Installation
571 PowerShell error
After getting through the Pre-Reqs for BPA (PowerShell 20 MBCA NET Framework) you may hit
one of two scenarios when installing BPA
In all of the cases of an install failure you will see the following error
There is a problem with this Windows Installer package A program run as part of the setup did not
finish as expected Contact your support personnel or package vendor
In your Application Event Log for both of these scenarios you will also see the following entry
Log Name Application
Source MsiInstaller
Date 6102010 83818 AM
Event ID 11722
Task Category None
Level Error
Keywords Classic
User ltUsernamegt
Computer ltMachine namegt
Description
Product Microsoft SQL Server 2008 R2 BPA -- Error 1722 There is a problem
with this Windows Installer package A program run as part of the setup did
not finish as expected Contact your support personnel or package
vendor Action EnablePSRemoting location powershellexe command -NoLogo
-NoProfile -Command Enable-PSRemoting ndashforce
Page 31
This is an indicator that PowerShell is not configured You must run the following command
powershellexe -NoLogo -NoProfile -Command Enable-PSRemoting ndashforce
572 Workgroup or Non-Domain computer
In this scenario the Enable-PSRemoting command should execute fine from a PowerShell prompt
The actual error coming back from the PowerShell command within the Installer is ldquoAccess Deniedrdquo
To work around this issue you can do the following
1 Open a command prompt with Administrative Privileges
2 Change to the directory where the msi file resides
3 Type msiexec i ltMSI Namegt SKIPCA=1
4 MSI Name will either be SQL2008R2BPA_Setup32msi or SQL2008R2BPA_Setup64msi
depending on your platform
5 Once BPA is installed open a PowerShell prompt with Administrative Privileges
6 Execute the following commands
a Enable-PSRemoting
b winrm set winrmconfigwinrs ``MaxShellsPerUser=`10``
This should allow BPA to be successfully installed in the workgroup scenario
573 Kerberos Failure
This scenario is that you are failing with the above due to a Kerberos issue This particular issue could
actually show up after you have installed BPA depending on how you have configured your
environment
The issue stems from the fact that the Windows Remoting Windows Service uses the Network Service
account Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos As a
result it will be using the HOST Service Principal Name (SPN) that is on the Machine Account as it is
running under that context You may have an HTTP SPN that resides on a different account with that
host name For example if you are running an IIS Web Application such as SharePoint or if you are
using Reporting Services and the service account is set to a Domain User account instead of Network
Service or Local System If your URL of your application matches the machine name then your HTTP
SPN will be the same Thatrsquos where this problem comes in WinRM will stop working at that point and
give you a message similar to the following
Set-WSManQuickConfig WinRM cannot process the request The following error
occured while using Negotiate authentication An unknown security error
occurred
Possible causes are
-The user name or password specified are invalid
-Kerberos is used when no authentication method and no user name are
specified
-Kerberos accepts domain user names but not local user names
-The Service Principal Name (SPN) for the remote computer name and port
does not exist
-The client and remote computers are in different domains and there is no
trust between the two domains
After checking for the above issues try the following
-Check the Event Viewer for events related to authentication
-Change the authentication method add the destination computer to the
WinRM TrustedHosts configuration setting or use HTTPS transport
Note that computers in the TrustedHosts list might not be authenticated
-For more information about WinRM configuration run the following
Page 32
command winrm help config
At line50 char33
+ Set-WSManQuickConfig ltltltlt -force
+ CategoryInfo InvalidOperation () [Set-WSManQuickConfig]
InvalidOperationException
+ FullyQualifiedErrorId
WsManErrorMicrosoftWSManManagementSetWSManQuickConfigCommand
You can get this type of error from WinRM for muliple reasons The one that
we saw in our testing was the HTTP SPN scenario
If you do have an HTTP SPN defined on a Domain Account that is using the name of your machine
you have some options First you can follow the steps mentioned above to get BPA installed The
Enable-PSRemoting command will give you the above error You can temporarily remove the HTTP
SPN to get remoting enabled and then re-add the HTTP SPN
Once BPA is setup you will still not be able to run BPA if you put the HTTP SPN back in place You will
see the following when you attempt to perform a scan
This will occur regardless of which component you try to scan It could be the Engine Setup RS etchellip
One option to perform the scan successfully is to temporarily remove the HTTP SPN again run the
scan and then put the HTTP SPN back in place Another option but one that will probably require
further testing from your applicationrsquos end would be to run the application under a Host Header and
then your HTTP SPN would not include the machine name allowing BPA to run without issue
Page 33
6 RULES
Searching for ldquoSQL Server 20087 R2 BPArdquo at Microsoftcom reveals
Here is an example of one of these articles that talks about a rule to check for a recent ldquocleanrdquo
CHECKDB
Page 34
BPA works by measuring a rolersquos compliance with best practice rules in eight different categories of a
rolersquos effectiveness trustworthiness and reliability Results of measurements can be any of the three
severity levels described in the following table
Severity level Description
Noncompliant Noncompliant results are returned when a role does not satisfy the conditions of a rule
Compliant Compliant results are returned when a role satisfies the conditions of a rule
Warning Warning results are returned when a role is compliant as operating currently but may not satisfy the conditions of a
rule if changes are not made to its configuration or policy settings For example a scan of Remote Desktop Services
might show a warning result if a license server is unavailable to the role because even if no remote connections are
active at the time of the scan not having the license server prevents new remote connections from obtaining valid
client access licenses
Page 35
BPA rule categories
The following table describes the categories of best practice rules against which roles are measured
during a BPA scan
Category Name Description
Security Security rules are applied to measure a rolersquos relative risk for exposure to threats such as unauthorized or malicious
users or loss or theft of confidential or proprietary data
Performance Performance rules are applied to measure a rolersquos ability to process requests and perform its prescribed duties in
the enterprise within expected periods of time given the rolersquos workload
Configuration Configuration rules are applied to identify role settings that might require modification for the role to perform
optimally Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role
from performing its prescribed duties in an enterprise
Policy Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the
role to operate optimally and securely
Operation Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise
Predeployment Predeployment rules are applied before an installed role is deployed in the enterprise to let administrators to
evaluate whether best practices were satisfied before you use the role in production
Postdeployment Postdeployment rules are applied after all required services have started for a role and the role is running in the
enterprise
BPA Prerequisites BPA Prerequisite rules explain configuration settings policy settings and features that are required for the role
before BPA can apply specific rules from other categories A prerequisite in scan results indicates that an incorrect
setting a missing role role service or feature an incorrectly enabled or disabled policy a registry key setting or
other configuration has prevented BPA from applying one or more rules during a scan A prerequisite result does
not imply compliance or noncompliance It means that a rule could not be applied and therefore is not part of the
scan results
61 Engine Rules
Please find below a summary of the 74 Engine Rules with the links to the rule descriptions These rules
are checking that you have a secure resilient and well performing SQL configuration
Authentication Mode (httpsupportmicrosoftcomkb2028697)
Lightweight Pooling is enabled (httpsupportmicrosoftcomkb2160691)
Locks Configuration Not Dynamic (httpsupportmicrosoftcomkb2199576)
non-default network packet size in use (httpsupportmicrosoftcomkb2157175)
degree of parallelism not set to recommended value (httpsupportmicrosoftcomkb2023536)
Use Database Mail instead of SQL Mail (httpsupportmicrosoftcomkb2028584)
SQL Server Agent Proxy Account (httpsupportmicrosoftcomkb2160741)
SQL Login Password Policy Strength and password expiry
(httpsupportmicrosoftcomkb2028712)
Trustworthy Bit (httpsupportmicrosoftcomkb2183687)
Symmetric Keys Check (httpsupportmicrosoftcomkb2162020)
Asymmetric Keys Check (httpsupportmicrosoftcomkb2162020)
SQL Server installed on PDC BDC (httpsupportmicrosoftcomkb2032911)
Page 36
SQL Server Admin role membership check (httpsupportmicrosoftcomkb2184138)
Windows API calls intercepted (httpsupportmicrosoftcomkb2033238)
unsupported DotNET framework assemblies present (httpsupportmicrosoftcomkb2033344)
Disk partition starting offset may be incorrect (httpsupportmicrosoftcomkb2023571)
non-default max worker threads value configured (httpsupportmicrosoftcomkb2157129)
Guest Permissions (httpsupportmicrosoftcomkb2186935)
Data and Log files on the same volume (httpsupportmicrosoftcomkb2033523)
IO timeouts and IO controller errors detected (httpsupportmicrosoftcomkb2091098)
IO device errors detected (httpsupportmicrosoftcomkb2091098)
IO errors during page faults detected (httpsupportmicrosoftcomkb2091098)
cluster disk corruption encountered (httpsupportmicrosoftcomkb2091098)
disk defragmentation encountered corruption (httpsupportmicrosoftcomkb2091098)
failed IO requests detected (httpsupportmicrosoftcomkb2091098)
IO requests are successful when retried (httpsupportmicrosoftcomkb2015757)
IO Delay Problems reported by SQL Server (httpsupportmicrosoftcomkb2137408)
This system experienced unexpected shutdowns (httpsupportmicrosoftcomkb2091098)
tempdb corruption errors fix missing (httpsupportmicrosoftcomkb960770)
Critical SQL database inconsistency errors found (httpsupportmicrosoftcomkb2152734)
Logical consistency errors detected (httpsupportmicrosoftcomkb2152472)
Database have auto shrink option enabled (httpsupportmicrosoftcomkb2160663)
SQL Server Error logs are very big (httpsupportmicrosoftcomkb2199578)
incorrect affinity mask settings detected httpsupportmicrosoftcomkb2157114
Very low blocked process threshold setting detected httpsupportmicrosoftcomkb2157154
Potential security issue with legacy DTS stored procedures
httpsupportmicrosoftcomkb2202875
Winsock LSP loaded into SQL httpsupportmicrosoftcomkb2033448
Databases using simple recovery model httpsupportmicrosoftcomkb2137539
User database collation different from model httpsupportmicrosoftcomkb2026108
Database files and backups exist on the same volume httpsupportmicrosoftcomkb2027537
Databases have auto close option enabled httpsupportmicrosoftcomkb2160685
LSI SAS drivers needs update httpsupportmicrosoftcomkb2121098
SQL tempdb database not configured optimally httpsupportmicrosoftcomkb2154845
SQL Database file has sparse attribute set httpsupportmicrosoftcomkb2028447
Invalid startup parameters httpsupportmicrosoftcomkb2028433
MSDTC settings not configured optimally httpsupportmicrosoftcomkb2027550
sql incorrect results fix missing httpsupportmicrosoftcomkb971780
File System needs tuning for better FileStream performance
httpsupportmicrosoftcomkb2160002
linked server memory leak fix missing httpsupportmicrosoftcomkb971622EN-US
Windows service pack is not at recommended level httpsupportmicrosoftcomkb2121098
default extended event health session not in expected state
httpsupportmicrosoftcomkb2160570
TcpSysAndChimneyCheck httpsupportmicrosoftcomKB918483
FDHOST Launcher service is not configured properly httpsupportmicrosoftcomkb2160720
Unrecommended SQL Server Agent service account httpsupportmicrosoftcomkb2160720
A required Windows fix to avoid sparse file related problems is missing
httpsupportmicrosoftcomkb2002606
Page 37
Significant Portion of SQL Server Memory Has Been Paged Out
httpsupportmicrosoftcomkb2028324
Server Exception or Hang Detected on Server httpsupportmicrosoftcomkb2028589
Databases exist without CHECKSUM protection httpsupportmicrosoftcomkb2078345
backups outdated for databases httpsupportmicrosoftcomkb2027537
Database consistency check not current httpsupportmicrosoftcomkb2033590
SQL Server Memory settings are incorrect httpsupportmicrosoftcomKB918483EN-US
Autogrow Failed or took a long time httpsupportmicrosoftcomkb2091024
Storport driver fix from KBA 940467 missing httpsupportmicrosoftcomkb2121098
Storport driver fix from KBA 950903 missing httpsupportmicrosoftcomkb2121098
SQLCLR needs additional memory configuration httpsupportmicrosoftcomkb969962EN-US
Operating System files and drivers needs update for working set trimming
httpsupportmicrosoftcomkb2121098
Agent Token Replacement httpsupportmicrosoftcomkb2202637
Auditing Log in failures httpsupportmicrosoftcomkb2187161
Databases with high number of VLF present httpsupportmicrosoftcomkb2028436
Transparent Data Encryption Certificate httpsupportmicrosoftcomkb2201900
Permission on the Binn folder httpsupportmicrosoftcomkb2029023
Index Statistics Are Outdated
Server public permissions httpsupportmicrosoftcomkb2160698
Detected use of older versions of SQLNCLI httpsupportmicrosoftcomkb979779
62 AS Rules
Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions
Flight Recorder Enabled for SQL Server Analysis Services
httpsupportmicrosoftcomkb2128005
Excessive amount of memory preallocated to Analysis Services
httpsupportmicrosoftcomkb2027474
Server not configured for optimal concurrent query throughput
httpsupportmicrosoftcomkb2135031
Non standard value detected for Analysis Services memory configuration
httpsupportmicrosoftcomkb2027472
Process Thread Pool Max limit above recommended limit
httpsupportmicrosoftcomkb2134497
Process Thread Pool Minimum is below the recommended limit
httpsupportmicrosoftcomkb2134855
Server is running a build with a known regression httpsupportmicrosoftcomkb2157941
Slice not set on a ROLAP partition or a partition where proactive caching is enabled and
ROLAP storage ay occur httpsupportmicrosoftcomkb2027754
Server is ignoring duplicate key errors httpsupportmicrosoftcomkb2027761
No default member defined for non-aggregatable attribute
httpsupportmicrosoftcomkb2027769
UnknownMember set to hidden httpsupportmicrosoftcomkb2027628
Non-numeric key column for high cardinality attribute httpsupportmicrosoftcomkb2028138
Attribute hiearchy enabled for high cardinality non-key attribute
httpsupportmicrosoftcomkb2028143
ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition
detected httpsupportmicrosoftcomkb2132742
Page 38
Account or Time attribute types defined in a non-matching dimension type
httpsupportmicrosoftcomkb2157299
An Account or Time dimension has no matching attribute defined
httpsupportmicrosoftcomkb2027418
Dimension has no attribute defined with the same type
httpsupportmicrosoftcomkb2027443
Attribute Dimension type mismatch httpsupportmicrosoftcomkb2157327
Mismatched dimension attribute types detected in dimension
httpsupportmicrosoftcomkb2027459
Possible incorrect order of levels defined in hierarchy httpsupportmicrosoftcomkb2027460
Define attribute relationships as Rigid where possible httpsupportmicrosoftcomkb2027468
Redundant attribute relationships detected httpsupportmicrosoftcomkb2127437
Diamond-shape relationship detected httpsupportmicrosoftcomkb2127570
Non-Standard Attribute Relationship name detected httpsupportmicrosoftcomkb2127862
Proactive Caching set for dimension without a processing query
httpsupportmicrosoftcomkb2027541
No Time dimension detected httpsupportmicrosoftcomkb2027532
More than 3 parent-child dimensions with custom rollups defined
httpsupportmicrosoftcomkb2134431
Encountered a parent-child dimension with more than 500000 members
httpsupportmicrosoftcomkb2131918
Single attribute dimensions detected httpsupportmicrosoftcomkb2141654
Measure groups with zero dimensional overlap detected in cube
httpsupportmicrosoftcomkb2027609
Proactive Caching set for a partition without a processing query
Default measure for perspective not in the perspective
httpsupportmicrosoftcomkb2027603
Use MOLAP storage for dimensions that participate in semi-additive measure groups
httpsupportmicrosoftcomkb2135112
Measure group defined with no partition httpsupportmicrosoftcomkb2027545
63 RS Rules
RSWindowsNegotiate is missing from your configuration
httpsupportmicrosoftcomkb2145506
HTTP Logging is not enabled httpsupportmicrosoftcomkb2145909
Verbose logging is enabled httpsupportmicrosoftcomkb2146315
NTLM authentication may fail for local httpsupportmicrosoftcomkb2146369
Missing extended protection settings httpsupportmicrosoftcomkb2146062
64 IS Rules
Logging task missing for package httpsupportmicrosoftcomkb2027723
ActiveX Script task detected in package httpsupportmicrosoftcomkb2027712
Unrecommended Integration Services service account detected
httpsupportmicrosoftcomkb2027684
Integration Services logging table found in system database master and or msdb
httpsupportmicrosoftcomkb2027706
Integration Services memory dump detected httpsupportmicrosoftcomkb2027727
Page 39
65 Setup Rules
Unsupported Operating System Version Detected httpsupportmicrosoftcomkb2022909
WOW64 not supported for SQL Failover Clustering httpsupportmicrosoftcomkb2157198
Installer cache is missing for the SQL Installation httpsupportmicrosoftcomkb2015100
SQL Server WMI Provider Health Check
66 Replication Rules
Replication Timeout Alerts Type httpsupportmicrosoftcomkb2118349
Replication Pub and Sub out of sync (Data Validation) httpsupportmicrosoftcomkb2118386
Replication Pub and Sub out of sync (Constraint Violations)
httpsupportmicrosoftcomkb2118410
Replication Pub and Sub out of sync (Skipped Transactions)
httpsupportmicrosoftcomkb2194498
Merge Replication Health Check httpsupportmicrosoftcomkb2118445
Subscriptions Approaching Expiration httpgomicrosoftcomfwlinkLinkId=184483
Replication Cleanup and Retention Health Check httpsupportmicrosoftcomkb2118485
Replication Latency Threshold violations httpsupportmicrosoftcomkb2118425
Page 40
7 HOW TO DEAL WITH DEVIATIONS
Deviations from these Best Practices may indicate potential issues and configuration changes may be
necessary Make sure you have tested any intended changes in a test environment before deploying
them to a production environment You could also find deviations from Best Practices that are
acceptable or even necessary for your environment For example
SAP has its special Network Packet Size of 8 KB
Existing Non-Microsoft Clients ndash would require Mixed Mode Authentication
Page 41
8 MOTIVATION TO USE SQL BPA R2
Bob Ward explained in his Article ldquoWhy use SQL Server 2008 R2 BPA Case 1 Missing Updatesrdquo
the common pitfalls during maintenance and operation of SQL Server and how address them by using
the SQL BPA
In brief itrsquos a customer scenario where the customer is facing an issue after a major update to
SQL2008 After some troubleshooting and an update to a certain CU (that is meant to fix the issue) the
problem still occurs Bobs article states the common resulting consequences ndash the involvement of
Microsoft Support and the final solution ndash adding a needed traceflag
The good news in this story is that the customer would not have needed to go to all that effort if they
would have run the SQL BPA It would have told them about the update and instructed them to put the
traceflag in place BPA is a mechanism that proactively advises you and instructs you on dealing with
common known issues
Page 42
9 ADDITIONAL INFORMATION
91 PowerShell
To use the functionality of the Baseline Configuration Analyzer with PowerShell you must import this
module first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
The following commands are stored in this module
Get-MbcaModel
Get-MbcaResult
Invoke-MbcaModel
Set-MbcaResult
You get help of this command with the following syntax
Get-help ltcommandgt -full
911 Get-MBCAModel
SYNOPSIS
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer
SYNTAX
Get-MBCAModel [[-ModelId] ltstring[]gt] [[-SubModelId] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer If no parameter is
specified Get-MBCAModel returns all models that are installed on the computer If a model is specified
by using the -ModelId parameter information about the specified model is returned
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
The results of the Get-MBCAModel cmdlet include the following details about models
1 Branding information (manufacturer or company display names version number) that is found in
the model manifest
2 Dynamic parameters that are included with the model
3 Submodels that are included with the model
PARAMETERS
-ModelId ltstring[]gt
The -ModelId parameter specifies the ID of the MBCA model about which you want to view
details You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet with no parameters and targeted at a computer on which MBCA models are installed
Page 43
This parameter supports wild card characters
Required false
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you
want to view details You can obtain valid values for the -SubModelId parameter by running the
Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models
are installed Not all models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
Examples
Get-MBCAModel
In the preceding example Get-MBCAModel with no parameters added returns details about all MBCA
models that are installed on the computer
Get-MBCAModel -ModelId SQL2008R2BPA
The preceding example can be used to return details about the MBCA model that is specified in the -
ModelId parameter represented by Model Id
$model= Get-MBCAModel -ModelId SQL2008R2BPA
$modelParameters
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the Parameters property of the model details that were stored in the
$model object returns details about which parameters are supported by the model
Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId ltSubModel Idgt
The preceding example can be used to return details about the MBCA sub-model that is specified by
the -SubModelId parameter represented by SubModel Id Note that the -ModelId parameter is
required by the -SubModelId parameter
$model= Get-MBCAModel -ModelId SQL2008R2BPA
Page 44
$modelSubModels
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the SubModels property of the model details that were stored in the
$model object returns a list of the submodels of the model specified in the first line
912 Invoke-MBCAModel
SYNOPSIS
The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA)
scan for a specific model that is installed on your computer
SYNTAX
Invoke-MBCAModel [-ModelId] ltstringgt -SubModelId ltstringgt [-Authentication
ltAuthenticationMechanismgt] [-CertificateThumbprint ltstringgt] [-ComputerName
ltstring[]gt] [-ConfigurationName ltstringgt] [-Context ltstringgt] [-Credential
ltstringgt] [-Mode ltModeEnumgt] [-Port ltintgt] [-RepositoryPath ltstringgt] [-
ThrottleLimit ltintgt] [-UseSSL] [ltCommonParametersgt]
DESCRIPTION
The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer
(MBCA) scan for a specific model that is installed on your computer The model is specified either by
using the parameter -ModelId or by piping the results of the Get-MBCAModel cmdlet into an Invoke-
MBCAMode cmdlet
After the MBCA scan has been performed the results of the scan are available to be retrieved by Get-
MBCAResult cmdlet
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Authentication ltAuthenticationMechanismgt
Specifies the authentication mechanism that is used to authenticate the users credentials Valid
values include Default Basic CredSSP Digest Kerberos Negotiate and
NegotiateWithImplicitCredential The default value is Default
For more information about the -Authentication parameter type the following and then press
Enter
Get-Help Invoke-Command -Parameter Authentication
Required false
Position named
Default value Default
Accept pipeline input false
Accept wildcard characters false
-CertificateThumbprint ltstringgt
Page 45
Specifies the digital public key certificate (X509) of a user account that has rights to perform the
cmdlet action The valid value is the certificate thumbprint of the certificate
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Certificate Thumbprint
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific
computer by adding this parameter Valid values include NETBOS names IP addresses or fully-
qualified domain names of one or more computers in a comma-separated list To specify the local
computer type the computer name or localhost
All formats that are accepted by the -ComputerName parameter in Invoke-Command are
accepted
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ConfigurationName ltstringgt
Specifies the session configuration that is used for a new PSSession
Enter a configuration name or the fully-qualified resource URI for a session configuration
Session configuration data is found on the remote computer on which you want to run a cmdlet
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ConfigurationName
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
The -Context parameter lets you run scans on a submodel in the context of a specific model (one
that is different from the parent model of the submodel) For example an administrator might
want to run a scan on the Backend submodel of the SQL model but only those in the context
of a third model a technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
Page 46
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Credential ltstringgt
Specifies a user account that has permission to run this cmdlet The default value is the current
user
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Credential
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Mode ltModeEnumgt
The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered
documents or discovery The default is to perform both discovery and analysis or All
If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet both discovery and
analysis are performed during a scan
Valid values are Discovery Analysis and All
Required false
Position named
Default value All
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model that you want to scan You can
obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at
a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
Page 47
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-Port ltintgt
Specifies the network port on a remote computer on which you want to run a scan The default
value is port 80
For more information on this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Port
Required false
Position named
Default value 80
Accept pipeline input false
Accept wildcard characters false
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a pathname If the parameter is not used the cmdlet writes
results to the default result repository
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to
scan You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed Not all models have
submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ThrottleLimit ltintgt
Specifies the maximum number of concurrent connections that can be established to run the
cmdlet If you omit this parameter or enter a value of 0 the default value of 32 is used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ThrottleLimit
Required false
Page 48
Position named
Default value 32
Accept pipeline input false
Accept wildcard characters false
-UseSSL [ltSwitchParametergt]
Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer
By default SSL is not used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter UseSSL
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceInvokeBpaModelOutputgt
The output object encapsulates the results of the cmdlet that you entered It contains information such
as the MBCA model ID the success or failure of the cmdlet and other details
NOTES
If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C)
before the temporary results file is copied to its final location the temporary file is discarded and any
previous scan results file for the role are preserved The message Processing of Invoke-MBCAModel
cancelled by user is displayed if the command is cancelled before existing scan results files are
overwritten
If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel
cmdlet and the command is cancelled scans that were completed before the cancel command was
entered cannot be cancelled A scan in progress behaves as described above in the single-model scan
cancellation scenario Subsequent scans in the pipeline are cancelled
If a concurrent scan of the same model is attempted the cmdlet returns the following error message
Another scan for this MBCA model is in progress Only one scan is allowed at a time
-------------------------- EXAMPLE 1 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA
Description
The preceding example starts a MBCA scan on the model that is represented by ltModel Idgt
-------------------------- EXAMPLE 2 --------------------------
Page 49
Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name
redmondmicrosoftcom
Description
The preceding example starts an MBCA scan on the model ID that is specified by Model Id
The administrator starts the MBCA scan with additional model-specific parameters that are exposed by
the model (For an example of how to obtain model-specific parameters see the examples for the Get-
MBCAModel cmdlet)
For example to scan a model that requires model-specific parameters (such as -Scope and -Name) to
be passed to the command the administrator can specify the values of these model-specific
parameters with the Invoke-MBCAModel cmdlet
-------------------------- EXAMPLE 3 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The
cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion
of the scan
-------------------------- EXAMPLE 4 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath
ltRepository Pathgt
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The -
Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on
existing documents that are specified in the non-default repository path provided with the -Repository
Path parameter
-------------------------- EXAMPLE 5 --------------------------
Invoke-MBCAModel -Id ltModel Idgt -SubModelId ltSubModel Idgt -ComputerName
ltServergt -Context ltContext Model Idgt -RepositoryPath ltRespository Pathgt -
AsJob -Authentication ltAuthenticatonMechanismgt -Port ltPort Numbergt -UseSSL -
ThrottleLimit ltThrottle Limitgt
Description
The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id
and on the computer that is represented by Server
Because the administrator only wants to see results from the submodel that apply in the context of a
third model the administrator runs the scan within the context of the model ID that is specified in the -
Context parameter The cmdlet results are saved to the non-default repository path that is specified in
the -RepositoryPath parameter
Because the -AsJob parameter is added the scan runs in the background The -AsJob -
Authentication -Port -UseSSL and -ThrottleLimit parameters are passed through for use by the
Invoke-Command cmdlet to perform discovery on a remote computer For more information about
these parameters see the Help for the Invoke-Command cmdlet available in Windows PowerShell V2
913 Get-MBCAResult
SYNOPSIS
Page 50
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
SYNTAX
Get-MBCAResult [-ModelId] ltstringgt [[-CollectedConfiguration]] -SubModelId
ltstringgt [-ComputerName ltstring[]gt] [-Context ltstringgt] [-Filter
ltFilterEnumgt] [-RepositoryPath ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
To use the command add the -ModelId parameter and then specify the model ID for which you want
to view the most recent MBCA scan results or collected configuration data If you want to retrieve the
configuration data collected add the -CollectedConfiguration switch parameter
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-CollectedConfiguration [ltSwitchParametergt]
The -CollectedConfiguration parameter allows you to obtain the configuration data that was
collected for the most recent MBCA scan If this switch parameter is added to Get-MBCAResults
the cmdlet returns only the configuration data that was collected for a scan
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The -ComputerName parameter lets you obtain scan results that were collected for the most
recent MBCA scan of a submodel on a specific computer To specify the local computer type the
computer name or localhost Multiple values for -ComputerName can be separated by
commas
The -SubModelId parameter is required by the -ComputerName parameter
Valid values for the -ComputerName parameter include localhost a NET BIOS name an IP
address or a fully-qualified domain name (FQDN) of one or more computers in a comma-
separated list
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
Page 51
The -Context parameter lets you obtain scan results that were collected for the most recent
MBCA scan of a submodel in the context of a specific model (one that is different from the parent
model of the submodel) For example an administrator might want to display scan results for the
Backend submodel of the SQL model but only those in the context of a third model a
technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Filter ltFilterEnumgt
The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant
Noncompliant or All results Valid values are Noncompliant Compliant or All The default value
is All
The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan
results You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet obtains
results from the default result repository
Required false
Position named
Page 52
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you
want to view scan results You can obtain valid values for the -SubModelId parameter by running
the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed Not all
models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceResultgt OR
SystemXmlXmlDocument (if -CollectedData specified)
If you do not use the -CollectedConfiguration parameter verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Results
2 Attempting to get MBCA results for Model Id = 0
3 Completed getting MBCA results for Model Id = 0 Number of Results = 1
If you add the -CollectedConfiguration parameter to display configuration data that was used for a
scan verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Configuration Data
2 Attempting to get MBCA collected configuration data for Model Id = 0
3 Completed getting MBCA collected configuration data for Model Id = 0
NOTES
The Get-MBCAResult cmdlet must be run by a member of the Administrators group and it does not
start a new scan
Cancellation behaviour
Single Model - To cancel this cmdlet you must press Ctrl+C before the ResultCollection is displayed
on the console The operation is cancelled and results are not displayed on the console
Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models
the cmdlet generates only those results that were displayed on the console before the cancellation
Any subsequent results in the pipeline are cancelled and not displayed
Page 53
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -Id SQL2008R2BPA
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id
-------------------------- EXAMPLE 2 --------------------------
Get-MBCAModel | Get-MBCAResult
In the preceding example Get-MBCAModel is used to return a list of all MBCA models that are
installed on the computer The results of the Get-MBCAModel cmdlet are piped to the Get-
MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both
supported by MBCA and installed on the computer at which the cmdlet is targeted
-------------------------- EXAMPLE 3 --------------------------
$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$resultDiscoveryDocument
Description
In the preceding example configuration data (in XML form) that was collected during the most recent
Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is
retrieved and stored as a property in the variable $result $resultDiscoveryDocument is of type
SystemXmlXmlDocument
-------------------------- EXAMPLE 4 --------------------------
Get-MBCAResult SQL2008R2BPA -Filter Noncompliant
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id and then applies a filter to show only Noncompliant
results
------------------------- EXAMPLE 5 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId Note that the parent model ID must be specified
to use the -SubModelId parameter
------------------------- EXAMPLE 6 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt -ComputerName ltServergt
-Context ltContext Model Idgt -RepositoryPath ltRepository Pathgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId The parent model ID is provided as required by
the -SubModelID parameter
The -Context parameter indicates that the administrator wants to see only those scan results that are in
the context of the model that is represented by Context Model Id for example only those results from
a SQL Server scan that specifically apply to another technology such as Web Server (IIS)
Page 54
The scan results are further narrowed to only those from a computer that is specified in the -
ComputerName parameter as Server and only those results found in the non-default results
repository that is represented by Repository Path
914 Set-MBCAResult
SYNOPSIS
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
SYNTAX
Set-MBCAResult [[-Exclude] ltBooleangt] [-Results] ltResultgtgt [[-
RepostitoryPath] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
The action specified in the cmdlet (Exclude for example) determines how the existing results of an
MBCA scan are updated Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet
to return a collection of scan results
You can apply filters to results that are returned by the Get-MBCAResult cmdlet and then pipe the
filtered collection of results to the Set-MBCAResult cmdlet specifying either to include or exclude
filtered scan results
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Exclude ltBooleangt
Excludes scan results from the results collection that were previously obtained by the Get-
MBCAResult command To exclude results by using the -Exclude parameter add the value $true
following the parameter as shown
-Exclude $true
To include results that have been excluded use the $false value for the -Exclude parameter
Required false
Position 2
Default value
Accept pipeline input false
Accept wildcard characters false
-RepostitoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet
modifies results from the default result repository
Required false
Page 55
Position 4
Default value
Accept pipeline input false
Accept wildcard characters false
-Results ltResultgtgt
Specifies the result collection to be updated by the Set-MBCAResult cmdlet The -Results
parameter is typically used to specify a filtered subset of scan results that has already been
stored in a variable the variable name is provided as the valid value for the -Results parameter
For example if you have created a variable $allPerformance to store all the Performance
category results for an MBCA scan of all models on a computer and you want to exclude those
Performance results from the complete collection of scan results you add the parameter -Results
$all Performance to a Set-MBCAResult cmdlet
For a more detailed example see the Examples section of the Help for this cmdlet
Required true
Position 3
Default value
Accept pipeline input true (ByValue)
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type ldquoget-
help about_commonparameters
NOTES
If the Set-MBCAResult command is cancelled before the results are written to a file the operation is
cancelled and the results file is not modified If cancellation occurs after the results file has been
modified the commands actions are carried out and the command cannot be cancelled
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -ModelId SQL2008R2BPA | Where $_Category -eq
Performance | Set-MBCAResult -Exclude $true
Description
The first section of the preceding example to the left of the first pipe character (|) uses the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is
represented by Model Id
The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those
scan results for which the category name is equal to Performance
The final section of the example following the second pipe character excludes the Performance
results that were filtered by the previous section of the example
-------------------------- EXAMPLE 2 --------------------------
$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath
CReposPath | Where $_Category -eq Policy
Page 56
Set-MBCAResult -Exclude $true -RepositoryPath CReposPath -Results
$rcPolicy
Description
The first line of the preceding example to the left of the pipe character (|) instructs the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is
represented by Specified Model Id from the specified non-default repository path
The second section of the example after the pipe character filters the results of the Get-MBCAResult
cmdlet to return only those scan results for which the category name is equal to (note the -eq option)
Policy The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet this
variable can be used in subsequent commands to represent those results
The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that
are stored in the $rcPolicy variable In this example the -Results parameter is added because the
administrator wants to exclude a specific subset of scan results for that model and has created the
variable $rcPolicy to represent that subset of results The repository root is specified in the second line
because the administrator wants to modify the results in the same non-default repository from which
the data in $rcPolicy was retrieved
915 MBCA Model Authoring
Further information about configuration and usage of MBCA models you can in the
MBCA_ModelAuthoringGuidedocx
Page 57
Did this paper help you Please give us your feedback Tell us on a scale of 1 (poor) to 5 (excellent)
how would you rate this paper and why have you given it this rating For example
Are you rating it high due to having good examples excellent screen shots clear writing or
another reason
Are you rating it low due to poor examples fuzzy screen shots or unclear writing
This feedback will help us improve the quality of white papers we release
Send feedback
Page 22
You can configure a single machine as both a client and a server simultaneously so that you can
scan from either computer
Enable PowerShell Remoting
o Enable-psremoting ndashf
Settings for a client
o Enable-WSManCredSSP ndashrole Client ndashDelegateComputer [NetBiosNameOfServer]
or
o Enable-WSManCredSSP ndashrole Client ndashDelegateComputer [FQDN OF SERVER]
Settings for the server
o Enable-WSManCredSSP ndashrole Server
o set-item WSManlocalhostShellMaxMemoryPerShellMB ndashValue 20000
o set-item WSManlocalhostShellMaxShellsPerUser ndashvalue 20
44 PowerShell
Details see 91 PowerShell
To use the functionality of the Microsoft Baseline Configuration Analyzer you must import this module
first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
441 Run Scan
To run a full scan of the BPA on the alternate server on a named instance you can use the following
command line
Invoke-MBCAModel -ModelId SQL2008R2BPA -Alternate_Server_to_scan
servername -SQL_Server_Instance_Name instancename -
Analyze_SQL_Server_Engine -Analyze_SQL_Server_Replication -
Page 23
Analyze_SQL_Server_Setup -Analyze_SQL_Analysis_Services -
Analyze_SQL_Integration_Services -Analyze_SQL_Reporting_Services
The result looks like this part
ModelId SQL2008R2BPA
SubModelId
Success True
ScanTime
Success = True is important This is the indicator that your scan was successful
Parameter description
-Alternate_Server_to_scan servername
-SQL_Server_Instance_Name instancename
-Analyze_SQL_Server_Engine
-Analyze_SQL_Server_Replication
-Analyze_SQL_Server_Setup
-Analyze_SQL_Analysis_Services
-Analyze_SQL_Integration_Services
-Analyze_SQL_Reporting_Services
The parameter list is equal the parameter screen in the GUI
The scans of the different services are optional You can remove technologies which you do not need
to scan
The next example starts the scan only for the Analysis Services on the alternate server ldquoservernamerdquo
and for the named instance ldquoinstancerdquo A log file will be written to ldquoctempssastxtrdquo
Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId AnalysisServices -
ComputerName servername -SqlServerInstance instance -SSASLogFile
ctempssastxt
Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId Engine -ComputerName
computername -SqlServerInstance servername -CurrentLoginName
($EnvUSERDOMAIN + + $EnvUSERNAME)ToString() -EngineLogFile
ctempenginetxt ndashRepositoryPath (CTEMPSQL2008 + (Get-
Date)ToString(yyyyMMdd))ToString()
442 Create Report
model = get-MbcaModel ndashModelId sql2008r2bpa
$scanResult = get-MbcaResult ndashModelId sql2008r2bpa
$collectedConfig = get-MbcaResult ndashModelId sql2008r2bpa ndash
CollectedConfiguration
$model $scanResult $collectedConfig | export-CliXml ctempasxml
Get-MBCAResult -ModelId SQL2008R2BPA -SubModelId AnalysisServices |
ConvertTo-Html | Add-Content -Path ctesthtml
The next command retrieves the results of the most recent BPA scan for the specified model and
saves them in HTML format applying the standard cascading style sheets that are stored in the path
windirsystem32WindowsPowerShellv10ModulesBestPracticesBestPracticesReportFormatc
Page 24
ss If you want to substitute cascading style sheets provide the path to the different cascading style
sheets
Get-MBCAResult -ModelId SQL2008R2BPA | $_Severity -eq Warning -or
$_Severity -eq Error | ConvertTo-Html -As Table -property ResultNumber
SubModelID ComputerName Severity Category Title Problem Impact
Resolution Help -Head lth1gtSQL Server 2008 (R2) Best Practice Analyzer
Reportlth1gtrdquo -Title SQL Server 2008 Best Practice Analyzer -body
(ltpgtReport creation date + (Get-Date)ToString(ddMMyyyy hhmmss) +
ltpgt)toString() -pre ltPgtGenerated by user $envusername on computer
$envcomputernameltPgt -post For details contact Microsoft Premier-
CssUri $env BestPracticesReportFormatcss gt ctempsql2008r2bpahtm
443 Exporting and opening reports by using Get-MBCAResult
You can use the Get-MBCAResult cmdlet to export scan results and configuration data to an XML
report that you can open for viewing in the future either by using Get-MBCAResult or by using the
MBCA GUI Exporting reports allows you to compare older scans with more recent scans to measure
the progress of your best practice compliance
Example of exporting to XML
$results = Get-MBCAResult ltModel Idgt
$collectedconfig = Get-MBCAResult ltModel Idgt -CollectedConfiguration
$results $collectedconfig | Export-CliXml cexportxml
Example of opening archived XML report file
$loadedResults $loadedConfiguration = Import-CliXml cexportxml
444 Report Result Directory
The reporting result path
AppDataMicrosoftBaselineConfigurationAnalyzer
2ReportsSQL2008R2BPAResults
Will be overwritten during each run of the tool or invoke command
Solution save older results before you start the check
copy-item -path ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2Reports)ToString() -
destination ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2Reports_ + (Get-
Date)ToString(yyyyMMddhhmmss))ToString() ndashrecurse
Afterwards you can create a report with the following command
$prevrepPath = (Get-ChildItem ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2)ToString() -exclude
Reports | Sort-Object name -descending)[0]
Get-MBCAResult -ModelId SQL2008R2BPA ndashRepositoryPath ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2rdquo +
$prevrepPathname)ToString() | ConvertTo-Html -As Table -property
ResultNumberSubModelID ComputerName Severity Category Title Problem
Impact Resolution Help -Head lth1gtSQL Server 2008 (R2) Best Practice
Analyzer Reportlth1gtrdquo -Title SQL Server 2008 Best Practice Analyzer -body
(ltpgtReport creation date + (Get-Date)ToString(ddMMyyyy hhmmss) +
ltpgt)toString() -pre ltPgtGenerated by user $envusername on computer
Page 25
$envcomputernameltPgt -post For details contact Microsoft Premier gt
ctempsql2008r2bpahtm
Page 26
5 TROUBLESHOOTING
51 Application directories
To following directories are used by MBCA
Report output directory localappdataMicrosoftMicrosoftBaselineConfigurationAnalyzer 2ReportsSQL2008R2BPAResults
Model configuration path ProgramdataMicrosoftMicrosoft Baseline Configuration Analyzer 2ModelsSQL2008R2BPA
Temp and log files directory tempSQL2008R2BPASQL2008ltdategt_lttimegt
Registry [HKEY_LOCAL_MACHINESOFTWAREMicrosoftBaselineConfigurationAnalyzer]
Log Files
During Data Discovery SQL Server 2008 R2 BPA creates log files for troubleshooting The log file
contains the following information
Pre-requisite validation
Timestamp finished rules start and end times
Run-time scripting errors and exceptions from Power Shell Traps
Log Files Location
For every scan log files are created in userrsquos Local Temp directory (Temp) and follows the folder
structure SQL2008R2BPAlt Instance Name gtlt datestamp_timestamp gtlt Log files gt
Note In case of a remote scan the category log files are generated on the remote system at the same
path whereas the common log file is generated in the local system
Log Files Structure
A common log file gets generated and contains information about each categorys execution Apart
from this each category has its own log file which details the rule execution The names of the log files
are given below
Common File - ModelLogtxt
Engine Rules - EngineLogtxt
Replication Rules - ReplicationLogtxt
Setup Rules - SetupLogtxt
Analysis Services Rules - AnalysisServicesLogtxt
Reporting Services Rules - ReportingServicesLogtxt
Integration Services Rules - IntegrationServicesLogtxt
52 Windows Server 2003 ndash NumberOfLogicalProcessors
Analysis Services RID2803 and RID2804 ndash NumberOfLogicalProcessors property is unavailable in
Win32_Processor for with Windows Server 2003
Solution The NumberOfLogicalProcessors property does not exist in the WIN32_PROCESSOR object
in Windows Server 2003 It has been implemented in the hotfix
httpsupportmicrosoftcomkb932370
Both of the rules below will function properly if you apply this hotfix For more information look here
Page 27
53 MBCA
This message indicates that on prerequisite is not installed
Please install the version 2 of the MBCA
54 Where can I find the Instance name in result set of the analyzer
report
The instance name is in the collected data option of the analyzer report in the BPA GUI
55 Memory limit of remote PowerShell process
By default remote PowerShell process can consume only 150 MB or less memory This default limit is
significantly small and once this limit is reached there could be a WinRM exception causing and remote
connection immediately terminates Any application or Cmdlet which is involved in PowerShell
remoting should be tested for this memory limit this may cause some of the command to fail for
example site collection creation
Solution Increase the memory limit for the remote shell Use the following command to increase this
limitation to 1000MB This is only necessary if you need to run those commands on that server
Set-Item WSManlocalhostShellMaxMemoryPerShellMB 1000
56 Remote connect
If you try to ldquoConnect to another computerrdquo from MBCA and you receive the following message
Page 28
You should check first if the Hotfix KB968930 is installed
Afterwards validate that the ldquoWindows Remote Managementrdquo service is started
Enable-PSRemoting
If CredSSP is unsupported or unavailable you will see the following message
Page 29
If you have no permission to access the remote server you get the error message
Page 30
57 Installation
571 PowerShell error
After getting through the Pre-Reqs for BPA (PowerShell 20 MBCA NET Framework) you may hit
one of two scenarios when installing BPA
In all of the cases of an install failure you will see the following error
There is a problem with this Windows Installer package A program run as part of the setup did not
finish as expected Contact your support personnel or package vendor
In your Application Event Log for both of these scenarios you will also see the following entry
Log Name Application
Source MsiInstaller
Date 6102010 83818 AM
Event ID 11722
Task Category None
Level Error
Keywords Classic
User ltUsernamegt
Computer ltMachine namegt
Description
Product Microsoft SQL Server 2008 R2 BPA -- Error 1722 There is a problem
with this Windows Installer package A program run as part of the setup did
not finish as expected Contact your support personnel or package
vendor Action EnablePSRemoting location powershellexe command -NoLogo
-NoProfile -Command Enable-PSRemoting ndashforce
Page 31
This is an indicator that PowerShell is not configured You must run the following command
powershellexe -NoLogo -NoProfile -Command Enable-PSRemoting ndashforce
572 Workgroup or Non-Domain computer
In this scenario the Enable-PSRemoting command should execute fine from a PowerShell prompt
The actual error coming back from the PowerShell command within the Installer is ldquoAccess Deniedrdquo
To work around this issue you can do the following
1 Open a command prompt with Administrative Privileges
2 Change to the directory where the msi file resides
3 Type msiexec i ltMSI Namegt SKIPCA=1
4 MSI Name will either be SQL2008R2BPA_Setup32msi or SQL2008R2BPA_Setup64msi
depending on your platform
5 Once BPA is installed open a PowerShell prompt with Administrative Privileges
6 Execute the following commands
a Enable-PSRemoting
b winrm set winrmconfigwinrs ``MaxShellsPerUser=`10``
This should allow BPA to be successfully installed in the workgroup scenario
573 Kerberos Failure
This scenario is that you are failing with the above due to a Kerberos issue This particular issue could
actually show up after you have installed BPA depending on how you have configured your
environment
The issue stems from the fact that the Windows Remoting Windows Service uses the Network Service
account Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos As a
result it will be using the HOST Service Principal Name (SPN) that is on the Machine Account as it is
running under that context You may have an HTTP SPN that resides on a different account with that
host name For example if you are running an IIS Web Application such as SharePoint or if you are
using Reporting Services and the service account is set to a Domain User account instead of Network
Service or Local System If your URL of your application matches the machine name then your HTTP
SPN will be the same Thatrsquos where this problem comes in WinRM will stop working at that point and
give you a message similar to the following
Set-WSManQuickConfig WinRM cannot process the request The following error
occured while using Negotiate authentication An unknown security error
occurred
Possible causes are
-The user name or password specified are invalid
-Kerberos is used when no authentication method and no user name are
specified
-Kerberos accepts domain user names but not local user names
-The Service Principal Name (SPN) for the remote computer name and port
does not exist
-The client and remote computers are in different domains and there is no
trust between the two domains
After checking for the above issues try the following
-Check the Event Viewer for events related to authentication
-Change the authentication method add the destination computer to the
WinRM TrustedHosts configuration setting or use HTTPS transport
Note that computers in the TrustedHosts list might not be authenticated
-For more information about WinRM configuration run the following
Page 32
command winrm help config
At line50 char33
+ Set-WSManQuickConfig ltltltlt -force
+ CategoryInfo InvalidOperation () [Set-WSManQuickConfig]
InvalidOperationException
+ FullyQualifiedErrorId
WsManErrorMicrosoftWSManManagementSetWSManQuickConfigCommand
You can get this type of error from WinRM for muliple reasons The one that
we saw in our testing was the HTTP SPN scenario
If you do have an HTTP SPN defined on a Domain Account that is using the name of your machine
you have some options First you can follow the steps mentioned above to get BPA installed The
Enable-PSRemoting command will give you the above error You can temporarily remove the HTTP
SPN to get remoting enabled and then re-add the HTTP SPN
Once BPA is setup you will still not be able to run BPA if you put the HTTP SPN back in place You will
see the following when you attempt to perform a scan
This will occur regardless of which component you try to scan It could be the Engine Setup RS etchellip
One option to perform the scan successfully is to temporarily remove the HTTP SPN again run the
scan and then put the HTTP SPN back in place Another option but one that will probably require
further testing from your applicationrsquos end would be to run the application under a Host Header and
then your HTTP SPN would not include the machine name allowing BPA to run without issue
Page 33
6 RULES
Searching for ldquoSQL Server 20087 R2 BPArdquo at Microsoftcom reveals
Here is an example of one of these articles that talks about a rule to check for a recent ldquocleanrdquo
CHECKDB
Page 34
BPA works by measuring a rolersquos compliance with best practice rules in eight different categories of a
rolersquos effectiveness trustworthiness and reliability Results of measurements can be any of the three
severity levels described in the following table
Severity level Description
Noncompliant Noncompliant results are returned when a role does not satisfy the conditions of a rule
Compliant Compliant results are returned when a role satisfies the conditions of a rule
Warning Warning results are returned when a role is compliant as operating currently but may not satisfy the conditions of a
rule if changes are not made to its configuration or policy settings For example a scan of Remote Desktop Services
might show a warning result if a license server is unavailable to the role because even if no remote connections are
active at the time of the scan not having the license server prevents new remote connections from obtaining valid
client access licenses
Page 35
BPA rule categories
The following table describes the categories of best practice rules against which roles are measured
during a BPA scan
Category Name Description
Security Security rules are applied to measure a rolersquos relative risk for exposure to threats such as unauthorized or malicious
users or loss or theft of confidential or proprietary data
Performance Performance rules are applied to measure a rolersquos ability to process requests and perform its prescribed duties in
the enterprise within expected periods of time given the rolersquos workload
Configuration Configuration rules are applied to identify role settings that might require modification for the role to perform
optimally Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role
from performing its prescribed duties in an enterprise
Policy Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the
role to operate optimally and securely
Operation Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise
Predeployment Predeployment rules are applied before an installed role is deployed in the enterprise to let administrators to
evaluate whether best practices were satisfied before you use the role in production
Postdeployment Postdeployment rules are applied after all required services have started for a role and the role is running in the
enterprise
BPA Prerequisites BPA Prerequisite rules explain configuration settings policy settings and features that are required for the role
before BPA can apply specific rules from other categories A prerequisite in scan results indicates that an incorrect
setting a missing role role service or feature an incorrectly enabled or disabled policy a registry key setting or
other configuration has prevented BPA from applying one or more rules during a scan A prerequisite result does
not imply compliance or noncompliance It means that a rule could not be applied and therefore is not part of the
scan results
61 Engine Rules
Please find below a summary of the 74 Engine Rules with the links to the rule descriptions These rules
are checking that you have a secure resilient and well performing SQL configuration
Authentication Mode (httpsupportmicrosoftcomkb2028697)
Lightweight Pooling is enabled (httpsupportmicrosoftcomkb2160691)
Locks Configuration Not Dynamic (httpsupportmicrosoftcomkb2199576)
non-default network packet size in use (httpsupportmicrosoftcomkb2157175)
degree of parallelism not set to recommended value (httpsupportmicrosoftcomkb2023536)
Use Database Mail instead of SQL Mail (httpsupportmicrosoftcomkb2028584)
SQL Server Agent Proxy Account (httpsupportmicrosoftcomkb2160741)
SQL Login Password Policy Strength and password expiry
(httpsupportmicrosoftcomkb2028712)
Trustworthy Bit (httpsupportmicrosoftcomkb2183687)
Symmetric Keys Check (httpsupportmicrosoftcomkb2162020)
Asymmetric Keys Check (httpsupportmicrosoftcomkb2162020)
SQL Server installed on PDC BDC (httpsupportmicrosoftcomkb2032911)
Page 36
SQL Server Admin role membership check (httpsupportmicrosoftcomkb2184138)
Windows API calls intercepted (httpsupportmicrosoftcomkb2033238)
unsupported DotNET framework assemblies present (httpsupportmicrosoftcomkb2033344)
Disk partition starting offset may be incorrect (httpsupportmicrosoftcomkb2023571)
non-default max worker threads value configured (httpsupportmicrosoftcomkb2157129)
Guest Permissions (httpsupportmicrosoftcomkb2186935)
Data and Log files on the same volume (httpsupportmicrosoftcomkb2033523)
IO timeouts and IO controller errors detected (httpsupportmicrosoftcomkb2091098)
IO device errors detected (httpsupportmicrosoftcomkb2091098)
IO errors during page faults detected (httpsupportmicrosoftcomkb2091098)
cluster disk corruption encountered (httpsupportmicrosoftcomkb2091098)
disk defragmentation encountered corruption (httpsupportmicrosoftcomkb2091098)
failed IO requests detected (httpsupportmicrosoftcomkb2091098)
IO requests are successful when retried (httpsupportmicrosoftcomkb2015757)
IO Delay Problems reported by SQL Server (httpsupportmicrosoftcomkb2137408)
This system experienced unexpected shutdowns (httpsupportmicrosoftcomkb2091098)
tempdb corruption errors fix missing (httpsupportmicrosoftcomkb960770)
Critical SQL database inconsistency errors found (httpsupportmicrosoftcomkb2152734)
Logical consistency errors detected (httpsupportmicrosoftcomkb2152472)
Database have auto shrink option enabled (httpsupportmicrosoftcomkb2160663)
SQL Server Error logs are very big (httpsupportmicrosoftcomkb2199578)
incorrect affinity mask settings detected httpsupportmicrosoftcomkb2157114
Very low blocked process threshold setting detected httpsupportmicrosoftcomkb2157154
Potential security issue with legacy DTS stored procedures
httpsupportmicrosoftcomkb2202875
Winsock LSP loaded into SQL httpsupportmicrosoftcomkb2033448
Databases using simple recovery model httpsupportmicrosoftcomkb2137539
User database collation different from model httpsupportmicrosoftcomkb2026108
Database files and backups exist on the same volume httpsupportmicrosoftcomkb2027537
Databases have auto close option enabled httpsupportmicrosoftcomkb2160685
LSI SAS drivers needs update httpsupportmicrosoftcomkb2121098
SQL tempdb database not configured optimally httpsupportmicrosoftcomkb2154845
SQL Database file has sparse attribute set httpsupportmicrosoftcomkb2028447
Invalid startup parameters httpsupportmicrosoftcomkb2028433
MSDTC settings not configured optimally httpsupportmicrosoftcomkb2027550
sql incorrect results fix missing httpsupportmicrosoftcomkb971780
File System needs tuning for better FileStream performance
httpsupportmicrosoftcomkb2160002
linked server memory leak fix missing httpsupportmicrosoftcomkb971622EN-US
Windows service pack is not at recommended level httpsupportmicrosoftcomkb2121098
default extended event health session not in expected state
httpsupportmicrosoftcomkb2160570
TcpSysAndChimneyCheck httpsupportmicrosoftcomKB918483
FDHOST Launcher service is not configured properly httpsupportmicrosoftcomkb2160720
Unrecommended SQL Server Agent service account httpsupportmicrosoftcomkb2160720
A required Windows fix to avoid sparse file related problems is missing
httpsupportmicrosoftcomkb2002606
Page 37
Significant Portion of SQL Server Memory Has Been Paged Out
httpsupportmicrosoftcomkb2028324
Server Exception or Hang Detected on Server httpsupportmicrosoftcomkb2028589
Databases exist without CHECKSUM protection httpsupportmicrosoftcomkb2078345
backups outdated for databases httpsupportmicrosoftcomkb2027537
Database consistency check not current httpsupportmicrosoftcomkb2033590
SQL Server Memory settings are incorrect httpsupportmicrosoftcomKB918483EN-US
Autogrow Failed or took a long time httpsupportmicrosoftcomkb2091024
Storport driver fix from KBA 940467 missing httpsupportmicrosoftcomkb2121098
Storport driver fix from KBA 950903 missing httpsupportmicrosoftcomkb2121098
SQLCLR needs additional memory configuration httpsupportmicrosoftcomkb969962EN-US
Operating System files and drivers needs update for working set trimming
httpsupportmicrosoftcomkb2121098
Agent Token Replacement httpsupportmicrosoftcomkb2202637
Auditing Log in failures httpsupportmicrosoftcomkb2187161
Databases with high number of VLF present httpsupportmicrosoftcomkb2028436
Transparent Data Encryption Certificate httpsupportmicrosoftcomkb2201900
Permission on the Binn folder httpsupportmicrosoftcomkb2029023
Index Statistics Are Outdated
Server public permissions httpsupportmicrosoftcomkb2160698
Detected use of older versions of SQLNCLI httpsupportmicrosoftcomkb979779
62 AS Rules
Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions
Flight Recorder Enabled for SQL Server Analysis Services
httpsupportmicrosoftcomkb2128005
Excessive amount of memory preallocated to Analysis Services
httpsupportmicrosoftcomkb2027474
Server not configured for optimal concurrent query throughput
httpsupportmicrosoftcomkb2135031
Non standard value detected for Analysis Services memory configuration
httpsupportmicrosoftcomkb2027472
Process Thread Pool Max limit above recommended limit
httpsupportmicrosoftcomkb2134497
Process Thread Pool Minimum is below the recommended limit
httpsupportmicrosoftcomkb2134855
Server is running a build with a known regression httpsupportmicrosoftcomkb2157941
Slice not set on a ROLAP partition or a partition where proactive caching is enabled and
ROLAP storage ay occur httpsupportmicrosoftcomkb2027754
Server is ignoring duplicate key errors httpsupportmicrosoftcomkb2027761
No default member defined for non-aggregatable attribute
httpsupportmicrosoftcomkb2027769
UnknownMember set to hidden httpsupportmicrosoftcomkb2027628
Non-numeric key column for high cardinality attribute httpsupportmicrosoftcomkb2028138
Attribute hiearchy enabled for high cardinality non-key attribute
httpsupportmicrosoftcomkb2028143
ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition
detected httpsupportmicrosoftcomkb2132742
Page 38
Account or Time attribute types defined in a non-matching dimension type
httpsupportmicrosoftcomkb2157299
An Account or Time dimension has no matching attribute defined
httpsupportmicrosoftcomkb2027418
Dimension has no attribute defined with the same type
httpsupportmicrosoftcomkb2027443
Attribute Dimension type mismatch httpsupportmicrosoftcomkb2157327
Mismatched dimension attribute types detected in dimension
httpsupportmicrosoftcomkb2027459
Possible incorrect order of levels defined in hierarchy httpsupportmicrosoftcomkb2027460
Define attribute relationships as Rigid where possible httpsupportmicrosoftcomkb2027468
Redundant attribute relationships detected httpsupportmicrosoftcomkb2127437
Diamond-shape relationship detected httpsupportmicrosoftcomkb2127570
Non-Standard Attribute Relationship name detected httpsupportmicrosoftcomkb2127862
Proactive Caching set for dimension without a processing query
httpsupportmicrosoftcomkb2027541
No Time dimension detected httpsupportmicrosoftcomkb2027532
More than 3 parent-child dimensions with custom rollups defined
httpsupportmicrosoftcomkb2134431
Encountered a parent-child dimension with more than 500000 members
httpsupportmicrosoftcomkb2131918
Single attribute dimensions detected httpsupportmicrosoftcomkb2141654
Measure groups with zero dimensional overlap detected in cube
httpsupportmicrosoftcomkb2027609
Proactive Caching set for a partition without a processing query
Default measure for perspective not in the perspective
httpsupportmicrosoftcomkb2027603
Use MOLAP storage for dimensions that participate in semi-additive measure groups
httpsupportmicrosoftcomkb2135112
Measure group defined with no partition httpsupportmicrosoftcomkb2027545
63 RS Rules
RSWindowsNegotiate is missing from your configuration
httpsupportmicrosoftcomkb2145506
HTTP Logging is not enabled httpsupportmicrosoftcomkb2145909
Verbose logging is enabled httpsupportmicrosoftcomkb2146315
NTLM authentication may fail for local httpsupportmicrosoftcomkb2146369
Missing extended protection settings httpsupportmicrosoftcomkb2146062
64 IS Rules
Logging task missing for package httpsupportmicrosoftcomkb2027723
ActiveX Script task detected in package httpsupportmicrosoftcomkb2027712
Unrecommended Integration Services service account detected
httpsupportmicrosoftcomkb2027684
Integration Services logging table found in system database master and or msdb
httpsupportmicrosoftcomkb2027706
Integration Services memory dump detected httpsupportmicrosoftcomkb2027727
Page 39
65 Setup Rules
Unsupported Operating System Version Detected httpsupportmicrosoftcomkb2022909
WOW64 not supported for SQL Failover Clustering httpsupportmicrosoftcomkb2157198
Installer cache is missing for the SQL Installation httpsupportmicrosoftcomkb2015100
SQL Server WMI Provider Health Check
66 Replication Rules
Replication Timeout Alerts Type httpsupportmicrosoftcomkb2118349
Replication Pub and Sub out of sync (Data Validation) httpsupportmicrosoftcomkb2118386
Replication Pub and Sub out of sync (Constraint Violations)
httpsupportmicrosoftcomkb2118410
Replication Pub and Sub out of sync (Skipped Transactions)
httpsupportmicrosoftcomkb2194498
Merge Replication Health Check httpsupportmicrosoftcomkb2118445
Subscriptions Approaching Expiration httpgomicrosoftcomfwlinkLinkId=184483
Replication Cleanup and Retention Health Check httpsupportmicrosoftcomkb2118485
Replication Latency Threshold violations httpsupportmicrosoftcomkb2118425
Page 40
7 HOW TO DEAL WITH DEVIATIONS
Deviations from these Best Practices may indicate potential issues and configuration changes may be
necessary Make sure you have tested any intended changes in a test environment before deploying
them to a production environment You could also find deviations from Best Practices that are
acceptable or even necessary for your environment For example
SAP has its special Network Packet Size of 8 KB
Existing Non-Microsoft Clients ndash would require Mixed Mode Authentication
Page 41
8 MOTIVATION TO USE SQL BPA R2
Bob Ward explained in his Article ldquoWhy use SQL Server 2008 R2 BPA Case 1 Missing Updatesrdquo
the common pitfalls during maintenance and operation of SQL Server and how address them by using
the SQL BPA
In brief itrsquos a customer scenario where the customer is facing an issue after a major update to
SQL2008 After some troubleshooting and an update to a certain CU (that is meant to fix the issue) the
problem still occurs Bobs article states the common resulting consequences ndash the involvement of
Microsoft Support and the final solution ndash adding a needed traceflag
The good news in this story is that the customer would not have needed to go to all that effort if they
would have run the SQL BPA It would have told them about the update and instructed them to put the
traceflag in place BPA is a mechanism that proactively advises you and instructs you on dealing with
common known issues
Page 42
9 ADDITIONAL INFORMATION
91 PowerShell
To use the functionality of the Baseline Configuration Analyzer with PowerShell you must import this
module first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
The following commands are stored in this module
Get-MbcaModel
Get-MbcaResult
Invoke-MbcaModel
Set-MbcaResult
You get help of this command with the following syntax
Get-help ltcommandgt -full
911 Get-MBCAModel
SYNOPSIS
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer
SYNTAX
Get-MBCAModel [[-ModelId] ltstring[]gt] [[-SubModelId] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer If no parameter is
specified Get-MBCAModel returns all models that are installed on the computer If a model is specified
by using the -ModelId parameter information about the specified model is returned
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
The results of the Get-MBCAModel cmdlet include the following details about models
1 Branding information (manufacturer or company display names version number) that is found in
the model manifest
2 Dynamic parameters that are included with the model
3 Submodels that are included with the model
PARAMETERS
-ModelId ltstring[]gt
The -ModelId parameter specifies the ID of the MBCA model about which you want to view
details You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet with no parameters and targeted at a computer on which MBCA models are installed
Page 43
This parameter supports wild card characters
Required false
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you
want to view details You can obtain valid values for the -SubModelId parameter by running the
Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models
are installed Not all models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
Examples
Get-MBCAModel
In the preceding example Get-MBCAModel with no parameters added returns details about all MBCA
models that are installed on the computer
Get-MBCAModel -ModelId SQL2008R2BPA
The preceding example can be used to return details about the MBCA model that is specified in the -
ModelId parameter represented by Model Id
$model= Get-MBCAModel -ModelId SQL2008R2BPA
$modelParameters
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the Parameters property of the model details that were stored in the
$model object returns details about which parameters are supported by the model
Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId ltSubModel Idgt
The preceding example can be used to return details about the MBCA sub-model that is specified by
the -SubModelId parameter represented by SubModel Id Note that the -ModelId parameter is
required by the -SubModelId parameter
$model= Get-MBCAModel -ModelId SQL2008R2BPA
Page 44
$modelSubModels
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the SubModels property of the model details that were stored in the
$model object returns a list of the submodels of the model specified in the first line
912 Invoke-MBCAModel
SYNOPSIS
The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA)
scan for a specific model that is installed on your computer
SYNTAX
Invoke-MBCAModel [-ModelId] ltstringgt -SubModelId ltstringgt [-Authentication
ltAuthenticationMechanismgt] [-CertificateThumbprint ltstringgt] [-ComputerName
ltstring[]gt] [-ConfigurationName ltstringgt] [-Context ltstringgt] [-Credential
ltstringgt] [-Mode ltModeEnumgt] [-Port ltintgt] [-RepositoryPath ltstringgt] [-
ThrottleLimit ltintgt] [-UseSSL] [ltCommonParametersgt]
DESCRIPTION
The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer
(MBCA) scan for a specific model that is installed on your computer The model is specified either by
using the parameter -ModelId or by piping the results of the Get-MBCAModel cmdlet into an Invoke-
MBCAMode cmdlet
After the MBCA scan has been performed the results of the scan are available to be retrieved by Get-
MBCAResult cmdlet
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Authentication ltAuthenticationMechanismgt
Specifies the authentication mechanism that is used to authenticate the users credentials Valid
values include Default Basic CredSSP Digest Kerberos Negotiate and
NegotiateWithImplicitCredential The default value is Default
For more information about the -Authentication parameter type the following and then press
Enter
Get-Help Invoke-Command -Parameter Authentication
Required false
Position named
Default value Default
Accept pipeline input false
Accept wildcard characters false
-CertificateThumbprint ltstringgt
Page 45
Specifies the digital public key certificate (X509) of a user account that has rights to perform the
cmdlet action The valid value is the certificate thumbprint of the certificate
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Certificate Thumbprint
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific
computer by adding this parameter Valid values include NETBOS names IP addresses or fully-
qualified domain names of one or more computers in a comma-separated list To specify the local
computer type the computer name or localhost
All formats that are accepted by the -ComputerName parameter in Invoke-Command are
accepted
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ConfigurationName ltstringgt
Specifies the session configuration that is used for a new PSSession
Enter a configuration name or the fully-qualified resource URI for a session configuration
Session configuration data is found on the remote computer on which you want to run a cmdlet
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ConfigurationName
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
The -Context parameter lets you run scans on a submodel in the context of a specific model (one
that is different from the parent model of the submodel) For example an administrator might
want to run a scan on the Backend submodel of the SQL model but only those in the context
of a third model a technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
Page 46
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Credential ltstringgt
Specifies a user account that has permission to run this cmdlet The default value is the current
user
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Credential
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Mode ltModeEnumgt
The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered
documents or discovery The default is to perform both discovery and analysis or All
If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet both discovery and
analysis are performed during a scan
Valid values are Discovery Analysis and All
Required false
Position named
Default value All
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model that you want to scan You can
obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at
a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
Page 47
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-Port ltintgt
Specifies the network port on a remote computer on which you want to run a scan The default
value is port 80
For more information on this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Port
Required false
Position named
Default value 80
Accept pipeline input false
Accept wildcard characters false
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a pathname If the parameter is not used the cmdlet writes
results to the default result repository
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to
scan You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed Not all models have
submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ThrottleLimit ltintgt
Specifies the maximum number of concurrent connections that can be established to run the
cmdlet If you omit this parameter or enter a value of 0 the default value of 32 is used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ThrottleLimit
Required false
Page 48
Position named
Default value 32
Accept pipeline input false
Accept wildcard characters false
-UseSSL [ltSwitchParametergt]
Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer
By default SSL is not used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter UseSSL
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceInvokeBpaModelOutputgt
The output object encapsulates the results of the cmdlet that you entered It contains information such
as the MBCA model ID the success or failure of the cmdlet and other details
NOTES
If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C)
before the temporary results file is copied to its final location the temporary file is discarded and any
previous scan results file for the role are preserved The message Processing of Invoke-MBCAModel
cancelled by user is displayed if the command is cancelled before existing scan results files are
overwritten
If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel
cmdlet and the command is cancelled scans that were completed before the cancel command was
entered cannot be cancelled A scan in progress behaves as described above in the single-model scan
cancellation scenario Subsequent scans in the pipeline are cancelled
If a concurrent scan of the same model is attempted the cmdlet returns the following error message
Another scan for this MBCA model is in progress Only one scan is allowed at a time
-------------------------- EXAMPLE 1 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA
Description
The preceding example starts a MBCA scan on the model that is represented by ltModel Idgt
-------------------------- EXAMPLE 2 --------------------------
Page 49
Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name
redmondmicrosoftcom
Description
The preceding example starts an MBCA scan on the model ID that is specified by Model Id
The administrator starts the MBCA scan with additional model-specific parameters that are exposed by
the model (For an example of how to obtain model-specific parameters see the examples for the Get-
MBCAModel cmdlet)
For example to scan a model that requires model-specific parameters (such as -Scope and -Name) to
be passed to the command the administrator can specify the values of these model-specific
parameters with the Invoke-MBCAModel cmdlet
-------------------------- EXAMPLE 3 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The
cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion
of the scan
-------------------------- EXAMPLE 4 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath
ltRepository Pathgt
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The -
Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on
existing documents that are specified in the non-default repository path provided with the -Repository
Path parameter
-------------------------- EXAMPLE 5 --------------------------
Invoke-MBCAModel -Id ltModel Idgt -SubModelId ltSubModel Idgt -ComputerName
ltServergt -Context ltContext Model Idgt -RepositoryPath ltRespository Pathgt -
AsJob -Authentication ltAuthenticatonMechanismgt -Port ltPort Numbergt -UseSSL -
ThrottleLimit ltThrottle Limitgt
Description
The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id
and on the computer that is represented by Server
Because the administrator only wants to see results from the submodel that apply in the context of a
third model the administrator runs the scan within the context of the model ID that is specified in the -
Context parameter The cmdlet results are saved to the non-default repository path that is specified in
the -RepositoryPath parameter
Because the -AsJob parameter is added the scan runs in the background The -AsJob -
Authentication -Port -UseSSL and -ThrottleLimit parameters are passed through for use by the
Invoke-Command cmdlet to perform discovery on a remote computer For more information about
these parameters see the Help for the Invoke-Command cmdlet available in Windows PowerShell V2
913 Get-MBCAResult
SYNOPSIS
Page 50
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
SYNTAX
Get-MBCAResult [-ModelId] ltstringgt [[-CollectedConfiguration]] -SubModelId
ltstringgt [-ComputerName ltstring[]gt] [-Context ltstringgt] [-Filter
ltFilterEnumgt] [-RepositoryPath ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
To use the command add the -ModelId parameter and then specify the model ID for which you want
to view the most recent MBCA scan results or collected configuration data If you want to retrieve the
configuration data collected add the -CollectedConfiguration switch parameter
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-CollectedConfiguration [ltSwitchParametergt]
The -CollectedConfiguration parameter allows you to obtain the configuration data that was
collected for the most recent MBCA scan If this switch parameter is added to Get-MBCAResults
the cmdlet returns only the configuration data that was collected for a scan
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The -ComputerName parameter lets you obtain scan results that were collected for the most
recent MBCA scan of a submodel on a specific computer To specify the local computer type the
computer name or localhost Multiple values for -ComputerName can be separated by
commas
The -SubModelId parameter is required by the -ComputerName parameter
Valid values for the -ComputerName parameter include localhost a NET BIOS name an IP
address or a fully-qualified domain name (FQDN) of one or more computers in a comma-
separated list
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
Page 51
The -Context parameter lets you obtain scan results that were collected for the most recent
MBCA scan of a submodel in the context of a specific model (one that is different from the parent
model of the submodel) For example an administrator might want to display scan results for the
Backend submodel of the SQL model but only those in the context of a third model a
technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Filter ltFilterEnumgt
The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant
Noncompliant or All results Valid values are Noncompliant Compliant or All The default value
is All
The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan
results You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet obtains
results from the default result repository
Required false
Position named
Page 52
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you
want to view scan results You can obtain valid values for the -SubModelId parameter by running
the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed Not all
models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceResultgt OR
SystemXmlXmlDocument (if -CollectedData specified)
If you do not use the -CollectedConfiguration parameter verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Results
2 Attempting to get MBCA results for Model Id = 0
3 Completed getting MBCA results for Model Id = 0 Number of Results = 1
If you add the -CollectedConfiguration parameter to display configuration data that was used for a
scan verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Configuration Data
2 Attempting to get MBCA collected configuration data for Model Id = 0
3 Completed getting MBCA collected configuration data for Model Id = 0
NOTES
The Get-MBCAResult cmdlet must be run by a member of the Administrators group and it does not
start a new scan
Cancellation behaviour
Single Model - To cancel this cmdlet you must press Ctrl+C before the ResultCollection is displayed
on the console The operation is cancelled and results are not displayed on the console
Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models
the cmdlet generates only those results that were displayed on the console before the cancellation
Any subsequent results in the pipeline are cancelled and not displayed
Page 53
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -Id SQL2008R2BPA
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id
-------------------------- EXAMPLE 2 --------------------------
Get-MBCAModel | Get-MBCAResult
In the preceding example Get-MBCAModel is used to return a list of all MBCA models that are
installed on the computer The results of the Get-MBCAModel cmdlet are piped to the Get-
MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both
supported by MBCA and installed on the computer at which the cmdlet is targeted
-------------------------- EXAMPLE 3 --------------------------
$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$resultDiscoveryDocument
Description
In the preceding example configuration data (in XML form) that was collected during the most recent
Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is
retrieved and stored as a property in the variable $result $resultDiscoveryDocument is of type
SystemXmlXmlDocument
-------------------------- EXAMPLE 4 --------------------------
Get-MBCAResult SQL2008R2BPA -Filter Noncompliant
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id and then applies a filter to show only Noncompliant
results
------------------------- EXAMPLE 5 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId Note that the parent model ID must be specified
to use the -SubModelId parameter
------------------------- EXAMPLE 6 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt -ComputerName ltServergt
-Context ltContext Model Idgt -RepositoryPath ltRepository Pathgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId The parent model ID is provided as required by
the -SubModelID parameter
The -Context parameter indicates that the administrator wants to see only those scan results that are in
the context of the model that is represented by Context Model Id for example only those results from
a SQL Server scan that specifically apply to another technology such as Web Server (IIS)
Page 54
The scan results are further narrowed to only those from a computer that is specified in the -
ComputerName parameter as Server and only those results found in the non-default results
repository that is represented by Repository Path
914 Set-MBCAResult
SYNOPSIS
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
SYNTAX
Set-MBCAResult [[-Exclude] ltBooleangt] [-Results] ltResultgtgt [[-
RepostitoryPath] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
The action specified in the cmdlet (Exclude for example) determines how the existing results of an
MBCA scan are updated Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet
to return a collection of scan results
You can apply filters to results that are returned by the Get-MBCAResult cmdlet and then pipe the
filtered collection of results to the Set-MBCAResult cmdlet specifying either to include or exclude
filtered scan results
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Exclude ltBooleangt
Excludes scan results from the results collection that were previously obtained by the Get-
MBCAResult command To exclude results by using the -Exclude parameter add the value $true
following the parameter as shown
-Exclude $true
To include results that have been excluded use the $false value for the -Exclude parameter
Required false
Position 2
Default value
Accept pipeline input false
Accept wildcard characters false
-RepostitoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet
modifies results from the default result repository
Required false
Page 55
Position 4
Default value
Accept pipeline input false
Accept wildcard characters false
-Results ltResultgtgt
Specifies the result collection to be updated by the Set-MBCAResult cmdlet The -Results
parameter is typically used to specify a filtered subset of scan results that has already been
stored in a variable the variable name is provided as the valid value for the -Results parameter
For example if you have created a variable $allPerformance to store all the Performance
category results for an MBCA scan of all models on a computer and you want to exclude those
Performance results from the complete collection of scan results you add the parameter -Results
$all Performance to a Set-MBCAResult cmdlet
For a more detailed example see the Examples section of the Help for this cmdlet
Required true
Position 3
Default value
Accept pipeline input true (ByValue)
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type ldquoget-
help about_commonparameters
NOTES
If the Set-MBCAResult command is cancelled before the results are written to a file the operation is
cancelled and the results file is not modified If cancellation occurs after the results file has been
modified the commands actions are carried out and the command cannot be cancelled
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -ModelId SQL2008R2BPA | Where $_Category -eq
Performance | Set-MBCAResult -Exclude $true
Description
The first section of the preceding example to the left of the first pipe character (|) uses the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is
represented by Model Id
The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those
scan results for which the category name is equal to Performance
The final section of the example following the second pipe character excludes the Performance
results that were filtered by the previous section of the example
-------------------------- EXAMPLE 2 --------------------------
$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath
CReposPath | Where $_Category -eq Policy
Page 56
Set-MBCAResult -Exclude $true -RepositoryPath CReposPath -Results
$rcPolicy
Description
The first line of the preceding example to the left of the pipe character (|) instructs the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is
represented by Specified Model Id from the specified non-default repository path
The second section of the example after the pipe character filters the results of the Get-MBCAResult
cmdlet to return only those scan results for which the category name is equal to (note the -eq option)
Policy The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet this
variable can be used in subsequent commands to represent those results
The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that
are stored in the $rcPolicy variable In this example the -Results parameter is added because the
administrator wants to exclude a specific subset of scan results for that model and has created the
variable $rcPolicy to represent that subset of results The repository root is specified in the second line
because the administrator wants to modify the results in the same non-default repository from which
the data in $rcPolicy was retrieved
915 MBCA Model Authoring
Further information about configuration and usage of MBCA models you can in the
MBCA_ModelAuthoringGuidedocx
Page 57
Did this paper help you Please give us your feedback Tell us on a scale of 1 (poor) to 5 (excellent)
how would you rate this paper and why have you given it this rating For example
Are you rating it high due to having good examples excellent screen shots clear writing or
another reason
Are you rating it low due to poor examples fuzzy screen shots or unclear writing
This feedback will help us improve the quality of white papers we release
Send feedback
Page 23
Analyze_SQL_Server_Setup -Analyze_SQL_Analysis_Services -
Analyze_SQL_Integration_Services -Analyze_SQL_Reporting_Services
The result looks like this part
ModelId SQL2008R2BPA
SubModelId
Success True
ScanTime
Success = True is important This is the indicator that your scan was successful
Parameter description
-Alternate_Server_to_scan servername
-SQL_Server_Instance_Name instancename
-Analyze_SQL_Server_Engine
-Analyze_SQL_Server_Replication
-Analyze_SQL_Server_Setup
-Analyze_SQL_Analysis_Services
-Analyze_SQL_Integration_Services
-Analyze_SQL_Reporting_Services
The parameter list is equal the parameter screen in the GUI
The scans of the different services are optional You can remove technologies which you do not need
to scan
The next example starts the scan only for the Analysis Services on the alternate server ldquoservernamerdquo
and for the named instance ldquoinstancerdquo A log file will be written to ldquoctempssastxtrdquo
Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId AnalysisServices -
ComputerName servername -SqlServerInstance instance -SSASLogFile
ctempssastxt
Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId Engine -ComputerName
computername -SqlServerInstance servername -CurrentLoginName
($EnvUSERDOMAIN + + $EnvUSERNAME)ToString() -EngineLogFile
ctempenginetxt ndashRepositoryPath (CTEMPSQL2008 + (Get-
Date)ToString(yyyyMMdd))ToString()
442 Create Report
model = get-MbcaModel ndashModelId sql2008r2bpa
$scanResult = get-MbcaResult ndashModelId sql2008r2bpa
$collectedConfig = get-MbcaResult ndashModelId sql2008r2bpa ndash
CollectedConfiguration
$model $scanResult $collectedConfig | export-CliXml ctempasxml
Get-MBCAResult -ModelId SQL2008R2BPA -SubModelId AnalysisServices |
ConvertTo-Html | Add-Content -Path ctesthtml
The next command retrieves the results of the most recent BPA scan for the specified model and
saves them in HTML format applying the standard cascading style sheets that are stored in the path
windirsystem32WindowsPowerShellv10ModulesBestPracticesBestPracticesReportFormatc
Page 24
ss If you want to substitute cascading style sheets provide the path to the different cascading style
sheets
Get-MBCAResult -ModelId SQL2008R2BPA | $_Severity -eq Warning -or
$_Severity -eq Error | ConvertTo-Html -As Table -property ResultNumber
SubModelID ComputerName Severity Category Title Problem Impact
Resolution Help -Head lth1gtSQL Server 2008 (R2) Best Practice Analyzer
Reportlth1gtrdquo -Title SQL Server 2008 Best Practice Analyzer -body
(ltpgtReport creation date + (Get-Date)ToString(ddMMyyyy hhmmss) +
ltpgt)toString() -pre ltPgtGenerated by user $envusername on computer
$envcomputernameltPgt -post For details contact Microsoft Premier-
CssUri $env BestPracticesReportFormatcss gt ctempsql2008r2bpahtm
443 Exporting and opening reports by using Get-MBCAResult
You can use the Get-MBCAResult cmdlet to export scan results and configuration data to an XML
report that you can open for viewing in the future either by using Get-MBCAResult or by using the
MBCA GUI Exporting reports allows you to compare older scans with more recent scans to measure
the progress of your best practice compliance
Example of exporting to XML
$results = Get-MBCAResult ltModel Idgt
$collectedconfig = Get-MBCAResult ltModel Idgt -CollectedConfiguration
$results $collectedconfig | Export-CliXml cexportxml
Example of opening archived XML report file
$loadedResults $loadedConfiguration = Import-CliXml cexportxml
444 Report Result Directory
The reporting result path
AppDataMicrosoftBaselineConfigurationAnalyzer
2ReportsSQL2008R2BPAResults
Will be overwritten during each run of the tool or invoke command
Solution save older results before you start the check
copy-item -path ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2Reports)ToString() -
destination ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2Reports_ + (Get-
Date)ToString(yyyyMMddhhmmss))ToString() ndashrecurse
Afterwards you can create a report with the following command
$prevrepPath = (Get-ChildItem ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2)ToString() -exclude
Reports | Sort-Object name -descending)[0]
Get-MBCAResult -ModelId SQL2008R2BPA ndashRepositoryPath ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2rdquo +
$prevrepPathname)ToString() | ConvertTo-Html -As Table -property
ResultNumberSubModelID ComputerName Severity Category Title Problem
Impact Resolution Help -Head lth1gtSQL Server 2008 (R2) Best Practice
Analyzer Reportlth1gtrdquo -Title SQL Server 2008 Best Practice Analyzer -body
(ltpgtReport creation date + (Get-Date)ToString(ddMMyyyy hhmmss) +
ltpgt)toString() -pre ltPgtGenerated by user $envusername on computer
Page 25
$envcomputernameltPgt -post For details contact Microsoft Premier gt
ctempsql2008r2bpahtm
Page 26
5 TROUBLESHOOTING
51 Application directories
To following directories are used by MBCA
Report output directory localappdataMicrosoftMicrosoftBaselineConfigurationAnalyzer 2ReportsSQL2008R2BPAResults
Model configuration path ProgramdataMicrosoftMicrosoft Baseline Configuration Analyzer 2ModelsSQL2008R2BPA
Temp and log files directory tempSQL2008R2BPASQL2008ltdategt_lttimegt
Registry [HKEY_LOCAL_MACHINESOFTWAREMicrosoftBaselineConfigurationAnalyzer]
Log Files
During Data Discovery SQL Server 2008 R2 BPA creates log files for troubleshooting The log file
contains the following information
Pre-requisite validation
Timestamp finished rules start and end times
Run-time scripting errors and exceptions from Power Shell Traps
Log Files Location
For every scan log files are created in userrsquos Local Temp directory (Temp) and follows the folder
structure SQL2008R2BPAlt Instance Name gtlt datestamp_timestamp gtlt Log files gt
Note In case of a remote scan the category log files are generated on the remote system at the same
path whereas the common log file is generated in the local system
Log Files Structure
A common log file gets generated and contains information about each categorys execution Apart
from this each category has its own log file which details the rule execution The names of the log files
are given below
Common File - ModelLogtxt
Engine Rules - EngineLogtxt
Replication Rules - ReplicationLogtxt
Setup Rules - SetupLogtxt
Analysis Services Rules - AnalysisServicesLogtxt
Reporting Services Rules - ReportingServicesLogtxt
Integration Services Rules - IntegrationServicesLogtxt
52 Windows Server 2003 ndash NumberOfLogicalProcessors
Analysis Services RID2803 and RID2804 ndash NumberOfLogicalProcessors property is unavailable in
Win32_Processor for with Windows Server 2003
Solution The NumberOfLogicalProcessors property does not exist in the WIN32_PROCESSOR object
in Windows Server 2003 It has been implemented in the hotfix
httpsupportmicrosoftcomkb932370
Both of the rules below will function properly if you apply this hotfix For more information look here
Page 27
53 MBCA
This message indicates that on prerequisite is not installed
Please install the version 2 of the MBCA
54 Where can I find the Instance name in result set of the analyzer
report
The instance name is in the collected data option of the analyzer report in the BPA GUI
55 Memory limit of remote PowerShell process
By default remote PowerShell process can consume only 150 MB or less memory This default limit is
significantly small and once this limit is reached there could be a WinRM exception causing and remote
connection immediately terminates Any application or Cmdlet which is involved in PowerShell
remoting should be tested for this memory limit this may cause some of the command to fail for
example site collection creation
Solution Increase the memory limit for the remote shell Use the following command to increase this
limitation to 1000MB This is only necessary if you need to run those commands on that server
Set-Item WSManlocalhostShellMaxMemoryPerShellMB 1000
56 Remote connect
If you try to ldquoConnect to another computerrdquo from MBCA and you receive the following message
Page 28
You should check first if the Hotfix KB968930 is installed
Afterwards validate that the ldquoWindows Remote Managementrdquo service is started
Enable-PSRemoting
If CredSSP is unsupported or unavailable you will see the following message
Page 29
If you have no permission to access the remote server you get the error message
Page 30
57 Installation
571 PowerShell error
After getting through the Pre-Reqs for BPA (PowerShell 20 MBCA NET Framework) you may hit
one of two scenarios when installing BPA
In all of the cases of an install failure you will see the following error
There is a problem with this Windows Installer package A program run as part of the setup did not
finish as expected Contact your support personnel or package vendor
In your Application Event Log for both of these scenarios you will also see the following entry
Log Name Application
Source MsiInstaller
Date 6102010 83818 AM
Event ID 11722
Task Category None
Level Error
Keywords Classic
User ltUsernamegt
Computer ltMachine namegt
Description
Product Microsoft SQL Server 2008 R2 BPA -- Error 1722 There is a problem
with this Windows Installer package A program run as part of the setup did
not finish as expected Contact your support personnel or package
vendor Action EnablePSRemoting location powershellexe command -NoLogo
-NoProfile -Command Enable-PSRemoting ndashforce
Page 31
This is an indicator that PowerShell is not configured You must run the following command
powershellexe -NoLogo -NoProfile -Command Enable-PSRemoting ndashforce
572 Workgroup or Non-Domain computer
In this scenario the Enable-PSRemoting command should execute fine from a PowerShell prompt
The actual error coming back from the PowerShell command within the Installer is ldquoAccess Deniedrdquo
To work around this issue you can do the following
1 Open a command prompt with Administrative Privileges
2 Change to the directory where the msi file resides
3 Type msiexec i ltMSI Namegt SKIPCA=1
4 MSI Name will either be SQL2008R2BPA_Setup32msi or SQL2008R2BPA_Setup64msi
depending on your platform
5 Once BPA is installed open a PowerShell prompt with Administrative Privileges
6 Execute the following commands
a Enable-PSRemoting
b winrm set winrmconfigwinrs ``MaxShellsPerUser=`10``
This should allow BPA to be successfully installed in the workgroup scenario
573 Kerberos Failure
This scenario is that you are failing with the above due to a Kerberos issue This particular issue could
actually show up after you have installed BPA depending on how you have configured your
environment
The issue stems from the fact that the Windows Remoting Windows Service uses the Network Service
account Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos As a
result it will be using the HOST Service Principal Name (SPN) that is on the Machine Account as it is
running under that context You may have an HTTP SPN that resides on a different account with that
host name For example if you are running an IIS Web Application such as SharePoint or if you are
using Reporting Services and the service account is set to a Domain User account instead of Network
Service or Local System If your URL of your application matches the machine name then your HTTP
SPN will be the same Thatrsquos where this problem comes in WinRM will stop working at that point and
give you a message similar to the following
Set-WSManQuickConfig WinRM cannot process the request The following error
occured while using Negotiate authentication An unknown security error
occurred
Possible causes are
-The user name or password specified are invalid
-Kerberos is used when no authentication method and no user name are
specified
-Kerberos accepts domain user names but not local user names
-The Service Principal Name (SPN) for the remote computer name and port
does not exist
-The client and remote computers are in different domains and there is no
trust between the two domains
After checking for the above issues try the following
-Check the Event Viewer for events related to authentication
-Change the authentication method add the destination computer to the
WinRM TrustedHosts configuration setting or use HTTPS transport
Note that computers in the TrustedHosts list might not be authenticated
-For more information about WinRM configuration run the following
Page 32
command winrm help config
At line50 char33
+ Set-WSManQuickConfig ltltltlt -force
+ CategoryInfo InvalidOperation () [Set-WSManQuickConfig]
InvalidOperationException
+ FullyQualifiedErrorId
WsManErrorMicrosoftWSManManagementSetWSManQuickConfigCommand
You can get this type of error from WinRM for muliple reasons The one that
we saw in our testing was the HTTP SPN scenario
If you do have an HTTP SPN defined on a Domain Account that is using the name of your machine
you have some options First you can follow the steps mentioned above to get BPA installed The
Enable-PSRemoting command will give you the above error You can temporarily remove the HTTP
SPN to get remoting enabled and then re-add the HTTP SPN
Once BPA is setup you will still not be able to run BPA if you put the HTTP SPN back in place You will
see the following when you attempt to perform a scan
This will occur regardless of which component you try to scan It could be the Engine Setup RS etchellip
One option to perform the scan successfully is to temporarily remove the HTTP SPN again run the
scan and then put the HTTP SPN back in place Another option but one that will probably require
further testing from your applicationrsquos end would be to run the application under a Host Header and
then your HTTP SPN would not include the machine name allowing BPA to run without issue
Page 33
6 RULES
Searching for ldquoSQL Server 20087 R2 BPArdquo at Microsoftcom reveals
Here is an example of one of these articles that talks about a rule to check for a recent ldquocleanrdquo
CHECKDB
Page 34
BPA works by measuring a rolersquos compliance with best practice rules in eight different categories of a
rolersquos effectiveness trustworthiness and reliability Results of measurements can be any of the three
severity levels described in the following table
Severity level Description
Noncompliant Noncompliant results are returned when a role does not satisfy the conditions of a rule
Compliant Compliant results are returned when a role satisfies the conditions of a rule
Warning Warning results are returned when a role is compliant as operating currently but may not satisfy the conditions of a
rule if changes are not made to its configuration or policy settings For example a scan of Remote Desktop Services
might show a warning result if a license server is unavailable to the role because even if no remote connections are
active at the time of the scan not having the license server prevents new remote connections from obtaining valid
client access licenses
Page 35
BPA rule categories
The following table describes the categories of best practice rules against which roles are measured
during a BPA scan
Category Name Description
Security Security rules are applied to measure a rolersquos relative risk for exposure to threats such as unauthorized or malicious
users or loss or theft of confidential or proprietary data
Performance Performance rules are applied to measure a rolersquos ability to process requests and perform its prescribed duties in
the enterprise within expected periods of time given the rolersquos workload
Configuration Configuration rules are applied to identify role settings that might require modification for the role to perform
optimally Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role
from performing its prescribed duties in an enterprise
Policy Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the
role to operate optimally and securely
Operation Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise
Predeployment Predeployment rules are applied before an installed role is deployed in the enterprise to let administrators to
evaluate whether best practices were satisfied before you use the role in production
Postdeployment Postdeployment rules are applied after all required services have started for a role and the role is running in the
enterprise
BPA Prerequisites BPA Prerequisite rules explain configuration settings policy settings and features that are required for the role
before BPA can apply specific rules from other categories A prerequisite in scan results indicates that an incorrect
setting a missing role role service or feature an incorrectly enabled or disabled policy a registry key setting or
other configuration has prevented BPA from applying one or more rules during a scan A prerequisite result does
not imply compliance or noncompliance It means that a rule could not be applied and therefore is not part of the
scan results
61 Engine Rules
Please find below a summary of the 74 Engine Rules with the links to the rule descriptions These rules
are checking that you have a secure resilient and well performing SQL configuration
Authentication Mode (httpsupportmicrosoftcomkb2028697)
Lightweight Pooling is enabled (httpsupportmicrosoftcomkb2160691)
Locks Configuration Not Dynamic (httpsupportmicrosoftcomkb2199576)
non-default network packet size in use (httpsupportmicrosoftcomkb2157175)
degree of parallelism not set to recommended value (httpsupportmicrosoftcomkb2023536)
Use Database Mail instead of SQL Mail (httpsupportmicrosoftcomkb2028584)
SQL Server Agent Proxy Account (httpsupportmicrosoftcomkb2160741)
SQL Login Password Policy Strength and password expiry
(httpsupportmicrosoftcomkb2028712)
Trustworthy Bit (httpsupportmicrosoftcomkb2183687)
Symmetric Keys Check (httpsupportmicrosoftcomkb2162020)
Asymmetric Keys Check (httpsupportmicrosoftcomkb2162020)
SQL Server installed on PDC BDC (httpsupportmicrosoftcomkb2032911)
Page 36
SQL Server Admin role membership check (httpsupportmicrosoftcomkb2184138)
Windows API calls intercepted (httpsupportmicrosoftcomkb2033238)
unsupported DotNET framework assemblies present (httpsupportmicrosoftcomkb2033344)
Disk partition starting offset may be incorrect (httpsupportmicrosoftcomkb2023571)
non-default max worker threads value configured (httpsupportmicrosoftcomkb2157129)
Guest Permissions (httpsupportmicrosoftcomkb2186935)
Data and Log files on the same volume (httpsupportmicrosoftcomkb2033523)
IO timeouts and IO controller errors detected (httpsupportmicrosoftcomkb2091098)
IO device errors detected (httpsupportmicrosoftcomkb2091098)
IO errors during page faults detected (httpsupportmicrosoftcomkb2091098)
cluster disk corruption encountered (httpsupportmicrosoftcomkb2091098)
disk defragmentation encountered corruption (httpsupportmicrosoftcomkb2091098)
failed IO requests detected (httpsupportmicrosoftcomkb2091098)
IO requests are successful when retried (httpsupportmicrosoftcomkb2015757)
IO Delay Problems reported by SQL Server (httpsupportmicrosoftcomkb2137408)
This system experienced unexpected shutdowns (httpsupportmicrosoftcomkb2091098)
tempdb corruption errors fix missing (httpsupportmicrosoftcomkb960770)
Critical SQL database inconsistency errors found (httpsupportmicrosoftcomkb2152734)
Logical consistency errors detected (httpsupportmicrosoftcomkb2152472)
Database have auto shrink option enabled (httpsupportmicrosoftcomkb2160663)
SQL Server Error logs are very big (httpsupportmicrosoftcomkb2199578)
incorrect affinity mask settings detected httpsupportmicrosoftcomkb2157114
Very low blocked process threshold setting detected httpsupportmicrosoftcomkb2157154
Potential security issue with legacy DTS stored procedures
httpsupportmicrosoftcomkb2202875
Winsock LSP loaded into SQL httpsupportmicrosoftcomkb2033448
Databases using simple recovery model httpsupportmicrosoftcomkb2137539
User database collation different from model httpsupportmicrosoftcomkb2026108
Database files and backups exist on the same volume httpsupportmicrosoftcomkb2027537
Databases have auto close option enabled httpsupportmicrosoftcomkb2160685
LSI SAS drivers needs update httpsupportmicrosoftcomkb2121098
SQL tempdb database not configured optimally httpsupportmicrosoftcomkb2154845
SQL Database file has sparse attribute set httpsupportmicrosoftcomkb2028447
Invalid startup parameters httpsupportmicrosoftcomkb2028433
MSDTC settings not configured optimally httpsupportmicrosoftcomkb2027550
sql incorrect results fix missing httpsupportmicrosoftcomkb971780
File System needs tuning for better FileStream performance
httpsupportmicrosoftcomkb2160002
linked server memory leak fix missing httpsupportmicrosoftcomkb971622EN-US
Windows service pack is not at recommended level httpsupportmicrosoftcomkb2121098
default extended event health session not in expected state
httpsupportmicrosoftcomkb2160570
TcpSysAndChimneyCheck httpsupportmicrosoftcomKB918483
FDHOST Launcher service is not configured properly httpsupportmicrosoftcomkb2160720
Unrecommended SQL Server Agent service account httpsupportmicrosoftcomkb2160720
A required Windows fix to avoid sparse file related problems is missing
httpsupportmicrosoftcomkb2002606
Page 37
Significant Portion of SQL Server Memory Has Been Paged Out
httpsupportmicrosoftcomkb2028324
Server Exception or Hang Detected on Server httpsupportmicrosoftcomkb2028589
Databases exist without CHECKSUM protection httpsupportmicrosoftcomkb2078345
backups outdated for databases httpsupportmicrosoftcomkb2027537
Database consistency check not current httpsupportmicrosoftcomkb2033590
SQL Server Memory settings are incorrect httpsupportmicrosoftcomKB918483EN-US
Autogrow Failed or took a long time httpsupportmicrosoftcomkb2091024
Storport driver fix from KBA 940467 missing httpsupportmicrosoftcomkb2121098
Storport driver fix from KBA 950903 missing httpsupportmicrosoftcomkb2121098
SQLCLR needs additional memory configuration httpsupportmicrosoftcomkb969962EN-US
Operating System files and drivers needs update for working set trimming
httpsupportmicrosoftcomkb2121098
Agent Token Replacement httpsupportmicrosoftcomkb2202637
Auditing Log in failures httpsupportmicrosoftcomkb2187161
Databases with high number of VLF present httpsupportmicrosoftcomkb2028436
Transparent Data Encryption Certificate httpsupportmicrosoftcomkb2201900
Permission on the Binn folder httpsupportmicrosoftcomkb2029023
Index Statistics Are Outdated
Server public permissions httpsupportmicrosoftcomkb2160698
Detected use of older versions of SQLNCLI httpsupportmicrosoftcomkb979779
62 AS Rules
Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions
Flight Recorder Enabled for SQL Server Analysis Services
httpsupportmicrosoftcomkb2128005
Excessive amount of memory preallocated to Analysis Services
httpsupportmicrosoftcomkb2027474
Server not configured for optimal concurrent query throughput
httpsupportmicrosoftcomkb2135031
Non standard value detected for Analysis Services memory configuration
httpsupportmicrosoftcomkb2027472
Process Thread Pool Max limit above recommended limit
httpsupportmicrosoftcomkb2134497
Process Thread Pool Minimum is below the recommended limit
httpsupportmicrosoftcomkb2134855
Server is running a build with a known regression httpsupportmicrosoftcomkb2157941
Slice not set on a ROLAP partition or a partition where proactive caching is enabled and
ROLAP storage ay occur httpsupportmicrosoftcomkb2027754
Server is ignoring duplicate key errors httpsupportmicrosoftcomkb2027761
No default member defined for non-aggregatable attribute
httpsupportmicrosoftcomkb2027769
UnknownMember set to hidden httpsupportmicrosoftcomkb2027628
Non-numeric key column for high cardinality attribute httpsupportmicrosoftcomkb2028138
Attribute hiearchy enabled for high cardinality non-key attribute
httpsupportmicrosoftcomkb2028143
ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition
detected httpsupportmicrosoftcomkb2132742
Page 38
Account or Time attribute types defined in a non-matching dimension type
httpsupportmicrosoftcomkb2157299
An Account or Time dimension has no matching attribute defined
httpsupportmicrosoftcomkb2027418
Dimension has no attribute defined with the same type
httpsupportmicrosoftcomkb2027443
Attribute Dimension type mismatch httpsupportmicrosoftcomkb2157327
Mismatched dimension attribute types detected in dimension
httpsupportmicrosoftcomkb2027459
Possible incorrect order of levels defined in hierarchy httpsupportmicrosoftcomkb2027460
Define attribute relationships as Rigid where possible httpsupportmicrosoftcomkb2027468
Redundant attribute relationships detected httpsupportmicrosoftcomkb2127437
Diamond-shape relationship detected httpsupportmicrosoftcomkb2127570
Non-Standard Attribute Relationship name detected httpsupportmicrosoftcomkb2127862
Proactive Caching set for dimension without a processing query
httpsupportmicrosoftcomkb2027541
No Time dimension detected httpsupportmicrosoftcomkb2027532
More than 3 parent-child dimensions with custom rollups defined
httpsupportmicrosoftcomkb2134431
Encountered a parent-child dimension with more than 500000 members
httpsupportmicrosoftcomkb2131918
Single attribute dimensions detected httpsupportmicrosoftcomkb2141654
Measure groups with zero dimensional overlap detected in cube
httpsupportmicrosoftcomkb2027609
Proactive Caching set for a partition without a processing query
Default measure for perspective not in the perspective
httpsupportmicrosoftcomkb2027603
Use MOLAP storage for dimensions that participate in semi-additive measure groups
httpsupportmicrosoftcomkb2135112
Measure group defined with no partition httpsupportmicrosoftcomkb2027545
63 RS Rules
RSWindowsNegotiate is missing from your configuration
httpsupportmicrosoftcomkb2145506
HTTP Logging is not enabled httpsupportmicrosoftcomkb2145909
Verbose logging is enabled httpsupportmicrosoftcomkb2146315
NTLM authentication may fail for local httpsupportmicrosoftcomkb2146369
Missing extended protection settings httpsupportmicrosoftcomkb2146062
64 IS Rules
Logging task missing for package httpsupportmicrosoftcomkb2027723
ActiveX Script task detected in package httpsupportmicrosoftcomkb2027712
Unrecommended Integration Services service account detected
httpsupportmicrosoftcomkb2027684
Integration Services logging table found in system database master and or msdb
httpsupportmicrosoftcomkb2027706
Integration Services memory dump detected httpsupportmicrosoftcomkb2027727
Page 39
65 Setup Rules
Unsupported Operating System Version Detected httpsupportmicrosoftcomkb2022909
WOW64 not supported for SQL Failover Clustering httpsupportmicrosoftcomkb2157198
Installer cache is missing for the SQL Installation httpsupportmicrosoftcomkb2015100
SQL Server WMI Provider Health Check
66 Replication Rules
Replication Timeout Alerts Type httpsupportmicrosoftcomkb2118349
Replication Pub and Sub out of sync (Data Validation) httpsupportmicrosoftcomkb2118386
Replication Pub and Sub out of sync (Constraint Violations)
httpsupportmicrosoftcomkb2118410
Replication Pub and Sub out of sync (Skipped Transactions)
httpsupportmicrosoftcomkb2194498
Merge Replication Health Check httpsupportmicrosoftcomkb2118445
Subscriptions Approaching Expiration httpgomicrosoftcomfwlinkLinkId=184483
Replication Cleanup and Retention Health Check httpsupportmicrosoftcomkb2118485
Replication Latency Threshold violations httpsupportmicrosoftcomkb2118425
Page 40
7 HOW TO DEAL WITH DEVIATIONS
Deviations from these Best Practices may indicate potential issues and configuration changes may be
necessary Make sure you have tested any intended changes in a test environment before deploying
them to a production environment You could also find deviations from Best Practices that are
acceptable or even necessary for your environment For example
SAP has its special Network Packet Size of 8 KB
Existing Non-Microsoft Clients ndash would require Mixed Mode Authentication
Page 41
8 MOTIVATION TO USE SQL BPA R2
Bob Ward explained in his Article ldquoWhy use SQL Server 2008 R2 BPA Case 1 Missing Updatesrdquo
the common pitfalls during maintenance and operation of SQL Server and how address them by using
the SQL BPA
In brief itrsquos a customer scenario where the customer is facing an issue after a major update to
SQL2008 After some troubleshooting and an update to a certain CU (that is meant to fix the issue) the
problem still occurs Bobs article states the common resulting consequences ndash the involvement of
Microsoft Support and the final solution ndash adding a needed traceflag
The good news in this story is that the customer would not have needed to go to all that effort if they
would have run the SQL BPA It would have told them about the update and instructed them to put the
traceflag in place BPA is a mechanism that proactively advises you and instructs you on dealing with
common known issues
Page 42
9 ADDITIONAL INFORMATION
91 PowerShell
To use the functionality of the Baseline Configuration Analyzer with PowerShell you must import this
module first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
The following commands are stored in this module
Get-MbcaModel
Get-MbcaResult
Invoke-MbcaModel
Set-MbcaResult
You get help of this command with the following syntax
Get-help ltcommandgt -full
911 Get-MBCAModel
SYNOPSIS
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer
SYNTAX
Get-MBCAModel [[-ModelId] ltstring[]gt] [[-SubModelId] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer If no parameter is
specified Get-MBCAModel returns all models that are installed on the computer If a model is specified
by using the -ModelId parameter information about the specified model is returned
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
The results of the Get-MBCAModel cmdlet include the following details about models
1 Branding information (manufacturer or company display names version number) that is found in
the model manifest
2 Dynamic parameters that are included with the model
3 Submodels that are included with the model
PARAMETERS
-ModelId ltstring[]gt
The -ModelId parameter specifies the ID of the MBCA model about which you want to view
details You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet with no parameters and targeted at a computer on which MBCA models are installed
Page 43
This parameter supports wild card characters
Required false
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you
want to view details You can obtain valid values for the -SubModelId parameter by running the
Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models
are installed Not all models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
Examples
Get-MBCAModel
In the preceding example Get-MBCAModel with no parameters added returns details about all MBCA
models that are installed on the computer
Get-MBCAModel -ModelId SQL2008R2BPA
The preceding example can be used to return details about the MBCA model that is specified in the -
ModelId parameter represented by Model Id
$model= Get-MBCAModel -ModelId SQL2008R2BPA
$modelParameters
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the Parameters property of the model details that were stored in the
$model object returns details about which parameters are supported by the model
Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId ltSubModel Idgt
The preceding example can be used to return details about the MBCA sub-model that is specified by
the -SubModelId parameter represented by SubModel Id Note that the -ModelId parameter is
required by the -SubModelId parameter
$model= Get-MBCAModel -ModelId SQL2008R2BPA
Page 44
$modelSubModels
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the SubModels property of the model details that were stored in the
$model object returns a list of the submodels of the model specified in the first line
912 Invoke-MBCAModel
SYNOPSIS
The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA)
scan for a specific model that is installed on your computer
SYNTAX
Invoke-MBCAModel [-ModelId] ltstringgt -SubModelId ltstringgt [-Authentication
ltAuthenticationMechanismgt] [-CertificateThumbprint ltstringgt] [-ComputerName
ltstring[]gt] [-ConfigurationName ltstringgt] [-Context ltstringgt] [-Credential
ltstringgt] [-Mode ltModeEnumgt] [-Port ltintgt] [-RepositoryPath ltstringgt] [-
ThrottleLimit ltintgt] [-UseSSL] [ltCommonParametersgt]
DESCRIPTION
The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer
(MBCA) scan for a specific model that is installed on your computer The model is specified either by
using the parameter -ModelId or by piping the results of the Get-MBCAModel cmdlet into an Invoke-
MBCAMode cmdlet
After the MBCA scan has been performed the results of the scan are available to be retrieved by Get-
MBCAResult cmdlet
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Authentication ltAuthenticationMechanismgt
Specifies the authentication mechanism that is used to authenticate the users credentials Valid
values include Default Basic CredSSP Digest Kerberos Negotiate and
NegotiateWithImplicitCredential The default value is Default
For more information about the -Authentication parameter type the following and then press
Enter
Get-Help Invoke-Command -Parameter Authentication
Required false
Position named
Default value Default
Accept pipeline input false
Accept wildcard characters false
-CertificateThumbprint ltstringgt
Page 45
Specifies the digital public key certificate (X509) of a user account that has rights to perform the
cmdlet action The valid value is the certificate thumbprint of the certificate
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Certificate Thumbprint
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific
computer by adding this parameter Valid values include NETBOS names IP addresses or fully-
qualified domain names of one or more computers in a comma-separated list To specify the local
computer type the computer name or localhost
All formats that are accepted by the -ComputerName parameter in Invoke-Command are
accepted
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ConfigurationName ltstringgt
Specifies the session configuration that is used for a new PSSession
Enter a configuration name or the fully-qualified resource URI for a session configuration
Session configuration data is found on the remote computer on which you want to run a cmdlet
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ConfigurationName
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
The -Context parameter lets you run scans on a submodel in the context of a specific model (one
that is different from the parent model of the submodel) For example an administrator might
want to run a scan on the Backend submodel of the SQL model but only those in the context
of a third model a technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
Page 46
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Credential ltstringgt
Specifies a user account that has permission to run this cmdlet The default value is the current
user
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Credential
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Mode ltModeEnumgt
The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered
documents or discovery The default is to perform both discovery and analysis or All
If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet both discovery and
analysis are performed during a scan
Valid values are Discovery Analysis and All
Required false
Position named
Default value All
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model that you want to scan You can
obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at
a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
Page 47
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-Port ltintgt
Specifies the network port on a remote computer on which you want to run a scan The default
value is port 80
For more information on this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Port
Required false
Position named
Default value 80
Accept pipeline input false
Accept wildcard characters false
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a pathname If the parameter is not used the cmdlet writes
results to the default result repository
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to
scan You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed Not all models have
submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ThrottleLimit ltintgt
Specifies the maximum number of concurrent connections that can be established to run the
cmdlet If you omit this parameter or enter a value of 0 the default value of 32 is used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ThrottleLimit
Required false
Page 48
Position named
Default value 32
Accept pipeline input false
Accept wildcard characters false
-UseSSL [ltSwitchParametergt]
Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer
By default SSL is not used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter UseSSL
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceInvokeBpaModelOutputgt
The output object encapsulates the results of the cmdlet that you entered It contains information such
as the MBCA model ID the success or failure of the cmdlet and other details
NOTES
If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C)
before the temporary results file is copied to its final location the temporary file is discarded and any
previous scan results file for the role are preserved The message Processing of Invoke-MBCAModel
cancelled by user is displayed if the command is cancelled before existing scan results files are
overwritten
If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel
cmdlet and the command is cancelled scans that were completed before the cancel command was
entered cannot be cancelled A scan in progress behaves as described above in the single-model scan
cancellation scenario Subsequent scans in the pipeline are cancelled
If a concurrent scan of the same model is attempted the cmdlet returns the following error message
Another scan for this MBCA model is in progress Only one scan is allowed at a time
-------------------------- EXAMPLE 1 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA
Description
The preceding example starts a MBCA scan on the model that is represented by ltModel Idgt
-------------------------- EXAMPLE 2 --------------------------
Page 49
Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name
redmondmicrosoftcom
Description
The preceding example starts an MBCA scan on the model ID that is specified by Model Id
The administrator starts the MBCA scan with additional model-specific parameters that are exposed by
the model (For an example of how to obtain model-specific parameters see the examples for the Get-
MBCAModel cmdlet)
For example to scan a model that requires model-specific parameters (such as -Scope and -Name) to
be passed to the command the administrator can specify the values of these model-specific
parameters with the Invoke-MBCAModel cmdlet
-------------------------- EXAMPLE 3 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The
cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion
of the scan
-------------------------- EXAMPLE 4 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath
ltRepository Pathgt
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The -
Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on
existing documents that are specified in the non-default repository path provided with the -Repository
Path parameter
-------------------------- EXAMPLE 5 --------------------------
Invoke-MBCAModel -Id ltModel Idgt -SubModelId ltSubModel Idgt -ComputerName
ltServergt -Context ltContext Model Idgt -RepositoryPath ltRespository Pathgt -
AsJob -Authentication ltAuthenticatonMechanismgt -Port ltPort Numbergt -UseSSL -
ThrottleLimit ltThrottle Limitgt
Description
The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id
and on the computer that is represented by Server
Because the administrator only wants to see results from the submodel that apply in the context of a
third model the administrator runs the scan within the context of the model ID that is specified in the -
Context parameter The cmdlet results are saved to the non-default repository path that is specified in
the -RepositoryPath parameter
Because the -AsJob parameter is added the scan runs in the background The -AsJob -
Authentication -Port -UseSSL and -ThrottleLimit parameters are passed through for use by the
Invoke-Command cmdlet to perform discovery on a remote computer For more information about
these parameters see the Help for the Invoke-Command cmdlet available in Windows PowerShell V2
913 Get-MBCAResult
SYNOPSIS
Page 50
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
SYNTAX
Get-MBCAResult [-ModelId] ltstringgt [[-CollectedConfiguration]] -SubModelId
ltstringgt [-ComputerName ltstring[]gt] [-Context ltstringgt] [-Filter
ltFilterEnumgt] [-RepositoryPath ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
To use the command add the -ModelId parameter and then specify the model ID for which you want
to view the most recent MBCA scan results or collected configuration data If you want to retrieve the
configuration data collected add the -CollectedConfiguration switch parameter
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-CollectedConfiguration [ltSwitchParametergt]
The -CollectedConfiguration parameter allows you to obtain the configuration data that was
collected for the most recent MBCA scan If this switch parameter is added to Get-MBCAResults
the cmdlet returns only the configuration data that was collected for a scan
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The -ComputerName parameter lets you obtain scan results that were collected for the most
recent MBCA scan of a submodel on a specific computer To specify the local computer type the
computer name or localhost Multiple values for -ComputerName can be separated by
commas
The -SubModelId parameter is required by the -ComputerName parameter
Valid values for the -ComputerName parameter include localhost a NET BIOS name an IP
address or a fully-qualified domain name (FQDN) of one or more computers in a comma-
separated list
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
Page 51
The -Context parameter lets you obtain scan results that were collected for the most recent
MBCA scan of a submodel in the context of a specific model (one that is different from the parent
model of the submodel) For example an administrator might want to display scan results for the
Backend submodel of the SQL model but only those in the context of a third model a
technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Filter ltFilterEnumgt
The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant
Noncompliant or All results Valid values are Noncompliant Compliant or All The default value
is All
The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan
results You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet obtains
results from the default result repository
Required false
Position named
Page 52
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you
want to view scan results You can obtain valid values for the -SubModelId parameter by running
the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed Not all
models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceResultgt OR
SystemXmlXmlDocument (if -CollectedData specified)
If you do not use the -CollectedConfiguration parameter verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Results
2 Attempting to get MBCA results for Model Id = 0
3 Completed getting MBCA results for Model Id = 0 Number of Results = 1
If you add the -CollectedConfiguration parameter to display configuration data that was used for a
scan verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Configuration Data
2 Attempting to get MBCA collected configuration data for Model Id = 0
3 Completed getting MBCA collected configuration data for Model Id = 0
NOTES
The Get-MBCAResult cmdlet must be run by a member of the Administrators group and it does not
start a new scan
Cancellation behaviour
Single Model - To cancel this cmdlet you must press Ctrl+C before the ResultCollection is displayed
on the console The operation is cancelled and results are not displayed on the console
Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models
the cmdlet generates only those results that were displayed on the console before the cancellation
Any subsequent results in the pipeline are cancelled and not displayed
Page 53
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -Id SQL2008R2BPA
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id
-------------------------- EXAMPLE 2 --------------------------
Get-MBCAModel | Get-MBCAResult
In the preceding example Get-MBCAModel is used to return a list of all MBCA models that are
installed on the computer The results of the Get-MBCAModel cmdlet are piped to the Get-
MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both
supported by MBCA and installed on the computer at which the cmdlet is targeted
-------------------------- EXAMPLE 3 --------------------------
$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$resultDiscoveryDocument
Description
In the preceding example configuration data (in XML form) that was collected during the most recent
Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is
retrieved and stored as a property in the variable $result $resultDiscoveryDocument is of type
SystemXmlXmlDocument
-------------------------- EXAMPLE 4 --------------------------
Get-MBCAResult SQL2008R2BPA -Filter Noncompliant
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id and then applies a filter to show only Noncompliant
results
------------------------- EXAMPLE 5 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId Note that the parent model ID must be specified
to use the -SubModelId parameter
------------------------- EXAMPLE 6 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt -ComputerName ltServergt
-Context ltContext Model Idgt -RepositoryPath ltRepository Pathgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId The parent model ID is provided as required by
the -SubModelID parameter
The -Context parameter indicates that the administrator wants to see only those scan results that are in
the context of the model that is represented by Context Model Id for example only those results from
a SQL Server scan that specifically apply to another technology such as Web Server (IIS)
Page 54
The scan results are further narrowed to only those from a computer that is specified in the -
ComputerName parameter as Server and only those results found in the non-default results
repository that is represented by Repository Path
914 Set-MBCAResult
SYNOPSIS
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
SYNTAX
Set-MBCAResult [[-Exclude] ltBooleangt] [-Results] ltResultgtgt [[-
RepostitoryPath] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
The action specified in the cmdlet (Exclude for example) determines how the existing results of an
MBCA scan are updated Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet
to return a collection of scan results
You can apply filters to results that are returned by the Get-MBCAResult cmdlet and then pipe the
filtered collection of results to the Set-MBCAResult cmdlet specifying either to include or exclude
filtered scan results
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Exclude ltBooleangt
Excludes scan results from the results collection that were previously obtained by the Get-
MBCAResult command To exclude results by using the -Exclude parameter add the value $true
following the parameter as shown
-Exclude $true
To include results that have been excluded use the $false value for the -Exclude parameter
Required false
Position 2
Default value
Accept pipeline input false
Accept wildcard characters false
-RepostitoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet
modifies results from the default result repository
Required false
Page 55
Position 4
Default value
Accept pipeline input false
Accept wildcard characters false
-Results ltResultgtgt
Specifies the result collection to be updated by the Set-MBCAResult cmdlet The -Results
parameter is typically used to specify a filtered subset of scan results that has already been
stored in a variable the variable name is provided as the valid value for the -Results parameter
For example if you have created a variable $allPerformance to store all the Performance
category results for an MBCA scan of all models on a computer and you want to exclude those
Performance results from the complete collection of scan results you add the parameter -Results
$all Performance to a Set-MBCAResult cmdlet
For a more detailed example see the Examples section of the Help for this cmdlet
Required true
Position 3
Default value
Accept pipeline input true (ByValue)
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type ldquoget-
help about_commonparameters
NOTES
If the Set-MBCAResult command is cancelled before the results are written to a file the operation is
cancelled and the results file is not modified If cancellation occurs after the results file has been
modified the commands actions are carried out and the command cannot be cancelled
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -ModelId SQL2008R2BPA | Where $_Category -eq
Performance | Set-MBCAResult -Exclude $true
Description
The first section of the preceding example to the left of the first pipe character (|) uses the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is
represented by Model Id
The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those
scan results for which the category name is equal to Performance
The final section of the example following the second pipe character excludes the Performance
results that were filtered by the previous section of the example
-------------------------- EXAMPLE 2 --------------------------
$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath
CReposPath | Where $_Category -eq Policy
Page 56
Set-MBCAResult -Exclude $true -RepositoryPath CReposPath -Results
$rcPolicy
Description
The first line of the preceding example to the left of the pipe character (|) instructs the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is
represented by Specified Model Id from the specified non-default repository path
The second section of the example after the pipe character filters the results of the Get-MBCAResult
cmdlet to return only those scan results for which the category name is equal to (note the -eq option)
Policy The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet this
variable can be used in subsequent commands to represent those results
The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that
are stored in the $rcPolicy variable In this example the -Results parameter is added because the
administrator wants to exclude a specific subset of scan results for that model and has created the
variable $rcPolicy to represent that subset of results The repository root is specified in the second line
because the administrator wants to modify the results in the same non-default repository from which
the data in $rcPolicy was retrieved
915 MBCA Model Authoring
Further information about configuration and usage of MBCA models you can in the
MBCA_ModelAuthoringGuidedocx
Page 57
Did this paper help you Please give us your feedback Tell us on a scale of 1 (poor) to 5 (excellent)
how would you rate this paper and why have you given it this rating For example
Are you rating it high due to having good examples excellent screen shots clear writing or
another reason
Are you rating it low due to poor examples fuzzy screen shots or unclear writing
This feedback will help us improve the quality of white papers we release
Send feedback
Page 24
ss If you want to substitute cascading style sheets provide the path to the different cascading style
sheets
Get-MBCAResult -ModelId SQL2008R2BPA | $_Severity -eq Warning -or
$_Severity -eq Error | ConvertTo-Html -As Table -property ResultNumber
SubModelID ComputerName Severity Category Title Problem Impact
Resolution Help -Head lth1gtSQL Server 2008 (R2) Best Practice Analyzer
Reportlth1gtrdquo -Title SQL Server 2008 Best Practice Analyzer -body
(ltpgtReport creation date + (Get-Date)ToString(ddMMyyyy hhmmss) +
ltpgt)toString() -pre ltPgtGenerated by user $envusername on computer
$envcomputernameltPgt -post For details contact Microsoft Premier-
CssUri $env BestPracticesReportFormatcss gt ctempsql2008r2bpahtm
443 Exporting and opening reports by using Get-MBCAResult
You can use the Get-MBCAResult cmdlet to export scan results and configuration data to an XML
report that you can open for viewing in the future either by using Get-MBCAResult or by using the
MBCA GUI Exporting reports allows you to compare older scans with more recent scans to measure
the progress of your best practice compliance
Example of exporting to XML
$results = Get-MBCAResult ltModel Idgt
$collectedconfig = Get-MBCAResult ltModel Idgt -CollectedConfiguration
$results $collectedconfig | Export-CliXml cexportxml
Example of opening archived XML report file
$loadedResults $loadedConfiguration = Import-CliXml cexportxml
444 Report Result Directory
The reporting result path
AppDataMicrosoftBaselineConfigurationAnalyzer
2ReportsSQL2008R2BPAResults
Will be overwritten during each run of the tool or invoke command
Solution save older results before you start the check
copy-item -path ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2Reports)ToString() -
destination ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2Reports_ + (Get-
Date)ToString(yyyyMMddhhmmss))ToString() ndashrecurse
Afterwards you can create a report with the following command
$prevrepPath = (Get-ChildItem ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2)ToString() -exclude
Reports | Sort-Object name -descending)[0]
Get-MBCAResult -ModelId SQL2008R2BPA ndashRepositoryPath ($EnvLocalAppdata +
MicrosoftMicrosoftBaselineConfigurationAnalyzer 2rdquo +
$prevrepPathname)ToString() | ConvertTo-Html -As Table -property
ResultNumberSubModelID ComputerName Severity Category Title Problem
Impact Resolution Help -Head lth1gtSQL Server 2008 (R2) Best Practice
Analyzer Reportlth1gtrdquo -Title SQL Server 2008 Best Practice Analyzer -body
(ltpgtReport creation date + (Get-Date)ToString(ddMMyyyy hhmmss) +
ltpgt)toString() -pre ltPgtGenerated by user $envusername on computer
Page 25
$envcomputernameltPgt -post For details contact Microsoft Premier gt
ctempsql2008r2bpahtm
Page 26
5 TROUBLESHOOTING
51 Application directories
To following directories are used by MBCA
Report output directory localappdataMicrosoftMicrosoftBaselineConfigurationAnalyzer 2ReportsSQL2008R2BPAResults
Model configuration path ProgramdataMicrosoftMicrosoft Baseline Configuration Analyzer 2ModelsSQL2008R2BPA
Temp and log files directory tempSQL2008R2BPASQL2008ltdategt_lttimegt
Registry [HKEY_LOCAL_MACHINESOFTWAREMicrosoftBaselineConfigurationAnalyzer]
Log Files
During Data Discovery SQL Server 2008 R2 BPA creates log files for troubleshooting The log file
contains the following information
Pre-requisite validation
Timestamp finished rules start and end times
Run-time scripting errors and exceptions from Power Shell Traps
Log Files Location
For every scan log files are created in userrsquos Local Temp directory (Temp) and follows the folder
structure SQL2008R2BPAlt Instance Name gtlt datestamp_timestamp gtlt Log files gt
Note In case of a remote scan the category log files are generated on the remote system at the same
path whereas the common log file is generated in the local system
Log Files Structure
A common log file gets generated and contains information about each categorys execution Apart
from this each category has its own log file which details the rule execution The names of the log files
are given below
Common File - ModelLogtxt
Engine Rules - EngineLogtxt
Replication Rules - ReplicationLogtxt
Setup Rules - SetupLogtxt
Analysis Services Rules - AnalysisServicesLogtxt
Reporting Services Rules - ReportingServicesLogtxt
Integration Services Rules - IntegrationServicesLogtxt
52 Windows Server 2003 ndash NumberOfLogicalProcessors
Analysis Services RID2803 and RID2804 ndash NumberOfLogicalProcessors property is unavailable in
Win32_Processor for with Windows Server 2003
Solution The NumberOfLogicalProcessors property does not exist in the WIN32_PROCESSOR object
in Windows Server 2003 It has been implemented in the hotfix
httpsupportmicrosoftcomkb932370
Both of the rules below will function properly if you apply this hotfix For more information look here
Page 27
53 MBCA
This message indicates that on prerequisite is not installed
Please install the version 2 of the MBCA
54 Where can I find the Instance name in result set of the analyzer
report
The instance name is in the collected data option of the analyzer report in the BPA GUI
55 Memory limit of remote PowerShell process
By default remote PowerShell process can consume only 150 MB or less memory This default limit is
significantly small and once this limit is reached there could be a WinRM exception causing and remote
connection immediately terminates Any application or Cmdlet which is involved in PowerShell
remoting should be tested for this memory limit this may cause some of the command to fail for
example site collection creation
Solution Increase the memory limit for the remote shell Use the following command to increase this
limitation to 1000MB This is only necessary if you need to run those commands on that server
Set-Item WSManlocalhostShellMaxMemoryPerShellMB 1000
56 Remote connect
If you try to ldquoConnect to another computerrdquo from MBCA and you receive the following message
Page 28
You should check first if the Hotfix KB968930 is installed
Afterwards validate that the ldquoWindows Remote Managementrdquo service is started
Enable-PSRemoting
If CredSSP is unsupported or unavailable you will see the following message
Page 29
If you have no permission to access the remote server you get the error message
Page 30
57 Installation
571 PowerShell error
After getting through the Pre-Reqs for BPA (PowerShell 20 MBCA NET Framework) you may hit
one of two scenarios when installing BPA
In all of the cases of an install failure you will see the following error
There is a problem with this Windows Installer package A program run as part of the setup did not
finish as expected Contact your support personnel or package vendor
In your Application Event Log for both of these scenarios you will also see the following entry
Log Name Application
Source MsiInstaller
Date 6102010 83818 AM
Event ID 11722
Task Category None
Level Error
Keywords Classic
User ltUsernamegt
Computer ltMachine namegt
Description
Product Microsoft SQL Server 2008 R2 BPA -- Error 1722 There is a problem
with this Windows Installer package A program run as part of the setup did
not finish as expected Contact your support personnel or package
vendor Action EnablePSRemoting location powershellexe command -NoLogo
-NoProfile -Command Enable-PSRemoting ndashforce
Page 31
This is an indicator that PowerShell is not configured You must run the following command
powershellexe -NoLogo -NoProfile -Command Enable-PSRemoting ndashforce
572 Workgroup or Non-Domain computer
In this scenario the Enable-PSRemoting command should execute fine from a PowerShell prompt
The actual error coming back from the PowerShell command within the Installer is ldquoAccess Deniedrdquo
To work around this issue you can do the following
1 Open a command prompt with Administrative Privileges
2 Change to the directory where the msi file resides
3 Type msiexec i ltMSI Namegt SKIPCA=1
4 MSI Name will either be SQL2008R2BPA_Setup32msi or SQL2008R2BPA_Setup64msi
depending on your platform
5 Once BPA is installed open a PowerShell prompt with Administrative Privileges
6 Execute the following commands
a Enable-PSRemoting
b winrm set winrmconfigwinrs ``MaxShellsPerUser=`10``
This should allow BPA to be successfully installed in the workgroup scenario
573 Kerberos Failure
This scenario is that you are failing with the above due to a Kerberos issue This particular issue could
actually show up after you have installed BPA depending on how you have configured your
environment
The issue stems from the fact that the Windows Remoting Windows Service uses the Network Service
account Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos As a
result it will be using the HOST Service Principal Name (SPN) that is on the Machine Account as it is
running under that context You may have an HTTP SPN that resides on a different account with that
host name For example if you are running an IIS Web Application such as SharePoint or if you are
using Reporting Services and the service account is set to a Domain User account instead of Network
Service or Local System If your URL of your application matches the machine name then your HTTP
SPN will be the same Thatrsquos where this problem comes in WinRM will stop working at that point and
give you a message similar to the following
Set-WSManQuickConfig WinRM cannot process the request The following error
occured while using Negotiate authentication An unknown security error
occurred
Possible causes are
-The user name or password specified are invalid
-Kerberos is used when no authentication method and no user name are
specified
-Kerberos accepts domain user names but not local user names
-The Service Principal Name (SPN) for the remote computer name and port
does not exist
-The client and remote computers are in different domains and there is no
trust between the two domains
After checking for the above issues try the following
-Check the Event Viewer for events related to authentication
-Change the authentication method add the destination computer to the
WinRM TrustedHosts configuration setting or use HTTPS transport
Note that computers in the TrustedHosts list might not be authenticated
-For more information about WinRM configuration run the following
Page 32
command winrm help config
At line50 char33
+ Set-WSManQuickConfig ltltltlt -force
+ CategoryInfo InvalidOperation () [Set-WSManQuickConfig]
InvalidOperationException
+ FullyQualifiedErrorId
WsManErrorMicrosoftWSManManagementSetWSManQuickConfigCommand
You can get this type of error from WinRM for muliple reasons The one that
we saw in our testing was the HTTP SPN scenario
If you do have an HTTP SPN defined on a Domain Account that is using the name of your machine
you have some options First you can follow the steps mentioned above to get BPA installed The
Enable-PSRemoting command will give you the above error You can temporarily remove the HTTP
SPN to get remoting enabled and then re-add the HTTP SPN
Once BPA is setup you will still not be able to run BPA if you put the HTTP SPN back in place You will
see the following when you attempt to perform a scan
This will occur regardless of which component you try to scan It could be the Engine Setup RS etchellip
One option to perform the scan successfully is to temporarily remove the HTTP SPN again run the
scan and then put the HTTP SPN back in place Another option but one that will probably require
further testing from your applicationrsquos end would be to run the application under a Host Header and
then your HTTP SPN would not include the machine name allowing BPA to run without issue
Page 33
6 RULES
Searching for ldquoSQL Server 20087 R2 BPArdquo at Microsoftcom reveals
Here is an example of one of these articles that talks about a rule to check for a recent ldquocleanrdquo
CHECKDB
Page 34
BPA works by measuring a rolersquos compliance with best practice rules in eight different categories of a
rolersquos effectiveness trustworthiness and reliability Results of measurements can be any of the three
severity levels described in the following table
Severity level Description
Noncompliant Noncompliant results are returned when a role does not satisfy the conditions of a rule
Compliant Compliant results are returned when a role satisfies the conditions of a rule
Warning Warning results are returned when a role is compliant as operating currently but may not satisfy the conditions of a
rule if changes are not made to its configuration or policy settings For example a scan of Remote Desktop Services
might show a warning result if a license server is unavailable to the role because even if no remote connections are
active at the time of the scan not having the license server prevents new remote connections from obtaining valid
client access licenses
Page 35
BPA rule categories
The following table describes the categories of best practice rules against which roles are measured
during a BPA scan
Category Name Description
Security Security rules are applied to measure a rolersquos relative risk for exposure to threats such as unauthorized or malicious
users or loss or theft of confidential or proprietary data
Performance Performance rules are applied to measure a rolersquos ability to process requests and perform its prescribed duties in
the enterprise within expected periods of time given the rolersquos workload
Configuration Configuration rules are applied to identify role settings that might require modification for the role to perform
optimally Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role
from performing its prescribed duties in an enterprise
Policy Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the
role to operate optimally and securely
Operation Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise
Predeployment Predeployment rules are applied before an installed role is deployed in the enterprise to let administrators to
evaluate whether best practices were satisfied before you use the role in production
Postdeployment Postdeployment rules are applied after all required services have started for a role and the role is running in the
enterprise
BPA Prerequisites BPA Prerequisite rules explain configuration settings policy settings and features that are required for the role
before BPA can apply specific rules from other categories A prerequisite in scan results indicates that an incorrect
setting a missing role role service or feature an incorrectly enabled or disabled policy a registry key setting or
other configuration has prevented BPA from applying one or more rules during a scan A prerequisite result does
not imply compliance or noncompliance It means that a rule could not be applied and therefore is not part of the
scan results
61 Engine Rules
Please find below a summary of the 74 Engine Rules with the links to the rule descriptions These rules
are checking that you have a secure resilient and well performing SQL configuration
Authentication Mode (httpsupportmicrosoftcomkb2028697)
Lightweight Pooling is enabled (httpsupportmicrosoftcomkb2160691)
Locks Configuration Not Dynamic (httpsupportmicrosoftcomkb2199576)
non-default network packet size in use (httpsupportmicrosoftcomkb2157175)
degree of parallelism not set to recommended value (httpsupportmicrosoftcomkb2023536)
Use Database Mail instead of SQL Mail (httpsupportmicrosoftcomkb2028584)
SQL Server Agent Proxy Account (httpsupportmicrosoftcomkb2160741)
SQL Login Password Policy Strength and password expiry
(httpsupportmicrosoftcomkb2028712)
Trustworthy Bit (httpsupportmicrosoftcomkb2183687)
Symmetric Keys Check (httpsupportmicrosoftcomkb2162020)
Asymmetric Keys Check (httpsupportmicrosoftcomkb2162020)
SQL Server installed on PDC BDC (httpsupportmicrosoftcomkb2032911)
Page 36
SQL Server Admin role membership check (httpsupportmicrosoftcomkb2184138)
Windows API calls intercepted (httpsupportmicrosoftcomkb2033238)
unsupported DotNET framework assemblies present (httpsupportmicrosoftcomkb2033344)
Disk partition starting offset may be incorrect (httpsupportmicrosoftcomkb2023571)
non-default max worker threads value configured (httpsupportmicrosoftcomkb2157129)
Guest Permissions (httpsupportmicrosoftcomkb2186935)
Data and Log files on the same volume (httpsupportmicrosoftcomkb2033523)
IO timeouts and IO controller errors detected (httpsupportmicrosoftcomkb2091098)
IO device errors detected (httpsupportmicrosoftcomkb2091098)
IO errors during page faults detected (httpsupportmicrosoftcomkb2091098)
cluster disk corruption encountered (httpsupportmicrosoftcomkb2091098)
disk defragmentation encountered corruption (httpsupportmicrosoftcomkb2091098)
failed IO requests detected (httpsupportmicrosoftcomkb2091098)
IO requests are successful when retried (httpsupportmicrosoftcomkb2015757)
IO Delay Problems reported by SQL Server (httpsupportmicrosoftcomkb2137408)
This system experienced unexpected shutdowns (httpsupportmicrosoftcomkb2091098)
tempdb corruption errors fix missing (httpsupportmicrosoftcomkb960770)
Critical SQL database inconsistency errors found (httpsupportmicrosoftcomkb2152734)
Logical consistency errors detected (httpsupportmicrosoftcomkb2152472)
Database have auto shrink option enabled (httpsupportmicrosoftcomkb2160663)
SQL Server Error logs are very big (httpsupportmicrosoftcomkb2199578)
incorrect affinity mask settings detected httpsupportmicrosoftcomkb2157114
Very low blocked process threshold setting detected httpsupportmicrosoftcomkb2157154
Potential security issue with legacy DTS stored procedures
httpsupportmicrosoftcomkb2202875
Winsock LSP loaded into SQL httpsupportmicrosoftcomkb2033448
Databases using simple recovery model httpsupportmicrosoftcomkb2137539
User database collation different from model httpsupportmicrosoftcomkb2026108
Database files and backups exist on the same volume httpsupportmicrosoftcomkb2027537
Databases have auto close option enabled httpsupportmicrosoftcomkb2160685
LSI SAS drivers needs update httpsupportmicrosoftcomkb2121098
SQL tempdb database not configured optimally httpsupportmicrosoftcomkb2154845
SQL Database file has sparse attribute set httpsupportmicrosoftcomkb2028447
Invalid startup parameters httpsupportmicrosoftcomkb2028433
MSDTC settings not configured optimally httpsupportmicrosoftcomkb2027550
sql incorrect results fix missing httpsupportmicrosoftcomkb971780
File System needs tuning for better FileStream performance
httpsupportmicrosoftcomkb2160002
linked server memory leak fix missing httpsupportmicrosoftcomkb971622EN-US
Windows service pack is not at recommended level httpsupportmicrosoftcomkb2121098
default extended event health session not in expected state
httpsupportmicrosoftcomkb2160570
TcpSysAndChimneyCheck httpsupportmicrosoftcomKB918483
FDHOST Launcher service is not configured properly httpsupportmicrosoftcomkb2160720
Unrecommended SQL Server Agent service account httpsupportmicrosoftcomkb2160720
A required Windows fix to avoid sparse file related problems is missing
httpsupportmicrosoftcomkb2002606
Page 37
Significant Portion of SQL Server Memory Has Been Paged Out
httpsupportmicrosoftcomkb2028324
Server Exception or Hang Detected on Server httpsupportmicrosoftcomkb2028589
Databases exist without CHECKSUM protection httpsupportmicrosoftcomkb2078345
backups outdated for databases httpsupportmicrosoftcomkb2027537
Database consistency check not current httpsupportmicrosoftcomkb2033590
SQL Server Memory settings are incorrect httpsupportmicrosoftcomKB918483EN-US
Autogrow Failed or took a long time httpsupportmicrosoftcomkb2091024
Storport driver fix from KBA 940467 missing httpsupportmicrosoftcomkb2121098
Storport driver fix from KBA 950903 missing httpsupportmicrosoftcomkb2121098
SQLCLR needs additional memory configuration httpsupportmicrosoftcomkb969962EN-US
Operating System files and drivers needs update for working set trimming
httpsupportmicrosoftcomkb2121098
Agent Token Replacement httpsupportmicrosoftcomkb2202637
Auditing Log in failures httpsupportmicrosoftcomkb2187161
Databases with high number of VLF present httpsupportmicrosoftcomkb2028436
Transparent Data Encryption Certificate httpsupportmicrosoftcomkb2201900
Permission on the Binn folder httpsupportmicrosoftcomkb2029023
Index Statistics Are Outdated
Server public permissions httpsupportmicrosoftcomkb2160698
Detected use of older versions of SQLNCLI httpsupportmicrosoftcomkb979779
62 AS Rules
Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions
Flight Recorder Enabled for SQL Server Analysis Services
httpsupportmicrosoftcomkb2128005
Excessive amount of memory preallocated to Analysis Services
httpsupportmicrosoftcomkb2027474
Server not configured for optimal concurrent query throughput
httpsupportmicrosoftcomkb2135031
Non standard value detected for Analysis Services memory configuration
httpsupportmicrosoftcomkb2027472
Process Thread Pool Max limit above recommended limit
httpsupportmicrosoftcomkb2134497
Process Thread Pool Minimum is below the recommended limit
httpsupportmicrosoftcomkb2134855
Server is running a build with a known regression httpsupportmicrosoftcomkb2157941
Slice not set on a ROLAP partition or a partition where proactive caching is enabled and
ROLAP storage ay occur httpsupportmicrosoftcomkb2027754
Server is ignoring duplicate key errors httpsupportmicrosoftcomkb2027761
No default member defined for non-aggregatable attribute
httpsupportmicrosoftcomkb2027769
UnknownMember set to hidden httpsupportmicrosoftcomkb2027628
Non-numeric key column for high cardinality attribute httpsupportmicrosoftcomkb2028138
Attribute hiearchy enabled for high cardinality non-key attribute
httpsupportmicrosoftcomkb2028143
ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition
detected httpsupportmicrosoftcomkb2132742
Page 38
Account or Time attribute types defined in a non-matching dimension type
httpsupportmicrosoftcomkb2157299
An Account or Time dimension has no matching attribute defined
httpsupportmicrosoftcomkb2027418
Dimension has no attribute defined with the same type
httpsupportmicrosoftcomkb2027443
Attribute Dimension type mismatch httpsupportmicrosoftcomkb2157327
Mismatched dimension attribute types detected in dimension
httpsupportmicrosoftcomkb2027459
Possible incorrect order of levels defined in hierarchy httpsupportmicrosoftcomkb2027460
Define attribute relationships as Rigid where possible httpsupportmicrosoftcomkb2027468
Redundant attribute relationships detected httpsupportmicrosoftcomkb2127437
Diamond-shape relationship detected httpsupportmicrosoftcomkb2127570
Non-Standard Attribute Relationship name detected httpsupportmicrosoftcomkb2127862
Proactive Caching set for dimension without a processing query
httpsupportmicrosoftcomkb2027541
No Time dimension detected httpsupportmicrosoftcomkb2027532
More than 3 parent-child dimensions with custom rollups defined
httpsupportmicrosoftcomkb2134431
Encountered a parent-child dimension with more than 500000 members
httpsupportmicrosoftcomkb2131918
Single attribute dimensions detected httpsupportmicrosoftcomkb2141654
Measure groups with zero dimensional overlap detected in cube
httpsupportmicrosoftcomkb2027609
Proactive Caching set for a partition without a processing query
Default measure for perspective not in the perspective
httpsupportmicrosoftcomkb2027603
Use MOLAP storage for dimensions that participate in semi-additive measure groups
httpsupportmicrosoftcomkb2135112
Measure group defined with no partition httpsupportmicrosoftcomkb2027545
63 RS Rules
RSWindowsNegotiate is missing from your configuration
httpsupportmicrosoftcomkb2145506
HTTP Logging is not enabled httpsupportmicrosoftcomkb2145909
Verbose logging is enabled httpsupportmicrosoftcomkb2146315
NTLM authentication may fail for local httpsupportmicrosoftcomkb2146369
Missing extended protection settings httpsupportmicrosoftcomkb2146062
64 IS Rules
Logging task missing for package httpsupportmicrosoftcomkb2027723
ActiveX Script task detected in package httpsupportmicrosoftcomkb2027712
Unrecommended Integration Services service account detected
httpsupportmicrosoftcomkb2027684
Integration Services logging table found in system database master and or msdb
httpsupportmicrosoftcomkb2027706
Integration Services memory dump detected httpsupportmicrosoftcomkb2027727
Page 39
65 Setup Rules
Unsupported Operating System Version Detected httpsupportmicrosoftcomkb2022909
WOW64 not supported for SQL Failover Clustering httpsupportmicrosoftcomkb2157198
Installer cache is missing for the SQL Installation httpsupportmicrosoftcomkb2015100
SQL Server WMI Provider Health Check
66 Replication Rules
Replication Timeout Alerts Type httpsupportmicrosoftcomkb2118349
Replication Pub and Sub out of sync (Data Validation) httpsupportmicrosoftcomkb2118386
Replication Pub and Sub out of sync (Constraint Violations)
httpsupportmicrosoftcomkb2118410
Replication Pub and Sub out of sync (Skipped Transactions)
httpsupportmicrosoftcomkb2194498
Merge Replication Health Check httpsupportmicrosoftcomkb2118445
Subscriptions Approaching Expiration httpgomicrosoftcomfwlinkLinkId=184483
Replication Cleanup and Retention Health Check httpsupportmicrosoftcomkb2118485
Replication Latency Threshold violations httpsupportmicrosoftcomkb2118425
Page 40
7 HOW TO DEAL WITH DEVIATIONS
Deviations from these Best Practices may indicate potential issues and configuration changes may be
necessary Make sure you have tested any intended changes in a test environment before deploying
them to a production environment You could also find deviations from Best Practices that are
acceptable or even necessary for your environment For example
SAP has its special Network Packet Size of 8 KB
Existing Non-Microsoft Clients ndash would require Mixed Mode Authentication
Page 41
8 MOTIVATION TO USE SQL BPA R2
Bob Ward explained in his Article ldquoWhy use SQL Server 2008 R2 BPA Case 1 Missing Updatesrdquo
the common pitfalls during maintenance and operation of SQL Server and how address them by using
the SQL BPA
In brief itrsquos a customer scenario where the customer is facing an issue after a major update to
SQL2008 After some troubleshooting and an update to a certain CU (that is meant to fix the issue) the
problem still occurs Bobs article states the common resulting consequences ndash the involvement of
Microsoft Support and the final solution ndash adding a needed traceflag
The good news in this story is that the customer would not have needed to go to all that effort if they
would have run the SQL BPA It would have told them about the update and instructed them to put the
traceflag in place BPA is a mechanism that proactively advises you and instructs you on dealing with
common known issues
Page 42
9 ADDITIONAL INFORMATION
91 PowerShell
To use the functionality of the Baseline Configuration Analyzer with PowerShell you must import this
module first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
The following commands are stored in this module
Get-MbcaModel
Get-MbcaResult
Invoke-MbcaModel
Set-MbcaResult
You get help of this command with the following syntax
Get-help ltcommandgt -full
911 Get-MBCAModel
SYNOPSIS
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer
SYNTAX
Get-MBCAModel [[-ModelId] ltstring[]gt] [[-SubModelId] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer If no parameter is
specified Get-MBCAModel returns all models that are installed on the computer If a model is specified
by using the -ModelId parameter information about the specified model is returned
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
The results of the Get-MBCAModel cmdlet include the following details about models
1 Branding information (manufacturer or company display names version number) that is found in
the model manifest
2 Dynamic parameters that are included with the model
3 Submodels that are included with the model
PARAMETERS
-ModelId ltstring[]gt
The -ModelId parameter specifies the ID of the MBCA model about which you want to view
details You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet with no parameters and targeted at a computer on which MBCA models are installed
Page 43
This parameter supports wild card characters
Required false
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you
want to view details You can obtain valid values for the -SubModelId parameter by running the
Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models
are installed Not all models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
Examples
Get-MBCAModel
In the preceding example Get-MBCAModel with no parameters added returns details about all MBCA
models that are installed on the computer
Get-MBCAModel -ModelId SQL2008R2BPA
The preceding example can be used to return details about the MBCA model that is specified in the -
ModelId parameter represented by Model Id
$model= Get-MBCAModel -ModelId SQL2008R2BPA
$modelParameters
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the Parameters property of the model details that were stored in the
$model object returns details about which parameters are supported by the model
Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId ltSubModel Idgt
The preceding example can be used to return details about the MBCA sub-model that is specified by
the -SubModelId parameter represented by SubModel Id Note that the -ModelId parameter is
required by the -SubModelId parameter
$model= Get-MBCAModel -ModelId SQL2008R2BPA
Page 44
$modelSubModels
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the SubModels property of the model details that were stored in the
$model object returns a list of the submodels of the model specified in the first line
912 Invoke-MBCAModel
SYNOPSIS
The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA)
scan for a specific model that is installed on your computer
SYNTAX
Invoke-MBCAModel [-ModelId] ltstringgt -SubModelId ltstringgt [-Authentication
ltAuthenticationMechanismgt] [-CertificateThumbprint ltstringgt] [-ComputerName
ltstring[]gt] [-ConfigurationName ltstringgt] [-Context ltstringgt] [-Credential
ltstringgt] [-Mode ltModeEnumgt] [-Port ltintgt] [-RepositoryPath ltstringgt] [-
ThrottleLimit ltintgt] [-UseSSL] [ltCommonParametersgt]
DESCRIPTION
The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer
(MBCA) scan for a specific model that is installed on your computer The model is specified either by
using the parameter -ModelId or by piping the results of the Get-MBCAModel cmdlet into an Invoke-
MBCAMode cmdlet
After the MBCA scan has been performed the results of the scan are available to be retrieved by Get-
MBCAResult cmdlet
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Authentication ltAuthenticationMechanismgt
Specifies the authentication mechanism that is used to authenticate the users credentials Valid
values include Default Basic CredSSP Digest Kerberos Negotiate and
NegotiateWithImplicitCredential The default value is Default
For more information about the -Authentication parameter type the following and then press
Enter
Get-Help Invoke-Command -Parameter Authentication
Required false
Position named
Default value Default
Accept pipeline input false
Accept wildcard characters false
-CertificateThumbprint ltstringgt
Page 45
Specifies the digital public key certificate (X509) of a user account that has rights to perform the
cmdlet action The valid value is the certificate thumbprint of the certificate
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Certificate Thumbprint
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific
computer by adding this parameter Valid values include NETBOS names IP addresses or fully-
qualified domain names of one or more computers in a comma-separated list To specify the local
computer type the computer name or localhost
All formats that are accepted by the -ComputerName parameter in Invoke-Command are
accepted
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ConfigurationName ltstringgt
Specifies the session configuration that is used for a new PSSession
Enter a configuration name or the fully-qualified resource URI for a session configuration
Session configuration data is found on the remote computer on which you want to run a cmdlet
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ConfigurationName
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
The -Context parameter lets you run scans on a submodel in the context of a specific model (one
that is different from the parent model of the submodel) For example an administrator might
want to run a scan on the Backend submodel of the SQL model but only those in the context
of a third model a technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
Page 46
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Credential ltstringgt
Specifies a user account that has permission to run this cmdlet The default value is the current
user
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Credential
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Mode ltModeEnumgt
The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered
documents or discovery The default is to perform both discovery and analysis or All
If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet both discovery and
analysis are performed during a scan
Valid values are Discovery Analysis and All
Required false
Position named
Default value All
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model that you want to scan You can
obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at
a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
Page 47
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-Port ltintgt
Specifies the network port on a remote computer on which you want to run a scan The default
value is port 80
For more information on this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Port
Required false
Position named
Default value 80
Accept pipeline input false
Accept wildcard characters false
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a pathname If the parameter is not used the cmdlet writes
results to the default result repository
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to
scan You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed Not all models have
submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ThrottleLimit ltintgt
Specifies the maximum number of concurrent connections that can be established to run the
cmdlet If you omit this parameter or enter a value of 0 the default value of 32 is used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ThrottleLimit
Required false
Page 48
Position named
Default value 32
Accept pipeline input false
Accept wildcard characters false
-UseSSL [ltSwitchParametergt]
Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer
By default SSL is not used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter UseSSL
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceInvokeBpaModelOutputgt
The output object encapsulates the results of the cmdlet that you entered It contains information such
as the MBCA model ID the success or failure of the cmdlet and other details
NOTES
If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C)
before the temporary results file is copied to its final location the temporary file is discarded and any
previous scan results file for the role are preserved The message Processing of Invoke-MBCAModel
cancelled by user is displayed if the command is cancelled before existing scan results files are
overwritten
If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel
cmdlet and the command is cancelled scans that were completed before the cancel command was
entered cannot be cancelled A scan in progress behaves as described above in the single-model scan
cancellation scenario Subsequent scans in the pipeline are cancelled
If a concurrent scan of the same model is attempted the cmdlet returns the following error message
Another scan for this MBCA model is in progress Only one scan is allowed at a time
-------------------------- EXAMPLE 1 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA
Description
The preceding example starts a MBCA scan on the model that is represented by ltModel Idgt
-------------------------- EXAMPLE 2 --------------------------
Page 49
Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name
redmondmicrosoftcom
Description
The preceding example starts an MBCA scan on the model ID that is specified by Model Id
The administrator starts the MBCA scan with additional model-specific parameters that are exposed by
the model (For an example of how to obtain model-specific parameters see the examples for the Get-
MBCAModel cmdlet)
For example to scan a model that requires model-specific parameters (such as -Scope and -Name) to
be passed to the command the administrator can specify the values of these model-specific
parameters with the Invoke-MBCAModel cmdlet
-------------------------- EXAMPLE 3 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The
cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion
of the scan
-------------------------- EXAMPLE 4 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath
ltRepository Pathgt
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The -
Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on
existing documents that are specified in the non-default repository path provided with the -Repository
Path parameter
-------------------------- EXAMPLE 5 --------------------------
Invoke-MBCAModel -Id ltModel Idgt -SubModelId ltSubModel Idgt -ComputerName
ltServergt -Context ltContext Model Idgt -RepositoryPath ltRespository Pathgt -
AsJob -Authentication ltAuthenticatonMechanismgt -Port ltPort Numbergt -UseSSL -
ThrottleLimit ltThrottle Limitgt
Description
The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id
and on the computer that is represented by Server
Because the administrator only wants to see results from the submodel that apply in the context of a
third model the administrator runs the scan within the context of the model ID that is specified in the -
Context parameter The cmdlet results are saved to the non-default repository path that is specified in
the -RepositoryPath parameter
Because the -AsJob parameter is added the scan runs in the background The -AsJob -
Authentication -Port -UseSSL and -ThrottleLimit parameters are passed through for use by the
Invoke-Command cmdlet to perform discovery on a remote computer For more information about
these parameters see the Help for the Invoke-Command cmdlet available in Windows PowerShell V2
913 Get-MBCAResult
SYNOPSIS
Page 50
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
SYNTAX
Get-MBCAResult [-ModelId] ltstringgt [[-CollectedConfiguration]] -SubModelId
ltstringgt [-ComputerName ltstring[]gt] [-Context ltstringgt] [-Filter
ltFilterEnumgt] [-RepositoryPath ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
To use the command add the -ModelId parameter and then specify the model ID for which you want
to view the most recent MBCA scan results or collected configuration data If you want to retrieve the
configuration data collected add the -CollectedConfiguration switch parameter
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-CollectedConfiguration [ltSwitchParametergt]
The -CollectedConfiguration parameter allows you to obtain the configuration data that was
collected for the most recent MBCA scan If this switch parameter is added to Get-MBCAResults
the cmdlet returns only the configuration data that was collected for a scan
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The -ComputerName parameter lets you obtain scan results that were collected for the most
recent MBCA scan of a submodel on a specific computer To specify the local computer type the
computer name or localhost Multiple values for -ComputerName can be separated by
commas
The -SubModelId parameter is required by the -ComputerName parameter
Valid values for the -ComputerName parameter include localhost a NET BIOS name an IP
address or a fully-qualified domain name (FQDN) of one or more computers in a comma-
separated list
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
Page 51
The -Context parameter lets you obtain scan results that were collected for the most recent
MBCA scan of a submodel in the context of a specific model (one that is different from the parent
model of the submodel) For example an administrator might want to display scan results for the
Backend submodel of the SQL model but only those in the context of a third model a
technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Filter ltFilterEnumgt
The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant
Noncompliant or All results Valid values are Noncompliant Compliant or All The default value
is All
The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan
results You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet obtains
results from the default result repository
Required false
Position named
Page 52
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you
want to view scan results You can obtain valid values for the -SubModelId parameter by running
the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed Not all
models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceResultgt OR
SystemXmlXmlDocument (if -CollectedData specified)
If you do not use the -CollectedConfiguration parameter verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Results
2 Attempting to get MBCA results for Model Id = 0
3 Completed getting MBCA results for Model Id = 0 Number of Results = 1
If you add the -CollectedConfiguration parameter to display configuration data that was used for a
scan verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Configuration Data
2 Attempting to get MBCA collected configuration data for Model Id = 0
3 Completed getting MBCA collected configuration data for Model Id = 0
NOTES
The Get-MBCAResult cmdlet must be run by a member of the Administrators group and it does not
start a new scan
Cancellation behaviour
Single Model - To cancel this cmdlet you must press Ctrl+C before the ResultCollection is displayed
on the console The operation is cancelled and results are not displayed on the console
Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models
the cmdlet generates only those results that were displayed on the console before the cancellation
Any subsequent results in the pipeline are cancelled and not displayed
Page 53
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -Id SQL2008R2BPA
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id
-------------------------- EXAMPLE 2 --------------------------
Get-MBCAModel | Get-MBCAResult
In the preceding example Get-MBCAModel is used to return a list of all MBCA models that are
installed on the computer The results of the Get-MBCAModel cmdlet are piped to the Get-
MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both
supported by MBCA and installed on the computer at which the cmdlet is targeted
-------------------------- EXAMPLE 3 --------------------------
$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$resultDiscoveryDocument
Description
In the preceding example configuration data (in XML form) that was collected during the most recent
Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is
retrieved and stored as a property in the variable $result $resultDiscoveryDocument is of type
SystemXmlXmlDocument
-------------------------- EXAMPLE 4 --------------------------
Get-MBCAResult SQL2008R2BPA -Filter Noncompliant
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id and then applies a filter to show only Noncompliant
results
------------------------- EXAMPLE 5 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId Note that the parent model ID must be specified
to use the -SubModelId parameter
------------------------- EXAMPLE 6 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt -ComputerName ltServergt
-Context ltContext Model Idgt -RepositoryPath ltRepository Pathgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId The parent model ID is provided as required by
the -SubModelID parameter
The -Context parameter indicates that the administrator wants to see only those scan results that are in
the context of the model that is represented by Context Model Id for example only those results from
a SQL Server scan that specifically apply to another technology such as Web Server (IIS)
Page 54
The scan results are further narrowed to only those from a computer that is specified in the -
ComputerName parameter as Server and only those results found in the non-default results
repository that is represented by Repository Path
914 Set-MBCAResult
SYNOPSIS
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
SYNTAX
Set-MBCAResult [[-Exclude] ltBooleangt] [-Results] ltResultgtgt [[-
RepostitoryPath] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
The action specified in the cmdlet (Exclude for example) determines how the existing results of an
MBCA scan are updated Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet
to return a collection of scan results
You can apply filters to results that are returned by the Get-MBCAResult cmdlet and then pipe the
filtered collection of results to the Set-MBCAResult cmdlet specifying either to include or exclude
filtered scan results
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Exclude ltBooleangt
Excludes scan results from the results collection that were previously obtained by the Get-
MBCAResult command To exclude results by using the -Exclude parameter add the value $true
following the parameter as shown
-Exclude $true
To include results that have been excluded use the $false value for the -Exclude parameter
Required false
Position 2
Default value
Accept pipeline input false
Accept wildcard characters false
-RepostitoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet
modifies results from the default result repository
Required false
Page 55
Position 4
Default value
Accept pipeline input false
Accept wildcard characters false
-Results ltResultgtgt
Specifies the result collection to be updated by the Set-MBCAResult cmdlet The -Results
parameter is typically used to specify a filtered subset of scan results that has already been
stored in a variable the variable name is provided as the valid value for the -Results parameter
For example if you have created a variable $allPerformance to store all the Performance
category results for an MBCA scan of all models on a computer and you want to exclude those
Performance results from the complete collection of scan results you add the parameter -Results
$all Performance to a Set-MBCAResult cmdlet
For a more detailed example see the Examples section of the Help for this cmdlet
Required true
Position 3
Default value
Accept pipeline input true (ByValue)
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type ldquoget-
help about_commonparameters
NOTES
If the Set-MBCAResult command is cancelled before the results are written to a file the operation is
cancelled and the results file is not modified If cancellation occurs after the results file has been
modified the commands actions are carried out and the command cannot be cancelled
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -ModelId SQL2008R2BPA | Where $_Category -eq
Performance | Set-MBCAResult -Exclude $true
Description
The first section of the preceding example to the left of the first pipe character (|) uses the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is
represented by Model Id
The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those
scan results for which the category name is equal to Performance
The final section of the example following the second pipe character excludes the Performance
results that were filtered by the previous section of the example
-------------------------- EXAMPLE 2 --------------------------
$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath
CReposPath | Where $_Category -eq Policy
Page 56
Set-MBCAResult -Exclude $true -RepositoryPath CReposPath -Results
$rcPolicy
Description
The first line of the preceding example to the left of the pipe character (|) instructs the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is
represented by Specified Model Id from the specified non-default repository path
The second section of the example after the pipe character filters the results of the Get-MBCAResult
cmdlet to return only those scan results for which the category name is equal to (note the -eq option)
Policy The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet this
variable can be used in subsequent commands to represent those results
The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that
are stored in the $rcPolicy variable In this example the -Results parameter is added because the
administrator wants to exclude a specific subset of scan results for that model and has created the
variable $rcPolicy to represent that subset of results The repository root is specified in the second line
because the administrator wants to modify the results in the same non-default repository from which
the data in $rcPolicy was retrieved
915 MBCA Model Authoring
Further information about configuration and usage of MBCA models you can in the
MBCA_ModelAuthoringGuidedocx
Page 57
Did this paper help you Please give us your feedback Tell us on a scale of 1 (poor) to 5 (excellent)
how would you rate this paper and why have you given it this rating For example
Are you rating it high due to having good examples excellent screen shots clear writing or
another reason
Are you rating it low due to poor examples fuzzy screen shots or unclear writing
This feedback will help us improve the quality of white papers we release
Send feedback
Page 25
$envcomputernameltPgt -post For details contact Microsoft Premier gt
ctempsql2008r2bpahtm
Page 26
5 TROUBLESHOOTING
51 Application directories
To following directories are used by MBCA
Report output directory localappdataMicrosoftMicrosoftBaselineConfigurationAnalyzer 2ReportsSQL2008R2BPAResults
Model configuration path ProgramdataMicrosoftMicrosoft Baseline Configuration Analyzer 2ModelsSQL2008R2BPA
Temp and log files directory tempSQL2008R2BPASQL2008ltdategt_lttimegt
Registry [HKEY_LOCAL_MACHINESOFTWAREMicrosoftBaselineConfigurationAnalyzer]
Log Files
During Data Discovery SQL Server 2008 R2 BPA creates log files for troubleshooting The log file
contains the following information
Pre-requisite validation
Timestamp finished rules start and end times
Run-time scripting errors and exceptions from Power Shell Traps
Log Files Location
For every scan log files are created in userrsquos Local Temp directory (Temp) and follows the folder
structure SQL2008R2BPAlt Instance Name gtlt datestamp_timestamp gtlt Log files gt
Note In case of a remote scan the category log files are generated on the remote system at the same
path whereas the common log file is generated in the local system
Log Files Structure
A common log file gets generated and contains information about each categorys execution Apart
from this each category has its own log file which details the rule execution The names of the log files
are given below
Common File - ModelLogtxt
Engine Rules - EngineLogtxt
Replication Rules - ReplicationLogtxt
Setup Rules - SetupLogtxt
Analysis Services Rules - AnalysisServicesLogtxt
Reporting Services Rules - ReportingServicesLogtxt
Integration Services Rules - IntegrationServicesLogtxt
52 Windows Server 2003 ndash NumberOfLogicalProcessors
Analysis Services RID2803 and RID2804 ndash NumberOfLogicalProcessors property is unavailable in
Win32_Processor for with Windows Server 2003
Solution The NumberOfLogicalProcessors property does not exist in the WIN32_PROCESSOR object
in Windows Server 2003 It has been implemented in the hotfix
httpsupportmicrosoftcomkb932370
Both of the rules below will function properly if you apply this hotfix For more information look here
Page 27
53 MBCA
This message indicates that on prerequisite is not installed
Please install the version 2 of the MBCA
54 Where can I find the Instance name in result set of the analyzer
report
The instance name is in the collected data option of the analyzer report in the BPA GUI
55 Memory limit of remote PowerShell process
By default remote PowerShell process can consume only 150 MB or less memory This default limit is
significantly small and once this limit is reached there could be a WinRM exception causing and remote
connection immediately terminates Any application or Cmdlet which is involved in PowerShell
remoting should be tested for this memory limit this may cause some of the command to fail for
example site collection creation
Solution Increase the memory limit for the remote shell Use the following command to increase this
limitation to 1000MB This is only necessary if you need to run those commands on that server
Set-Item WSManlocalhostShellMaxMemoryPerShellMB 1000
56 Remote connect
If you try to ldquoConnect to another computerrdquo from MBCA and you receive the following message
Page 28
You should check first if the Hotfix KB968930 is installed
Afterwards validate that the ldquoWindows Remote Managementrdquo service is started
Enable-PSRemoting
If CredSSP is unsupported or unavailable you will see the following message
Page 29
If you have no permission to access the remote server you get the error message
Page 30
57 Installation
571 PowerShell error
After getting through the Pre-Reqs for BPA (PowerShell 20 MBCA NET Framework) you may hit
one of two scenarios when installing BPA
In all of the cases of an install failure you will see the following error
There is a problem with this Windows Installer package A program run as part of the setup did not
finish as expected Contact your support personnel or package vendor
In your Application Event Log for both of these scenarios you will also see the following entry
Log Name Application
Source MsiInstaller
Date 6102010 83818 AM
Event ID 11722
Task Category None
Level Error
Keywords Classic
User ltUsernamegt
Computer ltMachine namegt
Description
Product Microsoft SQL Server 2008 R2 BPA -- Error 1722 There is a problem
with this Windows Installer package A program run as part of the setup did
not finish as expected Contact your support personnel or package
vendor Action EnablePSRemoting location powershellexe command -NoLogo
-NoProfile -Command Enable-PSRemoting ndashforce
Page 31
This is an indicator that PowerShell is not configured You must run the following command
powershellexe -NoLogo -NoProfile -Command Enable-PSRemoting ndashforce
572 Workgroup or Non-Domain computer
In this scenario the Enable-PSRemoting command should execute fine from a PowerShell prompt
The actual error coming back from the PowerShell command within the Installer is ldquoAccess Deniedrdquo
To work around this issue you can do the following
1 Open a command prompt with Administrative Privileges
2 Change to the directory where the msi file resides
3 Type msiexec i ltMSI Namegt SKIPCA=1
4 MSI Name will either be SQL2008R2BPA_Setup32msi or SQL2008R2BPA_Setup64msi
depending on your platform
5 Once BPA is installed open a PowerShell prompt with Administrative Privileges
6 Execute the following commands
a Enable-PSRemoting
b winrm set winrmconfigwinrs ``MaxShellsPerUser=`10``
This should allow BPA to be successfully installed in the workgroup scenario
573 Kerberos Failure
This scenario is that you are failing with the above due to a Kerberos issue This particular issue could
actually show up after you have installed BPA depending on how you have configured your
environment
The issue stems from the fact that the Windows Remoting Windows Service uses the Network Service
account Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos As a
result it will be using the HOST Service Principal Name (SPN) that is on the Machine Account as it is
running under that context You may have an HTTP SPN that resides on a different account with that
host name For example if you are running an IIS Web Application such as SharePoint or if you are
using Reporting Services and the service account is set to a Domain User account instead of Network
Service or Local System If your URL of your application matches the machine name then your HTTP
SPN will be the same Thatrsquos where this problem comes in WinRM will stop working at that point and
give you a message similar to the following
Set-WSManQuickConfig WinRM cannot process the request The following error
occured while using Negotiate authentication An unknown security error
occurred
Possible causes are
-The user name or password specified are invalid
-Kerberos is used when no authentication method and no user name are
specified
-Kerberos accepts domain user names but not local user names
-The Service Principal Name (SPN) for the remote computer name and port
does not exist
-The client and remote computers are in different domains and there is no
trust between the two domains
After checking for the above issues try the following
-Check the Event Viewer for events related to authentication
-Change the authentication method add the destination computer to the
WinRM TrustedHosts configuration setting or use HTTPS transport
Note that computers in the TrustedHosts list might not be authenticated
-For more information about WinRM configuration run the following
Page 32
command winrm help config
At line50 char33
+ Set-WSManQuickConfig ltltltlt -force
+ CategoryInfo InvalidOperation () [Set-WSManQuickConfig]
InvalidOperationException
+ FullyQualifiedErrorId
WsManErrorMicrosoftWSManManagementSetWSManQuickConfigCommand
You can get this type of error from WinRM for muliple reasons The one that
we saw in our testing was the HTTP SPN scenario
If you do have an HTTP SPN defined on a Domain Account that is using the name of your machine
you have some options First you can follow the steps mentioned above to get BPA installed The
Enable-PSRemoting command will give you the above error You can temporarily remove the HTTP
SPN to get remoting enabled and then re-add the HTTP SPN
Once BPA is setup you will still not be able to run BPA if you put the HTTP SPN back in place You will
see the following when you attempt to perform a scan
This will occur regardless of which component you try to scan It could be the Engine Setup RS etchellip
One option to perform the scan successfully is to temporarily remove the HTTP SPN again run the
scan and then put the HTTP SPN back in place Another option but one that will probably require
further testing from your applicationrsquos end would be to run the application under a Host Header and
then your HTTP SPN would not include the machine name allowing BPA to run without issue
Page 33
6 RULES
Searching for ldquoSQL Server 20087 R2 BPArdquo at Microsoftcom reveals
Here is an example of one of these articles that talks about a rule to check for a recent ldquocleanrdquo
CHECKDB
Page 34
BPA works by measuring a rolersquos compliance with best practice rules in eight different categories of a
rolersquos effectiveness trustworthiness and reliability Results of measurements can be any of the three
severity levels described in the following table
Severity level Description
Noncompliant Noncompliant results are returned when a role does not satisfy the conditions of a rule
Compliant Compliant results are returned when a role satisfies the conditions of a rule
Warning Warning results are returned when a role is compliant as operating currently but may not satisfy the conditions of a
rule if changes are not made to its configuration or policy settings For example a scan of Remote Desktop Services
might show a warning result if a license server is unavailable to the role because even if no remote connections are
active at the time of the scan not having the license server prevents new remote connections from obtaining valid
client access licenses
Page 35
BPA rule categories
The following table describes the categories of best practice rules against which roles are measured
during a BPA scan
Category Name Description
Security Security rules are applied to measure a rolersquos relative risk for exposure to threats such as unauthorized or malicious
users or loss or theft of confidential or proprietary data
Performance Performance rules are applied to measure a rolersquos ability to process requests and perform its prescribed duties in
the enterprise within expected periods of time given the rolersquos workload
Configuration Configuration rules are applied to identify role settings that might require modification for the role to perform
optimally Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role
from performing its prescribed duties in an enterprise
Policy Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the
role to operate optimally and securely
Operation Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise
Predeployment Predeployment rules are applied before an installed role is deployed in the enterprise to let administrators to
evaluate whether best practices were satisfied before you use the role in production
Postdeployment Postdeployment rules are applied after all required services have started for a role and the role is running in the
enterprise
BPA Prerequisites BPA Prerequisite rules explain configuration settings policy settings and features that are required for the role
before BPA can apply specific rules from other categories A prerequisite in scan results indicates that an incorrect
setting a missing role role service or feature an incorrectly enabled or disabled policy a registry key setting or
other configuration has prevented BPA from applying one or more rules during a scan A prerequisite result does
not imply compliance or noncompliance It means that a rule could not be applied and therefore is not part of the
scan results
61 Engine Rules
Please find below a summary of the 74 Engine Rules with the links to the rule descriptions These rules
are checking that you have a secure resilient and well performing SQL configuration
Authentication Mode (httpsupportmicrosoftcomkb2028697)
Lightweight Pooling is enabled (httpsupportmicrosoftcomkb2160691)
Locks Configuration Not Dynamic (httpsupportmicrosoftcomkb2199576)
non-default network packet size in use (httpsupportmicrosoftcomkb2157175)
degree of parallelism not set to recommended value (httpsupportmicrosoftcomkb2023536)
Use Database Mail instead of SQL Mail (httpsupportmicrosoftcomkb2028584)
SQL Server Agent Proxy Account (httpsupportmicrosoftcomkb2160741)
SQL Login Password Policy Strength and password expiry
(httpsupportmicrosoftcomkb2028712)
Trustworthy Bit (httpsupportmicrosoftcomkb2183687)
Symmetric Keys Check (httpsupportmicrosoftcomkb2162020)
Asymmetric Keys Check (httpsupportmicrosoftcomkb2162020)
SQL Server installed on PDC BDC (httpsupportmicrosoftcomkb2032911)
Page 36
SQL Server Admin role membership check (httpsupportmicrosoftcomkb2184138)
Windows API calls intercepted (httpsupportmicrosoftcomkb2033238)
unsupported DotNET framework assemblies present (httpsupportmicrosoftcomkb2033344)
Disk partition starting offset may be incorrect (httpsupportmicrosoftcomkb2023571)
non-default max worker threads value configured (httpsupportmicrosoftcomkb2157129)
Guest Permissions (httpsupportmicrosoftcomkb2186935)
Data and Log files on the same volume (httpsupportmicrosoftcomkb2033523)
IO timeouts and IO controller errors detected (httpsupportmicrosoftcomkb2091098)
IO device errors detected (httpsupportmicrosoftcomkb2091098)
IO errors during page faults detected (httpsupportmicrosoftcomkb2091098)
cluster disk corruption encountered (httpsupportmicrosoftcomkb2091098)
disk defragmentation encountered corruption (httpsupportmicrosoftcomkb2091098)
failed IO requests detected (httpsupportmicrosoftcomkb2091098)
IO requests are successful when retried (httpsupportmicrosoftcomkb2015757)
IO Delay Problems reported by SQL Server (httpsupportmicrosoftcomkb2137408)
This system experienced unexpected shutdowns (httpsupportmicrosoftcomkb2091098)
tempdb corruption errors fix missing (httpsupportmicrosoftcomkb960770)
Critical SQL database inconsistency errors found (httpsupportmicrosoftcomkb2152734)
Logical consistency errors detected (httpsupportmicrosoftcomkb2152472)
Database have auto shrink option enabled (httpsupportmicrosoftcomkb2160663)
SQL Server Error logs are very big (httpsupportmicrosoftcomkb2199578)
incorrect affinity mask settings detected httpsupportmicrosoftcomkb2157114
Very low blocked process threshold setting detected httpsupportmicrosoftcomkb2157154
Potential security issue with legacy DTS stored procedures
httpsupportmicrosoftcomkb2202875
Winsock LSP loaded into SQL httpsupportmicrosoftcomkb2033448
Databases using simple recovery model httpsupportmicrosoftcomkb2137539
User database collation different from model httpsupportmicrosoftcomkb2026108
Database files and backups exist on the same volume httpsupportmicrosoftcomkb2027537
Databases have auto close option enabled httpsupportmicrosoftcomkb2160685
LSI SAS drivers needs update httpsupportmicrosoftcomkb2121098
SQL tempdb database not configured optimally httpsupportmicrosoftcomkb2154845
SQL Database file has sparse attribute set httpsupportmicrosoftcomkb2028447
Invalid startup parameters httpsupportmicrosoftcomkb2028433
MSDTC settings not configured optimally httpsupportmicrosoftcomkb2027550
sql incorrect results fix missing httpsupportmicrosoftcomkb971780
File System needs tuning for better FileStream performance
httpsupportmicrosoftcomkb2160002
linked server memory leak fix missing httpsupportmicrosoftcomkb971622EN-US
Windows service pack is not at recommended level httpsupportmicrosoftcomkb2121098
default extended event health session not in expected state
httpsupportmicrosoftcomkb2160570
TcpSysAndChimneyCheck httpsupportmicrosoftcomKB918483
FDHOST Launcher service is not configured properly httpsupportmicrosoftcomkb2160720
Unrecommended SQL Server Agent service account httpsupportmicrosoftcomkb2160720
A required Windows fix to avoid sparse file related problems is missing
httpsupportmicrosoftcomkb2002606
Page 37
Significant Portion of SQL Server Memory Has Been Paged Out
httpsupportmicrosoftcomkb2028324
Server Exception or Hang Detected on Server httpsupportmicrosoftcomkb2028589
Databases exist without CHECKSUM protection httpsupportmicrosoftcomkb2078345
backups outdated for databases httpsupportmicrosoftcomkb2027537
Database consistency check not current httpsupportmicrosoftcomkb2033590
SQL Server Memory settings are incorrect httpsupportmicrosoftcomKB918483EN-US
Autogrow Failed or took a long time httpsupportmicrosoftcomkb2091024
Storport driver fix from KBA 940467 missing httpsupportmicrosoftcomkb2121098
Storport driver fix from KBA 950903 missing httpsupportmicrosoftcomkb2121098
SQLCLR needs additional memory configuration httpsupportmicrosoftcomkb969962EN-US
Operating System files and drivers needs update for working set trimming
httpsupportmicrosoftcomkb2121098
Agent Token Replacement httpsupportmicrosoftcomkb2202637
Auditing Log in failures httpsupportmicrosoftcomkb2187161
Databases with high number of VLF present httpsupportmicrosoftcomkb2028436
Transparent Data Encryption Certificate httpsupportmicrosoftcomkb2201900
Permission on the Binn folder httpsupportmicrosoftcomkb2029023
Index Statistics Are Outdated
Server public permissions httpsupportmicrosoftcomkb2160698
Detected use of older versions of SQLNCLI httpsupportmicrosoftcomkb979779
62 AS Rules
Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions
Flight Recorder Enabled for SQL Server Analysis Services
httpsupportmicrosoftcomkb2128005
Excessive amount of memory preallocated to Analysis Services
httpsupportmicrosoftcomkb2027474
Server not configured for optimal concurrent query throughput
httpsupportmicrosoftcomkb2135031
Non standard value detected for Analysis Services memory configuration
httpsupportmicrosoftcomkb2027472
Process Thread Pool Max limit above recommended limit
httpsupportmicrosoftcomkb2134497
Process Thread Pool Minimum is below the recommended limit
httpsupportmicrosoftcomkb2134855
Server is running a build with a known regression httpsupportmicrosoftcomkb2157941
Slice not set on a ROLAP partition or a partition where proactive caching is enabled and
ROLAP storage ay occur httpsupportmicrosoftcomkb2027754
Server is ignoring duplicate key errors httpsupportmicrosoftcomkb2027761
No default member defined for non-aggregatable attribute
httpsupportmicrosoftcomkb2027769
UnknownMember set to hidden httpsupportmicrosoftcomkb2027628
Non-numeric key column for high cardinality attribute httpsupportmicrosoftcomkb2028138
Attribute hiearchy enabled for high cardinality non-key attribute
httpsupportmicrosoftcomkb2028143
ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition
detected httpsupportmicrosoftcomkb2132742
Page 38
Account or Time attribute types defined in a non-matching dimension type
httpsupportmicrosoftcomkb2157299
An Account or Time dimension has no matching attribute defined
httpsupportmicrosoftcomkb2027418
Dimension has no attribute defined with the same type
httpsupportmicrosoftcomkb2027443
Attribute Dimension type mismatch httpsupportmicrosoftcomkb2157327
Mismatched dimension attribute types detected in dimension
httpsupportmicrosoftcomkb2027459
Possible incorrect order of levels defined in hierarchy httpsupportmicrosoftcomkb2027460
Define attribute relationships as Rigid where possible httpsupportmicrosoftcomkb2027468
Redundant attribute relationships detected httpsupportmicrosoftcomkb2127437
Diamond-shape relationship detected httpsupportmicrosoftcomkb2127570
Non-Standard Attribute Relationship name detected httpsupportmicrosoftcomkb2127862
Proactive Caching set for dimension without a processing query
httpsupportmicrosoftcomkb2027541
No Time dimension detected httpsupportmicrosoftcomkb2027532
More than 3 parent-child dimensions with custom rollups defined
httpsupportmicrosoftcomkb2134431
Encountered a parent-child dimension with more than 500000 members
httpsupportmicrosoftcomkb2131918
Single attribute dimensions detected httpsupportmicrosoftcomkb2141654
Measure groups with zero dimensional overlap detected in cube
httpsupportmicrosoftcomkb2027609
Proactive Caching set for a partition without a processing query
Default measure for perspective not in the perspective
httpsupportmicrosoftcomkb2027603
Use MOLAP storage for dimensions that participate in semi-additive measure groups
httpsupportmicrosoftcomkb2135112
Measure group defined with no partition httpsupportmicrosoftcomkb2027545
63 RS Rules
RSWindowsNegotiate is missing from your configuration
httpsupportmicrosoftcomkb2145506
HTTP Logging is not enabled httpsupportmicrosoftcomkb2145909
Verbose logging is enabled httpsupportmicrosoftcomkb2146315
NTLM authentication may fail for local httpsupportmicrosoftcomkb2146369
Missing extended protection settings httpsupportmicrosoftcomkb2146062
64 IS Rules
Logging task missing for package httpsupportmicrosoftcomkb2027723
ActiveX Script task detected in package httpsupportmicrosoftcomkb2027712
Unrecommended Integration Services service account detected
httpsupportmicrosoftcomkb2027684
Integration Services logging table found in system database master and or msdb
httpsupportmicrosoftcomkb2027706
Integration Services memory dump detected httpsupportmicrosoftcomkb2027727
Page 39
65 Setup Rules
Unsupported Operating System Version Detected httpsupportmicrosoftcomkb2022909
WOW64 not supported for SQL Failover Clustering httpsupportmicrosoftcomkb2157198
Installer cache is missing for the SQL Installation httpsupportmicrosoftcomkb2015100
SQL Server WMI Provider Health Check
66 Replication Rules
Replication Timeout Alerts Type httpsupportmicrosoftcomkb2118349
Replication Pub and Sub out of sync (Data Validation) httpsupportmicrosoftcomkb2118386
Replication Pub and Sub out of sync (Constraint Violations)
httpsupportmicrosoftcomkb2118410
Replication Pub and Sub out of sync (Skipped Transactions)
httpsupportmicrosoftcomkb2194498
Merge Replication Health Check httpsupportmicrosoftcomkb2118445
Subscriptions Approaching Expiration httpgomicrosoftcomfwlinkLinkId=184483
Replication Cleanup and Retention Health Check httpsupportmicrosoftcomkb2118485
Replication Latency Threshold violations httpsupportmicrosoftcomkb2118425
Page 40
7 HOW TO DEAL WITH DEVIATIONS
Deviations from these Best Practices may indicate potential issues and configuration changes may be
necessary Make sure you have tested any intended changes in a test environment before deploying
them to a production environment You could also find deviations from Best Practices that are
acceptable or even necessary for your environment For example
SAP has its special Network Packet Size of 8 KB
Existing Non-Microsoft Clients ndash would require Mixed Mode Authentication
Page 41
8 MOTIVATION TO USE SQL BPA R2
Bob Ward explained in his Article ldquoWhy use SQL Server 2008 R2 BPA Case 1 Missing Updatesrdquo
the common pitfalls during maintenance and operation of SQL Server and how address them by using
the SQL BPA
In brief itrsquos a customer scenario where the customer is facing an issue after a major update to
SQL2008 After some troubleshooting and an update to a certain CU (that is meant to fix the issue) the
problem still occurs Bobs article states the common resulting consequences ndash the involvement of
Microsoft Support and the final solution ndash adding a needed traceflag
The good news in this story is that the customer would not have needed to go to all that effort if they
would have run the SQL BPA It would have told them about the update and instructed them to put the
traceflag in place BPA is a mechanism that proactively advises you and instructs you on dealing with
common known issues
Page 42
9 ADDITIONAL INFORMATION
91 PowerShell
To use the functionality of the Baseline Configuration Analyzer with PowerShell you must import this
module first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
The following commands are stored in this module
Get-MbcaModel
Get-MbcaResult
Invoke-MbcaModel
Set-MbcaResult
You get help of this command with the following syntax
Get-help ltcommandgt -full
911 Get-MBCAModel
SYNOPSIS
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer
SYNTAX
Get-MBCAModel [[-ModelId] ltstring[]gt] [[-SubModelId] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer If no parameter is
specified Get-MBCAModel returns all models that are installed on the computer If a model is specified
by using the -ModelId parameter information about the specified model is returned
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
The results of the Get-MBCAModel cmdlet include the following details about models
1 Branding information (manufacturer or company display names version number) that is found in
the model manifest
2 Dynamic parameters that are included with the model
3 Submodels that are included with the model
PARAMETERS
-ModelId ltstring[]gt
The -ModelId parameter specifies the ID of the MBCA model about which you want to view
details You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet with no parameters and targeted at a computer on which MBCA models are installed
Page 43
This parameter supports wild card characters
Required false
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you
want to view details You can obtain valid values for the -SubModelId parameter by running the
Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models
are installed Not all models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
Examples
Get-MBCAModel
In the preceding example Get-MBCAModel with no parameters added returns details about all MBCA
models that are installed on the computer
Get-MBCAModel -ModelId SQL2008R2BPA
The preceding example can be used to return details about the MBCA model that is specified in the -
ModelId parameter represented by Model Id
$model= Get-MBCAModel -ModelId SQL2008R2BPA
$modelParameters
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the Parameters property of the model details that were stored in the
$model object returns details about which parameters are supported by the model
Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId ltSubModel Idgt
The preceding example can be used to return details about the MBCA sub-model that is specified by
the -SubModelId parameter represented by SubModel Id Note that the -ModelId parameter is
required by the -SubModelId parameter
$model= Get-MBCAModel -ModelId SQL2008R2BPA
Page 44
$modelSubModels
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the SubModels property of the model details that were stored in the
$model object returns a list of the submodels of the model specified in the first line
912 Invoke-MBCAModel
SYNOPSIS
The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA)
scan for a specific model that is installed on your computer
SYNTAX
Invoke-MBCAModel [-ModelId] ltstringgt -SubModelId ltstringgt [-Authentication
ltAuthenticationMechanismgt] [-CertificateThumbprint ltstringgt] [-ComputerName
ltstring[]gt] [-ConfigurationName ltstringgt] [-Context ltstringgt] [-Credential
ltstringgt] [-Mode ltModeEnumgt] [-Port ltintgt] [-RepositoryPath ltstringgt] [-
ThrottleLimit ltintgt] [-UseSSL] [ltCommonParametersgt]
DESCRIPTION
The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer
(MBCA) scan for a specific model that is installed on your computer The model is specified either by
using the parameter -ModelId or by piping the results of the Get-MBCAModel cmdlet into an Invoke-
MBCAMode cmdlet
After the MBCA scan has been performed the results of the scan are available to be retrieved by Get-
MBCAResult cmdlet
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Authentication ltAuthenticationMechanismgt
Specifies the authentication mechanism that is used to authenticate the users credentials Valid
values include Default Basic CredSSP Digest Kerberos Negotiate and
NegotiateWithImplicitCredential The default value is Default
For more information about the -Authentication parameter type the following and then press
Enter
Get-Help Invoke-Command -Parameter Authentication
Required false
Position named
Default value Default
Accept pipeline input false
Accept wildcard characters false
-CertificateThumbprint ltstringgt
Page 45
Specifies the digital public key certificate (X509) of a user account that has rights to perform the
cmdlet action The valid value is the certificate thumbprint of the certificate
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Certificate Thumbprint
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific
computer by adding this parameter Valid values include NETBOS names IP addresses or fully-
qualified domain names of one or more computers in a comma-separated list To specify the local
computer type the computer name or localhost
All formats that are accepted by the -ComputerName parameter in Invoke-Command are
accepted
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ConfigurationName ltstringgt
Specifies the session configuration that is used for a new PSSession
Enter a configuration name or the fully-qualified resource URI for a session configuration
Session configuration data is found on the remote computer on which you want to run a cmdlet
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ConfigurationName
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
The -Context parameter lets you run scans on a submodel in the context of a specific model (one
that is different from the parent model of the submodel) For example an administrator might
want to run a scan on the Backend submodel of the SQL model but only those in the context
of a third model a technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
Page 46
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Credential ltstringgt
Specifies a user account that has permission to run this cmdlet The default value is the current
user
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Credential
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Mode ltModeEnumgt
The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered
documents or discovery The default is to perform both discovery and analysis or All
If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet both discovery and
analysis are performed during a scan
Valid values are Discovery Analysis and All
Required false
Position named
Default value All
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model that you want to scan You can
obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at
a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
Page 47
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-Port ltintgt
Specifies the network port on a remote computer on which you want to run a scan The default
value is port 80
For more information on this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Port
Required false
Position named
Default value 80
Accept pipeline input false
Accept wildcard characters false
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a pathname If the parameter is not used the cmdlet writes
results to the default result repository
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to
scan You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed Not all models have
submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ThrottleLimit ltintgt
Specifies the maximum number of concurrent connections that can be established to run the
cmdlet If you omit this parameter or enter a value of 0 the default value of 32 is used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ThrottleLimit
Required false
Page 48
Position named
Default value 32
Accept pipeline input false
Accept wildcard characters false
-UseSSL [ltSwitchParametergt]
Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer
By default SSL is not used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter UseSSL
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceInvokeBpaModelOutputgt
The output object encapsulates the results of the cmdlet that you entered It contains information such
as the MBCA model ID the success or failure of the cmdlet and other details
NOTES
If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C)
before the temporary results file is copied to its final location the temporary file is discarded and any
previous scan results file for the role are preserved The message Processing of Invoke-MBCAModel
cancelled by user is displayed if the command is cancelled before existing scan results files are
overwritten
If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel
cmdlet and the command is cancelled scans that were completed before the cancel command was
entered cannot be cancelled A scan in progress behaves as described above in the single-model scan
cancellation scenario Subsequent scans in the pipeline are cancelled
If a concurrent scan of the same model is attempted the cmdlet returns the following error message
Another scan for this MBCA model is in progress Only one scan is allowed at a time
-------------------------- EXAMPLE 1 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA
Description
The preceding example starts a MBCA scan on the model that is represented by ltModel Idgt
-------------------------- EXAMPLE 2 --------------------------
Page 49
Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name
redmondmicrosoftcom
Description
The preceding example starts an MBCA scan on the model ID that is specified by Model Id
The administrator starts the MBCA scan with additional model-specific parameters that are exposed by
the model (For an example of how to obtain model-specific parameters see the examples for the Get-
MBCAModel cmdlet)
For example to scan a model that requires model-specific parameters (such as -Scope and -Name) to
be passed to the command the administrator can specify the values of these model-specific
parameters with the Invoke-MBCAModel cmdlet
-------------------------- EXAMPLE 3 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The
cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion
of the scan
-------------------------- EXAMPLE 4 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath
ltRepository Pathgt
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The -
Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on
existing documents that are specified in the non-default repository path provided with the -Repository
Path parameter
-------------------------- EXAMPLE 5 --------------------------
Invoke-MBCAModel -Id ltModel Idgt -SubModelId ltSubModel Idgt -ComputerName
ltServergt -Context ltContext Model Idgt -RepositoryPath ltRespository Pathgt -
AsJob -Authentication ltAuthenticatonMechanismgt -Port ltPort Numbergt -UseSSL -
ThrottleLimit ltThrottle Limitgt
Description
The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id
and on the computer that is represented by Server
Because the administrator only wants to see results from the submodel that apply in the context of a
third model the administrator runs the scan within the context of the model ID that is specified in the -
Context parameter The cmdlet results are saved to the non-default repository path that is specified in
the -RepositoryPath parameter
Because the -AsJob parameter is added the scan runs in the background The -AsJob -
Authentication -Port -UseSSL and -ThrottleLimit parameters are passed through for use by the
Invoke-Command cmdlet to perform discovery on a remote computer For more information about
these parameters see the Help for the Invoke-Command cmdlet available in Windows PowerShell V2
913 Get-MBCAResult
SYNOPSIS
Page 50
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
SYNTAX
Get-MBCAResult [-ModelId] ltstringgt [[-CollectedConfiguration]] -SubModelId
ltstringgt [-ComputerName ltstring[]gt] [-Context ltstringgt] [-Filter
ltFilterEnumgt] [-RepositoryPath ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
To use the command add the -ModelId parameter and then specify the model ID for which you want
to view the most recent MBCA scan results or collected configuration data If you want to retrieve the
configuration data collected add the -CollectedConfiguration switch parameter
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-CollectedConfiguration [ltSwitchParametergt]
The -CollectedConfiguration parameter allows you to obtain the configuration data that was
collected for the most recent MBCA scan If this switch parameter is added to Get-MBCAResults
the cmdlet returns only the configuration data that was collected for a scan
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The -ComputerName parameter lets you obtain scan results that were collected for the most
recent MBCA scan of a submodel on a specific computer To specify the local computer type the
computer name or localhost Multiple values for -ComputerName can be separated by
commas
The -SubModelId parameter is required by the -ComputerName parameter
Valid values for the -ComputerName parameter include localhost a NET BIOS name an IP
address or a fully-qualified domain name (FQDN) of one or more computers in a comma-
separated list
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
Page 51
The -Context parameter lets you obtain scan results that were collected for the most recent
MBCA scan of a submodel in the context of a specific model (one that is different from the parent
model of the submodel) For example an administrator might want to display scan results for the
Backend submodel of the SQL model but only those in the context of a third model a
technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Filter ltFilterEnumgt
The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant
Noncompliant or All results Valid values are Noncompliant Compliant or All The default value
is All
The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan
results You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet obtains
results from the default result repository
Required false
Position named
Page 52
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you
want to view scan results You can obtain valid values for the -SubModelId parameter by running
the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed Not all
models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceResultgt OR
SystemXmlXmlDocument (if -CollectedData specified)
If you do not use the -CollectedConfiguration parameter verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Results
2 Attempting to get MBCA results for Model Id = 0
3 Completed getting MBCA results for Model Id = 0 Number of Results = 1
If you add the -CollectedConfiguration parameter to display configuration data that was used for a
scan verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Configuration Data
2 Attempting to get MBCA collected configuration data for Model Id = 0
3 Completed getting MBCA collected configuration data for Model Id = 0
NOTES
The Get-MBCAResult cmdlet must be run by a member of the Administrators group and it does not
start a new scan
Cancellation behaviour
Single Model - To cancel this cmdlet you must press Ctrl+C before the ResultCollection is displayed
on the console The operation is cancelled and results are not displayed on the console
Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models
the cmdlet generates only those results that were displayed on the console before the cancellation
Any subsequent results in the pipeline are cancelled and not displayed
Page 53
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -Id SQL2008R2BPA
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id
-------------------------- EXAMPLE 2 --------------------------
Get-MBCAModel | Get-MBCAResult
In the preceding example Get-MBCAModel is used to return a list of all MBCA models that are
installed on the computer The results of the Get-MBCAModel cmdlet are piped to the Get-
MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both
supported by MBCA and installed on the computer at which the cmdlet is targeted
-------------------------- EXAMPLE 3 --------------------------
$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$resultDiscoveryDocument
Description
In the preceding example configuration data (in XML form) that was collected during the most recent
Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is
retrieved and stored as a property in the variable $result $resultDiscoveryDocument is of type
SystemXmlXmlDocument
-------------------------- EXAMPLE 4 --------------------------
Get-MBCAResult SQL2008R2BPA -Filter Noncompliant
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id and then applies a filter to show only Noncompliant
results
------------------------- EXAMPLE 5 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId Note that the parent model ID must be specified
to use the -SubModelId parameter
------------------------- EXAMPLE 6 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt -ComputerName ltServergt
-Context ltContext Model Idgt -RepositoryPath ltRepository Pathgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId The parent model ID is provided as required by
the -SubModelID parameter
The -Context parameter indicates that the administrator wants to see only those scan results that are in
the context of the model that is represented by Context Model Id for example only those results from
a SQL Server scan that specifically apply to another technology such as Web Server (IIS)
Page 54
The scan results are further narrowed to only those from a computer that is specified in the -
ComputerName parameter as Server and only those results found in the non-default results
repository that is represented by Repository Path
914 Set-MBCAResult
SYNOPSIS
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
SYNTAX
Set-MBCAResult [[-Exclude] ltBooleangt] [-Results] ltResultgtgt [[-
RepostitoryPath] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
The action specified in the cmdlet (Exclude for example) determines how the existing results of an
MBCA scan are updated Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet
to return a collection of scan results
You can apply filters to results that are returned by the Get-MBCAResult cmdlet and then pipe the
filtered collection of results to the Set-MBCAResult cmdlet specifying either to include or exclude
filtered scan results
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Exclude ltBooleangt
Excludes scan results from the results collection that were previously obtained by the Get-
MBCAResult command To exclude results by using the -Exclude parameter add the value $true
following the parameter as shown
-Exclude $true
To include results that have been excluded use the $false value for the -Exclude parameter
Required false
Position 2
Default value
Accept pipeline input false
Accept wildcard characters false
-RepostitoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet
modifies results from the default result repository
Required false
Page 55
Position 4
Default value
Accept pipeline input false
Accept wildcard characters false
-Results ltResultgtgt
Specifies the result collection to be updated by the Set-MBCAResult cmdlet The -Results
parameter is typically used to specify a filtered subset of scan results that has already been
stored in a variable the variable name is provided as the valid value for the -Results parameter
For example if you have created a variable $allPerformance to store all the Performance
category results for an MBCA scan of all models on a computer and you want to exclude those
Performance results from the complete collection of scan results you add the parameter -Results
$all Performance to a Set-MBCAResult cmdlet
For a more detailed example see the Examples section of the Help for this cmdlet
Required true
Position 3
Default value
Accept pipeline input true (ByValue)
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type ldquoget-
help about_commonparameters
NOTES
If the Set-MBCAResult command is cancelled before the results are written to a file the operation is
cancelled and the results file is not modified If cancellation occurs after the results file has been
modified the commands actions are carried out and the command cannot be cancelled
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -ModelId SQL2008R2BPA | Where $_Category -eq
Performance | Set-MBCAResult -Exclude $true
Description
The first section of the preceding example to the left of the first pipe character (|) uses the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is
represented by Model Id
The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those
scan results for which the category name is equal to Performance
The final section of the example following the second pipe character excludes the Performance
results that were filtered by the previous section of the example
-------------------------- EXAMPLE 2 --------------------------
$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath
CReposPath | Where $_Category -eq Policy
Page 56
Set-MBCAResult -Exclude $true -RepositoryPath CReposPath -Results
$rcPolicy
Description
The first line of the preceding example to the left of the pipe character (|) instructs the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is
represented by Specified Model Id from the specified non-default repository path
The second section of the example after the pipe character filters the results of the Get-MBCAResult
cmdlet to return only those scan results for which the category name is equal to (note the -eq option)
Policy The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet this
variable can be used in subsequent commands to represent those results
The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that
are stored in the $rcPolicy variable In this example the -Results parameter is added because the
administrator wants to exclude a specific subset of scan results for that model and has created the
variable $rcPolicy to represent that subset of results The repository root is specified in the second line
because the administrator wants to modify the results in the same non-default repository from which
the data in $rcPolicy was retrieved
915 MBCA Model Authoring
Further information about configuration and usage of MBCA models you can in the
MBCA_ModelAuthoringGuidedocx
Page 57
Did this paper help you Please give us your feedback Tell us on a scale of 1 (poor) to 5 (excellent)
how would you rate this paper and why have you given it this rating For example
Are you rating it high due to having good examples excellent screen shots clear writing or
another reason
Are you rating it low due to poor examples fuzzy screen shots or unclear writing
This feedback will help us improve the quality of white papers we release
Send feedback
Page 26
5 TROUBLESHOOTING
51 Application directories
To following directories are used by MBCA
Report output directory localappdataMicrosoftMicrosoftBaselineConfigurationAnalyzer 2ReportsSQL2008R2BPAResults
Model configuration path ProgramdataMicrosoftMicrosoft Baseline Configuration Analyzer 2ModelsSQL2008R2BPA
Temp and log files directory tempSQL2008R2BPASQL2008ltdategt_lttimegt
Registry [HKEY_LOCAL_MACHINESOFTWAREMicrosoftBaselineConfigurationAnalyzer]
Log Files
During Data Discovery SQL Server 2008 R2 BPA creates log files for troubleshooting The log file
contains the following information
Pre-requisite validation
Timestamp finished rules start and end times
Run-time scripting errors and exceptions from Power Shell Traps
Log Files Location
For every scan log files are created in userrsquos Local Temp directory (Temp) and follows the folder
structure SQL2008R2BPAlt Instance Name gtlt datestamp_timestamp gtlt Log files gt
Note In case of a remote scan the category log files are generated on the remote system at the same
path whereas the common log file is generated in the local system
Log Files Structure
A common log file gets generated and contains information about each categorys execution Apart
from this each category has its own log file which details the rule execution The names of the log files
are given below
Common File - ModelLogtxt
Engine Rules - EngineLogtxt
Replication Rules - ReplicationLogtxt
Setup Rules - SetupLogtxt
Analysis Services Rules - AnalysisServicesLogtxt
Reporting Services Rules - ReportingServicesLogtxt
Integration Services Rules - IntegrationServicesLogtxt
52 Windows Server 2003 ndash NumberOfLogicalProcessors
Analysis Services RID2803 and RID2804 ndash NumberOfLogicalProcessors property is unavailable in
Win32_Processor for with Windows Server 2003
Solution The NumberOfLogicalProcessors property does not exist in the WIN32_PROCESSOR object
in Windows Server 2003 It has been implemented in the hotfix
httpsupportmicrosoftcomkb932370
Both of the rules below will function properly if you apply this hotfix For more information look here
Page 27
53 MBCA
This message indicates that on prerequisite is not installed
Please install the version 2 of the MBCA
54 Where can I find the Instance name in result set of the analyzer
report
The instance name is in the collected data option of the analyzer report in the BPA GUI
55 Memory limit of remote PowerShell process
By default remote PowerShell process can consume only 150 MB or less memory This default limit is
significantly small and once this limit is reached there could be a WinRM exception causing and remote
connection immediately terminates Any application or Cmdlet which is involved in PowerShell
remoting should be tested for this memory limit this may cause some of the command to fail for
example site collection creation
Solution Increase the memory limit for the remote shell Use the following command to increase this
limitation to 1000MB This is only necessary if you need to run those commands on that server
Set-Item WSManlocalhostShellMaxMemoryPerShellMB 1000
56 Remote connect
If you try to ldquoConnect to another computerrdquo from MBCA and you receive the following message
Page 28
You should check first if the Hotfix KB968930 is installed
Afterwards validate that the ldquoWindows Remote Managementrdquo service is started
Enable-PSRemoting
If CredSSP is unsupported or unavailable you will see the following message
Page 29
If you have no permission to access the remote server you get the error message
Page 30
57 Installation
571 PowerShell error
After getting through the Pre-Reqs for BPA (PowerShell 20 MBCA NET Framework) you may hit
one of two scenarios when installing BPA
In all of the cases of an install failure you will see the following error
There is a problem with this Windows Installer package A program run as part of the setup did not
finish as expected Contact your support personnel or package vendor
In your Application Event Log for both of these scenarios you will also see the following entry
Log Name Application
Source MsiInstaller
Date 6102010 83818 AM
Event ID 11722
Task Category None
Level Error
Keywords Classic
User ltUsernamegt
Computer ltMachine namegt
Description
Product Microsoft SQL Server 2008 R2 BPA -- Error 1722 There is a problem
with this Windows Installer package A program run as part of the setup did
not finish as expected Contact your support personnel or package
vendor Action EnablePSRemoting location powershellexe command -NoLogo
-NoProfile -Command Enable-PSRemoting ndashforce
Page 31
This is an indicator that PowerShell is not configured You must run the following command
powershellexe -NoLogo -NoProfile -Command Enable-PSRemoting ndashforce
572 Workgroup or Non-Domain computer
In this scenario the Enable-PSRemoting command should execute fine from a PowerShell prompt
The actual error coming back from the PowerShell command within the Installer is ldquoAccess Deniedrdquo
To work around this issue you can do the following
1 Open a command prompt with Administrative Privileges
2 Change to the directory where the msi file resides
3 Type msiexec i ltMSI Namegt SKIPCA=1
4 MSI Name will either be SQL2008R2BPA_Setup32msi or SQL2008R2BPA_Setup64msi
depending on your platform
5 Once BPA is installed open a PowerShell prompt with Administrative Privileges
6 Execute the following commands
a Enable-PSRemoting
b winrm set winrmconfigwinrs ``MaxShellsPerUser=`10``
This should allow BPA to be successfully installed in the workgroup scenario
573 Kerberos Failure
This scenario is that you are failing with the above due to a Kerberos issue This particular issue could
actually show up after you have installed BPA depending on how you have configured your
environment
The issue stems from the fact that the Windows Remoting Windows Service uses the Network Service
account Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos As a
result it will be using the HOST Service Principal Name (SPN) that is on the Machine Account as it is
running under that context You may have an HTTP SPN that resides on a different account with that
host name For example if you are running an IIS Web Application such as SharePoint or if you are
using Reporting Services and the service account is set to a Domain User account instead of Network
Service or Local System If your URL of your application matches the machine name then your HTTP
SPN will be the same Thatrsquos where this problem comes in WinRM will stop working at that point and
give you a message similar to the following
Set-WSManQuickConfig WinRM cannot process the request The following error
occured while using Negotiate authentication An unknown security error
occurred
Possible causes are
-The user name or password specified are invalid
-Kerberos is used when no authentication method and no user name are
specified
-Kerberos accepts domain user names but not local user names
-The Service Principal Name (SPN) for the remote computer name and port
does not exist
-The client and remote computers are in different domains and there is no
trust between the two domains
After checking for the above issues try the following
-Check the Event Viewer for events related to authentication
-Change the authentication method add the destination computer to the
WinRM TrustedHosts configuration setting or use HTTPS transport
Note that computers in the TrustedHosts list might not be authenticated
-For more information about WinRM configuration run the following
Page 32
command winrm help config
At line50 char33
+ Set-WSManQuickConfig ltltltlt -force
+ CategoryInfo InvalidOperation () [Set-WSManQuickConfig]
InvalidOperationException
+ FullyQualifiedErrorId
WsManErrorMicrosoftWSManManagementSetWSManQuickConfigCommand
You can get this type of error from WinRM for muliple reasons The one that
we saw in our testing was the HTTP SPN scenario
If you do have an HTTP SPN defined on a Domain Account that is using the name of your machine
you have some options First you can follow the steps mentioned above to get BPA installed The
Enable-PSRemoting command will give you the above error You can temporarily remove the HTTP
SPN to get remoting enabled and then re-add the HTTP SPN
Once BPA is setup you will still not be able to run BPA if you put the HTTP SPN back in place You will
see the following when you attempt to perform a scan
This will occur regardless of which component you try to scan It could be the Engine Setup RS etchellip
One option to perform the scan successfully is to temporarily remove the HTTP SPN again run the
scan and then put the HTTP SPN back in place Another option but one that will probably require
further testing from your applicationrsquos end would be to run the application under a Host Header and
then your HTTP SPN would not include the machine name allowing BPA to run without issue
Page 33
6 RULES
Searching for ldquoSQL Server 20087 R2 BPArdquo at Microsoftcom reveals
Here is an example of one of these articles that talks about a rule to check for a recent ldquocleanrdquo
CHECKDB
Page 34
BPA works by measuring a rolersquos compliance with best practice rules in eight different categories of a
rolersquos effectiveness trustworthiness and reliability Results of measurements can be any of the three
severity levels described in the following table
Severity level Description
Noncompliant Noncompliant results are returned when a role does not satisfy the conditions of a rule
Compliant Compliant results are returned when a role satisfies the conditions of a rule
Warning Warning results are returned when a role is compliant as operating currently but may not satisfy the conditions of a
rule if changes are not made to its configuration or policy settings For example a scan of Remote Desktop Services
might show a warning result if a license server is unavailable to the role because even if no remote connections are
active at the time of the scan not having the license server prevents new remote connections from obtaining valid
client access licenses
Page 35
BPA rule categories
The following table describes the categories of best practice rules against which roles are measured
during a BPA scan
Category Name Description
Security Security rules are applied to measure a rolersquos relative risk for exposure to threats such as unauthorized or malicious
users or loss or theft of confidential or proprietary data
Performance Performance rules are applied to measure a rolersquos ability to process requests and perform its prescribed duties in
the enterprise within expected periods of time given the rolersquos workload
Configuration Configuration rules are applied to identify role settings that might require modification for the role to perform
optimally Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role
from performing its prescribed duties in an enterprise
Policy Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the
role to operate optimally and securely
Operation Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise
Predeployment Predeployment rules are applied before an installed role is deployed in the enterprise to let administrators to
evaluate whether best practices were satisfied before you use the role in production
Postdeployment Postdeployment rules are applied after all required services have started for a role and the role is running in the
enterprise
BPA Prerequisites BPA Prerequisite rules explain configuration settings policy settings and features that are required for the role
before BPA can apply specific rules from other categories A prerequisite in scan results indicates that an incorrect
setting a missing role role service or feature an incorrectly enabled or disabled policy a registry key setting or
other configuration has prevented BPA from applying one or more rules during a scan A prerequisite result does
not imply compliance or noncompliance It means that a rule could not be applied and therefore is not part of the
scan results
61 Engine Rules
Please find below a summary of the 74 Engine Rules with the links to the rule descriptions These rules
are checking that you have a secure resilient and well performing SQL configuration
Authentication Mode (httpsupportmicrosoftcomkb2028697)
Lightweight Pooling is enabled (httpsupportmicrosoftcomkb2160691)
Locks Configuration Not Dynamic (httpsupportmicrosoftcomkb2199576)
non-default network packet size in use (httpsupportmicrosoftcomkb2157175)
degree of parallelism not set to recommended value (httpsupportmicrosoftcomkb2023536)
Use Database Mail instead of SQL Mail (httpsupportmicrosoftcomkb2028584)
SQL Server Agent Proxy Account (httpsupportmicrosoftcomkb2160741)
SQL Login Password Policy Strength and password expiry
(httpsupportmicrosoftcomkb2028712)
Trustworthy Bit (httpsupportmicrosoftcomkb2183687)
Symmetric Keys Check (httpsupportmicrosoftcomkb2162020)
Asymmetric Keys Check (httpsupportmicrosoftcomkb2162020)
SQL Server installed on PDC BDC (httpsupportmicrosoftcomkb2032911)
Page 36
SQL Server Admin role membership check (httpsupportmicrosoftcomkb2184138)
Windows API calls intercepted (httpsupportmicrosoftcomkb2033238)
unsupported DotNET framework assemblies present (httpsupportmicrosoftcomkb2033344)
Disk partition starting offset may be incorrect (httpsupportmicrosoftcomkb2023571)
non-default max worker threads value configured (httpsupportmicrosoftcomkb2157129)
Guest Permissions (httpsupportmicrosoftcomkb2186935)
Data and Log files on the same volume (httpsupportmicrosoftcomkb2033523)
IO timeouts and IO controller errors detected (httpsupportmicrosoftcomkb2091098)
IO device errors detected (httpsupportmicrosoftcomkb2091098)
IO errors during page faults detected (httpsupportmicrosoftcomkb2091098)
cluster disk corruption encountered (httpsupportmicrosoftcomkb2091098)
disk defragmentation encountered corruption (httpsupportmicrosoftcomkb2091098)
failed IO requests detected (httpsupportmicrosoftcomkb2091098)
IO requests are successful when retried (httpsupportmicrosoftcomkb2015757)
IO Delay Problems reported by SQL Server (httpsupportmicrosoftcomkb2137408)
This system experienced unexpected shutdowns (httpsupportmicrosoftcomkb2091098)
tempdb corruption errors fix missing (httpsupportmicrosoftcomkb960770)
Critical SQL database inconsistency errors found (httpsupportmicrosoftcomkb2152734)
Logical consistency errors detected (httpsupportmicrosoftcomkb2152472)
Database have auto shrink option enabled (httpsupportmicrosoftcomkb2160663)
SQL Server Error logs are very big (httpsupportmicrosoftcomkb2199578)
incorrect affinity mask settings detected httpsupportmicrosoftcomkb2157114
Very low blocked process threshold setting detected httpsupportmicrosoftcomkb2157154
Potential security issue with legacy DTS stored procedures
httpsupportmicrosoftcomkb2202875
Winsock LSP loaded into SQL httpsupportmicrosoftcomkb2033448
Databases using simple recovery model httpsupportmicrosoftcomkb2137539
User database collation different from model httpsupportmicrosoftcomkb2026108
Database files and backups exist on the same volume httpsupportmicrosoftcomkb2027537
Databases have auto close option enabled httpsupportmicrosoftcomkb2160685
LSI SAS drivers needs update httpsupportmicrosoftcomkb2121098
SQL tempdb database not configured optimally httpsupportmicrosoftcomkb2154845
SQL Database file has sparse attribute set httpsupportmicrosoftcomkb2028447
Invalid startup parameters httpsupportmicrosoftcomkb2028433
MSDTC settings not configured optimally httpsupportmicrosoftcomkb2027550
sql incorrect results fix missing httpsupportmicrosoftcomkb971780
File System needs tuning for better FileStream performance
httpsupportmicrosoftcomkb2160002
linked server memory leak fix missing httpsupportmicrosoftcomkb971622EN-US
Windows service pack is not at recommended level httpsupportmicrosoftcomkb2121098
default extended event health session not in expected state
httpsupportmicrosoftcomkb2160570
TcpSysAndChimneyCheck httpsupportmicrosoftcomKB918483
FDHOST Launcher service is not configured properly httpsupportmicrosoftcomkb2160720
Unrecommended SQL Server Agent service account httpsupportmicrosoftcomkb2160720
A required Windows fix to avoid sparse file related problems is missing
httpsupportmicrosoftcomkb2002606
Page 37
Significant Portion of SQL Server Memory Has Been Paged Out
httpsupportmicrosoftcomkb2028324
Server Exception or Hang Detected on Server httpsupportmicrosoftcomkb2028589
Databases exist without CHECKSUM protection httpsupportmicrosoftcomkb2078345
backups outdated for databases httpsupportmicrosoftcomkb2027537
Database consistency check not current httpsupportmicrosoftcomkb2033590
SQL Server Memory settings are incorrect httpsupportmicrosoftcomKB918483EN-US
Autogrow Failed or took a long time httpsupportmicrosoftcomkb2091024
Storport driver fix from KBA 940467 missing httpsupportmicrosoftcomkb2121098
Storport driver fix from KBA 950903 missing httpsupportmicrosoftcomkb2121098
SQLCLR needs additional memory configuration httpsupportmicrosoftcomkb969962EN-US
Operating System files and drivers needs update for working set trimming
httpsupportmicrosoftcomkb2121098
Agent Token Replacement httpsupportmicrosoftcomkb2202637
Auditing Log in failures httpsupportmicrosoftcomkb2187161
Databases with high number of VLF present httpsupportmicrosoftcomkb2028436
Transparent Data Encryption Certificate httpsupportmicrosoftcomkb2201900
Permission on the Binn folder httpsupportmicrosoftcomkb2029023
Index Statistics Are Outdated
Server public permissions httpsupportmicrosoftcomkb2160698
Detected use of older versions of SQLNCLI httpsupportmicrosoftcomkb979779
62 AS Rules
Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions
Flight Recorder Enabled for SQL Server Analysis Services
httpsupportmicrosoftcomkb2128005
Excessive amount of memory preallocated to Analysis Services
httpsupportmicrosoftcomkb2027474
Server not configured for optimal concurrent query throughput
httpsupportmicrosoftcomkb2135031
Non standard value detected for Analysis Services memory configuration
httpsupportmicrosoftcomkb2027472
Process Thread Pool Max limit above recommended limit
httpsupportmicrosoftcomkb2134497
Process Thread Pool Minimum is below the recommended limit
httpsupportmicrosoftcomkb2134855
Server is running a build with a known regression httpsupportmicrosoftcomkb2157941
Slice not set on a ROLAP partition or a partition where proactive caching is enabled and
ROLAP storage ay occur httpsupportmicrosoftcomkb2027754
Server is ignoring duplicate key errors httpsupportmicrosoftcomkb2027761
No default member defined for non-aggregatable attribute
httpsupportmicrosoftcomkb2027769
UnknownMember set to hidden httpsupportmicrosoftcomkb2027628
Non-numeric key column for high cardinality attribute httpsupportmicrosoftcomkb2028138
Attribute hiearchy enabled for high cardinality non-key attribute
httpsupportmicrosoftcomkb2028143
ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition
detected httpsupportmicrosoftcomkb2132742
Page 38
Account or Time attribute types defined in a non-matching dimension type
httpsupportmicrosoftcomkb2157299
An Account or Time dimension has no matching attribute defined
httpsupportmicrosoftcomkb2027418
Dimension has no attribute defined with the same type
httpsupportmicrosoftcomkb2027443
Attribute Dimension type mismatch httpsupportmicrosoftcomkb2157327
Mismatched dimension attribute types detected in dimension
httpsupportmicrosoftcomkb2027459
Possible incorrect order of levels defined in hierarchy httpsupportmicrosoftcomkb2027460
Define attribute relationships as Rigid where possible httpsupportmicrosoftcomkb2027468
Redundant attribute relationships detected httpsupportmicrosoftcomkb2127437
Diamond-shape relationship detected httpsupportmicrosoftcomkb2127570
Non-Standard Attribute Relationship name detected httpsupportmicrosoftcomkb2127862
Proactive Caching set for dimension without a processing query
httpsupportmicrosoftcomkb2027541
No Time dimension detected httpsupportmicrosoftcomkb2027532
More than 3 parent-child dimensions with custom rollups defined
httpsupportmicrosoftcomkb2134431
Encountered a parent-child dimension with more than 500000 members
httpsupportmicrosoftcomkb2131918
Single attribute dimensions detected httpsupportmicrosoftcomkb2141654
Measure groups with zero dimensional overlap detected in cube
httpsupportmicrosoftcomkb2027609
Proactive Caching set for a partition without a processing query
Default measure for perspective not in the perspective
httpsupportmicrosoftcomkb2027603
Use MOLAP storage for dimensions that participate in semi-additive measure groups
httpsupportmicrosoftcomkb2135112
Measure group defined with no partition httpsupportmicrosoftcomkb2027545
63 RS Rules
RSWindowsNegotiate is missing from your configuration
httpsupportmicrosoftcomkb2145506
HTTP Logging is not enabled httpsupportmicrosoftcomkb2145909
Verbose logging is enabled httpsupportmicrosoftcomkb2146315
NTLM authentication may fail for local httpsupportmicrosoftcomkb2146369
Missing extended protection settings httpsupportmicrosoftcomkb2146062
64 IS Rules
Logging task missing for package httpsupportmicrosoftcomkb2027723
ActiveX Script task detected in package httpsupportmicrosoftcomkb2027712
Unrecommended Integration Services service account detected
httpsupportmicrosoftcomkb2027684
Integration Services logging table found in system database master and or msdb
httpsupportmicrosoftcomkb2027706
Integration Services memory dump detected httpsupportmicrosoftcomkb2027727
Page 39
65 Setup Rules
Unsupported Operating System Version Detected httpsupportmicrosoftcomkb2022909
WOW64 not supported for SQL Failover Clustering httpsupportmicrosoftcomkb2157198
Installer cache is missing for the SQL Installation httpsupportmicrosoftcomkb2015100
SQL Server WMI Provider Health Check
66 Replication Rules
Replication Timeout Alerts Type httpsupportmicrosoftcomkb2118349
Replication Pub and Sub out of sync (Data Validation) httpsupportmicrosoftcomkb2118386
Replication Pub and Sub out of sync (Constraint Violations)
httpsupportmicrosoftcomkb2118410
Replication Pub and Sub out of sync (Skipped Transactions)
httpsupportmicrosoftcomkb2194498
Merge Replication Health Check httpsupportmicrosoftcomkb2118445
Subscriptions Approaching Expiration httpgomicrosoftcomfwlinkLinkId=184483
Replication Cleanup and Retention Health Check httpsupportmicrosoftcomkb2118485
Replication Latency Threshold violations httpsupportmicrosoftcomkb2118425
Page 40
7 HOW TO DEAL WITH DEVIATIONS
Deviations from these Best Practices may indicate potential issues and configuration changes may be
necessary Make sure you have tested any intended changes in a test environment before deploying
them to a production environment You could also find deviations from Best Practices that are
acceptable or even necessary for your environment For example
SAP has its special Network Packet Size of 8 KB
Existing Non-Microsoft Clients ndash would require Mixed Mode Authentication
Page 41
8 MOTIVATION TO USE SQL BPA R2
Bob Ward explained in his Article ldquoWhy use SQL Server 2008 R2 BPA Case 1 Missing Updatesrdquo
the common pitfalls during maintenance and operation of SQL Server and how address them by using
the SQL BPA
In brief itrsquos a customer scenario where the customer is facing an issue after a major update to
SQL2008 After some troubleshooting and an update to a certain CU (that is meant to fix the issue) the
problem still occurs Bobs article states the common resulting consequences ndash the involvement of
Microsoft Support and the final solution ndash adding a needed traceflag
The good news in this story is that the customer would not have needed to go to all that effort if they
would have run the SQL BPA It would have told them about the update and instructed them to put the
traceflag in place BPA is a mechanism that proactively advises you and instructs you on dealing with
common known issues
Page 42
9 ADDITIONAL INFORMATION
91 PowerShell
To use the functionality of the Baseline Configuration Analyzer with PowerShell you must import this
module first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
The following commands are stored in this module
Get-MbcaModel
Get-MbcaResult
Invoke-MbcaModel
Set-MbcaResult
You get help of this command with the following syntax
Get-help ltcommandgt -full
911 Get-MBCAModel
SYNOPSIS
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer
SYNTAX
Get-MBCAModel [[-ModelId] ltstring[]gt] [[-SubModelId] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer If no parameter is
specified Get-MBCAModel returns all models that are installed on the computer If a model is specified
by using the -ModelId parameter information about the specified model is returned
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
The results of the Get-MBCAModel cmdlet include the following details about models
1 Branding information (manufacturer or company display names version number) that is found in
the model manifest
2 Dynamic parameters that are included with the model
3 Submodels that are included with the model
PARAMETERS
-ModelId ltstring[]gt
The -ModelId parameter specifies the ID of the MBCA model about which you want to view
details You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet with no parameters and targeted at a computer on which MBCA models are installed
Page 43
This parameter supports wild card characters
Required false
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you
want to view details You can obtain valid values for the -SubModelId parameter by running the
Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models
are installed Not all models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
Examples
Get-MBCAModel
In the preceding example Get-MBCAModel with no parameters added returns details about all MBCA
models that are installed on the computer
Get-MBCAModel -ModelId SQL2008R2BPA
The preceding example can be used to return details about the MBCA model that is specified in the -
ModelId parameter represented by Model Id
$model= Get-MBCAModel -ModelId SQL2008R2BPA
$modelParameters
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the Parameters property of the model details that were stored in the
$model object returns details about which parameters are supported by the model
Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId ltSubModel Idgt
The preceding example can be used to return details about the MBCA sub-model that is specified by
the -SubModelId parameter represented by SubModel Id Note that the -ModelId parameter is
required by the -SubModelId parameter
$model= Get-MBCAModel -ModelId SQL2008R2BPA
Page 44
$modelSubModels
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the SubModels property of the model details that were stored in the
$model object returns a list of the submodels of the model specified in the first line
912 Invoke-MBCAModel
SYNOPSIS
The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA)
scan for a specific model that is installed on your computer
SYNTAX
Invoke-MBCAModel [-ModelId] ltstringgt -SubModelId ltstringgt [-Authentication
ltAuthenticationMechanismgt] [-CertificateThumbprint ltstringgt] [-ComputerName
ltstring[]gt] [-ConfigurationName ltstringgt] [-Context ltstringgt] [-Credential
ltstringgt] [-Mode ltModeEnumgt] [-Port ltintgt] [-RepositoryPath ltstringgt] [-
ThrottleLimit ltintgt] [-UseSSL] [ltCommonParametersgt]
DESCRIPTION
The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer
(MBCA) scan for a specific model that is installed on your computer The model is specified either by
using the parameter -ModelId or by piping the results of the Get-MBCAModel cmdlet into an Invoke-
MBCAMode cmdlet
After the MBCA scan has been performed the results of the scan are available to be retrieved by Get-
MBCAResult cmdlet
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Authentication ltAuthenticationMechanismgt
Specifies the authentication mechanism that is used to authenticate the users credentials Valid
values include Default Basic CredSSP Digest Kerberos Negotiate and
NegotiateWithImplicitCredential The default value is Default
For more information about the -Authentication parameter type the following and then press
Enter
Get-Help Invoke-Command -Parameter Authentication
Required false
Position named
Default value Default
Accept pipeline input false
Accept wildcard characters false
-CertificateThumbprint ltstringgt
Page 45
Specifies the digital public key certificate (X509) of a user account that has rights to perform the
cmdlet action The valid value is the certificate thumbprint of the certificate
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Certificate Thumbprint
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific
computer by adding this parameter Valid values include NETBOS names IP addresses or fully-
qualified domain names of one or more computers in a comma-separated list To specify the local
computer type the computer name or localhost
All formats that are accepted by the -ComputerName parameter in Invoke-Command are
accepted
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ConfigurationName ltstringgt
Specifies the session configuration that is used for a new PSSession
Enter a configuration name or the fully-qualified resource URI for a session configuration
Session configuration data is found on the remote computer on which you want to run a cmdlet
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ConfigurationName
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
The -Context parameter lets you run scans on a submodel in the context of a specific model (one
that is different from the parent model of the submodel) For example an administrator might
want to run a scan on the Backend submodel of the SQL model but only those in the context
of a third model a technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
Page 46
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Credential ltstringgt
Specifies a user account that has permission to run this cmdlet The default value is the current
user
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Credential
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Mode ltModeEnumgt
The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered
documents or discovery The default is to perform both discovery and analysis or All
If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet both discovery and
analysis are performed during a scan
Valid values are Discovery Analysis and All
Required false
Position named
Default value All
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model that you want to scan You can
obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at
a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
Page 47
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-Port ltintgt
Specifies the network port on a remote computer on which you want to run a scan The default
value is port 80
For more information on this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Port
Required false
Position named
Default value 80
Accept pipeline input false
Accept wildcard characters false
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a pathname If the parameter is not used the cmdlet writes
results to the default result repository
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to
scan You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed Not all models have
submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ThrottleLimit ltintgt
Specifies the maximum number of concurrent connections that can be established to run the
cmdlet If you omit this parameter or enter a value of 0 the default value of 32 is used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ThrottleLimit
Required false
Page 48
Position named
Default value 32
Accept pipeline input false
Accept wildcard characters false
-UseSSL [ltSwitchParametergt]
Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer
By default SSL is not used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter UseSSL
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceInvokeBpaModelOutputgt
The output object encapsulates the results of the cmdlet that you entered It contains information such
as the MBCA model ID the success or failure of the cmdlet and other details
NOTES
If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C)
before the temporary results file is copied to its final location the temporary file is discarded and any
previous scan results file for the role are preserved The message Processing of Invoke-MBCAModel
cancelled by user is displayed if the command is cancelled before existing scan results files are
overwritten
If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel
cmdlet and the command is cancelled scans that were completed before the cancel command was
entered cannot be cancelled A scan in progress behaves as described above in the single-model scan
cancellation scenario Subsequent scans in the pipeline are cancelled
If a concurrent scan of the same model is attempted the cmdlet returns the following error message
Another scan for this MBCA model is in progress Only one scan is allowed at a time
-------------------------- EXAMPLE 1 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA
Description
The preceding example starts a MBCA scan on the model that is represented by ltModel Idgt
-------------------------- EXAMPLE 2 --------------------------
Page 49
Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name
redmondmicrosoftcom
Description
The preceding example starts an MBCA scan on the model ID that is specified by Model Id
The administrator starts the MBCA scan with additional model-specific parameters that are exposed by
the model (For an example of how to obtain model-specific parameters see the examples for the Get-
MBCAModel cmdlet)
For example to scan a model that requires model-specific parameters (such as -Scope and -Name) to
be passed to the command the administrator can specify the values of these model-specific
parameters with the Invoke-MBCAModel cmdlet
-------------------------- EXAMPLE 3 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The
cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion
of the scan
-------------------------- EXAMPLE 4 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath
ltRepository Pathgt
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The -
Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on
existing documents that are specified in the non-default repository path provided with the -Repository
Path parameter
-------------------------- EXAMPLE 5 --------------------------
Invoke-MBCAModel -Id ltModel Idgt -SubModelId ltSubModel Idgt -ComputerName
ltServergt -Context ltContext Model Idgt -RepositoryPath ltRespository Pathgt -
AsJob -Authentication ltAuthenticatonMechanismgt -Port ltPort Numbergt -UseSSL -
ThrottleLimit ltThrottle Limitgt
Description
The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id
and on the computer that is represented by Server
Because the administrator only wants to see results from the submodel that apply in the context of a
third model the administrator runs the scan within the context of the model ID that is specified in the -
Context parameter The cmdlet results are saved to the non-default repository path that is specified in
the -RepositoryPath parameter
Because the -AsJob parameter is added the scan runs in the background The -AsJob -
Authentication -Port -UseSSL and -ThrottleLimit parameters are passed through for use by the
Invoke-Command cmdlet to perform discovery on a remote computer For more information about
these parameters see the Help for the Invoke-Command cmdlet available in Windows PowerShell V2
913 Get-MBCAResult
SYNOPSIS
Page 50
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
SYNTAX
Get-MBCAResult [-ModelId] ltstringgt [[-CollectedConfiguration]] -SubModelId
ltstringgt [-ComputerName ltstring[]gt] [-Context ltstringgt] [-Filter
ltFilterEnumgt] [-RepositoryPath ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
To use the command add the -ModelId parameter and then specify the model ID for which you want
to view the most recent MBCA scan results or collected configuration data If you want to retrieve the
configuration data collected add the -CollectedConfiguration switch parameter
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-CollectedConfiguration [ltSwitchParametergt]
The -CollectedConfiguration parameter allows you to obtain the configuration data that was
collected for the most recent MBCA scan If this switch parameter is added to Get-MBCAResults
the cmdlet returns only the configuration data that was collected for a scan
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The -ComputerName parameter lets you obtain scan results that were collected for the most
recent MBCA scan of a submodel on a specific computer To specify the local computer type the
computer name or localhost Multiple values for -ComputerName can be separated by
commas
The -SubModelId parameter is required by the -ComputerName parameter
Valid values for the -ComputerName parameter include localhost a NET BIOS name an IP
address or a fully-qualified domain name (FQDN) of one or more computers in a comma-
separated list
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
Page 51
The -Context parameter lets you obtain scan results that were collected for the most recent
MBCA scan of a submodel in the context of a specific model (one that is different from the parent
model of the submodel) For example an administrator might want to display scan results for the
Backend submodel of the SQL model but only those in the context of a third model a
technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Filter ltFilterEnumgt
The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant
Noncompliant or All results Valid values are Noncompliant Compliant or All The default value
is All
The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan
results You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet obtains
results from the default result repository
Required false
Position named
Page 52
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you
want to view scan results You can obtain valid values for the -SubModelId parameter by running
the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed Not all
models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceResultgt OR
SystemXmlXmlDocument (if -CollectedData specified)
If you do not use the -CollectedConfiguration parameter verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Results
2 Attempting to get MBCA results for Model Id = 0
3 Completed getting MBCA results for Model Id = 0 Number of Results = 1
If you add the -CollectedConfiguration parameter to display configuration data that was used for a
scan verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Configuration Data
2 Attempting to get MBCA collected configuration data for Model Id = 0
3 Completed getting MBCA collected configuration data for Model Id = 0
NOTES
The Get-MBCAResult cmdlet must be run by a member of the Administrators group and it does not
start a new scan
Cancellation behaviour
Single Model - To cancel this cmdlet you must press Ctrl+C before the ResultCollection is displayed
on the console The operation is cancelled and results are not displayed on the console
Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models
the cmdlet generates only those results that were displayed on the console before the cancellation
Any subsequent results in the pipeline are cancelled and not displayed
Page 53
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -Id SQL2008R2BPA
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id
-------------------------- EXAMPLE 2 --------------------------
Get-MBCAModel | Get-MBCAResult
In the preceding example Get-MBCAModel is used to return a list of all MBCA models that are
installed on the computer The results of the Get-MBCAModel cmdlet are piped to the Get-
MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both
supported by MBCA and installed on the computer at which the cmdlet is targeted
-------------------------- EXAMPLE 3 --------------------------
$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$resultDiscoveryDocument
Description
In the preceding example configuration data (in XML form) that was collected during the most recent
Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is
retrieved and stored as a property in the variable $result $resultDiscoveryDocument is of type
SystemXmlXmlDocument
-------------------------- EXAMPLE 4 --------------------------
Get-MBCAResult SQL2008R2BPA -Filter Noncompliant
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id and then applies a filter to show only Noncompliant
results
------------------------- EXAMPLE 5 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId Note that the parent model ID must be specified
to use the -SubModelId parameter
------------------------- EXAMPLE 6 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt -ComputerName ltServergt
-Context ltContext Model Idgt -RepositoryPath ltRepository Pathgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId The parent model ID is provided as required by
the -SubModelID parameter
The -Context parameter indicates that the administrator wants to see only those scan results that are in
the context of the model that is represented by Context Model Id for example only those results from
a SQL Server scan that specifically apply to another technology such as Web Server (IIS)
Page 54
The scan results are further narrowed to only those from a computer that is specified in the -
ComputerName parameter as Server and only those results found in the non-default results
repository that is represented by Repository Path
914 Set-MBCAResult
SYNOPSIS
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
SYNTAX
Set-MBCAResult [[-Exclude] ltBooleangt] [-Results] ltResultgtgt [[-
RepostitoryPath] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
The action specified in the cmdlet (Exclude for example) determines how the existing results of an
MBCA scan are updated Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet
to return a collection of scan results
You can apply filters to results that are returned by the Get-MBCAResult cmdlet and then pipe the
filtered collection of results to the Set-MBCAResult cmdlet specifying either to include or exclude
filtered scan results
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Exclude ltBooleangt
Excludes scan results from the results collection that were previously obtained by the Get-
MBCAResult command To exclude results by using the -Exclude parameter add the value $true
following the parameter as shown
-Exclude $true
To include results that have been excluded use the $false value for the -Exclude parameter
Required false
Position 2
Default value
Accept pipeline input false
Accept wildcard characters false
-RepostitoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet
modifies results from the default result repository
Required false
Page 55
Position 4
Default value
Accept pipeline input false
Accept wildcard characters false
-Results ltResultgtgt
Specifies the result collection to be updated by the Set-MBCAResult cmdlet The -Results
parameter is typically used to specify a filtered subset of scan results that has already been
stored in a variable the variable name is provided as the valid value for the -Results parameter
For example if you have created a variable $allPerformance to store all the Performance
category results for an MBCA scan of all models on a computer and you want to exclude those
Performance results from the complete collection of scan results you add the parameter -Results
$all Performance to a Set-MBCAResult cmdlet
For a more detailed example see the Examples section of the Help for this cmdlet
Required true
Position 3
Default value
Accept pipeline input true (ByValue)
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type ldquoget-
help about_commonparameters
NOTES
If the Set-MBCAResult command is cancelled before the results are written to a file the operation is
cancelled and the results file is not modified If cancellation occurs after the results file has been
modified the commands actions are carried out and the command cannot be cancelled
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -ModelId SQL2008R2BPA | Where $_Category -eq
Performance | Set-MBCAResult -Exclude $true
Description
The first section of the preceding example to the left of the first pipe character (|) uses the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is
represented by Model Id
The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those
scan results for which the category name is equal to Performance
The final section of the example following the second pipe character excludes the Performance
results that were filtered by the previous section of the example
-------------------------- EXAMPLE 2 --------------------------
$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath
CReposPath | Where $_Category -eq Policy
Page 56
Set-MBCAResult -Exclude $true -RepositoryPath CReposPath -Results
$rcPolicy
Description
The first line of the preceding example to the left of the pipe character (|) instructs the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is
represented by Specified Model Id from the specified non-default repository path
The second section of the example after the pipe character filters the results of the Get-MBCAResult
cmdlet to return only those scan results for which the category name is equal to (note the -eq option)
Policy The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet this
variable can be used in subsequent commands to represent those results
The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that
are stored in the $rcPolicy variable In this example the -Results parameter is added because the
administrator wants to exclude a specific subset of scan results for that model and has created the
variable $rcPolicy to represent that subset of results The repository root is specified in the second line
because the administrator wants to modify the results in the same non-default repository from which
the data in $rcPolicy was retrieved
915 MBCA Model Authoring
Further information about configuration and usage of MBCA models you can in the
MBCA_ModelAuthoringGuidedocx
Page 57
Did this paper help you Please give us your feedback Tell us on a scale of 1 (poor) to 5 (excellent)
how would you rate this paper and why have you given it this rating For example
Are you rating it high due to having good examples excellent screen shots clear writing or
another reason
Are you rating it low due to poor examples fuzzy screen shots or unclear writing
This feedback will help us improve the quality of white papers we release
Send feedback
Page 27
53 MBCA
This message indicates that on prerequisite is not installed
Please install the version 2 of the MBCA
54 Where can I find the Instance name in result set of the analyzer
report
The instance name is in the collected data option of the analyzer report in the BPA GUI
55 Memory limit of remote PowerShell process
By default remote PowerShell process can consume only 150 MB or less memory This default limit is
significantly small and once this limit is reached there could be a WinRM exception causing and remote
connection immediately terminates Any application or Cmdlet which is involved in PowerShell
remoting should be tested for this memory limit this may cause some of the command to fail for
example site collection creation
Solution Increase the memory limit for the remote shell Use the following command to increase this
limitation to 1000MB This is only necessary if you need to run those commands on that server
Set-Item WSManlocalhostShellMaxMemoryPerShellMB 1000
56 Remote connect
If you try to ldquoConnect to another computerrdquo from MBCA and you receive the following message
Page 28
You should check first if the Hotfix KB968930 is installed
Afterwards validate that the ldquoWindows Remote Managementrdquo service is started
Enable-PSRemoting
If CredSSP is unsupported or unavailable you will see the following message
Page 29
If you have no permission to access the remote server you get the error message
Page 30
57 Installation
571 PowerShell error
After getting through the Pre-Reqs for BPA (PowerShell 20 MBCA NET Framework) you may hit
one of two scenarios when installing BPA
In all of the cases of an install failure you will see the following error
There is a problem with this Windows Installer package A program run as part of the setup did not
finish as expected Contact your support personnel or package vendor
In your Application Event Log for both of these scenarios you will also see the following entry
Log Name Application
Source MsiInstaller
Date 6102010 83818 AM
Event ID 11722
Task Category None
Level Error
Keywords Classic
User ltUsernamegt
Computer ltMachine namegt
Description
Product Microsoft SQL Server 2008 R2 BPA -- Error 1722 There is a problem
with this Windows Installer package A program run as part of the setup did
not finish as expected Contact your support personnel or package
vendor Action EnablePSRemoting location powershellexe command -NoLogo
-NoProfile -Command Enable-PSRemoting ndashforce
Page 31
This is an indicator that PowerShell is not configured You must run the following command
powershellexe -NoLogo -NoProfile -Command Enable-PSRemoting ndashforce
572 Workgroup or Non-Domain computer
In this scenario the Enable-PSRemoting command should execute fine from a PowerShell prompt
The actual error coming back from the PowerShell command within the Installer is ldquoAccess Deniedrdquo
To work around this issue you can do the following
1 Open a command prompt with Administrative Privileges
2 Change to the directory where the msi file resides
3 Type msiexec i ltMSI Namegt SKIPCA=1
4 MSI Name will either be SQL2008R2BPA_Setup32msi or SQL2008R2BPA_Setup64msi
depending on your platform
5 Once BPA is installed open a PowerShell prompt with Administrative Privileges
6 Execute the following commands
a Enable-PSRemoting
b winrm set winrmconfigwinrs ``MaxShellsPerUser=`10``
This should allow BPA to be successfully installed in the workgroup scenario
573 Kerberos Failure
This scenario is that you are failing with the above due to a Kerberos issue This particular issue could
actually show up after you have installed BPA depending on how you have configured your
environment
The issue stems from the fact that the Windows Remoting Windows Service uses the Network Service
account Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos As a
result it will be using the HOST Service Principal Name (SPN) that is on the Machine Account as it is
running under that context You may have an HTTP SPN that resides on a different account with that
host name For example if you are running an IIS Web Application such as SharePoint or if you are
using Reporting Services and the service account is set to a Domain User account instead of Network
Service or Local System If your URL of your application matches the machine name then your HTTP
SPN will be the same Thatrsquos where this problem comes in WinRM will stop working at that point and
give you a message similar to the following
Set-WSManQuickConfig WinRM cannot process the request The following error
occured while using Negotiate authentication An unknown security error
occurred
Possible causes are
-The user name or password specified are invalid
-Kerberos is used when no authentication method and no user name are
specified
-Kerberos accepts domain user names but not local user names
-The Service Principal Name (SPN) for the remote computer name and port
does not exist
-The client and remote computers are in different domains and there is no
trust between the two domains
After checking for the above issues try the following
-Check the Event Viewer for events related to authentication
-Change the authentication method add the destination computer to the
WinRM TrustedHosts configuration setting or use HTTPS transport
Note that computers in the TrustedHosts list might not be authenticated
-For more information about WinRM configuration run the following
Page 32
command winrm help config
At line50 char33
+ Set-WSManQuickConfig ltltltlt -force
+ CategoryInfo InvalidOperation () [Set-WSManQuickConfig]
InvalidOperationException
+ FullyQualifiedErrorId
WsManErrorMicrosoftWSManManagementSetWSManQuickConfigCommand
You can get this type of error from WinRM for muliple reasons The one that
we saw in our testing was the HTTP SPN scenario
If you do have an HTTP SPN defined on a Domain Account that is using the name of your machine
you have some options First you can follow the steps mentioned above to get BPA installed The
Enable-PSRemoting command will give you the above error You can temporarily remove the HTTP
SPN to get remoting enabled and then re-add the HTTP SPN
Once BPA is setup you will still not be able to run BPA if you put the HTTP SPN back in place You will
see the following when you attempt to perform a scan
This will occur regardless of which component you try to scan It could be the Engine Setup RS etchellip
One option to perform the scan successfully is to temporarily remove the HTTP SPN again run the
scan and then put the HTTP SPN back in place Another option but one that will probably require
further testing from your applicationrsquos end would be to run the application under a Host Header and
then your HTTP SPN would not include the machine name allowing BPA to run without issue
Page 33
6 RULES
Searching for ldquoSQL Server 20087 R2 BPArdquo at Microsoftcom reveals
Here is an example of one of these articles that talks about a rule to check for a recent ldquocleanrdquo
CHECKDB
Page 34
BPA works by measuring a rolersquos compliance with best practice rules in eight different categories of a
rolersquos effectiveness trustworthiness and reliability Results of measurements can be any of the three
severity levels described in the following table
Severity level Description
Noncompliant Noncompliant results are returned when a role does not satisfy the conditions of a rule
Compliant Compliant results are returned when a role satisfies the conditions of a rule
Warning Warning results are returned when a role is compliant as operating currently but may not satisfy the conditions of a
rule if changes are not made to its configuration or policy settings For example a scan of Remote Desktop Services
might show a warning result if a license server is unavailable to the role because even if no remote connections are
active at the time of the scan not having the license server prevents new remote connections from obtaining valid
client access licenses
Page 35
BPA rule categories
The following table describes the categories of best practice rules against which roles are measured
during a BPA scan
Category Name Description
Security Security rules are applied to measure a rolersquos relative risk for exposure to threats such as unauthorized or malicious
users or loss or theft of confidential or proprietary data
Performance Performance rules are applied to measure a rolersquos ability to process requests and perform its prescribed duties in
the enterprise within expected periods of time given the rolersquos workload
Configuration Configuration rules are applied to identify role settings that might require modification for the role to perform
optimally Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role
from performing its prescribed duties in an enterprise
Policy Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the
role to operate optimally and securely
Operation Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise
Predeployment Predeployment rules are applied before an installed role is deployed in the enterprise to let administrators to
evaluate whether best practices were satisfied before you use the role in production
Postdeployment Postdeployment rules are applied after all required services have started for a role and the role is running in the
enterprise
BPA Prerequisites BPA Prerequisite rules explain configuration settings policy settings and features that are required for the role
before BPA can apply specific rules from other categories A prerequisite in scan results indicates that an incorrect
setting a missing role role service or feature an incorrectly enabled or disabled policy a registry key setting or
other configuration has prevented BPA from applying one or more rules during a scan A prerequisite result does
not imply compliance or noncompliance It means that a rule could not be applied and therefore is not part of the
scan results
61 Engine Rules
Please find below a summary of the 74 Engine Rules with the links to the rule descriptions These rules
are checking that you have a secure resilient and well performing SQL configuration
Authentication Mode (httpsupportmicrosoftcomkb2028697)
Lightweight Pooling is enabled (httpsupportmicrosoftcomkb2160691)
Locks Configuration Not Dynamic (httpsupportmicrosoftcomkb2199576)
non-default network packet size in use (httpsupportmicrosoftcomkb2157175)
degree of parallelism not set to recommended value (httpsupportmicrosoftcomkb2023536)
Use Database Mail instead of SQL Mail (httpsupportmicrosoftcomkb2028584)
SQL Server Agent Proxy Account (httpsupportmicrosoftcomkb2160741)
SQL Login Password Policy Strength and password expiry
(httpsupportmicrosoftcomkb2028712)
Trustworthy Bit (httpsupportmicrosoftcomkb2183687)
Symmetric Keys Check (httpsupportmicrosoftcomkb2162020)
Asymmetric Keys Check (httpsupportmicrosoftcomkb2162020)
SQL Server installed on PDC BDC (httpsupportmicrosoftcomkb2032911)
Page 36
SQL Server Admin role membership check (httpsupportmicrosoftcomkb2184138)
Windows API calls intercepted (httpsupportmicrosoftcomkb2033238)
unsupported DotNET framework assemblies present (httpsupportmicrosoftcomkb2033344)
Disk partition starting offset may be incorrect (httpsupportmicrosoftcomkb2023571)
non-default max worker threads value configured (httpsupportmicrosoftcomkb2157129)
Guest Permissions (httpsupportmicrosoftcomkb2186935)
Data and Log files on the same volume (httpsupportmicrosoftcomkb2033523)
IO timeouts and IO controller errors detected (httpsupportmicrosoftcomkb2091098)
IO device errors detected (httpsupportmicrosoftcomkb2091098)
IO errors during page faults detected (httpsupportmicrosoftcomkb2091098)
cluster disk corruption encountered (httpsupportmicrosoftcomkb2091098)
disk defragmentation encountered corruption (httpsupportmicrosoftcomkb2091098)
failed IO requests detected (httpsupportmicrosoftcomkb2091098)
IO requests are successful when retried (httpsupportmicrosoftcomkb2015757)
IO Delay Problems reported by SQL Server (httpsupportmicrosoftcomkb2137408)
This system experienced unexpected shutdowns (httpsupportmicrosoftcomkb2091098)
tempdb corruption errors fix missing (httpsupportmicrosoftcomkb960770)
Critical SQL database inconsistency errors found (httpsupportmicrosoftcomkb2152734)
Logical consistency errors detected (httpsupportmicrosoftcomkb2152472)
Database have auto shrink option enabled (httpsupportmicrosoftcomkb2160663)
SQL Server Error logs are very big (httpsupportmicrosoftcomkb2199578)
incorrect affinity mask settings detected httpsupportmicrosoftcomkb2157114
Very low blocked process threshold setting detected httpsupportmicrosoftcomkb2157154
Potential security issue with legacy DTS stored procedures
httpsupportmicrosoftcomkb2202875
Winsock LSP loaded into SQL httpsupportmicrosoftcomkb2033448
Databases using simple recovery model httpsupportmicrosoftcomkb2137539
User database collation different from model httpsupportmicrosoftcomkb2026108
Database files and backups exist on the same volume httpsupportmicrosoftcomkb2027537
Databases have auto close option enabled httpsupportmicrosoftcomkb2160685
LSI SAS drivers needs update httpsupportmicrosoftcomkb2121098
SQL tempdb database not configured optimally httpsupportmicrosoftcomkb2154845
SQL Database file has sparse attribute set httpsupportmicrosoftcomkb2028447
Invalid startup parameters httpsupportmicrosoftcomkb2028433
MSDTC settings not configured optimally httpsupportmicrosoftcomkb2027550
sql incorrect results fix missing httpsupportmicrosoftcomkb971780
File System needs tuning for better FileStream performance
httpsupportmicrosoftcomkb2160002
linked server memory leak fix missing httpsupportmicrosoftcomkb971622EN-US
Windows service pack is not at recommended level httpsupportmicrosoftcomkb2121098
default extended event health session not in expected state
httpsupportmicrosoftcomkb2160570
TcpSysAndChimneyCheck httpsupportmicrosoftcomKB918483
FDHOST Launcher service is not configured properly httpsupportmicrosoftcomkb2160720
Unrecommended SQL Server Agent service account httpsupportmicrosoftcomkb2160720
A required Windows fix to avoid sparse file related problems is missing
httpsupportmicrosoftcomkb2002606
Page 37
Significant Portion of SQL Server Memory Has Been Paged Out
httpsupportmicrosoftcomkb2028324
Server Exception or Hang Detected on Server httpsupportmicrosoftcomkb2028589
Databases exist without CHECKSUM protection httpsupportmicrosoftcomkb2078345
backups outdated for databases httpsupportmicrosoftcomkb2027537
Database consistency check not current httpsupportmicrosoftcomkb2033590
SQL Server Memory settings are incorrect httpsupportmicrosoftcomKB918483EN-US
Autogrow Failed or took a long time httpsupportmicrosoftcomkb2091024
Storport driver fix from KBA 940467 missing httpsupportmicrosoftcomkb2121098
Storport driver fix from KBA 950903 missing httpsupportmicrosoftcomkb2121098
SQLCLR needs additional memory configuration httpsupportmicrosoftcomkb969962EN-US
Operating System files and drivers needs update for working set trimming
httpsupportmicrosoftcomkb2121098
Agent Token Replacement httpsupportmicrosoftcomkb2202637
Auditing Log in failures httpsupportmicrosoftcomkb2187161
Databases with high number of VLF present httpsupportmicrosoftcomkb2028436
Transparent Data Encryption Certificate httpsupportmicrosoftcomkb2201900
Permission on the Binn folder httpsupportmicrosoftcomkb2029023
Index Statistics Are Outdated
Server public permissions httpsupportmicrosoftcomkb2160698
Detected use of older versions of SQLNCLI httpsupportmicrosoftcomkb979779
62 AS Rules
Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions
Flight Recorder Enabled for SQL Server Analysis Services
httpsupportmicrosoftcomkb2128005
Excessive amount of memory preallocated to Analysis Services
httpsupportmicrosoftcomkb2027474
Server not configured for optimal concurrent query throughput
httpsupportmicrosoftcomkb2135031
Non standard value detected for Analysis Services memory configuration
httpsupportmicrosoftcomkb2027472
Process Thread Pool Max limit above recommended limit
httpsupportmicrosoftcomkb2134497
Process Thread Pool Minimum is below the recommended limit
httpsupportmicrosoftcomkb2134855
Server is running a build with a known regression httpsupportmicrosoftcomkb2157941
Slice not set on a ROLAP partition or a partition where proactive caching is enabled and
ROLAP storage ay occur httpsupportmicrosoftcomkb2027754
Server is ignoring duplicate key errors httpsupportmicrosoftcomkb2027761
No default member defined for non-aggregatable attribute
httpsupportmicrosoftcomkb2027769
UnknownMember set to hidden httpsupportmicrosoftcomkb2027628
Non-numeric key column for high cardinality attribute httpsupportmicrosoftcomkb2028138
Attribute hiearchy enabled for high cardinality non-key attribute
httpsupportmicrosoftcomkb2028143
ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition
detected httpsupportmicrosoftcomkb2132742
Page 38
Account or Time attribute types defined in a non-matching dimension type
httpsupportmicrosoftcomkb2157299
An Account or Time dimension has no matching attribute defined
httpsupportmicrosoftcomkb2027418
Dimension has no attribute defined with the same type
httpsupportmicrosoftcomkb2027443
Attribute Dimension type mismatch httpsupportmicrosoftcomkb2157327
Mismatched dimension attribute types detected in dimension
httpsupportmicrosoftcomkb2027459
Possible incorrect order of levels defined in hierarchy httpsupportmicrosoftcomkb2027460
Define attribute relationships as Rigid where possible httpsupportmicrosoftcomkb2027468
Redundant attribute relationships detected httpsupportmicrosoftcomkb2127437
Diamond-shape relationship detected httpsupportmicrosoftcomkb2127570
Non-Standard Attribute Relationship name detected httpsupportmicrosoftcomkb2127862
Proactive Caching set for dimension without a processing query
httpsupportmicrosoftcomkb2027541
No Time dimension detected httpsupportmicrosoftcomkb2027532
More than 3 parent-child dimensions with custom rollups defined
httpsupportmicrosoftcomkb2134431
Encountered a parent-child dimension with more than 500000 members
httpsupportmicrosoftcomkb2131918
Single attribute dimensions detected httpsupportmicrosoftcomkb2141654
Measure groups with zero dimensional overlap detected in cube
httpsupportmicrosoftcomkb2027609
Proactive Caching set for a partition without a processing query
Default measure for perspective not in the perspective
httpsupportmicrosoftcomkb2027603
Use MOLAP storage for dimensions that participate in semi-additive measure groups
httpsupportmicrosoftcomkb2135112
Measure group defined with no partition httpsupportmicrosoftcomkb2027545
63 RS Rules
RSWindowsNegotiate is missing from your configuration
httpsupportmicrosoftcomkb2145506
HTTP Logging is not enabled httpsupportmicrosoftcomkb2145909
Verbose logging is enabled httpsupportmicrosoftcomkb2146315
NTLM authentication may fail for local httpsupportmicrosoftcomkb2146369
Missing extended protection settings httpsupportmicrosoftcomkb2146062
64 IS Rules
Logging task missing for package httpsupportmicrosoftcomkb2027723
ActiveX Script task detected in package httpsupportmicrosoftcomkb2027712
Unrecommended Integration Services service account detected
httpsupportmicrosoftcomkb2027684
Integration Services logging table found in system database master and or msdb
httpsupportmicrosoftcomkb2027706
Integration Services memory dump detected httpsupportmicrosoftcomkb2027727
Page 39
65 Setup Rules
Unsupported Operating System Version Detected httpsupportmicrosoftcomkb2022909
WOW64 not supported for SQL Failover Clustering httpsupportmicrosoftcomkb2157198
Installer cache is missing for the SQL Installation httpsupportmicrosoftcomkb2015100
SQL Server WMI Provider Health Check
66 Replication Rules
Replication Timeout Alerts Type httpsupportmicrosoftcomkb2118349
Replication Pub and Sub out of sync (Data Validation) httpsupportmicrosoftcomkb2118386
Replication Pub and Sub out of sync (Constraint Violations)
httpsupportmicrosoftcomkb2118410
Replication Pub and Sub out of sync (Skipped Transactions)
httpsupportmicrosoftcomkb2194498
Merge Replication Health Check httpsupportmicrosoftcomkb2118445
Subscriptions Approaching Expiration httpgomicrosoftcomfwlinkLinkId=184483
Replication Cleanup and Retention Health Check httpsupportmicrosoftcomkb2118485
Replication Latency Threshold violations httpsupportmicrosoftcomkb2118425
Page 40
7 HOW TO DEAL WITH DEVIATIONS
Deviations from these Best Practices may indicate potential issues and configuration changes may be
necessary Make sure you have tested any intended changes in a test environment before deploying
them to a production environment You could also find deviations from Best Practices that are
acceptable or even necessary for your environment For example
SAP has its special Network Packet Size of 8 KB
Existing Non-Microsoft Clients ndash would require Mixed Mode Authentication
Page 41
8 MOTIVATION TO USE SQL BPA R2
Bob Ward explained in his Article ldquoWhy use SQL Server 2008 R2 BPA Case 1 Missing Updatesrdquo
the common pitfalls during maintenance and operation of SQL Server and how address them by using
the SQL BPA
In brief itrsquos a customer scenario where the customer is facing an issue after a major update to
SQL2008 After some troubleshooting and an update to a certain CU (that is meant to fix the issue) the
problem still occurs Bobs article states the common resulting consequences ndash the involvement of
Microsoft Support and the final solution ndash adding a needed traceflag
The good news in this story is that the customer would not have needed to go to all that effort if they
would have run the SQL BPA It would have told them about the update and instructed them to put the
traceflag in place BPA is a mechanism that proactively advises you and instructs you on dealing with
common known issues
Page 42
9 ADDITIONAL INFORMATION
91 PowerShell
To use the functionality of the Baseline Configuration Analyzer with PowerShell you must import this
module first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
The following commands are stored in this module
Get-MbcaModel
Get-MbcaResult
Invoke-MbcaModel
Set-MbcaResult
You get help of this command with the following syntax
Get-help ltcommandgt -full
911 Get-MBCAModel
SYNOPSIS
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer
SYNTAX
Get-MBCAModel [[-ModelId] ltstring[]gt] [[-SubModelId] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer If no parameter is
specified Get-MBCAModel returns all models that are installed on the computer If a model is specified
by using the -ModelId parameter information about the specified model is returned
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
The results of the Get-MBCAModel cmdlet include the following details about models
1 Branding information (manufacturer or company display names version number) that is found in
the model manifest
2 Dynamic parameters that are included with the model
3 Submodels that are included with the model
PARAMETERS
-ModelId ltstring[]gt
The -ModelId parameter specifies the ID of the MBCA model about which you want to view
details You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet with no parameters and targeted at a computer on which MBCA models are installed
Page 43
This parameter supports wild card characters
Required false
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you
want to view details You can obtain valid values for the -SubModelId parameter by running the
Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models
are installed Not all models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
Examples
Get-MBCAModel
In the preceding example Get-MBCAModel with no parameters added returns details about all MBCA
models that are installed on the computer
Get-MBCAModel -ModelId SQL2008R2BPA
The preceding example can be used to return details about the MBCA model that is specified in the -
ModelId parameter represented by Model Id
$model= Get-MBCAModel -ModelId SQL2008R2BPA
$modelParameters
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the Parameters property of the model details that were stored in the
$model object returns details about which parameters are supported by the model
Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId ltSubModel Idgt
The preceding example can be used to return details about the MBCA sub-model that is specified by
the -SubModelId parameter represented by SubModel Id Note that the -ModelId parameter is
required by the -SubModelId parameter
$model= Get-MBCAModel -ModelId SQL2008R2BPA
Page 44
$modelSubModels
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the SubModels property of the model details that were stored in the
$model object returns a list of the submodels of the model specified in the first line
912 Invoke-MBCAModel
SYNOPSIS
The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA)
scan for a specific model that is installed on your computer
SYNTAX
Invoke-MBCAModel [-ModelId] ltstringgt -SubModelId ltstringgt [-Authentication
ltAuthenticationMechanismgt] [-CertificateThumbprint ltstringgt] [-ComputerName
ltstring[]gt] [-ConfigurationName ltstringgt] [-Context ltstringgt] [-Credential
ltstringgt] [-Mode ltModeEnumgt] [-Port ltintgt] [-RepositoryPath ltstringgt] [-
ThrottleLimit ltintgt] [-UseSSL] [ltCommonParametersgt]
DESCRIPTION
The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer
(MBCA) scan for a specific model that is installed on your computer The model is specified either by
using the parameter -ModelId or by piping the results of the Get-MBCAModel cmdlet into an Invoke-
MBCAMode cmdlet
After the MBCA scan has been performed the results of the scan are available to be retrieved by Get-
MBCAResult cmdlet
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Authentication ltAuthenticationMechanismgt
Specifies the authentication mechanism that is used to authenticate the users credentials Valid
values include Default Basic CredSSP Digest Kerberos Negotiate and
NegotiateWithImplicitCredential The default value is Default
For more information about the -Authentication parameter type the following and then press
Enter
Get-Help Invoke-Command -Parameter Authentication
Required false
Position named
Default value Default
Accept pipeline input false
Accept wildcard characters false
-CertificateThumbprint ltstringgt
Page 45
Specifies the digital public key certificate (X509) of a user account that has rights to perform the
cmdlet action The valid value is the certificate thumbprint of the certificate
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Certificate Thumbprint
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific
computer by adding this parameter Valid values include NETBOS names IP addresses or fully-
qualified domain names of one or more computers in a comma-separated list To specify the local
computer type the computer name or localhost
All formats that are accepted by the -ComputerName parameter in Invoke-Command are
accepted
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ConfigurationName ltstringgt
Specifies the session configuration that is used for a new PSSession
Enter a configuration name or the fully-qualified resource URI for a session configuration
Session configuration data is found on the remote computer on which you want to run a cmdlet
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ConfigurationName
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
The -Context parameter lets you run scans on a submodel in the context of a specific model (one
that is different from the parent model of the submodel) For example an administrator might
want to run a scan on the Backend submodel of the SQL model but only those in the context
of a third model a technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
Page 46
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Credential ltstringgt
Specifies a user account that has permission to run this cmdlet The default value is the current
user
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Credential
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Mode ltModeEnumgt
The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered
documents or discovery The default is to perform both discovery and analysis or All
If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet both discovery and
analysis are performed during a scan
Valid values are Discovery Analysis and All
Required false
Position named
Default value All
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model that you want to scan You can
obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at
a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
Page 47
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-Port ltintgt
Specifies the network port on a remote computer on which you want to run a scan The default
value is port 80
For more information on this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Port
Required false
Position named
Default value 80
Accept pipeline input false
Accept wildcard characters false
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a pathname If the parameter is not used the cmdlet writes
results to the default result repository
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to
scan You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed Not all models have
submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ThrottleLimit ltintgt
Specifies the maximum number of concurrent connections that can be established to run the
cmdlet If you omit this parameter or enter a value of 0 the default value of 32 is used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ThrottleLimit
Required false
Page 48
Position named
Default value 32
Accept pipeline input false
Accept wildcard characters false
-UseSSL [ltSwitchParametergt]
Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer
By default SSL is not used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter UseSSL
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceInvokeBpaModelOutputgt
The output object encapsulates the results of the cmdlet that you entered It contains information such
as the MBCA model ID the success or failure of the cmdlet and other details
NOTES
If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C)
before the temporary results file is copied to its final location the temporary file is discarded and any
previous scan results file for the role are preserved The message Processing of Invoke-MBCAModel
cancelled by user is displayed if the command is cancelled before existing scan results files are
overwritten
If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel
cmdlet and the command is cancelled scans that were completed before the cancel command was
entered cannot be cancelled A scan in progress behaves as described above in the single-model scan
cancellation scenario Subsequent scans in the pipeline are cancelled
If a concurrent scan of the same model is attempted the cmdlet returns the following error message
Another scan for this MBCA model is in progress Only one scan is allowed at a time
-------------------------- EXAMPLE 1 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA
Description
The preceding example starts a MBCA scan on the model that is represented by ltModel Idgt
-------------------------- EXAMPLE 2 --------------------------
Page 49
Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name
redmondmicrosoftcom
Description
The preceding example starts an MBCA scan on the model ID that is specified by Model Id
The administrator starts the MBCA scan with additional model-specific parameters that are exposed by
the model (For an example of how to obtain model-specific parameters see the examples for the Get-
MBCAModel cmdlet)
For example to scan a model that requires model-specific parameters (such as -Scope and -Name) to
be passed to the command the administrator can specify the values of these model-specific
parameters with the Invoke-MBCAModel cmdlet
-------------------------- EXAMPLE 3 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The
cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion
of the scan
-------------------------- EXAMPLE 4 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath
ltRepository Pathgt
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The -
Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on
existing documents that are specified in the non-default repository path provided with the -Repository
Path parameter
-------------------------- EXAMPLE 5 --------------------------
Invoke-MBCAModel -Id ltModel Idgt -SubModelId ltSubModel Idgt -ComputerName
ltServergt -Context ltContext Model Idgt -RepositoryPath ltRespository Pathgt -
AsJob -Authentication ltAuthenticatonMechanismgt -Port ltPort Numbergt -UseSSL -
ThrottleLimit ltThrottle Limitgt
Description
The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id
and on the computer that is represented by Server
Because the administrator only wants to see results from the submodel that apply in the context of a
third model the administrator runs the scan within the context of the model ID that is specified in the -
Context parameter The cmdlet results are saved to the non-default repository path that is specified in
the -RepositoryPath parameter
Because the -AsJob parameter is added the scan runs in the background The -AsJob -
Authentication -Port -UseSSL and -ThrottleLimit parameters are passed through for use by the
Invoke-Command cmdlet to perform discovery on a remote computer For more information about
these parameters see the Help for the Invoke-Command cmdlet available in Windows PowerShell V2
913 Get-MBCAResult
SYNOPSIS
Page 50
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
SYNTAX
Get-MBCAResult [-ModelId] ltstringgt [[-CollectedConfiguration]] -SubModelId
ltstringgt [-ComputerName ltstring[]gt] [-Context ltstringgt] [-Filter
ltFilterEnumgt] [-RepositoryPath ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
To use the command add the -ModelId parameter and then specify the model ID for which you want
to view the most recent MBCA scan results or collected configuration data If you want to retrieve the
configuration data collected add the -CollectedConfiguration switch parameter
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-CollectedConfiguration [ltSwitchParametergt]
The -CollectedConfiguration parameter allows you to obtain the configuration data that was
collected for the most recent MBCA scan If this switch parameter is added to Get-MBCAResults
the cmdlet returns only the configuration data that was collected for a scan
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The -ComputerName parameter lets you obtain scan results that were collected for the most
recent MBCA scan of a submodel on a specific computer To specify the local computer type the
computer name or localhost Multiple values for -ComputerName can be separated by
commas
The -SubModelId parameter is required by the -ComputerName parameter
Valid values for the -ComputerName parameter include localhost a NET BIOS name an IP
address or a fully-qualified domain name (FQDN) of one or more computers in a comma-
separated list
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
Page 51
The -Context parameter lets you obtain scan results that were collected for the most recent
MBCA scan of a submodel in the context of a specific model (one that is different from the parent
model of the submodel) For example an administrator might want to display scan results for the
Backend submodel of the SQL model but only those in the context of a third model a
technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Filter ltFilterEnumgt
The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant
Noncompliant or All results Valid values are Noncompliant Compliant or All The default value
is All
The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan
results You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet obtains
results from the default result repository
Required false
Position named
Page 52
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you
want to view scan results You can obtain valid values for the -SubModelId parameter by running
the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed Not all
models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceResultgt OR
SystemXmlXmlDocument (if -CollectedData specified)
If you do not use the -CollectedConfiguration parameter verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Results
2 Attempting to get MBCA results for Model Id = 0
3 Completed getting MBCA results for Model Id = 0 Number of Results = 1
If you add the -CollectedConfiguration parameter to display configuration data that was used for a
scan verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Configuration Data
2 Attempting to get MBCA collected configuration data for Model Id = 0
3 Completed getting MBCA collected configuration data for Model Id = 0
NOTES
The Get-MBCAResult cmdlet must be run by a member of the Administrators group and it does not
start a new scan
Cancellation behaviour
Single Model - To cancel this cmdlet you must press Ctrl+C before the ResultCollection is displayed
on the console The operation is cancelled and results are not displayed on the console
Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models
the cmdlet generates only those results that were displayed on the console before the cancellation
Any subsequent results in the pipeline are cancelled and not displayed
Page 53
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -Id SQL2008R2BPA
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id
-------------------------- EXAMPLE 2 --------------------------
Get-MBCAModel | Get-MBCAResult
In the preceding example Get-MBCAModel is used to return a list of all MBCA models that are
installed on the computer The results of the Get-MBCAModel cmdlet are piped to the Get-
MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both
supported by MBCA and installed on the computer at which the cmdlet is targeted
-------------------------- EXAMPLE 3 --------------------------
$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$resultDiscoveryDocument
Description
In the preceding example configuration data (in XML form) that was collected during the most recent
Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is
retrieved and stored as a property in the variable $result $resultDiscoveryDocument is of type
SystemXmlXmlDocument
-------------------------- EXAMPLE 4 --------------------------
Get-MBCAResult SQL2008R2BPA -Filter Noncompliant
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id and then applies a filter to show only Noncompliant
results
------------------------- EXAMPLE 5 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId Note that the parent model ID must be specified
to use the -SubModelId parameter
------------------------- EXAMPLE 6 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt -ComputerName ltServergt
-Context ltContext Model Idgt -RepositoryPath ltRepository Pathgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId The parent model ID is provided as required by
the -SubModelID parameter
The -Context parameter indicates that the administrator wants to see only those scan results that are in
the context of the model that is represented by Context Model Id for example only those results from
a SQL Server scan that specifically apply to another technology such as Web Server (IIS)
Page 54
The scan results are further narrowed to only those from a computer that is specified in the -
ComputerName parameter as Server and only those results found in the non-default results
repository that is represented by Repository Path
914 Set-MBCAResult
SYNOPSIS
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
SYNTAX
Set-MBCAResult [[-Exclude] ltBooleangt] [-Results] ltResultgtgt [[-
RepostitoryPath] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
The action specified in the cmdlet (Exclude for example) determines how the existing results of an
MBCA scan are updated Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet
to return a collection of scan results
You can apply filters to results that are returned by the Get-MBCAResult cmdlet and then pipe the
filtered collection of results to the Set-MBCAResult cmdlet specifying either to include or exclude
filtered scan results
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Exclude ltBooleangt
Excludes scan results from the results collection that were previously obtained by the Get-
MBCAResult command To exclude results by using the -Exclude parameter add the value $true
following the parameter as shown
-Exclude $true
To include results that have been excluded use the $false value for the -Exclude parameter
Required false
Position 2
Default value
Accept pipeline input false
Accept wildcard characters false
-RepostitoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet
modifies results from the default result repository
Required false
Page 55
Position 4
Default value
Accept pipeline input false
Accept wildcard characters false
-Results ltResultgtgt
Specifies the result collection to be updated by the Set-MBCAResult cmdlet The -Results
parameter is typically used to specify a filtered subset of scan results that has already been
stored in a variable the variable name is provided as the valid value for the -Results parameter
For example if you have created a variable $allPerformance to store all the Performance
category results for an MBCA scan of all models on a computer and you want to exclude those
Performance results from the complete collection of scan results you add the parameter -Results
$all Performance to a Set-MBCAResult cmdlet
For a more detailed example see the Examples section of the Help for this cmdlet
Required true
Position 3
Default value
Accept pipeline input true (ByValue)
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type ldquoget-
help about_commonparameters
NOTES
If the Set-MBCAResult command is cancelled before the results are written to a file the operation is
cancelled and the results file is not modified If cancellation occurs after the results file has been
modified the commands actions are carried out and the command cannot be cancelled
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -ModelId SQL2008R2BPA | Where $_Category -eq
Performance | Set-MBCAResult -Exclude $true
Description
The first section of the preceding example to the left of the first pipe character (|) uses the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is
represented by Model Id
The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those
scan results for which the category name is equal to Performance
The final section of the example following the second pipe character excludes the Performance
results that were filtered by the previous section of the example
-------------------------- EXAMPLE 2 --------------------------
$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath
CReposPath | Where $_Category -eq Policy
Page 56
Set-MBCAResult -Exclude $true -RepositoryPath CReposPath -Results
$rcPolicy
Description
The first line of the preceding example to the left of the pipe character (|) instructs the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is
represented by Specified Model Id from the specified non-default repository path
The second section of the example after the pipe character filters the results of the Get-MBCAResult
cmdlet to return only those scan results for which the category name is equal to (note the -eq option)
Policy The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet this
variable can be used in subsequent commands to represent those results
The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that
are stored in the $rcPolicy variable In this example the -Results parameter is added because the
administrator wants to exclude a specific subset of scan results for that model and has created the
variable $rcPolicy to represent that subset of results The repository root is specified in the second line
because the administrator wants to modify the results in the same non-default repository from which
the data in $rcPolicy was retrieved
915 MBCA Model Authoring
Further information about configuration and usage of MBCA models you can in the
MBCA_ModelAuthoringGuidedocx
Page 57
Did this paper help you Please give us your feedback Tell us on a scale of 1 (poor) to 5 (excellent)
how would you rate this paper and why have you given it this rating For example
Are you rating it high due to having good examples excellent screen shots clear writing or
another reason
Are you rating it low due to poor examples fuzzy screen shots or unclear writing
This feedback will help us improve the quality of white papers we release
Send feedback
Page 28
You should check first if the Hotfix KB968930 is installed
Afterwards validate that the ldquoWindows Remote Managementrdquo service is started
Enable-PSRemoting
If CredSSP is unsupported or unavailable you will see the following message
Page 29
If you have no permission to access the remote server you get the error message
Page 30
57 Installation
571 PowerShell error
After getting through the Pre-Reqs for BPA (PowerShell 20 MBCA NET Framework) you may hit
one of two scenarios when installing BPA
In all of the cases of an install failure you will see the following error
There is a problem with this Windows Installer package A program run as part of the setup did not
finish as expected Contact your support personnel or package vendor
In your Application Event Log for both of these scenarios you will also see the following entry
Log Name Application
Source MsiInstaller
Date 6102010 83818 AM
Event ID 11722
Task Category None
Level Error
Keywords Classic
User ltUsernamegt
Computer ltMachine namegt
Description
Product Microsoft SQL Server 2008 R2 BPA -- Error 1722 There is a problem
with this Windows Installer package A program run as part of the setup did
not finish as expected Contact your support personnel or package
vendor Action EnablePSRemoting location powershellexe command -NoLogo
-NoProfile -Command Enable-PSRemoting ndashforce
Page 31
This is an indicator that PowerShell is not configured You must run the following command
powershellexe -NoLogo -NoProfile -Command Enable-PSRemoting ndashforce
572 Workgroup or Non-Domain computer
In this scenario the Enable-PSRemoting command should execute fine from a PowerShell prompt
The actual error coming back from the PowerShell command within the Installer is ldquoAccess Deniedrdquo
To work around this issue you can do the following
1 Open a command prompt with Administrative Privileges
2 Change to the directory where the msi file resides
3 Type msiexec i ltMSI Namegt SKIPCA=1
4 MSI Name will either be SQL2008R2BPA_Setup32msi or SQL2008R2BPA_Setup64msi
depending on your platform
5 Once BPA is installed open a PowerShell prompt with Administrative Privileges
6 Execute the following commands
a Enable-PSRemoting
b winrm set winrmconfigwinrs ``MaxShellsPerUser=`10``
This should allow BPA to be successfully installed in the workgroup scenario
573 Kerberos Failure
This scenario is that you are failing with the above due to a Kerberos issue This particular issue could
actually show up after you have installed BPA depending on how you have configured your
environment
The issue stems from the fact that the Windows Remoting Windows Service uses the Network Service
account Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos As a
result it will be using the HOST Service Principal Name (SPN) that is on the Machine Account as it is
running under that context You may have an HTTP SPN that resides on a different account with that
host name For example if you are running an IIS Web Application such as SharePoint or if you are
using Reporting Services and the service account is set to a Domain User account instead of Network
Service or Local System If your URL of your application matches the machine name then your HTTP
SPN will be the same Thatrsquos where this problem comes in WinRM will stop working at that point and
give you a message similar to the following
Set-WSManQuickConfig WinRM cannot process the request The following error
occured while using Negotiate authentication An unknown security error
occurred
Possible causes are
-The user name or password specified are invalid
-Kerberos is used when no authentication method and no user name are
specified
-Kerberos accepts domain user names but not local user names
-The Service Principal Name (SPN) for the remote computer name and port
does not exist
-The client and remote computers are in different domains and there is no
trust between the two domains
After checking for the above issues try the following
-Check the Event Viewer for events related to authentication
-Change the authentication method add the destination computer to the
WinRM TrustedHosts configuration setting or use HTTPS transport
Note that computers in the TrustedHosts list might not be authenticated
-For more information about WinRM configuration run the following
Page 32
command winrm help config
At line50 char33
+ Set-WSManQuickConfig ltltltlt -force
+ CategoryInfo InvalidOperation () [Set-WSManQuickConfig]
InvalidOperationException
+ FullyQualifiedErrorId
WsManErrorMicrosoftWSManManagementSetWSManQuickConfigCommand
You can get this type of error from WinRM for muliple reasons The one that
we saw in our testing was the HTTP SPN scenario
If you do have an HTTP SPN defined on a Domain Account that is using the name of your machine
you have some options First you can follow the steps mentioned above to get BPA installed The
Enable-PSRemoting command will give you the above error You can temporarily remove the HTTP
SPN to get remoting enabled and then re-add the HTTP SPN
Once BPA is setup you will still not be able to run BPA if you put the HTTP SPN back in place You will
see the following when you attempt to perform a scan
This will occur regardless of which component you try to scan It could be the Engine Setup RS etchellip
One option to perform the scan successfully is to temporarily remove the HTTP SPN again run the
scan and then put the HTTP SPN back in place Another option but one that will probably require
further testing from your applicationrsquos end would be to run the application under a Host Header and
then your HTTP SPN would not include the machine name allowing BPA to run without issue
Page 33
6 RULES
Searching for ldquoSQL Server 20087 R2 BPArdquo at Microsoftcom reveals
Here is an example of one of these articles that talks about a rule to check for a recent ldquocleanrdquo
CHECKDB
Page 34
BPA works by measuring a rolersquos compliance with best practice rules in eight different categories of a
rolersquos effectiveness trustworthiness and reliability Results of measurements can be any of the three
severity levels described in the following table
Severity level Description
Noncompliant Noncompliant results are returned when a role does not satisfy the conditions of a rule
Compliant Compliant results are returned when a role satisfies the conditions of a rule
Warning Warning results are returned when a role is compliant as operating currently but may not satisfy the conditions of a
rule if changes are not made to its configuration or policy settings For example a scan of Remote Desktop Services
might show a warning result if a license server is unavailable to the role because even if no remote connections are
active at the time of the scan not having the license server prevents new remote connections from obtaining valid
client access licenses
Page 35
BPA rule categories
The following table describes the categories of best practice rules against which roles are measured
during a BPA scan
Category Name Description
Security Security rules are applied to measure a rolersquos relative risk for exposure to threats such as unauthorized or malicious
users or loss or theft of confidential or proprietary data
Performance Performance rules are applied to measure a rolersquos ability to process requests and perform its prescribed duties in
the enterprise within expected periods of time given the rolersquos workload
Configuration Configuration rules are applied to identify role settings that might require modification for the role to perform
optimally Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role
from performing its prescribed duties in an enterprise
Policy Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the
role to operate optimally and securely
Operation Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise
Predeployment Predeployment rules are applied before an installed role is deployed in the enterprise to let administrators to
evaluate whether best practices were satisfied before you use the role in production
Postdeployment Postdeployment rules are applied after all required services have started for a role and the role is running in the
enterprise
BPA Prerequisites BPA Prerequisite rules explain configuration settings policy settings and features that are required for the role
before BPA can apply specific rules from other categories A prerequisite in scan results indicates that an incorrect
setting a missing role role service or feature an incorrectly enabled or disabled policy a registry key setting or
other configuration has prevented BPA from applying one or more rules during a scan A prerequisite result does
not imply compliance or noncompliance It means that a rule could not be applied and therefore is not part of the
scan results
61 Engine Rules
Please find below a summary of the 74 Engine Rules with the links to the rule descriptions These rules
are checking that you have a secure resilient and well performing SQL configuration
Authentication Mode (httpsupportmicrosoftcomkb2028697)
Lightweight Pooling is enabled (httpsupportmicrosoftcomkb2160691)
Locks Configuration Not Dynamic (httpsupportmicrosoftcomkb2199576)
non-default network packet size in use (httpsupportmicrosoftcomkb2157175)
degree of parallelism not set to recommended value (httpsupportmicrosoftcomkb2023536)
Use Database Mail instead of SQL Mail (httpsupportmicrosoftcomkb2028584)
SQL Server Agent Proxy Account (httpsupportmicrosoftcomkb2160741)
SQL Login Password Policy Strength and password expiry
(httpsupportmicrosoftcomkb2028712)
Trustworthy Bit (httpsupportmicrosoftcomkb2183687)
Symmetric Keys Check (httpsupportmicrosoftcomkb2162020)
Asymmetric Keys Check (httpsupportmicrosoftcomkb2162020)
SQL Server installed on PDC BDC (httpsupportmicrosoftcomkb2032911)
Page 36
SQL Server Admin role membership check (httpsupportmicrosoftcomkb2184138)
Windows API calls intercepted (httpsupportmicrosoftcomkb2033238)
unsupported DotNET framework assemblies present (httpsupportmicrosoftcomkb2033344)
Disk partition starting offset may be incorrect (httpsupportmicrosoftcomkb2023571)
non-default max worker threads value configured (httpsupportmicrosoftcomkb2157129)
Guest Permissions (httpsupportmicrosoftcomkb2186935)
Data and Log files on the same volume (httpsupportmicrosoftcomkb2033523)
IO timeouts and IO controller errors detected (httpsupportmicrosoftcomkb2091098)
IO device errors detected (httpsupportmicrosoftcomkb2091098)
IO errors during page faults detected (httpsupportmicrosoftcomkb2091098)
cluster disk corruption encountered (httpsupportmicrosoftcomkb2091098)
disk defragmentation encountered corruption (httpsupportmicrosoftcomkb2091098)
failed IO requests detected (httpsupportmicrosoftcomkb2091098)
IO requests are successful when retried (httpsupportmicrosoftcomkb2015757)
IO Delay Problems reported by SQL Server (httpsupportmicrosoftcomkb2137408)
This system experienced unexpected shutdowns (httpsupportmicrosoftcomkb2091098)
tempdb corruption errors fix missing (httpsupportmicrosoftcomkb960770)
Critical SQL database inconsistency errors found (httpsupportmicrosoftcomkb2152734)
Logical consistency errors detected (httpsupportmicrosoftcomkb2152472)
Database have auto shrink option enabled (httpsupportmicrosoftcomkb2160663)
SQL Server Error logs are very big (httpsupportmicrosoftcomkb2199578)
incorrect affinity mask settings detected httpsupportmicrosoftcomkb2157114
Very low blocked process threshold setting detected httpsupportmicrosoftcomkb2157154
Potential security issue with legacy DTS stored procedures
httpsupportmicrosoftcomkb2202875
Winsock LSP loaded into SQL httpsupportmicrosoftcomkb2033448
Databases using simple recovery model httpsupportmicrosoftcomkb2137539
User database collation different from model httpsupportmicrosoftcomkb2026108
Database files and backups exist on the same volume httpsupportmicrosoftcomkb2027537
Databases have auto close option enabled httpsupportmicrosoftcomkb2160685
LSI SAS drivers needs update httpsupportmicrosoftcomkb2121098
SQL tempdb database not configured optimally httpsupportmicrosoftcomkb2154845
SQL Database file has sparse attribute set httpsupportmicrosoftcomkb2028447
Invalid startup parameters httpsupportmicrosoftcomkb2028433
MSDTC settings not configured optimally httpsupportmicrosoftcomkb2027550
sql incorrect results fix missing httpsupportmicrosoftcomkb971780
File System needs tuning for better FileStream performance
httpsupportmicrosoftcomkb2160002
linked server memory leak fix missing httpsupportmicrosoftcomkb971622EN-US
Windows service pack is not at recommended level httpsupportmicrosoftcomkb2121098
default extended event health session not in expected state
httpsupportmicrosoftcomkb2160570
TcpSysAndChimneyCheck httpsupportmicrosoftcomKB918483
FDHOST Launcher service is not configured properly httpsupportmicrosoftcomkb2160720
Unrecommended SQL Server Agent service account httpsupportmicrosoftcomkb2160720
A required Windows fix to avoid sparse file related problems is missing
httpsupportmicrosoftcomkb2002606
Page 37
Significant Portion of SQL Server Memory Has Been Paged Out
httpsupportmicrosoftcomkb2028324
Server Exception or Hang Detected on Server httpsupportmicrosoftcomkb2028589
Databases exist without CHECKSUM protection httpsupportmicrosoftcomkb2078345
backups outdated for databases httpsupportmicrosoftcomkb2027537
Database consistency check not current httpsupportmicrosoftcomkb2033590
SQL Server Memory settings are incorrect httpsupportmicrosoftcomKB918483EN-US
Autogrow Failed or took a long time httpsupportmicrosoftcomkb2091024
Storport driver fix from KBA 940467 missing httpsupportmicrosoftcomkb2121098
Storport driver fix from KBA 950903 missing httpsupportmicrosoftcomkb2121098
SQLCLR needs additional memory configuration httpsupportmicrosoftcomkb969962EN-US
Operating System files and drivers needs update for working set trimming
httpsupportmicrosoftcomkb2121098
Agent Token Replacement httpsupportmicrosoftcomkb2202637
Auditing Log in failures httpsupportmicrosoftcomkb2187161
Databases with high number of VLF present httpsupportmicrosoftcomkb2028436
Transparent Data Encryption Certificate httpsupportmicrosoftcomkb2201900
Permission on the Binn folder httpsupportmicrosoftcomkb2029023
Index Statistics Are Outdated
Server public permissions httpsupportmicrosoftcomkb2160698
Detected use of older versions of SQLNCLI httpsupportmicrosoftcomkb979779
62 AS Rules
Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions
Flight Recorder Enabled for SQL Server Analysis Services
httpsupportmicrosoftcomkb2128005
Excessive amount of memory preallocated to Analysis Services
httpsupportmicrosoftcomkb2027474
Server not configured for optimal concurrent query throughput
httpsupportmicrosoftcomkb2135031
Non standard value detected for Analysis Services memory configuration
httpsupportmicrosoftcomkb2027472
Process Thread Pool Max limit above recommended limit
httpsupportmicrosoftcomkb2134497
Process Thread Pool Minimum is below the recommended limit
httpsupportmicrosoftcomkb2134855
Server is running a build with a known regression httpsupportmicrosoftcomkb2157941
Slice not set on a ROLAP partition or a partition where proactive caching is enabled and
ROLAP storage ay occur httpsupportmicrosoftcomkb2027754
Server is ignoring duplicate key errors httpsupportmicrosoftcomkb2027761
No default member defined for non-aggregatable attribute
httpsupportmicrosoftcomkb2027769
UnknownMember set to hidden httpsupportmicrosoftcomkb2027628
Non-numeric key column for high cardinality attribute httpsupportmicrosoftcomkb2028138
Attribute hiearchy enabled for high cardinality non-key attribute
httpsupportmicrosoftcomkb2028143
ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition
detected httpsupportmicrosoftcomkb2132742
Page 38
Account or Time attribute types defined in a non-matching dimension type
httpsupportmicrosoftcomkb2157299
An Account or Time dimension has no matching attribute defined
httpsupportmicrosoftcomkb2027418
Dimension has no attribute defined with the same type
httpsupportmicrosoftcomkb2027443
Attribute Dimension type mismatch httpsupportmicrosoftcomkb2157327
Mismatched dimension attribute types detected in dimension
httpsupportmicrosoftcomkb2027459
Possible incorrect order of levels defined in hierarchy httpsupportmicrosoftcomkb2027460
Define attribute relationships as Rigid where possible httpsupportmicrosoftcomkb2027468
Redundant attribute relationships detected httpsupportmicrosoftcomkb2127437
Diamond-shape relationship detected httpsupportmicrosoftcomkb2127570
Non-Standard Attribute Relationship name detected httpsupportmicrosoftcomkb2127862
Proactive Caching set for dimension without a processing query
httpsupportmicrosoftcomkb2027541
No Time dimension detected httpsupportmicrosoftcomkb2027532
More than 3 parent-child dimensions with custom rollups defined
httpsupportmicrosoftcomkb2134431
Encountered a parent-child dimension with more than 500000 members
httpsupportmicrosoftcomkb2131918
Single attribute dimensions detected httpsupportmicrosoftcomkb2141654
Measure groups with zero dimensional overlap detected in cube
httpsupportmicrosoftcomkb2027609
Proactive Caching set for a partition without a processing query
Default measure for perspective not in the perspective
httpsupportmicrosoftcomkb2027603
Use MOLAP storage for dimensions that participate in semi-additive measure groups
httpsupportmicrosoftcomkb2135112
Measure group defined with no partition httpsupportmicrosoftcomkb2027545
63 RS Rules
RSWindowsNegotiate is missing from your configuration
httpsupportmicrosoftcomkb2145506
HTTP Logging is not enabled httpsupportmicrosoftcomkb2145909
Verbose logging is enabled httpsupportmicrosoftcomkb2146315
NTLM authentication may fail for local httpsupportmicrosoftcomkb2146369
Missing extended protection settings httpsupportmicrosoftcomkb2146062
64 IS Rules
Logging task missing for package httpsupportmicrosoftcomkb2027723
ActiveX Script task detected in package httpsupportmicrosoftcomkb2027712
Unrecommended Integration Services service account detected
httpsupportmicrosoftcomkb2027684
Integration Services logging table found in system database master and or msdb
httpsupportmicrosoftcomkb2027706
Integration Services memory dump detected httpsupportmicrosoftcomkb2027727
Page 39
65 Setup Rules
Unsupported Operating System Version Detected httpsupportmicrosoftcomkb2022909
WOW64 not supported for SQL Failover Clustering httpsupportmicrosoftcomkb2157198
Installer cache is missing for the SQL Installation httpsupportmicrosoftcomkb2015100
SQL Server WMI Provider Health Check
66 Replication Rules
Replication Timeout Alerts Type httpsupportmicrosoftcomkb2118349
Replication Pub and Sub out of sync (Data Validation) httpsupportmicrosoftcomkb2118386
Replication Pub and Sub out of sync (Constraint Violations)
httpsupportmicrosoftcomkb2118410
Replication Pub and Sub out of sync (Skipped Transactions)
httpsupportmicrosoftcomkb2194498
Merge Replication Health Check httpsupportmicrosoftcomkb2118445
Subscriptions Approaching Expiration httpgomicrosoftcomfwlinkLinkId=184483
Replication Cleanup and Retention Health Check httpsupportmicrosoftcomkb2118485
Replication Latency Threshold violations httpsupportmicrosoftcomkb2118425
Page 40
7 HOW TO DEAL WITH DEVIATIONS
Deviations from these Best Practices may indicate potential issues and configuration changes may be
necessary Make sure you have tested any intended changes in a test environment before deploying
them to a production environment You could also find deviations from Best Practices that are
acceptable or even necessary for your environment For example
SAP has its special Network Packet Size of 8 KB
Existing Non-Microsoft Clients ndash would require Mixed Mode Authentication
Page 41
8 MOTIVATION TO USE SQL BPA R2
Bob Ward explained in his Article ldquoWhy use SQL Server 2008 R2 BPA Case 1 Missing Updatesrdquo
the common pitfalls during maintenance and operation of SQL Server and how address them by using
the SQL BPA
In brief itrsquos a customer scenario where the customer is facing an issue after a major update to
SQL2008 After some troubleshooting and an update to a certain CU (that is meant to fix the issue) the
problem still occurs Bobs article states the common resulting consequences ndash the involvement of
Microsoft Support and the final solution ndash adding a needed traceflag
The good news in this story is that the customer would not have needed to go to all that effort if they
would have run the SQL BPA It would have told them about the update and instructed them to put the
traceflag in place BPA is a mechanism that proactively advises you and instructs you on dealing with
common known issues
Page 42
9 ADDITIONAL INFORMATION
91 PowerShell
To use the functionality of the Baseline Configuration Analyzer with PowerShell you must import this
module first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
The following commands are stored in this module
Get-MbcaModel
Get-MbcaResult
Invoke-MbcaModel
Set-MbcaResult
You get help of this command with the following syntax
Get-help ltcommandgt -full
911 Get-MBCAModel
SYNOPSIS
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer
SYNTAX
Get-MBCAModel [[-ModelId] ltstring[]gt] [[-SubModelId] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer If no parameter is
specified Get-MBCAModel returns all models that are installed on the computer If a model is specified
by using the -ModelId parameter information about the specified model is returned
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
The results of the Get-MBCAModel cmdlet include the following details about models
1 Branding information (manufacturer or company display names version number) that is found in
the model manifest
2 Dynamic parameters that are included with the model
3 Submodels that are included with the model
PARAMETERS
-ModelId ltstring[]gt
The -ModelId parameter specifies the ID of the MBCA model about which you want to view
details You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet with no parameters and targeted at a computer on which MBCA models are installed
Page 43
This parameter supports wild card characters
Required false
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you
want to view details You can obtain valid values for the -SubModelId parameter by running the
Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models
are installed Not all models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
Examples
Get-MBCAModel
In the preceding example Get-MBCAModel with no parameters added returns details about all MBCA
models that are installed on the computer
Get-MBCAModel -ModelId SQL2008R2BPA
The preceding example can be used to return details about the MBCA model that is specified in the -
ModelId parameter represented by Model Id
$model= Get-MBCAModel -ModelId SQL2008R2BPA
$modelParameters
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the Parameters property of the model details that were stored in the
$model object returns details about which parameters are supported by the model
Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId ltSubModel Idgt
The preceding example can be used to return details about the MBCA sub-model that is specified by
the -SubModelId parameter represented by SubModel Id Note that the -ModelId parameter is
required by the -SubModelId parameter
$model= Get-MBCAModel -ModelId SQL2008R2BPA
Page 44
$modelSubModels
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the SubModels property of the model details that were stored in the
$model object returns a list of the submodels of the model specified in the first line
912 Invoke-MBCAModel
SYNOPSIS
The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA)
scan for a specific model that is installed on your computer
SYNTAX
Invoke-MBCAModel [-ModelId] ltstringgt -SubModelId ltstringgt [-Authentication
ltAuthenticationMechanismgt] [-CertificateThumbprint ltstringgt] [-ComputerName
ltstring[]gt] [-ConfigurationName ltstringgt] [-Context ltstringgt] [-Credential
ltstringgt] [-Mode ltModeEnumgt] [-Port ltintgt] [-RepositoryPath ltstringgt] [-
ThrottleLimit ltintgt] [-UseSSL] [ltCommonParametersgt]
DESCRIPTION
The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer
(MBCA) scan for a specific model that is installed on your computer The model is specified either by
using the parameter -ModelId or by piping the results of the Get-MBCAModel cmdlet into an Invoke-
MBCAMode cmdlet
After the MBCA scan has been performed the results of the scan are available to be retrieved by Get-
MBCAResult cmdlet
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Authentication ltAuthenticationMechanismgt
Specifies the authentication mechanism that is used to authenticate the users credentials Valid
values include Default Basic CredSSP Digest Kerberos Negotiate and
NegotiateWithImplicitCredential The default value is Default
For more information about the -Authentication parameter type the following and then press
Enter
Get-Help Invoke-Command -Parameter Authentication
Required false
Position named
Default value Default
Accept pipeline input false
Accept wildcard characters false
-CertificateThumbprint ltstringgt
Page 45
Specifies the digital public key certificate (X509) of a user account that has rights to perform the
cmdlet action The valid value is the certificate thumbprint of the certificate
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Certificate Thumbprint
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific
computer by adding this parameter Valid values include NETBOS names IP addresses or fully-
qualified domain names of one or more computers in a comma-separated list To specify the local
computer type the computer name or localhost
All formats that are accepted by the -ComputerName parameter in Invoke-Command are
accepted
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ConfigurationName ltstringgt
Specifies the session configuration that is used for a new PSSession
Enter a configuration name or the fully-qualified resource URI for a session configuration
Session configuration data is found on the remote computer on which you want to run a cmdlet
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ConfigurationName
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
The -Context parameter lets you run scans on a submodel in the context of a specific model (one
that is different from the parent model of the submodel) For example an administrator might
want to run a scan on the Backend submodel of the SQL model but only those in the context
of a third model a technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
Page 46
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Credential ltstringgt
Specifies a user account that has permission to run this cmdlet The default value is the current
user
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Credential
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Mode ltModeEnumgt
The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered
documents or discovery The default is to perform both discovery and analysis or All
If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet both discovery and
analysis are performed during a scan
Valid values are Discovery Analysis and All
Required false
Position named
Default value All
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model that you want to scan You can
obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at
a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
Page 47
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-Port ltintgt
Specifies the network port on a remote computer on which you want to run a scan The default
value is port 80
For more information on this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Port
Required false
Position named
Default value 80
Accept pipeline input false
Accept wildcard characters false
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a pathname If the parameter is not used the cmdlet writes
results to the default result repository
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to
scan You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed Not all models have
submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ThrottleLimit ltintgt
Specifies the maximum number of concurrent connections that can be established to run the
cmdlet If you omit this parameter or enter a value of 0 the default value of 32 is used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ThrottleLimit
Required false
Page 48
Position named
Default value 32
Accept pipeline input false
Accept wildcard characters false
-UseSSL [ltSwitchParametergt]
Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer
By default SSL is not used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter UseSSL
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceInvokeBpaModelOutputgt
The output object encapsulates the results of the cmdlet that you entered It contains information such
as the MBCA model ID the success or failure of the cmdlet and other details
NOTES
If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C)
before the temporary results file is copied to its final location the temporary file is discarded and any
previous scan results file for the role are preserved The message Processing of Invoke-MBCAModel
cancelled by user is displayed if the command is cancelled before existing scan results files are
overwritten
If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel
cmdlet and the command is cancelled scans that were completed before the cancel command was
entered cannot be cancelled A scan in progress behaves as described above in the single-model scan
cancellation scenario Subsequent scans in the pipeline are cancelled
If a concurrent scan of the same model is attempted the cmdlet returns the following error message
Another scan for this MBCA model is in progress Only one scan is allowed at a time
-------------------------- EXAMPLE 1 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA
Description
The preceding example starts a MBCA scan on the model that is represented by ltModel Idgt
-------------------------- EXAMPLE 2 --------------------------
Page 49
Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name
redmondmicrosoftcom
Description
The preceding example starts an MBCA scan on the model ID that is specified by Model Id
The administrator starts the MBCA scan with additional model-specific parameters that are exposed by
the model (For an example of how to obtain model-specific parameters see the examples for the Get-
MBCAModel cmdlet)
For example to scan a model that requires model-specific parameters (such as -Scope and -Name) to
be passed to the command the administrator can specify the values of these model-specific
parameters with the Invoke-MBCAModel cmdlet
-------------------------- EXAMPLE 3 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The
cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion
of the scan
-------------------------- EXAMPLE 4 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath
ltRepository Pathgt
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The -
Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on
existing documents that are specified in the non-default repository path provided with the -Repository
Path parameter
-------------------------- EXAMPLE 5 --------------------------
Invoke-MBCAModel -Id ltModel Idgt -SubModelId ltSubModel Idgt -ComputerName
ltServergt -Context ltContext Model Idgt -RepositoryPath ltRespository Pathgt -
AsJob -Authentication ltAuthenticatonMechanismgt -Port ltPort Numbergt -UseSSL -
ThrottleLimit ltThrottle Limitgt
Description
The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id
and on the computer that is represented by Server
Because the administrator only wants to see results from the submodel that apply in the context of a
third model the administrator runs the scan within the context of the model ID that is specified in the -
Context parameter The cmdlet results are saved to the non-default repository path that is specified in
the -RepositoryPath parameter
Because the -AsJob parameter is added the scan runs in the background The -AsJob -
Authentication -Port -UseSSL and -ThrottleLimit parameters are passed through for use by the
Invoke-Command cmdlet to perform discovery on a remote computer For more information about
these parameters see the Help for the Invoke-Command cmdlet available in Windows PowerShell V2
913 Get-MBCAResult
SYNOPSIS
Page 50
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
SYNTAX
Get-MBCAResult [-ModelId] ltstringgt [[-CollectedConfiguration]] -SubModelId
ltstringgt [-ComputerName ltstring[]gt] [-Context ltstringgt] [-Filter
ltFilterEnumgt] [-RepositoryPath ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
To use the command add the -ModelId parameter and then specify the model ID for which you want
to view the most recent MBCA scan results or collected configuration data If you want to retrieve the
configuration data collected add the -CollectedConfiguration switch parameter
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-CollectedConfiguration [ltSwitchParametergt]
The -CollectedConfiguration parameter allows you to obtain the configuration data that was
collected for the most recent MBCA scan If this switch parameter is added to Get-MBCAResults
the cmdlet returns only the configuration data that was collected for a scan
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The -ComputerName parameter lets you obtain scan results that were collected for the most
recent MBCA scan of a submodel on a specific computer To specify the local computer type the
computer name or localhost Multiple values for -ComputerName can be separated by
commas
The -SubModelId parameter is required by the -ComputerName parameter
Valid values for the -ComputerName parameter include localhost a NET BIOS name an IP
address or a fully-qualified domain name (FQDN) of one or more computers in a comma-
separated list
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
Page 51
The -Context parameter lets you obtain scan results that were collected for the most recent
MBCA scan of a submodel in the context of a specific model (one that is different from the parent
model of the submodel) For example an administrator might want to display scan results for the
Backend submodel of the SQL model but only those in the context of a third model a
technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Filter ltFilterEnumgt
The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant
Noncompliant or All results Valid values are Noncompliant Compliant or All The default value
is All
The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan
results You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet obtains
results from the default result repository
Required false
Position named
Page 52
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you
want to view scan results You can obtain valid values for the -SubModelId parameter by running
the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed Not all
models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceResultgt OR
SystemXmlXmlDocument (if -CollectedData specified)
If you do not use the -CollectedConfiguration parameter verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Results
2 Attempting to get MBCA results for Model Id = 0
3 Completed getting MBCA results for Model Id = 0 Number of Results = 1
If you add the -CollectedConfiguration parameter to display configuration data that was used for a
scan verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Configuration Data
2 Attempting to get MBCA collected configuration data for Model Id = 0
3 Completed getting MBCA collected configuration data for Model Id = 0
NOTES
The Get-MBCAResult cmdlet must be run by a member of the Administrators group and it does not
start a new scan
Cancellation behaviour
Single Model - To cancel this cmdlet you must press Ctrl+C before the ResultCollection is displayed
on the console The operation is cancelled and results are not displayed on the console
Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models
the cmdlet generates only those results that were displayed on the console before the cancellation
Any subsequent results in the pipeline are cancelled and not displayed
Page 53
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -Id SQL2008R2BPA
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id
-------------------------- EXAMPLE 2 --------------------------
Get-MBCAModel | Get-MBCAResult
In the preceding example Get-MBCAModel is used to return a list of all MBCA models that are
installed on the computer The results of the Get-MBCAModel cmdlet are piped to the Get-
MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both
supported by MBCA and installed on the computer at which the cmdlet is targeted
-------------------------- EXAMPLE 3 --------------------------
$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$resultDiscoveryDocument
Description
In the preceding example configuration data (in XML form) that was collected during the most recent
Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is
retrieved and stored as a property in the variable $result $resultDiscoveryDocument is of type
SystemXmlXmlDocument
-------------------------- EXAMPLE 4 --------------------------
Get-MBCAResult SQL2008R2BPA -Filter Noncompliant
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id and then applies a filter to show only Noncompliant
results
------------------------- EXAMPLE 5 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId Note that the parent model ID must be specified
to use the -SubModelId parameter
------------------------- EXAMPLE 6 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt -ComputerName ltServergt
-Context ltContext Model Idgt -RepositoryPath ltRepository Pathgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId The parent model ID is provided as required by
the -SubModelID parameter
The -Context parameter indicates that the administrator wants to see only those scan results that are in
the context of the model that is represented by Context Model Id for example only those results from
a SQL Server scan that specifically apply to another technology such as Web Server (IIS)
Page 54
The scan results are further narrowed to only those from a computer that is specified in the -
ComputerName parameter as Server and only those results found in the non-default results
repository that is represented by Repository Path
914 Set-MBCAResult
SYNOPSIS
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
SYNTAX
Set-MBCAResult [[-Exclude] ltBooleangt] [-Results] ltResultgtgt [[-
RepostitoryPath] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
The action specified in the cmdlet (Exclude for example) determines how the existing results of an
MBCA scan are updated Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet
to return a collection of scan results
You can apply filters to results that are returned by the Get-MBCAResult cmdlet and then pipe the
filtered collection of results to the Set-MBCAResult cmdlet specifying either to include or exclude
filtered scan results
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Exclude ltBooleangt
Excludes scan results from the results collection that were previously obtained by the Get-
MBCAResult command To exclude results by using the -Exclude parameter add the value $true
following the parameter as shown
-Exclude $true
To include results that have been excluded use the $false value for the -Exclude parameter
Required false
Position 2
Default value
Accept pipeline input false
Accept wildcard characters false
-RepostitoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet
modifies results from the default result repository
Required false
Page 55
Position 4
Default value
Accept pipeline input false
Accept wildcard characters false
-Results ltResultgtgt
Specifies the result collection to be updated by the Set-MBCAResult cmdlet The -Results
parameter is typically used to specify a filtered subset of scan results that has already been
stored in a variable the variable name is provided as the valid value for the -Results parameter
For example if you have created a variable $allPerformance to store all the Performance
category results for an MBCA scan of all models on a computer and you want to exclude those
Performance results from the complete collection of scan results you add the parameter -Results
$all Performance to a Set-MBCAResult cmdlet
For a more detailed example see the Examples section of the Help for this cmdlet
Required true
Position 3
Default value
Accept pipeline input true (ByValue)
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type ldquoget-
help about_commonparameters
NOTES
If the Set-MBCAResult command is cancelled before the results are written to a file the operation is
cancelled and the results file is not modified If cancellation occurs after the results file has been
modified the commands actions are carried out and the command cannot be cancelled
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -ModelId SQL2008R2BPA | Where $_Category -eq
Performance | Set-MBCAResult -Exclude $true
Description
The first section of the preceding example to the left of the first pipe character (|) uses the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is
represented by Model Id
The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those
scan results for which the category name is equal to Performance
The final section of the example following the second pipe character excludes the Performance
results that were filtered by the previous section of the example
-------------------------- EXAMPLE 2 --------------------------
$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath
CReposPath | Where $_Category -eq Policy
Page 56
Set-MBCAResult -Exclude $true -RepositoryPath CReposPath -Results
$rcPolicy
Description
The first line of the preceding example to the left of the pipe character (|) instructs the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is
represented by Specified Model Id from the specified non-default repository path
The second section of the example after the pipe character filters the results of the Get-MBCAResult
cmdlet to return only those scan results for which the category name is equal to (note the -eq option)
Policy The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet this
variable can be used in subsequent commands to represent those results
The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that
are stored in the $rcPolicy variable In this example the -Results parameter is added because the
administrator wants to exclude a specific subset of scan results for that model and has created the
variable $rcPolicy to represent that subset of results The repository root is specified in the second line
because the administrator wants to modify the results in the same non-default repository from which
the data in $rcPolicy was retrieved
915 MBCA Model Authoring
Further information about configuration and usage of MBCA models you can in the
MBCA_ModelAuthoringGuidedocx
Page 57
Did this paper help you Please give us your feedback Tell us on a scale of 1 (poor) to 5 (excellent)
how would you rate this paper and why have you given it this rating For example
Are you rating it high due to having good examples excellent screen shots clear writing or
another reason
Are you rating it low due to poor examples fuzzy screen shots or unclear writing
This feedback will help us improve the quality of white papers we release
Send feedback
Page 29
If you have no permission to access the remote server you get the error message
Page 30
57 Installation
571 PowerShell error
After getting through the Pre-Reqs for BPA (PowerShell 20 MBCA NET Framework) you may hit
one of two scenarios when installing BPA
In all of the cases of an install failure you will see the following error
There is a problem with this Windows Installer package A program run as part of the setup did not
finish as expected Contact your support personnel or package vendor
In your Application Event Log for both of these scenarios you will also see the following entry
Log Name Application
Source MsiInstaller
Date 6102010 83818 AM
Event ID 11722
Task Category None
Level Error
Keywords Classic
User ltUsernamegt
Computer ltMachine namegt
Description
Product Microsoft SQL Server 2008 R2 BPA -- Error 1722 There is a problem
with this Windows Installer package A program run as part of the setup did
not finish as expected Contact your support personnel or package
vendor Action EnablePSRemoting location powershellexe command -NoLogo
-NoProfile -Command Enable-PSRemoting ndashforce
Page 31
This is an indicator that PowerShell is not configured You must run the following command
powershellexe -NoLogo -NoProfile -Command Enable-PSRemoting ndashforce
572 Workgroup or Non-Domain computer
In this scenario the Enable-PSRemoting command should execute fine from a PowerShell prompt
The actual error coming back from the PowerShell command within the Installer is ldquoAccess Deniedrdquo
To work around this issue you can do the following
1 Open a command prompt with Administrative Privileges
2 Change to the directory where the msi file resides
3 Type msiexec i ltMSI Namegt SKIPCA=1
4 MSI Name will either be SQL2008R2BPA_Setup32msi or SQL2008R2BPA_Setup64msi
depending on your platform
5 Once BPA is installed open a PowerShell prompt with Administrative Privileges
6 Execute the following commands
a Enable-PSRemoting
b winrm set winrmconfigwinrs ``MaxShellsPerUser=`10``
This should allow BPA to be successfully installed in the workgroup scenario
573 Kerberos Failure
This scenario is that you are failing with the above due to a Kerberos issue This particular issue could
actually show up after you have installed BPA depending on how you have configured your
environment
The issue stems from the fact that the Windows Remoting Windows Service uses the Network Service
account Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos As a
result it will be using the HOST Service Principal Name (SPN) that is on the Machine Account as it is
running under that context You may have an HTTP SPN that resides on a different account with that
host name For example if you are running an IIS Web Application such as SharePoint or if you are
using Reporting Services and the service account is set to a Domain User account instead of Network
Service or Local System If your URL of your application matches the machine name then your HTTP
SPN will be the same Thatrsquos where this problem comes in WinRM will stop working at that point and
give you a message similar to the following
Set-WSManQuickConfig WinRM cannot process the request The following error
occured while using Negotiate authentication An unknown security error
occurred
Possible causes are
-The user name or password specified are invalid
-Kerberos is used when no authentication method and no user name are
specified
-Kerberos accepts domain user names but not local user names
-The Service Principal Name (SPN) for the remote computer name and port
does not exist
-The client and remote computers are in different domains and there is no
trust between the two domains
After checking for the above issues try the following
-Check the Event Viewer for events related to authentication
-Change the authentication method add the destination computer to the
WinRM TrustedHosts configuration setting or use HTTPS transport
Note that computers in the TrustedHosts list might not be authenticated
-For more information about WinRM configuration run the following
Page 32
command winrm help config
At line50 char33
+ Set-WSManQuickConfig ltltltlt -force
+ CategoryInfo InvalidOperation () [Set-WSManQuickConfig]
InvalidOperationException
+ FullyQualifiedErrorId
WsManErrorMicrosoftWSManManagementSetWSManQuickConfigCommand
You can get this type of error from WinRM for muliple reasons The one that
we saw in our testing was the HTTP SPN scenario
If you do have an HTTP SPN defined on a Domain Account that is using the name of your machine
you have some options First you can follow the steps mentioned above to get BPA installed The
Enable-PSRemoting command will give you the above error You can temporarily remove the HTTP
SPN to get remoting enabled and then re-add the HTTP SPN
Once BPA is setup you will still not be able to run BPA if you put the HTTP SPN back in place You will
see the following when you attempt to perform a scan
This will occur regardless of which component you try to scan It could be the Engine Setup RS etchellip
One option to perform the scan successfully is to temporarily remove the HTTP SPN again run the
scan and then put the HTTP SPN back in place Another option but one that will probably require
further testing from your applicationrsquos end would be to run the application under a Host Header and
then your HTTP SPN would not include the machine name allowing BPA to run without issue
Page 33
6 RULES
Searching for ldquoSQL Server 20087 R2 BPArdquo at Microsoftcom reveals
Here is an example of one of these articles that talks about a rule to check for a recent ldquocleanrdquo
CHECKDB
Page 34
BPA works by measuring a rolersquos compliance with best practice rules in eight different categories of a
rolersquos effectiveness trustworthiness and reliability Results of measurements can be any of the three
severity levels described in the following table
Severity level Description
Noncompliant Noncompliant results are returned when a role does not satisfy the conditions of a rule
Compliant Compliant results are returned when a role satisfies the conditions of a rule
Warning Warning results are returned when a role is compliant as operating currently but may not satisfy the conditions of a
rule if changes are not made to its configuration or policy settings For example a scan of Remote Desktop Services
might show a warning result if a license server is unavailable to the role because even if no remote connections are
active at the time of the scan not having the license server prevents new remote connections from obtaining valid
client access licenses
Page 35
BPA rule categories
The following table describes the categories of best practice rules against which roles are measured
during a BPA scan
Category Name Description
Security Security rules are applied to measure a rolersquos relative risk for exposure to threats such as unauthorized or malicious
users or loss or theft of confidential or proprietary data
Performance Performance rules are applied to measure a rolersquos ability to process requests and perform its prescribed duties in
the enterprise within expected periods of time given the rolersquos workload
Configuration Configuration rules are applied to identify role settings that might require modification for the role to perform
optimally Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role
from performing its prescribed duties in an enterprise
Policy Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the
role to operate optimally and securely
Operation Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise
Predeployment Predeployment rules are applied before an installed role is deployed in the enterprise to let administrators to
evaluate whether best practices were satisfied before you use the role in production
Postdeployment Postdeployment rules are applied after all required services have started for a role and the role is running in the
enterprise
BPA Prerequisites BPA Prerequisite rules explain configuration settings policy settings and features that are required for the role
before BPA can apply specific rules from other categories A prerequisite in scan results indicates that an incorrect
setting a missing role role service or feature an incorrectly enabled or disabled policy a registry key setting or
other configuration has prevented BPA from applying one or more rules during a scan A prerequisite result does
not imply compliance or noncompliance It means that a rule could not be applied and therefore is not part of the
scan results
61 Engine Rules
Please find below a summary of the 74 Engine Rules with the links to the rule descriptions These rules
are checking that you have a secure resilient and well performing SQL configuration
Authentication Mode (httpsupportmicrosoftcomkb2028697)
Lightweight Pooling is enabled (httpsupportmicrosoftcomkb2160691)
Locks Configuration Not Dynamic (httpsupportmicrosoftcomkb2199576)
non-default network packet size in use (httpsupportmicrosoftcomkb2157175)
degree of parallelism not set to recommended value (httpsupportmicrosoftcomkb2023536)
Use Database Mail instead of SQL Mail (httpsupportmicrosoftcomkb2028584)
SQL Server Agent Proxy Account (httpsupportmicrosoftcomkb2160741)
SQL Login Password Policy Strength and password expiry
(httpsupportmicrosoftcomkb2028712)
Trustworthy Bit (httpsupportmicrosoftcomkb2183687)
Symmetric Keys Check (httpsupportmicrosoftcomkb2162020)
Asymmetric Keys Check (httpsupportmicrosoftcomkb2162020)
SQL Server installed on PDC BDC (httpsupportmicrosoftcomkb2032911)
Page 36
SQL Server Admin role membership check (httpsupportmicrosoftcomkb2184138)
Windows API calls intercepted (httpsupportmicrosoftcomkb2033238)
unsupported DotNET framework assemblies present (httpsupportmicrosoftcomkb2033344)
Disk partition starting offset may be incorrect (httpsupportmicrosoftcomkb2023571)
non-default max worker threads value configured (httpsupportmicrosoftcomkb2157129)
Guest Permissions (httpsupportmicrosoftcomkb2186935)
Data and Log files on the same volume (httpsupportmicrosoftcomkb2033523)
IO timeouts and IO controller errors detected (httpsupportmicrosoftcomkb2091098)
IO device errors detected (httpsupportmicrosoftcomkb2091098)
IO errors during page faults detected (httpsupportmicrosoftcomkb2091098)
cluster disk corruption encountered (httpsupportmicrosoftcomkb2091098)
disk defragmentation encountered corruption (httpsupportmicrosoftcomkb2091098)
failed IO requests detected (httpsupportmicrosoftcomkb2091098)
IO requests are successful when retried (httpsupportmicrosoftcomkb2015757)
IO Delay Problems reported by SQL Server (httpsupportmicrosoftcomkb2137408)
This system experienced unexpected shutdowns (httpsupportmicrosoftcomkb2091098)
tempdb corruption errors fix missing (httpsupportmicrosoftcomkb960770)
Critical SQL database inconsistency errors found (httpsupportmicrosoftcomkb2152734)
Logical consistency errors detected (httpsupportmicrosoftcomkb2152472)
Database have auto shrink option enabled (httpsupportmicrosoftcomkb2160663)
SQL Server Error logs are very big (httpsupportmicrosoftcomkb2199578)
incorrect affinity mask settings detected httpsupportmicrosoftcomkb2157114
Very low blocked process threshold setting detected httpsupportmicrosoftcomkb2157154
Potential security issue with legacy DTS stored procedures
httpsupportmicrosoftcomkb2202875
Winsock LSP loaded into SQL httpsupportmicrosoftcomkb2033448
Databases using simple recovery model httpsupportmicrosoftcomkb2137539
User database collation different from model httpsupportmicrosoftcomkb2026108
Database files and backups exist on the same volume httpsupportmicrosoftcomkb2027537
Databases have auto close option enabled httpsupportmicrosoftcomkb2160685
LSI SAS drivers needs update httpsupportmicrosoftcomkb2121098
SQL tempdb database not configured optimally httpsupportmicrosoftcomkb2154845
SQL Database file has sparse attribute set httpsupportmicrosoftcomkb2028447
Invalid startup parameters httpsupportmicrosoftcomkb2028433
MSDTC settings not configured optimally httpsupportmicrosoftcomkb2027550
sql incorrect results fix missing httpsupportmicrosoftcomkb971780
File System needs tuning for better FileStream performance
httpsupportmicrosoftcomkb2160002
linked server memory leak fix missing httpsupportmicrosoftcomkb971622EN-US
Windows service pack is not at recommended level httpsupportmicrosoftcomkb2121098
default extended event health session not in expected state
httpsupportmicrosoftcomkb2160570
TcpSysAndChimneyCheck httpsupportmicrosoftcomKB918483
FDHOST Launcher service is not configured properly httpsupportmicrosoftcomkb2160720
Unrecommended SQL Server Agent service account httpsupportmicrosoftcomkb2160720
A required Windows fix to avoid sparse file related problems is missing
httpsupportmicrosoftcomkb2002606
Page 37
Significant Portion of SQL Server Memory Has Been Paged Out
httpsupportmicrosoftcomkb2028324
Server Exception or Hang Detected on Server httpsupportmicrosoftcomkb2028589
Databases exist without CHECKSUM protection httpsupportmicrosoftcomkb2078345
backups outdated for databases httpsupportmicrosoftcomkb2027537
Database consistency check not current httpsupportmicrosoftcomkb2033590
SQL Server Memory settings are incorrect httpsupportmicrosoftcomKB918483EN-US
Autogrow Failed or took a long time httpsupportmicrosoftcomkb2091024
Storport driver fix from KBA 940467 missing httpsupportmicrosoftcomkb2121098
Storport driver fix from KBA 950903 missing httpsupportmicrosoftcomkb2121098
SQLCLR needs additional memory configuration httpsupportmicrosoftcomkb969962EN-US
Operating System files and drivers needs update for working set trimming
httpsupportmicrosoftcomkb2121098
Agent Token Replacement httpsupportmicrosoftcomkb2202637
Auditing Log in failures httpsupportmicrosoftcomkb2187161
Databases with high number of VLF present httpsupportmicrosoftcomkb2028436
Transparent Data Encryption Certificate httpsupportmicrosoftcomkb2201900
Permission on the Binn folder httpsupportmicrosoftcomkb2029023
Index Statistics Are Outdated
Server public permissions httpsupportmicrosoftcomkb2160698
Detected use of older versions of SQLNCLI httpsupportmicrosoftcomkb979779
62 AS Rules
Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions
Flight Recorder Enabled for SQL Server Analysis Services
httpsupportmicrosoftcomkb2128005
Excessive amount of memory preallocated to Analysis Services
httpsupportmicrosoftcomkb2027474
Server not configured for optimal concurrent query throughput
httpsupportmicrosoftcomkb2135031
Non standard value detected for Analysis Services memory configuration
httpsupportmicrosoftcomkb2027472
Process Thread Pool Max limit above recommended limit
httpsupportmicrosoftcomkb2134497
Process Thread Pool Minimum is below the recommended limit
httpsupportmicrosoftcomkb2134855
Server is running a build with a known regression httpsupportmicrosoftcomkb2157941
Slice not set on a ROLAP partition or a partition where proactive caching is enabled and
ROLAP storage ay occur httpsupportmicrosoftcomkb2027754
Server is ignoring duplicate key errors httpsupportmicrosoftcomkb2027761
No default member defined for non-aggregatable attribute
httpsupportmicrosoftcomkb2027769
UnknownMember set to hidden httpsupportmicrosoftcomkb2027628
Non-numeric key column for high cardinality attribute httpsupportmicrosoftcomkb2028138
Attribute hiearchy enabled for high cardinality non-key attribute
httpsupportmicrosoftcomkb2028143
ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition
detected httpsupportmicrosoftcomkb2132742
Page 38
Account or Time attribute types defined in a non-matching dimension type
httpsupportmicrosoftcomkb2157299
An Account or Time dimension has no matching attribute defined
httpsupportmicrosoftcomkb2027418
Dimension has no attribute defined with the same type
httpsupportmicrosoftcomkb2027443
Attribute Dimension type mismatch httpsupportmicrosoftcomkb2157327
Mismatched dimension attribute types detected in dimension
httpsupportmicrosoftcomkb2027459
Possible incorrect order of levels defined in hierarchy httpsupportmicrosoftcomkb2027460
Define attribute relationships as Rigid where possible httpsupportmicrosoftcomkb2027468
Redundant attribute relationships detected httpsupportmicrosoftcomkb2127437
Diamond-shape relationship detected httpsupportmicrosoftcomkb2127570
Non-Standard Attribute Relationship name detected httpsupportmicrosoftcomkb2127862
Proactive Caching set for dimension without a processing query
httpsupportmicrosoftcomkb2027541
No Time dimension detected httpsupportmicrosoftcomkb2027532
More than 3 parent-child dimensions with custom rollups defined
httpsupportmicrosoftcomkb2134431
Encountered a parent-child dimension with more than 500000 members
httpsupportmicrosoftcomkb2131918
Single attribute dimensions detected httpsupportmicrosoftcomkb2141654
Measure groups with zero dimensional overlap detected in cube
httpsupportmicrosoftcomkb2027609
Proactive Caching set for a partition without a processing query
Default measure for perspective not in the perspective
httpsupportmicrosoftcomkb2027603
Use MOLAP storage for dimensions that participate in semi-additive measure groups
httpsupportmicrosoftcomkb2135112
Measure group defined with no partition httpsupportmicrosoftcomkb2027545
63 RS Rules
RSWindowsNegotiate is missing from your configuration
httpsupportmicrosoftcomkb2145506
HTTP Logging is not enabled httpsupportmicrosoftcomkb2145909
Verbose logging is enabled httpsupportmicrosoftcomkb2146315
NTLM authentication may fail for local httpsupportmicrosoftcomkb2146369
Missing extended protection settings httpsupportmicrosoftcomkb2146062
64 IS Rules
Logging task missing for package httpsupportmicrosoftcomkb2027723
ActiveX Script task detected in package httpsupportmicrosoftcomkb2027712
Unrecommended Integration Services service account detected
httpsupportmicrosoftcomkb2027684
Integration Services logging table found in system database master and or msdb
httpsupportmicrosoftcomkb2027706
Integration Services memory dump detected httpsupportmicrosoftcomkb2027727
Page 39
65 Setup Rules
Unsupported Operating System Version Detected httpsupportmicrosoftcomkb2022909
WOW64 not supported for SQL Failover Clustering httpsupportmicrosoftcomkb2157198
Installer cache is missing for the SQL Installation httpsupportmicrosoftcomkb2015100
SQL Server WMI Provider Health Check
66 Replication Rules
Replication Timeout Alerts Type httpsupportmicrosoftcomkb2118349
Replication Pub and Sub out of sync (Data Validation) httpsupportmicrosoftcomkb2118386
Replication Pub and Sub out of sync (Constraint Violations)
httpsupportmicrosoftcomkb2118410
Replication Pub and Sub out of sync (Skipped Transactions)
httpsupportmicrosoftcomkb2194498
Merge Replication Health Check httpsupportmicrosoftcomkb2118445
Subscriptions Approaching Expiration httpgomicrosoftcomfwlinkLinkId=184483
Replication Cleanup and Retention Health Check httpsupportmicrosoftcomkb2118485
Replication Latency Threshold violations httpsupportmicrosoftcomkb2118425
Page 40
7 HOW TO DEAL WITH DEVIATIONS
Deviations from these Best Practices may indicate potential issues and configuration changes may be
necessary Make sure you have tested any intended changes in a test environment before deploying
them to a production environment You could also find deviations from Best Practices that are
acceptable or even necessary for your environment For example
SAP has its special Network Packet Size of 8 KB
Existing Non-Microsoft Clients ndash would require Mixed Mode Authentication
Page 41
8 MOTIVATION TO USE SQL BPA R2
Bob Ward explained in his Article ldquoWhy use SQL Server 2008 R2 BPA Case 1 Missing Updatesrdquo
the common pitfalls during maintenance and operation of SQL Server and how address them by using
the SQL BPA
In brief itrsquos a customer scenario where the customer is facing an issue after a major update to
SQL2008 After some troubleshooting and an update to a certain CU (that is meant to fix the issue) the
problem still occurs Bobs article states the common resulting consequences ndash the involvement of
Microsoft Support and the final solution ndash adding a needed traceflag
The good news in this story is that the customer would not have needed to go to all that effort if they
would have run the SQL BPA It would have told them about the update and instructed them to put the
traceflag in place BPA is a mechanism that proactively advises you and instructs you on dealing with
common known issues
Page 42
9 ADDITIONAL INFORMATION
91 PowerShell
To use the functionality of the Baseline Configuration Analyzer with PowerShell you must import this
module first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
The following commands are stored in this module
Get-MbcaModel
Get-MbcaResult
Invoke-MbcaModel
Set-MbcaResult
You get help of this command with the following syntax
Get-help ltcommandgt -full
911 Get-MBCAModel
SYNOPSIS
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer
SYNTAX
Get-MBCAModel [[-ModelId] ltstring[]gt] [[-SubModelId] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer If no parameter is
specified Get-MBCAModel returns all models that are installed on the computer If a model is specified
by using the -ModelId parameter information about the specified model is returned
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
The results of the Get-MBCAModel cmdlet include the following details about models
1 Branding information (manufacturer or company display names version number) that is found in
the model manifest
2 Dynamic parameters that are included with the model
3 Submodels that are included with the model
PARAMETERS
-ModelId ltstring[]gt
The -ModelId parameter specifies the ID of the MBCA model about which you want to view
details You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet with no parameters and targeted at a computer on which MBCA models are installed
Page 43
This parameter supports wild card characters
Required false
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you
want to view details You can obtain valid values for the -SubModelId parameter by running the
Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models
are installed Not all models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
Examples
Get-MBCAModel
In the preceding example Get-MBCAModel with no parameters added returns details about all MBCA
models that are installed on the computer
Get-MBCAModel -ModelId SQL2008R2BPA
The preceding example can be used to return details about the MBCA model that is specified in the -
ModelId parameter represented by Model Id
$model= Get-MBCAModel -ModelId SQL2008R2BPA
$modelParameters
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the Parameters property of the model details that were stored in the
$model object returns details about which parameters are supported by the model
Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId ltSubModel Idgt
The preceding example can be used to return details about the MBCA sub-model that is specified by
the -SubModelId parameter represented by SubModel Id Note that the -ModelId parameter is
required by the -SubModelId parameter
$model= Get-MBCAModel -ModelId SQL2008R2BPA
Page 44
$modelSubModels
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the SubModels property of the model details that were stored in the
$model object returns a list of the submodels of the model specified in the first line
912 Invoke-MBCAModel
SYNOPSIS
The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA)
scan for a specific model that is installed on your computer
SYNTAX
Invoke-MBCAModel [-ModelId] ltstringgt -SubModelId ltstringgt [-Authentication
ltAuthenticationMechanismgt] [-CertificateThumbprint ltstringgt] [-ComputerName
ltstring[]gt] [-ConfigurationName ltstringgt] [-Context ltstringgt] [-Credential
ltstringgt] [-Mode ltModeEnumgt] [-Port ltintgt] [-RepositoryPath ltstringgt] [-
ThrottleLimit ltintgt] [-UseSSL] [ltCommonParametersgt]
DESCRIPTION
The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer
(MBCA) scan for a specific model that is installed on your computer The model is specified either by
using the parameter -ModelId or by piping the results of the Get-MBCAModel cmdlet into an Invoke-
MBCAMode cmdlet
After the MBCA scan has been performed the results of the scan are available to be retrieved by Get-
MBCAResult cmdlet
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Authentication ltAuthenticationMechanismgt
Specifies the authentication mechanism that is used to authenticate the users credentials Valid
values include Default Basic CredSSP Digest Kerberos Negotiate and
NegotiateWithImplicitCredential The default value is Default
For more information about the -Authentication parameter type the following and then press
Enter
Get-Help Invoke-Command -Parameter Authentication
Required false
Position named
Default value Default
Accept pipeline input false
Accept wildcard characters false
-CertificateThumbprint ltstringgt
Page 45
Specifies the digital public key certificate (X509) of a user account that has rights to perform the
cmdlet action The valid value is the certificate thumbprint of the certificate
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Certificate Thumbprint
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific
computer by adding this parameter Valid values include NETBOS names IP addresses or fully-
qualified domain names of one or more computers in a comma-separated list To specify the local
computer type the computer name or localhost
All formats that are accepted by the -ComputerName parameter in Invoke-Command are
accepted
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ConfigurationName ltstringgt
Specifies the session configuration that is used for a new PSSession
Enter a configuration name or the fully-qualified resource URI for a session configuration
Session configuration data is found on the remote computer on which you want to run a cmdlet
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ConfigurationName
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
The -Context parameter lets you run scans on a submodel in the context of a specific model (one
that is different from the parent model of the submodel) For example an administrator might
want to run a scan on the Backend submodel of the SQL model but only those in the context
of a third model a technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
Page 46
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Credential ltstringgt
Specifies a user account that has permission to run this cmdlet The default value is the current
user
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Credential
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Mode ltModeEnumgt
The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered
documents or discovery The default is to perform both discovery and analysis or All
If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet both discovery and
analysis are performed during a scan
Valid values are Discovery Analysis and All
Required false
Position named
Default value All
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model that you want to scan You can
obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at
a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
Page 47
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-Port ltintgt
Specifies the network port on a remote computer on which you want to run a scan The default
value is port 80
For more information on this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Port
Required false
Position named
Default value 80
Accept pipeline input false
Accept wildcard characters false
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a pathname If the parameter is not used the cmdlet writes
results to the default result repository
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to
scan You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed Not all models have
submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ThrottleLimit ltintgt
Specifies the maximum number of concurrent connections that can be established to run the
cmdlet If you omit this parameter or enter a value of 0 the default value of 32 is used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ThrottleLimit
Required false
Page 48
Position named
Default value 32
Accept pipeline input false
Accept wildcard characters false
-UseSSL [ltSwitchParametergt]
Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer
By default SSL is not used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter UseSSL
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceInvokeBpaModelOutputgt
The output object encapsulates the results of the cmdlet that you entered It contains information such
as the MBCA model ID the success or failure of the cmdlet and other details
NOTES
If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C)
before the temporary results file is copied to its final location the temporary file is discarded and any
previous scan results file for the role are preserved The message Processing of Invoke-MBCAModel
cancelled by user is displayed if the command is cancelled before existing scan results files are
overwritten
If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel
cmdlet and the command is cancelled scans that were completed before the cancel command was
entered cannot be cancelled A scan in progress behaves as described above in the single-model scan
cancellation scenario Subsequent scans in the pipeline are cancelled
If a concurrent scan of the same model is attempted the cmdlet returns the following error message
Another scan for this MBCA model is in progress Only one scan is allowed at a time
-------------------------- EXAMPLE 1 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA
Description
The preceding example starts a MBCA scan on the model that is represented by ltModel Idgt
-------------------------- EXAMPLE 2 --------------------------
Page 49
Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name
redmondmicrosoftcom
Description
The preceding example starts an MBCA scan on the model ID that is specified by Model Id
The administrator starts the MBCA scan with additional model-specific parameters that are exposed by
the model (For an example of how to obtain model-specific parameters see the examples for the Get-
MBCAModel cmdlet)
For example to scan a model that requires model-specific parameters (such as -Scope and -Name) to
be passed to the command the administrator can specify the values of these model-specific
parameters with the Invoke-MBCAModel cmdlet
-------------------------- EXAMPLE 3 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The
cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion
of the scan
-------------------------- EXAMPLE 4 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath
ltRepository Pathgt
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The -
Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on
existing documents that are specified in the non-default repository path provided with the -Repository
Path parameter
-------------------------- EXAMPLE 5 --------------------------
Invoke-MBCAModel -Id ltModel Idgt -SubModelId ltSubModel Idgt -ComputerName
ltServergt -Context ltContext Model Idgt -RepositoryPath ltRespository Pathgt -
AsJob -Authentication ltAuthenticatonMechanismgt -Port ltPort Numbergt -UseSSL -
ThrottleLimit ltThrottle Limitgt
Description
The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id
and on the computer that is represented by Server
Because the administrator only wants to see results from the submodel that apply in the context of a
third model the administrator runs the scan within the context of the model ID that is specified in the -
Context parameter The cmdlet results are saved to the non-default repository path that is specified in
the -RepositoryPath parameter
Because the -AsJob parameter is added the scan runs in the background The -AsJob -
Authentication -Port -UseSSL and -ThrottleLimit parameters are passed through for use by the
Invoke-Command cmdlet to perform discovery on a remote computer For more information about
these parameters see the Help for the Invoke-Command cmdlet available in Windows PowerShell V2
913 Get-MBCAResult
SYNOPSIS
Page 50
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
SYNTAX
Get-MBCAResult [-ModelId] ltstringgt [[-CollectedConfiguration]] -SubModelId
ltstringgt [-ComputerName ltstring[]gt] [-Context ltstringgt] [-Filter
ltFilterEnumgt] [-RepositoryPath ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
To use the command add the -ModelId parameter and then specify the model ID for which you want
to view the most recent MBCA scan results or collected configuration data If you want to retrieve the
configuration data collected add the -CollectedConfiguration switch parameter
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-CollectedConfiguration [ltSwitchParametergt]
The -CollectedConfiguration parameter allows you to obtain the configuration data that was
collected for the most recent MBCA scan If this switch parameter is added to Get-MBCAResults
the cmdlet returns only the configuration data that was collected for a scan
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The -ComputerName parameter lets you obtain scan results that were collected for the most
recent MBCA scan of a submodel on a specific computer To specify the local computer type the
computer name or localhost Multiple values for -ComputerName can be separated by
commas
The -SubModelId parameter is required by the -ComputerName parameter
Valid values for the -ComputerName parameter include localhost a NET BIOS name an IP
address or a fully-qualified domain name (FQDN) of one or more computers in a comma-
separated list
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
Page 51
The -Context parameter lets you obtain scan results that were collected for the most recent
MBCA scan of a submodel in the context of a specific model (one that is different from the parent
model of the submodel) For example an administrator might want to display scan results for the
Backend submodel of the SQL model but only those in the context of a third model a
technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Filter ltFilterEnumgt
The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant
Noncompliant or All results Valid values are Noncompliant Compliant or All The default value
is All
The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan
results You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet obtains
results from the default result repository
Required false
Position named
Page 52
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you
want to view scan results You can obtain valid values for the -SubModelId parameter by running
the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed Not all
models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceResultgt OR
SystemXmlXmlDocument (if -CollectedData specified)
If you do not use the -CollectedConfiguration parameter verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Results
2 Attempting to get MBCA results for Model Id = 0
3 Completed getting MBCA results for Model Id = 0 Number of Results = 1
If you add the -CollectedConfiguration parameter to display configuration data that was used for a
scan verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Configuration Data
2 Attempting to get MBCA collected configuration data for Model Id = 0
3 Completed getting MBCA collected configuration data for Model Id = 0
NOTES
The Get-MBCAResult cmdlet must be run by a member of the Administrators group and it does not
start a new scan
Cancellation behaviour
Single Model - To cancel this cmdlet you must press Ctrl+C before the ResultCollection is displayed
on the console The operation is cancelled and results are not displayed on the console
Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models
the cmdlet generates only those results that were displayed on the console before the cancellation
Any subsequent results in the pipeline are cancelled and not displayed
Page 53
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -Id SQL2008R2BPA
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id
-------------------------- EXAMPLE 2 --------------------------
Get-MBCAModel | Get-MBCAResult
In the preceding example Get-MBCAModel is used to return a list of all MBCA models that are
installed on the computer The results of the Get-MBCAModel cmdlet are piped to the Get-
MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both
supported by MBCA and installed on the computer at which the cmdlet is targeted
-------------------------- EXAMPLE 3 --------------------------
$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$resultDiscoveryDocument
Description
In the preceding example configuration data (in XML form) that was collected during the most recent
Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is
retrieved and stored as a property in the variable $result $resultDiscoveryDocument is of type
SystemXmlXmlDocument
-------------------------- EXAMPLE 4 --------------------------
Get-MBCAResult SQL2008R2BPA -Filter Noncompliant
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id and then applies a filter to show only Noncompliant
results
------------------------- EXAMPLE 5 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId Note that the parent model ID must be specified
to use the -SubModelId parameter
------------------------- EXAMPLE 6 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt -ComputerName ltServergt
-Context ltContext Model Idgt -RepositoryPath ltRepository Pathgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId The parent model ID is provided as required by
the -SubModelID parameter
The -Context parameter indicates that the administrator wants to see only those scan results that are in
the context of the model that is represented by Context Model Id for example only those results from
a SQL Server scan that specifically apply to another technology such as Web Server (IIS)
Page 54
The scan results are further narrowed to only those from a computer that is specified in the -
ComputerName parameter as Server and only those results found in the non-default results
repository that is represented by Repository Path
914 Set-MBCAResult
SYNOPSIS
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
SYNTAX
Set-MBCAResult [[-Exclude] ltBooleangt] [-Results] ltResultgtgt [[-
RepostitoryPath] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
The action specified in the cmdlet (Exclude for example) determines how the existing results of an
MBCA scan are updated Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet
to return a collection of scan results
You can apply filters to results that are returned by the Get-MBCAResult cmdlet and then pipe the
filtered collection of results to the Set-MBCAResult cmdlet specifying either to include or exclude
filtered scan results
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Exclude ltBooleangt
Excludes scan results from the results collection that were previously obtained by the Get-
MBCAResult command To exclude results by using the -Exclude parameter add the value $true
following the parameter as shown
-Exclude $true
To include results that have been excluded use the $false value for the -Exclude parameter
Required false
Position 2
Default value
Accept pipeline input false
Accept wildcard characters false
-RepostitoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet
modifies results from the default result repository
Required false
Page 55
Position 4
Default value
Accept pipeline input false
Accept wildcard characters false
-Results ltResultgtgt
Specifies the result collection to be updated by the Set-MBCAResult cmdlet The -Results
parameter is typically used to specify a filtered subset of scan results that has already been
stored in a variable the variable name is provided as the valid value for the -Results parameter
For example if you have created a variable $allPerformance to store all the Performance
category results for an MBCA scan of all models on a computer and you want to exclude those
Performance results from the complete collection of scan results you add the parameter -Results
$all Performance to a Set-MBCAResult cmdlet
For a more detailed example see the Examples section of the Help for this cmdlet
Required true
Position 3
Default value
Accept pipeline input true (ByValue)
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type ldquoget-
help about_commonparameters
NOTES
If the Set-MBCAResult command is cancelled before the results are written to a file the operation is
cancelled and the results file is not modified If cancellation occurs after the results file has been
modified the commands actions are carried out and the command cannot be cancelled
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -ModelId SQL2008R2BPA | Where $_Category -eq
Performance | Set-MBCAResult -Exclude $true
Description
The first section of the preceding example to the left of the first pipe character (|) uses the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is
represented by Model Id
The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those
scan results for which the category name is equal to Performance
The final section of the example following the second pipe character excludes the Performance
results that were filtered by the previous section of the example
-------------------------- EXAMPLE 2 --------------------------
$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath
CReposPath | Where $_Category -eq Policy
Page 56
Set-MBCAResult -Exclude $true -RepositoryPath CReposPath -Results
$rcPolicy
Description
The first line of the preceding example to the left of the pipe character (|) instructs the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is
represented by Specified Model Id from the specified non-default repository path
The second section of the example after the pipe character filters the results of the Get-MBCAResult
cmdlet to return only those scan results for which the category name is equal to (note the -eq option)
Policy The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet this
variable can be used in subsequent commands to represent those results
The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that
are stored in the $rcPolicy variable In this example the -Results parameter is added because the
administrator wants to exclude a specific subset of scan results for that model and has created the
variable $rcPolicy to represent that subset of results The repository root is specified in the second line
because the administrator wants to modify the results in the same non-default repository from which
the data in $rcPolicy was retrieved
915 MBCA Model Authoring
Further information about configuration and usage of MBCA models you can in the
MBCA_ModelAuthoringGuidedocx
Page 57
Did this paper help you Please give us your feedback Tell us on a scale of 1 (poor) to 5 (excellent)
how would you rate this paper and why have you given it this rating For example
Are you rating it high due to having good examples excellent screen shots clear writing or
another reason
Are you rating it low due to poor examples fuzzy screen shots or unclear writing
This feedback will help us improve the quality of white papers we release
Send feedback
Page 30
57 Installation
571 PowerShell error
After getting through the Pre-Reqs for BPA (PowerShell 20 MBCA NET Framework) you may hit
one of two scenarios when installing BPA
In all of the cases of an install failure you will see the following error
There is a problem with this Windows Installer package A program run as part of the setup did not
finish as expected Contact your support personnel or package vendor
In your Application Event Log for both of these scenarios you will also see the following entry
Log Name Application
Source MsiInstaller
Date 6102010 83818 AM
Event ID 11722
Task Category None
Level Error
Keywords Classic
User ltUsernamegt
Computer ltMachine namegt
Description
Product Microsoft SQL Server 2008 R2 BPA -- Error 1722 There is a problem
with this Windows Installer package A program run as part of the setup did
not finish as expected Contact your support personnel or package
vendor Action EnablePSRemoting location powershellexe command -NoLogo
-NoProfile -Command Enable-PSRemoting ndashforce
Page 31
This is an indicator that PowerShell is not configured You must run the following command
powershellexe -NoLogo -NoProfile -Command Enable-PSRemoting ndashforce
572 Workgroup or Non-Domain computer
In this scenario the Enable-PSRemoting command should execute fine from a PowerShell prompt
The actual error coming back from the PowerShell command within the Installer is ldquoAccess Deniedrdquo
To work around this issue you can do the following
1 Open a command prompt with Administrative Privileges
2 Change to the directory where the msi file resides
3 Type msiexec i ltMSI Namegt SKIPCA=1
4 MSI Name will either be SQL2008R2BPA_Setup32msi or SQL2008R2BPA_Setup64msi
depending on your platform
5 Once BPA is installed open a PowerShell prompt with Administrative Privileges
6 Execute the following commands
a Enable-PSRemoting
b winrm set winrmconfigwinrs ``MaxShellsPerUser=`10``
This should allow BPA to be successfully installed in the workgroup scenario
573 Kerberos Failure
This scenario is that you are failing with the above due to a Kerberos issue This particular issue could
actually show up after you have installed BPA depending on how you have configured your
environment
The issue stems from the fact that the Windows Remoting Windows Service uses the Network Service
account Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos As a
result it will be using the HOST Service Principal Name (SPN) that is on the Machine Account as it is
running under that context You may have an HTTP SPN that resides on a different account with that
host name For example if you are running an IIS Web Application such as SharePoint or if you are
using Reporting Services and the service account is set to a Domain User account instead of Network
Service or Local System If your URL of your application matches the machine name then your HTTP
SPN will be the same Thatrsquos where this problem comes in WinRM will stop working at that point and
give you a message similar to the following
Set-WSManQuickConfig WinRM cannot process the request The following error
occured while using Negotiate authentication An unknown security error
occurred
Possible causes are
-The user name or password specified are invalid
-Kerberos is used when no authentication method and no user name are
specified
-Kerberos accepts domain user names but not local user names
-The Service Principal Name (SPN) for the remote computer name and port
does not exist
-The client and remote computers are in different domains and there is no
trust between the two domains
After checking for the above issues try the following
-Check the Event Viewer for events related to authentication
-Change the authentication method add the destination computer to the
WinRM TrustedHosts configuration setting or use HTTPS transport
Note that computers in the TrustedHosts list might not be authenticated
-For more information about WinRM configuration run the following
Page 32
command winrm help config
At line50 char33
+ Set-WSManQuickConfig ltltltlt -force
+ CategoryInfo InvalidOperation () [Set-WSManQuickConfig]
InvalidOperationException
+ FullyQualifiedErrorId
WsManErrorMicrosoftWSManManagementSetWSManQuickConfigCommand
You can get this type of error from WinRM for muliple reasons The one that
we saw in our testing was the HTTP SPN scenario
If you do have an HTTP SPN defined on a Domain Account that is using the name of your machine
you have some options First you can follow the steps mentioned above to get BPA installed The
Enable-PSRemoting command will give you the above error You can temporarily remove the HTTP
SPN to get remoting enabled and then re-add the HTTP SPN
Once BPA is setup you will still not be able to run BPA if you put the HTTP SPN back in place You will
see the following when you attempt to perform a scan
This will occur regardless of which component you try to scan It could be the Engine Setup RS etchellip
One option to perform the scan successfully is to temporarily remove the HTTP SPN again run the
scan and then put the HTTP SPN back in place Another option but one that will probably require
further testing from your applicationrsquos end would be to run the application under a Host Header and
then your HTTP SPN would not include the machine name allowing BPA to run without issue
Page 33
6 RULES
Searching for ldquoSQL Server 20087 R2 BPArdquo at Microsoftcom reveals
Here is an example of one of these articles that talks about a rule to check for a recent ldquocleanrdquo
CHECKDB
Page 34
BPA works by measuring a rolersquos compliance with best practice rules in eight different categories of a
rolersquos effectiveness trustworthiness and reliability Results of measurements can be any of the three
severity levels described in the following table
Severity level Description
Noncompliant Noncompliant results are returned when a role does not satisfy the conditions of a rule
Compliant Compliant results are returned when a role satisfies the conditions of a rule
Warning Warning results are returned when a role is compliant as operating currently but may not satisfy the conditions of a
rule if changes are not made to its configuration or policy settings For example a scan of Remote Desktop Services
might show a warning result if a license server is unavailable to the role because even if no remote connections are
active at the time of the scan not having the license server prevents new remote connections from obtaining valid
client access licenses
Page 35
BPA rule categories
The following table describes the categories of best practice rules against which roles are measured
during a BPA scan
Category Name Description
Security Security rules are applied to measure a rolersquos relative risk for exposure to threats such as unauthorized or malicious
users or loss or theft of confidential or proprietary data
Performance Performance rules are applied to measure a rolersquos ability to process requests and perform its prescribed duties in
the enterprise within expected periods of time given the rolersquos workload
Configuration Configuration rules are applied to identify role settings that might require modification for the role to perform
optimally Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role
from performing its prescribed duties in an enterprise
Policy Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the
role to operate optimally and securely
Operation Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise
Predeployment Predeployment rules are applied before an installed role is deployed in the enterprise to let administrators to
evaluate whether best practices were satisfied before you use the role in production
Postdeployment Postdeployment rules are applied after all required services have started for a role and the role is running in the
enterprise
BPA Prerequisites BPA Prerequisite rules explain configuration settings policy settings and features that are required for the role
before BPA can apply specific rules from other categories A prerequisite in scan results indicates that an incorrect
setting a missing role role service or feature an incorrectly enabled or disabled policy a registry key setting or
other configuration has prevented BPA from applying one or more rules during a scan A prerequisite result does
not imply compliance or noncompliance It means that a rule could not be applied and therefore is not part of the
scan results
61 Engine Rules
Please find below a summary of the 74 Engine Rules with the links to the rule descriptions These rules
are checking that you have a secure resilient and well performing SQL configuration
Authentication Mode (httpsupportmicrosoftcomkb2028697)
Lightweight Pooling is enabled (httpsupportmicrosoftcomkb2160691)
Locks Configuration Not Dynamic (httpsupportmicrosoftcomkb2199576)
non-default network packet size in use (httpsupportmicrosoftcomkb2157175)
degree of parallelism not set to recommended value (httpsupportmicrosoftcomkb2023536)
Use Database Mail instead of SQL Mail (httpsupportmicrosoftcomkb2028584)
SQL Server Agent Proxy Account (httpsupportmicrosoftcomkb2160741)
SQL Login Password Policy Strength and password expiry
(httpsupportmicrosoftcomkb2028712)
Trustworthy Bit (httpsupportmicrosoftcomkb2183687)
Symmetric Keys Check (httpsupportmicrosoftcomkb2162020)
Asymmetric Keys Check (httpsupportmicrosoftcomkb2162020)
SQL Server installed on PDC BDC (httpsupportmicrosoftcomkb2032911)
Page 36
SQL Server Admin role membership check (httpsupportmicrosoftcomkb2184138)
Windows API calls intercepted (httpsupportmicrosoftcomkb2033238)
unsupported DotNET framework assemblies present (httpsupportmicrosoftcomkb2033344)
Disk partition starting offset may be incorrect (httpsupportmicrosoftcomkb2023571)
non-default max worker threads value configured (httpsupportmicrosoftcomkb2157129)
Guest Permissions (httpsupportmicrosoftcomkb2186935)
Data and Log files on the same volume (httpsupportmicrosoftcomkb2033523)
IO timeouts and IO controller errors detected (httpsupportmicrosoftcomkb2091098)
IO device errors detected (httpsupportmicrosoftcomkb2091098)
IO errors during page faults detected (httpsupportmicrosoftcomkb2091098)
cluster disk corruption encountered (httpsupportmicrosoftcomkb2091098)
disk defragmentation encountered corruption (httpsupportmicrosoftcomkb2091098)
failed IO requests detected (httpsupportmicrosoftcomkb2091098)
IO requests are successful when retried (httpsupportmicrosoftcomkb2015757)
IO Delay Problems reported by SQL Server (httpsupportmicrosoftcomkb2137408)
This system experienced unexpected shutdowns (httpsupportmicrosoftcomkb2091098)
tempdb corruption errors fix missing (httpsupportmicrosoftcomkb960770)
Critical SQL database inconsistency errors found (httpsupportmicrosoftcomkb2152734)
Logical consistency errors detected (httpsupportmicrosoftcomkb2152472)
Database have auto shrink option enabled (httpsupportmicrosoftcomkb2160663)
SQL Server Error logs are very big (httpsupportmicrosoftcomkb2199578)
incorrect affinity mask settings detected httpsupportmicrosoftcomkb2157114
Very low blocked process threshold setting detected httpsupportmicrosoftcomkb2157154
Potential security issue with legacy DTS stored procedures
httpsupportmicrosoftcomkb2202875
Winsock LSP loaded into SQL httpsupportmicrosoftcomkb2033448
Databases using simple recovery model httpsupportmicrosoftcomkb2137539
User database collation different from model httpsupportmicrosoftcomkb2026108
Database files and backups exist on the same volume httpsupportmicrosoftcomkb2027537
Databases have auto close option enabled httpsupportmicrosoftcomkb2160685
LSI SAS drivers needs update httpsupportmicrosoftcomkb2121098
SQL tempdb database not configured optimally httpsupportmicrosoftcomkb2154845
SQL Database file has sparse attribute set httpsupportmicrosoftcomkb2028447
Invalid startup parameters httpsupportmicrosoftcomkb2028433
MSDTC settings not configured optimally httpsupportmicrosoftcomkb2027550
sql incorrect results fix missing httpsupportmicrosoftcomkb971780
File System needs tuning for better FileStream performance
httpsupportmicrosoftcomkb2160002
linked server memory leak fix missing httpsupportmicrosoftcomkb971622EN-US
Windows service pack is not at recommended level httpsupportmicrosoftcomkb2121098
default extended event health session not in expected state
httpsupportmicrosoftcomkb2160570
TcpSysAndChimneyCheck httpsupportmicrosoftcomKB918483
FDHOST Launcher service is not configured properly httpsupportmicrosoftcomkb2160720
Unrecommended SQL Server Agent service account httpsupportmicrosoftcomkb2160720
A required Windows fix to avoid sparse file related problems is missing
httpsupportmicrosoftcomkb2002606
Page 37
Significant Portion of SQL Server Memory Has Been Paged Out
httpsupportmicrosoftcomkb2028324
Server Exception or Hang Detected on Server httpsupportmicrosoftcomkb2028589
Databases exist without CHECKSUM protection httpsupportmicrosoftcomkb2078345
backups outdated for databases httpsupportmicrosoftcomkb2027537
Database consistency check not current httpsupportmicrosoftcomkb2033590
SQL Server Memory settings are incorrect httpsupportmicrosoftcomKB918483EN-US
Autogrow Failed or took a long time httpsupportmicrosoftcomkb2091024
Storport driver fix from KBA 940467 missing httpsupportmicrosoftcomkb2121098
Storport driver fix from KBA 950903 missing httpsupportmicrosoftcomkb2121098
SQLCLR needs additional memory configuration httpsupportmicrosoftcomkb969962EN-US
Operating System files and drivers needs update for working set trimming
httpsupportmicrosoftcomkb2121098
Agent Token Replacement httpsupportmicrosoftcomkb2202637
Auditing Log in failures httpsupportmicrosoftcomkb2187161
Databases with high number of VLF present httpsupportmicrosoftcomkb2028436
Transparent Data Encryption Certificate httpsupportmicrosoftcomkb2201900
Permission on the Binn folder httpsupportmicrosoftcomkb2029023
Index Statistics Are Outdated
Server public permissions httpsupportmicrosoftcomkb2160698
Detected use of older versions of SQLNCLI httpsupportmicrosoftcomkb979779
62 AS Rules
Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions
Flight Recorder Enabled for SQL Server Analysis Services
httpsupportmicrosoftcomkb2128005
Excessive amount of memory preallocated to Analysis Services
httpsupportmicrosoftcomkb2027474
Server not configured for optimal concurrent query throughput
httpsupportmicrosoftcomkb2135031
Non standard value detected for Analysis Services memory configuration
httpsupportmicrosoftcomkb2027472
Process Thread Pool Max limit above recommended limit
httpsupportmicrosoftcomkb2134497
Process Thread Pool Minimum is below the recommended limit
httpsupportmicrosoftcomkb2134855
Server is running a build with a known regression httpsupportmicrosoftcomkb2157941
Slice not set on a ROLAP partition or a partition where proactive caching is enabled and
ROLAP storage ay occur httpsupportmicrosoftcomkb2027754
Server is ignoring duplicate key errors httpsupportmicrosoftcomkb2027761
No default member defined for non-aggregatable attribute
httpsupportmicrosoftcomkb2027769
UnknownMember set to hidden httpsupportmicrosoftcomkb2027628
Non-numeric key column for high cardinality attribute httpsupportmicrosoftcomkb2028138
Attribute hiearchy enabled for high cardinality non-key attribute
httpsupportmicrosoftcomkb2028143
ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition
detected httpsupportmicrosoftcomkb2132742
Page 38
Account or Time attribute types defined in a non-matching dimension type
httpsupportmicrosoftcomkb2157299
An Account or Time dimension has no matching attribute defined
httpsupportmicrosoftcomkb2027418
Dimension has no attribute defined with the same type
httpsupportmicrosoftcomkb2027443
Attribute Dimension type mismatch httpsupportmicrosoftcomkb2157327
Mismatched dimension attribute types detected in dimension
httpsupportmicrosoftcomkb2027459
Possible incorrect order of levels defined in hierarchy httpsupportmicrosoftcomkb2027460
Define attribute relationships as Rigid where possible httpsupportmicrosoftcomkb2027468
Redundant attribute relationships detected httpsupportmicrosoftcomkb2127437
Diamond-shape relationship detected httpsupportmicrosoftcomkb2127570
Non-Standard Attribute Relationship name detected httpsupportmicrosoftcomkb2127862
Proactive Caching set for dimension without a processing query
httpsupportmicrosoftcomkb2027541
No Time dimension detected httpsupportmicrosoftcomkb2027532
More than 3 parent-child dimensions with custom rollups defined
httpsupportmicrosoftcomkb2134431
Encountered a parent-child dimension with more than 500000 members
httpsupportmicrosoftcomkb2131918
Single attribute dimensions detected httpsupportmicrosoftcomkb2141654
Measure groups with zero dimensional overlap detected in cube
httpsupportmicrosoftcomkb2027609
Proactive Caching set for a partition without a processing query
Default measure for perspective not in the perspective
httpsupportmicrosoftcomkb2027603
Use MOLAP storage for dimensions that participate in semi-additive measure groups
httpsupportmicrosoftcomkb2135112
Measure group defined with no partition httpsupportmicrosoftcomkb2027545
63 RS Rules
RSWindowsNegotiate is missing from your configuration
httpsupportmicrosoftcomkb2145506
HTTP Logging is not enabled httpsupportmicrosoftcomkb2145909
Verbose logging is enabled httpsupportmicrosoftcomkb2146315
NTLM authentication may fail for local httpsupportmicrosoftcomkb2146369
Missing extended protection settings httpsupportmicrosoftcomkb2146062
64 IS Rules
Logging task missing for package httpsupportmicrosoftcomkb2027723
ActiveX Script task detected in package httpsupportmicrosoftcomkb2027712
Unrecommended Integration Services service account detected
httpsupportmicrosoftcomkb2027684
Integration Services logging table found in system database master and or msdb
httpsupportmicrosoftcomkb2027706
Integration Services memory dump detected httpsupportmicrosoftcomkb2027727
Page 39
65 Setup Rules
Unsupported Operating System Version Detected httpsupportmicrosoftcomkb2022909
WOW64 not supported for SQL Failover Clustering httpsupportmicrosoftcomkb2157198
Installer cache is missing for the SQL Installation httpsupportmicrosoftcomkb2015100
SQL Server WMI Provider Health Check
66 Replication Rules
Replication Timeout Alerts Type httpsupportmicrosoftcomkb2118349
Replication Pub and Sub out of sync (Data Validation) httpsupportmicrosoftcomkb2118386
Replication Pub and Sub out of sync (Constraint Violations)
httpsupportmicrosoftcomkb2118410
Replication Pub and Sub out of sync (Skipped Transactions)
httpsupportmicrosoftcomkb2194498
Merge Replication Health Check httpsupportmicrosoftcomkb2118445
Subscriptions Approaching Expiration httpgomicrosoftcomfwlinkLinkId=184483
Replication Cleanup and Retention Health Check httpsupportmicrosoftcomkb2118485
Replication Latency Threshold violations httpsupportmicrosoftcomkb2118425
Page 40
7 HOW TO DEAL WITH DEVIATIONS
Deviations from these Best Practices may indicate potential issues and configuration changes may be
necessary Make sure you have tested any intended changes in a test environment before deploying
them to a production environment You could also find deviations from Best Practices that are
acceptable or even necessary for your environment For example
SAP has its special Network Packet Size of 8 KB
Existing Non-Microsoft Clients ndash would require Mixed Mode Authentication
Page 41
8 MOTIVATION TO USE SQL BPA R2
Bob Ward explained in his Article ldquoWhy use SQL Server 2008 R2 BPA Case 1 Missing Updatesrdquo
the common pitfalls during maintenance and operation of SQL Server and how address them by using
the SQL BPA
In brief itrsquos a customer scenario where the customer is facing an issue after a major update to
SQL2008 After some troubleshooting and an update to a certain CU (that is meant to fix the issue) the
problem still occurs Bobs article states the common resulting consequences ndash the involvement of
Microsoft Support and the final solution ndash adding a needed traceflag
The good news in this story is that the customer would not have needed to go to all that effort if they
would have run the SQL BPA It would have told them about the update and instructed them to put the
traceflag in place BPA is a mechanism that proactively advises you and instructs you on dealing with
common known issues
Page 42
9 ADDITIONAL INFORMATION
91 PowerShell
To use the functionality of the Baseline Configuration Analyzer with PowerShell you must import this
module first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
The following commands are stored in this module
Get-MbcaModel
Get-MbcaResult
Invoke-MbcaModel
Set-MbcaResult
You get help of this command with the following syntax
Get-help ltcommandgt -full
911 Get-MBCAModel
SYNOPSIS
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer
SYNTAX
Get-MBCAModel [[-ModelId] ltstring[]gt] [[-SubModelId] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer If no parameter is
specified Get-MBCAModel returns all models that are installed on the computer If a model is specified
by using the -ModelId parameter information about the specified model is returned
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
The results of the Get-MBCAModel cmdlet include the following details about models
1 Branding information (manufacturer or company display names version number) that is found in
the model manifest
2 Dynamic parameters that are included with the model
3 Submodels that are included with the model
PARAMETERS
-ModelId ltstring[]gt
The -ModelId parameter specifies the ID of the MBCA model about which you want to view
details You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet with no parameters and targeted at a computer on which MBCA models are installed
Page 43
This parameter supports wild card characters
Required false
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you
want to view details You can obtain valid values for the -SubModelId parameter by running the
Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models
are installed Not all models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
Examples
Get-MBCAModel
In the preceding example Get-MBCAModel with no parameters added returns details about all MBCA
models that are installed on the computer
Get-MBCAModel -ModelId SQL2008R2BPA
The preceding example can be used to return details about the MBCA model that is specified in the -
ModelId parameter represented by Model Id
$model= Get-MBCAModel -ModelId SQL2008R2BPA
$modelParameters
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the Parameters property of the model details that were stored in the
$model object returns details about which parameters are supported by the model
Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId ltSubModel Idgt
The preceding example can be used to return details about the MBCA sub-model that is specified by
the -SubModelId parameter represented by SubModel Id Note that the -ModelId parameter is
required by the -SubModelId parameter
$model= Get-MBCAModel -ModelId SQL2008R2BPA
Page 44
$modelSubModels
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the SubModels property of the model details that were stored in the
$model object returns a list of the submodels of the model specified in the first line
912 Invoke-MBCAModel
SYNOPSIS
The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA)
scan for a specific model that is installed on your computer
SYNTAX
Invoke-MBCAModel [-ModelId] ltstringgt -SubModelId ltstringgt [-Authentication
ltAuthenticationMechanismgt] [-CertificateThumbprint ltstringgt] [-ComputerName
ltstring[]gt] [-ConfigurationName ltstringgt] [-Context ltstringgt] [-Credential
ltstringgt] [-Mode ltModeEnumgt] [-Port ltintgt] [-RepositoryPath ltstringgt] [-
ThrottleLimit ltintgt] [-UseSSL] [ltCommonParametersgt]
DESCRIPTION
The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer
(MBCA) scan for a specific model that is installed on your computer The model is specified either by
using the parameter -ModelId or by piping the results of the Get-MBCAModel cmdlet into an Invoke-
MBCAMode cmdlet
After the MBCA scan has been performed the results of the scan are available to be retrieved by Get-
MBCAResult cmdlet
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Authentication ltAuthenticationMechanismgt
Specifies the authentication mechanism that is used to authenticate the users credentials Valid
values include Default Basic CredSSP Digest Kerberos Negotiate and
NegotiateWithImplicitCredential The default value is Default
For more information about the -Authentication parameter type the following and then press
Enter
Get-Help Invoke-Command -Parameter Authentication
Required false
Position named
Default value Default
Accept pipeline input false
Accept wildcard characters false
-CertificateThumbprint ltstringgt
Page 45
Specifies the digital public key certificate (X509) of a user account that has rights to perform the
cmdlet action The valid value is the certificate thumbprint of the certificate
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Certificate Thumbprint
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific
computer by adding this parameter Valid values include NETBOS names IP addresses or fully-
qualified domain names of one or more computers in a comma-separated list To specify the local
computer type the computer name or localhost
All formats that are accepted by the -ComputerName parameter in Invoke-Command are
accepted
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ConfigurationName ltstringgt
Specifies the session configuration that is used for a new PSSession
Enter a configuration name or the fully-qualified resource URI for a session configuration
Session configuration data is found on the remote computer on which you want to run a cmdlet
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ConfigurationName
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
The -Context parameter lets you run scans on a submodel in the context of a specific model (one
that is different from the parent model of the submodel) For example an administrator might
want to run a scan on the Backend submodel of the SQL model but only those in the context
of a third model a technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
Page 46
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Credential ltstringgt
Specifies a user account that has permission to run this cmdlet The default value is the current
user
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Credential
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Mode ltModeEnumgt
The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered
documents or discovery The default is to perform both discovery and analysis or All
If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet both discovery and
analysis are performed during a scan
Valid values are Discovery Analysis and All
Required false
Position named
Default value All
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model that you want to scan You can
obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at
a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
Page 47
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-Port ltintgt
Specifies the network port on a remote computer on which you want to run a scan The default
value is port 80
For more information on this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Port
Required false
Position named
Default value 80
Accept pipeline input false
Accept wildcard characters false
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a pathname If the parameter is not used the cmdlet writes
results to the default result repository
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to
scan You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed Not all models have
submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ThrottleLimit ltintgt
Specifies the maximum number of concurrent connections that can be established to run the
cmdlet If you omit this parameter or enter a value of 0 the default value of 32 is used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ThrottleLimit
Required false
Page 48
Position named
Default value 32
Accept pipeline input false
Accept wildcard characters false
-UseSSL [ltSwitchParametergt]
Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer
By default SSL is not used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter UseSSL
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceInvokeBpaModelOutputgt
The output object encapsulates the results of the cmdlet that you entered It contains information such
as the MBCA model ID the success or failure of the cmdlet and other details
NOTES
If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C)
before the temporary results file is copied to its final location the temporary file is discarded and any
previous scan results file for the role are preserved The message Processing of Invoke-MBCAModel
cancelled by user is displayed if the command is cancelled before existing scan results files are
overwritten
If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel
cmdlet and the command is cancelled scans that were completed before the cancel command was
entered cannot be cancelled A scan in progress behaves as described above in the single-model scan
cancellation scenario Subsequent scans in the pipeline are cancelled
If a concurrent scan of the same model is attempted the cmdlet returns the following error message
Another scan for this MBCA model is in progress Only one scan is allowed at a time
-------------------------- EXAMPLE 1 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA
Description
The preceding example starts a MBCA scan on the model that is represented by ltModel Idgt
-------------------------- EXAMPLE 2 --------------------------
Page 49
Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name
redmondmicrosoftcom
Description
The preceding example starts an MBCA scan on the model ID that is specified by Model Id
The administrator starts the MBCA scan with additional model-specific parameters that are exposed by
the model (For an example of how to obtain model-specific parameters see the examples for the Get-
MBCAModel cmdlet)
For example to scan a model that requires model-specific parameters (such as -Scope and -Name) to
be passed to the command the administrator can specify the values of these model-specific
parameters with the Invoke-MBCAModel cmdlet
-------------------------- EXAMPLE 3 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The
cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion
of the scan
-------------------------- EXAMPLE 4 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath
ltRepository Pathgt
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The -
Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on
existing documents that are specified in the non-default repository path provided with the -Repository
Path parameter
-------------------------- EXAMPLE 5 --------------------------
Invoke-MBCAModel -Id ltModel Idgt -SubModelId ltSubModel Idgt -ComputerName
ltServergt -Context ltContext Model Idgt -RepositoryPath ltRespository Pathgt -
AsJob -Authentication ltAuthenticatonMechanismgt -Port ltPort Numbergt -UseSSL -
ThrottleLimit ltThrottle Limitgt
Description
The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id
and on the computer that is represented by Server
Because the administrator only wants to see results from the submodel that apply in the context of a
third model the administrator runs the scan within the context of the model ID that is specified in the -
Context parameter The cmdlet results are saved to the non-default repository path that is specified in
the -RepositoryPath parameter
Because the -AsJob parameter is added the scan runs in the background The -AsJob -
Authentication -Port -UseSSL and -ThrottleLimit parameters are passed through for use by the
Invoke-Command cmdlet to perform discovery on a remote computer For more information about
these parameters see the Help for the Invoke-Command cmdlet available in Windows PowerShell V2
913 Get-MBCAResult
SYNOPSIS
Page 50
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
SYNTAX
Get-MBCAResult [-ModelId] ltstringgt [[-CollectedConfiguration]] -SubModelId
ltstringgt [-ComputerName ltstring[]gt] [-Context ltstringgt] [-Filter
ltFilterEnumgt] [-RepositoryPath ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
To use the command add the -ModelId parameter and then specify the model ID for which you want
to view the most recent MBCA scan results or collected configuration data If you want to retrieve the
configuration data collected add the -CollectedConfiguration switch parameter
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-CollectedConfiguration [ltSwitchParametergt]
The -CollectedConfiguration parameter allows you to obtain the configuration data that was
collected for the most recent MBCA scan If this switch parameter is added to Get-MBCAResults
the cmdlet returns only the configuration data that was collected for a scan
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The -ComputerName parameter lets you obtain scan results that were collected for the most
recent MBCA scan of a submodel on a specific computer To specify the local computer type the
computer name or localhost Multiple values for -ComputerName can be separated by
commas
The -SubModelId parameter is required by the -ComputerName parameter
Valid values for the -ComputerName parameter include localhost a NET BIOS name an IP
address or a fully-qualified domain name (FQDN) of one or more computers in a comma-
separated list
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
Page 51
The -Context parameter lets you obtain scan results that were collected for the most recent
MBCA scan of a submodel in the context of a specific model (one that is different from the parent
model of the submodel) For example an administrator might want to display scan results for the
Backend submodel of the SQL model but only those in the context of a third model a
technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Filter ltFilterEnumgt
The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant
Noncompliant or All results Valid values are Noncompliant Compliant or All The default value
is All
The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan
results You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet obtains
results from the default result repository
Required false
Position named
Page 52
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you
want to view scan results You can obtain valid values for the -SubModelId parameter by running
the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed Not all
models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceResultgt OR
SystemXmlXmlDocument (if -CollectedData specified)
If you do not use the -CollectedConfiguration parameter verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Results
2 Attempting to get MBCA results for Model Id = 0
3 Completed getting MBCA results for Model Id = 0 Number of Results = 1
If you add the -CollectedConfiguration parameter to display configuration data that was used for a
scan verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Configuration Data
2 Attempting to get MBCA collected configuration data for Model Id = 0
3 Completed getting MBCA collected configuration data for Model Id = 0
NOTES
The Get-MBCAResult cmdlet must be run by a member of the Administrators group and it does not
start a new scan
Cancellation behaviour
Single Model - To cancel this cmdlet you must press Ctrl+C before the ResultCollection is displayed
on the console The operation is cancelled and results are not displayed on the console
Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models
the cmdlet generates only those results that were displayed on the console before the cancellation
Any subsequent results in the pipeline are cancelled and not displayed
Page 53
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -Id SQL2008R2BPA
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id
-------------------------- EXAMPLE 2 --------------------------
Get-MBCAModel | Get-MBCAResult
In the preceding example Get-MBCAModel is used to return a list of all MBCA models that are
installed on the computer The results of the Get-MBCAModel cmdlet are piped to the Get-
MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both
supported by MBCA and installed on the computer at which the cmdlet is targeted
-------------------------- EXAMPLE 3 --------------------------
$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$resultDiscoveryDocument
Description
In the preceding example configuration data (in XML form) that was collected during the most recent
Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is
retrieved and stored as a property in the variable $result $resultDiscoveryDocument is of type
SystemXmlXmlDocument
-------------------------- EXAMPLE 4 --------------------------
Get-MBCAResult SQL2008R2BPA -Filter Noncompliant
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id and then applies a filter to show only Noncompliant
results
------------------------- EXAMPLE 5 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId Note that the parent model ID must be specified
to use the -SubModelId parameter
------------------------- EXAMPLE 6 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt -ComputerName ltServergt
-Context ltContext Model Idgt -RepositoryPath ltRepository Pathgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId The parent model ID is provided as required by
the -SubModelID parameter
The -Context parameter indicates that the administrator wants to see only those scan results that are in
the context of the model that is represented by Context Model Id for example only those results from
a SQL Server scan that specifically apply to another technology such as Web Server (IIS)
Page 54
The scan results are further narrowed to only those from a computer that is specified in the -
ComputerName parameter as Server and only those results found in the non-default results
repository that is represented by Repository Path
914 Set-MBCAResult
SYNOPSIS
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
SYNTAX
Set-MBCAResult [[-Exclude] ltBooleangt] [-Results] ltResultgtgt [[-
RepostitoryPath] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
The action specified in the cmdlet (Exclude for example) determines how the existing results of an
MBCA scan are updated Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet
to return a collection of scan results
You can apply filters to results that are returned by the Get-MBCAResult cmdlet and then pipe the
filtered collection of results to the Set-MBCAResult cmdlet specifying either to include or exclude
filtered scan results
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Exclude ltBooleangt
Excludes scan results from the results collection that were previously obtained by the Get-
MBCAResult command To exclude results by using the -Exclude parameter add the value $true
following the parameter as shown
-Exclude $true
To include results that have been excluded use the $false value for the -Exclude parameter
Required false
Position 2
Default value
Accept pipeline input false
Accept wildcard characters false
-RepostitoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet
modifies results from the default result repository
Required false
Page 55
Position 4
Default value
Accept pipeline input false
Accept wildcard characters false
-Results ltResultgtgt
Specifies the result collection to be updated by the Set-MBCAResult cmdlet The -Results
parameter is typically used to specify a filtered subset of scan results that has already been
stored in a variable the variable name is provided as the valid value for the -Results parameter
For example if you have created a variable $allPerformance to store all the Performance
category results for an MBCA scan of all models on a computer and you want to exclude those
Performance results from the complete collection of scan results you add the parameter -Results
$all Performance to a Set-MBCAResult cmdlet
For a more detailed example see the Examples section of the Help for this cmdlet
Required true
Position 3
Default value
Accept pipeline input true (ByValue)
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type ldquoget-
help about_commonparameters
NOTES
If the Set-MBCAResult command is cancelled before the results are written to a file the operation is
cancelled and the results file is not modified If cancellation occurs after the results file has been
modified the commands actions are carried out and the command cannot be cancelled
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -ModelId SQL2008R2BPA | Where $_Category -eq
Performance | Set-MBCAResult -Exclude $true
Description
The first section of the preceding example to the left of the first pipe character (|) uses the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is
represented by Model Id
The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those
scan results for which the category name is equal to Performance
The final section of the example following the second pipe character excludes the Performance
results that were filtered by the previous section of the example
-------------------------- EXAMPLE 2 --------------------------
$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath
CReposPath | Where $_Category -eq Policy
Page 56
Set-MBCAResult -Exclude $true -RepositoryPath CReposPath -Results
$rcPolicy
Description
The first line of the preceding example to the left of the pipe character (|) instructs the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is
represented by Specified Model Id from the specified non-default repository path
The second section of the example after the pipe character filters the results of the Get-MBCAResult
cmdlet to return only those scan results for which the category name is equal to (note the -eq option)
Policy The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet this
variable can be used in subsequent commands to represent those results
The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that
are stored in the $rcPolicy variable In this example the -Results parameter is added because the
administrator wants to exclude a specific subset of scan results for that model and has created the
variable $rcPolicy to represent that subset of results The repository root is specified in the second line
because the administrator wants to modify the results in the same non-default repository from which
the data in $rcPolicy was retrieved
915 MBCA Model Authoring
Further information about configuration and usage of MBCA models you can in the
MBCA_ModelAuthoringGuidedocx
Page 57
Did this paper help you Please give us your feedback Tell us on a scale of 1 (poor) to 5 (excellent)
how would you rate this paper and why have you given it this rating For example
Are you rating it high due to having good examples excellent screen shots clear writing or
another reason
Are you rating it low due to poor examples fuzzy screen shots or unclear writing
This feedback will help us improve the quality of white papers we release
Send feedback
Page 31
This is an indicator that PowerShell is not configured You must run the following command
powershellexe -NoLogo -NoProfile -Command Enable-PSRemoting ndashforce
572 Workgroup or Non-Domain computer
In this scenario the Enable-PSRemoting command should execute fine from a PowerShell prompt
The actual error coming back from the PowerShell command within the Installer is ldquoAccess Deniedrdquo
To work around this issue you can do the following
1 Open a command prompt with Administrative Privileges
2 Change to the directory where the msi file resides
3 Type msiexec i ltMSI Namegt SKIPCA=1
4 MSI Name will either be SQL2008R2BPA_Setup32msi or SQL2008R2BPA_Setup64msi
depending on your platform
5 Once BPA is installed open a PowerShell prompt with Administrative Privileges
6 Execute the following commands
a Enable-PSRemoting
b winrm set winrmconfigwinrs ``MaxShellsPerUser=`10``
This should allow BPA to be successfully installed in the workgroup scenario
573 Kerberos Failure
This scenario is that you are failing with the above due to a Kerberos issue This particular issue could
actually show up after you have installed BPA depending on how you have configured your
environment
The issue stems from the fact that the Windows Remoting Windows Service uses the Network Service
account Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos As a
result it will be using the HOST Service Principal Name (SPN) that is on the Machine Account as it is
running under that context You may have an HTTP SPN that resides on a different account with that
host name For example if you are running an IIS Web Application such as SharePoint or if you are
using Reporting Services and the service account is set to a Domain User account instead of Network
Service or Local System If your URL of your application matches the machine name then your HTTP
SPN will be the same Thatrsquos where this problem comes in WinRM will stop working at that point and
give you a message similar to the following
Set-WSManQuickConfig WinRM cannot process the request The following error
occured while using Negotiate authentication An unknown security error
occurred
Possible causes are
-The user name or password specified are invalid
-Kerberos is used when no authentication method and no user name are
specified
-Kerberos accepts domain user names but not local user names
-The Service Principal Name (SPN) for the remote computer name and port
does not exist
-The client and remote computers are in different domains and there is no
trust between the two domains
After checking for the above issues try the following
-Check the Event Viewer for events related to authentication
-Change the authentication method add the destination computer to the
WinRM TrustedHosts configuration setting or use HTTPS transport
Note that computers in the TrustedHosts list might not be authenticated
-For more information about WinRM configuration run the following
Page 32
command winrm help config
At line50 char33
+ Set-WSManQuickConfig ltltltlt -force
+ CategoryInfo InvalidOperation () [Set-WSManQuickConfig]
InvalidOperationException
+ FullyQualifiedErrorId
WsManErrorMicrosoftWSManManagementSetWSManQuickConfigCommand
You can get this type of error from WinRM for muliple reasons The one that
we saw in our testing was the HTTP SPN scenario
If you do have an HTTP SPN defined on a Domain Account that is using the name of your machine
you have some options First you can follow the steps mentioned above to get BPA installed The
Enable-PSRemoting command will give you the above error You can temporarily remove the HTTP
SPN to get remoting enabled and then re-add the HTTP SPN
Once BPA is setup you will still not be able to run BPA if you put the HTTP SPN back in place You will
see the following when you attempt to perform a scan
This will occur regardless of which component you try to scan It could be the Engine Setup RS etchellip
One option to perform the scan successfully is to temporarily remove the HTTP SPN again run the
scan and then put the HTTP SPN back in place Another option but one that will probably require
further testing from your applicationrsquos end would be to run the application under a Host Header and
then your HTTP SPN would not include the machine name allowing BPA to run without issue
Page 33
6 RULES
Searching for ldquoSQL Server 20087 R2 BPArdquo at Microsoftcom reveals
Here is an example of one of these articles that talks about a rule to check for a recent ldquocleanrdquo
CHECKDB
Page 34
BPA works by measuring a rolersquos compliance with best practice rules in eight different categories of a
rolersquos effectiveness trustworthiness and reliability Results of measurements can be any of the three
severity levels described in the following table
Severity level Description
Noncompliant Noncompliant results are returned when a role does not satisfy the conditions of a rule
Compliant Compliant results are returned when a role satisfies the conditions of a rule
Warning Warning results are returned when a role is compliant as operating currently but may not satisfy the conditions of a
rule if changes are not made to its configuration or policy settings For example a scan of Remote Desktop Services
might show a warning result if a license server is unavailable to the role because even if no remote connections are
active at the time of the scan not having the license server prevents new remote connections from obtaining valid
client access licenses
Page 35
BPA rule categories
The following table describes the categories of best practice rules against which roles are measured
during a BPA scan
Category Name Description
Security Security rules are applied to measure a rolersquos relative risk for exposure to threats such as unauthorized or malicious
users or loss or theft of confidential or proprietary data
Performance Performance rules are applied to measure a rolersquos ability to process requests and perform its prescribed duties in
the enterprise within expected periods of time given the rolersquos workload
Configuration Configuration rules are applied to identify role settings that might require modification for the role to perform
optimally Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role
from performing its prescribed duties in an enterprise
Policy Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the
role to operate optimally and securely
Operation Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise
Predeployment Predeployment rules are applied before an installed role is deployed in the enterprise to let administrators to
evaluate whether best practices were satisfied before you use the role in production
Postdeployment Postdeployment rules are applied after all required services have started for a role and the role is running in the
enterprise
BPA Prerequisites BPA Prerequisite rules explain configuration settings policy settings and features that are required for the role
before BPA can apply specific rules from other categories A prerequisite in scan results indicates that an incorrect
setting a missing role role service or feature an incorrectly enabled or disabled policy a registry key setting or
other configuration has prevented BPA from applying one or more rules during a scan A prerequisite result does
not imply compliance or noncompliance It means that a rule could not be applied and therefore is not part of the
scan results
61 Engine Rules
Please find below a summary of the 74 Engine Rules with the links to the rule descriptions These rules
are checking that you have a secure resilient and well performing SQL configuration
Authentication Mode (httpsupportmicrosoftcomkb2028697)
Lightweight Pooling is enabled (httpsupportmicrosoftcomkb2160691)
Locks Configuration Not Dynamic (httpsupportmicrosoftcomkb2199576)
non-default network packet size in use (httpsupportmicrosoftcomkb2157175)
degree of parallelism not set to recommended value (httpsupportmicrosoftcomkb2023536)
Use Database Mail instead of SQL Mail (httpsupportmicrosoftcomkb2028584)
SQL Server Agent Proxy Account (httpsupportmicrosoftcomkb2160741)
SQL Login Password Policy Strength and password expiry
(httpsupportmicrosoftcomkb2028712)
Trustworthy Bit (httpsupportmicrosoftcomkb2183687)
Symmetric Keys Check (httpsupportmicrosoftcomkb2162020)
Asymmetric Keys Check (httpsupportmicrosoftcomkb2162020)
SQL Server installed on PDC BDC (httpsupportmicrosoftcomkb2032911)
Page 36
SQL Server Admin role membership check (httpsupportmicrosoftcomkb2184138)
Windows API calls intercepted (httpsupportmicrosoftcomkb2033238)
unsupported DotNET framework assemblies present (httpsupportmicrosoftcomkb2033344)
Disk partition starting offset may be incorrect (httpsupportmicrosoftcomkb2023571)
non-default max worker threads value configured (httpsupportmicrosoftcomkb2157129)
Guest Permissions (httpsupportmicrosoftcomkb2186935)
Data and Log files on the same volume (httpsupportmicrosoftcomkb2033523)
IO timeouts and IO controller errors detected (httpsupportmicrosoftcomkb2091098)
IO device errors detected (httpsupportmicrosoftcomkb2091098)
IO errors during page faults detected (httpsupportmicrosoftcomkb2091098)
cluster disk corruption encountered (httpsupportmicrosoftcomkb2091098)
disk defragmentation encountered corruption (httpsupportmicrosoftcomkb2091098)
failed IO requests detected (httpsupportmicrosoftcomkb2091098)
IO requests are successful when retried (httpsupportmicrosoftcomkb2015757)
IO Delay Problems reported by SQL Server (httpsupportmicrosoftcomkb2137408)
This system experienced unexpected shutdowns (httpsupportmicrosoftcomkb2091098)
tempdb corruption errors fix missing (httpsupportmicrosoftcomkb960770)
Critical SQL database inconsistency errors found (httpsupportmicrosoftcomkb2152734)
Logical consistency errors detected (httpsupportmicrosoftcomkb2152472)
Database have auto shrink option enabled (httpsupportmicrosoftcomkb2160663)
SQL Server Error logs are very big (httpsupportmicrosoftcomkb2199578)
incorrect affinity mask settings detected httpsupportmicrosoftcomkb2157114
Very low blocked process threshold setting detected httpsupportmicrosoftcomkb2157154
Potential security issue with legacy DTS stored procedures
httpsupportmicrosoftcomkb2202875
Winsock LSP loaded into SQL httpsupportmicrosoftcomkb2033448
Databases using simple recovery model httpsupportmicrosoftcomkb2137539
User database collation different from model httpsupportmicrosoftcomkb2026108
Database files and backups exist on the same volume httpsupportmicrosoftcomkb2027537
Databases have auto close option enabled httpsupportmicrosoftcomkb2160685
LSI SAS drivers needs update httpsupportmicrosoftcomkb2121098
SQL tempdb database not configured optimally httpsupportmicrosoftcomkb2154845
SQL Database file has sparse attribute set httpsupportmicrosoftcomkb2028447
Invalid startup parameters httpsupportmicrosoftcomkb2028433
MSDTC settings not configured optimally httpsupportmicrosoftcomkb2027550
sql incorrect results fix missing httpsupportmicrosoftcomkb971780
File System needs tuning for better FileStream performance
httpsupportmicrosoftcomkb2160002
linked server memory leak fix missing httpsupportmicrosoftcomkb971622EN-US
Windows service pack is not at recommended level httpsupportmicrosoftcomkb2121098
default extended event health session not in expected state
httpsupportmicrosoftcomkb2160570
TcpSysAndChimneyCheck httpsupportmicrosoftcomKB918483
FDHOST Launcher service is not configured properly httpsupportmicrosoftcomkb2160720
Unrecommended SQL Server Agent service account httpsupportmicrosoftcomkb2160720
A required Windows fix to avoid sparse file related problems is missing
httpsupportmicrosoftcomkb2002606
Page 37
Significant Portion of SQL Server Memory Has Been Paged Out
httpsupportmicrosoftcomkb2028324
Server Exception or Hang Detected on Server httpsupportmicrosoftcomkb2028589
Databases exist without CHECKSUM protection httpsupportmicrosoftcomkb2078345
backups outdated for databases httpsupportmicrosoftcomkb2027537
Database consistency check not current httpsupportmicrosoftcomkb2033590
SQL Server Memory settings are incorrect httpsupportmicrosoftcomKB918483EN-US
Autogrow Failed or took a long time httpsupportmicrosoftcomkb2091024
Storport driver fix from KBA 940467 missing httpsupportmicrosoftcomkb2121098
Storport driver fix from KBA 950903 missing httpsupportmicrosoftcomkb2121098
SQLCLR needs additional memory configuration httpsupportmicrosoftcomkb969962EN-US
Operating System files and drivers needs update for working set trimming
httpsupportmicrosoftcomkb2121098
Agent Token Replacement httpsupportmicrosoftcomkb2202637
Auditing Log in failures httpsupportmicrosoftcomkb2187161
Databases with high number of VLF present httpsupportmicrosoftcomkb2028436
Transparent Data Encryption Certificate httpsupportmicrosoftcomkb2201900
Permission on the Binn folder httpsupportmicrosoftcomkb2029023
Index Statistics Are Outdated
Server public permissions httpsupportmicrosoftcomkb2160698
Detected use of older versions of SQLNCLI httpsupportmicrosoftcomkb979779
62 AS Rules
Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions
Flight Recorder Enabled for SQL Server Analysis Services
httpsupportmicrosoftcomkb2128005
Excessive amount of memory preallocated to Analysis Services
httpsupportmicrosoftcomkb2027474
Server not configured for optimal concurrent query throughput
httpsupportmicrosoftcomkb2135031
Non standard value detected for Analysis Services memory configuration
httpsupportmicrosoftcomkb2027472
Process Thread Pool Max limit above recommended limit
httpsupportmicrosoftcomkb2134497
Process Thread Pool Minimum is below the recommended limit
httpsupportmicrosoftcomkb2134855
Server is running a build with a known regression httpsupportmicrosoftcomkb2157941
Slice not set on a ROLAP partition or a partition where proactive caching is enabled and
ROLAP storage ay occur httpsupportmicrosoftcomkb2027754
Server is ignoring duplicate key errors httpsupportmicrosoftcomkb2027761
No default member defined for non-aggregatable attribute
httpsupportmicrosoftcomkb2027769
UnknownMember set to hidden httpsupportmicrosoftcomkb2027628
Non-numeric key column for high cardinality attribute httpsupportmicrosoftcomkb2028138
Attribute hiearchy enabled for high cardinality non-key attribute
httpsupportmicrosoftcomkb2028143
ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition
detected httpsupportmicrosoftcomkb2132742
Page 38
Account or Time attribute types defined in a non-matching dimension type
httpsupportmicrosoftcomkb2157299
An Account or Time dimension has no matching attribute defined
httpsupportmicrosoftcomkb2027418
Dimension has no attribute defined with the same type
httpsupportmicrosoftcomkb2027443
Attribute Dimension type mismatch httpsupportmicrosoftcomkb2157327
Mismatched dimension attribute types detected in dimension
httpsupportmicrosoftcomkb2027459
Possible incorrect order of levels defined in hierarchy httpsupportmicrosoftcomkb2027460
Define attribute relationships as Rigid where possible httpsupportmicrosoftcomkb2027468
Redundant attribute relationships detected httpsupportmicrosoftcomkb2127437
Diamond-shape relationship detected httpsupportmicrosoftcomkb2127570
Non-Standard Attribute Relationship name detected httpsupportmicrosoftcomkb2127862
Proactive Caching set for dimension without a processing query
httpsupportmicrosoftcomkb2027541
No Time dimension detected httpsupportmicrosoftcomkb2027532
More than 3 parent-child dimensions with custom rollups defined
httpsupportmicrosoftcomkb2134431
Encountered a parent-child dimension with more than 500000 members
httpsupportmicrosoftcomkb2131918
Single attribute dimensions detected httpsupportmicrosoftcomkb2141654
Measure groups with zero dimensional overlap detected in cube
httpsupportmicrosoftcomkb2027609
Proactive Caching set for a partition without a processing query
Default measure for perspective not in the perspective
httpsupportmicrosoftcomkb2027603
Use MOLAP storage for dimensions that participate in semi-additive measure groups
httpsupportmicrosoftcomkb2135112
Measure group defined with no partition httpsupportmicrosoftcomkb2027545
63 RS Rules
RSWindowsNegotiate is missing from your configuration
httpsupportmicrosoftcomkb2145506
HTTP Logging is not enabled httpsupportmicrosoftcomkb2145909
Verbose logging is enabled httpsupportmicrosoftcomkb2146315
NTLM authentication may fail for local httpsupportmicrosoftcomkb2146369
Missing extended protection settings httpsupportmicrosoftcomkb2146062
64 IS Rules
Logging task missing for package httpsupportmicrosoftcomkb2027723
ActiveX Script task detected in package httpsupportmicrosoftcomkb2027712
Unrecommended Integration Services service account detected
httpsupportmicrosoftcomkb2027684
Integration Services logging table found in system database master and or msdb
httpsupportmicrosoftcomkb2027706
Integration Services memory dump detected httpsupportmicrosoftcomkb2027727
Page 39
65 Setup Rules
Unsupported Operating System Version Detected httpsupportmicrosoftcomkb2022909
WOW64 not supported for SQL Failover Clustering httpsupportmicrosoftcomkb2157198
Installer cache is missing for the SQL Installation httpsupportmicrosoftcomkb2015100
SQL Server WMI Provider Health Check
66 Replication Rules
Replication Timeout Alerts Type httpsupportmicrosoftcomkb2118349
Replication Pub and Sub out of sync (Data Validation) httpsupportmicrosoftcomkb2118386
Replication Pub and Sub out of sync (Constraint Violations)
httpsupportmicrosoftcomkb2118410
Replication Pub and Sub out of sync (Skipped Transactions)
httpsupportmicrosoftcomkb2194498
Merge Replication Health Check httpsupportmicrosoftcomkb2118445
Subscriptions Approaching Expiration httpgomicrosoftcomfwlinkLinkId=184483
Replication Cleanup and Retention Health Check httpsupportmicrosoftcomkb2118485
Replication Latency Threshold violations httpsupportmicrosoftcomkb2118425
Page 40
7 HOW TO DEAL WITH DEVIATIONS
Deviations from these Best Practices may indicate potential issues and configuration changes may be
necessary Make sure you have tested any intended changes in a test environment before deploying
them to a production environment You could also find deviations from Best Practices that are
acceptable or even necessary for your environment For example
SAP has its special Network Packet Size of 8 KB
Existing Non-Microsoft Clients ndash would require Mixed Mode Authentication
Page 41
8 MOTIVATION TO USE SQL BPA R2
Bob Ward explained in his Article ldquoWhy use SQL Server 2008 R2 BPA Case 1 Missing Updatesrdquo
the common pitfalls during maintenance and operation of SQL Server and how address them by using
the SQL BPA
In brief itrsquos a customer scenario where the customer is facing an issue after a major update to
SQL2008 After some troubleshooting and an update to a certain CU (that is meant to fix the issue) the
problem still occurs Bobs article states the common resulting consequences ndash the involvement of
Microsoft Support and the final solution ndash adding a needed traceflag
The good news in this story is that the customer would not have needed to go to all that effort if they
would have run the SQL BPA It would have told them about the update and instructed them to put the
traceflag in place BPA is a mechanism that proactively advises you and instructs you on dealing with
common known issues
Page 42
9 ADDITIONAL INFORMATION
91 PowerShell
To use the functionality of the Baseline Configuration Analyzer with PowerShell you must import this
module first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
The following commands are stored in this module
Get-MbcaModel
Get-MbcaResult
Invoke-MbcaModel
Set-MbcaResult
You get help of this command with the following syntax
Get-help ltcommandgt -full
911 Get-MBCAModel
SYNOPSIS
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer
SYNTAX
Get-MBCAModel [[-ModelId] ltstring[]gt] [[-SubModelId] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer If no parameter is
specified Get-MBCAModel returns all models that are installed on the computer If a model is specified
by using the -ModelId parameter information about the specified model is returned
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
The results of the Get-MBCAModel cmdlet include the following details about models
1 Branding information (manufacturer or company display names version number) that is found in
the model manifest
2 Dynamic parameters that are included with the model
3 Submodels that are included with the model
PARAMETERS
-ModelId ltstring[]gt
The -ModelId parameter specifies the ID of the MBCA model about which you want to view
details You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet with no parameters and targeted at a computer on which MBCA models are installed
Page 43
This parameter supports wild card characters
Required false
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you
want to view details You can obtain valid values for the -SubModelId parameter by running the
Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models
are installed Not all models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
Examples
Get-MBCAModel
In the preceding example Get-MBCAModel with no parameters added returns details about all MBCA
models that are installed on the computer
Get-MBCAModel -ModelId SQL2008R2BPA
The preceding example can be used to return details about the MBCA model that is specified in the -
ModelId parameter represented by Model Id
$model= Get-MBCAModel -ModelId SQL2008R2BPA
$modelParameters
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the Parameters property of the model details that were stored in the
$model object returns details about which parameters are supported by the model
Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId ltSubModel Idgt
The preceding example can be used to return details about the MBCA sub-model that is specified by
the -SubModelId parameter represented by SubModel Id Note that the -ModelId parameter is
required by the -SubModelId parameter
$model= Get-MBCAModel -ModelId SQL2008R2BPA
Page 44
$modelSubModels
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the SubModels property of the model details that were stored in the
$model object returns a list of the submodels of the model specified in the first line
912 Invoke-MBCAModel
SYNOPSIS
The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA)
scan for a specific model that is installed on your computer
SYNTAX
Invoke-MBCAModel [-ModelId] ltstringgt -SubModelId ltstringgt [-Authentication
ltAuthenticationMechanismgt] [-CertificateThumbprint ltstringgt] [-ComputerName
ltstring[]gt] [-ConfigurationName ltstringgt] [-Context ltstringgt] [-Credential
ltstringgt] [-Mode ltModeEnumgt] [-Port ltintgt] [-RepositoryPath ltstringgt] [-
ThrottleLimit ltintgt] [-UseSSL] [ltCommonParametersgt]
DESCRIPTION
The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer
(MBCA) scan for a specific model that is installed on your computer The model is specified either by
using the parameter -ModelId or by piping the results of the Get-MBCAModel cmdlet into an Invoke-
MBCAMode cmdlet
After the MBCA scan has been performed the results of the scan are available to be retrieved by Get-
MBCAResult cmdlet
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Authentication ltAuthenticationMechanismgt
Specifies the authentication mechanism that is used to authenticate the users credentials Valid
values include Default Basic CredSSP Digest Kerberos Negotiate and
NegotiateWithImplicitCredential The default value is Default
For more information about the -Authentication parameter type the following and then press
Enter
Get-Help Invoke-Command -Parameter Authentication
Required false
Position named
Default value Default
Accept pipeline input false
Accept wildcard characters false
-CertificateThumbprint ltstringgt
Page 45
Specifies the digital public key certificate (X509) of a user account that has rights to perform the
cmdlet action The valid value is the certificate thumbprint of the certificate
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Certificate Thumbprint
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific
computer by adding this parameter Valid values include NETBOS names IP addresses or fully-
qualified domain names of one or more computers in a comma-separated list To specify the local
computer type the computer name or localhost
All formats that are accepted by the -ComputerName parameter in Invoke-Command are
accepted
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ConfigurationName ltstringgt
Specifies the session configuration that is used for a new PSSession
Enter a configuration name or the fully-qualified resource URI for a session configuration
Session configuration data is found on the remote computer on which you want to run a cmdlet
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ConfigurationName
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
The -Context parameter lets you run scans on a submodel in the context of a specific model (one
that is different from the parent model of the submodel) For example an administrator might
want to run a scan on the Backend submodel of the SQL model but only those in the context
of a third model a technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
Page 46
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Credential ltstringgt
Specifies a user account that has permission to run this cmdlet The default value is the current
user
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Credential
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Mode ltModeEnumgt
The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered
documents or discovery The default is to perform both discovery and analysis or All
If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet both discovery and
analysis are performed during a scan
Valid values are Discovery Analysis and All
Required false
Position named
Default value All
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model that you want to scan You can
obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at
a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
Page 47
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-Port ltintgt
Specifies the network port on a remote computer on which you want to run a scan The default
value is port 80
For more information on this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Port
Required false
Position named
Default value 80
Accept pipeline input false
Accept wildcard characters false
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a pathname If the parameter is not used the cmdlet writes
results to the default result repository
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to
scan You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed Not all models have
submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ThrottleLimit ltintgt
Specifies the maximum number of concurrent connections that can be established to run the
cmdlet If you omit this parameter or enter a value of 0 the default value of 32 is used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ThrottleLimit
Required false
Page 48
Position named
Default value 32
Accept pipeline input false
Accept wildcard characters false
-UseSSL [ltSwitchParametergt]
Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer
By default SSL is not used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter UseSSL
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceInvokeBpaModelOutputgt
The output object encapsulates the results of the cmdlet that you entered It contains information such
as the MBCA model ID the success or failure of the cmdlet and other details
NOTES
If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C)
before the temporary results file is copied to its final location the temporary file is discarded and any
previous scan results file for the role are preserved The message Processing of Invoke-MBCAModel
cancelled by user is displayed if the command is cancelled before existing scan results files are
overwritten
If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel
cmdlet and the command is cancelled scans that were completed before the cancel command was
entered cannot be cancelled A scan in progress behaves as described above in the single-model scan
cancellation scenario Subsequent scans in the pipeline are cancelled
If a concurrent scan of the same model is attempted the cmdlet returns the following error message
Another scan for this MBCA model is in progress Only one scan is allowed at a time
-------------------------- EXAMPLE 1 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA
Description
The preceding example starts a MBCA scan on the model that is represented by ltModel Idgt
-------------------------- EXAMPLE 2 --------------------------
Page 49
Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name
redmondmicrosoftcom
Description
The preceding example starts an MBCA scan on the model ID that is specified by Model Id
The administrator starts the MBCA scan with additional model-specific parameters that are exposed by
the model (For an example of how to obtain model-specific parameters see the examples for the Get-
MBCAModel cmdlet)
For example to scan a model that requires model-specific parameters (such as -Scope and -Name) to
be passed to the command the administrator can specify the values of these model-specific
parameters with the Invoke-MBCAModel cmdlet
-------------------------- EXAMPLE 3 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The
cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion
of the scan
-------------------------- EXAMPLE 4 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath
ltRepository Pathgt
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The -
Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on
existing documents that are specified in the non-default repository path provided with the -Repository
Path parameter
-------------------------- EXAMPLE 5 --------------------------
Invoke-MBCAModel -Id ltModel Idgt -SubModelId ltSubModel Idgt -ComputerName
ltServergt -Context ltContext Model Idgt -RepositoryPath ltRespository Pathgt -
AsJob -Authentication ltAuthenticatonMechanismgt -Port ltPort Numbergt -UseSSL -
ThrottleLimit ltThrottle Limitgt
Description
The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id
and on the computer that is represented by Server
Because the administrator only wants to see results from the submodel that apply in the context of a
third model the administrator runs the scan within the context of the model ID that is specified in the -
Context parameter The cmdlet results are saved to the non-default repository path that is specified in
the -RepositoryPath parameter
Because the -AsJob parameter is added the scan runs in the background The -AsJob -
Authentication -Port -UseSSL and -ThrottleLimit parameters are passed through for use by the
Invoke-Command cmdlet to perform discovery on a remote computer For more information about
these parameters see the Help for the Invoke-Command cmdlet available in Windows PowerShell V2
913 Get-MBCAResult
SYNOPSIS
Page 50
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
SYNTAX
Get-MBCAResult [-ModelId] ltstringgt [[-CollectedConfiguration]] -SubModelId
ltstringgt [-ComputerName ltstring[]gt] [-Context ltstringgt] [-Filter
ltFilterEnumgt] [-RepositoryPath ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
To use the command add the -ModelId parameter and then specify the model ID for which you want
to view the most recent MBCA scan results or collected configuration data If you want to retrieve the
configuration data collected add the -CollectedConfiguration switch parameter
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-CollectedConfiguration [ltSwitchParametergt]
The -CollectedConfiguration parameter allows you to obtain the configuration data that was
collected for the most recent MBCA scan If this switch parameter is added to Get-MBCAResults
the cmdlet returns only the configuration data that was collected for a scan
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The -ComputerName parameter lets you obtain scan results that were collected for the most
recent MBCA scan of a submodel on a specific computer To specify the local computer type the
computer name or localhost Multiple values for -ComputerName can be separated by
commas
The -SubModelId parameter is required by the -ComputerName parameter
Valid values for the -ComputerName parameter include localhost a NET BIOS name an IP
address or a fully-qualified domain name (FQDN) of one or more computers in a comma-
separated list
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
Page 51
The -Context parameter lets you obtain scan results that were collected for the most recent
MBCA scan of a submodel in the context of a specific model (one that is different from the parent
model of the submodel) For example an administrator might want to display scan results for the
Backend submodel of the SQL model but only those in the context of a third model a
technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Filter ltFilterEnumgt
The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant
Noncompliant or All results Valid values are Noncompliant Compliant or All The default value
is All
The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan
results You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet obtains
results from the default result repository
Required false
Position named
Page 52
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you
want to view scan results You can obtain valid values for the -SubModelId parameter by running
the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed Not all
models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceResultgt OR
SystemXmlXmlDocument (if -CollectedData specified)
If you do not use the -CollectedConfiguration parameter verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Results
2 Attempting to get MBCA results for Model Id = 0
3 Completed getting MBCA results for Model Id = 0 Number of Results = 1
If you add the -CollectedConfiguration parameter to display configuration data that was used for a
scan verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Configuration Data
2 Attempting to get MBCA collected configuration data for Model Id = 0
3 Completed getting MBCA collected configuration data for Model Id = 0
NOTES
The Get-MBCAResult cmdlet must be run by a member of the Administrators group and it does not
start a new scan
Cancellation behaviour
Single Model - To cancel this cmdlet you must press Ctrl+C before the ResultCollection is displayed
on the console The operation is cancelled and results are not displayed on the console
Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models
the cmdlet generates only those results that were displayed on the console before the cancellation
Any subsequent results in the pipeline are cancelled and not displayed
Page 53
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -Id SQL2008R2BPA
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id
-------------------------- EXAMPLE 2 --------------------------
Get-MBCAModel | Get-MBCAResult
In the preceding example Get-MBCAModel is used to return a list of all MBCA models that are
installed on the computer The results of the Get-MBCAModel cmdlet are piped to the Get-
MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both
supported by MBCA and installed on the computer at which the cmdlet is targeted
-------------------------- EXAMPLE 3 --------------------------
$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$resultDiscoveryDocument
Description
In the preceding example configuration data (in XML form) that was collected during the most recent
Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is
retrieved and stored as a property in the variable $result $resultDiscoveryDocument is of type
SystemXmlXmlDocument
-------------------------- EXAMPLE 4 --------------------------
Get-MBCAResult SQL2008R2BPA -Filter Noncompliant
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id and then applies a filter to show only Noncompliant
results
------------------------- EXAMPLE 5 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId Note that the parent model ID must be specified
to use the -SubModelId parameter
------------------------- EXAMPLE 6 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt -ComputerName ltServergt
-Context ltContext Model Idgt -RepositoryPath ltRepository Pathgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId The parent model ID is provided as required by
the -SubModelID parameter
The -Context parameter indicates that the administrator wants to see only those scan results that are in
the context of the model that is represented by Context Model Id for example only those results from
a SQL Server scan that specifically apply to another technology such as Web Server (IIS)
Page 54
The scan results are further narrowed to only those from a computer that is specified in the -
ComputerName parameter as Server and only those results found in the non-default results
repository that is represented by Repository Path
914 Set-MBCAResult
SYNOPSIS
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
SYNTAX
Set-MBCAResult [[-Exclude] ltBooleangt] [-Results] ltResultgtgt [[-
RepostitoryPath] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
The action specified in the cmdlet (Exclude for example) determines how the existing results of an
MBCA scan are updated Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet
to return a collection of scan results
You can apply filters to results that are returned by the Get-MBCAResult cmdlet and then pipe the
filtered collection of results to the Set-MBCAResult cmdlet specifying either to include or exclude
filtered scan results
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Exclude ltBooleangt
Excludes scan results from the results collection that were previously obtained by the Get-
MBCAResult command To exclude results by using the -Exclude parameter add the value $true
following the parameter as shown
-Exclude $true
To include results that have been excluded use the $false value for the -Exclude parameter
Required false
Position 2
Default value
Accept pipeline input false
Accept wildcard characters false
-RepostitoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet
modifies results from the default result repository
Required false
Page 55
Position 4
Default value
Accept pipeline input false
Accept wildcard characters false
-Results ltResultgtgt
Specifies the result collection to be updated by the Set-MBCAResult cmdlet The -Results
parameter is typically used to specify a filtered subset of scan results that has already been
stored in a variable the variable name is provided as the valid value for the -Results parameter
For example if you have created a variable $allPerformance to store all the Performance
category results for an MBCA scan of all models on a computer and you want to exclude those
Performance results from the complete collection of scan results you add the parameter -Results
$all Performance to a Set-MBCAResult cmdlet
For a more detailed example see the Examples section of the Help for this cmdlet
Required true
Position 3
Default value
Accept pipeline input true (ByValue)
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type ldquoget-
help about_commonparameters
NOTES
If the Set-MBCAResult command is cancelled before the results are written to a file the operation is
cancelled and the results file is not modified If cancellation occurs after the results file has been
modified the commands actions are carried out and the command cannot be cancelled
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -ModelId SQL2008R2BPA | Where $_Category -eq
Performance | Set-MBCAResult -Exclude $true
Description
The first section of the preceding example to the left of the first pipe character (|) uses the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is
represented by Model Id
The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those
scan results for which the category name is equal to Performance
The final section of the example following the second pipe character excludes the Performance
results that were filtered by the previous section of the example
-------------------------- EXAMPLE 2 --------------------------
$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath
CReposPath | Where $_Category -eq Policy
Page 56
Set-MBCAResult -Exclude $true -RepositoryPath CReposPath -Results
$rcPolicy
Description
The first line of the preceding example to the left of the pipe character (|) instructs the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is
represented by Specified Model Id from the specified non-default repository path
The second section of the example after the pipe character filters the results of the Get-MBCAResult
cmdlet to return only those scan results for which the category name is equal to (note the -eq option)
Policy The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet this
variable can be used in subsequent commands to represent those results
The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that
are stored in the $rcPolicy variable In this example the -Results parameter is added because the
administrator wants to exclude a specific subset of scan results for that model and has created the
variable $rcPolicy to represent that subset of results The repository root is specified in the second line
because the administrator wants to modify the results in the same non-default repository from which
the data in $rcPolicy was retrieved
915 MBCA Model Authoring
Further information about configuration and usage of MBCA models you can in the
MBCA_ModelAuthoringGuidedocx
Page 57
Did this paper help you Please give us your feedback Tell us on a scale of 1 (poor) to 5 (excellent)
how would you rate this paper and why have you given it this rating For example
Are you rating it high due to having good examples excellent screen shots clear writing or
another reason
Are you rating it low due to poor examples fuzzy screen shots or unclear writing
This feedback will help us improve the quality of white papers we release
Send feedback
Page 32
command winrm help config
At line50 char33
+ Set-WSManQuickConfig ltltltlt -force
+ CategoryInfo InvalidOperation () [Set-WSManQuickConfig]
InvalidOperationException
+ FullyQualifiedErrorId
WsManErrorMicrosoftWSManManagementSetWSManQuickConfigCommand
You can get this type of error from WinRM for muliple reasons The one that
we saw in our testing was the HTTP SPN scenario
If you do have an HTTP SPN defined on a Domain Account that is using the name of your machine
you have some options First you can follow the steps mentioned above to get BPA installed The
Enable-PSRemoting command will give you the above error You can temporarily remove the HTTP
SPN to get remoting enabled and then re-add the HTTP SPN
Once BPA is setup you will still not be able to run BPA if you put the HTTP SPN back in place You will
see the following when you attempt to perform a scan
This will occur regardless of which component you try to scan It could be the Engine Setup RS etchellip
One option to perform the scan successfully is to temporarily remove the HTTP SPN again run the
scan and then put the HTTP SPN back in place Another option but one that will probably require
further testing from your applicationrsquos end would be to run the application under a Host Header and
then your HTTP SPN would not include the machine name allowing BPA to run without issue
Page 33
6 RULES
Searching for ldquoSQL Server 20087 R2 BPArdquo at Microsoftcom reveals
Here is an example of one of these articles that talks about a rule to check for a recent ldquocleanrdquo
CHECKDB
Page 34
BPA works by measuring a rolersquos compliance with best practice rules in eight different categories of a
rolersquos effectiveness trustworthiness and reliability Results of measurements can be any of the three
severity levels described in the following table
Severity level Description
Noncompliant Noncompliant results are returned when a role does not satisfy the conditions of a rule
Compliant Compliant results are returned when a role satisfies the conditions of a rule
Warning Warning results are returned when a role is compliant as operating currently but may not satisfy the conditions of a
rule if changes are not made to its configuration or policy settings For example a scan of Remote Desktop Services
might show a warning result if a license server is unavailable to the role because even if no remote connections are
active at the time of the scan not having the license server prevents new remote connections from obtaining valid
client access licenses
Page 35
BPA rule categories
The following table describes the categories of best practice rules against which roles are measured
during a BPA scan
Category Name Description
Security Security rules are applied to measure a rolersquos relative risk for exposure to threats such as unauthorized or malicious
users or loss or theft of confidential or proprietary data
Performance Performance rules are applied to measure a rolersquos ability to process requests and perform its prescribed duties in
the enterprise within expected periods of time given the rolersquos workload
Configuration Configuration rules are applied to identify role settings that might require modification for the role to perform
optimally Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role
from performing its prescribed duties in an enterprise
Policy Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the
role to operate optimally and securely
Operation Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise
Predeployment Predeployment rules are applied before an installed role is deployed in the enterprise to let administrators to
evaluate whether best practices were satisfied before you use the role in production
Postdeployment Postdeployment rules are applied after all required services have started for a role and the role is running in the
enterprise
BPA Prerequisites BPA Prerequisite rules explain configuration settings policy settings and features that are required for the role
before BPA can apply specific rules from other categories A prerequisite in scan results indicates that an incorrect
setting a missing role role service or feature an incorrectly enabled or disabled policy a registry key setting or
other configuration has prevented BPA from applying one or more rules during a scan A prerequisite result does
not imply compliance or noncompliance It means that a rule could not be applied and therefore is not part of the
scan results
61 Engine Rules
Please find below a summary of the 74 Engine Rules with the links to the rule descriptions These rules
are checking that you have a secure resilient and well performing SQL configuration
Authentication Mode (httpsupportmicrosoftcomkb2028697)
Lightweight Pooling is enabled (httpsupportmicrosoftcomkb2160691)
Locks Configuration Not Dynamic (httpsupportmicrosoftcomkb2199576)
non-default network packet size in use (httpsupportmicrosoftcomkb2157175)
degree of parallelism not set to recommended value (httpsupportmicrosoftcomkb2023536)
Use Database Mail instead of SQL Mail (httpsupportmicrosoftcomkb2028584)
SQL Server Agent Proxy Account (httpsupportmicrosoftcomkb2160741)
SQL Login Password Policy Strength and password expiry
(httpsupportmicrosoftcomkb2028712)
Trustworthy Bit (httpsupportmicrosoftcomkb2183687)
Symmetric Keys Check (httpsupportmicrosoftcomkb2162020)
Asymmetric Keys Check (httpsupportmicrosoftcomkb2162020)
SQL Server installed on PDC BDC (httpsupportmicrosoftcomkb2032911)
Page 36
SQL Server Admin role membership check (httpsupportmicrosoftcomkb2184138)
Windows API calls intercepted (httpsupportmicrosoftcomkb2033238)
unsupported DotNET framework assemblies present (httpsupportmicrosoftcomkb2033344)
Disk partition starting offset may be incorrect (httpsupportmicrosoftcomkb2023571)
non-default max worker threads value configured (httpsupportmicrosoftcomkb2157129)
Guest Permissions (httpsupportmicrosoftcomkb2186935)
Data and Log files on the same volume (httpsupportmicrosoftcomkb2033523)
IO timeouts and IO controller errors detected (httpsupportmicrosoftcomkb2091098)
IO device errors detected (httpsupportmicrosoftcomkb2091098)
IO errors during page faults detected (httpsupportmicrosoftcomkb2091098)
cluster disk corruption encountered (httpsupportmicrosoftcomkb2091098)
disk defragmentation encountered corruption (httpsupportmicrosoftcomkb2091098)
failed IO requests detected (httpsupportmicrosoftcomkb2091098)
IO requests are successful when retried (httpsupportmicrosoftcomkb2015757)
IO Delay Problems reported by SQL Server (httpsupportmicrosoftcomkb2137408)
This system experienced unexpected shutdowns (httpsupportmicrosoftcomkb2091098)
tempdb corruption errors fix missing (httpsupportmicrosoftcomkb960770)
Critical SQL database inconsistency errors found (httpsupportmicrosoftcomkb2152734)
Logical consistency errors detected (httpsupportmicrosoftcomkb2152472)
Database have auto shrink option enabled (httpsupportmicrosoftcomkb2160663)
SQL Server Error logs are very big (httpsupportmicrosoftcomkb2199578)
incorrect affinity mask settings detected httpsupportmicrosoftcomkb2157114
Very low blocked process threshold setting detected httpsupportmicrosoftcomkb2157154
Potential security issue with legacy DTS stored procedures
httpsupportmicrosoftcomkb2202875
Winsock LSP loaded into SQL httpsupportmicrosoftcomkb2033448
Databases using simple recovery model httpsupportmicrosoftcomkb2137539
User database collation different from model httpsupportmicrosoftcomkb2026108
Database files and backups exist on the same volume httpsupportmicrosoftcomkb2027537
Databases have auto close option enabled httpsupportmicrosoftcomkb2160685
LSI SAS drivers needs update httpsupportmicrosoftcomkb2121098
SQL tempdb database not configured optimally httpsupportmicrosoftcomkb2154845
SQL Database file has sparse attribute set httpsupportmicrosoftcomkb2028447
Invalid startup parameters httpsupportmicrosoftcomkb2028433
MSDTC settings not configured optimally httpsupportmicrosoftcomkb2027550
sql incorrect results fix missing httpsupportmicrosoftcomkb971780
File System needs tuning for better FileStream performance
httpsupportmicrosoftcomkb2160002
linked server memory leak fix missing httpsupportmicrosoftcomkb971622EN-US
Windows service pack is not at recommended level httpsupportmicrosoftcomkb2121098
default extended event health session not in expected state
httpsupportmicrosoftcomkb2160570
TcpSysAndChimneyCheck httpsupportmicrosoftcomKB918483
FDHOST Launcher service is not configured properly httpsupportmicrosoftcomkb2160720
Unrecommended SQL Server Agent service account httpsupportmicrosoftcomkb2160720
A required Windows fix to avoid sparse file related problems is missing
httpsupportmicrosoftcomkb2002606
Page 37
Significant Portion of SQL Server Memory Has Been Paged Out
httpsupportmicrosoftcomkb2028324
Server Exception or Hang Detected on Server httpsupportmicrosoftcomkb2028589
Databases exist without CHECKSUM protection httpsupportmicrosoftcomkb2078345
backups outdated for databases httpsupportmicrosoftcomkb2027537
Database consistency check not current httpsupportmicrosoftcomkb2033590
SQL Server Memory settings are incorrect httpsupportmicrosoftcomKB918483EN-US
Autogrow Failed or took a long time httpsupportmicrosoftcomkb2091024
Storport driver fix from KBA 940467 missing httpsupportmicrosoftcomkb2121098
Storport driver fix from KBA 950903 missing httpsupportmicrosoftcomkb2121098
SQLCLR needs additional memory configuration httpsupportmicrosoftcomkb969962EN-US
Operating System files and drivers needs update for working set trimming
httpsupportmicrosoftcomkb2121098
Agent Token Replacement httpsupportmicrosoftcomkb2202637
Auditing Log in failures httpsupportmicrosoftcomkb2187161
Databases with high number of VLF present httpsupportmicrosoftcomkb2028436
Transparent Data Encryption Certificate httpsupportmicrosoftcomkb2201900
Permission on the Binn folder httpsupportmicrosoftcomkb2029023
Index Statistics Are Outdated
Server public permissions httpsupportmicrosoftcomkb2160698
Detected use of older versions of SQLNCLI httpsupportmicrosoftcomkb979779
62 AS Rules
Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions
Flight Recorder Enabled for SQL Server Analysis Services
httpsupportmicrosoftcomkb2128005
Excessive amount of memory preallocated to Analysis Services
httpsupportmicrosoftcomkb2027474
Server not configured for optimal concurrent query throughput
httpsupportmicrosoftcomkb2135031
Non standard value detected for Analysis Services memory configuration
httpsupportmicrosoftcomkb2027472
Process Thread Pool Max limit above recommended limit
httpsupportmicrosoftcomkb2134497
Process Thread Pool Minimum is below the recommended limit
httpsupportmicrosoftcomkb2134855
Server is running a build with a known regression httpsupportmicrosoftcomkb2157941
Slice not set on a ROLAP partition or a partition where proactive caching is enabled and
ROLAP storage ay occur httpsupportmicrosoftcomkb2027754
Server is ignoring duplicate key errors httpsupportmicrosoftcomkb2027761
No default member defined for non-aggregatable attribute
httpsupportmicrosoftcomkb2027769
UnknownMember set to hidden httpsupportmicrosoftcomkb2027628
Non-numeric key column for high cardinality attribute httpsupportmicrosoftcomkb2028138
Attribute hiearchy enabled for high cardinality non-key attribute
httpsupportmicrosoftcomkb2028143
ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition
detected httpsupportmicrosoftcomkb2132742
Page 38
Account or Time attribute types defined in a non-matching dimension type
httpsupportmicrosoftcomkb2157299
An Account or Time dimension has no matching attribute defined
httpsupportmicrosoftcomkb2027418
Dimension has no attribute defined with the same type
httpsupportmicrosoftcomkb2027443
Attribute Dimension type mismatch httpsupportmicrosoftcomkb2157327
Mismatched dimension attribute types detected in dimension
httpsupportmicrosoftcomkb2027459
Possible incorrect order of levels defined in hierarchy httpsupportmicrosoftcomkb2027460
Define attribute relationships as Rigid where possible httpsupportmicrosoftcomkb2027468
Redundant attribute relationships detected httpsupportmicrosoftcomkb2127437
Diamond-shape relationship detected httpsupportmicrosoftcomkb2127570
Non-Standard Attribute Relationship name detected httpsupportmicrosoftcomkb2127862
Proactive Caching set for dimension without a processing query
httpsupportmicrosoftcomkb2027541
No Time dimension detected httpsupportmicrosoftcomkb2027532
More than 3 parent-child dimensions with custom rollups defined
httpsupportmicrosoftcomkb2134431
Encountered a parent-child dimension with more than 500000 members
httpsupportmicrosoftcomkb2131918
Single attribute dimensions detected httpsupportmicrosoftcomkb2141654
Measure groups with zero dimensional overlap detected in cube
httpsupportmicrosoftcomkb2027609
Proactive Caching set for a partition without a processing query
Default measure for perspective not in the perspective
httpsupportmicrosoftcomkb2027603
Use MOLAP storage for dimensions that participate in semi-additive measure groups
httpsupportmicrosoftcomkb2135112
Measure group defined with no partition httpsupportmicrosoftcomkb2027545
63 RS Rules
RSWindowsNegotiate is missing from your configuration
httpsupportmicrosoftcomkb2145506
HTTP Logging is not enabled httpsupportmicrosoftcomkb2145909
Verbose logging is enabled httpsupportmicrosoftcomkb2146315
NTLM authentication may fail for local httpsupportmicrosoftcomkb2146369
Missing extended protection settings httpsupportmicrosoftcomkb2146062
64 IS Rules
Logging task missing for package httpsupportmicrosoftcomkb2027723
ActiveX Script task detected in package httpsupportmicrosoftcomkb2027712
Unrecommended Integration Services service account detected
httpsupportmicrosoftcomkb2027684
Integration Services logging table found in system database master and or msdb
httpsupportmicrosoftcomkb2027706
Integration Services memory dump detected httpsupportmicrosoftcomkb2027727
Page 39
65 Setup Rules
Unsupported Operating System Version Detected httpsupportmicrosoftcomkb2022909
WOW64 not supported for SQL Failover Clustering httpsupportmicrosoftcomkb2157198
Installer cache is missing for the SQL Installation httpsupportmicrosoftcomkb2015100
SQL Server WMI Provider Health Check
66 Replication Rules
Replication Timeout Alerts Type httpsupportmicrosoftcomkb2118349
Replication Pub and Sub out of sync (Data Validation) httpsupportmicrosoftcomkb2118386
Replication Pub and Sub out of sync (Constraint Violations)
httpsupportmicrosoftcomkb2118410
Replication Pub and Sub out of sync (Skipped Transactions)
httpsupportmicrosoftcomkb2194498
Merge Replication Health Check httpsupportmicrosoftcomkb2118445
Subscriptions Approaching Expiration httpgomicrosoftcomfwlinkLinkId=184483
Replication Cleanup and Retention Health Check httpsupportmicrosoftcomkb2118485
Replication Latency Threshold violations httpsupportmicrosoftcomkb2118425
Page 40
7 HOW TO DEAL WITH DEVIATIONS
Deviations from these Best Practices may indicate potential issues and configuration changes may be
necessary Make sure you have tested any intended changes in a test environment before deploying
them to a production environment You could also find deviations from Best Practices that are
acceptable or even necessary for your environment For example
SAP has its special Network Packet Size of 8 KB
Existing Non-Microsoft Clients ndash would require Mixed Mode Authentication
Page 41
8 MOTIVATION TO USE SQL BPA R2
Bob Ward explained in his Article ldquoWhy use SQL Server 2008 R2 BPA Case 1 Missing Updatesrdquo
the common pitfalls during maintenance and operation of SQL Server and how address them by using
the SQL BPA
In brief itrsquos a customer scenario where the customer is facing an issue after a major update to
SQL2008 After some troubleshooting and an update to a certain CU (that is meant to fix the issue) the
problem still occurs Bobs article states the common resulting consequences ndash the involvement of
Microsoft Support and the final solution ndash adding a needed traceflag
The good news in this story is that the customer would not have needed to go to all that effort if they
would have run the SQL BPA It would have told them about the update and instructed them to put the
traceflag in place BPA is a mechanism that proactively advises you and instructs you on dealing with
common known issues
Page 42
9 ADDITIONAL INFORMATION
91 PowerShell
To use the functionality of the Baseline Configuration Analyzer with PowerShell you must import this
module first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
The following commands are stored in this module
Get-MbcaModel
Get-MbcaResult
Invoke-MbcaModel
Set-MbcaResult
You get help of this command with the following syntax
Get-help ltcommandgt -full
911 Get-MBCAModel
SYNOPSIS
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer
SYNTAX
Get-MBCAModel [[-ModelId] ltstring[]gt] [[-SubModelId] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer If no parameter is
specified Get-MBCAModel returns all models that are installed on the computer If a model is specified
by using the -ModelId parameter information about the specified model is returned
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
The results of the Get-MBCAModel cmdlet include the following details about models
1 Branding information (manufacturer or company display names version number) that is found in
the model manifest
2 Dynamic parameters that are included with the model
3 Submodels that are included with the model
PARAMETERS
-ModelId ltstring[]gt
The -ModelId parameter specifies the ID of the MBCA model about which you want to view
details You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet with no parameters and targeted at a computer on which MBCA models are installed
Page 43
This parameter supports wild card characters
Required false
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you
want to view details You can obtain valid values for the -SubModelId parameter by running the
Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models
are installed Not all models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
Examples
Get-MBCAModel
In the preceding example Get-MBCAModel with no parameters added returns details about all MBCA
models that are installed on the computer
Get-MBCAModel -ModelId SQL2008R2BPA
The preceding example can be used to return details about the MBCA model that is specified in the -
ModelId parameter represented by Model Id
$model= Get-MBCAModel -ModelId SQL2008R2BPA
$modelParameters
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the Parameters property of the model details that were stored in the
$model object returns details about which parameters are supported by the model
Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId ltSubModel Idgt
The preceding example can be used to return details about the MBCA sub-model that is specified by
the -SubModelId parameter represented by SubModel Id Note that the -ModelId parameter is
required by the -SubModelId parameter
$model= Get-MBCAModel -ModelId SQL2008R2BPA
Page 44
$modelSubModels
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the SubModels property of the model details that were stored in the
$model object returns a list of the submodels of the model specified in the first line
912 Invoke-MBCAModel
SYNOPSIS
The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA)
scan for a specific model that is installed on your computer
SYNTAX
Invoke-MBCAModel [-ModelId] ltstringgt -SubModelId ltstringgt [-Authentication
ltAuthenticationMechanismgt] [-CertificateThumbprint ltstringgt] [-ComputerName
ltstring[]gt] [-ConfigurationName ltstringgt] [-Context ltstringgt] [-Credential
ltstringgt] [-Mode ltModeEnumgt] [-Port ltintgt] [-RepositoryPath ltstringgt] [-
ThrottleLimit ltintgt] [-UseSSL] [ltCommonParametersgt]
DESCRIPTION
The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer
(MBCA) scan for a specific model that is installed on your computer The model is specified either by
using the parameter -ModelId or by piping the results of the Get-MBCAModel cmdlet into an Invoke-
MBCAMode cmdlet
After the MBCA scan has been performed the results of the scan are available to be retrieved by Get-
MBCAResult cmdlet
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Authentication ltAuthenticationMechanismgt
Specifies the authentication mechanism that is used to authenticate the users credentials Valid
values include Default Basic CredSSP Digest Kerberos Negotiate and
NegotiateWithImplicitCredential The default value is Default
For more information about the -Authentication parameter type the following and then press
Enter
Get-Help Invoke-Command -Parameter Authentication
Required false
Position named
Default value Default
Accept pipeline input false
Accept wildcard characters false
-CertificateThumbprint ltstringgt
Page 45
Specifies the digital public key certificate (X509) of a user account that has rights to perform the
cmdlet action The valid value is the certificate thumbprint of the certificate
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Certificate Thumbprint
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific
computer by adding this parameter Valid values include NETBOS names IP addresses or fully-
qualified domain names of one or more computers in a comma-separated list To specify the local
computer type the computer name or localhost
All formats that are accepted by the -ComputerName parameter in Invoke-Command are
accepted
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ConfigurationName ltstringgt
Specifies the session configuration that is used for a new PSSession
Enter a configuration name or the fully-qualified resource URI for a session configuration
Session configuration data is found on the remote computer on which you want to run a cmdlet
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ConfigurationName
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
The -Context parameter lets you run scans on a submodel in the context of a specific model (one
that is different from the parent model of the submodel) For example an administrator might
want to run a scan on the Backend submodel of the SQL model but only those in the context
of a third model a technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
Page 46
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Credential ltstringgt
Specifies a user account that has permission to run this cmdlet The default value is the current
user
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Credential
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Mode ltModeEnumgt
The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered
documents or discovery The default is to perform both discovery and analysis or All
If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet both discovery and
analysis are performed during a scan
Valid values are Discovery Analysis and All
Required false
Position named
Default value All
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model that you want to scan You can
obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at
a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
Page 47
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-Port ltintgt
Specifies the network port on a remote computer on which you want to run a scan The default
value is port 80
For more information on this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Port
Required false
Position named
Default value 80
Accept pipeline input false
Accept wildcard characters false
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a pathname If the parameter is not used the cmdlet writes
results to the default result repository
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to
scan You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed Not all models have
submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ThrottleLimit ltintgt
Specifies the maximum number of concurrent connections that can be established to run the
cmdlet If you omit this parameter or enter a value of 0 the default value of 32 is used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ThrottleLimit
Required false
Page 48
Position named
Default value 32
Accept pipeline input false
Accept wildcard characters false
-UseSSL [ltSwitchParametergt]
Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer
By default SSL is not used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter UseSSL
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceInvokeBpaModelOutputgt
The output object encapsulates the results of the cmdlet that you entered It contains information such
as the MBCA model ID the success or failure of the cmdlet and other details
NOTES
If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C)
before the temporary results file is copied to its final location the temporary file is discarded and any
previous scan results file for the role are preserved The message Processing of Invoke-MBCAModel
cancelled by user is displayed if the command is cancelled before existing scan results files are
overwritten
If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel
cmdlet and the command is cancelled scans that were completed before the cancel command was
entered cannot be cancelled A scan in progress behaves as described above in the single-model scan
cancellation scenario Subsequent scans in the pipeline are cancelled
If a concurrent scan of the same model is attempted the cmdlet returns the following error message
Another scan for this MBCA model is in progress Only one scan is allowed at a time
-------------------------- EXAMPLE 1 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA
Description
The preceding example starts a MBCA scan on the model that is represented by ltModel Idgt
-------------------------- EXAMPLE 2 --------------------------
Page 49
Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name
redmondmicrosoftcom
Description
The preceding example starts an MBCA scan on the model ID that is specified by Model Id
The administrator starts the MBCA scan with additional model-specific parameters that are exposed by
the model (For an example of how to obtain model-specific parameters see the examples for the Get-
MBCAModel cmdlet)
For example to scan a model that requires model-specific parameters (such as -Scope and -Name) to
be passed to the command the administrator can specify the values of these model-specific
parameters with the Invoke-MBCAModel cmdlet
-------------------------- EXAMPLE 3 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The
cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion
of the scan
-------------------------- EXAMPLE 4 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath
ltRepository Pathgt
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The -
Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on
existing documents that are specified in the non-default repository path provided with the -Repository
Path parameter
-------------------------- EXAMPLE 5 --------------------------
Invoke-MBCAModel -Id ltModel Idgt -SubModelId ltSubModel Idgt -ComputerName
ltServergt -Context ltContext Model Idgt -RepositoryPath ltRespository Pathgt -
AsJob -Authentication ltAuthenticatonMechanismgt -Port ltPort Numbergt -UseSSL -
ThrottleLimit ltThrottle Limitgt
Description
The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id
and on the computer that is represented by Server
Because the administrator only wants to see results from the submodel that apply in the context of a
third model the administrator runs the scan within the context of the model ID that is specified in the -
Context parameter The cmdlet results are saved to the non-default repository path that is specified in
the -RepositoryPath parameter
Because the -AsJob parameter is added the scan runs in the background The -AsJob -
Authentication -Port -UseSSL and -ThrottleLimit parameters are passed through for use by the
Invoke-Command cmdlet to perform discovery on a remote computer For more information about
these parameters see the Help for the Invoke-Command cmdlet available in Windows PowerShell V2
913 Get-MBCAResult
SYNOPSIS
Page 50
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
SYNTAX
Get-MBCAResult [-ModelId] ltstringgt [[-CollectedConfiguration]] -SubModelId
ltstringgt [-ComputerName ltstring[]gt] [-Context ltstringgt] [-Filter
ltFilterEnumgt] [-RepositoryPath ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
To use the command add the -ModelId parameter and then specify the model ID for which you want
to view the most recent MBCA scan results or collected configuration data If you want to retrieve the
configuration data collected add the -CollectedConfiguration switch parameter
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-CollectedConfiguration [ltSwitchParametergt]
The -CollectedConfiguration parameter allows you to obtain the configuration data that was
collected for the most recent MBCA scan If this switch parameter is added to Get-MBCAResults
the cmdlet returns only the configuration data that was collected for a scan
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The -ComputerName parameter lets you obtain scan results that were collected for the most
recent MBCA scan of a submodel on a specific computer To specify the local computer type the
computer name or localhost Multiple values for -ComputerName can be separated by
commas
The -SubModelId parameter is required by the -ComputerName parameter
Valid values for the -ComputerName parameter include localhost a NET BIOS name an IP
address or a fully-qualified domain name (FQDN) of one or more computers in a comma-
separated list
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
Page 51
The -Context parameter lets you obtain scan results that were collected for the most recent
MBCA scan of a submodel in the context of a specific model (one that is different from the parent
model of the submodel) For example an administrator might want to display scan results for the
Backend submodel of the SQL model but only those in the context of a third model a
technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Filter ltFilterEnumgt
The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant
Noncompliant or All results Valid values are Noncompliant Compliant or All The default value
is All
The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan
results You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet obtains
results from the default result repository
Required false
Position named
Page 52
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you
want to view scan results You can obtain valid values for the -SubModelId parameter by running
the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed Not all
models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceResultgt OR
SystemXmlXmlDocument (if -CollectedData specified)
If you do not use the -CollectedConfiguration parameter verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Results
2 Attempting to get MBCA results for Model Id = 0
3 Completed getting MBCA results for Model Id = 0 Number of Results = 1
If you add the -CollectedConfiguration parameter to display configuration data that was used for a
scan verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Configuration Data
2 Attempting to get MBCA collected configuration data for Model Id = 0
3 Completed getting MBCA collected configuration data for Model Id = 0
NOTES
The Get-MBCAResult cmdlet must be run by a member of the Administrators group and it does not
start a new scan
Cancellation behaviour
Single Model - To cancel this cmdlet you must press Ctrl+C before the ResultCollection is displayed
on the console The operation is cancelled and results are not displayed on the console
Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models
the cmdlet generates only those results that were displayed on the console before the cancellation
Any subsequent results in the pipeline are cancelled and not displayed
Page 53
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -Id SQL2008R2BPA
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id
-------------------------- EXAMPLE 2 --------------------------
Get-MBCAModel | Get-MBCAResult
In the preceding example Get-MBCAModel is used to return a list of all MBCA models that are
installed on the computer The results of the Get-MBCAModel cmdlet are piped to the Get-
MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both
supported by MBCA and installed on the computer at which the cmdlet is targeted
-------------------------- EXAMPLE 3 --------------------------
$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$resultDiscoveryDocument
Description
In the preceding example configuration data (in XML form) that was collected during the most recent
Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is
retrieved and stored as a property in the variable $result $resultDiscoveryDocument is of type
SystemXmlXmlDocument
-------------------------- EXAMPLE 4 --------------------------
Get-MBCAResult SQL2008R2BPA -Filter Noncompliant
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id and then applies a filter to show only Noncompliant
results
------------------------- EXAMPLE 5 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId Note that the parent model ID must be specified
to use the -SubModelId parameter
------------------------- EXAMPLE 6 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt -ComputerName ltServergt
-Context ltContext Model Idgt -RepositoryPath ltRepository Pathgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId The parent model ID is provided as required by
the -SubModelID parameter
The -Context parameter indicates that the administrator wants to see only those scan results that are in
the context of the model that is represented by Context Model Id for example only those results from
a SQL Server scan that specifically apply to another technology such as Web Server (IIS)
Page 54
The scan results are further narrowed to only those from a computer that is specified in the -
ComputerName parameter as Server and only those results found in the non-default results
repository that is represented by Repository Path
914 Set-MBCAResult
SYNOPSIS
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
SYNTAX
Set-MBCAResult [[-Exclude] ltBooleangt] [-Results] ltResultgtgt [[-
RepostitoryPath] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
The action specified in the cmdlet (Exclude for example) determines how the existing results of an
MBCA scan are updated Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet
to return a collection of scan results
You can apply filters to results that are returned by the Get-MBCAResult cmdlet and then pipe the
filtered collection of results to the Set-MBCAResult cmdlet specifying either to include or exclude
filtered scan results
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Exclude ltBooleangt
Excludes scan results from the results collection that were previously obtained by the Get-
MBCAResult command To exclude results by using the -Exclude parameter add the value $true
following the parameter as shown
-Exclude $true
To include results that have been excluded use the $false value for the -Exclude parameter
Required false
Position 2
Default value
Accept pipeline input false
Accept wildcard characters false
-RepostitoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet
modifies results from the default result repository
Required false
Page 55
Position 4
Default value
Accept pipeline input false
Accept wildcard characters false
-Results ltResultgtgt
Specifies the result collection to be updated by the Set-MBCAResult cmdlet The -Results
parameter is typically used to specify a filtered subset of scan results that has already been
stored in a variable the variable name is provided as the valid value for the -Results parameter
For example if you have created a variable $allPerformance to store all the Performance
category results for an MBCA scan of all models on a computer and you want to exclude those
Performance results from the complete collection of scan results you add the parameter -Results
$all Performance to a Set-MBCAResult cmdlet
For a more detailed example see the Examples section of the Help for this cmdlet
Required true
Position 3
Default value
Accept pipeline input true (ByValue)
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type ldquoget-
help about_commonparameters
NOTES
If the Set-MBCAResult command is cancelled before the results are written to a file the operation is
cancelled and the results file is not modified If cancellation occurs after the results file has been
modified the commands actions are carried out and the command cannot be cancelled
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -ModelId SQL2008R2BPA | Where $_Category -eq
Performance | Set-MBCAResult -Exclude $true
Description
The first section of the preceding example to the left of the first pipe character (|) uses the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is
represented by Model Id
The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those
scan results for which the category name is equal to Performance
The final section of the example following the second pipe character excludes the Performance
results that were filtered by the previous section of the example
-------------------------- EXAMPLE 2 --------------------------
$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath
CReposPath | Where $_Category -eq Policy
Page 56
Set-MBCAResult -Exclude $true -RepositoryPath CReposPath -Results
$rcPolicy
Description
The first line of the preceding example to the left of the pipe character (|) instructs the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is
represented by Specified Model Id from the specified non-default repository path
The second section of the example after the pipe character filters the results of the Get-MBCAResult
cmdlet to return only those scan results for which the category name is equal to (note the -eq option)
Policy The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet this
variable can be used in subsequent commands to represent those results
The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that
are stored in the $rcPolicy variable In this example the -Results parameter is added because the
administrator wants to exclude a specific subset of scan results for that model and has created the
variable $rcPolicy to represent that subset of results The repository root is specified in the second line
because the administrator wants to modify the results in the same non-default repository from which
the data in $rcPolicy was retrieved
915 MBCA Model Authoring
Further information about configuration and usage of MBCA models you can in the
MBCA_ModelAuthoringGuidedocx
Page 57
Did this paper help you Please give us your feedback Tell us on a scale of 1 (poor) to 5 (excellent)
how would you rate this paper and why have you given it this rating For example
Are you rating it high due to having good examples excellent screen shots clear writing or
another reason
Are you rating it low due to poor examples fuzzy screen shots or unclear writing
This feedback will help us improve the quality of white papers we release
Send feedback
Page 33
6 RULES
Searching for ldquoSQL Server 20087 R2 BPArdquo at Microsoftcom reveals
Here is an example of one of these articles that talks about a rule to check for a recent ldquocleanrdquo
CHECKDB
Page 34
BPA works by measuring a rolersquos compliance with best practice rules in eight different categories of a
rolersquos effectiveness trustworthiness and reliability Results of measurements can be any of the three
severity levels described in the following table
Severity level Description
Noncompliant Noncompliant results are returned when a role does not satisfy the conditions of a rule
Compliant Compliant results are returned when a role satisfies the conditions of a rule
Warning Warning results are returned when a role is compliant as operating currently but may not satisfy the conditions of a
rule if changes are not made to its configuration or policy settings For example a scan of Remote Desktop Services
might show a warning result if a license server is unavailable to the role because even if no remote connections are
active at the time of the scan not having the license server prevents new remote connections from obtaining valid
client access licenses
Page 35
BPA rule categories
The following table describes the categories of best practice rules against which roles are measured
during a BPA scan
Category Name Description
Security Security rules are applied to measure a rolersquos relative risk for exposure to threats such as unauthorized or malicious
users or loss or theft of confidential or proprietary data
Performance Performance rules are applied to measure a rolersquos ability to process requests and perform its prescribed duties in
the enterprise within expected periods of time given the rolersquos workload
Configuration Configuration rules are applied to identify role settings that might require modification for the role to perform
optimally Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role
from performing its prescribed duties in an enterprise
Policy Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the
role to operate optimally and securely
Operation Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise
Predeployment Predeployment rules are applied before an installed role is deployed in the enterprise to let administrators to
evaluate whether best practices were satisfied before you use the role in production
Postdeployment Postdeployment rules are applied after all required services have started for a role and the role is running in the
enterprise
BPA Prerequisites BPA Prerequisite rules explain configuration settings policy settings and features that are required for the role
before BPA can apply specific rules from other categories A prerequisite in scan results indicates that an incorrect
setting a missing role role service or feature an incorrectly enabled or disabled policy a registry key setting or
other configuration has prevented BPA from applying one or more rules during a scan A prerequisite result does
not imply compliance or noncompliance It means that a rule could not be applied and therefore is not part of the
scan results
61 Engine Rules
Please find below a summary of the 74 Engine Rules with the links to the rule descriptions These rules
are checking that you have a secure resilient and well performing SQL configuration
Authentication Mode (httpsupportmicrosoftcomkb2028697)
Lightweight Pooling is enabled (httpsupportmicrosoftcomkb2160691)
Locks Configuration Not Dynamic (httpsupportmicrosoftcomkb2199576)
non-default network packet size in use (httpsupportmicrosoftcomkb2157175)
degree of parallelism not set to recommended value (httpsupportmicrosoftcomkb2023536)
Use Database Mail instead of SQL Mail (httpsupportmicrosoftcomkb2028584)
SQL Server Agent Proxy Account (httpsupportmicrosoftcomkb2160741)
SQL Login Password Policy Strength and password expiry
(httpsupportmicrosoftcomkb2028712)
Trustworthy Bit (httpsupportmicrosoftcomkb2183687)
Symmetric Keys Check (httpsupportmicrosoftcomkb2162020)
Asymmetric Keys Check (httpsupportmicrosoftcomkb2162020)
SQL Server installed on PDC BDC (httpsupportmicrosoftcomkb2032911)
Page 36
SQL Server Admin role membership check (httpsupportmicrosoftcomkb2184138)
Windows API calls intercepted (httpsupportmicrosoftcomkb2033238)
unsupported DotNET framework assemblies present (httpsupportmicrosoftcomkb2033344)
Disk partition starting offset may be incorrect (httpsupportmicrosoftcomkb2023571)
non-default max worker threads value configured (httpsupportmicrosoftcomkb2157129)
Guest Permissions (httpsupportmicrosoftcomkb2186935)
Data and Log files on the same volume (httpsupportmicrosoftcomkb2033523)
IO timeouts and IO controller errors detected (httpsupportmicrosoftcomkb2091098)
IO device errors detected (httpsupportmicrosoftcomkb2091098)
IO errors during page faults detected (httpsupportmicrosoftcomkb2091098)
cluster disk corruption encountered (httpsupportmicrosoftcomkb2091098)
disk defragmentation encountered corruption (httpsupportmicrosoftcomkb2091098)
failed IO requests detected (httpsupportmicrosoftcomkb2091098)
IO requests are successful when retried (httpsupportmicrosoftcomkb2015757)
IO Delay Problems reported by SQL Server (httpsupportmicrosoftcomkb2137408)
This system experienced unexpected shutdowns (httpsupportmicrosoftcomkb2091098)
tempdb corruption errors fix missing (httpsupportmicrosoftcomkb960770)
Critical SQL database inconsistency errors found (httpsupportmicrosoftcomkb2152734)
Logical consistency errors detected (httpsupportmicrosoftcomkb2152472)
Database have auto shrink option enabled (httpsupportmicrosoftcomkb2160663)
SQL Server Error logs are very big (httpsupportmicrosoftcomkb2199578)
incorrect affinity mask settings detected httpsupportmicrosoftcomkb2157114
Very low blocked process threshold setting detected httpsupportmicrosoftcomkb2157154
Potential security issue with legacy DTS stored procedures
httpsupportmicrosoftcomkb2202875
Winsock LSP loaded into SQL httpsupportmicrosoftcomkb2033448
Databases using simple recovery model httpsupportmicrosoftcomkb2137539
User database collation different from model httpsupportmicrosoftcomkb2026108
Database files and backups exist on the same volume httpsupportmicrosoftcomkb2027537
Databases have auto close option enabled httpsupportmicrosoftcomkb2160685
LSI SAS drivers needs update httpsupportmicrosoftcomkb2121098
SQL tempdb database not configured optimally httpsupportmicrosoftcomkb2154845
SQL Database file has sparse attribute set httpsupportmicrosoftcomkb2028447
Invalid startup parameters httpsupportmicrosoftcomkb2028433
MSDTC settings not configured optimally httpsupportmicrosoftcomkb2027550
sql incorrect results fix missing httpsupportmicrosoftcomkb971780
File System needs tuning for better FileStream performance
httpsupportmicrosoftcomkb2160002
linked server memory leak fix missing httpsupportmicrosoftcomkb971622EN-US
Windows service pack is not at recommended level httpsupportmicrosoftcomkb2121098
default extended event health session not in expected state
httpsupportmicrosoftcomkb2160570
TcpSysAndChimneyCheck httpsupportmicrosoftcomKB918483
FDHOST Launcher service is not configured properly httpsupportmicrosoftcomkb2160720
Unrecommended SQL Server Agent service account httpsupportmicrosoftcomkb2160720
A required Windows fix to avoid sparse file related problems is missing
httpsupportmicrosoftcomkb2002606
Page 37
Significant Portion of SQL Server Memory Has Been Paged Out
httpsupportmicrosoftcomkb2028324
Server Exception or Hang Detected on Server httpsupportmicrosoftcomkb2028589
Databases exist without CHECKSUM protection httpsupportmicrosoftcomkb2078345
backups outdated for databases httpsupportmicrosoftcomkb2027537
Database consistency check not current httpsupportmicrosoftcomkb2033590
SQL Server Memory settings are incorrect httpsupportmicrosoftcomKB918483EN-US
Autogrow Failed or took a long time httpsupportmicrosoftcomkb2091024
Storport driver fix from KBA 940467 missing httpsupportmicrosoftcomkb2121098
Storport driver fix from KBA 950903 missing httpsupportmicrosoftcomkb2121098
SQLCLR needs additional memory configuration httpsupportmicrosoftcomkb969962EN-US
Operating System files and drivers needs update for working set trimming
httpsupportmicrosoftcomkb2121098
Agent Token Replacement httpsupportmicrosoftcomkb2202637
Auditing Log in failures httpsupportmicrosoftcomkb2187161
Databases with high number of VLF present httpsupportmicrosoftcomkb2028436
Transparent Data Encryption Certificate httpsupportmicrosoftcomkb2201900
Permission on the Binn folder httpsupportmicrosoftcomkb2029023
Index Statistics Are Outdated
Server public permissions httpsupportmicrosoftcomkb2160698
Detected use of older versions of SQLNCLI httpsupportmicrosoftcomkb979779
62 AS Rules
Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions
Flight Recorder Enabled for SQL Server Analysis Services
httpsupportmicrosoftcomkb2128005
Excessive amount of memory preallocated to Analysis Services
httpsupportmicrosoftcomkb2027474
Server not configured for optimal concurrent query throughput
httpsupportmicrosoftcomkb2135031
Non standard value detected for Analysis Services memory configuration
httpsupportmicrosoftcomkb2027472
Process Thread Pool Max limit above recommended limit
httpsupportmicrosoftcomkb2134497
Process Thread Pool Minimum is below the recommended limit
httpsupportmicrosoftcomkb2134855
Server is running a build with a known regression httpsupportmicrosoftcomkb2157941
Slice not set on a ROLAP partition or a partition where proactive caching is enabled and
ROLAP storage ay occur httpsupportmicrosoftcomkb2027754
Server is ignoring duplicate key errors httpsupportmicrosoftcomkb2027761
No default member defined for non-aggregatable attribute
httpsupportmicrosoftcomkb2027769
UnknownMember set to hidden httpsupportmicrosoftcomkb2027628
Non-numeric key column for high cardinality attribute httpsupportmicrosoftcomkb2028138
Attribute hiearchy enabled for high cardinality non-key attribute
httpsupportmicrosoftcomkb2028143
ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition
detected httpsupportmicrosoftcomkb2132742
Page 38
Account or Time attribute types defined in a non-matching dimension type
httpsupportmicrosoftcomkb2157299
An Account or Time dimension has no matching attribute defined
httpsupportmicrosoftcomkb2027418
Dimension has no attribute defined with the same type
httpsupportmicrosoftcomkb2027443
Attribute Dimension type mismatch httpsupportmicrosoftcomkb2157327
Mismatched dimension attribute types detected in dimension
httpsupportmicrosoftcomkb2027459
Possible incorrect order of levels defined in hierarchy httpsupportmicrosoftcomkb2027460
Define attribute relationships as Rigid where possible httpsupportmicrosoftcomkb2027468
Redundant attribute relationships detected httpsupportmicrosoftcomkb2127437
Diamond-shape relationship detected httpsupportmicrosoftcomkb2127570
Non-Standard Attribute Relationship name detected httpsupportmicrosoftcomkb2127862
Proactive Caching set for dimension without a processing query
httpsupportmicrosoftcomkb2027541
No Time dimension detected httpsupportmicrosoftcomkb2027532
More than 3 parent-child dimensions with custom rollups defined
httpsupportmicrosoftcomkb2134431
Encountered a parent-child dimension with more than 500000 members
httpsupportmicrosoftcomkb2131918
Single attribute dimensions detected httpsupportmicrosoftcomkb2141654
Measure groups with zero dimensional overlap detected in cube
httpsupportmicrosoftcomkb2027609
Proactive Caching set for a partition without a processing query
Default measure for perspective not in the perspective
httpsupportmicrosoftcomkb2027603
Use MOLAP storage for dimensions that participate in semi-additive measure groups
httpsupportmicrosoftcomkb2135112
Measure group defined with no partition httpsupportmicrosoftcomkb2027545
63 RS Rules
RSWindowsNegotiate is missing from your configuration
httpsupportmicrosoftcomkb2145506
HTTP Logging is not enabled httpsupportmicrosoftcomkb2145909
Verbose logging is enabled httpsupportmicrosoftcomkb2146315
NTLM authentication may fail for local httpsupportmicrosoftcomkb2146369
Missing extended protection settings httpsupportmicrosoftcomkb2146062
64 IS Rules
Logging task missing for package httpsupportmicrosoftcomkb2027723
ActiveX Script task detected in package httpsupportmicrosoftcomkb2027712
Unrecommended Integration Services service account detected
httpsupportmicrosoftcomkb2027684
Integration Services logging table found in system database master and or msdb
httpsupportmicrosoftcomkb2027706
Integration Services memory dump detected httpsupportmicrosoftcomkb2027727
Page 39
65 Setup Rules
Unsupported Operating System Version Detected httpsupportmicrosoftcomkb2022909
WOW64 not supported for SQL Failover Clustering httpsupportmicrosoftcomkb2157198
Installer cache is missing for the SQL Installation httpsupportmicrosoftcomkb2015100
SQL Server WMI Provider Health Check
66 Replication Rules
Replication Timeout Alerts Type httpsupportmicrosoftcomkb2118349
Replication Pub and Sub out of sync (Data Validation) httpsupportmicrosoftcomkb2118386
Replication Pub and Sub out of sync (Constraint Violations)
httpsupportmicrosoftcomkb2118410
Replication Pub and Sub out of sync (Skipped Transactions)
httpsupportmicrosoftcomkb2194498
Merge Replication Health Check httpsupportmicrosoftcomkb2118445
Subscriptions Approaching Expiration httpgomicrosoftcomfwlinkLinkId=184483
Replication Cleanup and Retention Health Check httpsupportmicrosoftcomkb2118485
Replication Latency Threshold violations httpsupportmicrosoftcomkb2118425
Page 40
7 HOW TO DEAL WITH DEVIATIONS
Deviations from these Best Practices may indicate potential issues and configuration changes may be
necessary Make sure you have tested any intended changes in a test environment before deploying
them to a production environment You could also find deviations from Best Practices that are
acceptable or even necessary for your environment For example
SAP has its special Network Packet Size of 8 KB
Existing Non-Microsoft Clients ndash would require Mixed Mode Authentication
Page 41
8 MOTIVATION TO USE SQL BPA R2
Bob Ward explained in his Article ldquoWhy use SQL Server 2008 R2 BPA Case 1 Missing Updatesrdquo
the common pitfalls during maintenance and operation of SQL Server and how address them by using
the SQL BPA
In brief itrsquos a customer scenario where the customer is facing an issue after a major update to
SQL2008 After some troubleshooting and an update to a certain CU (that is meant to fix the issue) the
problem still occurs Bobs article states the common resulting consequences ndash the involvement of
Microsoft Support and the final solution ndash adding a needed traceflag
The good news in this story is that the customer would not have needed to go to all that effort if they
would have run the SQL BPA It would have told them about the update and instructed them to put the
traceflag in place BPA is a mechanism that proactively advises you and instructs you on dealing with
common known issues
Page 42
9 ADDITIONAL INFORMATION
91 PowerShell
To use the functionality of the Baseline Configuration Analyzer with PowerShell you must import this
module first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
The following commands are stored in this module
Get-MbcaModel
Get-MbcaResult
Invoke-MbcaModel
Set-MbcaResult
You get help of this command with the following syntax
Get-help ltcommandgt -full
911 Get-MBCAModel
SYNOPSIS
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer
SYNTAX
Get-MBCAModel [[-ModelId] ltstring[]gt] [[-SubModelId] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer If no parameter is
specified Get-MBCAModel returns all models that are installed on the computer If a model is specified
by using the -ModelId parameter information about the specified model is returned
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
The results of the Get-MBCAModel cmdlet include the following details about models
1 Branding information (manufacturer or company display names version number) that is found in
the model manifest
2 Dynamic parameters that are included with the model
3 Submodels that are included with the model
PARAMETERS
-ModelId ltstring[]gt
The -ModelId parameter specifies the ID of the MBCA model about which you want to view
details You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet with no parameters and targeted at a computer on which MBCA models are installed
Page 43
This parameter supports wild card characters
Required false
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you
want to view details You can obtain valid values for the -SubModelId parameter by running the
Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models
are installed Not all models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
Examples
Get-MBCAModel
In the preceding example Get-MBCAModel with no parameters added returns details about all MBCA
models that are installed on the computer
Get-MBCAModel -ModelId SQL2008R2BPA
The preceding example can be used to return details about the MBCA model that is specified in the -
ModelId parameter represented by Model Id
$model= Get-MBCAModel -ModelId SQL2008R2BPA
$modelParameters
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the Parameters property of the model details that were stored in the
$model object returns details about which parameters are supported by the model
Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId ltSubModel Idgt
The preceding example can be used to return details about the MBCA sub-model that is specified by
the -SubModelId parameter represented by SubModel Id Note that the -ModelId parameter is
required by the -SubModelId parameter
$model= Get-MBCAModel -ModelId SQL2008R2BPA
Page 44
$modelSubModels
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the SubModels property of the model details that were stored in the
$model object returns a list of the submodels of the model specified in the first line
912 Invoke-MBCAModel
SYNOPSIS
The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA)
scan for a specific model that is installed on your computer
SYNTAX
Invoke-MBCAModel [-ModelId] ltstringgt -SubModelId ltstringgt [-Authentication
ltAuthenticationMechanismgt] [-CertificateThumbprint ltstringgt] [-ComputerName
ltstring[]gt] [-ConfigurationName ltstringgt] [-Context ltstringgt] [-Credential
ltstringgt] [-Mode ltModeEnumgt] [-Port ltintgt] [-RepositoryPath ltstringgt] [-
ThrottleLimit ltintgt] [-UseSSL] [ltCommonParametersgt]
DESCRIPTION
The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer
(MBCA) scan for a specific model that is installed on your computer The model is specified either by
using the parameter -ModelId or by piping the results of the Get-MBCAModel cmdlet into an Invoke-
MBCAMode cmdlet
After the MBCA scan has been performed the results of the scan are available to be retrieved by Get-
MBCAResult cmdlet
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Authentication ltAuthenticationMechanismgt
Specifies the authentication mechanism that is used to authenticate the users credentials Valid
values include Default Basic CredSSP Digest Kerberos Negotiate and
NegotiateWithImplicitCredential The default value is Default
For more information about the -Authentication parameter type the following and then press
Enter
Get-Help Invoke-Command -Parameter Authentication
Required false
Position named
Default value Default
Accept pipeline input false
Accept wildcard characters false
-CertificateThumbprint ltstringgt
Page 45
Specifies the digital public key certificate (X509) of a user account that has rights to perform the
cmdlet action The valid value is the certificate thumbprint of the certificate
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Certificate Thumbprint
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific
computer by adding this parameter Valid values include NETBOS names IP addresses or fully-
qualified domain names of one or more computers in a comma-separated list To specify the local
computer type the computer name or localhost
All formats that are accepted by the -ComputerName parameter in Invoke-Command are
accepted
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ConfigurationName ltstringgt
Specifies the session configuration that is used for a new PSSession
Enter a configuration name or the fully-qualified resource URI for a session configuration
Session configuration data is found on the remote computer on which you want to run a cmdlet
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ConfigurationName
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
The -Context parameter lets you run scans on a submodel in the context of a specific model (one
that is different from the parent model of the submodel) For example an administrator might
want to run a scan on the Backend submodel of the SQL model but only those in the context
of a third model a technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
Page 46
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Credential ltstringgt
Specifies a user account that has permission to run this cmdlet The default value is the current
user
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Credential
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Mode ltModeEnumgt
The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered
documents or discovery The default is to perform both discovery and analysis or All
If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet both discovery and
analysis are performed during a scan
Valid values are Discovery Analysis and All
Required false
Position named
Default value All
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model that you want to scan You can
obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at
a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
Page 47
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-Port ltintgt
Specifies the network port on a remote computer on which you want to run a scan The default
value is port 80
For more information on this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Port
Required false
Position named
Default value 80
Accept pipeline input false
Accept wildcard characters false
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a pathname If the parameter is not used the cmdlet writes
results to the default result repository
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to
scan You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed Not all models have
submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ThrottleLimit ltintgt
Specifies the maximum number of concurrent connections that can be established to run the
cmdlet If you omit this parameter or enter a value of 0 the default value of 32 is used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ThrottleLimit
Required false
Page 48
Position named
Default value 32
Accept pipeline input false
Accept wildcard characters false
-UseSSL [ltSwitchParametergt]
Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer
By default SSL is not used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter UseSSL
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceInvokeBpaModelOutputgt
The output object encapsulates the results of the cmdlet that you entered It contains information such
as the MBCA model ID the success or failure of the cmdlet and other details
NOTES
If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C)
before the temporary results file is copied to its final location the temporary file is discarded and any
previous scan results file for the role are preserved The message Processing of Invoke-MBCAModel
cancelled by user is displayed if the command is cancelled before existing scan results files are
overwritten
If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel
cmdlet and the command is cancelled scans that were completed before the cancel command was
entered cannot be cancelled A scan in progress behaves as described above in the single-model scan
cancellation scenario Subsequent scans in the pipeline are cancelled
If a concurrent scan of the same model is attempted the cmdlet returns the following error message
Another scan for this MBCA model is in progress Only one scan is allowed at a time
-------------------------- EXAMPLE 1 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA
Description
The preceding example starts a MBCA scan on the model that is represented by ltModel Idgt
-------------------------- EXAMPLE 2 --------------------------
Page 49
Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name
redmondmicrosoftcom
Description
The preceding example starts an MBCA scan on the model ID that is specified by Model Id
The administrator starts the MBCA scan with additional model-specific parameters that are exposed by
the model (For an example of how to obtain model-specific parameters see the examples for the Get-
MBCAModel cmdlet)
For example to scan a model that requires model-specific parameters (such as -Scope and -Name) to
be passed to the command the administrator can specify the values of these model-specific
parameters with the Invoke-MBCAModel cmdlet
-------------------------- EXAMPLE 3 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The
cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion
of the scan
-------------------------- EXAMPLE 4 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath
ltRepository Pathgt
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The -
Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on
existing documents that are specified in the non-default repository path provided with the -Repository
Path parameter
-------------------------- EXAMPLE 5 --------------------------
Invoke-MBCAModel -Id ltModel Idgt -SubModelId ltSubModel Idgt -ComputerName
ltServergt -Context ltContext Model Idgt -RepositoryPath ltRespository Pathgt -
AsJob -Authentication ltAuthenticatonMechanismgt -Port ltPort Numbergt -UseSSL -
ThrottleLimit ltThrottle Limitgt
Description
The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id
and on the computer that is represented by Server
Because the administrator only wants to see results from the submodel that apply in the context of a
third model the administrator runs the scan within the context of the model ID that is specified in the -
Context parameter The cmdlet results are saved to the non-default repository path that is specified in
the -RepositoryPath parameter
Because the -AsJob parameter is added the scan runs in the background The -AsJob -
Authentication -Port -UseSSL and -ThrottleLimit parameters are passed through for use by the
Invoke-Command cmdlet to perform discovery on a remote computer For more information about
these parameters see the Help for the Invoke-Command cmdlet available in Windows PowerShell V2
913 Get-MBCAResult
SYNOPSIS
Page 50
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
SYNTAX
Get-MBCAResult [-ModelId] ltstringgt [[-CollectedConfiguration]] -SubModelId
ltstringgt [-ComputerName ltstring[]gt] [-Context ltstringgt] [-Filter
ltFilterEnumgt] [-RepositoryPath ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
To use the command add the -ModelId parameter and then specify the model ID for which you want
to view the most recent MBCA scan results or collected configuration data If you want to retrieve the
configuration data collected add the -CollectedConfiguration switch parameter
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-CollectedConfiguration [ltSwitchParametergt]
The -CollectedConfiguration parameter allows you to obtain the configuration data that was
collected for the most recent MBCA scan If this switch parameter is added to Get-MBCAResults
the cmdlet returns only the configuration data that was collected for a scan
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The -ComputerName parameter lets you obtain scan results that were collected for the most
recent MBCA scan of a submodel on a specific computer To specify the local computer type the
computer name or localhost Multiple values for -ComputerName can be separated by
commas
The -SubModelId parameter is required by the -ComputerName parameter
Valid values for the -ComputerName parameter include localhost a NET BIOS name an IP
address or a fully-qualified domain name (FQDN) of one or more computers in a comma-
separated list
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
Page 51
The -Context parameter lets you obtain scan results that were collected for the most recent
MBCA scan of a submodel in the context of a specific model (one that is different from the parent
model of the submodel) For example an administrator might want to display scan results for the
Backend submodel of the SQL model but only those in the context of a third model a
technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Filter ltFilterEnumgt
The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant
Noncompliant or All results Valid values are Noncompliant Compliant or All The default value
is All
The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan
results You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet obtains
results from the default result repository
Required false
Position named
Page 52
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you
want to view scan results You can obtain valid values for the -SubModelId parameter by running
the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed Not all
models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceResultgt OR
SystemXmlXmlDocument (if -CollectedData specified)
If you do not use the -CollectedConfiguration parameter verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Results
2 Attempting to get MBCA results for Model Id = 0
3 Completed getting MBCA results for Model Id = 0 Number of Results = 1
If you add the -CollectedConfiguration parameter to display configuration data that was used for a
scan verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Configuration Data
2 Attempting to get MBCA collected configuration data for Model Id = 0
3 Completed getting MBCA collected configuration data for Model Id = 0
NOTES
The Get-MBCAResult cmdlet must be run by a member of the Administrators group and it does not
start a new scan
Cancellation behaviour
Single Model - To cancel this cmdlet you must press Ctrl+C before the ResultCollection is displayed
on the console The operation is cancelled and results are not displayed on the console
Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models
the cmdlet generates only those results that were displayed on the console before the cancellation
Any subsequent results in the pipeline are cancelled and not displayed
Page 53
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -Id SQL2008R2BPA
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id
-------------------------- EXAMPLE 2 --------------------------
Get-MBCAModel | Get-MBCAResult
In the preceding example Get-MBCAModel is used to return a list of all MBCA models that are
installed on the computer The results of the Get-MBCAModel cmdlet are piped to the Get-
MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both
supported by MBCA and installed on the computer at which the cmdlet is targeted
-------------------------- EXAMPLE 3 --------------------------
$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$resultDiscoveryDocument
Description
In the preceding example configuration data (in XML form) that was collected during the most recent
Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is
retrieved and stored as a property in the variable $result $resultDiscoveryDocument is of type
SystemXmlXmlDocument
-------------------------- EXAMPLE 4 --------------------------
Get-MBCAResult SQL2008R2BPA -Filter Noncompliant
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id and then applies a filter to show only Noncompliant
results
------------------------- EXAMPLE 5 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId Note that the parent model ID must be specified
to use the -SubModelId parameter
------------------------- EXAMPLE 6 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt -ComputerName ltServergt
-Context ltContext Model Idgt -RepositoryPath ltRepository Pathgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId The parent model ID is provided as required by
the -SubModelID parameter
The -Context parameter indicates that the administrator wants to see only those scan results that are in
the context of the model that is represented by Context Model Id for example only those results from
a SQL Server scan that specifically apply to another technology such as Web Server (IIS)
Page 54
The scan results are further narrowed to only those from a computer that is specified in the -
ComputerName parameter as Server and only those results found in the non-default results
repository that is represented by Repository Path
914 Set-MBCAResult
SYNOPSIS
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
SYNTAX
Set-MBCAResult [[-Exclude] ltBooleangt] [-Results] ltResultgtgt [[-
RepostitoryPath] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
The action specified in the cmdlet (Exclude for example) determines how the existing results of an
MBCA scan are updated Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet
to return a collection of scan results
You can apply filters to results that are returned by the Get-MBCAResult cmdlet and then pipe the
filtered collection of results to the Set-MBCAResult cmdlet specifying either to include or exclude
filtered scan results
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Exclude ltBooleangt
Excludes scan results from the results collection that were previously obtained by the Get-
MBCAResult command To exclude results by using the -Exclude parameter add the value $true
following the parameter as shown
-Exclude $true
To include results that have been excluded use the $false value for the -Exclude parameter
Required false
Position 2
Default value
Accept pipeline input false
Accept wildcard characters false
-RepostitoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet
modifies results from the default result repository
Required false
Page 55
Position 4
Default value
Accept pipeline input false
Accept wildcard characters false
-Results ltResultgtgt
Specifies the result collection to be updated by the Set-MBCAResult cmdlet The -Results
parameter is typically used to specify a filtered subset of scan results that has already been
stored in a variable the variable name is provided as the valid value for the -Results parameter
For example if you have created a variable $allPerformance to store all the Performance
category results for an MBCA scan of all models on a computer and you want to exclude those
Performance results from the complete collection of scan results you add the parameter -Results
$all Performance to a Set-MBCAResult cmdlet
For a more detailed example see the Examples section of the Help for this cmdlet
Required true
Position 3
Default value
Accept pipeline input true (ByValue)
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type ldquoget-
help about_commonparameters
NOTES
If the Set-MBCAResult command is cancelled before the results are written to a file the operation is
cancelled and the results file is not modified If cancellation occurs after the results file has been
modified the commands actions are carried out and the command cannot be cancelled
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -ModelId SQL2008R2BPA | Where $_Category -eq
Performance | Set-MBCAResult -Exclude $true
Description
The first section of the preceding example to the left of the first pipe character (|) uses the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is
represented by Model Id
The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those
scan results for which the category name is equal to Performance
The final section of the example following the second pipe character excludes the Performance
results that were filtered by the previous section of the example
-------------------------- EXAMPLE 2 --------------------------
$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath
CReposPath | Where $_Category -eq Policy
Page 56
Set-MBCAResult -Exclude $true -RepositoryPath CReposPath -Results
$rcPolicy
Description
The first line of the preceding example to the left of the pipe character (|) instructs the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is
represented by Specified Model Id from the specified non-default repository path
The second section of the example after the pipe character filters the results of the Get-MBCAResult
cmdlet to return only those scan results for which the category name is equal to (note the -eq option)
Policy The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet this
variable can be used in subsequent commands to represent those results
The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that
are stored in the $rcPolicy variable In this example the -Results parameter is added because the
administrator wants to exclude a specific subset of scan results for that model and has created the
variable $rcPolicy to represent that subset of results The repository root is specified in the second line
because the administrator wants to modify the results in the same non-default repository from which
the data in $rcPolicy was retrieved
915 MBCA Model Authoring
Further information about configuration and usage of MBCA models you can in the
MBCA_ModelAuthoringGuidedocx
Page 57
Did this paper help you Please give us your feedback Tell us on a scale of 1 (poor) to 5 (excellent)
how would you rate this paper and why have you given it this rating For example
Are you rating it high due to having good examples excellent screen shots clear writing or
another reason
Are you rating it low due to poor examples fuzzy screen shots or unclear writing
This feedback will help us improve the quality of white papers we release
Send feedback
Page 34
BPA works by measuring a rolersquos compliance with best practice rules in eight different categories of a
rolersquos effectiveness trustworthiness and reliability Results of measurements can be any of the three
severity levels described in the following table
Severity level Description
Noncompliant Noncompliant results are returned when a role does not satisfy the conditions of a rule
Compliant Compliant results are returned when a role satisfies the conditions of a rule
Warning Warning results are returned when a role is compliant as operating currently but may not satisfy the conditions of a
rule if changes are not made to its configuration or policy settings For example a scan of Remote Desktop Services
might show a warning result if a license server is unavailable to the role because even if no remote connections are
active at the time of the scan not having the license server prevents new remote connections from obtaining valid
client access licenses
Page 35
BPA rule categories
The following table describes the categories of best practice rules against which roles are measured
during a BPA scan
Category Name Description
Security Security rules are applied to measure a rolersquos relative risk for exposure to threats such as unauthorized or malicious
users or loss or theft of confidential or proprietary data
Performance Performance rules are applied to measure a rolersquos ability to process requests and perform its prescribed duties in
the enterprise within expected periods of time given the rolersquos workload
Configuration Configuration rules are applied to identify role settings that might require modification for the role to perform
optimally Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role
from performing its prescribed duties in an enterprise
Policy Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the
role to operate optimally and securely
Operation Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise
Predeployment Predeployment rules are applied before an installed role is deployed in the enterprise to let administrators to
evaluate whether best practices were satisfied before you use the role in production
Postdeployment Postdeployment rules are applied after all required services have started for a role and the role is running in the
enterprise
BPA Prerequisites BPA Prerequisite rules explain configuration settings policy settings and features that are required for the role
before BPA can apply specific rules from other categories A prerequisite in scan results indicates that an incorrect
setting a missing role role service or feature an incorrectly enabled or disabled policy a registry key setting or
other configuration has prevented BPA from applying one or more rules during a scan A prerequisite result does
not imply compliance or noncompliance It means that a rule could not be applied and therefore is not part of the
scan results
61 Engine Rules
Please find below a summary of the 74 Engine Rules with the links to the rule descriptions These rules
are checking that you have a secure resilient and well performing SQL configuration
Authentication Mode (httpsupportmicrosoftcomkb2028697)
Lightweight Pooling is enabled (httpsupportmicrosoftcomkb2160691)
Locks Configuration Not Dynamic (httpsupportmicrosoftcomkb2199576)
non-default network packet size in use (httpsupportmicrosoftcomkb2157175)
degree of parallelism not set to recommended value (httpsupportmicrosoftcomkb2023536)
Use Database Mail instead of SQL Mail (httpsupportmicrosoftcomkb2028584)
SQL Server Agent Proxy Account (httpsupportmicrosoftcomkb2160741)
SQL Login Password Policy Strength and password expiry
(httpsupportmicrosoftcomkb2028712)
Trustworthy Bit (httpsupportmicrosoftcomkb2183687)
Symmetric Keys Check (httpsupportmicrosoftcomkb2162020)
Asymmetric Keys Check (httpsupportmicrosoftcomkb2162020)
SQL Server installed on PDC BDC (httpsupportmicrosoftcomkb2032911)
Page 36
SQL Server Admin role membership check (httpsupportmicrosoftcomkb2184138)
Windows API calls intercepted (httpsupportmicrosoftcomkb2033238)
unsupported DotNET framework assemblies present (httpsupportmicrosoftcomkb2033344)
Disk partition starting offset may be incorrect (httpsupportmicrosoftcomkb2023571)
non-default max worker threads value configured (httpsupportmicrosoftcomkb2157129)
Guest Permissions (httpsupportmicrosoftcomkb2186935)
Data and Log files on the same volume (httpsupportmicrosoftcomkb2033523)
IO timeouts and IO controller errors detected (httpsupportmicrosoftcomkb2091098)
IO device errors detected (httpsupportmicrosoftcomkb2091098)
IO errors during page faults detected (httpsupportmicrosoftcomkb2091098)
cluster disk corruption encountered (httpsupportmicrosoftcomkb2091098)
disk defragmentation encountered corruption (httpsupportmicrosoftcomkb2091098)
failed IO requests detected (httpsupportmicrosoftcomkb2091098)
IO requests are successful when retried (httpsupportmicrosoftcomkb2015757)
IO Delay Problems reported by SQL Server (httpsupportmicrosoftcomkb2137408)
This system experienced unexpected shutdowns (httpsupportmicrosoftcomkb2091098)
tempdb corruption errors fix missing (httpsupportmicrosoftcomkb960770)
Critical SQL database inconsistency errors found (httpsupportmicrosoftcomkb2152734)
Logical consistency errors detected (httpsupportmicrosoftcomkb2152472)
Database have auto shrink option enabled (httpsupportmicrosoftcomkb2160663)
SQL Server Error logs are very big (httpsupportmicrosoftcomkb2199578)
incorrect affinity mask settings detected httpsupportmicrosoftcomkb2157114
Very low blocked process threshold setting detected httpsupportmicrosoftcomkb2157154
Potential security issue with legacy DTS stored procedures
httpsupportmicrosoftcomkb2202875
Winsock LSP loaded into SQL httpsupportmicrosoftcomkb2033448
Databases using simple recovery model httpsupportmicrosoftcomkb2137539
User database collation different from model httpsupportmicrosoftcomkb2026108
Database files and backups exist on the same volume httpsupportmicrosoftcomkb2027537
Databases have auto close option enabled httpsupportmicrosoftcomkb2160685
LSI SAS drivers needs update httpsupportmicrosoftcomkb2121098
SQL tempdb database not configured optimally httpsupportmicrosoftcomkb2154845
SQL Database file has sparse attribute set httpsupportmicrosoftcomkb2028447
Invalid startup parameters httpsupportmicrosoftcomkb2028433
MSDTC settings not configured optimally httpsupportmicrosoftcomkb2027550
sql incorrect results fix missing httpsupportmicrosoftcomkb971780
File System needs tuning for better FileStream performance
httpsupportmicrosoftcomkb2160002
linked server memory leak fix missing httpsupportmicrosoftcomkb971622EN-US
Windows service pack is not at recommended level httpsupportmicrosoftcomkb2121098
default extended event health session not in expected state
httpsupportmicrosoftcomkb2160570
TcpSysAndChimneyCheck httpsupportmicrosoftcomKB918483
FDHOST Launcher service is not configured properly httpsupportmicrosoftcomkb2160720
Unrecommended SQL Server Agent service account httpsupportmicrosoftcomkb2160720
A required Windows fix to avoid sparse file related problems is missing
httpsupportmicrosoftcomkb2002606
Page 37
Significant Portion of SQL Server Memory Has Been Paged Out
httpsupportmicrosoftcomkb2028324
Server Exception or Hang Detected on Server httpsupportmicrosoftcomkb2028589
Databases exist without CHECKSUM protection httpsupportmicrosoftcomkb2078345
backups outdated for databases httpsupportmicrosoftcomkb2027537
Database consistency check not current httpsupportmicrosoftcomkb2033590
SQL Server Memory settings are incorrect httpsupportmicrosoftcomKB918483EN-US
Autogrow Failed or took a long time httpsupportmicrosoftcomkb2091024
Storport driver fix from KBA 940467 missing httpsupportmicrosoftcomkb2121098
Storport driver fix from KBA 950903 missing httpsupportmicrosoftcomkb2121098
SQLCLR needs additional memory configuration httpsupportmicrosoftcomkb969962EN-US
Operating System files and drivers needs update for working set trimming
httpsupportmicrosoftcomkb2121098
Agent Token Replacement httpsupportmicrosoftcomkb2202637
Auditing Log in failures httpsupportmicrosoftcomkb2187161
Databases with high number of VLF present httpsupportmicrosoftcomkb2028436
Transparent Data Encryption Certificate httpsupportmicrosoftcomkb2201900
Permission on the Binn folder httpsupportmicrosoftcomkb2029023
Index Statistics Are Outdated
Server public permissions httpsupportmicrosoftcomkb2160698
Detected use of older versions of SQLNCLI httpsupportmicrosoftcomkb979779
62 AS Rules
Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions
Flight Recorder Enabled for SQL Server Analysis Services
httpsupportmicrosoftcomkb2128005
Excessive amount of memory preallocated to Analysis Services
httpsupportmicrosoftcomkb2027474
Server not configured for optimal concurrent query throughput
httpsupportmicrosoftcomkb2135031
Non standard value detected for Analysis Services memory configuration
httpsupportmicrosoftcomkb2027472
Process Thread Pool Max limit above recommended limit
httpsupportmicrosoftcomkb2134497
Process Thread Pool Minimum is below the recommended limit
httpsupportmicrosoftcomkb2134855
Server is running a build with a known regression httpsupportmicrosoftcomkb2157941
Slice not set on a ROLAP partition or a partition where proactive caching is enabled and
ROLAP storage ay occur httpsupportmicrosoftcomkb2027754
Server is ignoring duplicate key errors httpsupportmicrosoftcomkb2027761
No default member defined for non-aggregatable attribute
httpsupportmicrosoftcomkb2027769
UnknownMember set to hidden httpsupportmicrosoftcomkb2027628
Non-numeric key column for high cardinality attribute httpsupportmicrosoftcomkb2028138
Attribute hiearchy enabled for high cardinality non-key attribute
httpsupportmicrosoftcomkb2028143
ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition
detected httpsupportmicrosoftcomkb2132742
Page 38
Account or Time attribute types defined in a non-matching dimension type
httpsupportmicrosoftcomkb2157299
An Account or Time dimension has no matching attribute defined
httpsupportmicrosoftcomkb2027418
Dimension has no attribute defined with the same type
httpsupportmicrosoftcomkb2027443
Attribute Dimension type mismatch httpsupportmicrosoftcomkb2157327
Mismatched dimension attribute types detected in dimension
httpsupportmicrosoftcomkb2027459
Possible incorrect order of levels defined in hierarchy httpsupportmicrosoftcomkb2027460
Define attribute relationships as Rigid where possible httpsupportmicrosoftcomkb2027468
Redundant attribute relationships detected httpsupportmicrosoftcomkb2127437
Diamond-shape relationship detected httpsupportmicrosoftcomkb2127570
Non-Standard Attribute Relationship name detected httpsupportmicrosoftcomkb2127862
Proactive Caching set for dimension without a processing query
httpsupportmicrosoftcomkb2027541
No Time dimension detected httpsupportmicrosoftcomkb2027532
More than 3 parent-child dimensions with custom rollups defined
httpsupportmicrosoftcomkb2134431
Encountered a parent-child dimension with more than 500000 members
httpsupportmicrosoftcomkb2131918
Single attribute dimensions detected httpsupportmicrosoftcomkb2141654
Measure groups with zero dimensional overlap detected in cube
httpsupportmicrosoftcomkb2027609
Proactive Caching set for a partition without a processing query
Default measure for perspective not in the perspective
httpsupportmicrosoftcomkb2027603
Use MOLAP storage for dimensions that participate in semi-additive measure groups
httpsupportmicrosoftcomkb2135112
Measure group defined with no partition httpsupportmicrosoftcomkb2027545
63 RS Rules
RSWindowsNegotiate is missing from your configuration
httpsupportmicrosoftcomkb2145506
HTTP Logging is not enabled httpsupportmicrosoftcomkb2145909
Verbose logging is enabled httpsupportmicrosoftcomkb2146315
NTLM authentication may fail for local httpsupportmicrosoftcomkb2146369
Missing extended protection settings httpsupportmicrosoftcomkb2146062
64 IS Rules
Logging task missing for package httpsupportmicrosoftcomkb2027723
ActiveX Script task detected in package httpsupportmicrosoftcomkb2027712
Unrecommended Integration Services service account detected
httpsupportmicrosoftcomkb2027684
Integration Services logging table found in system database master and or msdb
httpsupportmicrosoftcomkb2027706
Integration Services memory dump detected httpsupportmicrosoftcomkb2027727
Page 39
65 Setup Rules
Unsupported Operating System Version Detected httpsupportmicrosoftcomkb2022909
WOW64 not supported for SQL Failover Clustering httpsupportmicrosoftcomkb2157198
Installer cache is missing for the SQL Installation httpsupportmicrosoftcomkb2015100
SQL Server WMI Provider Health Check
66 Replication Rules
Replication Timeout Alerts Type httpsupportmicrosoftcomkb2118349
Replication Pub and Sub out of sync (Data Validation) httpsupportmicrosoftcomkb2118386
Replication Pub and Sub out of sync (Constraint Violations)
httpsupportmicrosoftcomkb2118410
Replication Pub and Sub out of sync (Skipped Transactions)
httpsupportmicrosoftcomkb2194498
Merge Replication Health Check httpsupportmicrosoftcomkb2118445
Subscriptions Approaching Expiration httpgomicrosoftcomfwlinkLinkId=184483
Replication Cleanup and Retention Health Check httpsupportmicrosoftcomkb2118485
Replication Latency Threshold violations httpsupportmicrosoftcomkb2118425
Page 40
7 HOW TO DEAL WITH DEVIATIONS
Deviations from these Best Practices may indicate potential issues and configuration changes may be
necessary Make sure you have tested any intended changes in a test environment before deploying
them to a production environment You could also find deviations from Best Practices that are
acceptable or even necessary for your environment For example
SAP has its special Network Packet Size of 8 KB
Existing Non-Microsoft Clients ndash would require Mixed Mode Authentication
Page 41
8 MOTIVATION TO USE SQL BPA R2
Bob Ward explained in his Article ldquoWhy use SQL Server 2008 R2 BPA Case 1 Missing Updatesrdquo
the common pitfalls during maintenance and operation of SQL Server and how address them by using
the SQL BPA
In brief itrsquos a customer scenario where the customer is facing an issue after a major update to
SQL2008 After some troubleshooting and an update to a certain CU (that is meant to fix the issue) the
problem still occurs Bobs article states the common resulting consequences ndash the involvement of
Microsoft Support and the final solution ndash adding a needed traceflag
The good news in this story is that the customer would not have needed to go to all that effort if they
would have run the SQL BPA It would have told them about the update and instructed them to put the
traceflag in place BPA is a mechanism that proactively advises you and instructs you on dealing with
common known issues
Page 42
9 ADDITIONAL INFORMATION
91 PowerShell
To use the functionality of the Baseline Configuration Analyzer with PowerShell you must import this
module first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
The following commands are stored in this module
Get-MbcaModel
Get-MbcaResult
Invoke-MbcaModel
Set-MbcaResult
You get help of this command with the following syntax
Get-help ltcommandgt -full
911 Get-MBCAModel
SYNOPSIS
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer
SYNTAX
Get-MBCAModel [[-ModelId] ltstring[]gt] [[-SubModelId] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer If no parameter is
specified Get-MBCAModel returns all models that are installed on the computer If a model is specified
by using the -ModelId parameter information about the specified model is returned
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
The results of the Get-MBCAModel cmdlet include the following details about models
1 Branding information (manufacturer or company display names version number) that is found in
the model manifest
2 Dynamic parameters that are included with the model
3 Submodels that are included with the model
PARAMETERS
-ModelId ltstring[]gt
The -ModelId parameter specifies the ID of the MBCA model about which you want to view
details You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet with no parameters and targeted at a computer on which MBCA models are installed
Page 43
This parameter supports wild card characters
Required false
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you
want to view details You can obtain valid values for the -SubModelId parameter by running the
Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models
are installed Not all models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
Examples
Get-MBCAModel
In the preceding example Get-MBCAModel with no parameters added returns details about all MBCA
models that are installed on the computer
Get-MBCAModel -ModelId SQL2008R2BPA
The preceding example can be used to return details about the MBCA model that is specified in the -
ModelId parameter represented by Model Id
$model= Get-MBCAModel -ModelId SQL2008R2BPA
$modelParameters
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the Parameters property of the model details that were stored in the
$model object returns details about which parameters are supported by the model
Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId ltSubModel Idgt
The preceding example can be used to return details about the MBCA sub-model that is specified by
the -SubModelId parameter represented by SubModel Id Note that the -ModelId parameter is
required by the -SubModelId parameter
$model= Get-MBCAModel -ModelId SQL2008R2BPA
Page 44
$modelSubModels
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the SubModels property of the model details that were stored in the
$model object returns a list of the submodels of the model specified in the first line
912 Invoke-MBCAModel
SYNOPSIS
The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA)
scan for a specific model that is installed on your computer
SYNTAX
Invoke-MBCAModel [-ModelId] ltstringgt -SubModelId ltstringgt [-Authentication
ltAuthenticationMechanismgt] [-CertificateThumbprint ltstringgt] [-ComputerName
ltstring[]gt] [-ConfigurationName ltstringgt] [-Context ltstringgt] [-Credential
ltstringgt] [-Mode ltModeEnumgt] [-Port ltintgt] [-RepositoryPath ltstringgt] [-
ThrottleLimit ltintgt] [-UseSSL] [ltCommonParametersgt]
DESCRIPTION
The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer
(MBCA) scan for a specific model that is installed on your computer The model is specified either by
using the parameter -ModelId or by piping the results of the Get-MBCAModel cmdlet into an Invoke-
MBCAMode cmdlet
After the MBCA scan has been performed the results of the scan are available to be retrieved by Get-
MBCAResult cmdlet
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Authentication ltAuthenticationMechanismgt
Specifies the authentication mechanism that is used to authenticate the users credentials Valid
values include Default Basic CredSSP Digest Kerberos Negotiate and
NegotiateWithImplicitCredential The default value is Default
For more information about the -Authentication parameter type the following and then press
Enter
Get-Help Invoke-Command -Parameter Authentication
Required false
Position named
Default value Default
Accept pipeline input false
Accept wildcard characters false
-CertificateThumbprint ltstringgt
Page 45
Specifies the digital public key certificate (X509) of a user account that has rights to perform the
cmdlet action The valid value is the certificate thumbprint of the certificate
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Certificate Thumbprint
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific
computer by adding this parameter Valid values include NETBOS names IP addresses or fully-
qualified domain names of one or more computers in a comma-separated list To specify the local
computer type the computer name or localhost
All formats that are accepted by the -ComputerName parameter in Invoke-Command are
accepted
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ConfigurationName ltstringgt
Specifies the session configuration that is used for a new PSSession
Enter a configuration name or the fully-qualified resource URI for a session configuration
Session configuration data is found on the remote computer on which you want to run a cmdlet
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ConfigurationName
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
The -Context parameter lets you run scans on a submodel in the context of a specific model (one
that is different from the parent model of the submodel) For example an administrator might
want to run a scan on the Backend submodel of the SQL model but only those in the context
of a third model a technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
Page 46
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Credential ltstringgt
Specifies a user account that has permission to run this cmdlet The default value is the current
user
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Credential
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Mode ltModeEnumgt
The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered
documents or discovery The default is to perform both discovery and analysis or All
If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet both discovery and
analysis are performed during a scan
Valid values are Discovery Analysis and All
Required false
Position named
Default value All
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model that you want to scan You can
obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at
a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
Page 47
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-Port ltintgt
Specifies the network port on a remote computer on which you want to run a scan The default
value is port 80
For more information on this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Port
Required false
Position named
Default value 80
Accept pipeline input false
Accept wildcard characters false
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a pathname If the parameter is not used the cmdlet writes
results to the default result repository
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to
scan You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed Not all models have
submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ThrottleLimit ltintgt
Specifies the maximum number of concurrent connections that can be established to run the
cmdlet If you omit this parameter or enter a value of 0 the default value of 32 is used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ThrottleLimit
Required false
Page 48
Position named
Default value 32
Accept pipeline input false
Accept wildcard characters false
-UseSSL [ltSwitchParametergt]
Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer
By default SSL is not used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter UseSSL
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceInvokeBpaModelOutputgt
The output object encapsulates the results of the cmdlet that you entered It contains information such
as the MBCA model ID the success or failure of the cmdlet and other details
NOTES
If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C)
before the temporary results file is copied to its final location the temporary file is discarded and any
previous scan results file for the role are preserved The message Processing of Invoke-MBCAModel
cancelled by user is displayed if the command is cancelled before existing scan results files are
overwritten
If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel
cmdlet and the command is cancelled scans that were completed before the cancel command was
entered cannot be cancelled A scan in progress behaves as described above in the single-model scan
cancellation scenario Subsequent scans in the pipeline are cancelled
If a concurrent scan of the same model is attempted the cmdlet returns the following error message
Another scan for this MBCA model is in progress Only one scan is allowed at a time
-------------------------- EXAMPLE 1 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA
Description
The preceding example starts a MBCA scan on the model that is represented by ltModel Idgt
-------------------------- EXAMPLE 2 --------------------------
Page 49
Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name
redmondmicrosoftcom
Description
The preceding example starts an MBCA scan on the model ID that is specified by Model Id
The administrator starts the MBCA scan with additional model-specific parameters that are exposed by
the model (For an example of how to obtain model-specific parameters see the examples for the Get-
MBCAModel cmdlet)
For example to scan a model that requires model-specific parameters (such as -Scope and -Name) to
be passed to the command the administrator can specify the values of these model-specific
parameters with the Invoke-MBCAModel cmdlet
-------------------------- EXAMPLE 3 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The
cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion
of the scan
-------------------------- EXAMPLE 4 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath
ltRepository Pathgt
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The -
Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on
existing documents that are specified in the non-default repository path provided with the -Repository
Path parameter
-------------------------- EXAMPLE 5 --------------------------
Invoke-MBCAModel -Id ltModel Idgt -SubModelId ltSubModel Idgt -ComputerName
ltServergt -Context ltContext Model Idgt -RepositoryPath ltRespository Pathgt -
AsJob -Authentication ltAuthenticatonMechanismgt -Port ltPort Numbergt -UseSSL -
ThrottleLimit ltThrottle Limitgt
Description
The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id
and on the computer that is represented by Server
Because the administrator only wants to see results from the submodel that apply in the context of a
third model the administrator runs the scan within the context of the model ID that is specified in the -
Context parameter The cmdlet results are saved to the non-default repository path that is specified in
the -RepositoryPath parameter
Because the -AsJob parameter is added the scan runs in the background The -AsJob -
Authentication -Port -UseSSL and -ThrottleLimit parameters are passed through for use by the
Invoke-Command cmdlet to perform discovery on a remote computer For more information about
these parameters see the Help for the Invoke-Command cmdlet available in Windows PowerShell V2
913 Get-MBCAResult
SYNOPSIS
Page 50
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
SYNTAX
Get-MBCAResult [-ModelId] ltstringgt [[-CollectedConfiguration]] -SubModelId
ltstringgt [-ComputerName ltstring[]gt] [-Context ltstringgt] [-Filter
ltFilterEnumgt] [-RepositoryPath ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
To use the command add the -ModelId parameter and then specify the model ID for which you want
to view the most recent MBCA scan results or collected configuration data If you want to retrieve the
configuration data collected add the -CollectedConfiguration switch parameter
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-CollectedConfiguration [ltSwitchParametergt]
The -CollectedConfiguration parameter allows you to obtain the configuration data that was
collected for the most recent MBCA scan If this switch parameter is added to Get-MBCAResults
the cmdlet returns only the configuration data that was collected for a scan
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The -ComputerName parameter lets you obtain scan results that were collected for the most
recent MBCA scan of a submodel on a specific computer To specify the local computer type the
computer name or localhost Multiple values for -ComputerName can be separated by
commas
The -SubModelId parameter is required by the -ComputerName parameter
Valid values for the -ComputerName parameter include localhost a NET BIOS name an IP
address or a fully-qualified domain name (FQDN) of one or more computers in a comma-
separated list
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
Page 51
The -Context parameter lets you obtain scan results that were collected for the most recent
MBCA scan of a submodel in the context of a specific model (one that is different from the parent
model of the submodel) For example an administrator might want to display scan results for the
Backend submodel of the SQL model but only those in the context of a third model a
technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Filter ltFilterEnumgt
The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant
Noncompliant or All results Valid values are Noncompliant Compliant or All The default value
is All
The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan
results You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet obtains
results from the default result repository
Required false
Position named
Page 52
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you
want to view scan results You can obtain valid values for the -SubModelId parameter by running
the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed Not all
models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceResultgt OR
SystemXmlXmlDocument (if -CollectedData specified)
If you do not use the -CollectedConfiguration parameter verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Results
2 Attempting to get MBCA results for Model Id = 0
3 Completed getting MBCA results for Model Id = 0 Number of Results = 1
If you add the -CollectedConfiguration parameter to display configuration data that was used for a
scan verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Configuration Data
2 Attempting to get MBCA collected configuration data for Model Id = 0
3 Completed getting MBCA collected configuration data for Model Id = 0
NOTES
The Get-MBCAResult cmdlet must be run by a member of the Administrators group and it does not
start a new scan
Cancellation behaviour
Single Model - To cancel this cmdlet you must press Ctrl+C before the ResultCollection is displayed
on the console The operation is cancelled and results are not displayed on the console
Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models
the cmdlet generates only those results that were displayed on the console before the cancellation
Any subsequent results in the pipeline are cancelled and not displayed
Page 53
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -Id SQL2008R2BPA
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id
-------------------------- EXAMPLE 2 --------------------------
Get-MBCAModel | Get-MBCAResult
In the preceding example Get-MBCAModel is used to return a list of all MBCA models that are
installed on the computer The results of the Get-MBCAModel cmdlet are piped to the Get-
MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both
supported by MBCA and installed on the computer at which the cmdlet is targeted
-------------------------- EXAMPLE 3 --------------------------
$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$resultDiscoveryDocument
Description
In the preceding example configuration data (in XML form) that was collected during the most recent
Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is
retrieved and stored as a property in the variable $result $resultDiscoveryDocument is of type
SystemXmlXmlDocument
-------------------------- EXAMPLE 4 --------------------------
Get-MBCAResult SQL2008R2BPA -Filter Noncompliant
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id and then applies a filter to show only Noncompliant
results
------------------------- EXAMPLE 5 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId Note that the parent model ID must be specified
to use the -SubModelId parameter
------------------------- EXAMPLE 6 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt -ComputerName ltServergt
-Context ltContext Model Idgt -RepositoryPath ltRepository Pathgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId The parent model ID is provided as required by
the -SubModelID parameter
The -Context parameter indicates that the administrator wants to see only those scan results that are in
the context of the model that is represented by Context Model Id for example only those results from
a SQL Server scan that specifically apply to another technology such as Web Server (IIS)
Page 54
The scan results are further narrowed to only those from a computer that is specified in the -
ComputerName parameter as Server and only those results found in the non-default results
repository that is represented by Repository Path
914 Set-MBCAResult
SYNOPSIS
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
SYNTAX
Set-MBCAResult [[-Exclude] ltBooleangt] [-Results] ltResultgtgt [[-
RepostitoryPath] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
The action specified in the cmdlet (Exclude for example) determines how the existing results of an
MBCA scan are updated Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet
to return a collection of scan results
You can apply filters to results that are returned by the Get-MBCAResult cmdlet and then pipe the
filtered collection of results to the Set-MBCAResult cmdlet specifying either to include or exclude
filtered scan results
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Exclude ltBooleangt
Excludes scan results from the results collection that were previously obtained by the Get-
MBCAResult command To exclude results by using the -Exclude parameter add the value $true
following the parameter as shown
-Exclude $true
To include results that have been excluded use the $false value for the -Exclude parameter
Required false
Position 2
Default value
Accept pipeline input false
Accept wildcard characters false
-RepostitoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet
modifies results from the default result repository
Required false
Page 55
Position 4
Default value
Accept pipeline input false
Accept wildcard characters false
-Results ltResultgtgt
Specifies the result collection to be updated by the Set-MBCAResult cmdlet The -Results
parameter is typically used to specify a filtered subset of scan results that has already been
stored in a variable the variable name is provided as the valid value for the -Results parameter
For example if you have created a variable $allPerformance to store all the Performance
category results for an MBCA scan of all models on a computer and you want to exclude those
Performance results from the complete collection of scan results you add the parameter -Results
$all Performance to a Set-MBCAResult cmdlet
For a more detailed example see the Examples section of the Help for this cmdlet
Required true
Position 3
Default value
Accept pipeline input true (ByValue)
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type ldquoget-
help about_commonparameters
NOTES
If the Set-MBCAResult command is cancelled before the results are written to a file the operation is
cancelled and the results file is not modified If cancellation occurs after the results file has been
modified the commands actions are carried out and the command cannot be cancelled
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -ModelId SQL2008R2BPA | Where $_Category -eq
Performance | Set-MBCAResult -Exclude $true
Description
The first section of the preceding example to the left of the first pipe character (|) uses the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is
represented by Model Id
The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those
scan results for which the category name is equal to Performance
The final section of the example following the second pipe character excludes the Performance
results that were filtered by the previous section of the example
-------------------------- EXAMPLE 2 --------------------------
$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath
CReposPath | Where $_Category -eq Policy
Page 56
Set-MBCAResult -Exclude $true -RepositoryPath CReposPath -Results
$rcPolicy
Description
The first line of the preceding example to the left of the pipe character (|) instructs the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is
represented by Specified Model Id from the specified non-default repository path
The second section of the example after the pipe character filters the results of the Get-MBCAResult
cmdlet to return only those scan results for which the category name is equal to (note the -eq option)
Policy The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet this
variable can be used in subsequent commands to represent those results
The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that
are stored in the $rcPolicy variable In this example the -Results parameter is added because the
administrator wants to exclude a specific subset of scan results for that model and has created the
variable $rcPolicy to represent that subset of results The repository root is specified in the second line
because the administrator wants to modify the results in the same non-default repository from which
the data in $rcPolicy was retrieved
915 MBCA Model Authoring
Further information about configuration and usage of MBCA models you can in the
MBCA_ModelAuthoringGuidedocx
Page 57
Did this paper help you Please give us your feedback Tell us on a scale of 1 (poor) to 5 (excellent)
how would you rate this paper and why have you given it this rating For example
Are you rating it high due to having good examples excellent screen shots clear writing or
another reason
Are you rating it low due to poor examples fuzzy screen shots or unclear writing
This feedback will help us improve the quality of white papers we release
Send feedback
Page 35
BPA rule categories
The following table describes the categories of best practice rules against which roles are measured
during a BPA scan
Category Name Description
Security Security rules are applied to measure a rolersquos relative risk for exposure to threats such as unauthorized or malicious
users or loss or theft of confidential or proprietary data
Performance Performance rules are applied to measure a rolersquos ability to process requests and perform its prescribed duties in
the enterprise within expected periods of time given the rolersquos workload
Configuration Configuration rules are applied to identify role settings that might require modification for the role to perform
optimally Configuration rules can help prevent setting conflicts that can result in error messages or prevent the role
from performing its prescribed duties in an enterprise
Policy Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for the
role to operate optimally and securely
Operation Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise
Predeployment Predeployment rules are applied before an installed role is deployed in the enterprise to let administrators to
evaluate whether best practices were satisfied before you use the role in production
Postdeployment Postdeployment rules are applied after all required services have started for a role and the role is running in the
enterprise
BPA Prerequisites BPA Prerequisite rules explain configuration settings policy settings and features that are required for the role
before BPA can apply specific rules from other categories A prerequisite in scan results indicates that an incorrect
setting a missing role role service or feature an incorrectly enabled or disabled policy a registry key setting or
other configuration has prevented BPA from applying one or more rules during a scan A prerequisite result does
not imply compliance or noncompliance It means that a rule could not be applied and therefore is not part of the
scan results
61 Engine Rules
Please find below a summary of the 74 Engine Rules with the links to the rule descriptions These rules
are checking that you have a secure resilient and well performing SQL configuration
Authentication Mode (httpsupportmicrosoftcomkb2028697)
Lightweight Pooling is enabled (httpsupportmicrosoftcomkb2160691)
Locks Configuration Not Dynamic (httpsupportmicrosoftcomkb2199576)
non-default network packet size in use (httpsupportmicrosoftcomkb2157175)
degree of parallelism not set to recommended value (httpsupportmicrosoftcomkb2023536)
Use Database Mail instead of SQL Mail (httpsupportmicrosoftcomkb2028584)
SQL Server Agent Proxy Account (httpsupportmicrosoftcomkb2160741)
SQL Login Password Policy Strength and password expiry
(httpsupportmicrosoftcomkb2028712)
Trustworthy Bit (httpsupportmicrosoftcomkb2183687)
Symmetric Keys Check (httpsupportmicrosoftcomkb2162020)
Asymmetric Keys Check (httpsupportmicrosoftcomkb2162020)
SQL Server installed on PDC BDC (httpsupportmicrosoftcomkb2032911)
Page 36
SQL Server Admin role membership check (httpsupportmicrosoftcomkb2184138)
Windows API calls intercepted (httpsupportmicrosoftcomkb2033238)
unsupported DotNET framework assemblies present (httpsupportmicrosoftcomkb2033344)
Disk partition starting offset may be incorrect (httpsupportmicrosoftcomkb2023571)
non-default max worker threads value configured (httpsupportmicrosoftcomkb2157129)
Guest Permissions (httpsupportmicrosoftcomkb2186935)
Data and Log files on the same volume (httpsupportmicrosoftcomkb2033523)
IO timeouts and IO controller errors detected (httpsupportmicrosoftcomkb2091098)
IO device errors detected (httpsupportmicrosoftcomkb2091098)
IO errors during page faults detected (httpsupportmicrosoftcomkb2091098)
cluster disk corruption encountered (httpsupportmicrosoftcomkb2091098)
disk defragmentation encountered corruption (httpsupportmicrosoftcomkb2091098)
failed IO requests detected (httpsupportmicrosoftcomkb2091098)
IO requests are successful when retried (httpsupportmicrosoftcomkb2015757)
IO Delay Problems reported by SQL Server (httpsupportmicrosoftcomkb2137408)
This system experienced unexpected shutdowns (httpsupportmicrosoftcomkb2091098)
tempdb corruption errors fix missing (httpsupportmicrosoftcomkb960770)
Critical SQL database inconsistency errors found (httpsupportmicrosoftcomkb2152734)
Logical consistency errors detected (httpsupportmicrosoftcomkb2152472)
Database have auto shrink option enabled (httpsupportmicrosoftcomkb2160663)
SQL Server Error logs are very big (httpsupportmicrosoftcomkb2199578)
incorrect affinity mask settings detected httpsupportmicrosoftcomkb2157114
Very low blocked process threshold setting detected httpsupportmicrosoftcomkb2157154
Potential security issue with legacy DTS stored procedures
httpsupportmicrosoftcomkb2202875
Winsock LSP loaded into SQL httpsupportmicrosoftcomkb2033448
Databases using simple recovery model httpsupportmicrosoftcomkb2137539
User database collation different from model httpsupportmicrosoftcomkb2026108
Database files and backups exist on the same volume httpsupportmicrosoftcomkb2027537
Databases have auto close option enabled httpsupportmicrosoftcomkb2160685
LSI SAS drivers needs update httpsupportmicrosoftcomkb2121098
SQL tempdb database not configured optimally httpsupportmicrosoftcomkb2154845
SQL Database file has sparse attribute set httpsupportmicrosoftcomkb2028447
Invalid startup parameters httpsupportmicrosoftcomkb2028433
MSDTC settings not configured optimally httpsupportmicrosoftcomkb2027550
sql incorrect results fix missing httpsupportmicrosoftcomkb971780
File System needs tuning for better FileStream performance
httpsupportmicrosoftcomkb2160002
linked server memory leak fix missing httpsupportmicrosoftcomkb971622EN-US
Windows service pack is not at recommended level httpsupportmicrosoftcomkb2121098
default extended event health session not in expected state
httpsupportmicrosoftcomkb2160570
TcpSysAndChimneyCheck httpsupportmicrosoftcomKB918483
FDHOST Launcher service is not configured properly httpsupportmicrosoftcomkb2160720
Unrecommended SQL Server Agent service account httpsupportmicrosoftcomkb2160720
A required Windows fix to avoid sparse file related problems is missing
httpsupportmicrosoftcomkb2002606
Page 37
Significant Portion of SQL Server Memory Has Been Paged Out
httpsupportmicrosoftcomkb2028324
Server Exception or Hang Detected on Server httpsupportmicrosoftcomkb2028589
Databases exist without CHECKSUM protection httpsupportmicrosoftcomkb2078345
backups outdated for databases httpsupportmicrosoftcomkb2027537
Database consistency check not current httpsupportmicrosoftcomkb2033590
SQL Server Memory settings are incorrect httpsupportmicrosoftcomKB918483EN-US
Autogrow Failed or took a long time httpsupportmicrosoftcomkb2091024
Storport driver fix from KBA 940467 missing httpsupportmicrosoftcomkb2121098
Storport driver fix from KBA 950903 missing httpsupportmicrosoftcomkb2121098
SQLCLR needs additional memory configuration httpsupportmicrosoftcomkb969962EN-US
Operating System files and drivers needs update for working set trimming
httpsupportmicrosoftcomkb2121098
Agent Token Replacement httpsupportmicrosoftcomkb2202637
Auditing Log in failures httpsupportmicrosoftcomkb2187161
Databases with high number of VLF present httpsupportmicrosoftcomkb2028436
Transparent Data Encryption Certificate httpsupportmicrosoftcomkb2201900
Permission on the Binn folder httpsupportmicrosoftcomkb2029023
Index Statistics Are Outdated
Server public permissions httpsupportmicrosoftcomkb2160698
Detected use of older versions of SQLNCLI httpsupportmicrosoftcomkb979779
62 AS Rules
Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions
Flight Recorder Enabled for SQL Server Analysis Services
httpsupportmicrosoftcomkb2128005
Excessive amount of memory preallocated to Analysis Services
httpsupportmicrosoftcomkb2027474
Server not configured for optimal concurrent query throughput
httpsupportmicrosoftcomkb2135031
Non standard value detected for Analysis Services memory configuration
httpsupportmicrosoftcomkb2027472
Process Thread Pool Max limit above recommended limit
httpsupportmicrosoftcomkb2134497
Process Thread Pool Minimum is below the recommended limit
httpsupportmicrosoftcomkb2134855
Server is running a build with a known regression httpsupportmicrosoftcomkb2157941
Slice not set on a ROLAP partition or a partition where proactive caching is enabled and
ROLAP storage ay occur httpsupportmicrosoftcomkb2027754
Server is ignoring duplicate key errors httpsupportmicrosoftcomkb2027761
No default member defined for non-aggregatable attribute
httpsupportmicrosoftcomkb2027769
UnknownMember set to hidden httpsupportmicrosoftcomkb2027628
Non-numeric key column for high cardinality attribute httpsupportmicrosoftcomkb2028138
Attribute hiearchy enabled for high cardinality non-key attribute
httpsupportmicrosoftcomkb2028143
ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition
detected httpsupportmicrosoftcomkb2132742
Page 38
Account or Time attribute types defined in a non-matching dimension type
httpsupportmicrosoftcomkb2157299
An Account or Time dimension has no matching attribute defined
httpsupportmicrosoftcomkb2027418
Dimension has no attribute defined with the same type
httpsupportmicrosoftcomkb2027443
Attribute Dimension type mismatch httpsupportmicrosoftcomkb2157327
Mismatched dimension attribute types detected in dimension
httpsupportmicrosoftcomkb2027459
Possible incorrect order of levels defined in hierarchy httpsupportmicrosoftcomkb2027460
Define attribute relationships as Rigid where possible httpsupportmicrosoftcomkb2027468
Redundant attribute relationships detected httpsupportmicrosoftcomkb2127437
Diamond-shape relationship detected httpsupportmicrosoftcomkb2127570
Non-Standard Attribute Relationship name detected httpsupportmicrosoftcomkb2127862
Proactive Caching set for dimension without a processing query
httpsupportmicrosoftcomkb2027541
No Time dimension detected httpsupportmicrosoftcomkb2027532
More than 3 parent-child dimensions with custom rollups defined
httpsupportmicrosoftcomkb2134431
Encountered a parent-child dimension with more than 500000 members
httpsupportmicrosoftcomkb2131918
Single attribute dimensions detected httpsupportmicrosoftcomkb2141654
Measure groups with zero dimensional overlap detected in cube
httpsupportmicrosoftcomkb2027609
Proactive Caching set for a partition without a processing query
Default measure for perspective not in the perspective
httpsupportmicrosoftcomkb2027603
Use MOLAP storage for dimensions that participate in semi-additive measure groups
httpsupportmicrosoftcomkb2135112
Measure group defined with no partition httpsupportmicrosoftcomkb2027545
63 RS Rules
RSWindowsNegotiate is missing from your configuration
httpsupportmicrosoftcomkb2145506
HTTP Logging is not enabled httpsupportmicrosoftcomkb2145909
Verbose logging is enabled httpsupportmicrosoftcomkb2146315
NTLM authentication may fail for local httpsupportmicrosoftcomkb2146369
Missing extended protection settings httpsupportmicrosoftcomkb2146062
64 IS Rules
Logging task missing for package httpsupportmicrosoftcomkb2027723
ActiveX Script task detected in package httpsupportmicrosoftcomkb2027712
Unrecommended Integration Services service account detected
httpsupportmicrosoftcomkb2027684
Integration Services logging table found in system database master and or msdb
httpsupportmicrosoftcomkb2027706
Integration Services memory dump detected httpsupportmicrosoftcomkb2027727
Page 39
65 Setup Rules
Unsupported Operating System Version Detected httpsupportmicrosoftcomkb2022909
WOW64 not supported for SQL Failover Clustering httpsupportmicrosoftcomkb2157198
Installer cache is missing for the SQL Installation httpsupportmicrosoftcomkb2015100
SQL Server WMI Provider Health Check
66 Replication Rules
Replication Timeout Alerts Type httpsupportmicrosoftcomkb2118349
Replication Pub and Sub out of sync (Data Validation) httpsupportmicrosoftcomkb2118386
Replication Pub and Sub out of sync (Constraint Violations)
httpsupportmicrosoftcomkb2118410
Replication Pub and Sub out of sync (Skipped Transactions)
httpsupportmicrosoftcomkb2194498
Merge Replication Health Check httpsupportmicrosoftcomkb2118445
Subscriptions Approaching Expiration httpgomicrosoftcomfwlinkLinkId=184483
Replication Cleanup and Retention Health Check httpsupportmicrosoftcomkb2118485
Replication Latency Threshold violations httpsupportmicrosoftcomkb2118425
Page 40
7 HOW TO DEAL WITH DEVIATIONS
Deviations from these Best Practices may indicate potential issues and configuration changes may be
necessary Make sure you have tested any intended changes in a test environment before deploying
them to a production environment You could also find deviations from Best Practices that are
acceptable or even necessary for your environment For example
SAP has its special Network Packet Size of 8 KB
Existing Non-Microsoft Clients ndash would require Mixed Mode Authentication
Page 41
8 MOTIVATION TO USE SQL BPA R2
Bob Ward explained in his Article ldquoWhy use SQL Server 2008 R2 BPA Case 1 Missing Updatesrdquo
the common pitfalls during maintenance and operation of SQL Server and how address them by using
the SQL BPA
In brief itrsquos a customer scenario where the customer is facing an issue after a major update to
SQL2008 After some troubleshooting and an update to a certain CU (that is meant to fix the issue) the
problem still occurs Bobs article states the common resulting consequences ndash the involvement of
Microsoft Support and the final solution ndash adding a needed traceflag
The good news in this story is that the customer would not have needed to go to all that effort if they
would have run the SQL BPA It would have told them about the update and instructed them to put the
traceflag in place BPA is a mechanism that proactively advises you and instructs you on dealing with
common known issues
Page 42
9 ADDITIONAL INFORMATION
91 PowerShell
To use the functionality of the Baseline Configuration Analyzer with PowerShell you must import this
module first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
The following commands are stored in this module
Get-MbcaModel
Get-MbcaResult
Invoke-MbcaModel
Set-MbcaResult
You get help of this command with the following syntax
Get-help ltcommandgt -full
911 Get-MBCAModel
SYNOPSIS
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer
SYNTAX
Get-MBCAModel [[-ModelId] ltstring[]gt] [[-SubModelId] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer If no parameter is
specified Get-MBCAModel returns all models that are installed on the computer If a model is specified
by using the -ModelId parameter information about the specified model is returned
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
The results of the Get-MBCAModel cmdlet include the following details about models
1 Branding information (manufacturer or company display names version number) that is found in
the model manifest
2 Dynamic parameters that are included with the model
3 Submodels that are included with the model
PARAMETERS
-ModelId ltstring[]gt
The -ModelId parameter specifies the ID of the MBCA model about which you want to view
details You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet with no parameters and targeted at a computer on which MBCA models are installed
Page 43
This parameter supports wild card characters
Required false
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you
want to view details You can obtain valid values for the -SubModelId parameter by running the
Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models
are installed Not all models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
Examples
Get-MBCAModel
In the preceding example Get-MBCAModel with no parameters added returns details about all MBCA
models that are installed on the computer
Get-MBCAModel -ModelId SQL2008R2BPA
The preceding example can be used to return details about the MBCA model that is specified in the -
ModelId parameter represented by Model Id
$model= Get-MBCAModel -ModelId SQL2008R2BPA
$modelParameters
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the Parameters property of the model details that were stored in the
$model object returns details about which parameters are supported by the model
Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId ltSubModel Idgt
The preceding example can be used to return details about the MBCA sub-model that is specified by
the -SubModelId parameter represented by SubModel Id Note that the -ModelId parameter is
required by the -SubModelId parameter
$model= Get-MBCAModel -ModelId SQL2008R2BPA
Page 44
$modelSubModels
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the SubModels property of the model details that were stored in the
$model object returns a list of the submodels of the model specified in the first line
912 Invoke-MBCAModel
SYNOPSIS
The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA)
scan for a specific model that is installed on your computer
SYNTAX
Invoke-MBCAModel [-ModelId] ltstringgt -SubModelId ltstringgt [-Authentication
ltAuthenticationMechanismgt] [-CertificateThumbprint ltstringgt] [-ComputerName
ltstring[]gt] [-ConfigurationName ltstringgt] [-Context ltstringgt] [-Credential
ltstringgt] [-Mode ltModeEnumgt] [-Port ltintgt] [-RepositoryPath ltstringgt] [-
ThrottleLimit ltintgt] [-UseSSL] [ltCommonParametersgt]
DESCRIPTION
The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer
(MBCA) scan for a specific model that is installed on your computer The model is specified either by
using the parameter -ModelId or by piping the results of the Get-MBCAModel cmdlet into an Invoke-
MBCAMode cmdlet
After the MBCA scan has been performed the results of the scan are available to be retrieved by Get-
MBCAResult cmdlet
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Authentication ltAuthenticationMechanismgt
Specifies the authentication mechanism that is used to authenticate the users credentials Valid
values include Default Basic CredSSP Digest Kerberos Negotiate and
NegotiateWithImplicitCredential The default value is Default
For more information about the -Authentication parameter type the following and then press
Enter
Get-Help Invoke-Command -Parameter Authentication
Required false
Position named
Default value Default
Accept pipeline input false
Accept wildcard characters false
-CertificateThumbprint ltstringgt
Page 45
Specifies the digital public key certificate (X509) of a user account that has rights to perform the
cmdlet action The valid value is the certificate thumbprint of the certificate
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Certificate Thumbprint
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific
computer by adding this parameter Valid values include NETBOS names IP addresses or fully-
qualified domain names of one or more computers in a comma-separated list To specify the local
computer type the computer name or localhost
All formats that are accepted by the -ComputerName parameter in Invoke-Command are
accepted
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ConfigurationName ltstringgt
Specifies the session configuration that is used for a new PSSession
Enter a configuration name or the fully-qualified resource URI for a session configuration
Session configuration data is found on the remote computer on which you want to run a cmdlet
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ConfigurationName
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
The -Context parameter lets you run scans on a submodel in the context of a specific model (one
that is different from the parent model of the submodel) For example an administrator might
want to run a scan on the Backend submodel of the SQL model but only those in the context
of a third model a technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
Page 46
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Credential ltstringgt
Specifies a user account that has permission to run this cmdlet The default value is the current
user
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Credential
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Mode ltModeEnumgt
The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered
documents or discovery The default is to perform both discovery and analysis or All
If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet both discovery and
analysis are performed during a scan
Valid values are Discovery Analysis and All
Required false
Position named
Default value All
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model that you want to scan You can
obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at
a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
Page 47
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-Port ltintgt
Specifies the network port on a remote computer on which you want to run a scan The default
value is port 80
For more information on this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Port
Required false
Position named
Default value 80
Accept pipeline input false
Accept wildcard characters false
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a pathname If the parameter is not used the cmdlet writes
results to the default result repository
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to
scan You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed Not all models have
submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ThrottleLimit ltintgt
Specifies the maximum number of concurrent connections that can be established to run the
cmdlet If you omit this parameter or enter a value of 0 the default value of 32 is used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ThrottleLimit
Required false
Page 48
Position named
Default value 32
Accept pipeline input false
Accept wildcard characters false
-UseSSL [ltSwitchParametergt]
Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer
By default SSL is not used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter UseSSL
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceInvokeBpaModelOutputgt
The output object encapsulates the results of the cmdlet that you entered It contains information such
as the MBCA model ID the success or failure of the cmdlet and other details
NOTES
If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C)
before the temporary results file is copied to its final location the temporary file is discarded and any
previous scan results file for the role are preserved The message Processing of Invoke-MBCAModel
cancelled by user is displayed if the command is cancelled before existing scan results files are
overwritten
If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel
cmdlet and the command is cancelled scans that were completed before the cancel command was
entered cannot be cancelled A scan in progress behaves as described above in the single-model scan
cancellation scenario Subsequent scans in the pipeline are cancelled
If a concurrent scan of the same model is attempted the cmdlet returns the following error message
Another scan for this MBCA model is in progress Only one scan is allowed at a time
-------------------------- EXAMPLE 1 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA
Description
The preceding example starts a MBCA scan on the model that is represented by ltModel Idgt
-------------------------- EXAMPLE 2 --------------------------
Page 49
Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name
redmondmicrosoftcom
Description
The preceding example starts an MBCA scan on the model ID that is specified by Model Id
The administrator starts the MBCA scan with additional model-specific parameters that are exposed by
the model (For an example of how to obtain model-specific parameters see the examples for the Get-
MBCAModel cmdlet)
For example to scan a model that requires model-specific parameters (such as -Scope and -Name) to
be passed to the command the administrator can specify the values of these model-specific
parameters with the Invoke-MBCAModel cmdlet
-------------------------- EXAMPLE 3 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The
cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion
of the scan
-------------------------- EXAMPLE 4 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath
ltRepository Pathgt
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The -
Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on
existing documents that are specified in the non-default repository path provided with the -Repository
Path parameter
-------------------------- EXAMPLE 5 --------------------------
Invoke-MBCAModel -Id ltModel Idgt -SubModelId ltSubModel Idgt -ComputerName
ltServergt -Context ltContext Model Idgt -RepositoryPath ltRespository Pathgt -
AsJob -Authentication ltAuthenticatonMechanismgt -Port ltPort Numbergt -UseSSL -
ThrottleLimit ltThrottle Limitgt
Description
The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id
and on the computer that is represented by Server
Because the administrator only wants to see results from the submodel that apply in the context of a
third model the administrator runs the scan within the context of the model ID that is specified in the -
Context parameter The cmdlet results are saved to the non-default repository path that is specified in
the -RepositoryPath parameter
Because the -AsJob parameter is added the scan runs in the background The -AsJob -
Authentication -Port -UseSSL and -ThrottleLimit parameters are passed through for use by the
Invoke-Command cmdlet to perform discovery on a remote computer For more information about
these parameters see the Help for the Invoke-Command cmdlet available in Windows PowerShell V2
913 Get-MBCAResult
SYNOPSIS
Page 50
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
SYNTAX
Get-MBCAResult [-ModelId] ltstringgt [[-CollectedConfiguration]] -SubModelId
ltstringgt [-ComputerName ltstring[]gt] [-Context ltstringgt] [-Filter
ltFilterEnumgt] [-RepositoryPath ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
To use the command add the -ModelId parameter and then specify the model ID for which you want
to view the most recent MBCA scan results or collected configuration data If you want to retrieve the
configuration data collected add the -CollectedConfiguration switch parameter
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-CollectedConfiguration [ltSwitchParametergt]
The -CollectedConfiguration parameter allows you to obtain the configuration data that was
collected for the most recent MBCA scan If this switch parameter is added to Get-MBCAResults
the cmdlet returns only the configuration data that was collected for a scan
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The -ComputerName parameter lets you obtain scan results that were collected for the most
recent MBCA scan of a submodel on a specific computer To specify the local computer type the
computer name or localhost Multiple values for -ComputerName can be separated by
commas
The -SubModelId parameter is required by the -ComputerName parameter
Valid values for the -ComputerName parameter include localhost a NET BIOS name an IP
address or a fully-qualified domain name (FQDN) of one or more computers in a comma-
separated list
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
Page 51
The -Context parameter lets you obtain scan results that were collected for the most recent
MBCA scan of a submodel in the context of a specific model (one that is different from the parent
model of the submodel) For example an administrator might want to display scan results for the
Backend submodel of the SQL model but only those in the context of a third model a
technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Filter ltFilterEnumgt
The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant
Noncompliant or All results Valid values are Noncompliant Compliant or All The default value
is All
The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan
results You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet obtains
results from the default result repository
Required false
Position named
Page 52
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you
want to view scan results You can obtain valid values for the -SubModelId parameter by running
the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed Not all
models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceResultgt OR
SystemXmlXmlDocument (if -CollectedData specified)
If you do not use the -CollectedConfiguration parameter verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Results
2 Attempting to get MBCA results for Model Id = 0
3 Completed getting MBCA results for Model Id = 0 Number of Results = 1
If you add the -CollectedConfiguration parameter to display configuration data that was used for a
scan verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Configuration Data
2 Attempting to get MBCA collected configuration data for Model Id = 0
3 Completed getting MBCA collected configuration data for Model Id = 0
NOTES
The Get-MBCAResult cmdlet must be run by a member of the Administrators group and it does not
start a new scan
Cancellation behaviour
Single Model - To cancel this cmdlet you must press Ctrl+C before the ResultCollection is displayed
on the console The operation is cancelled and results are not displayed on the console
Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models
the cmdlet generates only those results that were displayed on the console before the cancellation
Any subsequent results in the pipeline are cancelled and not displayed
Page 53
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -Id SQL2008R2BPA
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id
-------------------------- EXAMPLE 2 --------------------------
Get-MBCAModel | Get-MBCAResult
In the preceding example Get-MBCAModel is used to return a list of all MBCA models that are
installed on the computer The results of the Get-MBCAModel cmdlet are piped to the Get-
MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both
supported by MBCA and installed on the computer at which the cmdlet is targeted
-------------------------- EXAMPLE 3 --------------------------
$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$resultDiscoveryDocument
Description
In the preceding example configuration data (in XML form) that was collected during the most recent
Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is
retrieved and stored as a property in the variable $result $resultDiscoveryDocument is of type
SystemXmlXmlDocument
-------------------------- EXAMPLE 4 --------------------------
Get-MBCAResult SQL2008R2BPA -Filter Noncompliant
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id and then applies a filter to show only Noncompliant
results
------------------------- EXAMPLE 5 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId Note that the parent model ID must be specified
to use the -SubModelId parameter
------------------------- EXAMPLE 6 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt -ComputerName ltServergt
-Context ltContext Model Idgt -RepositoryPath ltRepository Pathgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId The parent model ID is provided as required by
the -SubModelID parameter
The -Context parameter indicates that the administrator wants to see only those scan results that are in
the context of the model that is represented by Context Model Id for example only those results from
a SQL Server scan that specifically apply to another technology such as Web Server (IIS)
Page 54
The scan results are further narrowed to only those from a computer that is specified in the -
ComputerName parameter as Server and only those results found in the non-default results
repository that is represented by Repository Path
914 Set-MBCAResult
SYNOPSIS
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
SYNTAX
Set-MBCAResult [[-Exclude] ltBooleangt] [-Results] ltResultgtgt [[-
RepostitoryPath] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
The action specified in the cmdlet (Exclude for example) determines how the existing results of an
MBCA scan are updated Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet
to return a collection of scan results
You can apply filters to results that are returned by the Get-MBCAResult cmdlet and then pipe the
filtered collection of results to the Set-MBCAResult cmdlet specifying either to include or exclude
filtered scan results
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Exclude ltBooleangt
Excludes scan results from the results collection that were previously obtained by the Get-
MBCAResult command To exclude results by using the -Exclude parameter add the value $true
following the parameter as shown
-Exclude $true
To include results that have been excluded use the $false value for the -Exclude parameter
Required false
Position 2
Default value
Accept pipeline input false
Accept wildcard characters false
-RepostitoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet
modifies results from the default result repository
Required false
Page 55
Position 4
Default value
Accept pipeline input false
Accept wildcard characters false
-Results ltResultgtgt
Specifies the result collection to be updated by the Set-MBCAResult cmdlet The -Results
parameter is typically used to specify a filtered subset of scan results that has already been
stored in a variable the variable name is provided as the valid value for the -Results parameter
For example if you have created a variable $allPerformance to store all the Performance
category results for an MBCA scan of all models on a computer and you want to exclude those
Performance results from the complete collection of scan results you add the parameter -Results
$all Performance to a Set-MBCAResult cmdlet
For a more detailed example see the Examples section of the Help for this cmdlet
Required true
Position 3
Default value
Accept pipeline input true (ByValue)
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type ldquoget-
help about_commonparameters
NOTES
If the Set-MBCAResult command is cancelled before the results are written to a file the operation is
cancelled and the results file is not modified If cancellation occurs after the results file has been
modified the commands actions are carried out and the command cannot be cancelled
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -ModelId SQL2008R2BPA | Where $_Category -eq
Performance | Set-MBCAResult -Exclude $true
Description
The first section of the preceding example to the left of the first pipe character (|) uses the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is
represented by Model Id
The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those
scan results for which the category name is equal to Performance
The final section of the example following the second pipe character excludes the Performance
results that were filtered by the previous section of the example
-------------------------- EXAMPLE 2 --------------------------
$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath
CReposPath | Where $_Category -eq Policy
Page 56
Set-MBCAResult -Exclude $true -RepositoryPath CReposPath -Results
$rcPolicy
Description
The first line of the preceding example to the left of the pipe character (|) instructs the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is
represented by Specified Model Id from the specified non-default repository path
The second section of the example after the pipe character filters the results of the Get-MBCAResult
cmdlet to return only those scan results for which the category name is equal to (note the -eq option)
Policy The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet this
variable can be used in subsequent commands to represent those results
The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that
are stored in the $rcPolicy variable In this example the -Results parameter is added because the
administrator wants to exclude a specific subset of scan results for that model and has created the
variable $rcPolicy to represent that subset of results The repository root is specified in the second line
because the administrator wants to modify the results in the same non-default repository from which
the data in $rcPolicy was retrieved
915 MBCA Model Authoring
Further information about configuration and usage of MBCA models you can in the
MBCA_ModelAuthoringGuidedocx
Page 57
Did this paper help you Please give us your feedback Tell us on a scale of 1 (poor) to 5 (excellent)
how would you rate this paper and why have you given it this rating For example
Are you rating it high due to having good examples excellent screen shots clear writing or
another reason
Are you rating it low due to poor examples fuzzy screen shots or unclear writing
This feedback will help us improve the quality of white papers we release
Send feedback
Page 36
SQL Server Admin role membership check (httpsupportmicrosoftcomkb2184138)
Windows API calls intercepted (httpsupportmicrosoftcomkb2033238)
unsupported DotNET framework assemblies present (httpsupportmicrosoftcomkb2033344)
Disk partition starting offset may be incorrect (httpsupportmicrosoftcomkb2023571)
non-default max worker threads value configured (httpsupportmicrosoftcomkb2157129)
Guest Permissions (httpsupportmicrosoftcomkb2186935)
Data and Log files on the same volume (httpsupportmicrosoftcomkb2033523)
IO timeouts and IO controller errors detected (httpsupportmicrosoftcomkb2091098)
IO device errors detected (httpsupportmicrosoftcomkb2091098)
IO errors during page faults detected (httpsupportmicrosoftcomkb2091098)
cluster disk corruption encountered (httpsupportmicrosoftcomkb2091098)
disk defragmentation encountered corruption (httpsupportmicrosoftcomkb2091098)
failed IO requests detected (httpsupportmicrosoftcomkb2091098)
IO requests are successful when retried (httpsupportmicrosoftcomkb2015757)
IO Delay Problems reported by SQL Server (httpsupportmicrosoftcomkb2137408)
This system experienced unexpected shutdowns (httpsupportmicrosoftcomkb2091098)
tempdb corruption errors fix missing (httpsupportmicrosoftcomkb960770)
Critical SQL database inconsistency errors found (httpsupportmicrosoftcomkb2152734)
Logical consistency errors detected (httpsupportmicrosoftcomkb2152472)
Database have auto shrink option enabled (httpsupportmicrosoftcomkb2160663)
SQL Server Error logs are very big (httpsupportmicrosoftcomkb2199578)
incorrect affinity mask settings detected httpsupportmicrosoftcomkb2157114
Very low blocked process threshold setting detected httpsupportmicrosoftcomkb2157154
Potential security issue with legacy DTS stored procedures
httpsupportmicrosoftcomkb2202875
Winsock LSP loaded into SQL httpsupportmicrosoftcomkb2033448
Databases using simple recovery model httpsupportmicrosoftcomkb2137539
User database collation different from model httpsupportmicrosoftcomkb2026108
Database files and backups exist on the same volume httpsupportmicrosoftcomkb2027537
Databases have auto close option enabled httpsupportmicrosoftcomkb2160685
LSI SAS drivers needs update httpsupportmicrosoftcomkb2121098
SQL tempdb database not configured optimally httpsupportmicrosoftcomkb2154845
SQL Database file has sparse attribute set httpsupportmicrosoftcomkb2028447
Invalid startup parameters httpsupportmicrosoftcomkb2028433
MSDTC settings not configured optimally httpsupportmicrosoftcomkb2027550
sql incorrect results fix missing httpsupportmicrosoftcomkb971780
File System needs tuning for better FileStream performance
httpsupportmicrosoftcomkb2160002
linked server memory leak fix missing httpsupportmicrosoftcomkb971622EN-US
Windows service pack is not at recommended level httpsupportmicrosoftcomkb2121098
default extended event health session not in expected state
httpsupportmicrosoftcomkb2160570
TcpSysAndChimneyCheck httpsupportmicrosoftcomKB918483
FDHOST Launcher service is not configured properly httpsupportmicrosoftcomkb2160720
Unrecommended SQL Server Agent service account httpsupportmicrosoftcomkb2160720
A required Windows fix to avoid sparse file related problems is missing
httpsupportmicrosoftcomkb2002606
Page 37
Significant Portion of SQL Server Memory Has Been Paged Out
httpsupportmicrosoftcomkb2028324
Server Exception or Hang Detected on Server httpsupportmicrosoftcomkb2028589
Databases exist without CHECKSUM protection httpsupportmicrosoftcomkb2078345
backups outdated for databases httpsupportmicrosoftcomkb2027537
Database consistency check not current httpsupportmicrosoftcomkb2033590
SQL Server Memory settings are incorrect httpsupportmicrosoftcomKB918483EN-US
Autogrow Failed or took a long time httpsupportmicrosoftcomkb2091024
Storport driver fix from KBA 940467 missing httpsupportmicrosoftcomkb2121098
Storport driver fix from KBA 950903 missing httpsupportmicrosoftcomkb2121098
SQLCLR needs additional memory configuration httpsupportmicrosoftcomkb969962EN-US
Operating System files and drivers needs update for working set trimming
httpsupportmicrosoftcomkb2121098
Agent Token Replacement httpsupportmicrosoftcomkb2202637
Auditing Log in failures httpsupportmicrosoftcomkb2187161
Databases with high number of VLF present httpsupportmicrosoftcomkb2028436
Transparent Data Encryption Certificate httpsupportmicrosoftcomkb2201900
Permission on the Binn folder httpsupportmicrosoftcomkb2029023
Index Statistics Are Outdated
Server public permissions httpsupportmicrosoftcomkb2160698
Detected use of older versions of SQLNCLI httpsupportmicrosoftcomkb979779
62 AS Rules
Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions
Flight Recorder Enabled for SQL Server Analysis Services
httpsupportmicrosoftcomkb2128005
Excessive amount of memory preallocated to Analysis Services
httpsupportmicrosoftcomkb2027474
Server not configured for optimal concurrent query throughput
httpsupportmicrosoftcomkb2135031
Non standard value detected for Analysis Services memory configuration
httpsupportmicrosoftcomkb2027472
Process Thread Pool Max limit above recommended limit
httpsupportmicrosoftcomkb2134497
Process Thread Pool Minimum is below the recommended limit
httpsupportmicrosoftcomkb2134855
Server is running a build with a known regression httpsupportmicrosoftcomkb2157941
Slice not set on a ROLAP partition or a partition where proactive caching is enabled and
ROLAP storage ay occur httpsupportmicrosoftcomkb2027754
Server is ignoring duplicate key errors httpsupportmicrosoftcomkb2027761
No default member defined for non-aggregatable attribute
httpsupportmicrosoftcomkb2027769
UnknownMember set to hidden httpsupportmicrosoftcomkb2027628
Non-numeric key column for high cardinality attribute httpsupportmicrosoftcomkb2028138
Attribute hiearchy enabled for high cardinality non-key attribute
httpsupportmicrosoftcomkb2028143
ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition
detected httpsupportmicrosoftcomkb2132742
Page 38
Account or Time attribute types defined in a non-matching dimension type
httpsupportmicrosoftcomkb2157299
An Account or Time dimension has no matching attribute defined
httpsupportmicrosoftcomkb2027418
Dimension has no attribute defined with the same type
httpsupportmicrosoftcomkb2027443
Attribute Dimension type mismatch httpsupportmicrosoftcomkb2157327
Mismatched dimension attribute types detected in dimension
httpsupportmicrosoftcomkb2027459
Possible incorrect order of levels defined in hierarchy httpsupportmicrosoftcomkb2027460
Define attribute relationships as Rigid where possible httpsupportmicrosoftcomkb2027468
Redundant attribute relationships detected httpsupportmicrosoftcomkb2127437
Diamond-shape relationship detected httpsupportmicrosoftcomkb2127570
Non-Standard Attribute Relationship name detected httpsupportmicrosoftcomkb2127862
Proactive Caching set for dimension without a processing query
httpsupportmicrosoftcomkb2027541
No Time dimension detected httpsupportmicrosoftcomkb2027532
More than 3 parent-child dimensions with custom rollups defined
httpsupportmicrosoftcomkb2134431
Encountered a parent-child dimension with more than 500000 members
httpsupportmicrosoftcomkb2131918
Single attribute dimensions detected httpsupportmicrosoftcomkb2141654
Measure groups with zero dimensional overlap detected in cube
httpsupportmicrosoftcomkb2027609
Proactive Caching set for a partition without a processing query
Default measure for perspective not in the perspective
httpsupportmicrosoftcomkb2027603
Use MOLAP storage for dimensions that participate in semi-additive measure groups
httpsupportmicrosoftcomkb2135112
Measure group defined with no partition httpsupportmicrosoftcomkb2027545
63 RS Rules
RSWindowsNegotiate is missing from your configuration
httpsupportmicrosoftcomkb2145506
HTTP Logging is not enabled httpsupportmicrosoftcomkb2145909
Verbose logging is enabled httpsupportmicrosoftcomkb2146315
NTLM authentication may fail for local httpsupportmicrosoftcomkb2146369
Missing extended protection settings httpsupportmicrosoftcomkb2146062
64 IS Rules
Logging task missing for package httpsupportmicrosoftcomkb2027723
ActiveX Script task detected in package httpsupportmicrosoftcomkb2027712
Unrecommended Integration Services service account detected
httpsupportmicrosoftcomkb2027684
Integration Services logging table found in system database master and or msdb
httpsupportmicrosoftcomkb2027706
Integration Services memory dump detected httpsupportmicrosoftcomkb2027727
Page 39
65 Setup Rules
Unsupported Operating System Version Detected httpsupportmicrosoftcomkb2022909
WOW64 not supported for SQL Failover Clustering httpsupportmicrosoftcomkb2157198
Installer cache is missing for the SQL Installation httpsupportmicrosoftcomkb2015100
SQL Server WMI Provider Health Check
66 Replication Rules
Replication Timeout Alerts Type httpsupportmicrosoftcomkb2118349
Replication Pub and Sub out of sync (Data Validation) httpsupportmicrosoftcomkb2118386
Replication Pub and Sub out of sync (Constraint Violations)
httpsupportmicrosoftcomkb2118410
Replication Pub and Sub out of sync (Skipped Transactions)
httpsupportmicrosoftcomkb2194498
Merge Replication Health Check httpsupportmicrosoftcomkb2118445
Subscriptions Approaching Expiration httpgomicrosoftcomfwlinkLinkId=184483
Replication Cleanup and Retention Health Check httpsupportmicrosoftcomkb2118485
Replication Latency Threshold violations httpsupportmicrosoftcomkb2118425
Page 40
7 HOW TO DEAL WITH DEVIATIONS
Deviations from these Best Practices may indicate potential issues and configuration changes may be
necessary Make sure you have tested any intended changes in a test environment before deploying
them to a production environment You could also find deviations from Best Practices that are
acceptable or even necessary for your environment For example
SAP has its special Network Packet Size of 8 KB
Existing Non-Microsoft Clients ndash would require Mixed Mode Authentication
Page 41
8 MOTIVATION TO USE SQL BPA R2
Bob Ward explained in his Article ldquoWhy use SQL Server 2008 R2 BPA Case 1 Missing Updatesrdquo
the common pitfalls during maintenance and operation of SQL Server and how address them by using
the SQL BPA
In brief itrsquos a customer scenario where the customer is facing an issue after a major update to
SQL2008 After some troubleshooting and an update to a certain CU (that is meant to fix the issue) the
problem still occurs Bobs article states the common resulting consequences ndash the involvement of
Microsoft Support and the final solution ndash adding a needed traceflag
The good news in this story is that the customer would not have needed to go to all that effort if they
would have run the SQL BPA It would have told them about the update and instructed them to put the
traceflag in place BPA is a mechanism that proactively advises you and instructs you on dealing with
common known issues
Page 42
9 ADDITIONAL INFORMATION
91 PowerShell
To use the functionality of the Baseline Configuration Analyzer with PowerShell you must import this
module first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
The following commands are stored in this module
Get-MbcaModel
Get-MbcaResult
Invoke-MbcaModel
Set-MbcaResult
You get help of this command with the following syntax
Get-help ltcommandgt -full
911 Get-MBCAModel
SYNOPSIS
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer
SYNTAX
Get-MBCAModel [[-ModelId] ltstring[]gt] [[-SubModelId] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer If no parameter is
specified Get-MBCAModel returns all models that are installed on the computer If a model is specified
by using the -ModelId parameter information about the specified model is returned
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
The results of the Get-MBCAModel cmdlet include the following details about models
1 Branding information (manufacturer or company display names version number) that is found in
the model manifest
2 Dynamic parameters that are included with the model
3 Submodels that are included with the model
PARAMETERS
-ModelId ltstring[]gt
The -ModelId parameter specifies the ID of the MBCA model about which you want to view
details You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet with no parameters and targeted at a computer on which MBCA models are installed
Page 43
This parameter supports wild card characters
Required false
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you
want to view details You can obtain valid values for the -SubModelId parameter by running the
Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models
are installed Not all models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
Examples
Get-MBCAModel
In the preceding example Get-MBCAModel with no parameters added returns details about all MBCA
models that are installed on the computer
Get-MBCAModel -ModelId SQL2008R2BPA
The preceding example can be used to return details about the MBCA model that is specified in the -
ModelId parameter represented by Model Id
$model= Get-MBCAModel -ModelId SQL2008R2BPA
$modelParameters
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the Parameters property of the model details that were stored in the
$model object returns details about which parameters are supported by the model
Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId ltSubModel Idgt
The preceding example can be used to return details about the MBCA sub-model that is specified by
the -SubModelId parameter represented by SubModel Id Note that the -ModelId parameter is
required by the -SubModelId parameter
$model= Get-MBCAModel -ModelId SQL2008R2BPA
Page 44
$modelSubModels
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the SubModels property of the model details that were stored in the
$model object returns a list of the submodels of the model specified in the first line
912 Invoke-MBCAModel
SYNOPSIS
The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA)
scan for a specific model that is installed on your computer
SYNTAX
Invoke-MBCAModel [-ModelId] ltstringgt -SubModelId ltstringgt [-Authentication
ltAuthenticationMechanismgt] [-CertificateThumbprint ltstringgt] [-ComputerName
ltstring[]gt] [-ConfigurationName ltstringgt] [-Context ltstringgt] [-Credential
ltstringgt] [-Mode ltModeEnumgt] [-Port ltintgt] [-RepositoryPath ltstringgt] [-
ThrottleLimit ltintgt] [-UseSSL] [ltCommonParametersgt]
DESCRIPTION
The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer
(MBCA) scan for a specific model that is installed on your computer The model is specified either by
using the parameter -ModelId or by piping the results of the Get-MBCAModel cmdlet into an Invoke-
MBCAMode cmdlet
After the MBCA scan has been performed the results of the scan are available to be retrieved by Get-
MBCAResult cmdlet
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Authentication ltAuthenticationMechanismgt
Specifies the authentication mechanism that is used to authenticate the users credentials Valid
values include Default Basic CredSSP Digest Kerberos Negotiate and
NegotiateWithImplicitCredential The default value is Default
For more information about the -Authentication parameter type the following and then press
Enter
Get-Help Invoke-Command -Parameter Authentication
Required false
Position named
Default value Default
Accept pipeline input false
Accept wildcard characters false
-CertificateThumbprint ltstringgt
Page 45
Specifies the digital public key certificate (X509) of a user account that has rights to perform the
cmdlet action The valid value is the certificate thumbprint of the certificate
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Certificate Thumbprint
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific
computer by adding this parameter Valid values include NETBOS names IP addresses or fully-
qualified domain names of one or more computers in a comma-separated list To specify the local
computer type the computer name or localhost
All formats that are accepted by the -ComputerName parameter in Invoke-Command are
accepted
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ConfigurationName ltstringgt
Specifies the session configuration that is used for a new PSSession
Enter a configuration name or the fully-qualified resource URI for a session configuration
Session configuration data is found on the remote computer on which you want to run a cmdlet
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ConfigurationName
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
The -Context parameter lets you run scans on a submodel in the context of a specific model (one
that is different from the parent model of the submodel) For example an administrator might
want to run a scan on the Backend submodel of the SQL model but only those in the context
of a third model a technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
Page 46
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Credential ltstringgt
Specifies a user account that has permission to run this cmdlet The default value is the current
user
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Credential
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Mode ltModeEnumgt
The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered
documents or discovery The default is to perform both discovery and analysis or All
If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet both discovery and
analysis are performed during a scan
Valid values are Discovery Analysis and All
Required false
Position named
Default value All
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model that you want to scan You can
obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at
a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
Page 47
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-Port ltintgt
Specifies the network port on a remote computer on which you want to run a scan The default
value is port 80
For more information on this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Port
Required false
Position named
Default value 80
Accept pipeline input false
Accept wildcard characters false
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a pathname If the parameter is not used the cmdlet writes
results to the default result repository
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to
scan You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed Not all models have
submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ThrottleLimit ltintgt
Specifies the maximum number of concurrent connections that can be established to run the
cmdlet If you omit this parameter or enter a value of 0 the default value of 32 is used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ThrottleLimit
Required false
Page 48
Position named
Default value 32
Accept pipeline input false
Accept wildcard characters false
-UseSSL [ltSwitchParametergt]
Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer
By default SSL is not used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter UseSSL
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceInvokeBpaModelOutputgt
The output object encapsulates the results of the cmdlet that you entered It contains information such
as the MBCA model ID the success or failure of the cmdlet and other details
NOTES
If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C)
before the temporary results file is copied to its final location the temporary file is discarded and any
previous scan results file for the role are preserved The message Processing of Invoke-MBCAModel
cancelled by user is displayed if the command is cancelled before existing scan results files are
overwritten
If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel
cmdlet and the command is cancelled scans that were completed before the cancel command was
entered cannot be cancelled A scan in progress behaves as described above in the single-model scan
cancellation scenario Subsequent scans in the pipeline are cancelled
If a concurrent scan of the same model is attempted the cmdlet returns the following error message
Another scan for this MBCA model is in progress Only one scan is allowed at a time
-------------------------- EXAMPLE 1 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA
Description
The preceding example starts a MBCA scan on the model that is represented by ltModel Idgt
-------------------------- EXAMPLE 2 --------------------------
Page 49
Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name
redmondmicrosoftcom
Description
The preceding example starts an MBCA scan on the model ID that is specified by Model Id
The administrator starts the MBCA scan with additional model-specific parameters that are exposed by
the model (For an example of how to obtain model-specific parameters see the examples for the Get-
MBCAModel cmdlet)
For example to scan a model that requires model-specific parameters (such as -Scope and -Name) to
be passed to the command the administrator can specify the values of these model-specific
parameters with the Invoke-MBCAModel cmdlet
-------------------------- EXAMPLE 3 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The
cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion
of the scan
-------------------------- EXAMPLE 4 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath
ltRepository Pathgt
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The -
Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on
existing documents that are specified in the non-default repository path provided with the -Repository
Path parameter
-------------------------- EXAMPLE 5 --------------------------
Invoke-MBCAModel -Id ltModel Idgt -SubModelId ltSubModel Idgt -ComputerName
ltServergt -Context ltContext Model Idgt -RepositoryPath ltRespository Pathgt -
AsJob -Authentication ltAuthenticatonMechanismgt -Port ltPort Numbergt -UseSSL -
ThrottleLimit ltThrottle Limitgt
Description
The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id
and on the computer that is represented by Server
Because the administrator only wants to see results from the submodel that apply in the context of a
third model the administrator runs the scan within the context of the model ID that is specified in the -
Context parameter The cmdlet results are saved to the non-default repository path that is specified in
the -RepositoryPath parameter
Because the -AsJob parameter is added the scan runs in the background The -AsJob -
Authentication -Port -UseSSL and -ThrottleLimit parameters are passed through for use by the
Invoke-Command cmdlet to perform discovery on a remote computer For more information about
these parameters see the Help for the Invoke-Command cmdlet available in Windows PowerShell V2
913 Get-MBCAResult
SYNOPSIS
Page 50
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
SYNTAX
Get-MBCAResult [-ModelId] ltstringgt [[-CollectedConfiguration]] -SubModelId
ltstringgt [-ComputerName ltstring[]gt] [-Context ltstringgt] [-Filter
ltFilterEnumgt] [-RepositoryPath ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
To use the command add the -ModelId parameter and then specify the model ID for which you want
to view the most recent MBCA scan results or collected configuration data If you want to retrieve the
configuration data collected add the -CollectedConfiguration switch parameter
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-CollectedConfiguration [ltSwitchParametergt]
The -CollectedConfiguration parameter allows you to obtain the configuration data that was
collected for the most recent MBCA scan If this switch parameter is added to Get-MBCAResults
the cmdlet returns only the configuration data that was collected for a scan
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The -ComputerName parameter lets you obtain scan results that were collected for the most
recent MBCA scan of a submodel on a specific computer To specify the local computer type the
computer name or localhost Multiple values for -ComputerName can be separated by
commas
The -SubModelId parameter is required by the -ComputerName parameter
Valid values for the -ComputerName parameter include localhost a NET BIOS name an IP
address or a fully-qualified domain name (FQDN) of one or more computers in a comma-
separated list
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
Page 51
The -Context parameter lets you obtain scan results that were collected for the most recent
MBCA scan of a submodel in the context of a specific model (one that is different from the parent
model of the submodel) For example an administrator might want to display scan results for the
Backend submodel of the SQL model but only those in the context of a third model a
technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Filter ltFilterEnumgt
The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant
Noncompliant or All results Valid values are Noncompliant Compliant or All The default value
is All
The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan
results You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet obtains
results from the default result repository
Required false
Position named
Page 52
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you
want to view scan results You can obtain valid values for the -SubModelId parameter by running
the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed Not all
models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceResultgt OR
SystemXmlXmlDocument (if -CollectedData specified)
If you do not use the -CollectedConfiguration parameter verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Results
2 Attempting to get MBCA results for Model Id = 0
3 Completed getting MBCA results for Model Id = 0 Number of Results = 1
If you add the -CollectedConfiguration parameter to display configuration data that was used for a
scan verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Configuration Data
2 Attempting to get MBCA collected configuration data for Model Id = 0
3 Completed getting MBCA collected configuration data for Model Id = 0
NOTES
The Get-MBCAResult cmdlet must be run by a member of the Administrators group and it does not
start a new scan
Cancellation behaviour
Single Model - To cancel this cmdlet you must press Ctrl+C before the ResultCollection is displayed
on the console The operation is cancelled and results are not displayed on the console
Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models
the cmdlet generates only those results that were displayed on the console before the cancellation
Any subsequent results in the pipeline are cancelled and not displayed
Page 53
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -Id SQL2008R2BPA
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id
-------------------------- EXAMPLE 2 --------------------------
Get-MBCAModel | Get-MBCAResult
In the preceding example Get-MBCAModel is used to return a list of all MBCA models that are
installed on the computer The results of the Get-MBCAModel cmdlet are piped to the Get-
MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both
supported by MBCA and installed on the computer at which the cmdlet is targeted
-------------------------- EXAMPLE 3 --------------------------
$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$resultDiscoveryDocument
Description
In the preceding example configuration data (in XML form) that was collected during the most recent
Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is
retrieved and stored as a property in the variable $result $resultDiscoveryDocument is of type
SystemXmlXmlDocument
-------------------------- EXAMPLE 4 --------------------------
Get-MBCAResult SQL2008R2BPA -Filter Noncompliant
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id and then applies a filter to show only Noncompliant
results
------------------------- EXAMPLE 5 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId Note that the parent model ID must be specified
to use the -SubModelId parameter
------------------------- EXAMPLE 6 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt -ComputerName ltServergt
-Context ltContext Model Idgt -RepositoryPath ltRepository Pathgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId The parent model ID is provided as required by
the -SubModelID parameter
The -Context parameter indicates that the administrator wants to see only those scan results that are in
the context of the model that is represented by Context Model Id for example only those results from
a SQL Server scan that specifically apply to another technology such as Web Server (IIS)
Page 54
The scan results are further narrowed to only those from a computer that is specified in the -
ComputerName parameter as Server and only those results found in the non-default results
repository that is represented by Repository Path
914 Set-MBCAResult
SYNOPSIS
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
SYNTAX
Set-MBCAResult [[-Exclude] ltBooleangt] [-Results] ltResultgtgt [[-
RepostitoryPath] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
The action specified in the cmdlet (Exclude for example) determines how the existing results of an
MBCA scan are updated Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet
to return a collection of scan results
You can apply filters to results that are returned by the Get-MBCAResult cmdlet and then pipe the
filtered collection of results to the Set-MBCAResult cmdlet specifying either to include or exclude
filtered scan results
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Exclude ltBooleangt
Excludes scan results from the results collection that were previously obtained by the Get-
MBCAResult command To exclude results by using the -Exclude parameter add the value $true
following the parameter as shown
-Exclude $true
To include results that have been excluded use the $false value for the -Exclude parameter
Required false
Position 2
Default value
Accept pipeline input false
Accept wildcard characters false
-RepostitoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet
modifies results from the default result repository
Required false
Page 55
Position 4
Default value
Accept pipeline input false
Accept wildcard characters false
-Results ltResultgtgt
Specifies the result collection to be updated by the Set-MBCAResult cmdlet The -Results
parameter is typically used to specify a filtered subset of scan results that has already been
stored in a variable the variable name is provided as the valid value for the -Results parameter
For example if you have created a variable $allPerformance to store all the Performance
category results for an MBCA scan of all models on a computer and you want to exclude those
Performance results from the complete collection of scan results you add the parameter -Results
$all Performance to a Set-MBCAResult cmdlet
For a more detailed example see the Examples section of the Help for this cmdlet
Required true
Position 3
Default value
Accept pipeline input true (ByValue)
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type ldquoget-
help about_commonparameters
NOTES
If the Set-MBCAResult command is cancelled before the results are written to a file the operation is
cancelled and the results file is not modified If cancellation occurs after the results file has been
modified the commands actions are carried out and the command cannot be cancelled
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -ModelId SQL2008R2BPA | Where $_Category -eq
Performance | Set-MBCAResult -Exclude $true
Description
The first section of the preceding example to the left of the first pipe character (|) uses the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is
represented by Model Id
The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those
scan results for which the category name is equal to Performance
The final section of the example following the second pipe character excludes the Performance
results that were filtered by the previous section of the example
-------------------------- EXAMPLE 2 --------------------------
$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath
CReposPath | Where $_Category -eq Policy
Page 56
Set-MBCAResult -Exclude $true -RepositoryPath CReposPath -Results
$rcPolicy
Description
The first line of the preceding example to the left of the pipe character (|) instructs the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is
represented by Specified Model Id from the specified non-default repository path
The second section of the example after the pipe character filters the results of the Get-MBCAResult
cmdlet to return only those scan results for which the category name is equal to (note the -eq option)
Policy The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet this
variable can be used in subsequent commands to represent those results
The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that
are stored in the $rcPolicy variable In this example the -Results parameter is added because the
administrator wants to exclude a specific subset of scan results for that model and has created the
variable $rcPolicy to represent that subset of results The repository root is specified in the second line
because the administrator wants to modify the results in the same non-default repository from which
the data in $rcPolicy was retrieved
915 MBCA Model Authoring
Further information about configuration and usage of MBCA models you can in the
MBCA_ModelAuthoringGuidedocx
Page 57
Did this paper help you Please give us your feedback Tell us on a scale of 1 (poor) to 5 (excellent)
how would you rate this paper and why have you given it this rating For example
Are you rating it high due to having good examples excellent screen shots clear writing or
another reason
Are you rating it low due to poor examples fuzzy screen shots or unclear writing
This feedback will help us improve the quality of white papers we release
Send feedback
Page 37
Significant Portion of SQL Server Memory Has Been Paged Out
httpsupportmicrosoftcomkb2028324
Server Exception or Hang Detected on Server httpsupportmicrosoftcomkb2028589
Databases exist without CHECKSUM protection httpsupportmicrosoftcomkb2078345
backups outdated for databases httpsupportmicrosoftcomkb2027537
Database consistency check not current httpsupportmicrosoftcomkb2033590
SQL Server Memory settings are incorrect httpsupportmicrosoftcomKB918483EN-US
Autogrow Failed or took a long time httpsupportmicrosoftcomkb2091024
Storport driver fix from KBA 940467 missing httpsupportmicrosoftcomkb2121098
Storport driver fix from KBA 950903 missing httpsupportmicrosoftcomkb2121098
SQLCLR needs additional memory configuration httpsupportmicrosoftcomkb969962EN-US
Operating System files and drivers needs update for working set trimming
httpsupportmicrosoftcomkb2121098
Agent Token Replacement httpsupportmicrosoftcomkb2202637
Auditing Log in failures httpsupportmicrosoftcomkb2187161
Databases with high number of VLF present httpsupportmicrosoftcomkb2028436
Transparent Data Encryption Certificate httpsupportmicrosoftcomkb2201900
Permission on the Binn folder httpsupportmicrosoftcomkb2029023
Index Statistics Are Outdated
Server public permissions httpsupportmicrosoftcomkb2160698
Detected use of older versions of SQLNCLI httpsupportmicrosoftcomkb979779
62 AS Rules
Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions
Flight Recorder Enabled for SQL Server Analysis Services
httpsupportmicrosoftcomkb2128005
Excessive amount of memory preallocated to Analysis Services
httpsupportmicrosoftcomkb2027474
Server not configured for optimal concurrent query throughput
httpsupportmicrosoftcomkb2135031
Non standard value detected for Analysis Services memory configuration
httpsupportmicrosoftcomkb2027472
Process Thread Pool Max limit above recommended limit
httpsupportmicrosoftcomkb2134497
Process Thread Pool Minimum is below the recommended limit
httpsupportmicrosoftcomkb2134855
Server is running a build with a known regression httpsupportmicrosoftcomkb2157941
Slice not set on a ROLAP partition or a partition where proactive caching is enabled and
ROLAP storage ay occur httpsupportmicrosoftcomkb2027754
Server is ignoring duplicate key errors httpsupportmicrosoftcomkb2027761
No default member defined for non-aggregatable attribute
httpsupportmicrosoftcomkb2027769
UnknownMember set to hidden httpsupportmicrosoftcomkb2027628
Non-numeric key column for high cardinality attribute httpsupportmicrosoftcomkb2028138
Attribute hiearchy enabled for high cardinality non-key attribute
httpsupportmicrosoftcomkb2028143
ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition
detected httpsupportmicrosoftcomkb2132742
Page 38
Account or Time attribute types defined in a non-matching dimension type
httpsupportmicrosoftcomkb2157299
An Account or Time dimension has no matching attribute defined
httpsupportmicrosoftcomkb2027418
Dimension has no attribute defined with the same type
httpsupportmicrosoftcomkb2027443
Attribute Dimension type mismatch httpsupportmicrosoftcomkb2157327
Mismatched dimension attribute types detected in dimension
httpsupportmicrosoftcomkb2027459
Possible incorrect order of levels defined in hierarchy httpsupportmicrosoftcomkb2027460
Define attribute relationships as Rigid where possible httpsupportmicrosoftcomkb2027468
Redundant attribute relationships detected httpsupportmicrosoftcomkb2127437
Diamond-shape relationship detected httpsupportmicrosoftcomkb2127570
Non-Standard Attribute Relationship name detected httpsupportmicrosoftcomkb2127862
Proactive Caching set for dimension without a processing query
httpsupportmicrosoftcomkb2027541
No Time dimension detected httpsupportmicrosoftcomkb2027532
More than 3 parent-child dimensions with custom rollups defined
httpsupportmicrosoftcomkb2134431
Encountered a parent-child dimension with more than 500000 members
httpsupportmicrosoftcomkb2131918
Single attribute dimensions detected httpsupportmicrosoftcomkb2141654
Measure groups with zero dimensional overlap detected in cube
httpsupportmicrosoftcomkb2027609
Proactive Caching set for a partition without a processing query
Default measure for perspective not in the perspective
httpsupportmicrosoftcomkb2027603
Use MOLAP storage for dimensions that participate in semi-additive measure groups
httpsupportmicrosoftcomkb2135112
Measure group defined with no partition httpsupportmicrosoftcomkb2027545
63 RS Rules
RSWindowsNegotiate is missing from your configuration
httpsupportmicrosoftcomkb2145506
HTTP Logging is not enabled httpsupportmicrosoftcomkb2145909
Verbose logging is enabled httpsupportmicrosoftcomkb2146315
NTLM authentication may fail for local httpsupportmicrosoftcomkb2146369
Missing extended protection settings httpsupportmicrosoftcomkb2146062
64 IS Rules
Logging task missing for package httpsupportmicrosoftcomkb2027723
ActiveX Script task detected in package httpsupportmicrosoftcomkb2027712
Unrecommended Integration Services service account detected
httpsupportmicrosoftcomkb2027684
Integration Services logging table found in system database master and or msdb
httpsupportmicrosoftcomkb2027706
Integration Services memory dump detected httpsupportmicrosoftcomkb2027727
Page 39
65 Setup Rules
Unsupported Operating System Version Detected httpsupportmicrosoftcomkb2022909
WOW64 not supported for SQL Failover Clustering httpsupportmicrosoftcomkb2157198
Installer cache is missing for the SQL Installation httpsupportmicrosoftcomkb2015100
SQL Server WMI Provider Health Check
66 Replication Rules
Replication Timeout Alerts Type httpsupportmicrosoftcomkb2118349
Replication Pub and Sub out of sync (Data Validation) httpsupportmicrosoftcomkb2118386
Replication Pub and Sub out of sync (Constraint Violations)
httpsupportmicrosoftcomkb2118410
Replication Pub and Sub out of sync (Skipped Transactions)
httpsupportmicrosoftcomkb2194498
Merge Replication Health Check httpsupportmicrosoftcomkb2118445
Subscriptions Approaching Expiration httpgomicrosoftcomfwlinkLinkId=184483
Replication Cleanup and Retention Health Check httpsupportmicrosoftcomkb2118485
Replication Latency Threshold violations httpsupportmicrosoftcomkb2118425
Page 40
7 HOW TO DEAL WITH DEVIATIONS
Deviations from these Best Practices may indicate potential issues and configuration changes may be
necessary Make sure you have tested any intended changes in a test environment before deploying
them to a production environment You could also find deviations from Best Practices that are
acceptable or even necessary for your environment For example
SAP has its special Network Packet Size of 8 KB
Existing Non-Microsoft Clients ndash would require Mixed Mode Authentication
Page 41
8 MOTIVATION TO USE SQL BPA R2
Bob Ward explained in his Article ldquoWhy use SQL Server 2008 R2 BPA Case 1 Missing Updatesrdquo
the common pitfalls during maintenance and operation of SQL Server and how address them by using
the SQL BPA
In brief itrsquos a customer scenario where the customer is facing an issue after a major update to
SQL2008 After some troubleshooting and an update to a certain CU (that is meant to fix the issue) the
problem still occurs Bobs article states the common resulting consequences ndash the involvement of
Microsoft Support and the final solution ndash adding a needed traceflag
The good news in this story is that the customer would not have needed to go to all that effort if they
would have run the SQL BPA It would have told them about the update and instructed them to put the
traceflag in place BPA is a mechanism that proactively advises you and instructs you on dealing with
common known issues
Page 42
9 ADDITIONAL INFORMATION
91 PowerShell
To use the functionality of the Baseline Configuration Analyzer with PowerShell you must import this
module first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
The following commands are stored in this module
Get-MbcaModel
Get-MbcaResult
Invoke-MbcaModel
Set-MbcaResult
You get help of this command with the following syntax
Get-help ltcommandgt -full
911 Get-MBCAModel
SYNOPSIS
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer
SYNTAX
Get-MBCAModel [[-ModelId] ltstring[]gt] [[-SubModelId] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer If no parameter is
specified Get-MBCAModel returns all models that are installed on the computer If a model is specified
by using the -ModelId parameter information about the specified model is returned
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
The results of the Get-MBCAModel cmdlet include the following details about models
1 Branding information (manufacturer or company display names version number) that is found in
the model manifest
2 Dynamic parameters that are included with the model
3 Submodels that are included with the model
PARAMETERS
-ModelId ltstring[]gt
The -ModelId parameter specifies the ID of the MBCA model about which you want to view
details You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet with no parameters and targeted at a computer on which MBCA models are installed
Page 43
This parameter supports wild card characters
Required false
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you
want to view details You can obtain valid values for the -SubModelId parameter by running the
Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models
are installed Not all models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
Examples
Get-MBCAModel
In the preceding example Get-MBCAModel with no parameters added returns details about all MBCA
models that are installed on the computer
Get-MBCAModel -ModelId SQL2008R2BPA
The preceding example can be used to return details about the MBCA model that is specified in the -
ModelId parameter represented by Model Id
$model= Get-MBCAModel -ModelId SQL2008R2BPA
$modelParameters
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the Parameters property of the model details that were stored in the
$model object returns details about which parameters are supported by the model
Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId ltSubModel Idgt
The preceding example can be used to return details about the MBCA sub-model that is specified by
the -SubModelId parameter represented by SubModel Id Note that the -ModelId parameter is
required by the -SubModelId parameter
$model= Get-MBCAModel -ModelId SQL2008R2BPA
Page 44
$modelSubModels
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the SubModels property of the model details that were stored in the
$model object returns a list of the submodels of the model specified in the first line
912 Invoke-MBCAModel
SYNOPSIS
The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA)
scan for a specific model that is installed on your computer
SYNTAX
Invoke-MBCAModel [-ModelId] ltstringgt -SubModelId ltstringgt [-Authentication
ltAuthenticationMechanismgt] [-CertificateThumbprint ltstringgt] [-ComputerName
ltstring[]gt] [-ConfigurationName ltstringgt] [-Context ltstringgt] [-Credential
ltstringgt] [-Mode ltModeEnumgt] [-Port ltintgt] [-RepositoryPath ltstringgt] [-
ThrottleLimit ltintgt] [-UseSSL] [ltCommonParametersgt]
DESCRIPTION
The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer
(MBCA) scan for a specific model that is installed on your computer The model is specified either by
using the parameter -ModelId or by piping the results of the Get-MBCAModel cmdlet into an Invoke-
MBCAMode cmdlet
After the MBCA scan has been performed the results of the scan are available to be retrieved by Get-
MBCAResult cmdlet
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Authentication ltAuthenticationMechanismgt
Specifies the authentication mechanism that is used to authenticate the users credentials Valid
values include Default Basic CredSSP Digest Kerberos Negotiate and
NegotiateWithImplicitCredential The default value is Default
For more information about the -Authentication parameter type the following and then press
Enter
Get-Help Invoke-Command -Parameter Authentication
Required false
Position named
Default value Default
Accept pipeline input false
Accept wildcard characters false
-CertificateThumbprint ltstringgt
Page 45
Specifies the digital public key certificate (X509) of a user account that has rights to perform the
cmdlet action The valid value is the certificate thumbprint of the certificate
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Certificate Thumbprint
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific
computer by adding this parameter Valid values include NETBOS names IP addresses or fully-
qualified domain names of one or more computers in a comma-separated list To specify the local
computer type the computer name or localhost
All formats that are accepted by the -ComputerName parameter in Invoke-Command are
accepted
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ConfigurationName ltstringgt
Specifies the session configuration that is used for a new PSSession
Enter a configuration name or the fully-qualified resource URI for a session configuration
Session configuration data is found on the remote computer on which you want to run a cmdlet
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ConfigurationName
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
The -Context parameter lets you run scans on a submodel in the context of a specific model (one
that is different from the parent model of the submodel) For example an administrator might
want to run a scan on the Backend submodel of the SQL model but only those in the context
of a third model a technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
Page 46
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Credential ltstringgt
Specifies a user account that has permission to run this cmdlet The default value is the current
user
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Credential
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Mode ltModeEnumgt
The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered
documents or discovery The default is to perform both discovery and analysis or All
If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet both discovery and
analysis are performed during a scan
Valid values are Discovery Analysis and All
Required false
Position named
Default value All
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model that you want to scan You can
obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at
a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
Page 47
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-Port ltintgt
Specifies the network port on a remote computer on which you want to run a scan The default
value is port 80
For more information on this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Port
Required false
Position named
Default value 80
Accept pipeline input false
Accept wildcard characters false
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a pathname If the parameter is not used the cmdlet writes
results to the default result repository
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to
scan You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed Not all models have
submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ThrottleLimit ltintgt
Specifies the maximum number of concurrent connections that can be established to run the
cmdlet If you omit this parameter or enter a value of 0 the default value of 32 is used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ThrottleLimit
Required false
Page 48
Position named
Default value 32
Accept pipeline input false
Accept wildcard characters false
-UseSSL [ltSwitchParametergt]
Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer
By default SSL is not used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter UseSSL
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceInvokeBpaModelOutputgt
The output object encapsulates the results of the cmdlet that you entered It contains information such
as the MBCA model ID the success or failure of the cmdlet and other details
NOTES
If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C)
before the temporary results file is copied to its final location the temporary file is discarded and any
previous scan results file for the role are preserved The message Processing of Invoke-MBCAModel
cancelled by user is displayed if the command is cancelled before existing scan results files are
overwritten
If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel
cmdlet and the command is cancelled scans that were completed before the cancel command was
entered cannot be cancelled A scan in progress behaves as described above in the single-model scan
cancellation scenario Subsequent scans in the pipeline are cancelled
If a concurrent scan of the same model is attempted the cmdlet returns the following error message
Another scan for this MBCA model is in progress Only one scan is allowed at a time
-------------------------- EXAMPLE 1 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA
Description
The preceding example starts a MBCA scan on the model that is represented by ltModel Idgt
-------------------------- EXAMPLE 2 --------------------------
Page 49
Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name
redmondmicrosoftcom
Description
The preceding example starts an MBCA scan on the model ID that is specified by Model Id
The administrator starts the MBCA scan with additional model-specific parameters that are exposed by
the model (For an example of how to obtain model-specific parameters see the examples for the Get-
MBCAModel cmdlet)
For example to scan a model that requires model-specific parameters (such as -Scope and -Name) to
be passed to the command the administrator can specify the values of these model-specific
parameters with the Invoke-MBCAModel cmdlet
-------------------------- EXAMPLE 3 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The
cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion
of the scan
-------------------------- EXAMPLE 4 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath
ltRepository Pathgt
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The -
Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on
existing documents that are specified in the non-default repository path provided with the -Repository
Path parameter
-------------------------- EXAMPLE 5 --------------------------
Invoke-MBCAModel -Id ltModel Idgt -SubModelId ltSubModel Idgt -ComputerName
ltServergt -Context ltContext Model Idgt -RepositoryPath ltRespository Pathgt -
AsJob -Authentication ltAuthenticatonMechanismgt -Port ltPort Numbergt -UseSSL -
ThrottleLimit ltThrottle Limitgt
Description
The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id
and on the computer that is represented by Server
Because the administrator only wants to see results from the submodel that apply in the context of a
third model the administrator runs the scan within the context of the model ID that is specified in the -
Context parameter The cmdlet results are saved to the non-default repository path that is specified in
the -RepositoryPath parameter
Because the -AsJob parameter is added the scan runs in the background The -AsJob -
Authentication -Port -UseSSL and -ThrottleLimit parameters are passed through for use by the
Invoke-Command cmdlet to perform discovery on a remote computer For more information about
these parameters see the Help for the Invoke-Command cmdlet available in Windows PowerShell V2
913 Get-MBCAResult
SYNOPSIS
Page 50
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
SYNTAX
Get-MBCAResult [-ModelId] ltstringgt [[-CollectedConfiguration]] -SubModelId
ltstringgt [-ComputerName ltstring[]gt] [-Context ltstringgt] [-Filter
ltFilterEnumgt] [-RepositoryPath ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
To use the command add the -ModelId parameter and then specify the model ID for which you want
to view the most recent MBCA scan results or collected configuration data If you want to retrieve the
configuration data collected add the -CollectedConfiguration switch parameter
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-CollectedConfiguration [ltSwitchParametergt]
The -CollectedConfiguration parameter allows you to obtain the configuration data that was
collected for the most recent MBCA scan If this switch parameter is added to Get-MBCAResults
the cmdlet returns only the configuration data that was collected for a scan
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The -ComputerName parameter lets you obtain scan results that were collected for the most
recent MBCA scan of a submodel on a specific computer To specify the local computer type the
computer name or localhost Multiple values for -ComputerName can be separated by
commas
The -SubModelId parameter is required by the -ComputerName parameter
Valid values for the -ComputerName parameter include localhost a NET BIOS name an IP
address or a fully-qualified domain name (FQDN) of one or more computers in a comma-
separated list
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
Page 51
The -Context parameter lets you obtain scan results that were collected for the most recent
MBCA scan of a submodel in the context of a specific model (one that is different from the parent
model of the submodel) For example an administrator might want to display scan results for the
Backend submodel of the SQL model but only those in the context of a third model a
technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Filter ltFilterEnumgt
The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant
Noncompliant or All results Valid values are Noncompliant Compliant or All The default value
is All
The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan
results You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet obtains
results from the default result repository
Required false
Position named
Page 52
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you
want to view scan results You can obtain valid values for the -SubModelId parameter by running
the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed Not all
models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceResultgt OR
SystemXmlXmlDocument (if -CollectedData specified)
If you do not use the -CollectedConfiguration parameter verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Results
2 Attempting to get MBCA results for Model Id = 0
3 Completed getting MBCA results for Model Id = 0 Number of Results = 1
If you add the -CollectedConfiguration parameter to display configuration data that was used for a
scan verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Configuration Data
2 Attempting to get MBCA collected configuration data for Model Id = 0
3 Completed getting MBCA collected configuration data for Model Id = 0
NOTES
The Get-MBCAResult cmdlet must be run by a member of the Administrators group and it does not
start a new scan
Cancellation behaviour
Single Model - To cancel this cmdlet you must press Ctrl+C before the ResultCollection is displayed
on the console The operation is cancelled and results are not displayed on the console
Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models
the cmdlet generates only those results that were displayed on the console before the cancellation
Any subsequent results in the pipeline are cancelled and not displayed
Page 53
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -Id SQL2008R2BPA
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id
-------------------------- EXAMPLE 2 --------------------------
Get-MBCAModel | Get-MBCAResult
In the preceding example Get-MBCAModel is used to return a list of all MBCA models that are
installed on the computer The results of the Get-MBCAModel cmdlet are piped to the Get-
MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both
supported by MBCA and installed on the computer at which the cmdlet is targeted
-------------------------- EXAMPLE 3 --------------------------
$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$resultDiscoveryDocument
Description
In the preceding example configuration data (in XML form) that was collected during the most recent
Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is
retrieved and stored as a property in the variable $result $resultDiscoveryDocument is of type
SystemXmlXmlDocument
-------------------------- EXAMPLE 4 --------------------------
Get-MBCAResult SQL2008R2BPA -Filter Noncompliant
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id and then applies a filter to show only Noncompliant
results
------------------------- EXAMPLE 5 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId Note that the parent model ID must be specified
to use the -SubModelId parameter
------------------------- EXAMPLE 6 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt -ComputerName ltServergt
-Context ltContext Model Idgt -RepositoryPath ltRepository Pathgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId The parent model ID is provided as required by
the -SubModelID parameter
The -Context parameter indicates that the administrator wants to see only those scan results that are in
the context of the model that is represented by Context Model Id for example only those results from
a SQL Server scan that specifically apply to another technology such as Web Server (IIS)
Page 54
The scan results are further narrowed to only those from a computer that is specified in the -
ComputerName parameter as Server and only those results found in the non-default results
repository that is represented by Repository Path
914 Set-MBCAResult
SYNOPSIS
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
SYNTAX
Set-MBCAResult [[-Exclude] ltBooleangt] [-Results] ltResultgtgt [[-
RepostitoryPath] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
The action specified in the cmdlet (Exclude for example) determines how the existing results of an
MBCA scan are updated Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet
to return a collection of scan results
You can apply filters to results that are returned by the Get-MBCAResult cmdlet and then pipe the
filtered collection of results to the Set-MBCAResult cmdlet specifying either to include or exclude
filtered scan results
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Exclude ltBooleangt
Excludes scan results from the results collection that were previously obtained by the Get-
MBCAResult command To exclude results by using the -Exclude parameter add the value $true
following the parameter as shown
-Exclude $true
To include results that have been excluded use the $false value for the -Exclude parameter
Required false
Position 2
Default value
Accept pipeline input false
Accept wildcard characters false
-RepostitoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet
modifies results from the default result repository
Required false
Page 55
Position 4
Default value
Accept pipeline input false
Accept wildcard characters false
-Results ltResultgtgt
Specifies the result collection to be updated by the Set-MBCAResult cmdlet The -Results
parameter is typically used to specify a filtered subset of scan results that has already been
stored in a variable the variable name is provided as the valid value for the -Results parameter
For example if you have created a variable $allPerformance to store all the Performance
category results for an MBCA scan of all models on a computer and you want to exclude those
Performance results from the complete collection of scan results you add the parameter -Results
$all Performance to a Set-MBCAResult cmdlet
For a more detailed example see the Examples section of the Help for this cmdlet
Required true
Position 3
Default value
Accept pipeline input true (ByValue)
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type ldquoget-
help about_commonparameters
NOTES
If the Set-MBCAResult command is cancelled before the results are written to a file the operation is
cancelled and the results file is not modified If cancellation occurs after the results file has been
modified the commands actions are carried out and the command cannot be cancelled
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -ModelId SQL2008R2BPA | Where $_Category -eq
Performance | Set-MBCAResult -Exclude $true
Description
The first section of the preceding example to the left of the first pipe character (|) uses the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is
represented by Model Id
The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those
scan results for which the category name is equal to Performance
The final section of the example following the second pipe character excludes the Performance
results that were filtered by the previous section of the example
-------------------------- EXAMPLE 2 --------------------------
$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath
CReposPath | Where $_Category -eq Policy
Page 56
Set-MBCAResult -Exclude $true -RepositoryPath CReposPath -Results
$rcPolicy
Description
The first line of the preceding example to the left of the pipe character (|) instructs the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is
represented by Specified Model Id from the specified non-default repository path
The second section of the example after the pipe character filters the results of the Get-MBCAResult
cmdlet to return only those scan results for which the category name is equal to (note the -eq option)
Policy The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet this
variable can be used in subsequent commands to represent those results
The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that
are stored in the $rcPolicy variable In this example the -Results parameter is added because the
administrator wants to exclude a specific subset of scan results for that model and has created the
variable $rcPolicy to represent that subset of results The repository root is specified in the second line
because the administrator wants to modify the results in the same non-default repository from which
the data in $rcPolicy was retrieved
915 MBCA Model Authoring
Further information about configuration and usage of MBCA models you can in the
MBCA_ModelAuthoringGuidedocx
Page 57
Did this paper help you Please give us your feedback Tell us on a scale of 1 (poor) to 5 (excellent)
how would you rate this paper and why have you given it this rating For example
Are you rating it high due to having good examples excellent screen shots clear writing or
another reason
Are you rating it low due to poor examples fuzzy screen shots or unclear writing
This feedback will help us improve the quality of white papers we release
Send feedback
Page 38
Account or Time attribute types defined in a non-matching dimension type
httpsupportmicrosoftcomkb2157299
An Account or Time dimension has no matching attribute defined
httpsupportmicrosoftcomkb2027418
Dimension has no attribute defined with the same type
httpsupportmicrosoftcomkb2027443
Attribute Dimension type mismatch httpsupportmicrosoftcomkb2157327
Mismatched dimension attribute types detected in dimension
httpsupportmicrosoftcomkb2027459
Possible incorrect order of levels defined in hierarchy httpsupportmicrosoftcomkb2027460
Define attribute relationships as Rigid where possible httpsupportmicrosoftcomkb2027468
Redundant attribute relationships detected httpsupportmicrosoftcomkb2127437
Diamond-shape relationship detected httpsupportmicrosoftcomkb2127570
Non-Standard Attribute Relationship name detected httpsupportmicrosoftcomkb2127862
Proactive Caching set for dimension without a processing query
httpsupportmicrosoftcomkb2027541
No Time dimension detected httpsupportmicrosoftcomkb2027532
More than 3 parent-child dimensions with custom rollups defined
httpsupportmicrosoftcomkb2134431
Encountered a parent-child dimension with more than 500000 members
httpsupportmicrosoftcomkb2131918
Single attribute dimensions detected httpsupportmicrosoftcomkb2141654
Measure groups with zero dimensional overlap detected in cube
httpsupportmicrosoftcomkb2027609
Proactive Caching set for a partition without a processing query
Default measure for perspective not in the perspective
httpsupportmicrosoftcomkb2027603
Use MOLAP storage for dimensions that participate in semi-additive measure groups
httpsupportmicrosoftcomkb2135112
Measure group defined with no partition httpsupportmicrosoftcomkb2027545
63 RS Rules
RSWindowsNegotiate is missing from your configuration
httpsupportmicrosoftcomkb2145506
HTTP Logging is not enabled httpsupportmicrosoftcomkb2145909
Verbose logging is enabled httpsupportmicrosoftcomkb2146315
NTLM authentication may fail for local httpsupportmicrosoftcomkb2146369
Missing extended protection settings httpsupportmicrosoftcomkb2146062
64 IS Rules
Logging task missing for package httpsupportmicrosoftcomkb2027723
ActiveX Script task detected in package httpsupportmicrosoftcomkb2027712
Unrecommended Integration Services service account detected
httpsupportmicrosoftcomkb2027684
Integration Services logging table found in system database master and or msdb
httpsupportmicrosoftcomkb2027706
Integration Services memory dump detected httpsupportmicrosoftcomkb2027727
Page 39
65 Setup Rules
Unsupported Operating System Version Detected httpsupportmicrosoftcomkb2022909
WOW64 not supported for SQL Failover Clustering httpsupportmicrosoftcomkb2157198
Installer cache is missing for the SQL Installation httpsupportmicrosoftcomkb2015100
SQL Server WMI Provider Health Check
66 Replication Rules
Replication Timeout Alerts Type httpsupportmicrosoftcomkb2118349
Replication Pub and Sub out of sync (Data Validation) httpsupportmicrosoftcomkb2118386
Replication Pub and Sub out of sync (Constraint Violations)
httpsupportmicrosoftcomkb2118410
Replication Pub and Sub out of sync (Skipped Transactions)
httpsupportmicrosoftcomkb2194498
Merge Replication Health Check httpsupportmicrosoftcomkb2118445
Subscriptions Approaching Expiration httpgomicrosoftcomfwlinkLinkId=184483
Replication Cleanup and Retention Health Check httpsupportmicrosoftcomkb2118485
Replication Latency Threshold violations httpsupportmicrosoftcomkb2118425
Page 40
7 HOW TO DEAL WITH DEVIATIONS
Deviations from these Best Practices may indicate potential issues and configuration changes may be
necessary Make sure you have tested any intended changes in a test environment before deploying
them to a production environment You could also find deviations from Best Practices that are
acceptable or even necessary for your environment For example
SAP has its special Network Packet Size of 8 KB
Existing Non-Microsoft Clients ndash would require Mixed Mode Authentication
Page 41
8 MOTIVATION TO USE SQL BPA R2
Bob Ward explained in his Article ldquoWhy use SQL Server 2008 R2 BPA Case 1 Missing Updatesrdquo
the common pitfalls during maintenance and operation of SQL Server and how address them by using
the SQL BPA
In brief itrsquos a customer scenario where the customer is facing an issue after a major update to
SQL2008 After some troubleshooting and an update to a certain CU (that is meant to fix the issue) the
problem still occurs Bobs article states the common resulting consequences ndash the involvement of
Microsoft Support and the final solution ndash adding a needed traceflag
The good news in this story is that the customer would not have needed to go to all that effort if they
would have run the SQL BPA It would have told them about the update and instructed them to put the
traceflag in place BPA is a mechanism that proactively advises you and instructs you on dealing with
common known issues
Page 42
9 ADDITIONAL INFORMATION
91 PowerShell
To use the functionality of the Baseline Configuration Analyzer with PowerShell you must import this
module first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
The following commands are stored in this module
Get-MbcaModel
Get-MbcaResult
Invoke-MbcaModel
Set-MbcaResult
You get help of this command with the following syntax
Get-help ltcommandgt -full
911 Get-MBCAModel
SYNOPSIS
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer
SYNTAX
Get-MBCAModel [[-ModelId] ltstring[]gt] [[-SubModelId] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer If no parameter is
specified Get-MBCAModel returns all models that are installed on the computer If a model is specified
by using the -ModelId parameter information about the specified model is returned
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
The results of the Get-MBCAModel cmdlet include the following details about models
1 Branding information (manufacturer or company display names version number) that is found in
the model manifest
2 Dynamic parameters that are included with the model
3 Submodels that are included with the model
PARAMETERS
-ModelId ltstring[]gt
The -ModelId parameter specifies the ID of the MBCA model about which you want to view
details You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet with no parameters and targeted at a computer on which MBCA models are installed
Page 43
This parameter supports wild card characters
Required false
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you
want to view details You can obtain valid values for the -SubModelId parameter by running the
Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models
are installed Not all models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
Examples
Get-MBCAModel
In the preceding example Get-MBCAModel with no parameters added returns details about all MBCA
models that are installed on the computer
Get-MBCAModel -ModelId SQL2008R2BPA
The preceding example can be used to return details about the MBCA model that is specified in the -
ModelId parameter represented by Model Id
$model= Get-MBCAModel -ModelId SQL2008R2BPA
$modelParameters
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the Parameters property of the model details that were stored in the
$model object returns details about which parameters are supported by the model
Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId ltSubModel Idgt
The preceding example can be used to return details about the MBCA sub-model that is specified by
the -SubModelId parameter represented by SubModel Id Note that the -ModelId parameter is
required by the -SubModelId parameter
$model= Get-MBCAModel -ModelId SQL2008R2BPA
Page 44
$modelSubModels
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the SubModels property of the model details that were stored in the
$model object returns a list of the submodels of the model specified in the first line
912 Invoke-MBCAModel
SYNOPSIS
The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA)
scan for a specific model that is installed on your computer
SYNTAX
Invoke-MBCAModel [-ModelId] ltstringgt -SubModelId ltstringgt [-Authentication
ltAuthenticationMechanismgt] [-CertificateThumbprint ltstringgt] [-ComputerName
ltstring[]gt] [-ConfigurationName ltstringgt] [-Context ltstringgt] [-Credential
ltstringgt] [-Mode ltModeEnumgt] [-Port ltintgt] [-RepositoryPath ltstringgt] [-
ThrottleLimit ltintgt] [-UseSSL] [ltCommonParametersgt]
DESCRIPTION
The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer
(MBCA) scan for a specific model that is installed on your computer The model is specified either by
using the parameter -ModelId or by piping the results of the Get-MBCAModel cmdlet into an Invoke-
MBCAMode cmdlet
After the MBCA scan has been performed the results of the scan are available to be retrieved by Get-
MBCAResult cmdlet
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Authentication ltAuthenticationMechanismgt
Specifies the authentication mechanism that is used to authenticate the users credentials Valid
values include Default Basic CredSSP Digest Kerberos Negotiate and
NegotiateWithImplicitCredential The default value is Default
For more information about the -Authentication parameter type the following and then press
Enter
Get-Help Invoke-Command -Parameter Authentication
Required false
Position named
Default value Default
Accept pipeline input false
Accept wildcard characters false
-CertificateThumbprint ltstringgt
Page 45
Specifies the digital public key certificate (X509) of a user account that has rights to perform the
cmdlet action The valid value is the certificate thumbprint of the certificate
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Certificate Thumbprint
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific
computer by adding this parameter Valid values include NETBOS names IP addresses or fully-
qualified domain names of one or more computers in a comma-separated list To specify the local
computer type the computer name or localhost
All formats that are accepted by the -ComputerName parameter in Invoke-Command are
accepted
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ConfigurationName ltstringgt
Specifies the session configuration that is used for a new PSSession
Enter a configuration name or the fully-qualified resource URI for a session configuration
Session configuration data is found on the remote computer on which you want to run a cmdlet
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ConfigurationName
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
The -Context parameter lets you run scans on a submodel in the context of a specific model (one
that is different from the parent model of the submodel) For example an administrator might
want to run a scan on the Backend submodel of the SQL model but only those in the context
of a third model a technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
Page 46
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Credential ltstringgt
Specifies a user account that has permission to run this cmdlet The default value is the current
user
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Credential
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Mode ltModeEnumgt
The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered
documents or discovery The default is to perform both discovery and analysis or All
If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet both discovery and
analysis are performed during a scan
Valid values are Discovery Analysis and All
Required false
Position named
Default value All
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model that you want to scan You can
obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at
a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
Page 47
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-Port ltintgt
Specifies the network port on a remote computer on which you want to run a scan The default
value is port 80
For more information on this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Port
Required false
Position named
Default value 80
Accept pipeline input false
Accept wildcard characters false
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a pathname If the parameter is not used the cmdlet writes
results to the default result repository
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to
scan You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed Not all models have
submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ThrottleLimit ltintgt
Specifies the maximum number of concurrent connections that can be established to run the
cmdlet If you omit this parameter or enter a value of 0 the default value of 32 is used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ThrottleLimit
Required false
Page 48
Position named
Default value 32
Accept pipeline input false
Accept wildcard characters false
-UseSSL [ltSwitchParametergt]
Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer
By default SSL is not used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter UseSSL
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceInvokeBpaModelOutputgt
The output object encapsulates the results of the cmdlet that you entered It contains information such
as the MBCA model ID the success or failure of the cmdlet and other details
NOTES
If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C)
before the temporary results file is copied to its final location the temporary file is discarded and any
previous scan results file for the role are preserved The message Processing of Invoke-MBCAModel
cancelled by user is displayed if the command is cancelled before existing scan results files are
overwritten
If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel
cmdlet and the command is cancelled scans that were completed before the cancel command was
entered cannot be cancelled A scan in progress behaves as described above in the single-model scan
cancellation scenario Subsequent scans in the pipeline are cancelled
If a concurrent scan of the same model is attempted the cmdlet returns the following error message
Another scan for this MBCA model is in progress Only one scan is allowed at a time
-------------------------- EXAMPLE 1 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA
Description
The preceding example starts a MBCA scan on the model that is represented by ltModel Idgt
-------------------------- EXAMPLE 2 --------------------------
Page 49
Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name
redmondmicrosoftcom
Description
The preceding example starts an MBCA scan on the model ID that is specified by Model Id
The administrator starts the MBCA scan with additional model-specific parameters that are exposed by
the model (For an example of how to obtain model-specific parameters see the examples for the Get-
MBCAModel cmdlet)
For example to scan a model that requires model-specific parameters (such as -Scope and -Name) to
be passed to the command the administrator can specify the values of these model-specific
parameters with the Invoke-MBCAModel cmdlet
-------------------------- EXAMPLE 3 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The
cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion
of the scan
-------------------------- EXAMPLE 4 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath
ltRepository Pathgt
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The -
Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on
existing documents that are specified in the non-default repository path provided with the -Repository
Path parameter
-------------------------- EXAMPLE 5 --------------------------
Invoke-MBCAModel -Id ltModel Idgt -SubModelId ltSubModel Idgt -ComputerName
ltServergt -Context ltContext Model Idgt -RepositoryPath ltRespository Pathgt -
AsJob -Authentication ltAuthenticatonMechanismgt -Port ltPort Numbergt -UseSSL -
ThrottleLimit ltThrottle Limitgt
Description
The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id
and on the computer that is represented by Server
Because the administrator only wants to see results from the submodel that apply in the context of a
third model the administrator runs the scan within the context of the model ID that is specified in the -
Context parameter The cmdlet results are saved to the non-default repository path that is specified in
the -RepositoryPath parameter
Because the -AsJob parameter is added the scan runs in the background The -AsJob -
Authentication -Port -UseSSL and -ThrottleLimit parameters are passed through for use by the
Invoke-Command cmdlet to perform discovery on a remote computer For more information about
these parameters see the Help for the Invoke-Command cmdlet available in Windows PowerShell V2
913 Get-MBCAResult
SYNOPSIS
Page 50
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
SYNTAX
Get-MBCAResult [-ModelId] ltstringgt [[-CollectedConfiguration]] -SubModelId
ltstringgt [-ComputerName ltstring[]gt] [-Context ltstringgt] [-Filter
ltFilterEnumgt] [-RepositoryPath ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
To use the command add the -ModelId parameter and then specify the model ID for which you want
to view the most recent MBCA scan results or collected configuration data If you want to retrieve the
configuration data collected add the -CollectedConfiguration switch parameter
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-CollectedConfiguration [ltSwitchParametergt]
The -CollectedConfiguration parameter allows you to obtain the configuration data that was
collected for the most recent MBCA scan If this switch parameter is added to Get-MBCAResults
the cmdlet returns only the configuration data that was collected for a scan
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The -ComputerName parameter lets you obtain scan results that were collected for the most
recent MBCA scan of a submodel on a specific computer To specify the local computer type the
computer name or localhost Multiple values for -ComputerName can be separated by
commas
The -SubModelId parameter is required by the -ComputerName parameter
Valid values for the -ComputerName parameter include localhost a NET BIOS name an IP
address or a fully-qualified domain name (FQDN) of one or more computers in a comma-
separated list
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
Page 51
The -Context parameter lets you obtain scan results that were collected for the most recent
MBCA scan of a submodel in the context of a specific model (one that is different from the parent
model of the submodel) For example an administrator might want to display scan results for the
Backend submodel of the SQL model but only those in the context of a third model a
technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Filter ltFilterEnumgt
The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant
Noncompliant or All results Valid values are Noncompliant Compliant or All The default value
is All
The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan
results You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet obtains
results from the default result repository
Required false
Position named
Page 52
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you
want to view scan results You can obtain valid values for the -SubModelId parameter by running
the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed Not all
models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceResultgt OR
SystemXmlXmlDocument (if -CollectedData specified)
If you do not use the -CollectedConfiguration parameter verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Results
2 Attempting to get MBCA results for Model Id = 0
3 Completed getting MBCA results for Model Id = 0 Number of Results = 1
If you add the -CollectedConfiguration parameter to display configuration data that was used for a
scan verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Configuration Data
2 Attempting to get MBCA collected configuration data for Model Id = 0
3 Completed getting MBCA collected configuration data for Model Id = 0
NOTES
The Get-MBCAResult cmdlet must be run by a member of the Administrators group and it does not
start a new scan
Cancellation behaviour
Single Model - To cancel this cmdlet you must press Ctrl+C before the ResultCollection is displayed
on the console The operation is cancelled and results are not displayed on the console
Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models
the cmdlet generates only those results that were displayed on the console before the cancellation
Any subsequent results in the pipeline are cancelled and not displayed
Page 53
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -Id SQL2008R2BPA
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id
-------------------------- EXAMPLE 2 --------------------------
Get-MBCAModel | Get-MBCAResult
In the preceding example Get-MBCAModel is used to return a list of all MBCA models that are
installed on the computer The results of the Get-MBCAModel cmdlet are piped to the Get-
MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both
supported by MBCA and installed on the computer at which the cmdlet is targeted
-------------------------- EXAMPLE 3 --------------------------
$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$resultDiscoveryDocument
Description
In the preceding example configuration data (in XML form) that was collected during the most recent
Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is
retrieved and stored as a property in the variable $result $resultDiscoveryDocument is of type
SystemXmlXmlDocument
-------------------------- EXAMPLE 4 --------------------------
Get-MBCAResult SQL2008R2BPA -Filter Noncompliant
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id and then applies a filter to show only Noncompliant
results
------------------------- EXAMPLE 5 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId Note that the parent model ID must be specified
to use the -SubModelId parameter
------------------------- EXAMPLE 6 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt -ComputerName ltServergt
-Context ltContext Model Idgt -RepositoryPath ltRepository Pathgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId The parent model ID is provided as required by
the -SubModelID parameter
The -Context parameter indicates that the administrator wants to see only those scan results that are in
the context of the model that is represented by Context Model Id for example only those results from
a SQL Server scan that specifically apply to another technology such as Web Server (IIS)
Page 54
The scan results are further narrowed to only those from a computer that is specified in the -
ComputerName parameter as Server and only those results found in the non-default results
repository that is represented by Repository Path
914 Set-MBCAResult
SYNOPSIS
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
SYNTAX
Set-MBCAResult [[-Exclude] ltBooleangt] [-Results] ltResultgtgt [[-
RepostitoryPath] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
The action specified in the cmdlet (Exclude for example) determines how the existing results of an
MBCA scan are updated Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet
to return a collection of scan results
You can apply filters to results that are returned by the Get-MBCAResult cmdlet and then pipe the
filtered collection of results to the Set-MBCAResult cmdlet specifying either to include or exclude
filtered scan results
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Exclude ltBooleangt
Excludes scan results from the results collection that were previously obtained by the Get-
MBCAResult command To exclude results by using the -Exclude parameter add the value $true
following the parameter as shown
-Exclude $true
To include results that have been excluded use the $false value for the -Exclude parameter
Required false
Position 2
Default value
Accept pipeline input false
Accept wildcard characters false
-RepostitoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet
modifies results from the default result repository
Required false
Page 55
Position 4
Default value
Accept pipeline input false
Accept wildcard characters false
-Results ltResultgtgt
Specifies the result collection to be updated by the Set-MBCAResult cmdlet The -Results
parameter is typically used to specify a filtered subset of scan results that has already been
stored in a variable the variable name is provided as the valid value for the -Results parameter
For example if you have created a variable $allPerformance to store all the Performance
category results for an MBCA scan of all models on a computer and you want to exclude those
Performance results from the complete collection of scan results you add the parameter -Results
$all Performance to a Set-MBCAResult cmdlet
For a more detailed example see the Examples section of the Help for this cmdlet
Required true
Position 3
Default value
Accept pipeline input true (ByValue)
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type ldquoget-
help about_commonparameters
NOTES
If the Set-MBCAResult command is cancelled before the results are written to a file the operation is
cancelled and the results file is not modified If cancellation occurs after the results file has been
modified the commands actions are carried out and the command cannot be cancelled
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -ModelId SQL2008R2BPA | Where $_Category -eq
Performance | Set-MBCAResult -Exclude $true
Description
The first section of the preceding example to the left of the first pipe character (|) uses the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is
represented by Model Id
The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those
scan results for which the category name is equal to Performance
The final section of the example following the second pipe character excludes the Performance
results that were filtered by the previous section of the example
-------------------------- EXAMPLE 2 --------------------------
$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath
CReposPath | Where $_Category -eq Policy
Page 56
Set-MBCAResult -Exclude $true -RepositoryPath CReposPath -Results
$rcPolicy
Description
The first line of the preceding example to the left of the pipe character (|) instructs the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is
represented by Specified Model Id from the specified non-default repository path
The second section of the example after the pipe character filters the results of the Get-MBCAResult
cmdlet to return only those scan results for which the category name is equal to (note the -eq option)
Policy The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet this
variable can be used in subsequent commands to represent those results
The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that
are stored in the $rcPolicy variable In this example the -Results parameter is added because the
administrator wants to exclude a specific subset of scan results for that model and has created the
variable $rcPolicy to represent that subset of results The repository root is specified in the second line
because the administrator wants to modify the results in the same non-default repository from which
the data in $rcPolicy was retrieved
915 MBCA Model Authoring
Further information about configuration and usage of MBCA models you can in the
MBCA_ModelAuthoringGuidedocx
Page 57
Did this paper help you Please give us your feedback Tell us on a scale of 1 (poor) to 5 (excellent)
how would you rate this paper and why have you given it this rating For example
Are you rating it high due to having good examples excellent screen shots clear writing or
another reason
Are you rating it low due to poor examples fuzzy screen shots or unclear writing
This feedback will help us improve the quality of white papers we release
Send feedback
Page 39
65 Setup Rules
Unsupported Operating System Version Detected httpsupportmicrosoftcomkb2022909
WOW64 not supported for SQL Failover Clustering httpsupportmicrosoftcomkb2157198
Installer cache is missing for the SQL Installation httpsupportmicrosoftcomkb2015100
SQL Server WMI Provider Health Check
66 Replication Rules
Replication Timeout Alerts Type httpsupportmicrosoftcomkb2118349
Replication Pub and Sub out of sync (Data Validation) httpsupportmicrosoftcomkb2118386
Replication Pub and Sub out of sync (Constraint Violations)
httpsupportmicrosoftcomkb2118410
Replication Pub and Sub out of sync (Skipped Transactions)
httpsupportmicrosoftcomkb2194498
Merge Replication Health Check httpsupportmicrosoftcomkb2118445
Subscriptions Approaching Expiration httpgomicrosoftcomfwlinkLinkId=184483
Replication Cleanup and Retention Health Check httpsupportmicrosoftcomkb2118485
Replication Latency Threshold violations httpsupportmicrosoftcomkb2118425
Page 40
7 HOW TO DEAL WITH DEVIATIONS
Deviations from these Best Practices may indicate potential issues and configuration changes may be
necessary Make sure you have tested any intended changes in a test environment before deploying
them to a production environment You could also find deviations from Best Practices that are
acceptable or even necessary for your environment For example
SAP has its special Network Packet Size of 8 KB
Existing Non-Microsoft Clients ndash would require Mixed Mode Authentication
Page 41
8 MOTIVATION TO USE SQL BPA R2
Bob Ward explained in his Article ldquoWhy use SQL Server 2008 R2 BPA Case 1 Missing Updatesrdquo
the common pitfalls during maintenance and operation of SQL Server and how address them by using
the SQL BPA
In brief itrsquos a customer scenario where the customer is facing an issue after a major update to
SQL2008 After some troubleshooting and an update to a certain CU (that is meant to fix the issue) the
problem still occurs Bobs article states the common resulting consequences ndash the involvement of
Microsoft Support and the final solution ndash adding a needed traceflag
The good news in this story is that the customer would not have needed to go to all that effort if they
would have run the SQL BPA It would have told them about the update and instructed them to put the
traceflag in place BPA is a mechanism that proactively advises you and instructs you on dealing with
common known issues
Page 42
9 ADDITIONAL INFORMATION
91 PowerShell
To use the functionality of the Baseline Configuration Analyzer with PowerShell you must import this
module first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
The following commands are stored in this module
Get-MbcaModel
Get-MbcaResult
Invoke-MbcaModel
Set-MbcaResult
You get help of this command with the following syntax
Get-help ltcommandgt -full
911 Get-MBCAModel
SYNOPSIS
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer
SYNTAX
Get-MBCAModel [[-ModelId] ltstring[]gt] [[-SubModelId] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer If no parameter is
specified Get-MBCAModel returns all models that are installed on the computer If a model is specified
by using the -ModelId parameter information about the specified model is returned
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
The results of the Get-MBCAModel cmdlet include the following details about models
1 Branding information (manufacturer or company display names version number) that is found in
the model manifest
2 Dynamic parameters that are included with the model
3 Submodels that are included with the model
PARAMETERS
-ModelId ltstring[]gt
The -ModelId parameter specifies the ID of the MBCA model about which you want to view
details You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet with no parameters and targeted at a computer on which MBCA models are installed
Page 43
This parameter supports wild card characters
Required false
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you
want to view details You can obtain valid values for the -SubModelId parameter by running the
Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models
are installed Not all models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
Examples
Get-MBCAModel
In the preceding example Get-MBCAModel with no parameters added returns details about all MBCA
models that are installed on the computer
Get-MBCAModel -ModelId SQL2008R2BPA
The preceding example can be used to return details about the MBCA model that is specified in the -
ModelId parameter represented by Model Id
$model= Get-MBCAModel -ModelId SQL2008R2BPA
$modelParameters
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the Parameters property of the model details that were stored in the
$model object returns details about which parameters are supported by the model
Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId ltSubModel Idgt
The preceding example can be used to return details about the MBCA sub-model that is specified by
the -SubModelId parameter represented by SubModel Id Note that the -ModelId parameter is
required by the -SubModelId parameter
$model= Get-MBCAModel -ModelId SQL2008R2BPA
Page 44
$modelSubModels
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the SubModels property of the model details that were stored in the
$model object returns a list of the submodels of the model specified in the first line
912 Invoke-MBCAModel
SYNOPSIS
The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA)
scan for a specific model that is installed on your computer
SYNTAX
Invoke-MBCAModel [-ModelId] ltstringgt -SubModelId ltstringgt [-Authentication
ltAuthenticationMechanismgt] [-CertificateThumbprint ltstringgt] [-ComputerName
ltstring[]gt] [-ConfigurationName ltstringgt] [-Context ltstringgt] [-Credential
ltstringgt] [-Mode ltModeEnumgt] [-Port ltintgt] [-RepositoryPath ltstringgt] [-
ThrottleLimit ltintgt] [-UseSSL] [ltCommonParametersgt]
DESCRIPTION
The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer
(MBCA) scan for a specific model that is installed on your computer The model is specified either by
using the parameter -ModelId or by piping the results of the Get-MBCAModel cmdlet into an Invoke-
MBCAMode cmdlet
After the MBCA scan has been performed the results of the scan are available to be retrieved by Get-
MBCAResult cmdlet
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Authentication ltAuthenticationMechanismgt
Specifies the authentication mechanism that is used to authenticate the users credentials Valid
values include Default Basic CredSSP Digest Kerberos Negotiate and
NegotiateWithImplicitCredential The default value is Default
For more information about the -Authentication parameter type the following and then press
Enter
Get-Help Invoke-Command -Parameter Authentication
Required false
Position named
Default value Default
Accept pipeline input false
Accept wildcard characters false
-CertificateThumbprint ltstringgt
Page 45
Specifies the digital public key certificate (X509) of a user account that has rights to perform the
cmdlet action The valid value is the certificate thumbprint of the certificate
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Certificate Thumbprint
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific
computer by adding this parameter Valid values include NETBOS names IP addresses or fully-
qualified domain names of one or more computers in a comma-separated list To specify the local
computer type the computer name or localhost
All formats that are accepted by the -ComputerName parameter in Invoke-Command are
accepted
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ConfigurationName ltstringgt
Specifies the session configuration that is used for a new PSSession
Enter a configuration name or the fully-qualified resource URI for a session configuration
Session configuration data is found on the remote computer on which you want to run a cmdlet
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ConfigurationName
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
The -Context parameter lets you run scans on a submodel in the context of a specific model (one
that is different from the parent model of the submodel) For example an administrator might
want to run a scan on the Backend submodel of the SQL model but only those in the context
of a third model a technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
Page 46
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Credential ltstringgt
Specifies a user account that has permission to run this cmdlet The default value is the current
user
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Credential
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Mode ltModeEnumgt
The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered
documents or discovery The default is to perform both discovery and analysis or All
If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet both discovery and
analysis are performed during a scan
Valid values are Discovery Analysis and All
Required false
Position named
Default value All
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model that you want to scan You can
obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at
a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
Page 47
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-Port ltintgt
Specifies the network port on a remote computer on which you want to run a scan The default
value is port 80
For more information on this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Port
Required false
Position named
Default value 80
Accept pipeline input false
Accept wildcard characters false
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a pathname If the parameter is not used the cmdlet writes
results to the default result repository
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to
scan You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed Not all models have
submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ThrottleLimit ltintgt
Specifies the maximum number of concurrent connections that can be established to run the
cmdlet If you omit this parameter or enter a value of 0 the default value of 32 is used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ThrottleLimit
Required false
Page 48
Position named
Default value 32
Accept pipeline input false
Accept wildcard characters false
-UseSSL [ltSwitchParametergt]
Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer
By default SSL is not used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter UseSSL
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceInvokeBpaModelOutputgt
The output object encapsulates the results of the cmdlet that you entered It contains information such
as the MBCA model ID the success or failure of the cmdlet and other details
NOTES
If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C)
before the temporary results file is copied to its final location the temporary file is discarded and any
previous scan results file for the role are preserved The message Processing of Invoke-MBCAModel
cancelled by user is displayed if the command is cancelled before existing scan results files are
overwritten
If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel
cmdlet and the command is cancelled scans that were completed before the cancel command was
entered cannot be cancelled A scan in progress behaves as described above in the single-model scan
cancellation scenario Subsequent scans in the pipeline are cancelled
If a concurrent scan of the same model is attempted the cmdlet returns the following error message
Another scan for this MBCA model is in progress Only one scan is allowed at a time
-------------------------- EXAMPLE 1 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA
Description
The preceding example starts a MBCA scan on the model that is represented by ltModel Idgt
-------------------------- EXAMPLE 2 --------------------------
Page 49
Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name
redmondmicrosoftcom
Description
The preceding example starts an MBCA scan on the model ID that is specified by Model Id
The administrator starts the MBCA scan with additional model-specific parameters that are exposed by
the model (For an example of how to obtain model-specific parameters see the examples for the Get-
MBCAModel cmdlet)
For example to scan a model that requires model-specific parameters (such as -Scope and -Name) to
be passed to the command the administrator can specify the values of these model-specific
parameters with the Invoke-MBCAModel cmdlet
-------------------------- EXAMPLE 3 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The
cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion
of the scan
-------------------------- EXAMPLE 4 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath
ltRepository Pathgt
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The -
Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on
existing documents that are specified in the non-default repository path provided with the -Repository
Path parameter
-------------------------- EXAMPLE 5 --------------------------
Invoke-MBCAModel -Id ltModel Idgt -SubModelId ltSubModel Idgt -ComputerName
ltServergt -Context ltContext Model Idgt -RepositoryPath ltRespository Pathgt -
AsJob -Authentication ltAuthenticatonMechanismgt -Port ltPort Numbergt -UseSSL -
ThrottleLimit ltThrottle Limitgt
Description
The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id
and on the computer that is represented by Server
Because the administrator only wants to see results from the submodel that apply in the context of a
third model the administrator runs the scan within the context of the model ID that is specified in the -
Context parameter The cmdlet results are saved to the non-default repository path that is specified in
the -RepositoryPath parameter
Because the -AsJob parameter is added the scan runs in the background The -AsJob -
Authentication -Port -UseSSL and -ThrottleLimit parameters are passed through for use by the
Invoke-Command cmdlet to perform discovery on a remote computer For more information about
these parameters see the Help for the Invoke-Command cmdlet available in Windows PowerShell V2
913 Get-MBCAResult
SYNOPSIS
Page 50
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
SYNTAX
Get-MBCAResult [-ModelId] ltstringgt [[-CollectedConfiguration]] -SubModelId
ltstringgt [-ComputerName ltstring[]gt] [-Context ltstringgt] [-Filter
ltFilterEnumgt] [-RepositoryPath ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
To use the command add the -ModelId parameter and then specify the model ID for which you want
to view the most recent MBCA scan results or collected configuration data If you want to retrieve the
configuration data collected add the -CollectedConfiguration switch parameter
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-CollectedConfiguration [ltSwitchParametergt]
The -CollectedConfiguration parameter allows you to obtain the configuration data that was
collected for the most recent MBCA scan If this switch parameter is added to Get-MBCAResults
the cmdlet returns only the configuration data that was collected for a scan
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The -ComputerName parameter lets you obtain scan results that were collected for the most
recent MBCA scan of a submodel on a specific computer To specify the local computer type the
computer name or localhost Multiple values for -ComputerName can be separated by
commas
The -SubModelId parameter is required by the -ComputerName parameter
Valid values for the -ComputerName parameter include localhost a NET BIOS name an IP
address or a fully-qualified domain name (FQDN) of one or more computers in a comma-
separated list
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
Page 51
The -Context parameter lets you obtain scan results that were collected for the most recent
MBCA scan of a submodel in the context of a specific model (one that is different from the parent
model of the submodel) For example an administrator might want to display scan results for the
Backend submodel of the SQL model but only those in the context of a third model a
technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Filter ltFilterEnumgt
The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant
Noncompliant or All results Valid values are Noncompliant Compliant or All The default value
is All
The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan
results You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet obtains
results from the default result repository
Required false
Position named
Page 52
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you
want to view scan results You can obtain valid values for the -SubModelId parameter by running
the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed Not all
models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceResultgt OR
SystemXmlXmlDocument (if -CollectedData specified)
If you do not use the -CollectedConfiguration parameter verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Results
2 Attempting to get MBCA results for Model Id = 0
3 Completed getting MBCA results for Model Id = 0 Number of Results = 1
If you add the -CollectedConfiguration parameter to display configuration data that was used for a
scan verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Configuration Data
2 Attempting to get MBCA collected configuration data for Model Id = 0
3 Completed getting MBCA collected configuration data for Model Id = 0
NOTES
The Get-MBCAResult cmdlet must be run by a member of the Administrators group and it does not
start a new scan
Cancellation behaviour
Single Model - To cancel this cmdlet you must press Ctrl+C before the ResultCollection is displayed
on the console The operation is cancelled and results are not displayed on the console
Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models
the cmdlet generates only those results that were displayed on the console before the cancellation
Any subsequent results in the pipeline are cancelled and not displayed
Page 53
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -Id SQL2008R2BPA
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id
-------------------------- EXAMPLE 2 --------------------------
Get-MBCAModel | Get-MBCAResult
In the preceding example Get-MBCAModel is used to return a list of all MBCA models that are
installed on the computer The results of the Get-MBCAModel cmdlet are piped to the Get-
MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both
supported by MBCA and installed on the computer at which the cmdlet is targeted
-------------------------- EXAMPLE 3 --------------------------
$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$resultDiscoveryDocument
Description
In the preceding example configuration data (in XML form) that was collected during the most recent
Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is
retrieved and stored as a property in the variable $result $resultDiscoveryDocument is of type
SystemXmlXmlDocument
-------------------------- EXAMPLE 4 --------------------------
Get-MBCAResult SQL2008R2BPA -Filter Noncompliant
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id and then applies a filter to show only Noncompliant
results
------------------------- EXAMPLE 5 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId Note that the parent model ID must be specified
to use the -SubModelId parameter
------------------------- EXAMPLE 6 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt -ComputerName ltServergt
-Context ltContext Model Idgt -RepositoryPath ltRepository Pathgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId The parent model ID is provided as required by
the -SubModelID parameter
The -Context parameter indicates that the administrator wants to see only those scan results that are in
the context of the model that is represented by Context Model Id for example only those results from
a SQL Server scan that specifically apply to another technology such as Web Server (IIS)
Page 54
The scan results are further narrowed to only those from a computer that is specified in the -
ComputerName parameter as Server and only those results found in the non-default results
repository that is represented by Repository Path
914 Set-MBCAResult
SYNOPSIS
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
SYNTAX
Set-MBCAResult [[-Exclude] ltBooleangt] [-Results] ltResultgtgt [[-
RepostitoryPath] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
The action specified in the cmdlet (Exclude for example) determines how the existing results of an
MBCA scan are updated Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet
to return a collection of scan results
You can apply filters to results that are returned by the Get-MBCAResult cmdlet and then pipe the
filtered collection of results to the Set-MBCAResult cmdlet specifying either to include or exclude
filtered scan results
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Exclude ltBooleangt
Excludes scan results from the results collection that were previously obtained by the Get-
MBCAResult command To exclude results by using the -Exclude parameter add the value $true
following the parameter as shown
-Exclude $true
To include results that have been excluded use the $false value for the -Exclude parameter
Required false
Position 2
Default value
Accept pipeline input false
Accept wildcard characters false
-RepostitoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet
modifies results from the default result repository
Required false
Page 55
Position 4
Default value
Accept pipeline input false
Accept wildcard characters false
-Results ltResultgtgt
Specifies the result collection to be updated by the Set-MBCAResult cmdlet The -Results
parameter is typically used to specify a filtered subset of scan results that has already been
stored in a variable the variable name is provided as the valid value for the -Results parameter
For example if you have created a variable $allPerformance to store all the Performance
category results for an MBCA scan of all models on a computer and you want to exclude those
Performance results from the complete collection of scan results you add the parameter -Results
$all Performance to a Set-MBCAResult cmdlet
For a more detailed example see the Examples section of the Help for this cmdlet
Required true
Position 3
Default value
Accept pipeline input true (ByValue)
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type ldquoget-
help about_commonparameters
NOTES
If the Set-MBCAResult command is cancelled before the results are written to a file the operation is
cancelled and the results file is not modified If cancellation occurs after the results file has been
modified the commands actions are carried out and the command cannot be cancelled
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -ModelId SQL2008R2BPA | Where $_Category -eq
Performance | Set-MBCAResult -Exclude $true
Description
The first section of the preceding example to the left of the first pipe character (|) uses the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is
represented by Model Id
The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those
scan results for which the category name is equal to Performance
The final section of the example following the second pipe character excludes the Performance
results that were filtered by the previous section of the example
-------------------------- EXAMPLE 2 --------------------------
$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath
CReposPath | Where $_Category -eq Policy
Page 56
Set-MBCAResult -Exclude $true -RepositoryPath CReposPath -Results
$rcPolicy
Description
The first line of the preceding example to the left of the pipe character (|) instructs the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is
represented by Specified Model Id from the specified non-default repository path
The second section of the example after the pipe character filters the results of the Get-MBCAResult
cmdlet to return only those scan results for which the category name is equal to (note the -eq option)
Policy The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet this
variable can be used in subsequent commands to represent those results
The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that
are stored in the $rcPolicy variable In this example the -Results parameter is added because the
administrator wants to exclude a specific subset of scan results for that model and has created the
variable $rcPolicy to represent that subset of results The repository root is specified in the second line
because the administrator wants to modify the results in the same non-default repository from which
the data in $rcPolicy was retrieved
915 MBCA Model Authoring
Further information about configuration and usage of MBCA models you can in the
MBCA_ModelAuthoringGuidedocx
Page 57
Did this paper help you Please give us your feedback Tell us on a scale of 1 (poor) to 5 (excellent)
how would you rate this paper and why have you given it this rating For example
Are you rating it high due to having good examples excellent screen shots clear writing or
another reason
Are you rating it low due to poor examples fuzzy screen shots or unclear writing
This feedback will help us improve the quality of white papers we release
Send feedback
Page 40
7 HOW TO DEAL WITH DEVIATIONS
Deviations from these Best Practices may indicate potential issues and configuration changes may be
necessary Make sure you have tested any intended changes in a test environment before deploying
them to a production environment You could also find deviations from Best Practices that are
acceptable or even necessary for your environment For example
SAP has its special Network Packet Size of 8 KB
Existing Non-Microsoft Clients ndash would require Mixed Mode Authentication
Page 41
8 MOTIVATION TO USE SQL BPA R2
Bob Ward explained in his Article ldquoWhy use SQL Server 2008 R2 BPA Case 1 Missing Updatesrdquo
the common pitfalls during maintenance and operation of SQL Server and how address them by using
the SQL BPA
In brief itrsquos a customer scenario where the customer is facing an issue after a major update to
SQL2008 After some troubleshooting and an update to a certain CU (that is meant to fix the issue) the
problem still occurs Bobs article states the common resulting consequences ndash the involvement of
Microsoft Support and the final solution ndash adding a needed traceflag
The good news in this story is that the customer would not have needed to go to all that effort if they
would have run the SQL BPA It would have told them about the update and instructed them to put the
traceflag in place BPA is a mechanism that proactively advises you and instructs you on dealing with
common known issues
Page 42
9 ADDITIONAL INFORMATION
91 PowerShell
To use the functionality of the Baseline Configuration Analyzer with PowerShell you must import this
module first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
The following commands are stored in this module
Get-MbcaModel
Get-MbcaResult
Invoke-MbcaModel
Set-MbcaResult
You get help of this command with the following syntax
Get-help ltcommandgt -full
911 Get-MBCAModel
SYNOPSIS
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer
SYNTAX
Get-MBCAModel [[-ModelId] ltstring[]gt] [[-SubModelId] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer If no parameter is
specified Get-MBCAModel returns all models that are installed on the computer If a model is specified
by using the -ModelId parameter information about the specified model is returned
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
The results of the Get-MBCAModel cmdlet include the following details about models
1 Branding information (manufacturer or company display names version number) that is found in
the model manifest
2 Dynamic parameters that are included with the model
3 Submodels that are included with the model
PARAMETERS
-ModelId ltstring[]gt
The -ModelId parameter specifies the ID of the MBCA model about which you want to view
details You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet with no parameters and targeted at a computer on which MBCA models are installed
Page 43
This parameter supports wild card characters
Required false
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you
want to view details You can obtain valid values for the -SubModelId parameter by running the
Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models
are installed Not all models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
Examples
Get-MBCAModel
In the preceding example Get-MBCAModel with no parameters added returns details about all MBCA
models that are installed on the computer
Get-MBCAModel -ModelId SQL2008R2BPA
The preceding example can be used to return details about the MBCA model that is specified in the -
ModelId parameter represented by Model Id
$model= Get-MBCAModel -ModelId SQL2008R2BPA
$modelParameters
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the Parameters property of the model details that were stored in the
$model object returns details about which parameters are supported by the model
Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId ltSubModel Idgt
The preceding example can be used to return details about the MBCA sub-model that is specified by
the -SubModelId parameter represented by SubModel Id Note that the -ModelId parameter is
required by the -SubModelId parameter
$model= Get-MBCAModel -ModelId SQL2008R2BPA
Page 44
$modelSubModels
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the SubModels property of the model details that were stored in the
$model object returns a list of the submodels of the model specified in the first line
912 Invoke-MBCAModel
SYNOPSIS
The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA)
scan for a specific model that is installed on your computer
SYNTAX
Invoke-MBCAModel [-ModelId] ltstringgt -SubModelId ltstringgt [-Authentication
ltAuthenticationMechanismgt] [-CertificateThumbprint ltstringgt] [-ComputerName
ltstring[]gt] [-ConfigurationName ltstringgt] [-Context ltstringgt] [-Credential
ltstringgt] [-Mode ltModeEnumgt] [-Port ltintgt] [-RepositoryPath ltstringgt] [-
ThrottleLimit ltintgt] [-UseSSL] [ltCommonParametersgt]
DESCRIPTION
The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer
(MBCA) scan for a specific model that is installed on your computer The model is specified either by
using the parameter -ModelId or by piping the results of the Get-MBCAModel cmdlet into an Invoke-
MBCAMode cmdlet
After the MBCA scan has been performed the results of the scan are available to be retrieved by Get-
MBCAResult cmdlet
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Authentication ltAuthenticationMechanismgt
Specifies the authentication mechanism that is used to authenticate the users credentials Valid
values include Default Basic CredSSP Digest Kerberos Negotiate and
NegotiateWithImplicitCredential The default value is Default
For more information about the -Authentication parameter type the following and then press
Enter
Get-Help Invoke-Command -Parameter Authentication
Required false
Position named
Default value Default
Accept pipeline input false
Accept wildcard characters false
-CertificateThumbprint ltstringgt
Page 45
Specifies the digital public key certificate (X509) of a user account that has rights to perform the
cmdlet action The valid value is the certificate thumbprint of the certificate
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Certificate Thumbprint
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific
computer by adding this parameter Valid values include NETBOS names IP addresses or fully-
qualified domain names of one or more computers in a comma-separated list To specify the local
computer type the computer name or localhost
All formats that are accepted by the -ComputerName parameter in Invoke-Command are
accepted
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ConfigurationName ltstringgt
Specifies the session configuration that is used for a new PSSession
Enter a configuration name or the fully-qualified resource URI for a session configuration
Session configuration data is found on the remote computer on which you want to run a cmdlet
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ConfigurationName
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
The -Context parameter lets you run scans on a submodel in the context of a specific model (one
that is different from the parent model of the submodel) For example an administrator might
want to run a scan on the Backend submodel of the SQL model but only those in the context
of a third model a technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
Page 46
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Credential ltstringgt
Specifies a user account that has permission to run this cmdlet The default value is the current
user
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Credential
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Mode ltModeEnumgt
The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered
documents or discovery The default is to perform both discovery and analysis or All
If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet both discovery and
analysis are performed during a scan
Valid values are Discovery Analysis and All
Required false
Position named
Default value All
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model that you want to scan You can
obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at
a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
Page 47
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-Port ltintgt
Specifies the network port on a remote computer on which you want to run a scan The default
value is port 80
For more information on this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Port
Required false
Position named
Default value 80
Accept pipeline input false
Accept wildcard characters false
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a pathname If the parameter is not used the cmdlet writes
results to the default result repository
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to
scan You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed Not all models have
submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ThrottleLimit ltintgt
Specifies the maximum number of concurrent connections that can be established to run the
cmdlet If you omit this parameter or enter a value of 0 the default value of 32 is used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ThrottleLimit
Required false
Page 48
Position named
Default value 32
Accept pipeline input false
Accept wildcard characters false
-UseSSL [ltSwitchParametergt]
Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer
By default SSL is not used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter UseSSL
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceInvokeBpaModelOutputgt
The output object encapsulates the results of the cmdlet that you entered It contains information such
as the MBCA model ID the success or failure of the cmdlet and other details
NOTES
If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C)
before the temporary results file is copied to its final location the temporary file is discarded and any
previous scan results file for the role are preserved The message Processing of Invoke-MBCAModel
cancelled by user is displayed if the command is cancelled before existing scan results files are
overwritten
If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel
cmdlet and the command is cancelled scans that were completed before the cancel command was
entered cannot be cancelled A scan in progress behaves as described above in the single-model scan
cancellation scenario Subsequent scans in the pipeline are cancelled
If a concurrent scan of the same model is attempted the cmdlet returns the following error message
Another scan for this MBCA model is in progress Only one scan is allowed at a time
-------------------------- EXAMPLE 1 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA
Description
The preceding example starts a MBCA scan on the model that is represented by ltModel Idgt
-------------------------- EXAMPLE 2 --------------------------
Page 49
Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name
redmondmicrosoftcom
Description
The preceding example starts an MBCA scan on the model ID that is specified by Model Id
The administrator starts the MBCA scan with additional model-specific parameters that are exposed by
the model (For an example of how to obtain model-specific parameters see the examples for the Get-
MBCAModel cmdlet)
For example to scan a model that requires model-specific parameters (such as -Scope and -Name) to
be passed to the command the administrator can specify the values of these model-specific
parameters with the Invoke-MBCAModel cmdlet
-------------------------- EXAMPLE 3 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The
cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion
of the scan
-------------------------- EXAMPLE 4 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath
ltRepository Pathgt
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The -
Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on
existing documents that are specified in the non-default repository path provided with the -Repository
Path parameter
-------------------------- EXAMPLE 5 --------------------------
Invoke-MBCAModel -Id ltModel Idgt -SubModelId ltSubModel Idgt -ComputerName
ltServergt -Context ltContext Model Idgt -RepositoryPath ltRespository Pathgt -
AsJob -Authentication ltAuthenticatonMechanismgt -Port ltPort Numbergt -UseSSL -
ThrottleLimit ltThrottle Limitgt
Description
The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id
and on the computer that is represented by Server
Because the administrator only wants to see results from the submodel that apply in the context of a
third model the administrator runs the scan within the context of the model ID that is specified in the -
Context parameter The cmdlet results are saved to the non-default repository path that is specified in
the -RepositoryPath parameter
Because the -AsJob parameter is added the scan runs in the background The -AsJob -
Authentication -Port -UseSSL and -ThrottleLimit parameters are passed through for use by the
Invoke-Command cmdlet to perform discovery on a remote computer For more information about
these parameters see the Help for the Invoke-Command cmdlet available in Windows PowerShell V2
913 Get-MBCAResult
SYNOPSIS
Page 50
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
SYNTAX
Get-MBCAResult [-ModelId] ltstringgt [[-CollectedConfiguration]] -SubModelId
ltstringgt [-ComputerName ltstring[]gt] [-Context ltstringgt] [-Filter
ltFilterEnumgt] [-RepositoryPath ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
To use the command add the -ModelId parameter and then specify the model ID for which you want
to view the most recent MBCA scan results or collected configuration data If you want to retrieve the
configuration data collected add the -CollectedConfiguration switch parameter
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-CollectedConfiguration [ltSwitchParametergt]
The -CollectedConfiguration parameter allows you to obtain the configuration data that was
collected for the most recent MBCA scan If this switch parameter is added to Get-MBCAResults
the cmdlet returns only the configuration data that was collected for a scan
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The -ComputerName parameter lets you obtain scan results that were collected for the most
recent MBCA scan of a submodel on a specific computer To specify the local computer type the
computer name or localhost Multiple values for -ComputerName can be separated by
commas
The -SubModelId parameter is required by the -ComputerName parameter
Valid values for the -ComputerName parameter include localhost a NET BIOS name an IP
address or a fully-qualified domain name (FQDN) of one or more computers in a comma-
separated list
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
Page 51
The -Context parameter lets you obtain scan results that were collected for the most recent
MBCA scan of a submodel in the context of a specific model (one that is different from the parent
model of the submodel) For example an administrator might want to display scan results for the
Backend submodel of the SQL model but only those in the context of a third model a
technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Filter ltFilterEnumgt
The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant
Noncompliant or All results Valid values are Noncompliant Compliant or All The default value
is All
The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan
results You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet obtains
results from the default result repository
Required false
Position named
Page 52
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you
want to view scan results You can obtain valid values for the -SubModelId parameter by running
the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed Not all
models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceResultgt OR
SystemXmlXmlDocument (if -CollectedData specified)
If you do not use the -CollectedConfiguration parameter verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Results
2 Attempting to get MBCA results for Model Id = 0
3 Completed getting MBCA results for Model Id = 0 Number of Results = 1
If you add the -CollectedConfiguration parameter to display configuration data that was used for a
scan verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Configuration Data
2 Attempting to get MBCA collected configuration data for Model Id = 0
3 Completed getting MBCA collected configuration data for Model Id = 0
NOTES
The Get-MBCAResult cmdlet must be run by a member of the Administrators group and it does not
start a new scan
Cancellation behaviour
Single Model - To cancel this cmdlet you must press Ctrl+C before the ResultCollection is displayed
on the console The operation is cancelled and results are not displayed on the console
Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models
the cmdlet generates only those results that were displayed on the console before the cancellation
Any subsequent results in the pipeline are cancelled and not displayed
Page 53
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -Id SQL2008R2BPA
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id
-------------------------- EXAMPLE 2 --------------------------
Get-MBCAModel | Get-MBCAResult
In the preceding example Get-MBCAModel is used to return a list of all MBCA models that are
installed on the computer The results of the Get-MBCAModel cmdlet are piped to the Get-
MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both
supported by MBCA and installed on the computer at which the cmdlet is targeted
-------------------------- EXAMPLE 3 --------------------------
$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$resultDiscoveryDocument
Description
In the preceding example configuration data (in XML form) that was collected during the most recent
Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is
retrieved and stored as a property in the variable $result $resultDiscoveryDocument is of type
SystemXmlXmlDocument
-------------------------- EXAMPLE 4 --------------------------
Get-MBCAResult SQL2008R2BPA -Filter Noncompliant
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id and then applies a filter to show only Noncompliant
results
------------------------- EXAMPLE 5 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId Note that the parent model ID must be specified
to use the -SubModelId parameter
------------------------- EXAMPLE 6 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt -ComputerName ltServergt
-Context ltContext Model Idgt -RepositoryPath ltRepository Pathgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId The parent model ID is provided as required by
the -SubModelID parameter
The -Context parameter indicates that the administrator wants to see only those scan results that are in
the context of the model that is represented by Context Model Id for example only those results from
a SQL Server scan that specifically apply to another technology such as Web Server (IIS)
Page 54
The scan results are further narrowed to only those from a computer that is specified in the -
ComputerName parameter as Server and only those results found in the non-default results
repository that is represented by Repository Path
914 Set-MBCAResult
SYNOPSIS
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
SYNTAX
Set-MBCAResult [[-Exclude] ltBooleangt] [-Results] ltResultgtgt [[-
RepostitoryPath] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
The action specified in the cmdlet (Exclude for example) determines how the existing results of an
MBCA scan are updated Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet
to return a collection of scan results
You can apply filters to results that are returned by the Get-MBCAResult cmdlet and then pipe the
filtered collection of results to the Set-MBCAResult cmdlet specifying either to include or exclude
filtered scan results
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Exclude ltBooleangt
Excludes scan results from the results collection that were previously obtained by the Get-
MBCAResult command To exclude results by using the -Exclude parameter add the value $true
following the parameter as shown
-Exclude $true
To include results that have been excluded use the $false value for the -Exclude parameter
Required false
Position 2
Default value
Accept pipeline input false
Accept wildcard characters false
-RepostitoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet
modifies results from the default result repository
Required false
Page 55
Position 4
Default value
Accept pipeline input false
Accept wildcard characters false
-Results ltResultgtgt
Specifies the result collection to be updated by the Set-MBCAResult cmdlet The -Results
parameter is typically used to specify a filtered subset of scan results that has already been
stored in a variable the variable name is provided as the valid value for the -Results parameter
For example if you have created a variable $allPerformance to store all the Performance
category results for an MBCA scan of all models on a computer and you want to exclude those
Performance results from the complete collection of scan results you add the parameter -Results
$all Performance to a Set-MBCAResult cmdlet
For a more detailed example see the Examples section of the Help for this cmdlet
Required true
Position 3
Default value
Accept pipeline input true (ByValue)
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type ldquoget-
help about_commonparameters
NOTES
If the Set-MBCAResult command is cancelled before the results are written to a file the operation is
cancelled and the results file is not modified If cancellation occurs after the results file has been
modified the commands actions are carried out and the command cannot be cancelled
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -ModelId SQL2008R2BPA | Where $_Category -eq
Performance | Set-MBCAResult -Exclude $true
Description
The first section of the preceding example to the left of the first pipe character (|) uses the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is
represented by Model Id
The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those
scan results for which the category name is equal to Performance
The final section of the example following the second pipe character excludes the Performance
results that were filtered by the previous section of the example
-------------------------- EXAMPLE 2 --------------------------
$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath
CReposPath | Where $_Category -eq Policy
Page 56
Set-MBCAResult -Exclude $true -RepositoryPath CReposPath -Results
$rcPolicy
Description
The first line of the preceding example to the left of the pipe character (|) instructs the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is
represented by Specified Model Id from the specified non-default repository path
The second section of the example after the pipe character filters the results of the Get-MBCAResult
cmdlet to return only those scan results for which the category name is equal to (note the -eq option)
Policy The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet this
variable can be used in subsequent commands to represent those results
The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that
are stored in the $rcPolicy variable In this example the -Results parameter is added because the
administrator wants to exclude a specific subset of scan results for that model and has created the
variable $rcPolicy to represent that subset of results The repository root is specified in the second line
because the administrator wants to modify the results in the same non-default repository from which
the data in $rcPolicy was retrieved
915 MBCA Model Authoring
Further information about configuration and usage of MBCA models you can in the
MBCA_ModelAuthoringGuidedocx
Page 57
Did this paper help you Please give us your feedback Tell us on a scale of 1 (poor) to 5 (excellent)
how would you rate this paper and why have you given it this rating For example
Are you rating it high due to having good examples excellent screen shots clear writing or
another reason
Are you rating it low due to poor examples fuzzy screen shots or unclear writing
This feedback will help us improve the quality of white papers we release
Send feedback
Page 41
8 MOTIVATION TO USE SQL BPA R2
Bob Ward explained in his Article ldquoWhy use SQL Server 2008 R2 BPA Case 1 Missing Updatesrdquo
the common pitfalls during maintenance and operation of SQL Server and how address them by using
the SQL BPA
In brief itrsquos a customer scenario where the customer is facing an issue after a major update to
SQL2008 After some troubleshooting and an update to a certain CU (that is meant to fix the issue) the
problem still occurs Bobs article states the common resulting consequences ndash the involvement of
Microsoft Support and the final solution ndash adding a needed traceflag
The good news in this story is that the customer would not have needed to go to all that effort if they
would have run the SQL BPA It would have told them about the update and instructed them to put the
traceflag in place BPA is a mechanism that proactively advises you and instructs you on dealing with
common known issues
Page 42
9 ADDITIONAL INFORMATION
91 PowerShell
To use the functionality of the Baseline Configuration Analyzer with PowerShell you must import this
module first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
The following commands are stored in this module
Get-MbcaModel
Get-MbcaResult
Invoke-MbcaModel
Set-MbcaResult
You get help of this command with the following syntax
Get-help ltcommandgt -full
911 Get-MBCAModel
SYNOPSIS
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer
SYNTAX
Get-MBCAModel [[-ModelId] ltstring[]gt] [[-SubModelId] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer If no parameter is
specified Get-MBCAModel returns all models that are installed on the computer If a model is specified
by using the -ModelId parameter information about the specified model is returned
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
The results of the Get-MBCAModel cmdlet include the following details about models
1 Branding information (manufacturer or company display names version number) that is found in
the model manifest
2 Dynamic parameters that are included with the model
3 Submodels that are included with the model
PARAMETERS
-ModelId ltstring[]gt
The -ModelId parameter specifies the ID of the MBCA model about which you want to view
details You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet with no parameters and targeted at a computer on which MBCA models are installed
Page 43
This parameter supports wild card characters
Required false
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you
want to view details You can obtain valid values for the -SubModelId parameter by running the
Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models
are installed Not all models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
Examples
Get-MBCAModel
In the preceding example Get-MBCAModel with no parameters added returns details about all MBCA
models that are installed on the computer
Get-MBCAModel -ModelId SQL2008R2BPA
The preceding example can be used to return details about the MBCA model that is specified in the -
ModelId parameter represented by Model Id
$model= Get-MBCAModel -ModelId SQL2008R2BPA
$modelParameters
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the Parameters property of the model details that were stored in the
$model object returns details about which parameters are supported by the model
Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId ltSubModel Idgt
The preceding example can be used to return details about the MBCA sub-model that is specified by
the -SubModelId parameter represented by SubModel Id Note that the -ModelId parameter is
required by the -SubModelId parameter
$model= Get-MBCAModel -ModelId SQL2008R2BPA
Page 44
$modelSubModels
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the SubModels property of the model details that were stored in the
$model object returns a list of the submodels of the model specified in the first line
912 Invoke-MBCAModel
SYNOPSIS
The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA)
scan for a specific model that is installed on your computer
SYNTAX
Invoke-MBCAModel [-ModelId] ltstringgt -SubModelId ltstringgt [-Authentication
ltAuthenticationMechanismgt] [-CertificateThumbprint ltstringgt] [-ComputerName
ltstring[]gt] [-ConfigurationName ltstringgt] [-Context ltstringgt] [-Credential
ltstringgt] [-Mode ltModeEnumgt] [-Port ltintgt] [-RepositoryPath ltstringgt] [-
ThrottleLimit ltintgt] [-UseSSL] [ltCommonParametersgt]
DESCRIPTION
The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer
(MBCA) scan for a specific model that is installed on your computer The model is specified either by
using the parameter -ModelId or by piping the results of the Get-MBCAModel cmdlet into an Invoke-
MBCAMode cmdlet
After the MBCA scan has been performed the results of the scan are available to be retrieved by Get-
MBCAResult cmdlet
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Authentication ltAuthenticationMechanismgt
Specifies the authentication mechanism that is used to authenticate the users credentials Valid
values include Default Basic CredSSP Digest Kerberos Negotiate and
NegotiateWithImplicitCredential The default value is Default
For more information about the -Authentication parameter type the following and then press
Enter
Get-Help Invoke-Command -Parameter Authentication
Required false
Position named
Default value Default
Accept pipeline input false
Accept wildcard characters false
-CertificateThumbprint ltstringgt
Page 45
Specifies the digital public key certificate (X509) of a user account that has rights to perform the
cmdlet action The valid value is the certificate thumbprint of the certificate
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Certificate Thumbprint
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific
computer by adding this parameter Valid values include NETBOS names IP addresses or fully-
qualified domain names of one or more computers in a comma-separated list To specify the local
computer type the computer name or localhost
All formats that are accepted by the -ComputerName parameter in Invoke-Command are
accepted
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ConfigurationName ltstringgt
Specifies the session configuration that is used for a new PSSession
Enter a configuration name or the fully-qualified resource URI for a session configuration
Session configuration data is found on the remote computer on which you want to run a cmdlet
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ConfigurationName
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
The -Context parameter lets you run scans on a submodel in the context of a specific model (one
that is different from the parent model of the submodel) For example an administrator might
want to run a scan on the Backend submodel of the SQL model but only those in the context
of a third model a technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
Page 46
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Credential ltstringgt
Specifies a user account that has permission to run this cmdlet The default value is the current
user
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Credential
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Mode ltModeEnumgt
The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered
documents or discovery The default is to perform both discovery and analysis or All
If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet both discovery and
analysis are performed during a scan
Valid values are Discovery Analysis and All
Required false
Position named
Default value All
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model that you want to scan You can
obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at
a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
Page 47
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-Port ltintgt
Specifies the network port on a remote computer on which you want to run a scan The default
value is port 80
For more information on this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Port
Required false
Position named
Default value 80
Accept pipeline input false
Accept wildcard characters false
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a pathname If the parameter is not used the cmdlet writes
results to the default result repository
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to
scan You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed Not all models have
submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ThrottleLimit ltintgt
Specifies the maximum number of concurrent connections that can be established to run the
cmdlet If you omit this parameter or enter a value of 0 the default value of 32 is used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ThrottleLimit
Required false
Page 48
Position named
Default value 32
Accept pipeline input false
Accept wildcard characters false
-UseSSL [ltSwitchParametergt]
Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer
By default SSL is not used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter UseSSL
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceInvokeBpaModelOutputgt
The output object encapsulates the results of the cmdlet that you entered It contains information such
as the MBCA model ID the success or failure of the cmdlet and other details
NOTES
If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C)
before the temporary results file is copied to its final location the temporary file is discarded and any
previous scan results file for the role are preserved The message Processing of Invoke-MBCAModel
cancelled by user is displayed if the command is cancelled before existing scan results files are
overwritten
If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel
cmdlet and the command is cancelled scans that were completed before the cancel command was
entered cannot be cancelled A scan in progress behaves as described above in the single-model scan
cancellation scenario Subsequent scans in the pipeline are cancelled
If a concurrent scan of the same model is attempted the cmdlet returns the following error message
Another scan for this MBCA model is in progress Only one scan is allowed at a time
-------------------------- EXAMPLE 1 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA
Description
The preceding example starts a MBCA scan on the model that is represented by ltModel Idgt
-------------------------- EXAMPLE 2 --------------------------
Page 49
Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name
redmondmicrosoftcom
Description
The preceding example starts an MBCA scan on the model ID that is specified by Model Id
The administrator starts the MBCA scan with additional model-specific parameters that are exposed by
the model (For an example of how to obtain model-specific parameters see the examples for the Get-
MBCAModel cmdlet)
For example to scan a model that requires model-specific parameters (such as -Scope and -Name) to
be passed to the command the administrator can specify the values of these model-specific
parameters with the Invoke-MBCAModel cmdlet
-------------------------- EXAMPLE 3 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The
cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion
of the scan
-------------------------- EXAMPLE 4 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath
ltRepository Pathgt
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The -
Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on
existing documents that are specified in the non-default repository path provided with the -Repository
Path parameter
-------------------------- EXAMPLE 5 --------------------------
Invoke-MBCAModel -Id ltModel Idgt -SubModelId ltSubModel Idgt -ComputerName
ltServergt -Context ltContext Model Idgt -RepositoryPath ltRespository Pathgt -
AsJob -Authentication ltAuthenticatonMechanismgt -Port ltPort Numbergt -UseSSL -
ThrottleLimit ltThrottle Limitgt
Description
The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id
and on the computer that is represented by Server
Because the administrator only wants to see results from the submodel that apply in the context of a
third model the administrator runs the scan within the context of the model ID that is specified in the -
Context parameter The cmdlet results are saved to the non-default repository path that is specified in
the -RepositoryPath parameter
Because the -AsJob parameter is added the scan runs in the background The -AsJob -
Authentication -Port -UseSSL and -ThrottleLimit parameters are passed through for use by the
Invoke-Command cmdlet to perform discovery on a remote computer For more information about
these parameters see the Help for the Invoke-Command cmdlet available in Windows PowerShell V2
913 Get-MBCAResult
SYNOPSIS
Page 50
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
SYNTAX
Get-MBCAResult [-ModelId] ltstringgt [[-CollectedConfiguration]] -SubModelId
ltstringgt [-ComputerName ltstring[]gt] [-Context ltstringgt] [-Filter
ltFilterEnumgt] [-RepositoryPath ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
To use the command add the -ModelId parameter and then specify the model ID for which you want
to view the most recent MBCA scan results or collected configuration data If you want to retrieve the
configuration data collected add the -CollectedConfiguration switch parameter
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-CollectedConfiguration [ltSwitchParametergt]
The -CollectedConfiguration parameter allows you to obtain the configuration data that was
collected for the most recent MBCA scan If this switch parameter is added to Get-MBCAResults
the cmdlet returns only the configuration data that was collected for a scan
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The -ComputerName parameter lets you obtain scan results that were collected for the most
recent MBCA scan of a submodel on a specific computer To specify the local computer type the
computer name or localhost Multiple values for -ComputerName can be separated by
commas
The -SubModelId parameter is required by the -ComputerName parameter
Valid values for the -ComputerName parameter include localhost a NET BIOS name an IP
address or a fully-qualified domain name (FQDN) of one or more computers in a comma-
separated list
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
Page 51
The -Context parameter lets you obtain scan results that were collected for the most recent
MBCA scan of a submodel in the context of a specific model (one that is different from the parent
model of the submodel) For example an administrator might want to display scan results for the
Backend submodel of the SQL model but only those in the context of a third model a
technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Filter ltFilterEnumgt
The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant
Noncompliant or All results Valid values are Noncompliant Compliant or All The default value
is All
The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan
results You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet obtains
results from the default result repository
Required false
Position named
Page 52
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you
want to view scan results You can obtain valid values for the -SubModelId parameter by running
the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed Not all
models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceResultgt OR
SystemXmlXmlDocument (if -CollectedData specified)
If you do not use the -CollectedConfiguration parameter verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Results
2 Attempting to get MBCA results for Model Id = 0
3 Completed getting MBCA results for Model Id = 0 Number of Results = 1
If you add the -CollectedConfiguration parameter to display configuration data that was used for a
scan verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Configuration Data
2 Attempting to get MBCA collected configuration data for Model Id = 0
3 Completed getting MBCA collected configuration data for Model Id = 0
NOTES
The Get-MBCAResult cmdlet must be run by a member of the Administrators group and it does not
start a new scan
Cancellation behaviour
Single Model - To cancel this cmdlet you must press Ctrl+C before the ResultCollection is displayed
on the console The operation is cancelled and results are not displayed on the console
Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models
the cmdlet generates only those results that were displayed on the console before the cancellation
Any subsequent results in the pipeline are cancelled and not displayed
Page 53
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -Id SQL2008R2BPA
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id
-------------------------- EXAMPLE 2 --------------------------
Get-MBCAModel | Get-MBCAResult
In the preceding example Get-MBCAModel is used to return a list of all MBCA models that are
installed on the computer The results of the Get-MBCAModel cmdlet are piped to the Get-
MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both
supported by MBCA and installed on the computer at which the cmdlet is targeted
-------------------------- EXAMPLE 3 --------------------------
$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$resultDiscoveryDocument
Description
In the preceding example configuration data (in XML form) that was collected during the most recent
Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is
retrieved and stored as a property in the variable $result $resultDiscoveryDocument is of type
SystemXmlXmlDocument
-------------------------- EXAMPLE 4 --------------------------
Get-MBCAResult SQL2008R2BPA -Filter Noncompliant
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id and then applies a filter to show only Noncompliant
results
------------------------- EXAMPLE 5 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId Note that the parent model ID must be specified
to use the -SubModelId parameter
------------------------- EXAMPLE 6 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt -ComputerName ltServergt
-Context ltContext Model Idgt -RepositoryPath ltRepository Pathgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId The parent model ID is provided as required by
the -SubModelID parameter
The -Context parameter indicates that the administrator wants to see only those scan results that are in
the context of the model that is represented by Context Model Id for example only those results from
a SQL Server scan that specifically apply to another technology such as Web Server (IIS)
Page 54
The scan results are further narrowed to only those from a computer that is specified in the -
ComputerName parameter as Server and only those results found in the non-default results
repository that is represented by Repository Path
914 Set-MBCAResult
SYNOPSIS
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
SYNTAX
Set-MBCAResult [[-Exclude] ltBooleangt] [-Results] ltResultgtgt [[-
RepostitoryPath] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
The action specified in the cmdlet (Exclude for example) determines how the existing results of an
MBCA scan are updated Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet
to return a collection of scan results
You can apply filters to results that are returned by the Get-MBCAResult cmdlet and then pipe the
filtered collection of results to the Set-MBCAResult cmdlet specifying either to include or exclude
filtered scan results
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Exclude ltBooleangt
Excludes scan results from the results collection that were previously obtained by the Get-
MBCAResult command To exclude results by using the -Exclude parameter add the value $true
following the parameter as shown
-Exclude $true
To include results that have been excluded use the $false value for the -Exclude parameter
Required false
Position 2
Default value
Accept pipeline input false
Accept wildcard characters false
-RepostitoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet
modifies results from the default result repository
Required false
Page 55
Position 4
Default value
Accept pipeline input false
Accept wildcard characters false
-Results ltResultgtgt
Specifies the result collection to be updated by the Set-MBCAResult cmdlet The -Results
parameter is typically used to specify a filtered subset of scan results that has already been
stored in a variable the variable name is provided as the valid value for the -Results parameter
For example if you have created a variable $allPerformance to store all the Performance
category results for an MBCA scan of all models on a computer and you want to exclude those
Performance results from the complete collection of scan results you add the parameter -Results
$all Performance to a Set-MBCAResult cmdlet
For a more detailed example see the Examples section of the Help for this cmdlet
Required true
Position 3
Default value
Accept pipeline input true (ByValue)
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type ldquoget-
help about_commonparameters
NOTES
If the Set-MBCAResult command is cancelled before the results are written to a file the operation is
cancelled and the results file is not modified If cancellation occurs after the results file has been
modified the commands actions are carried out and the command cannot be cancelled
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -ModelId SQL2008R2BPA | Where $_Category -eq
Performance | Set-MBCAResult -Exclude $true
Description
The first section of the preceding example to the left of the first pipe character (|) uses the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is
represented by Model Id
The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those
scan results for which the category name is equal to Performance
The final section of the example following the second pipe character excludes the Performance
results that were filtered by the previous section of the example
-------------------------- EXAMPLE 2 --------------------------
$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath
CReposPath | Where $_Category -eq Policy
Page 56
Set-MBCAResult -Exclude $true -RepositoryPath CReposPath -Results
$rcPolicy
Description
The first line of the preceding example to the left of the pipe character (|) instructs the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is
represented by Specified Model Id from the specified non-default repository path
The second section of the example after the pipe character filters the results of the Get-MBCAResult
cmdlet to return only those scan results for which the category name is equal to (note the -eq option)
Policy The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet this
variable can be used in subsequent commands to represent those results
The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that
are stored in the $rcPolicy variable In this example the -Results parameter is added because the
administrator wants to exclude a specific subset of scan results for that model and has created the
variable $rcPolicy to represent that subset of results The repository root is specified in the second line
because the administrator wants to modify the results in the same non-default repository from which
the data in $rcPolicy was retrieved
915 MBCA Model Authoring
Further information about configuration and usage of MBCA models you can in the
MBCA_ModelAuthoringGuidedocx
Page 57
Did this paper help you Please give us your feedback Tell us on a scale of 1 (poor) to 5 (excellent)
how would you rate this paper and why have you given it this rating For example
Are you rating it high due to having good examples excellent screen shots clear writing or
another reason
Are you rating it low due to poor examples fuzzy screen shots or unclear writing
This feedback will help us improve the quality of white papers we release
Send feedback
Page 42
9 ADDITIONAL INFORMATION
91 PowerShell
To use the functionality of the Baseline Configuration Analyzer with PowerShell you must import this
module first
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$xExportedCommands
The following commands are stored in this module
Get-MbcaModel
Get-MbcaResult
Invoke-MbcaModel
Set-MbcaResult
You get help of this command with the following syntax
Get-help ltcommandgt -full
911 Get-MBCAModel
SYNOPSIS
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and that are installed on a computer
SYNTAX
Get-MBCAModel [[-ModelId] ltstring[]gt] [[-SubModelId] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer If no parameter is
specified Get-MBCAModel returns all models that are installed on the computer If a model is specified
by using the -ModelId parameter information about the specified model is returned
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
The results of the Get-MBCAModel cmdlet include the following details about models
1 Branding information (manufacturer or company display names version number) that is found in
the model manifest
2 Dynamic parameters that are included with the model
3 Submodels that are included with the model
PARAMETERS
-ModelId ltstring[]gt
The -ModelId parameter specifies the ID of the MBCA model about which you want to view
details You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet with no parameters and targeted at a computer on which MBCA models are installed
Page 43
This parameter supports wild card characters
Required false
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you
want to view details You can obtain valid values for the -SubModelId parameter by running the
Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models
are installed Not all models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
Examples
Get-MBCAModel
In the preceding example Get-MBCAModel with no parameters added returns details about all MBCA
models that are installed on the computer
Get-MBCAModel -ModelId SQL2008R2BPA
The preceding example can be used to return details about the MBCA model that is specified in the -
ModelId parameter represented by Model Id
$model= Get-MBCAModel -ModelId SQL2008R2BPA
$modelParameters
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the Parameters property of the model details that were stored in the
$model object returns details about which parameters are supported by the model
Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId ltSubModel Idgt
The preceding example can be used to return details about the MBCA sub-model that is specified by
the -SubModelId parameter represented by SubModel Id Note that the -ModelId parameter is
required by the -SubModelId parameter
$model= Get-MBCAModel -ModelId SQL2008R2BPA
Page 44
$modelSubModels
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the SubModels property of the model details that were stored in the
$model object returns a list of the submodels of the model specified in the first line
912 Invoke-MBCAModel
SYNOPSIS
The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA)
scan for a specific model that is installed on your computer
SYNTAX
Invoke-MBCAModel [-ModelId] ltstringgt -SubModelId ltstringgt [-Authentication
ltAuthenticationMechanismgt] [-CertificateThumbprint ltstringgt] [-ComputerName
ltstring[]gt] [-ConfigurationName ltstringgt] [-Context ltstringgt] [-Credential
ltstringgt] [-Mode ltModeEnumgt] [-Port ltintgt] [-RepositoryPath ltstringgt] [-
ThrottleLimit ltintgt] [-UseSSL] [ltCommonParametersgt]
DESCRIPTION
The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer
(MBCA) scan for a specific model that is installed on your computer The model is specified either by
using the parameter -ModelId or by piping the results of the Get-MBCAModel cmdlet into an Invoke-
MBCAMode cmdlet
After the MBCA scan has been performed the results of the scan are available to be retrieved by Get-
MBCAResult cmdlet
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Authentication ltAuthenticationMechanismgt
Specifies the authentication mechanism that is used to authenticate the users credentials Valid
values include Default Basic CredSSP Digest Kerberos Negotiate and
NegotiateWithImplicitCredential The default value is Default
For more information about the -Authentication parameter type the following and then press
Enter
Get-Help Invoke-Command -Parameter Authentication
Required false
Position named
Default value Default
Accept pipeline input false
Accept wildcard characters false
-CertificateThumbprint ltstringgt
Page 45
Specifies the digital public key certificate (X509) of a user account that has rights to perform the
cmdlet action The valid value is the certificate thumbprint of the certificate
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Certificate Thumbprint
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific
computer by adding this parameter Valid values include NETBOS names IP addresses or fully-
qualified domain names of one or more computers in a comma-separated list To specify the local
computer type the computer name or localhost
All formats that are accepted by the -ComputerName parameter in Invoke-Command are
accepted
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ConfigurationName ltstringgt
Specifies the session configuration that is used for a new PSSession
Enter a configuration name or the fully-qualified resource URI for a session configuration
Session configuration data is found on the remote computer on which you want to run a cmdlet
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ConfigurationName
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
The -Context parameter lets you run scans on a submodel in the context of a specific model (one
that is different from the parent model of the submodel) For example an administrator might
want to run a scan on the Backend submodel of the SQL model but only those in the context
of a third model a technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
Page 46
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Credential ltstringgt
Specifies a user account that has permission to run this cmdlet The default value is the current
user
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Credential
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Mode ltModeEnumgt
The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered
documents or discovery The default is to perform both discovery and analysis or All
If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet both discovery and
analysis are performed during a scan
Valid values are Discovery Analysis and All
Required false
Position named
Default value All
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model that you want to scan You can
obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at
a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
Page 47
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-Port ltintgt
Specifies the network port on a remote computer on which you want to run a scan The default
value is port 80
For more information on this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Port
Required false
Position named
Default value 80
Accept pipeline input false
Accept wildcard characters false
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a pathname If the parameter is not used the cmdlet writes
results to the default result repository
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to
scan You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed Not all models have
submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ThrottleLimit ltintgt
Specifies the maximum number of concurrent connections that can be established to run the
cmdlet If you omit this parameter or enter a value of 0 the default value of 32 is used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ThrottleLimit
Required false
Page 48
Position named
Default value 32
Accept pipeline input false
Accept wildcard characters false
-UseSSL [ltSwitchParametergt]
Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer
By default SSL is not used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter UseSSL
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceInvokeBpaModelOutputgt
The output object encapsulates the results of the cmdlet that you entered It contains information such
as the MBCA model ID the success or failure of the cmdlet and other details
NOTES
If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C)
before the temporary results file is copied to its final location the temporary file is discarded and any
previous scan results file for the role are preserved The message Processing of Invoke-MBCAModel
cancelled by user is displayed if the command is cancelled before existing scan results files are
overwritten
If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel
cmdlet and the command is cancelled scans that were completed before the cancel command was
entered cannot be cancelled A scan in progress behaves as described above in the single-model scan
cancellation scenario Subsequent scans in the pipeline are cancelled
If a concurrent scan of the same model is attempted the cmdlet returns the following error message
Another scan for this MBCA model is in progress Only one scan is allowed at a time
-------------------------- EXAMPLE 1 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA
Description
The preceding example starts a MBCA scan on the model that is represented by ltModel Idgt
-------------------------- EXAMPLE 2 --------------------------
Page 49
Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name
redmondmicrosoftcom
Description
The preceding example starts an MBCA scan on the model ID that is specified by Model Id
The administrator starts the MBCA scan with additional model-specific parameters that are exposed by
the model (For an example of how to obtain model-specific parameters see the examples for the Get-
MBCAModel cmdlet)
For example to scan a model that requires model-specific parameters (such as -Scope and -Name) to
be passed to the command the administrator can specify the values of these model-specific
parameters with the Invoke-MBCAModel cmdlet
-------------------------- EXAMPLE 3 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The
cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion
of the scan
-------------------------- EXAMPLE 4 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath
ltRepository Pathgt
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The -
Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on
existing documents that are specified in the non-default repository path provided with the -Repository
Path parameter
-------------------------- EXAMPLE 5 --------------------------
Invoke-MBCAModel -Id ltModel Idgt -SubModelId ltSubModel Idgt -ComputerName
ltServergt -Context ltContext Model Idgt -RepositoryPath ltRespository Pathgt -
AsJob -Authentication ltAuthenticatonMechanismgt -Port ltPort Numbergt -UseSSL -
ThrottleLimit ltThrottle Limitgt
Description
The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id
and on the computer that is represented by Server
Because the administrator only wants to see results from the submodel that apply in the context of a
third model the administrator runs the scan within the context of the model ID that is specified in the -
Context parameter The cmdlet results are saved to the non-default repository path that is specified in
the -RepositoryPath parameter
Because the -AsJob parameter is added the scan runs in the background The -AsJob -
Authentication -Port -UseSSL and -ThrottleLimit parameters are passed through for use by the
Invoke-Command cmdlet to perform discovery on a remote computer For more information about
these parameters see the Help for the Invoke-Command cmdlet available in Windows PowerShell V2
913 Get-MBCAResult
SYNOPSIS
Page 50
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
SYNTAX
Get-MBCAResult [-ModelId] ltstringgt [[-CollectedConfiguration]] -SubModelId
ltstringgt [-ComputerName ltstring[]gt] [-Context ltstringgt] [-Filter
ltFilterEnumgt] [-RepositoryPath ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
To use the command add the -ModelId parameter and then specify the model ID for which you want
to view the most recent MBCA scan results or collected configuration data If you want to retrieve the
configuration data collected add the -CollectedConfiguration switch parameter
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-CollectedConfiguration [ltSwitchParametergt]
The -CollectedConfiguration parameter allows you to obtain the configuration data that was
collected for the most recent MBCA scan If this switch parameter is added to Get-MBCAResults
the cmdlet returns only the configuration data that was collected for a scan
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The -ComputerName parameter lets you obtain scan results that were collected for the most
recent MBCA scan of a submodel on a specific computer To specify the local computer type the
computer name or localhost Multiple values for -ComputerName can be separated by
commas
The -SubModelId parameter is required by the -ComputerName parameter
Valid values for the -ComputerName parameter include localhost a NET BIOS name an IP
address or a fully-qualified domain name (FQDN) of one or more computers in a comma-
separated list
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
Page 51
The -Context parameter lets you obtain scan results that were collected for the most recent
MBCA scan of a submodel in the context of a specific model (one that is different from the parent
model of the submodel) For example an administrator might want to display scan results for the
Backend submodel of the SQL model but only those in the context of a third model a
technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Filter ltFilterEnumgt
The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant
Noncompliant or All results Valid values are Noncompliant Compliant or All The default value
is All
The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan
results You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet obtains
results from the default result repository
Required false
Position named
Page 52
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you
want to view scan results You can obtain valid values for the -SubModelId parameter by running
the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed Not all
models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceResultgt OR
SystemXmlXmlDocument (if -CollectedData specified)
If you do not use the -CollectedConfiguration parameter verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Results
2 Attempting to get MBCA results for Model Id = 0
3 Completed getting MBCA results for Model Id = 0 Number of Results = 1
If you add the -CollectedConfiguration parameter to display configuration data that was used for a
scan verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Configuration Data
2 Attempting to get MBCA collected configuration data for Model Id = 0
3 Completed getting MBCA collected configuration data for Model Id = 0
NOTES
The Get-MBCAResult cmdlet must be run by a member of the Administrators group and it does not
start a new scan
Cancellation behaviour
Single Model - To cancel this cmdlet you must press Ctrl+C before the ResultCollection is displayed
on the console The operation is cancelled and results are not displayed on the console
Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models
the cmdlet generates only those results that were displayed on the console before the cancellation
Any subsequent results in the pipeline are cancelled and not displayed
Page 53
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -Id SQL2008R2BPA
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id
-------------------------- EXAMPLE 2 --------------------------
Get-MBCAModel | Get-MBCAResult
In the preceding example Get-MBCAModel is used to return a list of all MBCA models that are
installed on the computer The results of the Get-MBCAModel cmdlet are piped to the Get-
MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both
supported by MBCA and installed on the computer at which the cmdlet is targeted
-------------------------- EXAMPLE 3 --------------------------
$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$resultDiscoveryDocument
Description
In the preceding example configuration data (in XML form) that was collected during the most recent
Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is
retrieved and stored as a property in the variable $result $resultDiscoveryDocument is of type
SystemXmlXmlDocument
-------------------------- EXAMPLE 4 --------------------------
Get-MBCAResult SQL2008R2BPA -Filter Noncompliant
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id and then applies a filter to show only Noncompliant
results
------------------------- EXAMPLE 5 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId Note that the parent model ID must be specified
to use the -SubModelId parameter
------------------------- EXAMPLE 6 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt -ComputerName ltServergt
-Context ltContext Model Idgt -RepositoryPath ltRepository Pathgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId The parent model ID is provided as required by
the -SubModelID parameter
The -Context parameter indicates that the administrator wants to see only those scan results that are in
the context of the model that is represented by Context Model Id for example only those results from
a SQL Server scan that specifically apply to another technology such as Web Server (IIS)
Page 54
The scan results are further narrowed to only those from a computer that is specified in the -
ComputerName parameter as Server and only those results found in the non-default results
repository that is represented by Repository Path
914 Set-MBCAResult
SYNOPSIS
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
SYNTAX
Set-MBCAResult [[-Exclude] ltBooleangt] [-Results] ltResultgtgt [[-
RepostitoryPath] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
The action specified in the cmdlet (Exclude for example) determines how the existing results of an
MBCA scan are updated Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet
to return a collection of scan results
You can apply filters to results that are returned by the Get-MBCAResult cmdlet and then pipe the
filtered collection of results to the Set-MBCAResult cmdlet specifying either to include or exclude
filtered scan results
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Exclude ltBooleangt
Excludes scan results from the results collection that were previously obtained by the Get-
MBCAResult command To exclude results by using the -Exclude parameter add the value $true
following the parameter as shown
-Exclude $true
To include results that have been excluded use the $false value for the -Exclude parameter
Required false
Position 2
Default value
Accept pipeline input false
Accept wildcard characters false
-RepostitoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet
modifies results from the default result repository
Required false
Page 55
Position 4
Default value
Accept pipeline input false
Accept wildcard characters false
-Results ltResultgtgt
Specifies the result collection to be updated by the Set-MBCAResult cmdlet The -Results
parameter is typically used to specify a filtered subset of scan results that has already been
stored in a variable the variable name is provided as the valid value for the -Results parameter
For example if you have created a variable $allPerformance to store all the Performance
category results for an MBCA scan of all models on a computer and you want to exclude those
Performance results from the complete collection of scan results you add the parameter -Results
$all Performance to a Set-MBCAResult cmdlet
For a more detailed example see the Examples section of the Help for this cmdlet
Required true
Position 3
Default value
Accept pipeline input true (ByValue)
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type ldquoget-
help about_commonparameters
NOTES
If the Set-MBCAResult command is cancelled before the results are written to a file the operation is
cancelled and the results file is not modified If cancellation occurs after the results file has been
modified the commands actions are carried out and the command cannot be cancelled
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -ModelId SQL2008R2BPA | Where $_Category -eq
Performance | Set-MBCAResult -Exclude $true
Description
The first section of the preceding example to the left of the first pipe character (|) uses the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is
represented by Model Id
The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those
scan results for which the category name is equal to Performance
The final section of the example following the second pipe character excludes the Performance
results that were filtered by the previous section of the example
-------------------------- EXAMPLE 2 --------------------------
$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath
CReposPath | Where $_Category -eq Policy
Page 56
Set-MBCAResult -Exclude $true -RepositoryPath CReposPath -Results
$rcPolicy
Description
The first line of the preceding example to the left of the pipe character (|) instructs the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is
represented by Specified Model Id from the specified non-default repository path
The second section of the example after the pipe character filters the results of the Get-MBCAResult
cmdlet to return only those scan results for which the category name is equal to (note the -eq option)
Policy The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet this
variable can be used in subsequent commands to represent those results
The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that
are stored in the $rcPolicy variable In this example the -Results parameter is added because the
administrator wants to exclude a specific subset of scan results for that model and has created the
variable $rcPolicy to represent that subset of results The repository root is specified in the second line
because the administrator wants to modify the results in the same non-default repository from which
the data in $rcPolicy was retrieved
915 MBCA Model Authoring
Further information about configuration and usage of MBCA models you can in the
MBCA_ModelAuthoringGuidedocx
Page 57
Did this paper help you Please give us your feedback Tell us on a scale of 1 (poor) to 5 (excellent)
how would you rate this paper and why have you given it this rating For example
Are you rating it high due to having good examples excellent screen shots clear writing or
another reason
Are you rating it low due to poor examples fuzzy screen shots or unclear writing
This feedback will help us improve the quality of white papers we release
Send feedback
Page 43
This parameter supports wild card characters
Required false
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you
want to view details You can obtain valid values for the -SubModelId parameter by running the
Get-MBCAModel cmdlet without parameters and targeted at a computer on which MBCA models
are installed Not all models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
Examples
Get-MBCAModel
In the preceding example Get-MBCAModel with no parameters added returns details about all MBCA
models that are installed on the computer
Get-MBCAModel -ModelId SQL2008R2BPA
The preceding example can be used to return details about the MBCA model that is specified in the -
ModelId parameter represented by Model Id
$model= Get-MBCAModel -ModelId SQL2008R2BPA
$modelParameters
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the Parameters property of the model details that were stored in the
$model object returns details about which parameters are supported by the model
Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId ltSubModel Idgt
The preceding example can be used to return details about the MBCA sub-model that is specified by
the -SubModelId parameter represented by SubModel Id Note that the -ModelId parameter is
required by the -SubModelId parameter
$model= Get-MBCAModel -ModelId SQL2008R2BPA
Page 44
$modelSubModels
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the SubModels property of the model details that were stored in the
$model object returns a list of the submodels of the model specified in the first line
912 Invoke-MBCAModel
SYNOPSIS
The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA)
scan for a specific model that is installed on your computer
SYNTAX
Invoke-MBCAModel [-ModelId] ltstringgt -SubModelId ltstringgt [-Authentication
ltAuthenticationMechanismgt] [-CertificateThumbprint ltstringgt] [-ComputerName
ltstring[]gt] [-ConfigurationName ltstringgt] [-Context ltstringgt] [-Credential
ltstringgt] [-Mode ltModeEnumgt] [-Port ltintgt] [-RepositoryPath ltstringgt] [-
ThrottleLimit ltintgt] [-UseSSL] [ltCommonParametersgt]
DESCRIPTION
The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer
(MBCA) scan for a specific model that is installed on your computer The model is specified either by
using the parameter -ModelId or by piping the results of the Get-MBCAModel cmdlet into an Invoke-
MBCAMode cmdlet
After the MBCA scan has been performed the results of the scan are available to be retrieved by Get-
MBCAResult cmdlet
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Authentication ltAuthenticationMechanismgt
Specifies the authentication mechanism that is used to authenticate the users credentials Valid
values include Default Basic CredSSP Digest Kerberos Negotiate and
NegotiateWithImplicitCredential The default value is Default
For more information about the -Authentication parameter type the following and then press
Enter
Get-Help Invoke-Command -Parameter Authentication
Required false
Position named
Default value Default
Accept pipeline input false
Accept wildcard characters false
-CertificateThumbprint ltstringgt
Page 45
Specifies the digital public key certificate (X509) of a user account that has rights to perform the
cmdlet action The valid value is the certificate thumbprint of the certificate
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Certificate Thumbprint
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific
computer by adding this parameter Valid values include NETBOS names IP addresses or fully-
qualified domain names of one or more computers in a comma-separated list To specify the local
computer type the computer name or localhost
All formats that are accepted by the -ComputerName parameter in Invoke-Command are
accepted
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ConfigurationName ltstringgt
Specifies the session configuration that is used for a new PSSession
Enter a configuration name or the fully-qualified resource URI for a session configuration
Session configuration data is found on the remote computer on which you want to run a cmdlet
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ConfigurationName
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
The -Context parameter lets you run scans on a submodel in the context of a specific model (one
that is different from the parent model of the submodel) For example an administrator might
want to run a scan on the Backend submodel of the SQL model but only those in the context
of a third model a technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
Page 46
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Credential ltstringgt
Specifies a user account that has permission to run this cmdlet The default value is the current
user
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Credential
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Mode ltModeEnumgt
The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered
documents or discovery The default is to perform both discovery and analysis or All
If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet both discovery and
analysis are performed during a scan
Valid values are Discovery Analysis and All
Required false
Position named
Default value All
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model that you want to scan You can
obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at
a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
Page 47
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-Port ltintgt
Specifies the network port on a remote computer on which you want to run a scan The default
value is port 80
For more information on this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Port
Required false
Position named
Default value 80
Accept pipeline input false
Accept wildcard characters false
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a pathname If the parameter is not used the cmdlet writes
results to the default result repository
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to
scan You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed Not all models have
submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ThrottleLimit ltintgt
Specifies the maximum number of concurrent connections that can be established to run the
cmdlet If you omit this parameter or enter a value of 0 the default value of 32 is used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ThrottleLimit
Required false
Page 48
Position named
Default value 32
Accept pipeline input false
Accept wildcard characters false
-UseSSL [ltSwitchParametergt]
Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer
By default SSL is not used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter UseSSL
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceInvokeBpaModelOutputgt
The output object encapsulates the results of the cmdlet that you entered It contains information such
as the MBCA model ID the success or failure of the cmdlet and other details
NOTES
If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C)
before the temporary results file is copied to its final location the temporary file is discarded and any
previous scan results file for the role are preserved The message Processing of Invoke-MBCAModel
cancelled by user is displayed if the command is cancelled before existing scan results files are
overwritten
If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel
cmdlet and the command is cancelled scans that were completed before the cancel command was
entered cannot be cancelled A scan in progress behaves as described above in the single-model scan
cancellation scenario Subsequent scans in the pipeline are cancelled
If a concurrent scan of the same model is attempted the cmdlet returns the following error message
Another scan for this MBCA model is in progress Only one scan is allowed at a time
-------------------------- EXAMPLE 1 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA
Description
The preceding example starts a MBCA scan on the model that is represented by ltModel Idgt
-------------------------- EXAMPLE 2 --------------------------
Page 49
Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name
redmondmicrosoftcom
Description
The preceding example starts an MBCA scan on the model ID that is specified by Model Id
The administrator starts the MBCA scan with additional model-specific parameters that are exposed by
the model (For an example of how to obtain model-specific parameters see the examples for the Get-
MBCAModel cmdlet)
For example to scan a model that requires model-specific parameters (such as -Scope and -Name) to
be passed to the command the administrator can specify the values of these model-specific
parameters with the Invoke-MBCAModel cmdlet
-------------------------- EXAMPLE 3 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The
cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion
of the scan
-------------------------- EXAMPLE 4 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath
ltRepository Pathgt
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The -
Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on
existing documents that are specified in the non-default repository path provided with the -Repository
Path parameter
-------------------------- EXAMPLE 5 --------------------------
Invoke-MBCAModel -Id ltModel Idgt -SubModelId ltSubModel Idgt -ComputerName
ltServergt -Context ltContext Model Idgt -RepositoryPath ltRespository Pathgt -
AsJob -Authentication ltAuthenticatonMechanismgt -Port ltPort Numbergt -UseSSL -
ThrottleLimit ltThrottle Limitgt
Description
The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id
and on the computer that is represented by Server
Because the administrator only wants to see results from the submodel that apply in the context of a
third model the administrator runs the scan within the context of the model ID that is specified in the -
Context parameter The cmdlet results are saved to the non-default repository path that is specified in
the -RepositoryPath parameter
Because the -AsJob parameter is added the scan runs in the background The -AsJob -
Authentication -Port -UseSSL and -ThrottleLimit parameters are passed through for use by the
Invoke-Command cmdlet to perform discovery on a remote computer For more information about
these parameters see the Help for the Invoke-Command cmdlet available in Windows PowerShell V2
913 Get-MBCAResult
SYNOPSIS
Page 50
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
SYNTAX
Get-MBCAResult [-ModelId] ltstringgt [[-CollectedConfiguration]] -SubModelId
ltstringgt [-ComputerName ltstring[]gt] [-Context ltstringgt] [-Filter
ltFilterEnumgt] [-RepositoryPath ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
To use the command add the -ModelId parameter and then specify the model ID for which you want
to view the most recent MBCA scan results or collected configuration data If you want to retrieve the
configuration data collected add the -CollectedConfiguration switch parameter
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-CollectedConfiguration [ltSwitchParametergt]
The -CollectedConfiguration parameter allows you to obtain the configuration data that was
collected for the most recent MBCA scan If this switch parameter is added to Get-MBCAResults
the cmdlet returns only the configuration data that was collected for a scan
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The -ComputerName parameter lets you obtain scan results that were collected for the most
recent MBCA scan of a submodel on a specific computer To specify the local computer type the
computer name or localhost Multiple values for -ComputerName can be separated by
commas
The -SubModelId parameter is required by the -ComputerName parameter
Valid values for the -ComputerName parameter include localhost a NET BIOS name an IP
address or a fully-qualified domain name (FQDN) of one or more computers in a comma-
separated list
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
Page 51
The -Context parameter lets you obtain scan results that were collected for the most recent
MBCA scan of a submodel in the context of a specific model (one that is different from the parent
model of the submodel) For example an administrator might want to display scan results for the
Backend submodel of the SQL model but only those in the context of a third model a
technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Filter ltFilterEnumgt
The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant
Noncompliant or All results Valid values are Noncompliant Compliant or All The default value
is All
The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan
results You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet obtains
results from the default result repository
Required false
Position named
Page 52
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you
want to view scan results You can obtain valid values for the -SubModelId parameter by running
the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed Not all
models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceResultgt OR
SystemXmlXmlDocument (if -CollectedData specified)
If you do not use the -CollectedConfiguration parameter verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Results
2 Attempting to get MBCA results for Model Id = 0
3 Completed getting MBCA results for Model Id = 0 Number of Results = 1
If you add the -CollectedConfiguration parameter to display configuration data that was used for a
scan verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Configuration Data
2 Attempting to get MBCA collected configuration data for Model Id = 0
3 Completed getting MBCA collected configuration data for Model Id = 0
NOTES
The Get-MBCAResult cmdlet must be run by a member of the Administrators group and it does not
start a new scan
Cancellation behaviour
Single Model - To cancel this cmdlet you must press Ctrl+C before the ResultCollection is displayed
on the console The operation is cancelled and results are not displayed on the console
Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models
the cmdlet generates only those results that were displayed on the console before the cancellation
Any subsequent results in the pipeline are cancelled and not displayed
Page 53
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -Id SQL2008R2BPA
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id
-------------------------- EXAMPLE 2 --------------------------
Get-MBCAModel | Get-MBCAResult
In the preceding example Get-MBCAModel is used to return a list of all MBCA models that are
installed on the computer The results of the Get-MBCAModel cmdlet are piped to the Get-
MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both
supported by MBCA and installed on the computer at which the cmdlet is targeted
-------------------------- EXAMPLE 3 --------------------------
$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$resultDiscoveryDocument
Description
In the preceding example configuration data (in XML form) that was collected during the most recent
Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is
retrieved and stored as a property in the variable $result $resultDiscoveryDocument is of type
SystemXmlXmlDocument
-------------------------- EXAMPLE 4 --------------------------
Get-MBCAResult SQL2008R2BPA -Filter Noncompliant
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id and then applies a filter to show only Noncompliant
results
------------------------- EXAMPLE 5 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId Note that the parent model ID must be specified
to use the -SubModelId parameter
------------------------- EXAMPLE 6 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt -ComputerName ltServergt
-Context ltContext Model Idgt -RepositoryPath ltRepository Pathgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId The parent model ID is provided as required by
the -SubModelID parameter
The -Context parameter indicates that the administrator wants to see only those scan results that are in
the context of the model that is represented by Context Model Id for example only those results from
a SQL Server scan that specifically apply to another technology such as Web Server (IIS)
Page 54
The scan results are further narrowed to only those from a computer that is specified in the -
ComputerName parameter as Server and only those results found in the non-default results
repository that is represented by Repository Path
914 Set-MBCAResult
SYNOPSIS
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
SYNTAX
Set-MBCAResult [[-Exclude] ltBooleangt] [-Results] ltResultgtgt [[-
RepostitoryPath] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
The action specified in the cmdlet (Exclude for example) determines how the existing results of an
MBCA scan are updated Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet
to return a collection of scan results
You can apply filters to results that are returned by the Get-MBCAResult cmdlet and then pipe the
filtered collection of results to the Set-MBCAResult cmdlet specifying either to include or exclude
filtered scan results
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Exclude ltBooleangt
Excludes scan results from the results collection that were previously obtained by the Get-
MBCAResult command To exclude results by using the -Exclude parameter add the value $true
following the parameter as shown
-Exclude $true
To include results that have been excluded use the $false value for the -Exclude parameter
Required false
Position 2
Default value
Accept pipeline input false
Accept wildcard characters false
-RepostitoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet
modifies results from the default result repository
Required false
Page 55
Position 4
Default value
Accept pipeline input false
Accept wildcard characters false
-Results ltResultgtgt
Specifies the result collection to be updated by the Set-MBCAResult cmdlet The -Results
parameter is typically used to specify a filtered subset of scan results that has already been
stored in a variable the variable name is provided as the valid value for the -Results parameter
For example if you have created a variable $allPerformance to store all the Performance
category results for an MBCA scan of all models on a computer and you want to exclude those
Performance results from the complete collection of scan results you add the parameter -Results
$all Performance to a Set-MBCAResult cmdlet
For a more detailed example see the Examples section of the Help for this cmdlet
Required true
Position 3
Default value
Accept pipeline input true (ByValue)
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type ldquoget-
help about_commonparameters
NOTES
If the Set-MBCAResult command is cancelled before the results are written to a file the operation is
cancelled and the results file is not modified If cancellation occurs after the results file has been
modified the commands actions are carried out and the command cannot be cancelled
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -ModelId SQL2008R2BPA | Where $_Category -eq
Performance | Set-MBCAResult -Exclude $true
Description
The first section of the preceding example to the left of the first pipe character (|) uses the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is
represented by Model Id
The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those
scan results for which the category name is equal to Performance
The final section of the example following the second pipe character excludes the Performance
results that were filtered by the previous section of the example
-------------------------- EXAMPLE 2 --------------------------
$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath
CReposPath | Where $_Category -eq Policy
Page 56
Set-MBCAResult -Exclude $true -RepositoryPath CReposPath -Results
$rcPolicy
Description
The first line of the preceding example to the left of the pipe character (|) instructs the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is
represented by Specified Model Id from the specified non-default repository path
The second section of the example after the pipe character filters the results of the Get-MBCAResult
cmdlet to return only those scan results for which the category name is equal to (note the -eq option)
Policy The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet this
variable can be used in subsequent commands to represent those results
The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that
are stored in the $rcPolicy variable In this example the -Results parameter is added because the
administrator wants to exclude a specific subset of scan results for that model and has created the
variable $rcPolicy to represent that subset of results The repository root is specified in the second line
because the administrator wants to modify the results in the same non-default repository from which
the data in $rcPolicy was retrieved
915 MBCA Model Authoring
Further information about configuration and usage of MBCA models you can in the
MBCA_ModelAuthoringGuidedocx
Page 57
Did this paper help you Please give us your feedback Tell us on a scale of 1 (poor) to 5 (excellent)
how would you rate this paper and why have you given it this rating For example
Are you rating it high due to having good examples excellent screen shots clear writing or
another reason
Are you rating it low due to poor examples fuzzy screen shots or unclear writing
This feedback will help us improve the quality of white papers we release
Send feedback
Page 44
$modelSubModels
In the preceding example Get-MBCAModel returns details about the specified MBCA model that is
represented by Model Id The results of the cmdlet are stored in the variable $model
In the next line of the example the SubModels property of the model details that were stored in the
$model object returns a list of the submodels of the model specified in the first line
912 Invoke-MBCAModel
SYNOPSIS
The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA)
scan for a specific model that is installed on your computer
SYNTAX
Invoke-MBCAModel [-ModelId] ltstringgt -SubModelId ltstringgt [-Authentication
ltAuthenticationMechanismgt] [-CertificateThumbprint ltstringgt] [-ComputerName
ltstring[]gt] [-ConfigurationName ltstringgt] [-Context ltstringgt] [-Credential
ltstringgt] [-Mode ltModeEnumgt] [-Port ltintgt] [-RepositoryPath ltstringgt] [-
ThrottleLimit ltintgt] [-UseSSL] [ltCommonParametersgt]
DESCRIPTION
The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer
(MBCA) scan for a specific model that is installed on your computer The model is specified either by
using the parameter -ModelId or by piping the results of the Get-MBCAModel cmdlet into an Invoke-
MBCAMode cmdlet
After the MBCA scan has been performed the results of the scan are available to be retrieved by Get-
MBCAResult cmdlet
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Authentication ltAuthenticationMechanismgt
Specifies the authentication mechanism that is used to authenticate the users credentials Valid
values include Default Basic CredSSP Digest Kerberos Negotiate and
NegotiateWithImplicitCredential The default value is Default
For more information about the -Authentication parameter type the following and then press
Enter
Get-Help Invoke-Command -Parameter Authentication
Required false
Position named
Default value Default
Accept pipeline input false
Accept wildcard characters false
-CertificateThumbprint ltstringgt
Page 45
Specifies the digital public key certificate (X509) of a user account that has rights to perform the
cmdlet action The valid value is the certificate thumbprint of the certificate
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Certificate Thumbprint
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific
computer by adding this parameter Valid values include NETBOS names IP addresses or fully-
qualified domain names of one or more computers in a comma-separated list To specify the local
computer type the computer name or localhost
All formats that are accepted by the -ComputerName parameter in Invoke-Command are
accepted
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ConfigurationName ltstringgt
Specifies the session configuration that is used for a new PSSession
Enter a configuration name or the fully-qualified resource URI for a session configuration
Session configuration data is found on the remote computer on which you want to run a cmdlet
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ConfigurationName
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
The -Context parameter lets you run scans on a submodel in the context of a specific model (one
that is different from the parent model of the submodel) For example an administrator might
want to run a scan on the Backend submodel of the SQL model but only those in the context
of a third model a technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
Page 46
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Credential ltstringgt
Specifies a user account that has permission to run this cmdlet The default value is the current
user
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Credential
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Mode ltModeEnumgt
The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered
documents or discovery The default is to perform both discovery and analysis or All
If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet both discovery and
analysis are performed during a scan
Valid values are Discovery Analysis and All
Required false
Position named
Default value All
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model that you want to scan You can
obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at
a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
Page 47
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-Port ltintgt
Specifies the network port on a remote computer on which you want to run a scan The default
value is port 80
For more information on this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Port
Required false
Position named
Default value 80
Accept pipeline input false
Accept wildcard characters false
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a pathname If the parameter is not used the cmdlet writes
results to the default result repository
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to
scan You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed Not all models have
submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ThrottleLimit ltintgt
Specifies the maximum number of concurrent connections that can be established to run the
cmdlet If you omit this parameter or enter a value of 0 the default value of 32 is used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ThrottleLimit
Required false
Page 48
Position named
Default value 32
Accept pipeline input false
Accept wildcard characters false
-UseSSL [ltSwitchParametergt]
Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer
By default SSL is not used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter UseSSL
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceInvokeBpaModelOutputgt
The output object encapsulates the results of the cmdlet that you entered It contains information such
as the MBCA model ID the success or failure of the cmdlet and other details
NOTES
If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C)
before the temporary results file is copied to its final location the temporary file is discarded and any
previous scan results file for the role are preserved The message Processing of Invoke-MBCAModel
cancelled by user is displayed if the command is cancelled before existing scan results files are
overwritten
If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel
cmdlet and the command is cancelled scans that were completed before the cancel command was
entered cannot be cancelled A scan in progress behaves as described above in the single-model scan
cancellation scenario Subsequent scans in the pipeline are cancelled
If a concurrent scan of the same model is attempted the cmdlet returns the following error message
Another scan for this MBCA model is in progress Only one scan is allowed at a time
-------------------------- EXAMPLE 1 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA
Description
The preceding example starts a MBCA scan on the model that is represented by ltModel Idgt
-------------------------- EXAMPLE 2 --------------------------
Page 49
Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name
redmondmicrosoftcom
Description
The preceding example starts an MBCA scan on the model ID that is specified by Model Id
The administrator starts the MBCA scan with additional model-specific parameters that are exposed by
the model (For an example of how to obtain model-specific parameters see the examples for the Get-
MBCAModel cmdlet)
For example to scan a model that requires model-specific parameters (such as -Scope and -Name) to
be passed to the command the administrator can specify the values of these model-specific
parameters with the Invoke-MBCAModel cmdlet
-------------------------- EXAMPLE 3 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The
cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion
of the scan
-------------------------- EXAMPLE 4 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath
ltRepository Pathgt
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The -
Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on
existing documents that are specified in the non-default repository path provided with the -Repository
Path parameter
-------------------------- EXAMPLE 5 --------------------------
Invoke-MBCAModel -Id ltModel Idgt -SubModelId ltSubModel Idgt -ComputerName
ltServergt -Context ltContext Model Idgt -RepositoryPath ltRespository Pathgt -
AsJob -Authentication ltAuthenticatonMechanismgt -Port ltPort Numbergt -UseSSL -
ThrottleLimit ltThrottle Limitgt
Description
The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id
and on the computer that is represented by Server
Because the administrator only wants to see results from the submodel that apply in the context of a
third model the administrator runs the scan within the context of the model ID that is specified in the -
Context parameter The cmdlet results are saved to the non-default repository path that is specified in
the -RepositoryPath parameter
Because the -AsJob parameter is added the scan runs in the background The -AsJob -
Authentication -Port -UseSSL and -ThrottleLimit parameters are passed through for use by the
Invoke-Command cmdlet to perform discovery on a remote computer For more information about
these parameters see the Help for the Invoke-Command cmdlet available in Windows PowerShell V2
913 Get-MBCAResult
SYNOPSIS
Page 50
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
SYNTAX
Get-MBCAResult [-ModelId] ltstringgt [[-CollectedConfiguration]] -SubModelId
ltstringgt [-ComputerName ltstring[]gt] [-Context ltstringgt] [-Filter
ltFilterEnumgt] [-RepositoryPath ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
To use the command add the -ModelId parameter and then specify the model ID for which you want
to view the most recent MBCA scan results or collected configuration data If you want to retrieve the
configuration data collected add the -CollectedConfiguration switch parameter
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-CollectedConfiguration [ltSwitchParametergt]
The -CollectedConfiguration parameter allows you to obtain the configuration data that was
collected for the most recent MBCA scan If this switch parameter is added to Get-MBCAResults
the cmdlet returns only the configuration data that was collected for a scan
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The -ComputerName parameter lets you obtain scan results that were collected for the most
recent MBCA scan of a submodel on a specific computer To specify the local computer type the
computer name or localhost Multiple values for -ComputerName can be separated by
commas
The -SubModelId parameter is required by the -ComputerName parameter
Valid values for the -ComputerName parameter include localhost a NET BIOS name an IP
address or a fully-qualified domain name (FQDN) of one or more computers in a comma-
separated list
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
Page 51
The -Context parameter lets you obtain scan results that were collected for the most recent
MBCA scan of a submodel in the context of a specific model (one that is different from the parent
model of the submodel) For example an administrator might want to display scan results for the
Backend submodel of the SQL model but only those in the context of a third model a
technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Filter ltFilterEnumgt
The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant
Noncompliant or All results Valid values are Noncompliant Compliant or All The default value
is All
The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan
results You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet obtains
results from the default result repository
Required false
Position named
Page 52
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you
want to view scan results You can obtain valid values for the -SubModelId parameter by running
the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed Not all
models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceResultgt OR
SystemXmlXmlDocument (if -CollectedData specified)
If you do not use the -CollectedConfiguration parameter verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Results
2 Attempting to get MBCA results for Model Id = 0
3 Completed getting MBCA results for Model Id = 0 Number of Results = 1
If you add the -CollectedConfiguration parameter to display configuration data that was used for a
scan verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Configuration Data
2 Attempting to get MBCA collected configuration data for Model Id = 0
3 Completed getting MBCA collected configuration data for Model Id = 0
NOTES
The Get-MBCAResult cmdlet must be run by a member of the Administrators group and it does not
start a new scan
Cancellation behaviour
Single Model - To cancel this cmdlet you must press Ctrl+C before the ResultCollection is displayed
on the console The operation is cancelled and results are not displayed on the console
Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models
the cmdlet generates only those results that were displayed on the console before the cancellation
Any subsequent results in the pipeline are cancelled and not displayed
Page 53
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -Id SQL2008R2BPA
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id
-------------------------- EXAMPLE 2 --------------------------
Get-MBCAModel | Get-MBCAResult
In the preceding example Get-MBCAModel is used to return a list of all MBCA models that are
installed on the computer The results of the Get-MBCAModel cmdlet are piped to the Get-
MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both
supported by MBCA and installed on the computer at which the cmdlet is targeted
-------------------------- EXAMPLE 3 --------------------------
$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$resultDiscoveryDocument
Description
In the preceding example configuration data (in XML form) that was collected during the most recent
Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is
retrieved and stored as a property in the variable $result $resultDiscoveryDocument is of type
SystemXmlXmlDocument
-------------------------- EXAMPLE 4 --------------------------
Get-MBCAResult SQL2008R2BPA -Filter Noncompliant
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id and then applies a filter to show only Noncompliant
results
------------------------- EXAMPLE 5 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId Note that the parent model ID must be specified
to use the -SubModelId parameter
------------------------- EXAMPLE 6 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt -ComputerName ltServergt
-Context ltContext Model Idgt -RepositoryPath ltRepository Pathgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId The parent model ID is provided as required by
the -SubModelID parameter
The -Context parameter indicates that the administrator wants to see only those scan results that are in
the context of the model that is represented by Context Model Id for example only those results from
a SQL Server scan that specifically apply to another technology such as Web Server (IIS)
Page 54
The scan results are further narrowed to only those from a computer that is specified in the -
ComputerName parameter as Server and only those results found in the non-default results
repository that is represented by Repository Path
914 Set-MBCAResult
SYNOPSIS
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
SYNTAX
Set-MBCAResult [[-Exclude] ltBooleangt] [-Results] ltResultgtgt [[-
RepostitoryPath] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
The action specified in the cmdlet (Exclude for example) determines how the existing results of an
MBCA scan are updated Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet
to return a collection of scan results
You can apply filters to results that are returned by the Get-MBCAResult cmdlet and then pipe the
filtered collection of results to the Set-MBCAResult cmdlet specifying either to include or exclude
filtered scan results
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Exclude ltBooleangt
Excludes scan results from the results collection that were previously obtained by the Get-
MBCAResult command To exclude results by using the -Exclude parameter add the value $true
following the parameter as shown
-Exclude $true
To include results that have been excluded use the $false value for the -Exclude parameter
Required false
Position 2
Default value
Accept pipeline input false
Accept wildcard characters false
-RepostitoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet
modifies results from the default result repository
Required false
Page 55
Position 4
Default value
Accept pipeline input false
Accept wildcard characters false
-Results ltResultgtgt
Specifies the result collection to be updated by the Set-MBCAResult cmdlet The -Results
parameter is typically used to specify a filtered subset of scan results that has already been
stored in a variable the variable name is provided as the valid value for the -Results parameter
For example if you have created a variable $allPerformance to store all the Performance
category results for an MBCA scan of all models on a computer and you want to exclude those
Performance results from the complete collection of scan results you add the parameter -Results
$all Performance to a Set-MBCAResult cmdlet
For a more detailed example see the Examples section of the Help for this cmdlet
Required true
Position 3
Default value
Accept pipeline input true (ByValue)
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type ldquoget-
help about_commonparameters
NOTES
If the Set-MBCAResult command is cancelled before the results are written to a file the operation is
cancelled and the results file is not modified If cancellation occurs after the results file has been
modified the commands actions are carried out and the command cannot be cancelled
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -ModelId SQL2008R2BPA | Where $_Category -eq
Performance | Set-MBCAResult -Exclude $true
Description
The first section of the preceding example to the left of the first pipe character (|) uses the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is
represented by Model Id
The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those
scan results for which the category name is equal to Performance
The final section of the example following the second pipe character excludes the Performance
results that were filtered by the previous section of the example
-------------------------- EXAMPLE 2 --------------------------
$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath
CReposPath | Where $_Category -eq Policy
Page 56
Set-MBCAResult -Exclude $true -RepositoryPath CReposPath -Results
$rcPolicy
Description
The first line of the preceding example to the left of the pipe character (|) instructs the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is
represented by Specified Model Id from the specified non-default repository path
The second section of the example after the pipe character filters the results of the Get-MBCAResult
cmdlet to return only those scan results for which the category name is equal to (note the -eq option)
Policy The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet this
variable can be used in subsequent commands to represent those results
The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that
are stored in the $rcPolicy variable In this example the -Results parameter is added because the
administrator wants to exclude a specific subset of scan results for that model and has created the
variable $rcPolicy to represent that subset of results The repository root is specified in the second line
because the administrator wants to modify the results in the same non-default repository from which
the data in $rcPolicy was retrieved
915 MBCA Model Authoring
Further information about configuration and usage of MBCA models you can in the
MBCA_ModelAuthoringGuidedocx
Page 57
Did this paper help you Please give us your feedback Tell us on a scale of 1 (poor) to 5 (excellent)
how would you rate this paper and why have you given it this rating For example
Are you rating it high due to having good examples excellent screen shots clear writing or
another reason
Are you rating it low due to poor examples fuzzy screen shots or unclear writing
This feedback will help us improve the quality of white papers we release
Send feedback
Page 45
Specifies the digital public key certificate (X509) of a user account that has rights to perform the
cmdlet action The valid value is the certificate thumbprint of the certificate
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Certificate Thumbprint
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific
computer by adding this parameter Valid values include NETBOS names IP addresses or fully-
qualified domain names of one or more computers in a comma-separated list To specify the local
computer type the computer name or localhost
All formats that are accepted by the -ComputerName parameter in Invoke-Command are
accepted
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ConfigurationName ltstringgt
Specifies the session configuration that is used for a new PSSession
Enter a configuration name or the fully-qualified resource URI for a session configuration
Session configuration data is found on the remote computer on which you want to run a cmdlet
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ConfigurationName
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
The -Context parameter lets you run scans on a submodel in the context of a specific model (one
that is different from the parent model of the submodel) For example an administrator might
want to run a scan on the Backend submodel of the SQL model but only those in the context
of a third model a technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
Page 46
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Credential ltstringgt
Specifies a user account that has permission to run this cmdlet The default value is the current
user
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Credential
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Mode ltModeEnumgt
The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered
documents or discovery The default is to perform both discovery and analysis or All
If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet both discovery and
analysis are performed during a scan
Valid values are Discovery Analysis and All
Required false
Position named
Default value All
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model that you want to scan You can
obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at
a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
Page 47
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-Port ltintgt
Specifies the network port on a remote computer on which you want to run a scan The default
value is port 80
For more information on this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Port
Required false
Position named
Default value 80
Accept pipeline input false
Accept wildcard characters false
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a pathname If the parameter is not used the cmdlet writes
results to the default result repository
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to
scan You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed Not all models have
submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ThrottleLimit ltintgt
Specifies the maximum number of concurrent connections that can be established to run the
cmdlet If you omit this parameter or enter a value of 0 the default value of 32 is used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ThrottleLimit
Required false
Page 48
Position named
Default value 32
Accept pipeline input false
Accept wildcard characters false
-UseSSL [ltSwitchParametergt]
Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer
By default SSL is not used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter UseSSL
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceInvokeBpaModelOutputgt
The output object encapsulates the results of the cmdlet that you entered It contains information such
as the MBCA model ID the success or failure of the cmdlet and other details
NOTES
If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C)
before the temporary results file is copied to its final location the temporary file is discarded and any
previous scan results file for the role are preserved The message Processing of Invoke-MBCAModel
cancelled by user is displayed if the command is cancelled before existing scan results files are
overwritten
If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel
cmdlet and the command is cancelled scans that were completed before the cancel command was
entered cannot be cancelled A scan in progress behaves as described above in the single-model scan
cancellation scenario Subsequent scans in the pipeline are cancelled
If a concurrent scan of the same model is attempted the cmdlet returns the following error message
Another scan for this MBCA model is in progress Only one scan is allowed at a time
-------------------------- EXAMPLE 1 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA
Description
The preceding example starts a MBCA scan on the model that is represented by ltModel Idgt
-------------------------- EXAMPLE 2 --------------------------
Page 49
Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name
redmondmicrosoftcom
Description
The preceding example starts an MBCA scan on the model ID that is specified by Model Id
The administrator starts the MBCA scan with additional model-specific parameters that are exposed by
the model (For an example of how to obtain model-specific parameters see the examples for the Get-
MBCAModel cmdlet)
For example to scan a model that requires model-specific parameters (such as -Scope and -Name) to
be passed to the command the administrator can specify the values of these model-specific
parameters with the Invoke-MBCAModel cmdlet
-------------------------- EXAMPLE 3 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The
cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion
of the scan
-------------------------- EXAMPLE 4 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath
ltRepository Pathgt
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The -
Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on
existing documents that are specified in the non-default repository path provided with the -Repository
Path parameter
-------------------------- EXAMPLE 5 --------------------------
Invoke-MBCAModel -Id ltModel Idgt -SubModelId ltSubModel Idgt -ComputerName
ltServergt -Context ltContext Model Idgt -RepositoryPath ltRespository Pathgt -
AsJob -Authentication ltAuthenticatonMechanismgt -Port ltPort Numbergt -UseSSL -
ThrottleLimit ltThrottle Limitgt
Description
The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id
and on the computer that is represented by Server
Because the administrator only wants to see results from the submodel that apply in the context of a
third model the administrator runs the scan within the context of the model ID that is specified in the -
Context parameter The cmdlet results are saved to the non-default repository path that is specified in
the -RepositoryPath parameter
Because the -AsJob parameter is added the scan runs in the background The -AsJob -
Authentication -Port -UseSSL and -ThrottleLimit parameters are passed through for use by the
Invoke-Command cmdlet to perform discovery on a remote computer For more information about
these parameters see the Help for the Invoke-Command cmdlet available in Windows PowerShell V2
913 Get-MBCAResult
SYNOPSIS
Page 50
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
SYNTAX
Get-MBCAResult [-ModelId] ltstringgt [[-CollectedConfiguration]] -SubModelId
ltstringgt [-ComputerName ltstring[]gt] [-Context ltstringgt] [-Filter
ltFilterEnumgt] [-RepositoryPath ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
To use the command add the -ModelId parameter and then specify the model ID for which you want
to view the most recent MBCA scan results or collected configuration data If you want to retrieve the
configuration data collected add the -CollectedConfiguration switch parameter
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-CollectedConfiguration [ltSwitchParametergt]
The -CollectedConfiguration parameter allows you to obtain the configuration data that was
collected for the most recent MBCA scan If this switch parameter is added to Get-MBCAResults
the cmdlet returns only the configuration data that was collected for a scan
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The -ComputerName parameter lets you obtain scan results that were collected for the most
recent MBCA scan of a submodel on a specific computer To specify the local computer type the
computer name or localhost Multiple values for -ComputerName can be separated by
commas
The -SubModelId parameter is required by the -ComputerName parameter
Valid values for the -ComputerName parameter include localhost a NET BIOS name an IP
address or a fully-qualified domain name (FQDN) of one or more computers in a comma-
separated list
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
Page 51
The -Context parameter lets you obtain scan results that were collected for the most recent
MBCA scan of a submodel in the context of a specific model (one that is different from the parent
model of the submodel) For example an administrator might want to display scan results for the
Backend submodel of the SQL model but only those in the context of a third model a
technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Filter ltFilterEnumgt
The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant
Noncompliant or All results Valid values are Noncompliant Compliant or All The default value
is All
The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan
results You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet obtains
results from the default result repository
Required false
Position named
Page 52
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you
want to view scan results You can obtain valid values for the -SubModelId parameter by running
the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed Not all
models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceResultgt OR
SystemXmlXmlDocument (if -CollectedData specified)
If you do not use the -CollectedConfiguration parameter verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Results
2 Attempting to get MBCA results for Model Id = 0
3 Completed getting MBCA results for Model Id = 0 Number of Results = 1
If you add the -CollectedConfiguration parameter to display configuration data that was used for a
scan verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Configuration Data
2 Attempting to get MBCA collected configuration data for Model Id = 0
3 Completed getting MBCA collected configuration data for Model Id = 0
NOTES
The Get-MBCAResult cmdlet must be run by a member of the Administrators group and it does not
start a new scan
Cancellation behaviour
Single Model - To cancel this cmdlet you must press Ctrl+C before the ResultCollection is displayed
on the console The operation is cancelled and results are not displayed on the console
Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models
the cmdlet generates only those results that were displayed on the console before the cancellation
Any subsequent results in the pipeline are cancelled and not displayed
Page 53
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -Id SQL2008R2BPA
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id
-------------------------- EXAMPLE 2 --------------------------
Get-MBCAModel | Get-MBCAResult
In the preceding example Get-MBCAModel is used to return a list of all MBCA models that are
installed on the computer The results of the Get-MBCAModel cmdlet are piped to the Get-
MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both
supported by MBCA and installed on the computer at which the cmdlet is targeted
-------------------------- EXAMPLE 3 --------------------------
$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$resultDiscoveryDocument
Description
In the preceding example configuration data (in XML form) that was collected during the most recent
Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is
retrieved and stored as a property in the variable $result $resultDiscoveryDocument is of type
SystemXmlXmlDocument
-------------------------- EXAMPLE 4 --------------------------
Get-MBCAResult SQL2008R2BPA -Filter Noncompliant
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id and then applies a filter to show only Noncompliant
results
------------------------- EXAMPLE 5 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId Note that the parent model ID must be specified
to use the -SubModelId parameter
------------------------- EXAMPLE 6 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt -ComputerName ltServergt
-Context ltContext Model Idgt -RepositoryPath ltRepository Pathgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId The parent model ID is provided as required by
the -SubModelID parameter
The -Context parameter indicates that the administrator wants to see only those scan results that are in
the context of the model that is represented by Context Model Id for example only those results from
a SQL Server scan that specifically apply to another technology such as Web Server (IIS)
Page 54
The scan results are further narrowed to only those from a computer that is specified in the -
ComputerName parameter as Server and only those results found in the non-default results
repository that is represented by Repository Path
914 Set-MBCAResult
SYNOPSIS
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
SYNTAX
Set-MBCAResult [[-Exclude] ltBooleangt] [-Results] ltResultgtgt [[-
RepostitoryPath] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
The action specified in the cmdlet (Exclude for example) determines how the existing results of an
MBCA scan are updated Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet
to return a collection of scan results
You can apply filters to results that are returned by the Get-MBCAResult cmdlet and then pipe the
filtered collection of results to the Set-MBCAResult cmdlet specifying either to include or exclude
filtered scan results
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Exclude ltBooleangt
Excludes scan results from the results collection that were previously obtained by the Get-
MBCAResult command To exclude results by using the -Exclude parameter add the value $true
following the parameter as shown
-Exclude $true
To include results that have been excluded use the $false value for the -Exclude parameter
Required false
Position 2
Default value
Accept pipeline input false
Accept wildcard characters false
-RepostitoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet
modifies results from the default result repository
Required false
Page 55
Position 4
Default value
Accept pipeline input false
Accept wildcard characters false
-Results ltResultgtgt
Specifies the result collection to be updated by the Set-MBCAResult cmdlet The -Results
parameter is typically used to specify a filtered subset of scan results that has already been
stored in a variable the variable name is provided as the valid value for the -Results parameter
For example if you have created a variable $allPerformance to store all the Performance
category results for an MBCA scan of all models on a computer and you want to exclude those
Performance results from the complete collection of scan results you add the parameter -Results
$all Performance to a Set-MBCAResult cmdlet
For a more detailed example see the Examples section of the Help for this cmdlet
Required true
Position 3
Default value
Accept pipeline input true (ByValue)
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type ldquoget-
help about_commonparameters
NOTES
If the Set-MBCAResult command is cancelled before the results are written to a file the operation is
cancelled and the results file is not modified If cancellation occurs after the results file has been
modified the commands actions are carried out and the command cannot be cancelled
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -ModelId SQL2008R2BPA | Where $_Category -eq
Performance | Set-MBCAResult -Exclude $true
Description
The first section of the preceding example to the left of the first pipe character (|) uses the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is
represented by Model Id
The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those
scan results for which the category name is equal to Performance
The final section of the example following the second pipe character excludes the Performance
results that were filtered by the previous section of the example
-------------------------- EXAMPLE 2 --------------------------
$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath
CReposPath | Where $_Category -eq Policy
Page 56
Set-MBCAResult -Exclude $true -RepositoryPath CReposPath -Results
$rcPolicy
Description
The first line of the preceding example to the left of the pipe character (|) instructs the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is
represented by Specified Model Id from the specified non-default repository path
The second section of the example after the pipe character filters the results of the Get-MBCAResult
cmdlet to return only those scan results for which the category name is equal to (note the -eq option)
Policy The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet this
variable can be used in subsequent commands to represent those results
The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that
are stored in the $rcPolicy variable In this example the -Results parameter is added because the
administrator wants to exclude a specific subset of scan results for that model and has created the
variable $rcPolicy to represent that subset of results The repository root is specified in the second line
because the administrator wants to modify the results in the same non-default repository from which
the data in $rcPolicy was retrieved
915 MBCA Model Authoring
Further information about configuration and usage of MBCA models you can in the
MBCA_ModelAuthoringGuidedocx
Page 57
Did this paper help you Please give us your feedback Tell us on a scale of 1 (poor) to 5 (excellent)
how would you rate this paper and why have you given it this rating For example
Are you rating it high due to having good examples excellent screen shots clear writing or
another reason
Are you rating it low due to poor examples fuzzy screen shots or unclear writing
This feedback will help us improve the quality of white papers we release
Send feedback
Page 46
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Credential ltstringgt
Specifies a user account that has permission to run this cmdlet The default value is the current
user
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Credential
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Mode ltModeEnumgt
The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered
documents or discovery The default is to perform both discovery and analysis or All
If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet both discovery and
analysis are performed during a scan
Valid values are Discovery Analysis and All
Required false
Position named
Default value All
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model that you want to scan You can
obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at
a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
Page 47
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-Port ltintgt
Specifies the network port on a remote computer on which you want to run a scan The default
value is port 80
For more information on this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Port
Required false
Position named
Default value 80
Accept pipeline input false
Accept wildcard characters false
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a pathname If the parameter is not used the cmdlet writes
results to the default result repository
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to
scan You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed Not all models have
submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ThrottleLimit ltintgt
Specifies the maximum number of concurrent connections that can be established to run the
cmdlet If you omit this parameter or enter a value of 0 the default value of 32 is used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ThrottleLimit
Required false
Page 48
Position named
Default value 32
Accept pipeline input false
Accept wildcard characters false
-UseSSL [ltSwitchParametergt]
Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer
By default SSL is not used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter UseSSL
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceInvokeBpaModelOutputgt
The output object encapsulates the results of the cmdlet that you entered It contains information such
as the MBCA model ID the success or failure of the cmdlet and other details
NOTES
If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C)
before the temporary results file is copied to its final location the temporary file is discarded and any
previous scan results file for the role are preserved The message Processing of Invoke-MBCAModel
cancelled by user is displayed if the command is cancelled before existing scan results files are
overwritten
If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel
cmdlet and the command is cancelled scans that were completed before the cancel command was
entered cannot be cancelled A scan in progress behaves as described above in the single-model scan
cancellation scenario Subsequent scans in the pipeline are cancelled
If a concurrent scan of the same model is attempted the cmdlet returns the following error message
Another scan for this MBCA model is in progress Only one scan is allowed at a time
-------------------------- EXAMPLE 1 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA
Description
The preceding example starts a MBCA scan on the model that is represented by ltModel Idgt
-------------------------- EXAMPLE 2 --------------------------
Page 49
Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name
redmondmicrosoftcom
Description
The preceding example starts an MBCA scan on the model ID that is specified by Model Id
The administrator starts the MBCA scan with additional model-specific parameters that are exposed by
the model (For an example of how to obtain model-specific parameters see the examples for the Get-
MBCAModel cmdlet)
For example to scan a model that requires model-specific parameters (such as -Scope and -Name) to
be passed to the command the administrator can specify the values of these model-specific
parameters with the Invoke-MBCAModel cmdlet
-------------------------- EXAMPLE 3 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The
cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion
of the scan
-------------------------- EXAMPLE 4 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath
ltRepository Pathgt
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The -
Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on
existing documents that are specified in the non-default repository path provided with the -Repository
Path parameter
-------------------------- EXAMPLE 5 --------------------------
Invoke-MBCAModel -Id ltModel Idgt -SubModelId ltSubModel Idgt -ComputerName
ltServergt -Context ltContext Model Idgt -RepositoryPath ltRespository Pathgt -
AsJob -Authentication ltAuthenticatonMechanismgt -Port ltPort Numbergt -UseSSL -
ThrottleLimit ltThrottle Limitgt
Description
The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id
and on the computer that is represented by Server
Because the administrator only wants to see results from the submodel that apply in the context of a
third model the administrator runs the scan within the context of the model ID that is specified in the -
Context parameter The cmdlet results are saved to the non-default repository path that is specified in
the -RepositoryPath parameter
Because the -AsJob parameter is added the scan runs in the background The -AsJob -
Authentication -Port -UseSSL and -ThrottleLimit parameters are passed through for use by the
Invoke-Command cmdlet to perform discovery on a remote computer For more information about
these parameters see the Help for the Invoke-Command cmdlet available in Windows PowerShell V2
913 Get-MBCAResult
SYNOPSIS
Page 50
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
SYNTAX
Get-MBCAResult [-ModelId] ltstringgt [[-CollectedConfiguration]] -SubModelId
ltstringgt [-ComputerName ltstring[]gt] [-Context ltstringgt] [-Filter
ltFilterEnumgt] [-RepositoryPath ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
To use the command add the -ModelId parameter and then specify the model ID for which you want
to view the most recent MBCA scan results or collected configuration data If you want to retrieve the
configuration data collected add the -CollectedConfiguration switch parameter
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-CollectedConfiguration [ltSwitchParametergt]
The -CollectedConfiguration parameter allows you to obtain the configuration data that was
collected for the most recent MBCA scan If this switch parameter is added to Get-MBCAResults
the cmdlet returns only the configuration data that was collected for a scan
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The -ComputerName parameter lets you obtain scan results that were collected for the most
recent MBCA scan of a submodel on a specific computer To specify the local computer type the
computer name or localhost Multiple values for -ComputerName can be separated by
commas
The -SubModelId parameter is required by the -ComputerName parameter
Valid values for the -ComputerName parameter include localhost a NET BIOS name an IP
address or a fully-qualified domain name (FQDN) of one or more computers in a comma-
separated list
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
Page 51
The -Context parameter lets you obtain scan results that were collected for the most recent
MBCA scan of a submodel in the context of a specific model (one that is different from the parent
model of the submodel) For example an administrator might want to display scan results for the
Backend submodel of the SQL model but only those in the context of a third model a
technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Filter ltFilterEnumgt
The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant
Noncompliant or All results Valid values are Noncompliant Compliant or All The default value
is All
The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan
results You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet obtains
results from the default result repository
Required false
Position named
Page 52
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you
want to view scan results You can obtain valid values for the -SubModelId parameter by running
the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed Not all
models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceResultgt OR
SystemXmlXmlDocument (if -CollectedData specified)
If you do not use the -CollectedConfiguration parameter verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Results
2 Attempting to get MBCA results for Model Id = 0
3 Completed getting MBCA results for Model Id = 0 Number of Results = 1
If you add the -CollectedConfiguration parameter to display configuration data that was used for a
scan verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Configuration Data
2 Attempting to get MBCA collected configuration data for Model Id = 0
3 Completed getting MBCA collected configuration data for Model Id = 0
NOTES
The Get-MBCAResult cmdlet must be run by a member of the Administrators group and it does not
start a new scan
Cancellation behaviour
Single Model - To cancel this cmdlet you must press Ctrl+C before the ResultCollection is displayed
on the console The operation is cancelled and results are not displayed on the console
Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models
the cmdlet generates only those results that were displayed on the console before the cancellation
Any subsequent results in the pipeline are cancelled and not displayed
Page 53
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -Id SQL2008R2BPA
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id
-------------------------- EXAMPLE 2 --------------------------
Get-MBCAModel | Get-MBCAResult
In the preceding example Get-MBCAModel is used to return a list of all MBCA models that are
installed on the computer The results of the Get-MBCAModel cmdlet are piped to the Get-
MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both
supported by MBCA and installed on the computer at which the cmdlet is targeted
-------------------------- EXAMPLE 3 --------------------------
$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$resultDiscoveryDocument
Description
In the preceding example configuration data (in XML form) that was collected during the most recent
Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is
retrieved and stored as a property in the variable $result $resultDiscoveryDocument is of type
SystemXmlXmlDocument
-------------------------- EXAMPLE 4 --------------------------
Get-MBCAResult SQL2008R2BPA -Filter Noncompliant
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id and then applies a filter to show only Noncompliant
results
------------------------- EXAMPLE 5 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId Note that the parent model ID must be specified
to use the -SubModelId parameter
------------------------- EXAMPLE 6 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt -ComputerName ltServergt
-Context ltContext Model Idgt -RepositoryPath ltRepository Pathgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId The parent model ID is provided as required by
the -SubModelID parameter
The -Context parameter indicates that the administrator wants to see only those scan results that are in
the context of the model that is represented by Context Model Id for example only those results from
a SQL Server scan that specifically apply to another technology such as Web Server (IIS)
Page 54
The scan results are further narrowed to only those from a computer that is specified in the -
ComputerName parameter as Server and only those results found in the non-default results
repository that is represented by Repository Path
914 Set-MBCAResult
SYNOPSIS
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
SYNTAX
Set-MBCAResult [[-Exclude] ltBooleangt] [-Results] ltResultgtgt [[-
RepostitoryPath] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
The action specified in the cmdlet (Exclude for example) determines how the existing results of an
MBCA scan are updated Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet
to return a collection of scan results
You can apply filters to results that are returned by the Get-MBCAResult cmdlet and then pipe the
filtered collection of results to the Set-MBCAResult cmdlet specifying either to include or exclude
filtered scan results
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Exclude ltBooleangt
Excludes scan results from the results collection that were previously obtained by the Get-
MBCAResult command To exclude results by using the -Exclude parameter add the value $true
following the parameter as shown
-Exclude $true
To include results that have been excluded use the $false value for the -Exclude parameter
Required false
Position 2
Default value
Accept pipeline input false
Accept wildcard characters false
-RepostitoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet
modifies results from the default result repository
Required false
Page 55
Position 4
Default value
Accept pipeline input false
Accept wildcard characters false
-Results ltResultgtgt
Specifies the result collection to be updated by the Set-MBCAResult cmdlet The -Results
parameter is typically used to specify a filtered subset of scan results that has already been
stored in a variable the variable name is provided as the valid value for the -Results parameter
For example if you have created a variable $allPerformance to store all the Performance
category results for an MBCA scan of all models on a computer and you want to exclude those
Performance results from the complete collection of scan results you add the parameter -Results
$all Performance to a Set-MBCAResult cmdlet
For a more detailed example see the Examples section of the Help for this cmdlet
Required true
Position 3
Default value
Accept pipeline input true (ByValue)
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type ldquoget-
help about_commonparameters
NOTES
If the Set-MBCAResult command is cancelled before the results are written to a file the operation is
cancelled and the results file is not modified If cancellation occurs after the results file has been
modified the commands actions are carried out and the command cannot be cancelled
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -ModelId SQL2008R2BPA | Where $_Category -eq
Performance | Set-MBCAResult -Exclude $true
Description
The first section of the preceding example to the left of the first pipe character (|) uses the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is
represented by Model Id
The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those
scan results for which the category name is equal to Performance
The final section of the example following the second pipe character excludes the Performance
results that were filtered by the previous section of the example
-------------------------- EXAMPLE 2 --------------------------
$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath
CReposPath | Where $_Category -eq Policy
Page 56
Set-MBCAResult -Exclude $true -RepositoryPath CReposPath -Results
$rcPolicy
Description
The first line of the preceding example to the left of the pipe character (|) instructs the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is
represented by Specified Model Id from the specified non-default repository path
The second section of the example after the pipe character filters the results of the Get-MBCAResult
cmdlet to return only those scan results for which the category name is equal to (note the -eq option)
Policy The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet this
variable can be used in subsequent commands to represent those results
The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that
are stored in the $rcPolicy variable In this example the -Results parameter is added because the
administrator wants to exclude a specific subset of scan results for that model and has created the
variable $rcPolicy to represent that subset of results The repository root is specified in the second line
because the administrator wants to modify the results in the same non-default repository from which
the data in $rcPolicy was retrieved
915 MBCA Model Authoring
Further information about configuration and usage of MBCA models you can in the
MBCA_ModelAuthoringGuidedocx
Page 57
Did this paper help you Please give us your feedback Tell us on a scale of 1 (poor) to 5 (excellent)
how would you rate this paper and why have you given it this rating For example
Are you rating it high due to having good examples excellent screen shots clear writing or
another reason
Are you rating it low due to poor examples fuzzy screen shots or unclear writing
This feedback will help us improve the quality of white papers we release
Send feedback
Page 47
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-Port ltintgt
Specifies the network port on a remote computer on which you want to run a scan The default
value is port 80
For more information on this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter Port
Required false
Position named
Default value 80
Accept pipeline input false
Accept wildcard characters false
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a pathname If the parameter is not used the cmdlet writes
results to the default result repository
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to
scan You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed Not all models have
submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ThrottleLimit ltintgt
Specifies the maximum number of concurrent connections that can be established to run the
cmdlet If you omit this parameter or enter a value of 0 the default value of 32 is used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter ThrottleLimit
Required false
Page 48
Position named
Default value 32
Accept pipeline input false
Accept wildcard characters false
-UseSSL [ltSwitchParametergt]
Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer
By default SSL is not used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter UseSSL
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceInvokeBpaModelOutputgt
The output object encapsulates the results of the cmdlet that you entered It contains information such
as the MBCA model ID the success or failure of the cmdlet and other details
NOTES
If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C)
before the temporary results file is copied to its final location the temporary file is discarded and any
previous scan results file for the role are preserved The message Processing of Invoke-MBCAModel
cancelled by user is displayed if the command is cancelled before existing scan results files are
overwritten
If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel
cmdlet and the command is cancelled scans that were completed before the cancel command was
entered cannot be cancelled A scan in progress behaves as described above in the single-model scan
cancellation scenario Subsequent scans in the pipeline are cancelled
If a concurrent scan of the same model is attempted the cmdlet returns the following error message
Another scan for this MBCA model is in progress Only one scan is allowed at a time
-------------------------- EXAMPLE 1 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA
Description
The preceding example starts a MBCA scan on the model that is represented by ltModel Idgt
-------------------------- EXAMPLE 2 --------------------------
Page 49
Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name
redmondmicrosoftcom
Description
The preceding example starts an MBCA scan on the model ID that is specified by Model Id
The administrator starts the MBCA scan with additional model-specific parameters that are exposed by
the model (For an example of how to obtain model-specific parameters see the examples for the Get-
MBCAModel cmdlet)
For example to scan a model that requires model-specific parameters (such as -Scope and -Name) to
be passed to the command the administrator can specify the values of these model-specific
parameters with the Invoke-MBCAModel cmdlet
-------------------------- EXAMPLE 3 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The
cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion
of the scan
-------------------------- EXAMPLE 4 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath
ltRepository Pathgt
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The -
Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on
existing documents that are specified in the non-default repository path provided with the -Repository
Path parameter
-------------------------- EXAMPLE 5 --------------------------
Invoke-MBCAModel -Id ltModel Idgt -SubModelId ltSubModel Idgt -ComputerName
ltServergt -Context ltContext Model Idgt -RepositoryPath ltRespository Pathgt -
AsJob -Authentication ltAuthenticatonMechanismgt -Port ltPort Numbergt -UseSSL -
ThrottleLimit ltThrottle Limitgt
Description
The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id
and on the computer that is represented by Server
Because the administrator only wants to see results from the submodel that apply in the context of a
third model the administrator runs the scan within the context of the model ID that is specified in the -
Context parameter The cmdlet results are saved to the non-default repository path that is specified in
the -RepositoryPath parameter
Because the -AsJob parameter is added the scan runs in the background The -AsJob -
Authentication -Port -UseSSL and -ThrottleLimit parameters are passed through for use by the
Invoke-Command cmdlet to perform discovery on a remote computer For more information about
these parameters see the Help for the Invoke-Command cmdlet available in Windows PowerShell V2
913 Get-MBCAResult
SYNOPSIS
Page 50
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
SYNTAX
Get-MBCAResult [-ModelId] ltstringgt [[-CollectedConfiguration]] -SubModelId
ltstringgt [-ComputerName ltstring[]gt] [-Context ltstringgt] [-Filter
ltFilterEnumgt] [-RepositoryPath ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
To use the command add the -ModelId parameter and then specify the model ID for which you want
to view the most recent MBCA scan results or collected configuration data If you want to retrieve the
configuration data collected add the -CollectedConfiguration switch parameter
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-CollectedConfiguration [ltSwitchParametergt]
The -CollectedConfiguration parameter allows you to obtain the configuration data that was
collected for the most recent MBCA scan If this switch parameter is added to Get-MBCAResults
the cmdlet returns only the configuration data that was collected for a scan
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The -ComputerName parameter lets you obtain scan results that were collected for the most
recent MBCA scan of a submodel on a specific computer To specify the local computer type the
computer name or localhost Multiple values for -ComputerName can be separated by
commas
The -SubModelId parameter is required by the -ComputerName parameter
Valid values for the -ComputerName parameter include localhost a NET BIOS name an IP
address or a fully-qualified domain name (FQDN) of one or more computers in a comma-
separated list
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
Page 51
The -Context parameter lets you obtain scan results that were collected for the most recent
MBCA scan of a submodel in the context of a specific model (one that is different from the parent
model of the submodel) For example an administrator might want to display scan results for the
Backend submodel of the SQL model but only those in the context of a third model a
technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Filter ltFilterEnumgt
The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant
Noncompliant or All results Valid values are Noncompliant Compliant or All The default value
is All
The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan
results You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet obtains
results from the default result repository
Required false
Position named
Page 52
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you
want to view scan results You can obtain valid values for the -SubModelId parameter by running
the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed Not all
models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceResultgt OR
SystemXmlXmlDocument (if -CollectedData specified)
If you do not use the -CollectedConfiguration parameter verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Results
2 Attempting to get MBCA results for Model Id = 0
3 Completed getting MBCA results for Model Id = 0 Number of Results = 1
If you add the -CollectedConfiguration parameter to display configuration data that was used for a
scan verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Configuration Data
2 Attempting to get MBCA collected configuration data for Model Id = 0
3 Completed getting MBCA collected configuration data for Model Id = 0
NOTES
The Get-MBCAResult cmdlet must be run by a member of the Administrators group and it does not
start a new scan
Cancellation behaviour
Single Model - To cancel this cmdlet you must press Ctrl+C before the ResultCollection is displayed
on the console The operation is cancelled and results are not displayed on the console
Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models
the cmdlet generates only those results that were displayed on the console before the cancellation
Any subsequent results in the pipeline are cancelled and not displayed
Page 53
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -Id SQL2008R2BPA
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id
-------------------------- EXAMPLE 2 --------------------------
Get-MBCAModel | Get-MBCAResult
In the preceding example Get-MBCAModel is used to return a list of all MBCA models that are
installed on the computer The results of the Get-MBCAModel cmdlet are piped to the Get-
MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both
supported by MBCA and installed on the computer at which the cmdlet is targeted
-------------------------- EXAMPLE 3 --------------------------
$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$resultDiscoveryDocument
Description
In the preceding example configuration data (in XML form) that was collected during the most recent
Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is
retrieved and stored as a property in the variable $result $resultDiscoveryDocument is of type
SystemXmlXmlDocument
-------------------------- EXAMPLE 4 --------------------------
Get-MBCAResult SQL2008R2BPA -Filter Noncompliant
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id and then applies a filter to show only Noncompliant
results
------------------------- EXAMPLE 5 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId Note that the parent model ID must be specified
to use the -SubModelId parameter
------------------------- EXAMPLE 6 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt -ComputerName ltServergt
-Context ltContext Model Idgt -RepositoryPath ltRepository Pathgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId The parent model ID is provided as required by
the -SubModelID parameter
The -Context parameter indicates that the administrator wants to see only those scan results that are in
the context of the model that is represented by Context Model Id for example only those results from
a SQL Server scan that specifically apply to another technology such as Web Server (IIS)
Page 54
The scan results are further narrowed to only those from a computer that is specified in the -
ComputerName parameter as Server and only those results found in the non-default results
repository that is represented by Repository Path
914 Set-MBCAResult
SYNOPSIS
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
SYNTAX
Set-MBCAResult [[-Exclude] ltBooleangt] [-Results] ltResultgtgt [[-
RepostitoryPath] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
The action specified in the cmdlet (Exclude for example) determines how the existing results of an
MBCA scan are updated Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet
to return a collection of scan results
You can apply filters to results that are returned by the Get-MBCAResult cmdlet and then pipe the
filtered collection of results to the Set-MBCAResult cmdlet specifying either to include or exclude
filtered scan results
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Exclude ltBooleangt
Excludes scan results from the results collection that were previously obtained by the Get-
MBCAResult command To exclude results by using the -Exclude parameter add the value $true
following the parameter as shown
-Exclude $true
To include results that have been excluded use the $false value for the -Exclude parameter
Required false
Position 2
Default value
Accept pipeline input false
Accept wildcard characters false
-RepostitoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet
modifies results from the default result repository
Required false
Page 55
Position 4
Default value
Accept pipeline input false
Accept wildcard characters false
-Results ltResultgtgt
Specifies the result collection to be updated by the Set-MBCAResult cmdlet The -Results
parameter is typically used to specify a filtered subset of scan results that has already been
stored in a variable the variable name is provided as the valid value for the -Results parameter
For example if you have created a variable $allPerformance to store all the Performance
category results for an MBCA scan of all models on a computer and you want to exclude those
Performance results from the complete collection of scan results you add the parameter -Results
$all Performance to a Set-MBCAResult cmdlet
For a more detailed example see the Examples section of the Help for this cmdlet
Required true
Position 3
Default value
Accept pipeline input true (ByValue)
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type ldquoget-
help about_commonparameters
NOTES
If the Set-MBCAResult command is cancelled before the results are written to a file the operation is
cancelled and the results file is not modified If cancellation occurs after the results file has been
modified the commands actions are carried out and the command cannot be cancelled
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -ModelId SQL2008R2BPA | Where $_Category -eq
Performance | Set-MBCAResult -Exclude $true
Description
The first section of the preceding example to the left of the first pipe character (|) uses the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is
represented by Model Id
The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those
scan results for which the category name is equal to Performance
The final section of the example following the second pipe character excludes the Performance
results that were filtered by the previous section of the example
-------------------------- EXAMPLE 2 --------------------------
$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath
CReposPath | Where $_Category -eq Policy
Page 56
Set-MBCAResult -Exclude $true -RepositoryPath CReposPath -Results
$rcPolicy
Description
The first line of the preceding example to the left of the pipe character (|) instructs the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is
represented by Specified Model Id from the specified non-default repository path
The second section of the example after the pipe character filters the results of the Get-MBCAResult
cmdlet to return only those scan results for which the category name is equal to (note the -eq option)
Policy The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet this
variable can be used in subsequent commands to represent those results
The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that
are stored in the $rcPolicy variable In this example the -Results parameter is added because the
administrator wants to exclude a specific subset of scan results for that model and has created the
variable $rcPolicy to represent that subset of results The repository root is specified in the second line
because the administrator wants to modify the results in the same non-default repository from which
the data in $rcPolicy was retrieved
915 MBCA Model Authoring
Further information about configuration and usage of MBCA models you can in the
MBCA_ModelAuthoringGuidedocx
Page 57
Did this paper help you Please give us your feedback Tell us on a scale of 1 (poor) to 5 (excellent)
how would you rate this paper and why have you given it this rating For example
Are you rating it high due to having good examples excellent screen shots clear writing or
another reason
Are you rating it low due to poor examples fuzzy screen shots or unclear writing
This feedback will help us improve the quality of white papers we release
Send feedback
Page 48
Position named
Default value 32
Accept pipeline input false
Accept wildcard characters false
-UseSSL [ltSwitchParametergt]
Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer
By default SSL is not used
For more information about this parameter type the following and then press Enter
Get-Help Invoke-Command -Parameter UseSSL
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceInvokeBpaModelOutputgt
The output object encapsulates the results of the cmdlet that you entered It contains information such
as the MBCA model ID the success or failure of the cmdlet and other details
NOTES
If the cmdlet is used to perform a single-model scan and the cmdlet is cancelled (by using CTRL+C)
before the temporary results file is copied to its final location the temporary file is discarded and any
previous scan results file for the role are preserved The message Processing of Invoke-MBCAModel
cancelled by user is displayed if the command is cancelled before existing scan results files are
overwritten
If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel
cmdlet and the command is cancelled scans that were completed before the cancel command was
entered cannot be cancelled A scan in progress behaves as described above in the single-model scan
cancellation scenario Subsequent scans in the pipeline are cancelled
If a concurrent scan of the same model is attempted the cmdlet returns the following error message
Another scan for this MBCA model is in progress Only one scan is allowed at a time
-------------------------- EXAMPLE 1 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA
Description
The preceding example starts a MBCA scan on the model that is represented by ltModel Idgt
-------------------------- EXAMPLE 2 --------------------------
Page 49
Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name
redmondmicrosoftcom
Description
The preceding example starts an MBCA scan on the model ID that is specified by Model Id
The administrator starts the MBCA scan with additional model-specific parameters that are exposed by
the model (For an example of how to obtain model-specific parameters see the examples for the Get-
MBCAModel cmdlet)
For example to scan a model that requires model-specific parameters (such as -Scope and -Name) to
be passed to the command the administrator can specify the values of these model-specific
parameters with the Invoke-MBCAModel cmdlet
-------------------------- EXAMPLE 3 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The
cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion
of the scan
-------------------------- EXAMPLE 4 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath
ltRepository Pathgt
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The -
Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on
existing documents that are specified in the non-default repository path provided with the -Repository
Path parameter
-------------------------- EXAMPLE 5 --------------------------
Invoke-MBCAModel -Id ltModel Idgt -SubModelId ltSubModel Idgt -ComputerName
ltServergt -Context ltContext Model Idgt -RepositoryPath ltRespository Pathgt -
AsJob -Authentication ltAuthenticatonMechanismgt -Port ltPort Numbergt -UseSSL -
ThrottleLimit ltThrottle Limitgt
Description
The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id
and on the computer that is represented by Server
Because the administrator only wants to see results from the submodel that apply in the context of a
third model the administrator runs the scan within the context of the model ID that is specified in the -
Context parameter The cmdlet results are saved to the non-default repository path that is specified in
the -RepositoryPath parameter
Because the -AsJob parameter is added the scan runs in the background The -AsJob -
Authentication -Port -UseSSL and -ThrottleLimit parameters are passed through for use by the
Invoke-Command cmdlet to perform discovery on a remote computer For more information about
these parameters see the Help for the Invoke-Command cmdlet available in Windows PowerShell V2
913 Get-MBCAResult
SYNOPSIS
Page 50
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
SYNTAX
Get-MBCAResult [-ModelId] ltstringgt [[-CollectedConfiguration]] -SubModelId
ltstringgt [-ComputerName ltstring[]gt] [-Context ltstringgt] [-Filter
ltFilterEnumgt] [-RepositoryPath ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
To use the command add the -ModelId parameter and then specify the model ID for which you want
to view the most recent MBCA scan results or collected configuration data If you want to retrieve the
configuration data collected add the -CollectedConfiguration switch parameter
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-CollectedConfiguration [ltSwitchParametergt]
The -CollectedConfiguration parameter allows you to obtain the configuration data that was
collected for the most recent MBCA scan If this switch parameter is added to Get-MBCAResults
the cmdlet returns only the configuration data that was collected for a scan
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The -ComputerName parameter lets you obtain scan results that were collected for the most
recent MBCA scan of a submodel on a specific computer To specify the local computer type the
computer name or localhost Multiple values for -ComputerName can be separated by
commas
The -SubModelId parameter is required by the -ComputerName parameter
Valid values for the -ComputerName parameter include localhost a NET BIOS name an IP
address or a fully-qualified domain name (FQDN) of one or more computers in a comma-
separated list
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
Page 51
The -Context parameter lets you obtain scan results that were collected for the most recent
MBCA scan of a submodel in the context of a specific model (one that is different from the parent
model of the submodel) For example an administrator might want to display scan results for the
Backend submodel of the SQL model but only those in the context of a third model a
technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Filter ltFilterEnumgt
The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant
Noncompliant or All results Valid values are Noncompliant Compliant or All The default value
is All
The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan
results You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet obtains
results from the default result repository
Required false
Position named
Page 52
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you
want to view scan results You can obtain valid values for the -SubModelId parameter by running
the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed Not all
models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceResultgt OR
SystemXmlXmlDocument (if -CollectedData specified)
If you do not use the -CollectedConfiguration parameter verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Results
2 Attempting to get MBCA results for Model Id = 0
3 Completed getting MBCA results for Model Id = 0 Number of Results = 1
If you add the -CollectedConfiguration parameter to display configuration data that was used for a
scan verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Configuration Data
2 Attempting to get MBCA collected configuration data for Model Id = 0
3 Completed getting MBCA collected configuration data for Model Id = 0
NOTES
The Get-MBCAResult cmdlet must be run by a member of the Administrators group and it does not
start a new scan
Cancellation behaviour
Single Model - To cancel this cmdlet you must press Ctrl+C before the ResultCollection is displayed
on the console The operation is cancelled and results are not displayed on the console
Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models
the cmdlet generates only those results that were displayed on the console before the cancellation
Any subsequent results in the pipeline are cancelled and not displayed
Page 53
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -Id SQL2008R2BPA
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id
-------------------------- EXAMPLE 2 --------------------------
Get-MBCAModel | Get-MBCAResult
In the preceding example Get-MBCAModel is used to return a list of all MBCA models that are
installed on the computer The results of the Get-MBCAModel cmdlet are piped to the Get-
MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both
supported by MBCA and installed on the computer at which the cmdlet is targeted
-------------------------- EXAMPLE 3 --------------------------
$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$resultDiscoveryDocument
Description
In the preceding example configuration data (in XML form) that was collected during the most recent
Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is
retrieved and stored as a property in the variable $result $resultDiscoveryDocument is of type
SystemXmlXmlDocument
-------------------------- EXAMPLE 4 --------------------------
Get-MBCAResult SQL2008R2BPA -Filter Noncompliant
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id and then applies a filter to show only Noncompliant
results
------------------------- EXAMPLE 5 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId Note that the parent model ID must be specified
to use the -SubModelId parameter
------------------------- EXAMPLE 6 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt -ComputerName ltServergt
-Context ltContext Model Idgt -RepositoryPath ltRepository Pathgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId The parent model ID is provided as required by
the -SubModelID parameter
The -Context parameter indicates that the administrator wants to see only those scan results that are in
the context of the model that is represented by Context Model Id for example only those results from
a SQL Server scan that specifically apply to another technology such as Web Server (IIS)
Page 54
The scan results are further narrowed to only those from a computer that is specified in the -
ComputerName parameter as Server and only those results found in the non-default results
repository that is represented by Repository Path
914 Set-MBCAResult
SYNOPSIS
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
SYNTAX
Set-MBCAResult [[-Exclude] ltBooleangt] [-Results] ltResultgtgt [[-
RepostitoryPath] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
The action specified in the cmdlet (Exclude for example) determines how the existing results of an
MBCA scan are updated Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet
to return a collection of scan results
You can apply filters to results that are returned by the Get-MBCAResult cmdlet and then pipe the
filtered collection of results to the Set-MBCAResult cmdlet specifying either to include or exclude
filtered scan results
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Exclude ltBooleangt
Excludes scan results from the results collection that were previously obtained by the Get-
MBCAResult command To exclude results by using the -Exclude parameter add the value $true
following the parameter as shown
-Exclude $true
To include results that have been excluded use the $false value for the -Exclude parameter
Required false
Position 2
Default value
Accept pipeline input false
Accept wildcard characters false
-RepostitoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet
modifies results from the default result repository
Required false
Page 55
Position 4
Default value
Accept pipeline input false
Accept wildcard characters false
-Results ltResultgtgt
Specifies the result collection to be updated by the Set-MBCAResult cmdlet The -Results
parameter is typically used to specify a filtered subset of scan results that has already been
stored in a variable the variable name is provided as the valid value for the -Results parameter
For example if you have created a variable $allPerformance to store all the Performance
category results for an MBCA scan of all models on a computer and you want to exclude those
Performance results from the complete collection of scan results you add the parameter -Results
$all Performance to a Set-MBCAResult cmdlet
For a more detailed example see the Examples section of the Help for this cmdlet
Required true
Position 3
Default value
Accept pipeline input true (ByValue)
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type ldquoget-
help about_commonparameters
NOTES
If the Set-MBCAResult command is cancelled before the results are written to a file the operation is
cancelled and the results file is not modified If cancellation occurs after the results file has been
modified the commands actions are carried out and the command cannot be cancelled
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -ModelId SQL2008R2BPA | Where $_Category -eq
Performance | Set-MBCAResult -Exclude $true
Description
The first section of the preceding example to the left of the first pipe character (|) uses the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is
represented by Model Id
The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those
scan results for which the category name is equal to Performance
The final section of the example following the second pipe character excludes the Performance
results that were filtered by the previous section of the example
-------------------------- EXAMPLE 2 --------------------------
$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath
CReposPath | Where $_Category -eq Policy
Page 56
Set-MBCAResult -Exclude $true -RepositoryPath CReposPath -Results
$rcPolicy
Description
The first line of the preceding example to the left of the pipe character (|) instructs the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is
represented by Specified Model Id from the specified non-default repository path
The second section of the example after the pipe character filters the results of the Get-MBCAResult
cmdlet to return only those scan results for which the category name is equal to (note the -eq option)
Policy The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet this
variable can be used in subsequent commands to represent those results
The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that
are stored in the $rcPolicy variable In this example the -Results parameter is added because the
administrator wants to exclude a specific subset of scan results for that model and has created the
variable $rcPolicy to represent that subset of results The repository root is specified in the second line
because the administrator wants to modify the results in the same non-default repository from which
the data in $rcPolicy was retrieved
915 MBCA Model Authoring
Further information about configuration and usage of MBCA models you can in the
MBCA_ModelAuthoringGuidedocx
Page 57
Did this paper help you Please give us your feedback Tell us on a scale of 1 (poor) to 5 (excellent)
how would you rate this paper and why have you given it this rating For example
Are you rating it high due to having good examples excellent screen shots clear writing or
another reason
Are you rating it low due to poor examples fuzzy screen shots or unclear writing
This feedback will help us improve the quality of white papers we release
Send feedback
Page 49
Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name
redmondmicrosoftcom
Description
The preceding example starts an MBCA scan on the model ID that is specified by Model Id
The administrator starts the MBCA scan with additional model-specific parameters that are exposed by
the model (For an example of how to obtain model-specific parameters see the examples for the Get-
MBCAModel cmdlet)
For example to scan a model that requires model-specific parameters (such as -Scope and -Name) to
be passed to the command the administrator can specify the values of these model-specific
parameters with the Invoke-MBCAModel cmdlet
-------------------------- EXAMPLE 3 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The
cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion
of the scan
-------------------------- EXAMPLE 4 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath
ltRepository Pathgt
Description
The preceding example starts an MBCA scan on the model that is represented by Model Id The -
Mode parameter value of Analysis indicates that the scan will perform analysis -- not discovery -- on
existing documents that are specified in the non-default repository path provided with the -Repository
Path parameter
-------------------------- EXAMPLE 5 --------------------------
Invoke-MBCAModel -Id ltModel Idgt -SubModelId ltSubModel Idgt -ComputerName
ltServergt -Context ltContext Model Idgt -RepositoryPath ltRespository Pathgt -
AsJob -Authentication ltAuthenticatonMechanismgt -Port ltPort Numbergt -UseSSL -
ThrottleLimit ltThrottle Limitgt
Description
The preceding example starts an MBCA scan on the submodel that is represented by SubModel Id
and on the computer that is represented by Server
Because the administrator only wants to see results from the submodel that apply in the context of a
third model the administrator runs the scan within the context of the model ID that is specified in the -
Context parameter The cmdlet results are saved to the non-default repository path that is specified in
the -RepositoryPath parameter
Because the -AsJob parameter is added the scan runs in the background The -AsJob -
Authentication -Port -UseSSL and -ThrottleLimit parameters are passed through for use by the
Invoke-Command cmdlet to perform discovery on a remote computer For more information about
these parameters see the Help for the Invoke-Command cmdlet available in Windows PowerShell V2
913 Get-MBCAResult
SYNOPSIS
Page 50
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
SYNTAX
Get-MBCAResult [-ModelId] ltstringgt [[-CollectedConfiguration]] -SubModelId
ltstringgt [-ComputerName ltstring[]gt] [-Context ltstringgt] [-Filter
ltFilterEnumgt] [-RepositoryPath ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
To use the command add the -ModelId parameter and then specify the model ID for which you want
to view the most recent MBCA scan results or collected configuration data If you want to retrieve the
configuration data collected add the -CollectedConfiguration switch parameter
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-CollectedConfiguration [ltSwitchParametergt]
The -CollectedConfiguration parameter allows you to obtain the configuration data that was
collected for the most recent MBCA scan If this switch parameter is added to Get-MBCAResults
the cmdlet returns only the configuration data that was collected for a scan
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The -ComputerName parameter lets you obtain scan results that were collected for the most
recent MBCA scan of a submodel on a specific computer To specify the local computer type the
computer name or localhost Multiple values for -ComputerName can be separated by
commas
The -SubModelId parameter is required by the -ComputerName parameter
Valid values for the -ComputerName parameter include localhost a NET BIOS name an IP
address or a fully-qualified domain name (FQDN) of one or more computers in a comma-
separated list
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
Page 51
The -Context parameter lets you obtain scan results that were collected for the most recent
MBCA scan of a submodel in the context of a specific model (one that is different from the parent
model of the submodel) For example an administrator might want to display scan results for the
Backend submodel of the SQL model but only those in the context of a third model a
technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Filter ltFilterEnumgt
The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant
Noncompliant or All results Valid values are Noncompliant Compliant or All The default value
is All
The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan
results You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet obtains
results from the default result repository
Required false
Position named
Page 52
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you
want to view scan results You can obtain valid values for the -SubModelId parameter by running
the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed Not all
models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceResultgt OR
SystemXmlXmlDocument (if -CollectedData specified)
If you do not use the -CollectedConfiguration parameter verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Results
2 Attempting to get MBCA results for Model Id = 0
3 Completed getting MBCA results for Model Id = 0 Number of Results = 1
If you add the -CollectedConfiguration parameter to display configuration data that was used for a
scan verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Configuration Data
2 Attempting to get MBCA collected configuration data for Model Id = 0
3 Completed getting MBCA collected configuration data for Model Id = 0
NOTES
The Get-MBCAResult cmdlet must be run by a member of the Administrators group and it does not
start a new scan
Cancellation behaviour
Single Model - To cancel this cmdlet you must press Ctrl+C before the ResultCollection is displayed
on the console The operation is cancelled and results are not displayed on the console
Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models
the cmdlet generates only those results that were displayed on the console before the cancellation
Any subsequent results in the pipeline are cancelled and not displayed
Page 53
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -Id SQL2008R2BPA
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id
-------------------------- EXAMPLE 2 --------------------------
Get-MBCAModel | Get-MBCAResult
In the preceding example Get-MBCAModel is used to return a list of all MBCA models that are
installed on the computer The results of the Get-MBCAModel cmdlet are piped to the Get-
MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both
supported by MBCA and installed on the computer at which the cmdlet is targeted
-------------------------- EXAMPLE 3 --------------------------
$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$resultDiscoveryDocument
Description
In the preceding example configuration data (in XML form) that was collected during the most recent
Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is
retrieved and stored as a property in the variable $result $resultDiscoveryDocument is of type
SystemXmlXmlDocument
-------------------------- EXAMPLE 4 --------------------------
Get-MBCAResult SQL2008R2BPA -Filter Noncompliant
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id and then applies a filter to show only Noncompliant
results
------------------------- EXAMPLE 5 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId Note that the parent model ID must be specified
to use the -SubModelId parameter
------------------------- EXAMPLE 6 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt -ComputerName ltServergt
-Context ltContext Model Idgt -RepositoryPath ltRepository Pathgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId The parent model ID is provided as required by
the -SubModelID parameter
The -Context parameter indicates that the administrator wants to see only those scan results that are in
the context of the model that is represented by Context Model Id for example only those results from
a SQL Server scan that specifically apply to another technology such as Web Server (IIS)
Page 54
The scan results are further narrowed to only those from a computer that is specified in the -
ComputerName parameter as Server and only those results found in the non-default results
repository that is represented by Repository Path
914 Set-MBCAResult
SYNOPSIS
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
SYNTAX
Set-MBCAResult [[-Exclude] ltBooleangt] [-Results] ltResultgtgt [[-
RepostitoryPath] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
The action specified in the cmdlet (Exclude for example) determines how the existing results of an
MBCA scan are updated Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet
to return a collection of scan results
You can apply filters to results that are returned by the Get-MBCAResult cmdlet and then pipe the
filtered collection of results to the Set-MBCAResult cmdlet specifying either to include or exclude
filtered scan results
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Exclude ltBooleangt
Excludes scan results from the results collection that were previously obtained by the Get-
MBCAResult command To exclude results by using the -Exclude parameter add the value $true
following the parameter as shown
-Exclude $true
To include results that have been excluded use the $false value for the -Exclude parameter
Required false
Position 2
Default value
Accept pipeline input false
Accept wildcard characters false
-RepostitoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet
modifies results from the default result repository
Required false
Page 55
Position 4
Default value
Accept pipeline input false
Accept wildcard characters false
-Results ltResultgtgt
Specifies the result collection to be updated by the Set-MBCAResult cmdlet The -Results
parameter is typically used to specify a filtered subset of scan results that has already been
stored in a variable the variable name is provided as the valid value for the -Results parameter
For example if you have created a variable $allPerformance to store all the Performance
category results for an MBCA scan of all models on a computer and you want to exclude those
Performance results from the complete collection of scan results you add the parameter -Results
$all Performance to a Set-MBCAResult cmdlet
For a more detailed example see the Examples section of the Help for this cmdlet
Required true
Position 3
Default value
Accept pipeline input true (ByValue)
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type ldquoget-
help about_commonparameters
NOTES
If the Set-MBCAResult command is cancelled before the results are written to a file the operation is
cancelled and the results file is not modified If cancellation occurs after the results file has been
modified the commands actions are carried out and the command cannot be cancelled
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -ModelId SQL2008R2BPA | Where $_Category -eq
Performance | Set-MBCAResult -Exclude $true
Description
The first section of the preceding example to the left of the first pipe character (|) uses the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is
represented by Model Id
The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those
scan results for which the category name is equal to Performance
The final section of the example following the second pipe character excludes the Performance
results that were filtered by the previous section of the example
-------------------------- EXAMPLE 2 --------------------------
$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath
CReposPath | Where $_Category -eq Policy
Page 56
Set-MBCAResult -Exclude $true -RepositoryPath CReposPath -Results
$rcPolicy
Description
The first line of the preceding example to the left of the pipe character (|) instructs the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is
represented by Specified Model Id from the specified non-default repository path
The second section of the example after the pipe character filters the results of the Get-MBCAResult
cmdlet to return only those scan results for which the category name is equal to (note the -eq option)
Policy The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet this
variable can be used in subsequent commands to represent those results
The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that
are stored in the $rcPolicy variable In this example the -Results parameter is added because the
administrator wants to exclude a specific subset of scan results for that model and has created the
variable $rcPolicy to represent that subset of results The repository root is specified in the second line
because the administrator wants to modify the results in the same non-default repository from which
the data in $rcPolicy was retrieved
915 MBCA Model Authoring
Further information about configuration and usage of MBCA models you can in the
MBCA_ModelAuthoringGuidedocx
Page 57
Did this paper help you Please give us your feedback Tell us on a scale of 1 (poor) to 5 (excellent)
how would you rate this paper and why have you given it this rating For example
Are you rating it high due to having good examples excellent screen shots clear writing or
another reason
Are you rating it low due to poor examples fuzzy screen shots or unclear writing
This feedback will help us improve the quality of white papers we release
Send feedback
Page 50
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
SYNTAX
Get-MBCAResult [-ModelId] ltstringgt [[-CollectedConfiguration]] -SubModelId
ltstringgt [-ComputerName ltstring[]gt] [-Context ltstringgt] [-Filter
ltFilterEnumgt] [-RepositoryPath ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model or the configuration data that was used to run a scan
To use the command add the -ModelId parameter and then specify the model ID for which you want
to view the most recent MBCA scan results or collected configuration data If you want to retrieve the
configuration data collected add the -CollectedConfiguration switch parameter
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-CollectedConfiguration [ltSwitchParametergt]
The -CollectedConfiguration parameter allows you to obtain the configuration data that was
collected for the most recent MBCA scan If this switch parameter is added to Get-MBCAResults
the cmdlet returns only the configuration data that was collected for a scan
Required false
Position 3
Default value
Accept pipeline input false
Accept wildcard characters false
-ComputerName ltstring[]gt
The -ComputerName parameter lets you obtain scan results that were collected for the most
recent MBCA scan of a submodel on a specific computer To specify the local computer type the
computer name or localhost Multiple values for -ComputerName can be separated by
commas
The -SubModelId parameter is required by the -ComputerName parameter
Valid values for the -ComputerName parameter include localhost a NET BIOS name an IP
address or a fully-qualified domain name (FQDN) of one or more computers in a comma-
separated list
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Context ltstringgt
Page 51
The -Context parameter lets you obtain scan results that were collected for the most recent
MBCA scan of a submodel in the context of a specific model (one that is different from the parent
model of the submodel) For example an administrator might want to display scan results for the
Backend submodel of the SQL model but only those in the context of a third model a
technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Filter ltFilterEnumgt
The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant
Noncompliant or All results Valid values are Noncompliant Compliant or All The default value
is All
The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan
results You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet obtains
results from the default result repository
Required false
Position named
Page 52
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you
want to view scan results You can obtain valid values for the -SubModelId parameter by running
the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed Not all
models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceResultgt OR
SystemXmlXmlDocument (if -CollectedData specified)
If you do not use the -CollectedConfiguration parameter verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Results
2 Attempting to get MBCA results for Model Id = 0
3 Completed getting MBCA results for Model Id = 0 Number of Results = 1
If you add the -CollectedConfiguration parameter to display configuration data that was used for a
scan verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Configuration Data
2 Attempting to get MBCA collected configuration data for Model Id = 0
3 Completed getting MBCA collected configuration data for Model Id = 0
NOTES
The Get-MBCAResult cmdlet must be run by a member of the Administrators group and it does not
start a new scan
Cancellation behaviour
Single Model - To cancel this cmdlet you must press Ctrl+C before the ResultCollection is displayed
on the console The operation is cancelled and results are not displayed on the console
Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models
the cmdlet generates only those results that were displayed on the console before the cancellation
Any subsequent results in the pipeline are cancelled and not displayed
Page 53
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -Id SQL2008R2BPA
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id
-------------------------- EXAMPLE 2 --------------------------
Get-MBCAModel | Get-MBCAResult
In the preceding example Get-MBCAModel is used to return a list of all MBCA models that are
installed on the computer The results of the Get-MBCAModel cmdlet are piped to the Get-
MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both
supported by MBCA and installed on the computer at which the cmdlet is targeted
-------------------------- EXAMPLE 3 --------------------------
$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$resultDiscoveryDocument
Description
In the preceding example configuration data (in XML form) that was collected during the most recent
Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is
retrieved and stored as a property in the variable $result $resultDiscoveryDocument is of type
SystemXmlXmlDocument
-------------------------- EXAMPLE 4 --------------------------
Get-MBCAResult SQL2008R2BPA -Filter Noncompliant
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id and then applies a filter to show only Noncompliant
results
------------------------- EXAMPLE 5 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId Note that the parent model ID must be specified
to use the -SubModelId parameter
------------------------- EXAMPLE 6 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt -ComputerName ltServergt
-Context ltContext Model Idgt -RepositoryPath ltRepository Pathgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId The parent model ID is provided as required by
the -SubModelID parameter
The -Context parameter indicates that the administrator wants to see only those scan results that are in
the context of the model that is represented by Context Model Id for example only those results from
a SQL Server scan that specifically apply to another technology such as Web Server (IIS)
Page 54
The scan results are further narrowed to only those from a computer that is specified in the -
ComputerName parameter as Server and only those results found in the non-default results
repository that is represented by Repository Path
914 Set-MBCAResult
SYNOPSIS
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
SYNTAX
Set-MBCAResult [[-Exclude] ltBooleangt] [-Results] ltResultgtgt [[-
RepostitoryPath] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
The action specified in the cmdlet (Exclude for example) determines how the existing results of an
MBCA scan are updated Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet
to return a collection of scan results
You can apply filters to results that are returned by the Get-MBCAResult cmdlet and then pipe the
filtered collection of results to the Set-MBCAResult cmdlet specifying either to include or exclude
filtered scan results
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Exclude ltBooleangt
Excludes scan results from the results collection that were previously obtained by the Get-
MBCAResult command To exclude results by using the -Exclude parameter add the value $true
following the parameter as shown
-Exclude $true
To include results that have been excluded use the $false value for the -Exclude parameter
Required false
Position 2
Default value
Accept pipeline input false
Accept wildcard characters false
-RepostitoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet
modifies results from the default result repository
Required false
Page 55
Position 4
Default value
Accept pipeline input false
Accept wildcard characters false
-Results ltResultgtgt
Specifies the result collection to be updated by the Set-MBCAResult cmdlet The -Results
parameter is typically used to specify a filtered subset of scan results that has already been
stored in a variable the variable name is provided as the valid value for the -Results parameter
For example if you have created a variable $allPerformance to store all the Performance
category results for an MBCA scan of all models on a computer and you want to exclude those
Performance results from the complete collection of scan results you add the parameter -Results
$all Performance to a Set-MBCAResult cmdlet
For a more detailed example see the Examples section of the Help for this cmdlet
Required true
Position 3
Default value
Accept pipeline input true (ByValue)
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type ldquoget-
help about_commonparameters
NOTES
If the Set-MBCAResult command is cancelled before the results are written to a file the operation is
cancelled and the results file is not modified If cancellation occurs after the results file has been
modified the commands actions are carried out and the command cannot be cancelled
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -ModelId SQL2008R2BPA | Where $_Category -eq
Performance | Set-MBCAResult -Exclude $true
Description
The first section of the preceding example to the left of the first pipe character (|) uses the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is
represented by Model Id
The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those
scan results for which the category name is equal to Performance
The final section of the example following the second pipe character excludes the Performance
results that were filtered by the previous section of the example
-------------------------- EXAMPLE 2 --------------------------
$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath
CReposPath | Where $_Category -eq Policy
Page 56
Set-MBCAResult -Exclude $true -RepositoryPath CReposPath -Results
$rcPolicy
Description
The first line of the preceding example to the left of the pipe character (|) instructs the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is
represented by Specified Model Id from the specified non-default repository path
The second section of the example after the pipe character filters the results of the Get-MBCAResult
cmdlet to return only those scan results for which the category name is equal to (note the -eq option)
Policy The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet this
variable can be used in subsequent commands to represent those results
The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that
are stored in the $rcPolicy variable In this example the -Results parameter is added because the
administrator wants to exclude a specific subset of scan results for that model and has created the
variable $rcPolicy to represent that subset of results The repository root is specified in the second line
because the administrator wants to modify the results in the same non-default repository from which
the data in $rcPolicy was retrieved
915 MBCA Model Authoring
Further information about configuration and usage of MBCA models you can in the
MBCA_ModelAuthoringGuidedocx
Page 57
Did this paper help you Please give us your feedback Tell us on a scale of 1 (poor) to 5 (excellent)
how would you rate this paper and why have you given it this rating For example
Are you rating it high due to having good examples excellent screen shots clear writing or
another reason
Are you rating it low due to poor examples fuzzy screen shots or unclear writing
This feedback will help us improve the quality of white papers we release
Send feedback
Page 51
The -Context parameter lets you obtain scan results that were collected for the most recent
MBCA scan of a submodel in the context of a specific model (one that is different from the parent
model of the submodel) For example an administrator might want to display scan results for the
Backend submodel of the SQL model but only those in the context of a third model a
technology that relies upon SQL Server
The -SubModelId parameter is required by the -Context parameter
A model ID is the valid value of the -Context parameter
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-Filter ltFilterEnumgt
The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant
Noncompliant or All results Valid values are Noncompliant Compliant or All The default value
is All
The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added
Required false
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
-ModelId ltstringgt
The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan
results You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed
Required true
Position 2
Default value
Accept pipeline input true (By Value By Property Name)
Accept wildcard characters False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer
-RepositoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet obtains
results from the default result repository
Required false
Position named
Page 52
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you
want to view scan results You can obtain valid values for the -SubModelId parameter by running
the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed Not all
models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceResultgt OR
SystemXmlXmlDocument (if -CollectedData specified)
If you do not use the -CollectedConfiguration parameter verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Results
2 Attempting to get MBCA results for Model Id = 0
3 Completed getting MBCA results for Model Id = 0 Number of Results = 1
If you add the -CollectedConfiguration parameter to display configuration data that was used for a
scan verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Configuration Data
2 Attempting to get MBCA collected configuration data for Model Id = 0
3 Completed getting MBCA collected configuration data for Model Id = 0
NOTES
The Get-MBCAResult cmdlet must be run by a member of the Administrators group and it does not
start a new scan
Cancellation behaviour
Single Model - To cancel this cmdlet you must press Ctrl+C before the ResultCollection is displayed
on the console The operation is cancelled and results are not displayed on the console
Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models
the cmdlet generates only those results that were displayed on the console before the cancellation
Any subsequent results in the pipeline are cancelled and not displayed
Page 53
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -Id SQL2008R2BPA
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id
-------------------------- EXAMPLE 2 --------------------------
Get-MBCAModel | Get-MBCAResult
In the preceding example Get-MBCAModel is used to return a list of all MBCA models that are
installed on the computer The results of the Get-MBCAModel cmdlet are piped to the Get-
MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both
supported by MBCA and installed on the computer at which the cmdlet is targeted
-------------------------- EXAMPLE 3 --------------------------
$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$resultDiscoveryDocument
Description
In the preceding example configuration data (in XML form) that was collected during the most recent
Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is
retrieved and stored as a property in the variable $result $resultDiscoveryDocument is of type
SystemXmlXmlDocument
-------------------------- EXAMPLE 4 --------------------------
Get-MBCAResult SQL2008R2BPA -Filter Noncompliant
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id and then applies a filter to show only Noncompliant
results
------------------------- EXAMPLE 5 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId Note that the parent model ID must be specified
to use the -SubModelId parameter
------------------------- EXAMPLE 6 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt -ComputerName ltServergt
-Context ltContext Model Idgt -RepositoryPath ltRepository Pathgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId The parent model ID is provided as required by
the -SubModelID parameter
The -Context parameter indicates that the administrator wants to see only those scan results that are in
the context of the model that is represented by Context Model Id for example only those results from
a SQL Server scan that specifically apply to another technology such as Web Server (IIS)
Page 54
The scan results are further narrowed to only those from a computer that is specified in the -
ComputerName parameter as Server and only those results found in the non-default results
repository that is represented by Repository Path
914 Set-MBCAResult
SYNOPSIS
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
SYNTAX
Set-MBCAResult [[-Exclude] ltBooleangt] [-Results] ltResultgtgt [[-
RepostitoryPath] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
The action specified in the cmdlet (Exclude for example) determines how the existing results of an
MBCA scan are updated Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet
to return a collection of scan results
You can apply filters to results that are returned by the Get-MBCAResult cmdlet and then pipe the
filtered collection of results to the Set-MBCAResult cmdlet specifying either to include or exclude
filtered scan results
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Exclude ltBooleangt
Excludes scan results from the results collection that were previously obtained by the Get-
MBCAResult command To exclude results by using the -Exclude parameter add the value $true
following the parameter as shown
-Exclude $true
To include results that have been excluded use the $false value for the -Exclude parameter
Required false
Position 2
Default value
Accept pipeline input false
Accept wildcard characters false
-RepostitoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet
modifies results from the default result repository
Required false
Page 55
Position 4
Default value
Accept pipeline input false
Accept wildcard characters false
-Results ltResultgtgt
Specifies the result collection to be updated by the Set-MBCAResult cmdlet The -Results
parameter is typically used to specify a filtered subset of scan results that has already been
stored in a variable the variable name is provided as the valid value for the -Results parameter
For example if you have created a variable $allPerformance to store all the Performance
category results for an MBCA scan of all models on a computer and you want to exclude those
Performance results from the complete collection of scan results you add the parameter -Results
$all Performance to a Set-MBCAResult cmdlet
For a more detailed example see the Examples section of the Help for this cmdlet
Required true
Position 3
Default value
Accept pipeline input true (ByValue)
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type ldquoget-
help about_commonparameters
NOTES
If the Set-MBCAResult command is cancelled before the results are written to a file the operation is
cancelled and the results file is not modified If cancellation occurs after the results file has been
modified the commands actions are carried out and the command cannot be cancelled
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -ModelId SQL2008R2BPA | Where $_Category -eq
Performance | Set-MBCAResult -Exclude $true
Description
The first section of the preceding example to the left of the first pipe character (|) uses the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is
represented by Model Id
The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those
scan results for which the category name is equal to Performance
The final section of the example following the second pipe character excludes the Performance
results that were filtered by the previous section of the example
-------------------------- EXAMPLE 2 --------------------------
$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath
CReposPath | Where $_Category -eq Policy
Page 56
Set-MBCAResult -Exclude $true -RepositoryPath CReposPath -Results
$rcPolicy
Description
The first line of the preceding example to the left of the pipe character (|) instructs the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is
represented by Specified Model Id from the specified non-default repository path
The second section of the example after the pipe character filters the results of the Get-MBCAResult
cmdlet to return only those scan results for which the category name is equal to (note the -eq option)
Policy The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet this
variable can be used in subsequent commands to represent those results
The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that
are stored in the $rcPolicy variable In this example the -Results parameter is added because the
administrator wants to exclude a specific subset of scan results for that model and has created the
variable $rcPolicy to represent that subset of results The repository root is specified in the second line
because the administrator wants to modify the results in the same non-default repository from which
the data in $rcPolicy was retrieved
915 MBCA Model Authoring
Further information about configuration and usage of MBCA models you can in the
MBCA_ModelAuthoringGuidedocx
Page 57
Did this paper help you Please give us your feedback Tell us on a scale of 1 (poor) to 5 (excellent)
how would you rate this paper and why have you given it this rating For example
Are you rating it high due to having good examples excellent screen shots clear writing or
another reason
Are you rating it low due to poor examples fuzzy screen shots or unclear writing
This feedback will help us improve the quality of white papers we release
Send feedback
Page 52
Default value
Accept pipeline input false
Accept wildcard characters false
-SubModelId ltstringgt
The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you
want to view scan results You can obtain valid values for the -SubModelId parameter by running
the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed Not all
models have submodels
The -ModelId parameter is required with the -SubModelId parameter
Required true
Position named
Default value
Accept pipeline input false
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type get-
help about_commonparameters
OUTPUTS
SystemCollectionsGenericListltMicrosoftBestPracticesCoreInterfaceResultgt OR
SystemXmlXmlDocument (if -CollectedData specified)
If you do not use the -CollectedConfiguration parameter verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Results
2 Attempting to get MBCA results for Model Id = 0
3 Completed getting MBCA results for Model Id = 0 Number of Results = 1
If you add the -CollectedConfiguration parameter to display configuration data that was used for a
scan verbose output can be any of the following
1 Initializing MBCA engine for getting MBCA Configuration Data
2 Attempting to get MBCA collected configuration data for Model Id = 0
3 Completed getting MBCA collected configuration data for Model Id = 0
NOTES
The Get-MBCAResult cmdlet must be run by a member of the Administrators group and it does not
start a new scan
Cancellation behaviour
Single Model - To cancel this cmdlet you must press Ctrl+C before the ResultCollection is displayed
on the console The operation is cancelled and results are not displayed on the console
Multiple Models or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models
the cmdlet generates only those results that were displayed on the console before the cancellation
Any subsequent results in the pipeline are cancelled and not displayed
Page 53
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -Id SQL2008R2BPA
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id
-------------------------- EXAMPLE 2 --------------------------
Get-MBCAModel | Get-MBCAResult
In the preceding example Get-MBCAModel is used to return a list of all MBCA models that are
installed on the computer The results of the Get-MBCAModel cmdlet are piped to the Get-
MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both
supported by MBCA and installed on the computer at which the cmdlet is targeted
-------------------------- EXAMPLE 3 --------------------------
$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$resultDiscoveryDocument
Description
In the preceding example configuration data (in XML form) that was collected during the most recent
Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is
retrieved and stored as a property in the variable $result $resultDiscoveryDocument is of type
SystemXmlXmlDocument
-------------------------- EXAMPLE 4 --------------------------
Get-MBCAResult SQL2008R2BPA -Filter Noncompliant
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id and then applies a filter to show only Noncompliant
results
------------------------- EXAMPLE 5 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId Note that the parent model ID must be specified
to use the -SubModelId parameter
------------------------- EXAMPLE 6 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt -ComputerName ltServergt
-Context ltContext Model Idgt -RepositoryPath ltRepository Pathgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId The parent model ID is provided as required by
the -SubModelID parameter
The -Context parameter indicates that the administrator wants to see only those scan results that are in
the context of the model that is represented by Context Model Id for example only those results from
a SQL Server scan that specifically apply to another technology such as Web Server (IIS)
Page 54
The scan results are further narrowed to only those from a computer that is specified in the -
ComputerName parameter as Server and only those results found in the non-default results
repository that is represented by Repository Path
914 Set-MBCAResult
SYNOPSIS
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
SYNTAX
Set-MBCAResult [[-Exclude] ltBooleangt] [-Results] ltResultgtgt [[-
RepostitoryPath] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
The action specified in the cmdlet (Exclude for example) determines how the existing results of an
MBCA scan are updated Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet
to return a collection of scan results
You can apply filters to results that are returned by the Get-MBCAResult cmdlet and then pipe the
filtered collection of results to the Set-MBCAResult cmdlet specifying either to include or exclude
filtered scan results
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Exclude ltBooleangt
Excludes scan results from the results collection that were previously obtained by the Get-
MBCAResult command To exclude results by using the -Exclude parameter add the value $true
following the parameter as shown
-Exclude $true
To include results that have been excluded use the $false value for the -Exclude parameter
Required false
Position 2
Default value
Accept pipeline input false
Accept wildcard characters false
-RepostitoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet
modifies results from the default result repository
Required false
Page 55
Position 4
Default value
Accept pipeline input false
Accept wildcard characters false
-Results ltResultgtgt
Specifies the result collection to be updated by the Set-MBCAResult cmdlet The -Results
parameter is typically used to specify a filtered subset of scan results that has already been
stored in a variable the variable name is provided as the valid value for the -Results parameter
For example if you have created a variable $allPerformance to store all the Performance
category results for an MBCA scan of all models on a computer and you want to exclude those
Performance results from the complete collection of scan results you add the parameter -Results
$all Performance to a Set-MBCAResult cmdlet
For a more detailed example see the Examples section of the Help for this cmdlet
Required true
Position 3
Default value
Accept pipeline input true (ByValue)
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type ldquoget-
help about_commonparameters
NOTES
If the Set-MBCAResult command is cancelled before the results are written to a file the operation is
cancelled and the results file is not modified If cancellation occurs after the results file has been
modified the commands actions are carried out and the command cannot be cancelled
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -ModelId SQL2008R2BPA | Where $_Category -eq
Performance | Set-MBCAResult -Exclude $true
Description
The first section of the preceding example to the left of the first pipe character (|) uses the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is
represented by Model Id
The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those
scan results for which the category name is equal to Performance
The final section of the example following the second pipe character excludes the Performance
results that were filtered by the previous section of the example
-------------------------- EXAMPLE 2 --------------------------
$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath
CReposPath | Where $_Category -eq Policy
Page 56
Set-MBCAResult -Exclude $true -RepositoryPath CReposPath -Results
$rcPolicy
Description
The first line of the preceding example to the left of the pipe character (|) instructs the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is
represented by Specified Model Id from the specified non-default repository path
The second section of the example after the pipe character filters the results of the Get-MBCAResult
cmdlet to return only those scan results for which the category name is equal to (note the -eq option)
Policy The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet this
variable can be used in subsequent commands to represent those results
The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that
are stored in the $rcPolicy variable In this example the -Results parameter is added because the
administrator wants to exclude a specific subset of scan results for that model and has created the
variable $rcPolicy to represent that subset of results The repository root is specified in the second line
because the administrator wants to modify the results in the same non-default repository from which
the data in $rcPolicy was retrieved
915 MBCA Model Authoring
Further information about configuration and usage of MBCA models you can in the
MBCA_ModelAuthoringGuidedocx
Page 57
Did this paper help you Please give us your feedback Tell us on a scale of 1 (poor) to 5 (excellent)
how would you rate this paper and why have you given it this rating For example
Are you rating it high due to having good examples excellent screen shots clear writing or
another reason
Are you rating it low due to poor examples fuzzy screen shots or unclear writing
This feedback will help us improve the quality of white papers we release
Send feedback
Page 53
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -Id SQL2008R2BPA
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id
-------------------------- EXAMPLE 2 --------------------------
Get-MBCAModel | Get-MBCAResult
In the preceding example Get-MBCAModel is used to return a list of all MBCA models that are
installed on the computer The results of the Get-MBCAModel cmdlet are piped to the Get-
MBCAResult cmdlet to retrieve the most recent MBCA scan results for all models that are both
supported by MBCA and installed on the computer at which the cmdlet is targeted
-------------------------- EXAMPLE 3 --------------------------
$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$resultDiscoveryDocument
Description
In the preceding example configuration data (in XML form) that was collected during the most recent
Microsoft Baseline Configuration Analyzer scan of the model that is represented by Model Id is
retrieved and stored as a property in the variable $result $resultDiscoveryDocument is of type
SystemXmlXmlDocument
-------------------------- EXAMPLE 4 --------------------------
Get-MBCAResult SQL2008R2BPA -Filter Noncompliant
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by Model Id and then applies a filter to show only Noncompliant
results
------------------------- EXAMPLE 5 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId Note that the parent model ID must be specified
to use the -SubModelId parameter
------------------------- EXAMPLE 6 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId ltSubModel Idgt -ComputerName ltServergt
-Context ltContext Model Idgt -RepositoryPath ltRepository Pathgt
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by SubModelId The parent model ID is provided as required by
the -SubModelID parameter
The -Context parameter indicates that the administrator wants to see only those scan results that are in
the context of the model that is represented by Context Model Id for example only those results from
a SQL Server scan that specifically apply to another technology such as Web Server (IIS)
Page 54
The scan results are further narrowed to only those from a computer that is specified in the -
ComputerName parameter as Server and only those results found in the non-default results
repository that is represented by Repository Path
914 Set-MBCAResult
SYNOPSIS
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
SYNTAX
Set-MBCAResult [[-Exclude] ltBooleangt] [-Results] ltResultgtgt [[-
RepostitoryPath] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
The action specified in the cmdlet (Exclude for example) determines how the existing results of an
MBCA scan are updated Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet
to return a collection of scan results
You can apply filters to results that are returned by the Get-MBCAResult cmdlet and then pipe the
filtered collection of results to the Set-MBCAResult cmdlet specifying either to include or exclude
filtered scan results
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Exclude ltBooleangt
Excludes scan results from the results collection that were previously obtained by the Get-
MBCAResult command To exclude results by using the -Exclude parameter add the value $true
following the parameter as shown
-Exclude $true
To include results that have been excluded use the $false value for the -Exclude parameter
Required false
Position 2
Default value
Accept pipeline input false
Accept wildcard characters false
-RepostitoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet
modifies results from the default result repository
Required false
Page 55
Position 4
Default value
Accept pipeline input false
Accept wildcard characters false
-Results ltResultgtgt
Specifies the result collection to be updated by the Set-MBCAResult cmdlet The -Results
parameter is typically used to specify a filtered subset of scan results that has already been
stored in a variable the variable name is provided as the valid value for the -Results parameter
For example if you have created a variable $allPerformance to store all the Performance
category results for an MBCA scan of all models on a computer and you want to exclude those
Performance results from the complete collection of scan results you add the parameter -Results
$all Performance to a Set-MBCAResult cmdlet
For a more detailed example see the Examples section of the Help for this cmdlet
Required true
Position 3
Default value
Accept pipeline input true (ByValue)
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type ldquoget-
help about_commonparameters
NOTES
If the Set-MBCAResult command is cancelled before the results are written to a file the operation is
cancelled and the results file is not modified If cancellation occurs after the results file has been
modified the commands actions are carried out and the command cannot be cancelled
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -ModelId SQL2008R2BPA | Where $_Category -eq
Performance | Set-MBCAResult -Exclude $true
Description
The first section of the preceding example to the left of the first pipe character (|) uses the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is
represented by Model Id
The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those
scan results for which the category name is equal to Performance
The final section of the example following the second pipe character excludes the Performance
results that were filtered by the previous section of the example
-------------------------- EXAMPLE 2 --------------------------
$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath
CReposPath | Where $_Category -eq Policy
Page 56
Set-MBCAResult -Exclude $true -RepositoryPath CReposPath -Results
$rcPolicy
Description
The first line of the preceding example to the left of the pipe character (|) instructs the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is
represented by Specified Model Id from the specified non-default repository path
The second section of the example after the pipe character filters the results of the Get-MBCAResult
cmdlet to return only those scan results for which the category name is equal to (note the -eq option)
Policy The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet this
variable can be used in subsequent commands to represent those results
The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that
are stored in the $rcPolicy variable In this example the -Results parameter is added because the
administrator wants to exclude a specific subset of scan results for that model and has created the
variable $rcPolicy to represent that subset of results The repository root is specified in the second line
because the administrator wants to modify the results in the same non-default repository from which
the data in $rcPolicy was retrieved
915 MBCA Model Authoring
Further information about configuration and usage of MBCA models you can in the
MBCA_ModelAuthoringGuidedocx
Page 57
Did this paper help you Please give us your feedback Tell us on a scale of 1 (poor) to 5 (excellent)
how would you rate this paper and why have you given it this rating For example
Are you rating it high due to having good examples excellent screen shots clear writing or
another reason
Are you rating it low due to poor examples fuzzy screen shots or unclear writing
This feedback will help us improve the quality of white papers we release
Send feedback
Page 54
The scan results are further narrowed to only those from a computer that is specified in the -
ComputerName parameter as Server and only those results found in the non-default results
repository that is represented by Repository Path
914 Set-MBCAResult
SYNOPSIS
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
SYNTAX
Set-MBCAResult [[-Exclude] ltBooleangt] [-Results] ltResultgtgt [[-
RepostitoryPath] ltstringgt] [ltCommonParametersgt]
DESCRIPTION
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see
The action specified in the cmdlet (Exclude for example) determines how the existing results of an
MBCA scan are updated Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet
to return a collection of scan results
You can apply filters to results that are returned by the Get-MBCAResult cmdlet and then pipe the
filtered collection of results to the Set-MBCAResult cmdlet specifying either to include or exclude
filtered scan results
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights that is Run as Administrator
PARAMETERS
-Exclude ltBooleangt
Excludes scan results from the results collection that were previously obtained by the Get-
MBCAResult command To exclude results by using the -Exclude parameter add the value $true
following the parameter as shown
-Exclude $true
To include results that have been excluded use the $false value for the -Exclude parameter
Required false
Position 2
Default value
Accept pipeline input false
Accept wildcard characters false
-RepostitoryPath ltstringgt
The -RepositoryPath parameter is used to specify a non-default location of the results repository
The valid value for this parameter is a path name If the parameter is not used the cmdlet
modifies results from the default result repository
Required false
Page 55
Position 4
Default value
Accept pipeline input false
Accept wildcard characters false
-Results ltResultgtgt
Specifies the result collection to be updated by the Set-MBCAResult cmdlet The -Results
parameter is typically used to specify a filtered subset of scan results that has already been
stored in a variable the variable name is provided as the valid value for the -Results parameter
For example if you have created a variable $allPerformance to store all the Performance
category results for an MBCA scan of all models on a computer and you want to exclude those
Performance results from the complete collection of scan results you add the parameter -Results
$all Performance to a Set-MBCAResult cmdlet
For a more detailed example see the Examples section of the Help for this cmdlet
Required true
Position 3
Default value
Accept pipeline input true (ByValue)
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type ldquoget-
help about_commonparameters
NOTES
If the Set-MBCAResult command is cancelled before the results are written to a file the operation is
cancelled and the results file is not modified If cancellation occurs after the results file has been
modified the commands actions are carried out and the command cannot be cancelled
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -ModelId SQL2008R2BPA | Where $_Category -eq
Performance | Set-MBCAResult -Exclude $true
Description
The first section of the preceding example to the left of the first pipe character (|) uses the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is
represented by Model Id
The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those
scan results for which the category name is equal to Performance
The final section of the example following the second pipe character excludes the Performance
results that were filtered by the previous section of the example
-------------------------- EXAMPLE 2 --------------------------
$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath
CReposPath | Where $_Category -eq Policy
Page 56
Set-MBCAResult -Exclude $true -RepositoryPath CReposPath -Results
$rcPolicy
Description
The first line of the preceding example to the left of the pipe character (|) instructs the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is
represented by Specified Model Id from the specified non-default repository path
The second section of the example after the pipe character filters the results of the Get-MBCAResult
cmdlet to return only those scan results for which the category name is equal to (note the -eq option)
Policy The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet this
variable can be used in subsequent commands to represent those results
The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that
are stored in the $rcPolicy variable In this example the -Results parameter is added because the
administrator wants to exclude a specific subset of scan results for that model and has created the
variable $rcPolicy to represent that subset of results The repository root is specified in the second line
because the administrator wants to modify the results in the same non-default repository from which
the data in $rcPolicy was retrieved
915 MBCA Model Authoring
Further information about configuration and usage of MBCA models you can in the
MBCA_ModelAuthoringGuidedocx
Page 57
Did this paper help you Please give us your feedback Tell us on a scale of 1 (poor) to 5 (excellent)
how would you rate this paper and why have you given it this rating For example
Are you rating it high due to having good examples excellent screen shots clear writing or
another reason
Are you rating it low due to poor examples fuzzy screen shots or unclear writing
This feedback will help us improve the quality of white papers we release
Send feedback
Page 55
Position 4
Default value
Accept pipeline input false
Accept wildcard characters false
-Results ltResultgtgt
Specifies the result collection to be updated by the Set-MBCAResult cmdlet The -Results
parameter is typically used to specify a filtered subset of scan results that has already been
stored in a variable the variable name is provided as the valid value for the -Results parameter
For example if you have created a variable $allPerformance to store all the Performance
category results for an MBCA scan of all models on a computer and you want to exclude those
Performance results from the complete collection of scan results you add the parameter -Results
$all Performance to a Set-MBCAResult cmdlet
For a more detailed example see the Examples section of the Help for this cmdlet
Required true
Position 3
Default value
Accept pipeline input true (ByValue)
Accept wildcard characters false
ltCommonParametersgt
This cmdlet supports the common parameters Verbose Debug ErrorAction ErrorVariable
WarningAction WarningVariable OutBuffer and OutVariable For more information type ldquoget-
help about_commonparameters
NOTES
If the Set-MBCAResult command is cancelled before the results are written to a file the operation is
cancelled and the results file is not modified If cancellation occurs after the results file has been
modified the commands actions are carried out and the command cannot be cancelled
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -ModelId SQL2008R2BPA | Where $_Category -eq
Performance | Set-MBCAResult -Exclude $true
Description
The first section of the preceding example to the left of the first pipe character (|) uses the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is
represented by Model Id
The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those
scan results for which the category name is equal to Performance
The final section of the example following the second pipe character excludes the Performance
results that were filtered by the previous section of the example
-------------------------- EXAMPLE 2 --------------------------
$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath
CReposPath | Where $_Category -eq Policy
Page 56
Set-MBCAResult -Exclude $true -RepositoryPath CReposPath -Results
$rcPolicy
Description
The first line of the preceding example to the left of the pipe character (|) instructs the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is
represented by Specified Model Id from the specified non-default repository path
The second section of the example after the pipe character filters the results of the Get-MBCAResult
cmdlet to return only those scan results for which the category name is equal to (note the -eq option)
Policy The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet this
variable can be used in subsequent commands to represent those results
The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that
are stored in the $rcPolicy variable In this example the -Results parameter is added because the
administrator wants to exclude a specific subset of scan results for that model and has created the
variable $rcPolicy to represent that subset of results The repository root is specified in the second line
because the administrator wants to modify the results in the same non-default repository from which
the data in $rcPolicy was retrieved
915 MBCA Model Authoring
Further information about configuration and usage of MBCA models you can in the
MBCA_ModelAuthoringGuidedocx
Page 57
Did this paper help you Please give us your feedback Tell us on a scale of 1 (poor) to 5 (excellent)
how would you rate this paper and why have you given it this rating For example
Are you rating it high due to having good examples excellent screen shots clear writing or
another reason
Are you rating it low due to poor examples fuzzy screen shots or unclear writing
This feedback will help us improve the quality of white papers we release
Send feedback
Page 56
Set-MBCAResult -Exclude $true -RepositoryPath CReposPath -Results
$rcPolicy
Description
The first line of the preceding example to the left of the pipe character (|) instructs the Get-
MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is
represented by Specified Model Id from the specified non-default repository path
The second section of the example after the pipe character filters the results of the Get-MBCAResult
cmdlet to return only those scan results for which the category name is equal to (note the -eq option)
Policy The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet this
variable can be used in subsequent commands to represent those results
The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that
are stored in the $rcPolicy variable In this example the -Results parameter is added because the
administrator wants to exclude a specific subset of scan results for that model and has created the
variable $rcPolicy to represent that subset of results The repository root is specified in the second line
because the administrator wants to modify the results in the same non-default repository from which
the data in $rcPolicy was retrieved
915 MBCA Model Authoring
Further information about configuration and usage of MBCA models you can in the
MBCA_ModelAuthoringGuidedocx
Page 57
Did this paper help you Please give us your feedback Tell us on a scale of 1 (poor) to 5 (excellent)
how would you rate this paper and why have you given it this rating For example
Are you rating it high due to having good examples excellent screen shots clear writing or
another reason
Are you rating it low due to poor examples fuzzy screen shots or unclear writing
This feedback will help us improve the quality of white papers we release
Send feedback
Page 57
Did this paper help you Please give us your feedback Tell us on a scale of 1 (poor) to 5 (excellent)
how would you rate this paper and why have you given it this rating For example
Are you rating it high due to having good examples excellent screen shots clear writing or
another reason
Are you rating it low due to poor examples fuzzy screen shots or unclear writing
This feedback will help us improve the quality of white papers we release
Send feedback