
SQL Server 2008 (R2) Best Practice Analyzer

SQL Server Technical Article

Writers: Sylvio Hellmann, Günter Gross, Dana Burnell


Technical Reviewers: Oliver Hahn

Published: September 2010


Applies to: SQL Server 2008 (R2), SQL Server 2008 (R2) Analysis Services, SQL Server 2008 (R2)
Reporting Services, and SQL Server 2008 (R2) Integration Services
Summary:
The Microsoft SQL Server Best Practices Analyzer is a well-known tool in the DBA community for validating
whether SQL Server installations adhere to Microsoft-recommended best practices.
In the new R2 version, the SQL BPA introduces advanced capabilities in conjunction with the
PowerShell architecture and also raises the bar for prerequisites and cross-dependencies.
While introducing the new tool to our Premier customers in the Banking, Insurance and Productivity
fields, we received strong positive feedback along with some interesting questions that we discuss
further in this paper.
Understanding PowerShell, Policy-Based Management and SQL BPA will empower you to unleash the
full potential of the SQL Server 2008 R2 Best Practices Analyzer (BPA).

Table of Contents

1 Introduction
  1.1 Architecture and data flow of the BPA
  1.2 Microsoft Best Practice Analyzer Universe
    1.2.1 SQL Server BPA (older versions)
    1.2.2 Windows Server 2008 R2 Best Practice Analyzer
    1.2.3 Fix-it
    1.2.4 Microsoft Automated Troubleshooting Service in Windows Server 2008 R2 and Windows 7
2 System Requirements
  2.1 Required Permissions for Running SQL Server 2008 R2 BPA
  2.2 Prerequisites
3 Install
  3.1 Installing PowerShell 2.0 and WinRM
  3.2 Install MBCA
  3.3 Install BPA
    3.3.1 Command line
    3.3.2 GUI
    3.3.3 Port and Firewall restrictions
  3.4 Updates
  3.5 Uninstall
    3.5.1 BPA
    3.5.2 MBCA
    3.5.3 Reset Powershell settings
4 Usage
  4.1 Help file
  4.2 GUI
  4.3 Connect to a remote computer
  4.4 Powershell
    4.4.1 Run Scan
    4.4.2 Create Report
    4.4.3 Exporting and opening reports by using Get-MBCAResult
    4.4.4 Report Result Directory
5 Troubleshooting
  5.1 Application directories
  5.2 Windows Server 2003 NumberOfLogicalProcessors
  5.3 MBCA
  5.4 Where can I find the Instance name in result set of the analyzer report
  5.5 Memory limit of remote PowerShell process
  5.6 Remote connect
  5.7 Installation
    5.7.1 Powershell error
    5.7.2 Workgroup or Non-Domain computer
    5.7.3 Kerberos Failure
6 Rules
  6.1 Engine
  6.2 ASRules
  6.3 RSRules
  6.4 ISRules
  6.5 SetupRules
  6.6 Replication
7 How to Deal With Deviations
8 Motivation to use SQL BPA R2
9 Additional Information
  9.1 Powershell
    9.1.1 Get-MBCAModel
    9.1.2 Invoke-MBCAModel
    9.1.3 Get-MBCAResult
    9.1.4 Set-MBCAResult
    9.1.5 MBCA Model Authoring

Copyright Information
The information contained in this document represents the current view of Microsoft Corporation on the
issues discussed as of the date of publication. Because Microsoft must respond to changing market
conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft
cannot guarantee the accuracy of any information presented after the date of publication.
This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES,
EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the companies, organizations, products, domain
names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious.
No association with any real company, organization, product, domain name, e-mail address, logo,
person, place, or event is intended or should be inferred. Complying with all applicable copyright laws
is the responsibility of the user. Without limiting the rights under copyright, no part of this document
may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any
means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the
express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.

© 2010 Microsoft Corporation. All rights reserved.


Microsoft, and SQL Server are trademarks of the Microsoft group of companies.

All other trademarks are property of their respective owners.

1 INTRODUCTION
The Microsoft SQL Server 2008 R2 Best Practices Analyzer (BPA) is a diagnostic tool that performs the
following functions:

- Gathers information about a server and an instance of Microsoft SQL Server 2008 or 2008 R2
  that is installed on that server
- Determines if the configurations are set according to the Microsoft recommended best
  practices
- Reports on all configurations, indicating settings that differ from recommendations
- Indicates potential problems in the installed instance of SQL Server
- Recommends solutions to potential problems

This tool is used by IT Professionals and Database Administrators to help ensure that their installations
of SQL Server and associated products / components are adhering to best practices as determined by
the SQL Server Product Teams and CSS. This utility scans the installation of a local or remote machine
gathering system data from WMI, log files, the Event Log, the Windows Registry, and SQL Server
metadata and compares the results to predefined standards. It then produces a report that shows the
results and points the user to additional information on the web to help them determine whether they
should make changes to their systems.
For every configuration, the SQL Server 2008 R2 BPA provides the following results:

- Compliance results are returned when an instance of SQL Server satisfies the conditions of a
  Best Practices rule. Non-compliance results are returned when an instance of SQL Server
  does not satisfy the conditions of a Best Practices rule.
- Impact of non-compliance
- Recommendation
- Links to more detailed information and related topics

To assist you and to make your life as a DBA easier, Microsoft includes some of these best practices in
several products, depending on the specific purpose of the software. The following diagram illustrates
the variety of tools available to check best practices for SQL Server 2008 and SQL Server 2008 R2 in
parallel or in combination with BPA.

The big picture: automated best-practice checks for SQL Server, offered in different flavours and
products.
[Diagram: SQL Server 2008 R2 Best Practice Analyzer; SQLRAP; CSS Rules, Advice, and Manifests;
SCOM SQL MP; SQL 2008 Setup; Policy Based Management]

So you will find best-practice policies and rules in the following solutions:

- SQL Server 2008 R2 Best Practice Analyzer,
  with more than 140 rules for the database engine and other technologies
- System Center Operations Manager (SCOM),
  within the SQL Management Pack (current version 6.1.314.36, release date: 08/17/2010),
  with more than 300 rules and 50 additional monitors
- Policy Based Management in SQL Server 2005 and 2008,
  with a predefined policy collection (50+ policies).
  There is a whitepaper about PBM here.
- System Configuration Checker in the SQL Server 2008 setup wizard
- The SQL Risk Assessment Toolset (Premier Organisation best practice flagship), offering more
  than 200 rules. This offering is meant for Premier customers running the SQL RAP against
  their most business-critical SQL instances.
  Note: This tool set is only available for Microsoft Premier Customers.

1.1 Architecture and data flow of the BPA


The SQL Server 2008 R2 Best Practices Analyzer is an additional model for the Microsoft Baseline
Configuration Analyzer V2.0 (MBCA). A model is a set of component files that together comprise the
configuration analysis and reporting output from MBCA.
The MBCA is embedded as a PowerShell cmdlet and consists of two major components: the MBCA
Engine and the MBCA UI.
The MBCA Engine process itself consists of two main activities, discovery and evaluation. The MBCA
Engine is fed by PowerShell discovery scripts and XML schema files, which are used during discovery.
The discovery activity interrogates SQL Server, the Registry, WMI, the error and event logs, etc. The
output is saved in an XML file, which is then used in the evaluation activity. Evaluation is performed
using the Schematron file. This file, run by the MBCA engine, contains the logic for evaluating the best
practices. The final step following the evaluation process is report generation; the report is shown in
the MBCA UI.
In the flow chart below you will find the anatomy of the SQL Server 2008 R2 Best Practices Analyzer.

1.2 Microsoft Best Practice Analyzer Universe


Microsoft offers many technologies and utilities to produce best practices recommendations.

1.2.1 SQL Server BPA (older versions)


Microsoft has also created BP Analyzers for your older SQL Server versions and for Windows:
- SQL Server 2005 Best Practices Analyzer (August 2008)
- SQL Server 2000 Best Practices Analyzer (April 2010)

1.2.2 Windows Server 2008 R2 Best Practice Analyzer


In Windows management, best practices are guidelines that are considered the ideal way, under typical
circumstances, to configure a server as defined by experts. For example, it is considered a best
practice for most server technologies to keep open only those ports required for the technologies to
communicate with other networked computers, and block unused ports. Although best practice
violations, even crucial ones, are not necessarily problematic, they indicate server configurations that
can result in poor performance, poor reliability, unexpected conflicts, increased security risks, or other
potential problems.
Best Practices Analyzer (BPA) is a server management tool that is available in
Windows Server 2008 R2. BPA can help administrators reduce best practice violations by scanning
one or more roles that are installed on Windows Server 2008 R2, and reporting best practice violations
to the administrator. Administrators can filter or exclude results from BPA reports that they do not have
to see. Administrators can also perform BPA tasks by using either the Server Manager GUI, or
Windows PowerShell cmdlets.
BPA can also be used on remote servers that are running Windows Server 2008 R2, by using Server
Manager targeted at a remote server. For more information about how to run Server Manager targeted
at a remote server, see Remote Management with Server Manager.
The following BPA modules are currently available:

- Best Practices Analyzer for Active Directory Certificate Services
- Best Practices Analyzer for Active Directory Domain Services
- Best Practices Analyzer for Active Directory Rights Management Services
- Best Practices Analyzer for Application Server
- Best Practices Analyzer for Domain Name System
- Best Practices Analyzer for Dynamic Host Configuration Protocol
- Best Practices Analyzer for File Services
- Best Practices Analyzer for Hyper-V
- Best Practices Analyzer for Internet Information Services
- Best Practices Analyzer for Network Policy and Access Services
- Best Practices Analyzer for Remote Desktop Services
- Best Practices Analyzer for Windows Server Update Services

For more information about Windows BPA, look here.

1.2.3 Fix-it
Currently there is no link between the SQL Server Best Practice Analyzer and the Fix it web page.
http://support.microsoft.com/fixit
Microsoft is working on a solution to combine Fix it with specific Best Practice Analyzers.
http://fixitcenter.support.microsoft.com/Portal

1.2.4 Microsoft Automated Troubleshooting Service in Windows Server 2008 R2 and Windows 7
Troubleshooting in Windows Server 2008 R2 and Windows 7 provides several troubleshooting
programs that can automatically fix some common problems with your computer, such as problems
with networking, hardware and devices, using the web, and program compatibility.
Go to the Windows website to watch a video about using troubleshooters to fix common problems.
(3:30)
When you run a troubleshooter, it might ask you some questions or reset common settings as it works
to fix the problem. If the troubleshooter fixed the problem, you can close the troubleshooter. If it couldn't
fix the problem, you can view several options that will take you online to try and find an answer. In
either case, you can always view a complete list of changes made.

Notes

- If you click the Advanced link on a troubleshooter and then clear the Apply repairs
  automatically check box, the troubleshooter displays a list of fixes to choose from, if any
  problems are found.
- Windows includes several troubleshooters, and more are available online when you select the
  Get the most up-to-date troubleshooters from the Windows Online Troubleshooting service
  check box at the bottom of Troubleshooting.

http://support.microsoft.com/gp/system_maintenance_for_windows

2 SYSTEM REQUIREMENTS
SQL Server 2008 R2 Best Practices Advisor is supported on the following Operating Systems:
1. Windows Vista
2. Windows 7
3. Windows Server 2003
4. Windows Server 2003 R2
5. Windows Server 2008
6. Windows Server 2008 R2

Supported editions of SQL Server


1. SQL Server 2008, all editions, except Express
2. SQL Server 2008 R2, all editions, except Express

Supported Components of SQL Server


1. Analysis Services
2. Database Engine
3. Integration Services
4. Reporting Services
5. Replication
6. Setup

These components are designed as Submodels for the BPA. This means that they will be run
concurrently where possible.

2.1 Required Permissions for Running SQL Server 2008 R2 BPA


Administration Privileges
To run MBCA v2.0, a user must be a member of the administrators group on the machine being
scanned, and on the machine the scan is initiated from. If a user is not an administrator on the machine
that is being scanned, an appropriate error message displays.
SQL Server
To successfully access all of the database properties and SQL Server Configurations, a user must be
the Systems Administrator (sysadmin) on the instance of SQL Server.
Analysis Services
The user or the administrators group must be a member of the server administrator role within the
instance of Microsoft SQL Server Analysis Services; members of that role have unrestricted access to
all Analysis Services objects and data in that instance.
http://msdn.microsoft.com/en-us/library/ms174561.aspx
Integration Services
The user or the administrators group must be members of the sysadmin or db_ssisadmin roles.
http://msdn.microsoft.com/en-us/library/ms141053.aspx
Reporting Services
The user or the administrators group must be a member of the System Administrator and Content
Manager roles.
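
A pre-flight check for the first two requirements above (local administrator and sysadmin), as an added example that is not part of the original paper or of the BPA tooling. It assumes Windows authentication to the instance; the function name `Test-BpaScanPrivilege` and its `ServerInstance` parameter are hypothetical.

```powershell
# Added example: verify the privileges SQL Server 2008 R2 BPA needs before a scan.
# Test-BpaScanPrivilege is a hypothetical name, not a BPA or MBCA cmdlet.
function Test-BpaScanPrivilege {
    param(
        # Instance to check, e.g. "SQLHOST01\INST1" (constructed sample name); "." is local default
        [string]$ServerInstance = "."
    )

    # 1. Local Administrators membership with an elevated token. This only covers the
    #    machine the check runs on; repeat it on the machine being scanned.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $identity
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # 2. sysadmin membership of the same Windows login on the SQL Server instance.
    #    Stays $null when the instance cannot be reached or the login is denied.
    $isSysadmin = $null
    $connString = "Server=$ServerInstance;Integrated Security=SSPI;Connect Timeout=5"
    $conn = New-Object System.Data.SqlClient.SqlConnection $connString
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT IS_SRVROLEMEMBER('sysadmin')"
        $isSysadmin = ($cmd.ExecuteScalar() -eq 1)
    }
    catch {
        Write-Warning "Could not query '$ServerInstance': $($_.Exception.Message)"
    }
    finally {
        $conn.Dispose()
    }

    New-Object PSObject -Property @{
        User               = $identity.Name
        LocalAdministrator = $isAdmin
        ServerInstance     = $ServerInstance
        Sysadmin           = $isSysadmin
    }
}

Test-BpaScanPrivilege -ServerInstance "."
```

Because the scan account needs both local administrator and sysadmin rights, this is best run under the dedicated account that will perform the scan rather than a day-to-day login.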

2.2 Prerequisites
The following are required for using SQL Server 2008 R2 Best Practices Analyzer:
1. PowerShell V2.0
Windows PowerShell 2.0 requires the Microsoft .NET Framework 2.0 with Service Pack 1.
2. Microsoft Baseline Configuration Analyzer V2.0
3. SQL Server Management Tools for SQL Server 2008 or SQL Server 2008 R2
The following table outlines the prerequisite Microsoft utilities / components, by Operating System,
necessary to have on your server prior to installing and running SQL Server 2008 R2 BPA.
Table columns: OS | 1. Install WinRM | 2. Install PowerShell 2.0 | 3. Install MBCA 2.0 |
Configure PowerShell (1): 4. Remoting, 5. Execution Level, 6. MaxShellsPerUser |
7. Install SQL 2008 or SQL 2008 R2 Management Tools
Table rows (OS): Win Vista; Windows 7; Windows Server 2003; Windows Server 2003 R2;
Windows Server 2008; Windows Server 2008 R2

(1) These changes are made by the installation routine of the BPA.

3 INSTALL
We recommend installing BPA on a workstation or administration server and performing the scan
operation remotely against servers in your SQL Server infrastructure. It is also possible to install this
tool on the production SQL Server locally.
Installation process:
1. Install/Configure PowerShell and WinRM
2. Microsoft Baseline Configuration Analyzer V2.0
3. Microsoft SQL Server 2008 R2 Best Practices Analyzer
There are two ways to install the Best Practices Analyzer:

- With a graphical user interface (setup wizard)
- From the command line

3.1 Installing PowerShell 2.0 and WinRM


The BPA installation configures WinRM and the PowerShell options by default. Most of this section is
only needed if something goes wrong and you need to configure these settings by hand.
Windows Server 2003 R2
WinRM is not installed by default, but it is available as the Hardware Management feature through the
Add/Remove System Components feature in the Control Panel under Management and Monitoring
Tools. Complete installation and information about configuring WinRM using the WINRM command-line
tool is available online in the Hardware Management Introduction, which describes the WinRM and the
IPMI features in Windows Server 2003 R2.
On Windows Vista, Windows Server 2003 and Windows Server 2008
This is installed as part of Windows Management Framework Core. The WinRM service starts
automatically on Windows Server 2008. On Windows Vista, the service must be started manually.
On Windows Server 2008 R2 and Windows 7
This is installed as part of the OS.
Note: Check for additional information and configuration guidelines for WinRM and for PowerShell 2.0.
SQL Server 2008 R2 BPA is able to scan both the local computer and remote computers. Therefore, in
both the local and remote cases, your PowerShell settings must be modified. These changes are made
by the BPA installation.
PowerShell Execution Policy
The PowerShell Execution Policy is set to Restricted by default. To run SQL Server 2008 R2 BPA
through the PowerShell command line, set the policy to RemoteSigned using the following command:
Set-ExecutionPolicy RemoteSigned -f
You can use the command Set-ExecutionPolicy Restricted -f to set the execution policy back to
Restricted. This command is not required when executing the scan through the MBCA GUI.
After the installation you must enable PowerShell remote scripting if you want to use the BPA
remotely against another workgroup machine or a computer that has Kerberos enabled. You need to run
this command only once on each computer that will receive commands. You do not need to run it on
computers that only send commands. Because the configuration activates listeners, it is prudent to run
it only where it is needed. You can do this with the following command line:
powershell.exe -NoLogo -NoProfile -Noninteractive -Command "Enable-PSRemoting -force"
Enable-PSRemoting performs configuration actions to enable this machine for remote management.
These include:
1. Runs the Set-WSManQuickConfig cmdlet, which performs the following tasks:
   - Starts the WinRM service
   - Sets the startup type on the WinRM service to Automatic
   - Creates a listener to accept requests on any IP address
   - Enables a firewall exception for WS-Management communications
   - Enables all registered Windows PowerShell session configurations to receive instructions
     from a remote computer
   - Registers the "Microsoft.PowerShell" session configuration, if it is not already registered
   - Registers the "Microsoft.PowerShell32" session configuration on 64-bit computers, if it is
     not already registered
   - Removes the "Deny Everyone" setting from the security descriptor for all the registered
     session configurations
   - Restarts the WinRM service to make the preceding changes effective
2. Configures MaxShellsPerUser using
   "winrm set winrm/config/winrs `@`{MaxShellsPerUser=`"10`"`}"
   MaxShellsPerUser specifies the maximum number of concurrent shells that any user can remotely
   open on the same computer. If this policy setting is enabled, the user will not be able to open new
   remote shells if the count exceeds the specified limit. If this policy setting is disabled or is
   not configured, the limit is set to 5 remote shells per user by default, and exceeding it produces
   the following error message:
   [localhost] Connecting to remote server failed with the following
   error message : The WS-Management service cannot process the
   request. This user is allowed a maximum number of 5 concurrent
   shells, which has been exceeded. Close existing shells or raise the
   quota for this user. For more information, see the
   about_Remote_Troubleshooting Help topic.
       + CategoryInfo          : OpenError: (System.Manageme.RemoteRunspace:RemoteRunspace) [], PSRemotingTransportException
       + FullyQualifiedErrorId : PSSessionOpenFailed
For more information about PowerShell remoting, please see MSDN.
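
To review what these changes leave behind on a given host, the following added example (not from the original paper or the BPA tooling) reads the execution policy, WinRM service, listeners, MaxShellsPerUser and session configuration permissions, and lists where they differ from the defaults described in this section. The function names are hypothetical, and the "Everyone AccessDenied" text match assumes an English-language system.

```powershell
# Added example: report the settings that the BPA installation and Enable-PSRemoting
# change. Function names are hypothetical, not BPA or MBCA cmdlets.
# Run from an elevated PowerShell 2.0 (or later) prompt.

function Get-BpaRemotingState {
    $svc = Get-WmiObject Win32_Service -Filter "Name='WinRM'"
    $state = @{
        ExecutionPolicy  = (Get-ExecutionPolicy).ToString()   # effective policy
        WinRMState       = $svc.State
        WinRMStartMode   = $svc.StartMode
        Listeners        = @()
        MaxShellsPerUser = $null
        SessionConfigs   = @()
    }

    # The WSMan: drive and the session configurations are only readable while WinRM runs.
    if ($svc.State -eq 'Running') {
        $state.Listeners = @(Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
            New-Object PSObject -Property @{
                Name = $_.Name
                Keys = ($_.Keys -join ', ')      # e.g. "Address=*, Transport=HTTP"
                Port = (Get-Item "WSMan:\localhost\Listener\$($_.Name)\Port").Value
            }
        })
        $state.MaxShellsPerUser = [int](Get-Item WSMan:\localhost\Shell\MaxShellsPerUser).Value
        $state.SessionConfigs   = @(Get-PSSessionConfiguration | Select-Object Name, Permission)
    }
    New-Object PSObject -Property $state
}

function Get-BpaRemotingFinding {
    param([Parameter(Mandatory = $true)] $State)

    # Each string returned is one deviation from the defaults named in section 3.1.
    if ($State.ExecutionPolicy -ne 'Restricted') {
        "Execution policy is $($State.ExecutionPolicy) (default: Restricted)"
    }
    if ($State.WinRMState -eq 'Running') {
        "WinRM service is running (start mode: $($State.WinRMStartMode))"
    }
    foreach ($l in $State.Listeners) {
        if ($l.Keys -match 'Address=\*') {
            "Listener $($l.Name) accepts requests on any IP address ($($l.Keys), port $($l.Port))"
        }
    }
    if ($State.MaxShellsPerUser -ne $null -and $State.MaxShellsPerUser -ne 5) {
        "MaxShellsPerUser is $($State.MaxShellsPerUser) (default: 5)"
    }
    foreach ($c in $State.SessionConfigs) {
        # Assumption: English-language permission text.
        if ($c.Permission -notmatch 'Everyone AccessDenied') {
            "Session configuration $($c.Name) accepts remote connections: $($c.Permission)"
        }
    }
}

$state = Get-BpaRemotingState
$state | Format-List
Get-BpaRemotingFinding -State $state
```

Running it before and after the BPA installation shows exactly which of these settings the installer changed on that machine.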

3.2 Install MBCA


Download the edition of MBCA depending on your platform (x86 or x64) before installation.

Please find below the screenshots demonstrating the visual flow of the MBCA Installation:

Welcome screen
License terms
Folder selection
Completion screen

3.3 Install BPA


Download the correct edition depending on your platform (x86 or x64) before installing. If you have
trouble with the installation, please see section 5.7 Troubleshooting Installation.

3.3.1 Command line


Following is an optimized command line setup example:
msiexec /i SQL2008R2BPA_Setup64.msi /l* c:\temp\sqlbpa_install.log /qn
msiexec parameters:

- /i = package name (SQL2008R2BPA_Setup32.msi or SQL2008R2BPA_Setup64.msi
  depending on your platform)
- /l* = log all information, except for the v and x options, to the log file named after it
  (/log followed by the log file is the equivalent long form)
- /q = display settings (/qn: no user interface)
- SKIPCA=1 (if no domain controller is available; Skip Certification Authority)

For information on additional public properties, consult the Windows Installer SDK for documentation
on the command line syntax.

3.3.2 GUI
Please find below the screenshots demonstrating the visual flow of the SQL Server 2008 R2 BPA
Installation:

Welcome screen
License terms
System Configuration Changes (see 3.1 Installing PowerShell 2.0 and WinRM)
Ready to install decision
Install progress
Completion screen

3.3.3 Port and Firewall restrictions


For scanning SQL Server or BI instances on an alternate server behind a firewall you must open all
necessary ports.

3.4 Updates
Microsoft is working on quarterly updates of the rule set and tool improvements of the SQL Server 2008
R2 Best Practice Analyzer. Please visit the Download site from Microsoft regularly to find new updates.

3.5 Uninstall
3.5.1 BPA

3.5.2 MBCA

3.5.3 Reset PowerShell settings


After uninstalling the BPA you may disable PowerShell remote scripting. You can do this with the
following command line:
powershell.exe -NoLogo -NoProfile -Noninteractive -Command "Disable-PSRemoting -force"
Disable-PSRemoting performs configuration actions to disable this machine for remote management.
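
Disable-PSRemoting on its own only blocks remote access to the session configurations; it does not stop WinRM, delete the listener, close the firewall exception or reset the other settings listed in section 3.1. The following added example (not from the original paper or the BPA tooling) reverts those by hand. It assumes that nothing else on the host depends on WinRM and that the firewall rule group is named as on Windows 7 / Windows Server 2008 R2.

```powershell
# Added example: undo the remoting changes listed in section 3.1 after BPA has been
# uninstalled. Run from an elevated prompt. Assumes no other tool on this host
# depends on WinRM.

# 1. Block remote access to all registered session configurations.
Disable-PSRemoting -Force

# 2. Put MaxShellsPerUser back to the default of 5 named in section 3.1
#    (has to happen while the WinRM service is still running).
Set-Item WSMan:\localhost\Shell\MaxShellsPerUser 5

# 3. Delete the listener(s) that accept requests on any IP address.
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { ($_.Keys -join ',') -match 'Address=\*' } |
    ForEach-Object { Remove-Item "WSMan:\localhost\Listener\$($_.Name)" -Recurse }

# 4. Stop the WinRM service and keep it from starting again.
Stop-Service WinRM -Force
Set-Service WinRM -StartupType Disabled

# 5. Disable the firewall exception for WS-Management communications.
#    Assumption: rule group name as on Windows 7 / Windows Server 2008 R2;
#    netsh advfirewall is not available on Windows Server 2003.
netsh advfirewall firewall set rule group="Windows Remote Management" new enable=no

# 6. Return the execution policy to the default.
Set-ExecutionPolicy Restricted -Force
```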

4 USAGE
There are two ways to scan a server using MBCA and SQL 2008 R2 BPA. They are:

- Scanning through the local machine.
  o In this case you are using MBCA and SQL 2008 R2 BPA running on the local machine to
    perform the scan.
  o This scan can be of the local or an alternate server.
- Scanning through a remote machine.
  o In this case MBCA is used to connect to a remote server that has MBCA and SQL 2008
    R2 BPA installed on it.
  o This scan is using the local machine to form the connection to the remote machine and is
    actually performing the scan through the remote machine.

4.1 Help file


The help file for the SQL Server 2008 R2 Best Practice Analyzer contains very useful information. This
help file is available after the installation of BPA, and is located at Start->All programs->SQL Server
2008 R2 BPA.

4.2 GUI
1. Ensure that MBCA v2 and SQL 2008 R2 BPA are installed on the machine.
2. Run the MBCA application from the start menu, with elevated user rights.

3. On the MBCA home page, ensure the "SQL Server 2008 R2 BPA" product is selected:
4. Click "Start Scan", which displays a page to specify parameters as shown below:

5. Fill in Alternate_Server_to_Scan with the remote machine you want to scan, in one of the
   following forms:

   - ComputerName
   - IP address: n.n.n.n
   - FQDN (Fully Qualified Domain Name)

   Enter ".", "localhost", or leave this blank if you want to scan the local machine.
   Enter the instance name you want to scan. To scan the default instance, enter MSSQLSERVER
   or leave this blank. Toggle the check boxes to enable or disable scans for those rule categories.
   Each of the following six check boxes corresponds to one of the SQL Server categories listed
   previously. Select at least one category in order to run a successful scan.

Analyze_SQL_Analysis_Services
Analyze_SQL_Server_Engine
Analyze_SQL_Integration_Services
Analyze_SQL_Server_Replication
Analyze_SQL_Reporting_Services
Analyze_SQL_Server_Setup

Note: Only one SQL Server instance can be scanned at a time through the MBCA GUI.

6. Click "Start Scan". MBCA will start the configured scan and display the below page while in
progress:

7. When the scan is complete, results will be displayed grouped by Severity as shown below:

4.3 Connect to a remote computer


A scan connected to a remote computer is different than scanning an alternate server.
Connect to a Remote Computer is functionality provided by Microsoft Baseline Configuration Analyzer
and is used to remotely run MBCA against a server, from the console of the client. The client needs to
have MBCA installed, but does not need BPA as it is literally running the copy of MBCA installed on the
server, using the BPA installed on the server. In this case the copy of MBCA installed on the client is
used only to remotely connect to the copy of MBCA installed on the server.
To use this functionality you first start MBCA on the client computer and select Connect to Another
Computer.


1. In the Connect to Another Computer text box, you can specify a NetBIOS name, a fully qualified
domain name (FQDN), or an IPv4 or IPv6 address. If no port number is specified, the default port
number is used. The following are examples of formats that you can specify in the Connect to
Another Computer text box.
ComputerName
ComputerName:PortNumber
IP address: n.n.n.n
IPv6 address: [n:n:n:n:n:n:n:n]
IPv4 address with port number: n.n.n.n:PortNumber
IPv6 address with port number: [n:n:n:n:n:n:n:n]:PortNumber
Note: If an administrator has changed the computer's default port number, any port other than the
default port must be opened in Windows Firewall to allow incoming connections on that port. Port
5985 is opened by default when WinRM is configured. All other ports remain blocked until opened.
For more information about how to unblock a port in Windows Firewall, see the Help for Windows
Firewall. For more information about how to configure WinRM, in a Command Prompt session, type
winrm help, and then press Enter.
2. Additionally you must supply credentials

3. CredSSP
Windows Remote Management (WinRM) supports the delegation of user credentials across
multiple remote computers. The multi-hop support functionality can now use Credential Security
Service Provider (CredSSP) for authentication. CredSSP enables an application to delegate the
user's credentials from the client computer to the target server.
CredSSP authentication is intended for environments where Kerberos delegation cannot be used.
Support for CredSSP was added to allow a user to connect to a remote server and have the ability
to access a second-hop machine, such as a file share.
Note: WinRM clients and servers will support CredSSP authentication only with explicit credentials.
Windows XP, Windows Server 2003, and earlier: CredSSP is not supported.
First, you must set CredSSP on both the client and the server.

Using the Group Policy Editor (gpedit.msc) make sure to enable Allow Delegating Fresh
Credentials and check Concatenate OS defaults with input above.
Add the server or domain to the list of servers in the format WSMAN/*.domainname.com

Next, enable and configure PowerShell Remoting on both the Client and Server by running the
following commands in a PowerShell command window opened with elevated permissions. Note:
You can configure a single machine as both a client and a server simultaneously so that you can
scan from either computer.

Enable PowerShell Remoting
o Enable-PSRemoting -Force
Settings for a client
o Enable-WSManCredSSP -Role Client -DelegateComputer [NetBiosNameOfServer]
or
o Enable-WSManCredSSP -Role Client -DelegateComputer [FQDN OF SERVER]
Settings for the server
o Enable-WSManCredSSP -Role Server
o Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB -Value 20000
o Set-Item WSMan:\localhost\Shell\MaxShellsPerUser -Value 20
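
The CredSSP and shell-quota settings above stay in effect after the scan, so it is worth recording them and reviewing which delegation targets were added. The following is an added example, not part of the original paper; the function names are hypothetical, and it assumes an elevated PowerShell session with the WinRM service running.

```powershell
# Added example (not from the original paper). Function names are hypothetical.
# Run in an elevated PowerShell session on the client and on the server.

function Get-BpaRemotingState {
    # Snapshot of the WinRM settings that the configuration steps above change.
    New-Object PSObject -Property @{
        ComputerName        = $env:COMPUTERNAME
        CredSSPStatus       = (@(Get-WSManCredSSP) -join ' | ')
        ClientAuthCredSSP   = (Get-Item WSMan:\localhost\Client\Auth\CredSSP).Value
        ServiceAuthCredSSP  = (Get-Item WSMan:\localhost\Service\Auth\CredSSP).Value
        MaxMemoryPerShellMB = (Get-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB).Value
        MaxShellsPerUser    = (Get-Item WSMan:\localhost\Shell\MaxShellsPerUser).Value
    }
}

function Get-CredSspDelegationTarget {
    # Lists the servers this client may delegate fresh credentials to
    # (the "Allow Delegating Fresh Credentials" policy list).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials'
    if (-not (Test-Path $key)) { return }

    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
        New-Object PSObject -Property @{
            Target   = $p.Value
            # A wildcard entry such as WSMAN/*.domainname.com covers every host
            # that matches, not only the server being scanned.
            Wildcard = ([string]$p.Value).Contains('*')
        }
    }
}

function Disable-BpaCredSsp {
    # Turns CredSSP off again once scanning is finished.
    param(
        [ValidateSet('Client', 'Server', 'Both')]
        [string]$Role = 'Both'
    )
    if ($Role -ne 'Server') { Disable-WSManCredSSP -Role Client }
    if ($Role -ne 'Client') { Disable-WSManCredSSP -Role Server }
}

# Review the current state (read-only):
Get-BpaRemotingState | Format-List
Get-CredSspDelegationTarget | Format-Table Target, Wildcard -AutoSize

# After the scan, if CredSSP is not needed for anything else:
# Disable-BpaCredSsp -Role Both
```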

4.4 PowerShell
For details, see 9.1 PowerShell.
To use the functionality of the Microsoft Baseline Configuration Analyzer you must import this module
first:
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$x.ExportedCommands

4.4.1 Run Scan


To run a full scan of the BPA on the alternate server on a named instance you can use the following
command line:
Invoke-MBCAModel -ModelId SQL2008R2BPA -Alternate_Server_to_scan
{servername} -SQL_Server_Instance_Name {instancename}
-Analyze_SQL_Server_Engine -Analyze_SQL_Server_Replication
-Analyze_SQL_Server_Setup -Analyze_SQL_Analysis_Services
-Analyze_SQL_Integration_Services -Analyze_SQL_Reporting_Services
The result looks like this (excerpt):
ModelId    : SQL2008R2BPA
SubModelId :
Success    : True
ScanTime   : ...
Success = True is important. This is the indicator that your scan was successful.


Parameter description:
-Alternate_Server_to_scan {servername}
-SQL_Server_Instance_Name {instancename}
-Analyze_SQL_Server_Engine
-Analyze_SQL_Server_Replication
-Analyze_SQL_Server_Setup
-Analyze_SQL_Analysis_Services
-Analyze_SQL_Integration_Services
-Analyze_SQL_Reporting_Services
The parameter list matches the parameter screen in the GUI.
The scans of the different services are optional. You can remove technologies which you do not need
to scan.
The next example starts the scan only for the Analysis Services on the alternate server servername
and for the named instance instance. A log file will be written to c:\temp\ssas.txt:
Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId AnalysisServices
-ComputerName {servername} -SqlServerInstance {instance} -SSASLogFile
c:\temp\ssas.txt
Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId Engine -ComputerName
{computername} -SqlServerInstance {servername} -CurrentLoginName
($Env:USERDOMAIN + "\" + $Env:USERNAME).ToString() -EngineLogFile
c:\temp\engine.txt -RepositoryPath ("C:\TEMP\SQL2008" + (Get-Date).ToString("yyyyMMdd")).ToString()

4.4.2 Create Report


$model = Get-MbcaModel -ModelId sql2008r2bpa
$scanResult = Get-MbcaResult -ModelId sql2008r2bpa
$collectedConfig = Get-MbcaResult -ModelId sql2008r2bpa -CollectedConfiguration
$model, $scanResult, $collectedConfig | Export-CliXml c:\temp\as.xml
Get-MBCAResult -ModelId SQL2008R2BPA -SubModelId AnalysisServices |
ConvertTo-Html | Add-Content -Path c:\test.html
The next command retrieves the results of the most recent BPA scan for the specified model, and
saves them in HTML format, applying the standard cascading style sheets that are stored in the path
windir\system32\WindowsPowerShell\v1.0\Modules\BestPractices\BestPracticesReportFormat.css.
If you want to substitute cascading style sheets, provide the path to the different cascading style
sheets.
Get-MBCAResult -ModelId SQL2008R2BPA | ?{$_.Severity -eq "Warning" -or
$_.Severity -eq "Error" } | ConvertTo-Html -As Table -property ResultNumber,
SubModelID, ComputerName, Severity, Category, Title, Problem, Impact,
Resolution, Help -Head "<h1>SQL Server 2008 (R2) Best Practice Analyzer
Report</h1>" -Title "SQL Server 2008 Best Practice Analyzer" -body
("<p>Report creation date: " + (Get-Date).ToString("dd.MM.yyyy hh:mm:ss") +
"</p>").toString() -pre "<P>Generated by user: $env:username on computer:
$env:computername</P>" -post "For details, contact Microsoft Premier."
-CssUri "$env:windir\system32\WindowsPowerShell\v1.0\Modules\BestPractices\BestPracticesReportFormat.css"
> c:\temp\sql2008r2bpa.htm

4.4.3 Exporting and opening reports by using Get-MBCAResult


You can use the Get-MBCAResult cmdlet to export scan results and configuration data to an XML
report that you can open for viewing in the future, either by using Get-MBCAResult, or by using the
MBCA GUI. Exporting reports allows you to compare older scans with more recent scans to measure
the progress of your best practice compliance.
Example of exporting to XML
$results = Get-MBCAResult <Model Id>
$collectedconfig = Get-MBCAResult <Model Id> -CollectedConfiguration
$results, $collectedconfig | Export-CliXml c:\export.xml
Example of opening archived XML report file
$loadedResults, $loadedConfiguration = Import-CliXml c:\export.xml
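
To measure progress between two archived scans, the exported files can be compared rule by rule. The following is an added example, not part of the original paper; the function names and file paths are hypothetical, and it assumes both files were written with the export command shown above and that results carry the SubModelId, ComputerName, Title and Severity properties used in the report commands of 4.4.2.

```powershell
# Added example (not from the original paper). Function names are hypothetical.

function Get-BpaFindingMap {
    # Loads one export and returns a hashtable: "SubModelId|ComputerName|Title" -> severity.
    param([Parameter(Mandatory = $true)][string]$Path)

    $results, $config = Import-Clixml -Path $Path
    $map = @{}
    foreach ($r in @($results)) {
        # String conversion also handles values that were deserialized from an enum.
        $severity = "$($r.Severity)"
        if (('Error', 'Warning') -contains $severity) {
            $map["$($r.SubModelId)|$($r.ComputerName)|$($r.Title)"] = $severity
        }
    }
    return $map
}

function Compare-BpaScan {
    # Reports findings that are new, changed in severity, or no longer reported.
    param(
        [Parameter(Mandatory = $true)][string]$OlderExport,
        [Parameter(Mandatory = $true)][string]$NewerExport
    )
    $old = Get-BpaFindingMap -Path $OlderExport
    $new = Get-BpaFindingMap -Path $NewerExport

    $keys = @($old.Keys) + @($new.Keys) | Sort-Object -Unique
    foreach ($key in $keys) {
        $change = $null
        if (-not $old.ContainsKey($key))     { $change = 'New' }
        elseif (-not $new.ContainsKey($key)) { $change = 'NoLongerReported' }
        elseif ($old[$key] -ne $new[$key])   { $change = 'SeverityChanged' }
        if (-not $change) { continue }

        $parts = $key.Split('|', 3)
        New-Object PSObject -Property @{
            Change       = $change
            SubModelId   = $parts[0]
            ComputerName = $parts[1]
            Title        = $parts[2]
            OldSeverity  = $old[$key]
            NewSeverity  = $new[$key]
        }
    }
}

# Usage (constructed file names):
# Compare-BpaScan -OlderExport C:\temp\export_old.xml -NewerExport C:\temp\export_new.xml |
#     Sort-Object Change, SubModelId |
#     Format-Table Change, SubModelId, ComputerName, OldSeverity, NewSeverity, Title -AutoSize
```

A finding listed as NoLongerReported is not necessarily fixed: a rule that could not be applied in the newer scan (a prerequisite result) also drops out of the Error and Warning set.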

4.4.4 Report Result Directory


The report result path
%AppData%\MicrosoftBaselineConfigurationAnalyzer 2\Reports\SQL2008R2BPAResults
is overwritten during each run of the tool or of the Invoke command.
Solution: save older results before you start the check:
copy-item -path ($Env:LocalAppdata +
"\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports").ToString()
-destination ($Env:LocalAppdata +
"\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports_" + (Get-Date).ToString("yyyyMMddhhmmss")).ToString() -recurse
Afterwards you can create a report with the following command:
$prevrepPath = (Get-ChildItem ($Env:LocalAppdata +
"\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2").ToString() -exclude
Reports | Sort-Object name -descending)[0]
Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath ($Env:LocalAppdata +
"\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\" +
$prevrepPath.name).ToString() | ConvertTo-Html -As Table -property
ResultNumber,SubModelID, ComputerName, Severity, Category, Title, Problem,
Impact, Resolution, Help -Head "<h1>SQL Server 2008 (R2) Best Practice
Analyzer Report</h1>" -Title "SQL Server 2008 Best Practice Analyzer" -body
("<p>Report creation date: " + (Get-Date).ToString("dd.MM.yyyy hh:mm:ss") +
"</p>").toString() -pre "<P>Generated by user: $env:username on computer:
$env:computername</P>" -post "For details, contact Microsoft Premier." >
c:\temp\sql2008r2bpa.htm
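
Because each run overwrites the previous results and the GUI scans only one instance at a time, a scripted loop can scan several instances and archive each result set before the next scan starts. The following is an added example, not part of the original paper; the function name, the archive folder and the server names are hypothetical, and it uses only the Invoke-MBCAModel and Get-MBCAResult parameters shown in 4.4.1 and 4.4.3.

```powershell
# Added example (not from the original paper). Invoke-BpaScanSet is a hypothetical name.
Import-Module BaselineConfigurationAnalyzer

function Invoke-BpaScanSet {
    param(
        # One hashtable per instance: @{ Server = '...'; Instance = '...' }
        [Parameter(Mandatory = $true)][hashtable[]]$Targets,
        [string]$ArchiveRoot = 'C:\temp\bpa-archive'   # assumed archive location
    )
    if (-not (Test-Path $ArchiveRoot)) {
        New-Item -ItemType Directory -Path $ArchiveRoot | Out-Null
    }

    foreach ($t in $Targets) {
        $scan = Invoke-MBCAModel -ModelId SQL2008R2BPA `
            -Alternate_Server_to_scan $t.Server `
            -SQL_Server_Instance_Name $t.Instance `
            -Analyze_SQL_Server_Engine -Analyze_SQL_Server_Replication `
            -Analyze_SQL_Server_Setup -Analyze_SQL_Analysis_Services `
            -Analyze_SQL_Integration_Services -Analyze_SQL_Reporting_Services

        # Success = True is the indicator of a completed scan; do not archive
        # whatever is left in the result directory from an earlier run.
        $failed = @($scan | Where-Object { -not $_.Success })
        if (-not $scan -or $failed.Count -gt 0) {
            Write-Warning ("Scan of {0}\{1} did not report Success = True; nothing archived." -f
                $t.Server, $t.Instance)
            continue
        }

        # Export results and collected configuration before the next scan overwrites them.
        $results = Get-MBCAResult -ModelId SQL2008R2BPA
        $config  = Get-MBCAResult -ModelId SQL2008R2BPA -CollectedConfiguration
        $stamp   = (Get-Date).ToString('yyyyMMddHHmmss')
        $name    = ('{0}_{1}_{2}.xml' -f $t.Server, $t.Instance, $stamp) -replace '[^\w.-]', '_'
        $file    = Join-Path $ArchiveRoot $name
        $results, $config | Export-Clixml -Path $file

        New-Object PSObject -Property @{
            Server   = $t.Server
            Instance = $t.Instance
            Errors   = @($results | Where-Object { "$($_.Severity)" -eq 'Error' }).Count
            Warnings = @($results | Where-Object { "$($_.Severity)" -eq 'Warning' }).Count
            Export   = $file
        }
    }
}

# Usage (constructed server and instance names):
# $targets = @(
#     @{ Server = 'SQLHOST01'; Instance = 'MSSQLSERVER' },
#     @{ Server = 'SQLHOST02'; Instance = 'INST1' }
# )
# Invoke-BpaScanSet -Targets $targets | Format-Table Server, Instance, Errors, Warnings, Export -AutoSize
```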


5 TROUBLESHOOTING
5.1 Application directories
The following directories are used by MBCA:

Report output directory: %localappdata%\Microsoft\MicrosoftBaselineConfigurationAnalyzer 2\Reports\SQL2008R2BPAResults

Model configuration path: %Programdata%\Microsoft\Microsoft Baseline Configuration Analyzer 2\Models\SQL2008R2BPA

Temp and log files directory: %temp%\SQL2008R2BPA\SQL2008\<date>_<time>

Registry: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\BaselineConfigurationAnalyzer]

Log Files
During Data Discovery, SQL Server 2008 R2 BPA creates log files for troubleshooting. The log file
contains the following information:

Pre-requisite validation
Timestamps of each finished rule's start and end times
Run-time scripting errors and exceptions from PowerShell traps

Log Files Location


For every scan, log files are created in the user's local Temp directory (%Temp%) and follow the folder
structure: /SQL2008R2BPA/< Instance Name >/< datestamp_timestamp >/< Log files >.
Note: In case of a remote scan, the category log files are generated on the remote system at the same
path, whereas the common log file is generated in the local system.
Log Files Structure
A common log file gets generated and contains information about each category's execution. Apart
from this, each category has its own log file which details the rule execution. The names of the log files
are given below:

Common File - ModelLog.txt


Engine Rules - EngineLog.txt
Replication Rules - ReplicationLog.txt
Setup Rules - SetupLog.txt
Analysis Services Rules - AnalysisServicesLog.txt
Reporting Services Rules - ReportingServicesLog.txt
Integration Services Rules - IntegrationServicesLog.txt

5.2 Windows Server 2003 NumberOfLogicalProcessors


Analysis Services RID2803 and RID2804: the NumberOfLogicalProcessors property is unavailable in
Win32_Processor on Windows Server 2003.
Solution: The NumberOfLogicalProcessors property does not exist in the WIN32_PROCESSOR object
in Windows Server 2003. It has been implemented in the hotfix:
http://support.microsoft.com/kb/932370.


Both of the rules below will function properly if you apply this hotfix. For more information look here.

5.3 MBCA
This message indicates that a prerequisite is not installed.

Please install version 2 of MBCA.

5.4 Where can I find the Instance name in result set of the analyzer
report?
The instance name is in the collected data option of the analyzer report in the BPA GUI.

5.5 Memory limit of remote PowerShell process


By default, a remote PowerShell process can consume only 150 MB of memory or less. This default limit
is quite small, and once it is reached a WinRM exception can occur and the remote connection
terminates immediately. Any application or cmdlet that is involved in PowerShell remoting should be
tested against this memory limit, because it may cause some commands to fail, for example site
collection creation.
Solution: Increase the memory limit for the remote shell. Use the following command to increase this
limit to 1000 MB. This is only necessary if you need to run those commands on that server.
Set-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB 1000

5.6 Remote connect


If you try to Connect to another computer from MBCA and you receive the following message:


You should check first if the Hotfix KB968930 is installed.


Afterwards validate that the Windows Remote Management service is started:

Enable-PSRemoting


If CredSSP is unsupported or unavailable you will see the following message:

If you have no permission to access the remote server you get the error message:


5.7 Installation
5.7.1 PowerShell error
After getting through the Pre-Reqs for BPA (PowerShell 2.0, MBCA, .NET Framework), you may hit one
of two scenarios when installing BPA.
In all of the cases of an install failure, you will see the following error:
There is a problem with this Windows Installer package. A program run as part of the setup did not
finish as expected. Contact your support personnel or package vendor.

In your Application Event Log, for both of these scenarios, you will also see the following entry:
Log Name:      Application
Source:        MsiInstaller
Date:          6/10/2010 8:38:18 AM
Event ID:      11722
Task Category: None
Level:         Error
Keywords:      Classic
User:          <Username>
Computer:      <Machine name>
Description:
Product: Microsoft SQL Server 2008 R2 BPA -- Error 1722. There is a problem
with this Windows Installer package. A program run as part of the setup did
not finish as expected. Contact your support personnel or package vendor.
Action EnablePSRemoting, location: powershell.exe, command: -NoLogo
-NoProfile -Command Enable-PSRemoting -force


This is an indicator that PowerShell is not configured. You must run the following command:
powershell.exe -NoLogo -NoProfile -Command Enable-PSRemoting -force

5.7.2 Workgroup or Non-Domain computer


In this scenario, the Enable-PSRemoting command should execute fine from a PowerShell prompt. The
actual error coming back from the PowerShell command within the Installer is Access Denied.
To work around this issue you can do the following:
1. Open a command prompt with Administrative Privileges
2. Change to the directory where the .msi file resides
3. Type msiexec /i <MSI Name> SKIPCA=1
4. MSI Name will either be SQL2008R2BPA_Setup32.msi or SQL2008R2BPA_Setup64.msi
depending on your platform
5. Once BPA is installed, open a PowerShell prompt with Administrative Privileges
6. Execute the following commands
a. Enable-PSRemoting
b. winrm set winrm/config/winrs `@`{MaxShellsPerUser=`"10`"`}
This should allow BPA to be successfully installed in the workgroup scenario.

5.7.3 Kerberos Failure


In this scenario, the installation fails with the above error because of a Kerberos issue. This
particular issue could also show up after you have installed BPA, depending on how you have
configured your environment.
The issue stems from the fact that the Windows Remoting Windows Service uses the Network Service
account. Windows Remoting also uses SOAP calls over HTTP and defaults to using Kerberos. As a
result, it will be using the HOST Service Principal Name (SPN) that is on the Machine Account as it is
running under that context. You may have an HTTP SPN that resides on a different account with that
host name, for example, if you are running an IIS Web Application such as SharePoint, or if you are
using Reporting Services and the service account is set to a Domain User account instead of Network
Service or Local System. If the URL of your application matches the machine name, then your HTTP
SPN will be the same. That's where this problem comes in. WinRM will stop working at that point and
give you a message similar to the following.
Set-WSManQuickConfig : WinRM cannot process the request. The following error
occured while using Negotiate authentication: An unknown security error
occurred.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are
specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port
does not exist.
-The client and remote computers are in different domains and there is no
trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the
WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following
command: winrm help config.


At line:50 char:33
+ Set-WSManQuickConfig <<<< -force
+ CategoryInfo : InvalidOperation: (:) [Set-WSManQuickConfig], InvalidOperationException
+ FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.SetWSManQuickConfigCommand
You can get this type of error from WinRM for multiple reasons. The one that
we saw in our testing was the HTTP SPN scenario.
If you do have an HTTP SPN defined on a Domain Account that is using the name of your machine,
you have some options. First you can follow the steps mentioned above to get BPA installed. The
Enable-PSRemoting command will give you the above error. You can temporarily remove the HTTP
SPN to get remoting enabled and then re-add the HTTP SPN.
Once BPA is setup, you will still not be able to run BPA if you put the HTTP SPN back in place. You will
see the following when you attempt to perform a scan:

This will occur regardless of which component you try to scan. It could be the Engine, Setup, RS, etc.
One option to perform the scan successfully is to temporarily remove the HTTP SPN again, run the
scan, and then put the HTTP SPN back in place. Another option, but one that will probably require
further testing from your application's end, would be to run the application under a Host Header and
then your HTTP SPN would not include the machine name, allowing BPA to run without issue.
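
Before removing or changing anything, it helps to confirm whether an HTTP SPN carrying the machine name is registered on an account other than the machine account. The following is an added example, not part of the original paper; the function name is hypothetical, and it assumes a domain-joined computer and an account that can read servicePrincipalName from Active Directory.

```powershell
# Added example (not from the original paper). Find-HttpSpnHolder is a hypothetical name.

function Find-HttpSpnHolder {
    # Lists every account that holds an HTTP SPN for this machine's short name or FQDN.
    param([string]$ComputerName = $env:COMPUTERNAME)

    $shortName      = ($ComputerName -split '\.')[0]
    $fqdn           = [System.Net.Dns]::GetHostEntry($ComputerName).HostName
    $names          = @($shortName, $fqdn) | Sort-Object -Unique
    $machineAccount = $shortName + '$'

    foreach ($name in $names) {
        # Match HTTP/<name> exactly and HTTP/<name>:<port>, but not HTTP/<name>2.
        $filter = '(|(servicePrincipalName=HTTP/{0})(servicePrincipalName=HTTP/{0}:*))' -f $name
        $searcher = [adsisearcher]$filter
        $searcher.PageSize = 200
        [void]$searcher.PropertiesToLoad.AddRange(
            [string[]]@('samaccountname', 'serviceprincipalname', 'distinguishedname'))

        foreach ($hit in $searcher.FindAll()) {
            $account = [string]$hit.Properties['samaccountname'][0]
            $spns = @($hit.Properties['serviceprincipalname']) |
                Where-Object { $_ -like "HTTP/$name" -or $_ -like "HTTP/${name}:*" }

            New-Object PSObject -Property @{
                HostName          = $name
                Account           = $account
                DistinguishedName = [string]$hit.Properties['distinguishedname'][0]
                HttpSpn           = ($spns -join ', ')
                # The situation described above: the HTTP SPN sits on a domain
                # account instead of on the machine account.
                OnOtherAccount    = ($account -ne $machineAccount)
            }
        }
    }
}

Find-HttpSpnHolder |
    Format-Table HostName, Account, OnOtherAccount, HttpSpn -AutoSize
```

No output means no HTTP SPN with the machine name was found, in which case the WinRM error has one of the other causes listed in the message.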


6 RULES
Searching for SQL Server 2008 R2 BPA at Microsoft.com reveals:

Here is an example of one of these articles that talks about a rule to check for a recent clean
CHECKDB:


BPA works by measuring a role's compliance with best practice rules in eight different categories of a
role's effectiveness, trustworthiness, and reliability. Results of measurements can be any of the three
severity levels described in the following table.

Severity level: Description

Noncompliant: Noncompliant results are returned when a role does not satisfy the conditions of a rule.

Compliant: Compliant results are returned when a role satisfies the conditions of a rule.

Warning: Warning results are returned when a role is compliant as operating currently, but may not
satisfy the conditions of a rule if changes are not made to its configuration or policy settings. For
example, a scan of Remote Desktop Services might show a warning result if a license server is
unavailable to the role, because even if no remote connections are active at the time of the scan, not
having the license server prevents new remote connections from obtaining valid client access licenses.

BPA rule categories


The following table describes the categories of best practice rules against which roles are measured
during a BPA scan.
Category Name: Description

Security: Security rules are applied to measure a role's relative risk for exposure to threats such as
unauthorized or malicious users, or loss or theft of confidential or proprietary data.

Performance: Performance rules are applied to measure a role's ability to process requests and
perform its prescribed duties in the enterprise, within expected periods of time given the role's
workload.

Configuration: Configuration rules are applied to identify role settings that might require modification
for the role to perform optimally. Configuration rules can help prevent setting conflicts that can result
in error messages or prevent the role from performing its prescribed duties in an enterprise.

Policy: Policy rules are applied to identify Group Policy or Windows Registry settings that might
require modification for the role to operate optimally and securely.

Operation: Operation rules are applied to identify possible failures of a role to perform its prescribed
tasks in the enterprise.

Predeployment: Predeployment rules are applied before an installed role is deployed in the enterprise,
to let administrators evaluate whether best practices were satisfied before you use the role in
production.

Postdeployment: Postdeployment rules are applied after all required services have started for a role,
and the role is running in the enterprise.

BPA Prerequisites: BPA Prerequisite rules explain configuration settings, policy settings, and features
that are required for the role before BPA can apply specific rules from other categories. A prerequisite
in scan results indicates that an incorrect setting, a missing role, role service, or feature, an incorrectly
enabled or disabled policy, a registry key setting, or other configuration has prevented BPA from
applying one or more rules during a scan. A prerequisite result does not imply compliance or
noncompliance. It means that a rule could not be applied, and therefore is not part of the scan results.

6.1 Engine Rules


Please find below a summary of the 74 Engine Rules with the links to the rule descriptions. These rules
are checking that you have a secure, resilient and well performing SQL configuration.

Authentication Mode (http://support.microsoft.com/kb/2028697)


Lightweight Pooling is enabled (http://support.microsoft.com/kb/2160691)
Locks Configuration Not Dynamic (http://support.microsoft.com/kb/2199576)
non-default network packet size in use (http://support.microsoft.com/kb/2157175)
degree of parallelism not set to recommended value (http://support.microsoft.com/kb/2023536)
Use Database Mail instead of SQL Mail (http://support.microsoft.com/kb/2028584)
SQL Server Agent Proxy Account (http://support.microsoft.com/kb/2160741)
SQL Login Password Policy Strength and password expiry
(http://support.microsoft.com/kb/2028712)
Trustworthy Bit (http://support.microsoft.com/kb/2183687)
Symmetric Keys Check (http://support.microsoft.com/kb/2162020)
Asymmetric Keys Check (http://support.microsoft.com/kb/2162020)
SQL Server installed on PDC BDC (http://support.microsoft.com/kb/2032911)
SQL Server Admin role membership check (http://support.microsoft.com/kb/2184138)
Windows API calls intercepted (http://support.microsoft.com/kb/2033238)
unsupported DotNET framework assemblies present (http://support.microsoft.com/kb/2033344)
Disk partition starting offset may be incorrect (http://support.microsoft.com/kb/2023571)


non-default max worker threads value configured (http://support.microsoft.com/kb/2157129)


Guest Permissions (http://support.microsoft.com/kb/2186935)
Data and Log files on the same volume (http://support.microsoft.com/kb/2033523)
IO timeouts and IO controller errors detected (http://support.microsoft.com/kb/2091098)
IO device errors detected (http://support.microsoft.com/kb/2091098)
IO errors during page faults detected (http://support.microsoft.com/kb/2091098)
cluster disk corruption encountered (http://support.microsoft.com/kb/2091098)
disk defragmentation encountered corruption (http://support.microsoft.com/kb/2091098)
failed IO requests detected (http://support.microsoft.com/kb/2091098)
IO requests are successful when retried (http://support.microsoft.com/kb/2015757)
IO Delay Problems reported by SQL Server (http://support.microsoft.com/kb/2137408)
This system experienced unexpected shutdowns (http://support.microsoft.com/kb/2091098)
tempdb corruption errors fix missing (http://support.microsoft.com/kb/960770)
Critical SQL database inconsistency errors found (http://support.microsoft.com/kb/2152734)
Logical consistency errors detected (http://support.microsoft.com/kb/2152472)
Database have auto shrink option enabled (http://support.microsoft.com/kb/2160663)
SQL Server Error logs are very big (http://support.microsoft.com/kb/2199578)
incorrect affinity mask settings detected http://support.microsoft.com/kb/2157114
Very low blocked process threshold setting detected http://support.microsoft.com/kb/2157154
Potential security issue with legacy DTS stored procedures
http://support.microsoft.com/kb/2202875
Winsock LSP loaded into SQL http://support.microsoft.com/kb/2033448
Databases using simple recovery model http://support.microsoft.com/kb/2137539
User database collation different from model http://support.microsoft.com/kb/2026108
Database files and backups exist on the same volume http://support.microsoft.com/kb/2027537
Databases have auto close option enabled http://support.microsoft.com/kb/2160685
LSI SAS drivers needs update http://support.microsoft.com/kb/2121098
SQL tempdb database not configured optimally http://support.microsoft.com/kb/2154845
SQL Database file has sparse attribute set http://support.microsoft.com/kb/2028447
Invalid startup parameters http://support.microsoft.com/kb/2028433
MSDTC settings not configured optimally http://support.microsoft.com/kb/2027550
sql incorrect results fix missing http://support.microsoft.com/kb/971780
File System needs tuning for better FileStream performance
http://support.microsoft.com/kb/2160002
linked server memory leak fix missing http://support.microsoft.com/kb/971622/EN-US
Windows service pack is not at recommended level http://support.microsoft.com/kb/2121098
default extended event health session not in expected state
http://support.microsoft.com/kb/2160570
TcpSysAndChimneyCheck http://support.microsoft.com/KB/918483
FDHOST Launcher service is not configured properly http://support.microsoft.com/kb/2160720
Unrecommended SQL Server Agent service account http://support.microsoft.com/kb/2160720
A required Windows fix to avoid sparse file related problems is missing
http://support.microsoft.com/kb/2002606
Significant Portion of SQL Server Memory Has Been Paged Out
http://support.microsoft.com/kb/2028324
Server Exception or Hang Detected on Server http://support.microsoft.com/kb/2028589
Databases exist without CHECKSUM protection http://support.microsoft.com/kb/2078345
backups outdated for databases http://support.microsoft.com/kb/2027537
Database consistency check not current http://support.microsoft.com/kb/2033590


SQL Server Memory settings are incorrect http://support.microsoft.com/KB/918483/EN-US


Autogrow Failed or took a long time http://support.microsoft.com/kb/2091024
Storport driver fix from KBA 940467 missing http://support.microsoft.com/kb/2121098
Storport driver fix from KBA 950903 missing http://support.microsoft.com/kb/2121098
SQLCLR needs additional memory configuration http://support.microsoft.com/kb/969962/EN-US
Operating System files and drivers needs update for working set trimming
http://support.microsoft.com/kb/2121098
Agent Token Replacement http://support.microsoft.com/kb/2202637
Auditing Log in failures http://support.microsoft.com/kb/2187161
Databases with high number of VLF present http://support.microsoft.com/kb/2028436
Transparent Data Encryption Certificate http://support.microsoft.com/kb/2201900
Permission on the Binn folder http://support.microsoft.com/kb/2029023
Index Statistics Are Outdated
Server public permissions http://support.microsoft.com/kb/2160698
Detected use of older versions of SQLNCLI http://support.microsoft.com/kb/979779

6.2 AS Rules
Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions.

Flight Recorder Enabled for SQL Server Analysis Services


http://support.microsoft.com/kb/2128005
Excessive amount of memory preallocated to Analysis Services
http://support.microsoft.com/kb/2027474
Server not configured for optimal concurrent query throughput
http://support.microsoft.com/kb/2135031
Non standard value detected for Analysis Services memory configuration
http://support.microsoft.com/kb/2027472
Process Thread Pool Max limit above recommended limit
http://support.microsoft.com/kb/2134497
Process Thread Pool Minimum is below the recommended limit
http://support.microsoft.com/kb/2134855
Server is running a build with a known regression http://support.microsoft.com/kb/2157941
Slice not set on a ROLAP partition or a partition where proactive caching is enabled and
ROLAP storage may occur http://support.microsoft.com/kb/2027754
Server is ignoring duplicate key errors http://support.microsoft.com/kb/2027761
No default member defined for non-aggregatable attribute
http://support.microsoft.com/kb/2027769
UnknownMember set to hidden http://support.microsoft.com/kb/2027628
Non-numeric key column for high cardinality attribute http://support.microsoft.com/kb/2028138
Attribute hierarchy enabled for high cardinality non-key attribute
http://support.microsoft.com/kb/2028143
ROLAP storage or OnlineMode set to immediate for dimension with custom rollup definition
detected http://support.microsoft.com/kb/2132742
Account or Time attribute types defined in a non-matching dimension type
http://support.microsoft.com/kb/2157299
An Account or Time dimension has no matching attribute defined
http://support.microsoft.com/kb/2027418
Dimension has no attribute defined with the same type
http://support.microsoft.com/kb/2027443


Attribute Dimension type mismatch http://support.microsoft.com/kb/2157327


Mismatched dimension attribute types detected in dimension
http://support.microsoft.com/kb/2027459
Possible incorrect order of levels defined in hierarchy http://support.microsoft.com/kb/2027460
Define attribute relationships as Rigid where possible http://support.microsoft.com/kb/2027468
Redundant attribute relationships detected http://support.microsoft.com/kb/2127437
Diamond-shape relationship detected http://support.microsoft.com/kb/2127570
Non-Standard Attribute Relationship name detected http://support.microsoft.com/kb/2127862
Proactive Caching set for dimension without a processing query
http://support.microsoft.com/kb/2027541
No Time dimension detected http://support.microsoft.com/kb/2027532
More than 3 parent-child dimensions with custom rollups defined
http://support.microsoft.com/kb/2134431
Encountered a parent-child dimension with more than 500000 members
http://support.microsoft.com/kb/2131918
Single attribute dimensions detected http://support.microsoft.com/kb/2141654
Measure groups with zero dimensional overlap detected in cube
http://support.microsoft.com/kb/2027609
Proactive Caching set for a partition without a processing query
Default measure for perspective not in the perspective http://support.microsoft.com/kb/2027603
Use MOLAP storage for dimensions that participate in semi-additive measure groups
http://support.microsoft.com/kb/2135112
Measure group defined with no partition http://support.microsoft.com/kb/2027545

6.3 RS Rules

RSWindowsNegotiate is missing from your configuration


http://support.microsoft.com/kb/2145506
HTTP Logging is not enabled http://support.microsoft.com/kb/2145909
Verbose logging is enabled http://support.microsoft.com/kb/2146315
NTLM authentication may fail for local http://support.microsoft.com/kb/2146369
Missing extended protection settings http://support.microsoft.com/kb/2146062

6.4 IS Rules

Logging task missing for package http://support.microsoft.com/kb/2027723


ActiveX Script task detected in package http://support.microsoft.com/kb/2027712
Unrecommended Integration Services service account detected
http://support.microsoft.com/kb/2027684
Integration Services logging table found in system database master and or msdb
http://support.microsoft.com/kb/2027706
Integration Services memory dump detected http://support.microsoft.com/kb/2027727

6.5 Setup Rules

Unsupported Operating System Version Detected http://support.microsoft.com/kb/2022909
WOW64 not supported for SQL Failover Clustering http://support.microsoft.com/kb/2157198
Installer cache is missing for the SQL Installation http://support.microsoft.com/kb/2015100
SQL Server WMI Provider Health Check

6.6 Replication Rules

Replication Timeout Alerts Type http://support.microsoft.com/kb/2118349
Replication Pub and Sub out of sync (Data Validation) http://support.microsoft.com/kb/2118386
Replication Pub and Sub out of sync (Constraint Violations) http://support.microsoft.com/kb/2118410
Replication Pub and Sub out of sync (Skipped Transactions) http://support.microsoft.com/kb/2194498
Merge Replication Health Check http://support.microsoft.com/kb/2118445
Subscriptions Approaching Expiration http://go.microsoft.com/fwlink/?LinkId=184483
Replication Cleanup and Retention Health Check http://support.microsoft.com/kb/2118485
Replication Latency Threshold violations http://support.microsoft.com/kb/2118425

7 HOW TO DEAL WITH DEVIATIONS


Deviations from these Best Practices may indicate potential issues, and configuration changes may be
necessary. Make sure you have tested any intended changes in a test environment before deploying
them to a production environment. You could also find deviations from Best Practices that are
acceptable or even necessary for your environment. For example:

SAP has its special Network Packet Size of 8 KB
Existing Non-Microsoft Clients would require Mixed Mode Authentication

8 MOTIVATION TO USE SQL BPA R2


Bob Ward explained in his article "Why use SQL Server 2008 R2 BPA? Case 1: Missing Updates..." the
common pitfalls during maintenance and operation of SQL Server and how to address them by using the
SQL BPA.
In brief, it is a customer scenario in which the customer is facing an issue after a major update to
SQL2008. After some troubleshooting and an update to a certain CU (that is meant to fix the issue), the
problem still occurs. Bob's article states the common resulting consequences: the involvement of
Microsoft Support, and the final solution of adding a needed trace flag.
The good news in this story is that the customer would not have needed to go to all that effort if they
had run the SQL BPA. It would have told them about the update and instructed them to put the
trace flag in place. BPA is a mechanism that proactively advises you and instructs you on dealing with
common known issues.

9 ADDITIONAL INFORMATION
9.1 PowerShell
To use the functionality of the Baseline Configuration Analyzer with PowerShell you must import this
module first:
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax:
$x=Get-Module BaselineConfigurationAnalyzer
$x.ExportedCommands
The following commands are stored in this module:

Get-MbcaModel
Get-MbcaResult
Invoke-MbcaModel
Set-MbcaResult

You can get help for each of these commands with the following syntax:
Get-help <command> -full

9.1.1 Get-MBCAModel
SYNOPSIS
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA), and that are installed on a computer.
SYNTAX
Get-MBCAModel [[-ModelId] <string[]>] [[-SubModelId] <string>] [<CommonParameters>]
DESCRIPTION
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer. If no parameter is
specified, Get-MBCAModel returns all models that are installed on the computer. If a model is specified
by using the -ModelId parameter, information about the specified model is returned.
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights; that is, "Run as Administrator."
The results of the Get-MBCAModel cmdlet include the following details about models:
1. Branding information (manufacturer or company, display names, version number), that is found in
the model manifest
2. Dynamic parameters that are included with the model
3. Submodels that are included with the model
PARAMETERS
-ModelId <string[]>
The -ModelId parameter specifies the ID of the MBCA model about which you want to view
details. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet with no parameters, and targeted at a computer on which MBCA models are installed.
This parameter supports wild card characters.
Required?                    false
Position?
Default value
Accept pipeline input?       true (By Value, By Property Name)
Accept wildcard characters?  False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.
-SubModelId <string>
The -SubModelId parameter specifies the ID of the submodel of an MBCA model about which you
want to view details. You can obtain valid values for the -SubModelId parameter by running the
Get-MBCAModel cmdlet without parameters, and targeted at a computer on which MBCA models
are installed. Not all models have submodels.
The -ModelId parameter is required with the -SubModelId parameter.
Required?                    false
Position?
Default value
Accept pipeline input?       false
Accept wildcard characters?  false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable,
WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type, "get-help about_commonparameters".
Examples
Get-MBCAModel
In the preceding example, Get-MBCAModel, with no parameters added, returns details about all MBCA
models that are installed on the computer.
Get-MBCAModel -ModelId SQL2008R2BPA
The preceding example can be used to return details about the MBCA model that is specified in the
-ModelId parameter, represented by "Model Id."
$model= Get-MBCAModel -ModelId SQL2008R2BPA
$model.Parameters
In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is
represented by "Model Id." The results of the cmdlet are stored in the variable $model.
In the next line of the example, the "Parameters" property of the model details that were stored in the
$model object returns details about which parameters are supported by the model.
Get-MBCAModel -ModelId SQL2008R2BPA -SubModelId <SubModel Id>
The preceding example can be used to return details about the MBCA sub-model that is specified by
the -SubModelId parameter, represented by "SubModel Id". Note that the -ModelId parameter is
required by the -SubModelId parameter.
$model= Get-MBCAModel -ModelId SQL2008R2BPA
$model.SubModels
In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is
represented by "Model Id." The results of the cmdlet are stored in the variable $model.
In the next line of the example, the "SubModels" property of the model details that were stored in the
$model object returns a list of the submodels of the model specified in the first line.

9.1.2 Invoke-MBCAModel
SYNOPSIS
The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA)
scan for a specific model that is installed on your computer.
SYNTAX
Invoke-MBCAModel [-ModelId] <string> -SubModelId <string> [-Authentication
<AuthenticationMechanism>] [-CertificateThumbprint <string>] [-ComputerName
<string[]>] [-ConfigurationName <string>] [-Context <string>] [-Credential
<string>] [-Mode <ModeEnum>] [-Port <int>] [-RepositoryPath <string>] [-ThrottleLimit
<int>] [-UseSSL] [<CommonParameters>]
DESCRIPTION
The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer
(MBCA) scan for a specific model that is installed on your computer. The model is specified either by
using the parameter -ModelId, or by piping the results of the Get-MBCAModel cmdlet into an
Invoke-MBCAModel cmdlet.
After the MBCA scan has been performed, the results of the scan are available to be retrieved by the
Get-MBCAResult cmdlet.
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights; that is, "Run as Administrator."
PARAMETERS
-Authentication <AuthenticationMechanism>
Specifies the authentication mechanism that is used to authenticate the user's credentials. Valid
values include Default, Basic, CredSSP, Digest, Kerberos, Negotiate, and
NegotiateWithImplicitCredential. The default value is Default.
For more information about the -Authentication parameter, type the following, and then press
Enter.
Get-Help Invoke-Command -Parameter Authentication
Required?                    false
Position?                    named
Default value                Default
Accept pipeline input?       false
Accept wildcard characters?  false
-CertificateThumbprint <string>
Specifies the digital public key certificate (X509) of a user account that has rights to perform the
cmdlet action. The valid value is the certificate thumbprint of the certificate.
For more information about this parameter, type the following, and then press Enter:
Get-Help Invoke-Command -Parameter CertificateThumbprint
Required?                    false
Position?                    named
Default value
Accept pipeline input?       false
Accept wildcard characters?  false
-ComputerName <string[]>
The Invoke-MBCAModel cmdlet lets you run an MBCA scan of a submodel on a specific
computer by adding this parameter. Valid values include NetBIOS names, IP addresses, or
fully-qualified domain names of one or more computers in a comma-separated list. To specify the local
computer, type the computer name, or "localhost".
All formats that are accepted by the -ComputerName parameter in Invoke-Command are
accepted.
Required?                    false
Position?                    named
Default value
Accept pipeline input?       false
Accept wildcard characters?  false
-ConfigurationName <string>
Specifies the session configuration that is used for a new PSSession.
Enter a configuration name, or the fully-qualified resource URI for a session configuration.
Session configuration data is found on the remote computer on which you want to run a cmdlet.
For more information about this parameter, type the following, and then press Enter.
Get-Help Invoke-Command -Parameter ConfigurationName
Required?                    false
Position?                    named
Default value
Accept pipeline input?       false
Accept wildcard characters?  false
-Context <string>
The -Context parameter lets you run scans on a submodel in the context of a specific model (one
that is different from the parent model of the submodel). For example, an administrator might
want to run a scan on the "Backend" submodel of the "SQL" model, but only those in the context
of a third model, a technology that relies upon SQL Server.
The -SubModelId parameter is required by the -Context parameter.
A model ID is the valid value of the -Context parameter.
Required?                    false
Position?                    named
Default value
Accept pipeline input?       false
Accept wildcard characters?  false
-Credential <string>
Specifies a user account that has permission to run this cmdlet. The default value is the current
user.
For more information about this parameter, type the following, and then press Enter.
Get-Help Invoke-Command -Parameter Credential
Required?                    false
Position?                    named
Default value
Accept pipeline input?       false
Accept wildcard characters?  false
-Mode <ModeEnum>
The -Mode parameter lets you run a scan that is exclusively either analysis of existing discovered
documents, or discovery. The default is to perform both discovery and analysis, or All.
If you do not add the -Mode parameter to the Invoke-MBCAModel cmdlet, both discovery and
analysis are performed during a scan.
Valid values are Discovery, Analysis, and All.
Required?                    false
Position?                    named
Default value                All
Accept pipeline input?       false
Accept wildcard characters?  false
-ModelId <string>
The -ModelId parameter specifies the ID of the MBCA model that you want to scan. You can
obtain valid values for the ModelId parameter by running the Get-MBCAModel cmdlet targeted at
a computer on which MBCA models are installed.
Required?                    true
Position?
Default value
Accept pipeline input?       true (By Value, By Property Name)
Accept wildcard characters?  False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.
-Port <int>
Specifies the network port on a remote computer on which you want to run a scan. The default
value is port 80.
For more information on this parameter, type the following, and then press Enter.
Get-Help Invoke-Command -Parameter Port
Required?                    false
Position?                    named
Default value                80
Accept pipeline input?       false
Accept wildcard characters?  false
-RepositoryPath <string>
The -RepositoryPath parameter is used to specify a non-default location of the results repository.
The valid value for this parameter is a pathname. If the parameter is not used, the cmdlet writes
results to the default result repository.
Required?                    false
Position?                    named
Default value
Accept pipeline input?       false
Accept wildcard characters?  false
-SubModelId <string>
The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to
scan. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed. Not all models have
submodels.
The -ModelId parameter is required with the -SubModelId parameter.
Required?                    true
Position?                    named
Default value
Accept pipeline input?       false
Accept wildcard characters?  false
-ThrottleLimit <int>
Specifies the maximum number of concurrent connections that can be established to run the
cmdlet. If you omit this parameter, or enter a value of 0, the default value of 32 is used.
For more information about this parameter, type the following, and then press Enter:
Get-Help Invoke-Command -Parameter ThrottleLimit
Required?                    false
Position?                    named
Default value                32
Accept pipeline input?       false
Accept wildcard characters?  false
-UseSSL [<SwitchParameter>]
Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer.
By default, SSL is not used.
For more information about this parameter, type the following, and then press Enter:
Get-Help Invoke-Command -Parameter UseSSL
Required?                    false
Position?                    named
Default value
Accept pipeline input?       false
Accept wildcard characters?  false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable,
WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type, "get-help about_commonparameters".
OUTPUTS
System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.InvokeBpaModelOutput>
The output object encapsulates the results of the cmdlet that you entered. It contains information such
as the MBCA model ID, the success or failure of the cmdlet, and other details.
NOTES
If the cmdlet is used to perform a single-model scan, and the cmdlet is cancelled (by using CTRL+C)
before the temporary results file is copied to its final location, the temporary file is discarded, and any
previous scan results file for the role are preserved. The message "Processing of Invoke-MBCAModel
cancelled by user" is displayed, if the command is cancelled before existing scan results files are
overwritten.
If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel
cmdlet, and the command is cancelled, scans that were completed before the cancel command was
entered cannot be cancelled. A scan in progress behaves as described above in the single-model scan
cancellation scenario. Subsequent scans in the pipeline are cancelled.
If a concurrent scan of the same model is attempted, the cmdlet returns the following error message:
"Another scan for this MBCA model is in progress. Only one scan is allowed at a time."
-------------------------- EXAMPLE 1 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA
Description
The preceding example starts an MBCA scan on the model that is represented by <Model Id>.
-------------------------- EXAMPLE 2 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Scope domain -Name redmond.microsoft.com
Description
The preceding example starts an MBCA scan on the model ID that is specified by "Model Id."
The administrator starts the MBCA scan with additional model-specific parameters that are exposed by
the model. (For an example of how to obtain model-specific parameters, see the examples for the
Get-MBCAModel cmdlet.)
For example, to scan a model that requires model-specific parameters (such as -Scope and -Name) to
be passed to the command, the administrator can specify the values of these model-specific
parameters with the Invoke-MBCAModel cmdlet.
-------------------------- EXAMPLE 3 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Discovery
Description
The preceding example starts an MBCA scan on the model that is represented by "Model Id." The
cmdlet is instructed by the -Mode parameter to perform only the discovery -- not the analysis -- portion
of the scan.
-------------------------- EXAMPLE 4 --------------------------
Invoke-MBCAModel -ModelId SQL2008R2BPA -Mode Analysis -RepositoryPath <Repository Path>
Description
The preceding example starts an MBCA scan on the model that is represented by "Model Id." The
-Mode parameter value of "Analysis" indicates that the scan will perform analysis -- not discovery -- on
existing documents that are specified in the non-default repository path provided with the
-RepositoryPath parameter.
-------------------------- EXAMPLE 5 --------------------------
Invoke-MBCAModel -Id <Model Id> -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path> -AsJob -Authentication <AuthenticationMechanism> -Port <Port Number> -UseSSL -ThrottleLimit <Throttle Limit>
Description
The preceding example starts an MBCA scan on the submodel that is represented by "SubModel Id,"
and on the computer that is represented by "Server."
Because the administrator only wants to see results from the submodel that apply in the context of a
third model, the administrator runs the scan within the context of the model ID that is specified in the
-Context parameter. The cmdlet results are saved to the non-default repository path that is specified in
the -RepositoryPath parameter.
Because the -AsJob parameter is added, the scan runs in the background. The -AsJob,
-Authentication, -Port, -UseSSL and -ThrottleLimit parameters are passed through for use by the
Invoke-Command cmdlet, to perform discovery on a remote computer. For more information about
these parameters, see the Help for the Invoke-Command cmdlet, available in Windows PowerShell V2.

9.1.3 Get-MBCAResult
SYNOPSIS
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.
SYNTAX
Get-MBCAResult [-ModelId] <string> [[-CollectedConfiguration]] -SubModelId
<string> [-ComputerName <string[]>] [-Context <string>] [-Filter
<FilterEnum>] [-RepositoryPath <string>] [<CommonParameters>]
DESCRIPTION
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.
To use the command, add the -ModelId parameter, and then specify the model ID for which you want to
view the most recent MBCA scan results or collected configuration data. If you want to retrieve the
configuration data collected, add the -CollectedConfiguration switch parameter.
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights; that is, "Run as Administrator."
PARAMETERS
-CollectedConfiguration [<SwitchParameter>]
The -CollectedConfiguration parameter allows you to obtain the configuration data that was
collected for the most recent MBCA scan. If this switch parameter is added to Get-MBCAResult,
the cmdlet returns only the configuration data that was collected for a scan.
Required?                    false
Position?
Default value
Accept pipeline input?       false
Accept wildcard characters?  false
-ComputerName <string[]>
The -ComputerName parameter lets you obtain scan results that were collected for the most
recent MBCA scan of a submodel on a specific computer. To specify the local computer, type the
computer name, or "localhost." Multiple values for -ComputerName can be separated by
commas.
The -SubModelId parameter is required by the -ComputerName parameter.
Valid values for the -ComputerName parameter include "localhost," a NetBIOS name, an IP
address, or a fully-qualified domain name (FQDN) of one or more computers, in a
comma-separated list.
Required?                    false
Position?                    named
Default value
Accept pipeline input?       false
Accept wildcard characters?  false
-Context <string>
The -Context parameter lets you obtain scan results that were collected for the most recent
MBCA scan of a submodel in the context of a specific model (one that is different from the parent
model of the submodel). For example, an administrator might want to display scan results for the
"Backend" submodel of the "SQL" model, but only those in the context of a third model, a
technology that relies upon SQL Server.
The -SubModelId parameter is required by the -Context parameter.
A model ID is the valid value of the -Context parameter.
Required?                    false
Position?                    named
Default value
Accept pipeline input?       false
Accept wildcard characters?  false
-Filter <FilterEnum>
The -Filter parameter lets you instruct the Get-MBCAResult cmdlet to return only Compliant,
Noncompliant, or All results. Valid values are Noncompliant, Compliant, or All. The default value
is All.
The -Filter parameter is ignored if the -CollectedConfiguration switch parameter is added.
Required?                    false
Position?                    named
Default value
Accept pipeline input?       false
Accept wildcard characters?  false
-ModelId <string>
The -ModelId parameter specifies the ID of the MBCA model for which you want to view scan
results. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed.
Required?                    true
Position?
Default value
Accept pipeline input?       true (By Value, By Property Name)
Accept wildcard characters?  False
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.
-RepositoryPath <string>
The -RepositoryPath parameter is used to specify a non-default location of the results repository.
The valid value for this parameter is a path name. If the parameter is not used, the cmdlet obtains
results from the default result repository.
Required?                    false
Position?                    named
Default value
Accept pipeline input?       false
Accept wildcard characters?  false
-SubModelId <string>
The -SubModelId parameter specifies the ID of the submodel of an MBCA model for which you
want to view scan results. You can obtain valid values for the -SubModelId parameter by running
the Get-MBCAModel cmdlet targeted at a computer on which MBCA models are installed. Not all
models have submodels.
The -ModelId parameter is required with the -SubModelId parameter.
Required?                    true
Position?                    named
Default value
Accept pipeline input?       false
Accept wildcard characters?  false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable,
WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type, "get-help about_commonparameters".
OUTPUTS
System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.Result> OR
System.Xml.XmlDocument (if -CollectedData specified)
If you do not use the -CollectedConfiguration parameter, /verbose output can be any of the following:
1. Initializing MBCA engine for getting MBCA Results
2. Attempting to get MBCA results for Model Id = {0}
3. Completed getting MBCA results for Model Id = {0}, Number of Results = {1}
If you add the -CollectedConfiguration parameter to display configuration data that was used for a
scan, /verbose output can be any of the following:
1. Initializing MBCA engine for getting MBCA Configuration Data
2. Attempting to get MBCA collected configuration data for Model Id = {0}
3. Completed getting MBCA collected configuration data for Model Id = {0}
NOTES
The Get-MBCAResult cmdlet must be run by a member of the Administrators group, and it does not
start a new scan.
Cancellation behaviour
Single Model - To cancel this cmdlet, you must press Ctrl+C before the ResultCollection is displayed on
the console. The operation is cancelled, and results are not displayed on the console.
Multiple Models, or Pipelining - If you cancel this cmdlet while it is retrieving results for multiple models,
the cmdlet generates only those results that were displayed on the console before the cancellation. Any
subsequent results in the pipeline are cancelled and not displayed.
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -Id SQL2008R2BPA
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by "Model Id."
-------------------------- EXAMPLE 2 --------------------------
Get-MBCAModel | Get-MBCAResult
In the preceding example, Get-MBCAModel is used to return a list of all MBCA models that are
installed on the computer. The results of the Get-MBCAModel cmdlet are piped to the Get-MBCAResult
cmdlet to retrieve the most recent MBCA scan results for all models that are both supported by MBCA
and installed on the computer at which the cmdlet is targeted.
-------------------------- EXAMPLE 3 --------------------------
$result = Get-MBCAResult SQL2008R2BPA -CollectedConfiguration
$result.DiscoveryDocument
Description
In the preceding example, configuration data (in XML form) that was collected during the most recent
Microsoft Baseline Configuration Analyzer scan of the model that is represented by "Model Id" is
retrieved and stored as a property in the variable $result. $result.DiscoveryDocument is of type
System.Xml.XmlDocument.
-------------------------- EXAMPLE 4 --------------------------
Get-MBCAResult SQL2008R2BPA -Filter Noncompliant
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the model that is represented by "Model Id," and then applies a filter to show only Noncompliant
results.
-------------------------- EXAMPLE 5 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id>
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by "SubModelId." Note that the parent model ID must be specified
to use the -SubModelId parameter.
-------------------------- EXAMPLE 6 --------------------------
Get-MBCAResult SQL2008R2BPA -SubModelId <SubModel Id> -ComputerName <Server> -Context <Context Model Id> -RepositoryPath <Repository Path>
Description
The preceding example returns the most recent Microsoft Baseline Configuration Analyzer scan results
for the submodel that is represented by "SubModelId." The parent model ID is provided, as required by
the -SubModelID parameter.
The -Context parameter indicates that the administrator wants to see only those scan results that are in
the context of the model that is represented by "Context Model Id;" for example, only those results from
a SQL Server scan that specifically apply to another technology, such as Web Server (IIS).
The scan results are further narrowed to only those from a computer that is specified in the
-ComputerName parameter as "Server," and only those results found in the non-default results
repository that is represented by "Repository Path".

9.1.4 Set-MBCAResult
SYNOPSIS
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see.
SYNTAX
Set-MBCAResult [[-Exclude] <Boolean>] [-Results] <Result>> [[-RepositoryPath] <string>] [<CommonParameters>]
DESCRIPTION
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see.
The action specified in the cmdlet (Exclude, for example) determines how the existing results of an
MBCA scan are updated. Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet
to return a collection of scan results.
You can apply filters to results that are returned by the Get-MBCAResult cmdlet, and then pipe the
filtered collection of results to the Set-MBCAResult cmdlet, specifying either to include or exclude
filtered scan results.
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights; that is, "Run as Administrator."
PARAMETERS
-Exclude <Boolean>
Excludes scan results from the results collection that were previously obtained by the
Get-MBCAResult command. To exclude results by using the -Exclude parameter, add the value $true
following the parameter, as shown:
-Exclude $true
To include results that have been excluded, use the $false value for the -Exclude parameter.
Required?                    false
Position?
Default value
Accept pipeline input?       false
Accept wildcard characters?  false
-RepositoryPath <string>
The -RepositoryPath parameter is used to specify a non-default location of the results repository.
The valid value for this parameter is a path name. If the parameter is not used, the cmdlet
modifies results from the default result repository.
Required?                    false
Position?
Default value
Accept pipeline input?       false
Accept wildcard characters?  false
-Results <Result>>
Specifies the result collection to be updated by the Set-MBCAResult cmdlet. The -Results
parameter is typically used to specify a filtered subset of scan results that has already been
stored in a variable; the variable name is provided as the valid value for the -Results parameter.
For example, if you have created a variable $allPerformance to store all the Performance
category results for an MBCA scan of all models on a computer, and you want to exclude those
Performance results from the complete collection of scan results, you add the parameter -Results
$allPerformance to a Set-MBCAResult cmdlet.
For a more detailed example, see the Examples section of the Help for this cmdlet.
Required?                    true
Position?
Default value
Accept pipeline input?       true (ByValue)
Accept wildcard characters?  false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable,
WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type, "get-help about_commonparameters".
NOTES
If the Set-MBCAResult command is cancelled before the results are written to a file, the operation is
cancelled and the results file is not modified. If cancellation occurs after the results file has been
modified, the command's actions are carried out, and the command cannot be cancelled.
-------------------------- EXAMPLE 1 --------------------------
Get-MBCAResult -ModelId SQL2008R2BPA | Where { $_.Category -eq "Performance" } | Set-MBCAResult -Exclude $true
Description
The first section of the preceding example, to the left of the first pipe character (|), uses the
Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model ID that is
represented by "Model Id."
The second section of the command filters the results of the Get-MBCAResult cmdlet to get only those
scan results for which the category name is equal to "Performance."
The final section of the example, following the second pipe character, excludes the Performance
results that were filtered by the previous section of the example.
-------------------------- EXAMPLE 2 --------------------------
$rcPolicy = Get-MBCAResult -ModelId SQL2008R2BPA -RepositoryPath "C:\ReposPath" | Where { $_.Category -eq "Policy" }
Set-MBCAResult -Exclude $true -RepositoryPath "C:\ReposPath" -Results $rcPolicy
Description
The first line of the preceding example, to the left of the pipe character (|), instructs the Get-MBCAResult cmdlet to retrieve Baseline Configuration Analyzer scan results for the model that is
represented by "Specified Model Id." from the specified non-default repository path.
The second section of the example, after the pipe character, filters the results of the Get-MBCAResult
cmdlet to return only those scan results for which the category name is equal to (note the -eq option)
Policy. The variable $rcPolicy is created to store the filtered results of the Get-MBCAResult cmdlet; this
variable can be used in subsequent commands to represent those results.
The second line of the command uses the Set-MBCAResult cmdlet to exclude the set of results that
are stored in the $rcPolicy variable. In this example, the -Results parameter is added because the
administrator wants to exclude a specific subset of scan results for that model, and has created the
variable $rcPolicy to represent that subset of results. The repository root is specified in the second line,
because the administrator wants to modify the results in the same non-default repository from which
the data in $rcPolicy was retrieved.
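
Because an exclusion hides findings from later views of the scan results, it is worth recording exactly which results were excluded before the results file is modified. The following script is an added example, not part of the original paper or of the MBCA Help; the audit folder C:\BpaAudit and the file naming are assumptions chosen for illustration.

```powershell
# Added example: keep a record of the results that are about to be excluded.
# Assumptions (not from the paper): the audit folder and the file name pattern.
$modelId  = 'SQL2008R2BPA'
$auditDir = 'C:\BpaAudit'                      # hypothetical audit location
$stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'

# Same filter as Example 1, but captured in a variable so that the set can be
# inspected and written out before anything is changed. @() forces an array
# even when only one result (or none) matches.
$toExclude = @(Get-MBCAResult -ModelId $modelId |
    Where-Object { $_.Category -eq 'Performance' })

if ($toExclude.Count -eq 0) {
    Write-Warning "No results matched the filter for $modelId; nothing was excluded."
    return
}

# Write the full result objects to a timestamped CSV. This happens first, so
# the record exists even if the exclusion step fails or is cancelled.
if (-not (Test-Path $auditDir)) {
    New-Item -ItemType Directory -Path $auditDir | Out-Null
}
$auditFile = Join-Path $auditDir "excluded-$modelId-$stamp.csv"
$toExclude | Export-Csv -Path $auditFile -NoTypeInformation

# Exclude exactly the recorded set, passing it with -Results as in Example 2.
Set-MBCAResult -Exclude $true -Results $toExclude
Write-Output "Excluded $($toExclude.Count) result(s); record written to $auditFile"
```

When the scan results are kept in a non-default repository, add the same -RepositoryPath value to both cmdlets, as Example 2 does.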

9.1.5 MBCA Model Authoring


You can find further information about the configuration and usage of MBCA models in
MBCA_ModelAuthoringGuide.docx.


Did this paper help you? Please give us your feedback. Tell us on a scale of 1 (poor) to 5 (excellent),
how would you rate this paper and why have you given it this rating? For example:

Are you rating it high due to having good examples, excellent screen shots, clear writing, or
another reason?

Are you rating it low due to poor examples, fuzzy screen shots, or unclear writing?

This feedback will help us improve the quality of white papers we release.
Send feedback.
