Export (0) Print
Expand All

Configuration Analyzer for System Center 2012 R2

Updated: November 1, 2013

Applies To: System Center 2012 R2

System Center 2012 R2 Configuration Analyzer is your first line of defense for troubleshooting issues with System Center 2012 R2 server-side components. System Center 2012 R2 Configuration Analyzer is a diagnostic tool that you can use to evaluate important configuration settings for computers that run any of the following System Center 2012 R2 components:

  • App Controller

  • Configuration Manager

  • Data Protection Manager (DPM)

  • Operations Manager

  • Orchestrator (plus Service Provider Foundation)

  • Remote Console Connect

  • Service Management Automation

  • Service Manager

  • Service Reporting

  • Virtual Machine Manager (VMM)

Previously, if you wanted to analyze configuration settings for several System Center components you had to download and install separate best practice analyzers (BPAs) for each component. With the release of System Center 2012 R2, you can now use a single model (called the System Center 2012 R2 Configuration Analyzer model) within Microsoft Baseline Configuration Analyzer 2.0 that automatically detects and scans all System Center 2012 R2 server-side components.

System requirements and prerequisites

The following items must be pre-installed on the server or client computer on which System Center 2012 R2 Configuration Analyzer will be installed:

  • An operating system supported by System Center 2012 R2

    For a list of supported operating systems, see Server Operating Systems in System Center 2012 SP1 and Client Operating Systems in System Center 2012 SP1.

    noteNote
    System Center 2012 R2 Configuration Analyzer does not support Windows Server 2012 Core.

  • Microsoft Baseline Configuration Analyzer 2.0

    You can download this from the Microsoft Download Center.

    noteNote
    You may run across references to version 2.1 of Microsoft Baseline Configuration Analyzer within System Center 2012 R2 Configuration Analyzer. This is incorrect. The correct version of Microsoft Baseline Configuration Analyzer is 2.0.

In addition, if you plan to scan any computers that will be used as SQL Server hosts for a Configuration Manager site database, you must have SQL Server pre-installed on those computers.

How System Center 2012 R2Configuration Analyzer works

System Center 2012 R2 Configuration Analyzer works within Microsoft Baseline Configuration Analyzer 2.0 to scan the hardware and software configurations of the computers that you specify and evaluate them against a set of predefined rules. Then it provides you with error messages and warnings for any configurations that are not optimal. System Center 2012 R2 Configuration Analyzer automatically detects all installed System Center 2012 R2 server-side components and evaluates them against the appropriate rules.

noteNote
System Center 2012 R2 Configuration Analyzer is designed to help you configure your computers for optimal performance based on a set of best-practice rules. Your computers might have some issues that System Center 2012 R2 Configuration Analyzer does not detect.

While rule violations, even critical ones, might not always cause problems, they do indicate issues that can result in poor performance, poor reliability, unexpected conflicts, increased security risks, or other potential problems.

Scan results can be any of the three severity levels described in the following table.

 

Severity level Description

Noncompliant

The component does not satisfy the conditions of a rule.

Compliant

The component satisfies the conditions of a rule.

Warning

The component is compliant as it is operating currently, but might not satisfy the conditions of a rule if changes are not made to its configuration or policy settings.

Rule categories

The following table lists the categories of rules by which hardware and software configurations are measured during a scan.

 

Category name Description

Security

Security rules measure a component’s relative risk for exposure to threats such as unauthorized or malicious users, or loss or theft of confidential or proprietary data.

Performance

Performance rules measure a component’s ability to process requests and perform its prescribed duties, within time periods expected for the component’s workload.

Configuration

Configuration rules identify component settings that might require modification for the component to perform optimally. Configuration rules can help prevent conflicts that can result in error messages or prevent the component from performing its prescribed duties.

Policy

Policy rules identify Group Policy or Windows Registry settings that might require modification for the component to operate optimally and securely.

Operation

Operation rules identify possible failures of a component to perform its prescribed duties.

Postdeployment

Post-deployment rules are applied after all required services have started for a component, and the component is running in the enterprise.

BPA Prerequisites

BPA Prerequisite rules explain configuration settings, policy settings, and features that are required for the component before System Center 2012 R2 Configuration Analyzer can apply specific rules from other categories. A prerequisite in scan results indicates that an incorrect setting, service, or feature, an incorrectly enabled or disabled policy, a registry key setting, or other configuration has prevented System Center 2012 R2 Configuration Analyzer from applying one or more rules during a scan. A prerequisite result does not imply compliance or noncompliance. It means that a rule could not be applied, and therefore is not part of the scan results.

System Center 2012 R2Configuration Analyzer rules

The following table lists the rules by which hardware and software configurations are measured during a scan.

 

Rule name System Center 2012 R2 component Description

Website Authentication Check

App Controller

Checks that the App Controller website is set to anonymous authentication.

API Authentication Check

App Controller

Checks that the App Controller website is set to either basic or Windows integrated authentication.

Integrated Authentication Enabled

App Controller

Checks that single sign on is enabled.

App Controller and VMM installation location

App Controller

Checks that App Controller and VMMare installed on different servers.

Constrained Delegation Enabled

App Controller

Checks that constrained delegation is enabled.

Constrained Delegation Enabled to VMM Server

App Controller

Checks that constrained delegation is enabled to the VMM server.

Constrained Delegation Enabled to VMM Library Servers

App Controller

Checks that constrained delegation is enabled to the VMM Library servers.

Constrained delegation enabled to file shares

App Controller

Checks that constrained delegation is enabled to network file shares.

InstanceServiceStatusPreReqCheck

Configuration Manager

Checks that the SQL Server Instance service is running.

ManagementStudioPreReqCheck

Configuration Manager

Checks that Management Studio is available.

CurrentUserLoginPreReqCheck

Configuration Manager

Checks that the current logon exists and that the user is a member of the Systems Administrator role.

ServerAuthentication

Configuration Manager

Checks that the authentication mode is set to the recommended value. Windows Authentication is the default authentication mode and is more secure than SQL Server Authentication. Windows Authentication uses Kerberos security protocol, provides password-policy enforcement for complexity validation of password strength, provides support for account lockout, and supports password expiration.

ServerVersion

Configuration Manager

Checks that the SQL Server version is supported. If the SQL Server version is not supported, System Center 2012 R2 Configuration Manager cannot be installed.

ServerEdition

Configuration Manager

Checks that the SQL Server edition is supported. If the SQL Server edition is not supported, System Center 2012 R2 Configuration Manager cannot be installed.

DatabaseCollation

Configuration Manager

Checks that the SQL Server collation settings are supported. If the SQL Server collation settings are not supported, the System Center 2012 R2 Configuration Manager hierarchy cannot function properly.

InstanceNamePreReqCheck

Configuration Manager

Checks that the SQL Server instance exists.

AutoGrowEnabled

Data Protection Manager (DPM)

Checks that DPM volume autogrow is enabled for protection groups.

BandwidthThrottlingAtPS

Data Protection Manager (DPM)

Checks that network throttling is enabled on the protected computers.

BandwidthThrottlingAtServer

Data Protection Manager (DPM)

Checks that QoS Packet Scheduler is installed and enabled on the DPM server.

STCompressionData Protection Manager

Data Protection Manager (DPM)

Checks that compression for short-term tape backups is enabled.

LTCompression

Data Protection Manager (DPM)

Checks that compression for long-term tape backups is enabled.

OnWireCompression

Data Protection Manager (DPM)

Checks that on-the-wire compression is enabled.

DataThreshold

Data Protection Manager (DPM)

Checks that the total size of the protected data on the DPM server is less than 80 TB.

RecVolThreshold

Data Protection Manager (DPM)

Checks that the recovery point volume on the DPM server is less than 40 TB.

DPMDBBackup

Data Protection Manager (DPM)

Checks that the DPM database (DPMDB) is protected.

RecentDPMDBBackup

Data Protection Manager (DPM)

Checks that the DPM database (DPMDB) was backed up in the last seven days.

DiskUsageThresholdReached

Data Protection Manager (DPM)

Checks that the free disk space available in the DPM storage pool is greater than 20 percent of the total disk space.

EseUtilOff

Data Protection Manager (DPM)

Checks that the Exchange Server Database Utilities (Eseutil.exe) is enabled for protection groups.

FirewallEnabled

Data Protection Manager (DPM)

Checks that a firewall is enabled on the remote computer.

FreeSpaceOnSystemDisk

Data Protection Manager (DPM)

Checks that the volume that contains the DPM program files has more than 5 GB of free space.

LTODrive

Data Protection Manager (DPM)

Checks that the drivers for the LTO tape drive are correct. You should verify that the tape library is compatible with DPM. For more information, see Compatible Tape Libraries.

PageFile

Data Protection Manager (DPM)

Checks that the paging file is 0.2 percent of the size of all recovery point volumes combined, as required for DPM.

CCConflict

Data Protection Manager (DPM)

Checks that automatic consistency checks are scheduled to occur outside of business hours (8 A.M. to 6 P.M.).

EFBackupSchedule

Data Protection Manager (DPM)

Checks that the number of express backups scheduled per day is between one and three.

SQLSchedStatus

Data Protection Manager (DPM)

Checks whether any DPM jobs are failing. If so, this might be because the SQL Server Agent service that manages the DPM job scheduler is failing.

CheckServersMM

Operations Manager

Checks whether any management servers are in maintenance mode.

CheckServiceBroker

Operations Manager

Checks that SQL Broker service is enabled.

CheckDWSynchInstance

Operations Manager

Checks whether any DW Sync Server entries are missing.

CheckManagementServerDiskFreeSpace

Operations Manager

Checks that the server has at least one gigabyte of free space and 15% of free space.

CheckManagementServerRAM

Operations Manager

Checks that the management server has at least two gigabytes of RAM.

CheckManagementServerCpu

Operations Manager

Checks that the server has at least two logical CPUs.

CheckSQLDatabaseClustered

Operations Manager

Checks whether the SQL Server Instances are clustered.

CheckHighAvailabilityOfServers

Operations Manager

Checks whether the environment has only one management server, which does not support high availability.

CheckCoLocationWithSql

Operations Manager

Checks whether the management server and SQL database are on the same server.

CheckLicenseState

Operations Manager

Checks whether Operations Manager is within 180 day evaluation period.

Memory - RunbookServer

Orchestrator

Checks that the memory allocated to the runbook server is greater than 2048 MB. If the runbook server has less than 2048 MB, you should monitor its performance to ensure that it meets the expected goals in the environment.

Memory - WebComponentsServer

Orchestrator

Checks that the memory allocated to the Orchestration Console server is greater than 2048 MB. If the server has less than 2048 MB, you should monitor its performance to ensure that it meets the expected goals in the environment.

Memory - Designer

Orchestrator

Checks that the memory allocated to the Orchestrator Designer is greater than 2048 MB. If the computer has less than 2048 MB, you should monitor its performance to ensure that it meets the expected goals in the environment.

ManagementService_Logging

Orchestrator

Checks that the default trace logging for ManagementService.exe is set to the default value of 1. A value other than 1 might negatively impact performance. For information about how to configure trace logs, see Trace Logs.

PermissionsConfig_Logging

Orchestrator

Checks that the default trace logging for PermissionsConfig.exe is set to the default value of 1. A value other than 1 might negatively impact performance. For information about how to configure trace logs, see Trace Logs.

PolicyModule_Logging

Orchestrator

Checks that the default trace logging for PolicyModule.exe is set to the default value of 1. A value other than 1 might negatively impact performance. For information about how to configure trace logs, see Trace Logs.

RunbookService_Logging

Orchestrator

Checks whether logging is enabled on runbooks. If you enable logging on frequently used runbooks, it might negatively impact performance. For information about logging, see Runbook Properties.

RunbookConcurrency

Orchestrator

Checks that the maximum number of concurrent runbooks configured to run on a runbook server is set to 50. A value other than 50 might negatively impact performance. For information about runbook throttling, see How to Configure Runbook Throttling.

IsOrchestratorDomainGroup

Orchestrator

Checks that the Windows group that is used to manage access to runbooks is configured as a domain group if the web components are not installed on the management server. The group must be a domain group in order for users to have access through the web service and Orchestration console when the web components are installed on a server separate from the management server. For information about how to configure the Orchestrator Users group, see How to Change the Orchestrator Users Group.

Logging

Orchestrator

Checks for errors in the Orchestrator BPA log file.

PurgeLog

Orchestrator

Checks that the log-purging value for runbooks is set to the default value, which is to run every day and keep the last 500 entries. For information about how to set the purging policy for runbook logs, see Runbook logs.

RefreshInterval

Orchestrator

Checks that the default refresh interval for generating the cache that provides access to runbooks from the Orchestration Console is set to 600 seconds. For information about how to set up the refresh cache, see Orchestrator.

RunbookLogging

Orchestrator

Checks whether common logging or activity-specific logging is enabled on runbooks.

Memory - ManagementServer

Orchestrator

Checks that the computer has the recommended 2048 MB of memory.

Stamp has Virtual Machine Manager (VMM) Server

Remote Console Connect

Checks that only one Virtual Machine Manager (VMM)server is mapped to a stamp.

Console connect enabled on Virtual Machine Manager (VMM) Server

Remote Console Connect

Checks that the Virtual Machine Manager (VMM)server is configured for console connect.

Virtualization hosts are configured for console connect

Remote Console Connect

Checks that each virtualization host supports and is configured for console connect.

Gateway configured for console connect

Remote Console Connect

Checks that the remote desktop gateway supports and is configured for console connect.

ChartTimeSliceSampleSize

Service Management Automation

Checks that the sample size of the time slice is not too large for dashboard chart rendering.

MaxJobRecords

Service Management Automation

Checks that the number of job records in the database does not exceed the maximum.

PurgeJobsOlderThanCountDays

Service Management Automation

Checks that jobs are not older than the count days.

IsSQLServerAgentRunning

Service Management Automation

Checks that the SQL server agent service is running.

IsWebServer

Service Management Automation

Checks that the Service Management Automation web service is installed.

CPUSize

Service Management Automation

Checks that the server CPU meets minimum requirements.

IsWebServerSSL

Service Management Automation

Checks that the Service Management Automation web service is using SSL.

IsUserInSmaAdminGroup

Service Management Automation

Checks that the runbook worker service is a member of the smaAdminGroup.

MemorySize

Service Management Automation

Checks that server memory meets minimum requirements.

IsRunbookLogging

Service Management Automation

Checks that runbook logging is enabled.

MaxRunningJobs

Service Management Automation

Checks that the number of running jobs has not exceeded the maximum allowed.

MaxRunningJobsPerWorker

Service Management Automation

Checks that the number of running jobs per worker server has not exceeded the maximum allowed.

IsWorkerServerDeployed

Service Management Automation

Checks that the Service Management Automation worker server is registered in the automation group.

IsWorkerServer

Service Management Automation

Checks that the Service Management Automation runbook worker service is installed.

CheckCubeProcessingFailures

Service Manager

Checks for cube-processing failures.

MemCheck

Service Provider Foundation

Checks that Service Provider Foundation is operating with a minimum of 4 GB of memory.

PageSizeConfig

Service Provider Foundation

Checks that the default Page Size value for Service Provider Foundation is 500. Any other setting might negatively impact performance.

SSLPort

Service Provider Foundation

Checks that Service Provider Foundation is configured to use its own port instead of the standard SSL port 443.

StampsScale

Service Provider Foundation

Checks that Service Provider Foundation supports five or fewer stamps.

SCSRResourceCapacityCheckFailure

Service Reporting

Checks that the target machine has the required RAM and hard drive capacity.

UserRoleScale

Service Provider Foundation

Checks that Service Provider Foundation stamps manage 500 or fewer user roles.

AdminShare

Virtual Machine Manager (VMM)

Checks the accessibility of the Admin$ share that failed on the specified server.

Bits

Virtual Machine Manager (VMM)

Checks that VMM is configured for Background Intelligent Transfer Service (BITS) using port 443 on the specified server and that no other program uses the same port.

DFL

Virtual Machine Manager (VMM)

Checks that the domain functional level is 2 or higher (2 = Windows Server 2003), which is the minimum required for VMM.

Forefront

Virtual Machine Manager (VMM)

Checks whether Microsoft Forefront Client Security is installed on the same server as VMM. If they are installed on the same server, high CPU usage over time might slow the server.

GPO

Virtual Machine Manager (VMM)

Checks for WinRM Group Policy settings that are not supported by VMM.

ICMP

Virtual Machine Manager (VMM)

Checks that the firewall configuration for the Internet Control Message Protocol (ICMP) setting "Allow inbound echo request" is enabled on the specified server.

KBCheck

Virtual Machine Manager (VMM)

Checks for a specified update or hotfix on the server.

SPN

Virtual Machine Manager (VMM)

Checks that the Service Principal Names (SPNs) that VMM requires were correctly registered when the VMM management server was set up on the specified server.

TwoGuidPaths

Virtual Machine Manager (VMM)

Checks whether the specified cluster node has more than one GUID path (one assigned by the host and one by the cluster) in at least one of the volumes. If there are two GUID paths, and you migrate a running virtual machine with snapshots to the specified cluster node, the operation will render the virtual machine configuration unusable.

WinRM

Virtual Machine Manager (VMM)

Checks that the specified server can be used for VMM server roles such as host, library, PXE server, WSUS server, or VMM management server. To verify that the WinRM service is present and running, run net start winrm at a command prompt using elevated privileges.

WMI

Virtual Machine Manager (VMM)

Checks that the Windows Management Instrumentation (WMI) virtualization store responds appropriately to a basic health test on the specified server.

Downloading and installing the System Center 2012 R2Configuration Analyzer model

To scan System Center 2012 R2 components, you must first download and install the System Center 2012 R2 Configuration Analyzer model. Models are what contain the set of best practice rules for evaluating an application (such as a server role, a service, a component, or other program) that runs on your computers. Models are not available with Baseline Configuration Analyzer, because they are separate, downloadable packages that can be produced either by Microsoft or by other manufacturers.

To download and install the System Center 2012 R2 Configuration Analyzer model

  1. Download the System Center 2012 R2 Configuration Analyzer model from the Microsoft Download Center.

  2. After the download completes, double-click the SC2012R2CA.msi file to run the setup wizard.

  3. Follow the instructions in the setup wizard to install the System Center 2012 R2 Configuration Analyzer model.

After the installation completes, you are ready to perform a scan of System Center 2012 R2 components.

Scanning System Center 2012 R2components

Scan System Center 2012 R2 components by using the System Center 2012 R2 Configuration Analyzer model within Microsoft Baseline Configuration Analyzer 2.0.

noteNote
In certain circumstances, System Center 2012 R2 Configuration Analyzer needs to query remote computers, such as SQL servers. This creates a “multi-hop” scenario that requires you to enable CredSSP on the remote computers to complete the scan. CredSSP is not required if you run the scan locally. System Center 2012 R2 Configuration Analyzer verifies whether CredSSP is required and then displays a message that tells you to either enable CredSSP or run the scan locally. If you enable CredSSP, make sure that you disable it after you run System Center 2012 R2 Configuration Analyzer. For information about how to enable CredSSP, see Enable-WSManCredSSP.

To scan components by using the System Center 2012 R2Configuration Analyzer model

  1. From the Start menu, right-click Microsoft Baseline Configuration Analyzer 2.0, and then click Run as administrator.

  2. On the Home page, select System Center 2012 R2 - Configuration Analyzer from the drop-down list.

  3. Do one of the following:

    • To scan the local host using the current user credentials, click Start Scan.

      noteNote
      If CredSSP is required, you must set the user credentials on the Enter Parameters page.

      System Center 2012 R2 Configuration Analyzer applies the appropriate rules based on the detected System Center 2012 R2 component(s) on the local host.

    • To specify additional parameters:

      1. On the Enter Parameters page, enter the name or IP address of the target computer(s) that you want to scan. Use a space, comma, or semicolon to separate multiple computer names. If you do not specify a target computer, the local host is scanned.

        noteNote
        • To scan components on one or more target computers, you must be a member of the Administrators group on the target computer(s) and you must have the appropriate permissions for the System Center 2012 R2 component(s).

        • If you are scanning a target computer that runs System Center 2012 - Orchestrator, the target computer must be a management server in order to apply the Orchestrator runbook server and web components rules.

        • The Configuration Manager rules determine whether the target computer meets the Configuration Manager installation requirements, and these rules are applied to the computer on which SQL Server is installed.

      2. On the Enter Parameters page, click Set User, and then enter the credentials that are required to connect to the computer(s) that will be scanned. If you do not specify credentials, the current user credentials are used.

        noteNote
        If CredSSP is required, you must click Set User and enter credentials.

      3. Click Start Scan.

        System Center 2012 R2 Configuration Analyzer applies the appropriate rules based on the detected System Center 2012 R2 component(s) on the target computer(s).

  4. Wait for the scan to finish. When the scan is finished, Baseline Configuration Analyzer 2.0 displays scan results on the View Report page.

For detailed information about how to view and manage scan results, click Help in Baseline Configuration Analyzer 2.0.

 
Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft