Escolar Documentos
Profissional Documentos
Cultura Documentos
Page 1
Table of Contents
1
Introduction........................................................................................................................................ 5
1.1
1.2
1.2
21.
31.2
Fix-it......................................................................................................................................... 8
41.2
System Requirements..................................................................................................................... 10
2.1
2.2
Prerequisites................................................................................................................................ 11
Install................................................................................................................................................. 12
3.1
3.2
Install MBCA................................................................................................................................ 13
3.3
Install BPA................................................................................................................................... 14
13.
Command line........................................................................................................................ 14
23.
GUI......................................................................................................................................... 15
3.
3.4
Updates....................................................................................................................................... 16
3.5
Uninstall....................................................................................................................................... 16
13.5
BPA........................................................................................................................................ 16
23.5
MBCA..................................................................................................................................... 16
3.5
Usage................................................................................................................................................ 17
4.1
Help file....................................................................................................................................... 17
4.2
GUI.............................................................................................................................................. 17
4.3
4.4
Powershell................................................................................................................................... 22
14.
Run Scan............................................................................................................................... 22
24.
Create Report........................................................................................................................ 23
34.
4.
Troubleshooting............................................................................................................................... 25
Page 2
5.1
Application directories................................................................................................................. 25
5.2
5.3
MBCA.......................................................................................................................................... 26
5.4
Where can I find the Instance name in result set of the analyzer report......................................26
5.5
5.6
Remote connect.......................................................................................................................... 26
5.7
Installation................................................................................................................................... 29
15.7
Powershell error..................................................................................................................... 29
25.7
35.7
Kerberos Failure.................................................................................................................... 30
Rules................................................................................................................................................. 32
6.1
Engine......................................................................................................................................... 34
6.2
ASRules...................................................................................................................................... 36
6.3
RSRules...................................................................................................................................... 37
6.4
ISRules........................................................................................................................................ 37
6.5
SetupRules.................................................................................................................................. 38
6.6
Replication................................................................................................................................... 38
Additional Information..................................................................................................................... 41
9.1
Powershell................................................................................................................................... 41
19.
Get-MBCAModel.................................................................................................................... 41
29.1
Invoke-MBCAModel............................................................................................................... 43
39.1
Get-MBCAResult................................................................................................................... 48
49.1
Set-MBCAResult.................................................................................................................... 53
59.1
Copyright Information
The information contained in this document represents the current view of Microsoft Corporation on the
issues discussed as of the date of publication. Because Microsoft must respond to changing market
conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft
cannot guarantee the accuracy of any information presented after the date of publication.
This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES,
EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
Page 3
Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the companies, organizations, products, domain
names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious.
No association with any real company, organization, product, domain name, e-mail address, logo,
person, place, or event is intended or should be inferred. Complying with all applicable copyright laws
is the responsibility of the user. Without limiting the rights under copyright, no part of this document
may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any
means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the
express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.
Page 4
1 INTRODUCTION
The Microsoft SQL Server 2008 R2 Best Practices Analyzer (BPA) is a diagnostic tool that performs the
following functions:
Gathers information about a server and an instance of Microsoft SQL Server 2008 or 2008 R2
that is installed on that server
Determines if the configurations are set according to the Microsoft recommended best
practices
Reports on all configurations, indicating settings that differ from recommendations
Indicates potential problems in the installed instance of SQL Server
Recommends solutions to potential problems
This tool is used by IT Professionals and Database Administrators to help ensure that their installations
of SQL Server and associated products / components are adhering to best practices as determined by
the SQL Server Product Teams and CSS. This utility scans the installation of a local or remote machine
gathering system data from WMI, log files, the Event Log, the Windows Registry, and SQL Server
metadata and compares the results to predefined standards. It then produces a report that shows the
results and points the user to additional information on the web to help them determine whether they
should make changes to their systems.
For every configuration, the SQL Server 2008 R2 BPA provides the following results:
Compliance results are returned when an instance of SQL Server satisfies the conditions of a
Best Practices rule. Non-compliance results are returned when an instance of SQL Server
does not satisfy the conditions of a Best Practices rule.
Impact of non-compliance
Recommendation
Links to more detailed information and related topics
To assist you and to make your DBA life easier Microsoft includes some of these Best Practices in a
couple of products depending on specific purpose of the Software. The following diagram illustrates
the variety of tools available to check best practices for SQL Server 2008 and SQL Server 2008 R2 in
parallel or in combination with BPA.
Page 5
The big picture automated Best Practices of SQL Server checks offered in different flavours and
products.
SQL Server
2008 R2
Best
Practice
Analyzer
SQLRAP
CSS
Rules,
Advice,
and
Manifest
s
SCOM SQL
MP
SQL 2008
Setup
Policy
Based
Manageme
nt
Page 6
output is saved in an XML File which is then used in the evaluation activity. Evaluation is performed
using the Schematron file. This file, run by the MBCA engine, contains the logic for evaluating the best
practices. The final step following the evaluation process is the report generation which is shown in
the MBCA UI.
In the flow chart below you will find the anatomy of the SQL Server 2008 R2 Best Practices Analyzer.
Page 7
can result in poor performance, poor reliability, unexpected conflicts, increased security risks, or other
potential problems.
Best Practices Analyzer (BPA) is a server management tool that is available in
Windows Server 2008 R2. BPA can help administrators reduce best practice violations by scanning
one or more roles that are installed on Windows Server 2008 R2, and reporting best practice violations
to the administrator. Administrators can filter or exclude results from BPA reports that they do not have
to see. Administrators can also perform BPA tasks by using either the Server Manager GUI, or
Windows PowerShell cmdlets.
BPA can also be used on remote servers that are running Windows Server 2008 R2, by using Server
Manager targeted at a remote server. For more information about how to run Server Manager targeted
at a remote server, see Remote Management with Server Manager.
The following BPA modules are currently available:
1.2.3 Fix-it
Currently there exists no link between the SQL Server Best Practice Analyzer and the Fixit webpage.
http://support.microsoft.com/fixit
Microsoft is working on a solution to combine fixit with specific Best Practice Analyzer.
http://fixitcenter.support.microsoft.com/Portal
Page 8
Notes
If you click the Advanced link on a troubleshooter and then clear the Apply repairs
automatically check box, the troubleshooter displays a list of fixes to choose from, if any
problems are found.
Windows includes several troubleshooters, and more are available online when you select the
Get the most up-to-date troubleshooters from the Windows Online Troubleshooting service
check box at the bottom of Troubleshooting.
http://support.microsoft.com/gp/system_maintenance_for_windows
Page 9
2 SYSTEM REQUIREMENTS
SQL Server 2008 R2 Best Practices Advisor is supported on the following Operating Systems:
1.
2.
3.
4.
5.
6.
Windows Vista
Windows 7
Windows Server 2003
Windows Server 2003 R2
Windows Server 2008
Windows Server 2008 R2
Analysis Services
Database Engine
Integration Services
Reporting Services
Replication
Setup
These components are designed as Submodels for the BPA. This means that they will be run
concurrently where possible.
Page 10
2.2 Prerequisites
The following are required for using SQL Server 2008 R2 Best Practices Analyzer:
1. PowerShell V2.0
Windows PowerShell 2.0 requires the Microsoft .NET Framework 2.0 with Service Pack 1.
2. Microsoft Baseline Configuration Analyzer V2.0
3. SQL Server Management Tools for SQL Server 2008 or SQL Server 2008 R2
The following table outlines the prerequisite Microsoft utilities / components, by Operating System,
necessary to have on your server prior to installing and running SQL Server 2008 R2 BPA.
OS
1.Inst
all
WinR
M
2.Install
PowerShe
ll 2.0
3.Instal
l MBCA
2.0
Configure PowerShell1
4.Remot
ing
5.Execu
tion
Level
6.
MaxShells
PerUser
7. Install
SQL2008 or
SQL 2008 R2
Management
Tools
Win
Vista
Windows
7
Windows
Server
2003
Windows
Server
2003 R2
Windows
Server
2008
Windows
Server
2008 R2
1 These changes will be done from the installation routine of the BPA.
Page 11
3 INSTALL
We recommend installing BPA on a workstation or administration server and performing the scan
operation remotely against servers in your SQL Server infrastructure. It is also possible to install this
tool on the production SQL Server locally.
Installation process:
1. Install/Configure PowerShell and WinRM
2. Microsoft Baseline Configuration Analyzer V2.0
3. Microsoft SQL Server 2008 R2 Best Practices Analyzer
It exists two ways to install the Best Practices Analyzer:
Page 12
computers that only send commands. Because the configuration activates listeners, it is prudent to run
it only where it is needed. You can do this with the following command line:
powershell.exe -NoLogo -NoProfile -Noninteractive -Command "EnablePSRemoting -force"
Enable-PSRemoting performs configuration actions to enable this machine for remote management.
Includes:
1. Runs the Set-WSManQuickConfig cmdlet, which performs the following tasks:
Starts the WinRM service
Sets the startup type on the WinRM service to Automatic
Creates a listener to accept requests on any IP address
Enables a firewall exception for WS-Management communications
Enables all registered Windows PowerShell session configurations to receive instructions
from a remote computer
Registers the "Microsoft.PowerShell" session configuration, if it is not already registered
Registers the "Microsoft.PowerShell32" session configuration on 64-bit computers, if it is
not already registered
Removes the "Deny Everyone" setting from the security descriptor for all the registered
session configurations
Restarts the WinRM service to make the preceding changes effective
2. Configures MaxShellsPerUser using "winrm set winrm/config/winrs
`@`{MaxShellsPerUser=`"10`"`}"
Specifies the maximum number of concurrent shells that any user can remotely open on
the same computer. If this policy setting is enabled, the user will not be able to open new
remote shells if the count exceeds the specified limit. If this policy setting is disabled or is
not configured, the limit will be set to 5 remote shells per user by default and you receive
the following error message:
[localhost] Connecting to remote server failed with the following
error message : The WS-Management service cannot process the
request. This user is allowed a maximum number of 5 concurrent
shells, which has been exceeded. Close existing shells or raise the
quota for this user. For more information, see the
about_Remote_Troubleshooting Help topic.
+ CategoryInfo
: OpenError:
(System.Manageme.RemoteRunspa
ce:RemoteRunspace) [], PSRemotingTransportException
+ FullyQualifiedErrorId : PSSessionOpenFailed
For more information about PowerShell remoting, please see MSDN.
Page 13
Please find below the screenshots demonstrating the visual flow of the MBCA Installation:
Welcome screen
License terms
Folder selection
Completion screen
For information on additional public properties: Consult the Windows Installer SDK for documentation
on the command line syntax.
Page 14
3.3.2 GUI
Please find below the screenshots demonstrating the visual flow of the SQL Server 2008 R2 BPA
Installation:
Welcome screen
License terms
System Configuration Changes (see 3.1 Installing PowerShell 2.0 and WinRM)
Ready to install decision
Install progress
Completion screen
Page 15
3.4 Updates
Microsoft is working on quarterly updates of the rule set and tool improvements of the SQL Server 2008
R2 Best Practice Analyzer. Please visit the Download site from Microsoft regularly to find new updates.
3.5 Uninstall
3.5.1 BPA
3.5.2 MBCA
Page 16
4 USAGE
There are two ways to scan a server using MBCA and SQL 2008 R2 BPA. They are:
In this case you are using MBCA and SQL 2008 R2 BPA running on the local machine to
perform the scan.
In this case MBCA is used to connect to a remote server that has MBCA and SQL 2008
R2 BPA installed on it.
This scan is using the local machine to form the connection to the remote machine and is
actually performing the scan through the remote machine.
4.2 GUI
1. Ensure that MBCA v2 and SQL 2008 R2 BPA are installed on the machine.
2. Run the MBCA application from the start menu, with elevated user rights.
Page 17
3. On the MBCA home page, ensure the "SQL Server 2008 R2 BPA product is selected:
4. Click "Start Scan", which displays a page to specify parameters as shown below:
Page 18
ComputerName
IP address: n.n.n.n
FQDN (Fully Qualified Domain Name)
Enter ., localhost, or leave this blank if you want to scan the local machine.
Enter the instance name you want to scan. To scan the default instance, enter MSSQLSERVER
or leave this as blank. Toggle the checkboxes to enable/disable scans for those rule categories.
Each of the following six check boxes correspond to the SQL Server categories listed previously.
Select at least one category in order to run a successful scan.
Analyze_SQL_Analysis_Services
Analyze_SQL_Server_Engine
Analyze_SQL_Integration_Services
Analyze_SQL_Server_Replication
Analyze_SQL_Reporting_Services
Analyze_SQL_Server_Setup
Note: Only one SQL Server instance can be scanned at a time through the MBCA GUI.
Page 19
6. Click "Start Scan". MBCA will start the configured scan and display the below page while in
progress:
7. When the scan is complete, results will be displayed grouped by Severity as shown below:
Page 20
1. In the Connect to Another Computer text box, you can specify a NetBIOS name, a fully qualified
domain name (FQDN), or an IPv4 or IPv6 address. If no port number is specified, the default port
number is used. The following are examples of formats that you can specify in the Connect to
Another Computer text box.
ComputerName
ComputerName:PortNumber
IP address: n.n.n.n
IPv6 address: [n:n:n:n:n:n:n:n]
IPv4 address with port number: n.n.n.n:PortNumber
IPv6 address with port number: [n:n:n:n:n:n:n:n]:PortNumber
Note: If an administrator has changed the computers default port number, any port other than the
default port must be opened in Windows Firewall to allow incoming connections on that port. Port
5985 is opened by default when WinRM is configured. All other ports remain blocked until opened.
For more information about how to unblock a port in Windows Firewall, see the Help for Windows
Page 21
Firewall. For more information about how to configure WinRM, in a Command Prompt session, type
winrm help, and then press Enter.
2. Additionally you must supply credentials
3. CredSSP
Windows Remote Management (WinRM) supports the delegation of user credentials across
multiple remote computers. The multi-hop support functionality can now use Credential Security
Service Provider (CredSSP) for authentication. CredSSP enables an application to delegate the
users credentials from the client computer to the target server.
CredSSP authentication is intended for environments where Kerberos delegation cannot be used.
Support for CredSSP was added to allow a user to connect to a remote server and have the ability
to access a second-hop machine, such as a file share.
Note: WinRM clients and servers will support CredSSP authentication only with explicit credentials.
Windows XP, Windows Server 2003, and earlier: CredSSP is not supported.
First, you must set CredSSP on both the client and the server.
Using the Group Policy Editor (gpedit.msc) make sure to enable Allow Delegating Fresh
Credentials and check Concatenate OS defaults with input above.
Add the server or domain to the list of servers in the format WSMAN/*.domainname.com
Next, enable and configure PowerShell Remoting on both the Client and Server by running the
following commands in a PowerShell command window opened with elevated permissions. Note:
You can configure a single machine as both a client and a server simultaneously so that you can
scan from either computer.
Page 22
4.4 PowerShell
Details see 9.1 PowerShell
To use the functionality of the Microsoft Baseline Configuration Analyzer you must import this module
first:
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$x.ExportedCommands
Page 23
Parameter description:
-Alternate_Server_to_scan {servername}
-SQL_Server_Instance_Name {instancename}
-Analyze_SQL_Server_Engine
-Analyze_SQL_Server_Replication
-Analyze_SQL_Server_Setup
-Analyze_SQL_Analysis_Services
-Analyze_SQL_Integration_Services
-Analyze_SQL_Reporting_Services
The parameter list is equal the parameter screen in the GUI.
The scans of the different services are optional. You can remove technologies which you do not need
to scan.
The next example starts the scan only for the Analysis Services on the alternate server servername
and for the named instance instance. A log file will be written to c:\temp\ssas.txt:
Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId AnalysisServices
-ComputerName {servername} -SqlServerInstance {instance} -SSASLogFile
c:\temp\ssas.txt
Invoke-MbcaModel -ModelId SQL2008R2BPA -SubModelId Engine -ComputerName
{computername} -SqlServerInstance {servername} -CurrentLoginName
($Env:USERDOMAIN + "\" + $Env:USERNAME).ToString() -EngineLogFile
c:\temp\engine.txt RepositoryPath ("C:\TEMP\SQL2008" + (GetDate).ToString("yyyyMMdd")).ToString()
Page 24
$env:computername</P>" -post "For details, contact Microsoft Premier."CssUri $env: BestPracticesReportFormat.css > c:\temp\sql2008r2bpa.htm
Page 25
5 TROUBLESHOOTING
5.1 Application directories
To following directories are used by MBCA:
Report output
directory
%localappdata%\Microsoft\MicrosoftBaselineConfigurationAnalyzer
2\Reports\SQL2008R2BPAResults
Model configuration
path
%temp%\SQL2008R2BPA\SQL2008\<date>_<time>
Registry
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\BaselineConfigurationAnalyzer
]
Log Files
During Data Discovery, SQL Server 2008 R2 BPA creates log files for troubleshooting. The log file
contains the following information:
Pre-requisite validation
Timestamp finished rule's start and end times
Run-time scripting errors and exceptions from Power Shell Traps
Page 26
Both of the rules below will function properly if you apply this hotfix. For more information look here.
5.3 MBCA
This message indicates that on prerequisite is not installed.
5.4 Where can I find the Instance name in result set of the analyzer
report?
The instance name is in the collected data option of the analyzer report in the BPA GUI.
Page 27
Enable-PSRemoting
Page 28
If you have no permission to access the remote server you get the error message:
Page 29
5.7 Installation
5.7.1 PowerShell error
After getting through the Pre-Reqs for BPA (PowerShell 2.0, MBCA, .NET Framework), you may hit one
of two scenarios when installing BPA.
In all of the cases of an install failure, you will see the following error:
There is a problem with this Windows Installer package. A program run as part of the setup did not
finish as expected. Contact your support personnel or package vendor.
In your Application Event Log, for both of these scenarios, you will also see the following entry:
Log Name:
Application
Source:
MsiInstaller
Date:
6/10/2010 8:38:18 AM
Event ID:
11722
Task Category: None
Level:
Error
Keywords:
Classic
User:
<Username>
Computer:
<Machine name>
Description:
Product: Microsoft SQL Server 2008 R2 BPA -- Error 1722. There is a problem
with this Windows Installer package. A program run as part of the setup did
not finish as expected. Contact your support personnel or package vendor.
Action EnablePSRemoting, location: powershell.exe, command: -NoLogo
-NoProfile -Command Enable-PSRemoting force
Page 30
This is an indicator that PowerShell is not configured. You must run the following command:
powershell.exe -NoLogo -NoProfile -Command Enable-PSRemoting force
Page 31
At line:50 char:33
+
Set-WSManQuickConfig <<<< -force
+ CategoryInfo
: InvalidOperation: (:) [Set-WSManQuickConfig],
InvalidOperationException
+ FullyQualifiedErrorId :
WsManError,Microsoft.WSMan.Management.SetWSManQuickConfigCommand
You can get this type of error from WinRM for muliple reasons. The one that
we saw in our testing was the HTTP SPN scenario.
If you do have an HTTP SPN defined on a Domain Account that is using the name of your machine,
you have some options. First you can follow the steps mentioned above to get BPA installed. The
Enable-PSRemoting command will give you the above error. You can temporarily remove the HTTP
SPN to get remoting enabled and then re-add the HTTP SPN.
Once BPA is setup, you will still not be able to run BPA if you put the HTTP SPN back in place. You will
see the following when you attempt to perform a scan:
This will occur regardless of which component you try to scan. It could be the Engine, Setup, RS, etc
One option to perform the scan successfully is to temporarily remove the HTTP SPN again, run the
scan, and then put the HTTP SPN back in place. Another option, but one that will probably require
further testing from your applications end, would be to run the application under a Host Header and
then your HTTP SPN would not include the machine name, allowing BPA to run without issue.
Page 32
6 RULES
Searching for SQL Server 20087 R2 BPA at Microsoft.com reveals:
Here is an example of one of these articles that talks about a rule to check for a recent clean
CHECKDB:
Page 33
BPA works by measuring a roles compliance with best practice rules in eight different categories of a
roles effectiveness, trustworthiness, and reliability. Results of measurements can be any of the three
severity levels described in the following table.
Severity level Description
Noncompliant
Noncompliant results are returned when a role does not satisfy the conditions of a rule.
Compliant
Compliant results are returned when a role satisfies the conditions of a rule.
Warning
Warning results are returned when a role is compliant as operating currently, but may not satisfy the conditions of a
rule if changes are not made to its configuration or policy settings. For example, a scan of Remote Desktop Services
might show a warning result if a license server is unavailable to the role, because even if no remote connections are
active at the time of the scan, not having the license server prevents new remote connections from obtaining valid
client access licenses.
Page 34
The following table describes the categories of best practice rules against which roles are measured
during a BPA scan.
Category Name
Description
Security
Security rules are applied to measure a roles relative risk for exposure to threats such as unauthorized or
malicious users, or loss or theft of confidential or proprietary data.
Performance
Performance rules are applied to measure a roles ability to process requests and perform its prescribed duties in
the enterprise, within expected periods of time given the roles workload.
Configuration
Configuration rules are applied to identify role settings that might require modification for the role to perform
optimally. Configuration rules can help prevent setting conflicts that can result in error messages or prevent the
role from performing its prescribed duties in an enterprise.
Policy
Policy rules are applied to identify Group Policy or Windows Registry settings that might require modification for
the role to operate optimally and securely.
Operation
Operation rules are applied to identify possible failures of a role to perform its prescribed tasks in the enterprise.
Predeployment
Predeployment rules are applied before an installed role is deployed in the enterprise, to let administrators to
evaluate whether best practices were satisfied before you use the role in production.
Postdeployment
Postdeployment rules are applied after all required services have started for a role, and the role is running in the
enterprise.
BPA Prerequisites BPA Prerequisite rules explain configuration settings, policy settings, and features that are required for the role
before BPA can apply specific rules from other categories. A prerequisite in scan results indicates that an incorrect
setting, a missing role, role service, or feature, an incorrectly enabled or disabled policy, a registry key setting, or
other configuration has prevented BPA from applying one or more rules during a scan. A prerequisite result does
not imply compliance or noncompliance. It means that a rule could not be applied, and therefore is not part of the
scan results.
Page 35
Page 36
6.2 AS Rules
Please find below a summary of the 34 Analysis Server Rules with the links to the rule descriptions.
Page 37
6.3 RS Rules
6.4 IS Rules
Page 38
Page 39
Page 40
Page 41
9 ADDITIONAL INFORMATION
9.1 PowerShell
To use the functionality of the Baseline Configuration Analyzer with PowerShell you must import this
module first:
Import-module BaselineConfigurationAnalyzer
You can list the commands of this module with the following syntax
$x=Get-Module BaselineConfigurationAnalyzer
$x.ExportedCommands
The following commands are stored in this module:
Get-MbcaModel
Get-MbcaResult
Invoke-MbcaModel
Set-MbcaResult
9.1.1 Get-MBCAModel
SYNOPSIS
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA), and that are installed on a computer.
SYNTAX
Get-MBCAModel [[-ModelId] <string[]>] [[-SubModelId] <string>] [<CommonParameters>]
DESCRIPTION
The Get-MBCAModel cmdlet lets you retrieve and view the list of models that are supported by
Microsoft Baseline Configuration Analyzer (MBCA) and installed on the computer. If no parameter is
specified, Get-MBCAModel returns all models that are installed on the computer. If a model is specified
by using the -ModelId parameter, information about the specified model is returned.
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights; that is, "Run as Administrator."
The results of the Get-MBCAModel cmdlet include the following details about models:
1. Branding information (manufacturer or company, display names, version number), that is found in
the model manifest
2. Dynamic parameters that are included with the model
3. Submodels that are included with the model
PARAMETERS
-ModelId <string[]>
The -ModelId parameter specifies the ID of the MBCA model about which you want to view
details. You can obtain valid values for the ModelId parameter by running the Get-MBCAModel
cmdlet with no parameters, and targeted at a computer on which MBCA models are installed.
Page 42
Default value
Accept pipeline input?
false
Position?
Default value
Accept pipeline input?
false
Page 43
$model.SubModels
In the preceding example, Get-MBCAModel returns details about the specified MBCA model that is
represented by "Model Id." The results of the cmdlet are stored in the variable $model.
In the next line of the example, the "SubModels" property of the model details that were stored in the
$model object returns a list of the submodels of the model specified in the first line.
9.1.2 Invoke-MBCAModel
SYNOPSIS
The Invoke-MBCAModel cmdlet lets you start a Microsoft Baseline Configuration Analyzer (MBCA)
scan for a specific model that is installed on your computer.
SYNTAX
Invoke-MBCAModel [-ModelId] <string> -SubModelId <string> [-Authentication
<AuthenticationMechanism>] [-CertificateThumbprint <string>] [-ComputerName
<string[]>] [-ConfigurationName <string>] [-Context <string>] [-Credential
<string>] [-Mode <ModeEnum>] [-Port <int>] [-RepositoryPath <string>] [ThrottleLimit <int>] [-UseSSL] [<CommonParameters>]
DESCRIPTION
The Invoke-MBCAModel cmdlet allows you to start a Microsoft Baseline Configuration Analyzer
(MBCA) scan for a specific model that is installed on your computer. The model is specified either by
using the parameter -ModelId, or by piping the results of the Get-MBCAModel cmdlet into an InvokeMBCAMode cmdlet.
After the MBCA scan has been performed, the results of the scan are available to be retrieved by GetMBCAResult cmdlet.
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights; that is, "Run as Administrator."
PARAMETERS
-Authentication <AuthenticationMechanism>
Specifies the authentication mechanism that is used to authenticate the user's credentials. Valid
values include Default, Basic, CredSSP, Digest, Kerberos, Negotiate, and
NegotiateWithImplicitCredential. The default value is Default.
For more information about the -Authentication parameter, type the following, and then press
Enter.
Get-Help Invoke-Command -Parameter Authentication
Required?
false
Position?
named
Default value
Default
false
Page 44
Specifies the digital public key certificate (X509) of a user account that has rights to perform the
cmdlet action. The valid value is the certificate thumbprint of the certificate.
For more information about this parameter, type the following, and then press Enter:
Get-Help Invoke-Command -Parameter Certificate Thumbprint
Required?
false
Position?
named
Default value
Accept pipeline input?
false
false
Position?
named
Default value
Accept pipeline input?
false
false
Position?
named
Default value
Accept pipeline input?
false
Page 45
false
Position?
named
Default value
Accept pipeline input?
false
false
Position?
named
Default value
Accept pipeline input?
false
false
Position?
named
Default value
All
false
true
Position?
Default value
Accept pipeline input?
Page 46
This must be SQL2008R2BPA for SQL Server 2008 R2 Best Practice Analyzer.
-Port <int>
Specifies the network port on a remote computer on which you want to run a scan. The default
value is port 80.
For more information on this parameter, type the following, and then press Enter.
Get-Help Invoke-Command -Parameter Port
Required?
false
Position?
named
Default value
80
false
false
-RepositoryPath <string>
The -RepositoryPath parameter is used to specify a non-default location of the results repository.
The valid value for this parameter is a pathname. If the parameter is not used, the cmdlet writes
results to the default result repository.
Required?
false
Position?
named
Default value
Accept pipeline input?
false
false
-SubModelId <string>
The -SubModelId parameter specifies the ID of the submodel of an MBCA model that you want to
scan. You can obtain valid values for the -SubModelId parameter by running the Get-MBCAModel
cmdlet targeted at a computer on which MBCA models are installed. Not all models have
submodels.
The -ModelId parameter is required with the -SubModelId parameter.
Required?
true
Position?
named
Default value
Accept pipeline input?
false
false
-ThrottleLimit <int>
Specifies the maximum number of concurrent connections that can be established to run the
cmdlet. If you omit this parameter, or enter a value of 0, the default value of 32 is used.
For more information about this parameter, type the following, and then press Enter:
Get-Help Invoke-Command -Parameter ThrottleLimit
Required?
false
Page 47
Position?
named
Default value
32
false
false
-UseSSL [<SwitchParameter>]
Uses the Secure Sockets Layer (SSL) protocol to establish a connection on a remote computer.
By default, SSL is not used.
For more information about this parameter, type the following, and then press Enter:
Get-Help Invoke-Command -Parameter UseSSL
Required?
false
Position?
named
Default value
Accept pipeline input?
false
false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable,
WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type, "gethelp about_commonparameters".
OUTPUTS
System.Collections.Generic.List<Microsoft.BestPractices.CoreInterface.InvokeBpaModelOutput>
The output object encapsulates the results of the cmdlet that you entered. It contains information such
as the MBCA model ID, the success or failure of the cmdlet, and other details.
NOTES
If the cmdlet is used to perform a single-model scan, and the cmdlet is cancelled (by using CTRL+C)
before the temporary results file is copied to its final location, the temporary file is discarded, and any
previous scan results file for the role are preserved. The message "Processing of Invoke-MBCAModel
cancelled by user" is displayed, if the command is cancelled before existing scan results files are
overwritten.
If the cmdlet is used to perform a scan of multiple models by piping in results from the Get-MBCAModel
cmdlet, and the command is cancelled, scans that were completed before the cancel command was
entered cannot be cancelled. A scan in progress behaves as described above in the single-model scan
cancellation scenario. Subsequent scans in the pipeline are cancelled.
If a concurrent scan of the same model is attempted, the cmdlet returns the following error message:
"Another scan for this MBCA model is in progress. Only one scan is allowed at a time."
-------------------------- EXAMPLE 1 -------------------------Invoke-MBCAModel -ModelId SQL2008R2BPA
Description
The preceding example starts a MBCA scan on the model that is represented by <Model Id>.
-------------------------- EXAMPLE 2 --------------------------
Page 48
9.1.3 Get-MBCAResult
SYNOPSIS
Page 49
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.
SYNTAX
Get-MBCAResult [-ModelId] <string> [[-CollectedConfiguration]] -SubModelId
<string> [-ComputerName <string[]>] [-Context <string>] [-Filter
<FilterEnum>] [-RepositoryPath <string>] [<CommonParameters>]
DESCRIPTION
The Get-MBCAResult cmdlet lets you retrieve and view the results of a Microsoft Baseline
Configuration Analyzer scan on a specific model, or the configuration data that was used to run a scan.
To use the command, add the -ModelId parameter, and then specify the model ID for which you want to
view the most recent MBCA scan results or collected configuration data. If you want to retrieve the
configuration data collected, add the -CollectedConfiguration switch parameter.
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights; that is, "Run as Administrator."
PARAMETERS
-CollectedConfiguration [<SwitchParameter>]
The -CollectedConfiguration parameter allows you to obtain the configuration data that was
collected for the most recent MBCA scan. If this switch parameter is added to Get-MBCAResults,
the cmdlet returns only the configuration data that was collected for a scan.
Required?
false
Position?
Default value
Accept pipeline input?
false
false
Position?
named
Default value
Accept pipeline input?
false
Page 50
The -Context parameter lets you obtain scan results that were collected for the most recent
MBCA scan of a submodel in the context of a specific model (one that is different from the parent
model of the submodel). For example, an administrator might want to display scan results for the
"Backend" submodel of the "SQL" model, but only those in the context of a third model, a
technology that relies upon SQL Server.
The -SubModelId parameter is required by the -Context parameter.
A model ID is the valid value of the -Context parameter.
Required?
false
Position?
named
Default value
Accept pipeline input?
false
false
Position?
named
Default value
Accept pipeline input?
false
true
Position?
Default value
Accept pipeline input?
false
Position?
named
Page 51
Default value
Accept pipeline input?
false
true
Position?
named
Default value
Accept pipeline input?
false
Page 52
Page 53
The scan results are further narrowed to only those from a computer that is specified in the
-ComputerName parameter as "Server," and only those results found in the non-default results
repository that is represented by "Repository Path".
9.1.4 Set-MBCAResult
SYNOPSIS
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see.
SYNTAX
Set-MBCAResult [[-Exclude] <Boolean>] [-Results] <Result>> [[RepostitoryPath] <string>] [<CommonParameters>]
DESCRIPTION
The Set-MBCAResult cmdlet lets you exclude or include existing results of a Microsoft Baseline
Configuration Analyzer (MBCA) scan to show you only the scan results that you want to see.
The action specified in the cmdlet (Exclude, for example) determines how the existing results of an
MBCA scan are updated. Set-MBCAResult is typically applied after using the Get-MBCAResult cmdlet
to return a collection of scan results.
You can apply filters to results that are returned by the Get-MBCAResult cmdlet, and then pipe the
filtered collection of results to the Set-MBCAResult cmdlet, specifying either to include or exclude
filtered scan results.
You must be a member of the Administrators group on the computer on which you want to run this
cmdlet, and you must run the cmdlet in a Windows PowerShell session that has been opened with
elevated user rights; that is, "Run as Administrator."
PARAMETERS
-Exclude <Boolean>
Excludes scan results from the results collection that were previously obtained by the GetMBCAResult command. To exclude results by using the -Exclude parameter, add the value $true
following the parameter, as shown:
-Exclude $true
To include results that have been excluded, use the $false value for the -Exclude parameter.
Required?
false
Position?
Default value
Accept pipeline input?
false
false
Page 54
Position?
Default value
Accept pipeline input?
false
true
Position?
Default value
Accept pipeline input?
true (ByValue)
Page 55
Page 56
Did this paper help you? Please give us your feedback. Tell us on a scale of 1 (poor) to 5 (excellent),
how would you rate this paper and why have you given it this rating? For example:
Are you rating it high due to having good examples, excellent screen shots, clear writing, or
another reason?
Are you rating it low due to poor examples, fuzzy screen shots, or unclear writing?
This feedback will help us improve the quality of white papers we release.
Send feedback.
Page 57