Using the Microsoft Windows Small Business Server 2011 Standard Best Practices Analyzer

  • Article

Published: December 3, 2010

Applies To: Windows Small Business Server 2011 Essentials, Windows Small Business Server 2011 Standard

This document provides information about Microsoft Windows Small Business Server 2011 Best Practices Analyzer (Microsoft Windows SBS 2011 BPA), and it includes the following topics:

  • Overview of Microsoft Windows SBS 2011 BPA

  • Requirements for running Microsoft Windows SBS 2011 BPA

  • Running a Microsoft Windows SBS 2011 BPA scan

  • Viewing the results of a Microsoft Windows SBS 2011 BPA scan

  • Additional technical information

Overview of Microsoft Windows SBS 2011 BPA

Microsoft Windows SBS 2011 BPA is a diagnostic tool that is built on the Microsoft Baseline Configuration Analyzer (MBCA) technology. Microsoft Windows SBS 2011 BPA scans a computer that is running the Windows SBS 2011 server software, and compares the existing server settings to a predefined set of recommended best practices. After you run a scan, the results are reported on the View Report page of the MBCA user interface. You can also choose to display BPA scan results in the Windows SBS Console when you install Microsoft Windows SBS 2011 BPA.

Microsoft Windows SBS 2011 BPA performs the following tasks:

  • Gathers information about a computer that is running the Windows Small Business Server 2011 server software

  • Determines if the server settings comply with a set of best practices that are recommended by Microsoft

  • Provides a report of the scan results, which identifies variances from the recommended best practices

  • Identifies conditions that may lead to problems with the server

  • Recommends solutions to potential problems

Each Windows Small Business Server 2011 BPA scan report provides the following information:

  • List of Compliant results when the server satisfies the conditions of the best practices rules.

  • List of Noncompliant results when the server does not satisfy the conditions of the best practices rules.

  • Impact of noncompliant issues to the server or network

  • Recommendations for fixing noncompliant issues

Return to top

Requirements for running Microsoft Windows SBS 2011 BPA

  • You must be logged on to the server with a user account that has Network Administrator permissions.

  • Microsoft Baseline Configuration Analyzer 2.0 (MBCA 2.0) must be installed on the server and on any computer from which you initiate a BPA scan.

  • Microsoft Windows SBS 2011 BPA must be installed on the server.

To install Microsoft Baseline Configuration Analyzer 2.0

  1. Go to the download site for Microsoft Baseline Configuration Analyzer 2.0 at the Microsoft website (https://go.microsoft.com/fwlink/?LinkId=188529) and choose one of the following setup files:

    • If you will run the BPA from the server or from another computer that is running a 64-bit version of Windows, download the installation file named MBCA_Setup64.msi. Windows SBS 2011 is a 64-bit server, and it requires this file.

    • If you will run the BPA from a computer that is running a 32-bit version of Windows, download the installation file named MBCA_Setup32.msi.

Note

To determine which version of Windows a computer is running:

  • If the computer is running Windows 7, click the Start button, type msinfo32.exe in the search box, and then press ENTER. See the version located in the System Type field.

  • If the computer is running Windows Vista or Windows XP, click Start, click Run, type msinfo32.exe, and then press ENTER. See the version located in the System Type field.

  1. Save the file to the computer, to a removable storage device (such as a USB flash drive), or to storage media (such as a CD).

  2. From the server or from a computer that you will use to run Microsoft Windows SBS 2011 BPA, open the location where you saved the installation file, and then double-click the file name.

  3. Follow the instructions in the Microsoft Baseline Configuration Analyzer 2.0 Wizard to complete the installation.

To install Microsoft Windows SBS 2011 BPA on the server

  1. If you have not done so already, follow the previous instructions to install MBCA 2.0.

  2. Go to the download site for Microsoft Windows SBS 2011 BPA at the Microsoft website (https://go.microsoft.com/fwlink/?LinkId=206767).

  3. Download the file named BPASetup.msi and save it to a location on the server that you want to scan.

  4. From the server that you want to scan, open the location where you saved the setup file, and then double-click the file name.

  5. On the Prepare to install the Microsoft Windows SBS 2011 Best Practices Analyzer page of the setup wizard, you can choose to accept or clear the following options:

    • Enable remote BPA scan of this server   This option enables network administrators to initiate a BPA scan while logged on to the server from a remote computer. This option is selected by default. Clear this option if you do not want to scan the server from a remote computer.

Note

If you do not choose the Enable remote BPA scan on this server option, you cannot run a BPA scan from another computer.
For more information about how to enable or disable remote scans after you install Microsoft Windows SBS 2011 BPA, see Additional technical information later in this topic. 

  - **Integrate Microsoft Windows SBS 2011 BPA scan results into the Windows SBS Console**   When you select this option, a BPA scan is run on the server each day, and the scan results appear in the **Other Alerts** section of the Windows SBS Console. This option is selected by default. Clear this option if you do not want to integrate BPA scan results into the Windows SBS Console.
  1. Follow the instructions in the wizard to complete setup.

Return to top

Running a Microsoft Windows SBS 2011 BPA scan

You can initiate a Microsoft Windows SBS 2011 BPA scan in the following ways:

  • Run a Microsoft Windows SBS 2011 BPA scan on a local server

  • Run a Microsoft Windows SBS 2011 BPA scan on a remote server

To run a Microsoft Windows SBS 2011 BPA scan on a local server

  1. Click Start, click All Programs, and then click Windows Small Business Server 2011 Tools.

  2. Right-click Microsoft Windows Small Business Server 2011 Best Practices Analyzer, and then click Run as administrator.

  3. On the Home page of the MBCA, select Windows Small Business Server 2011 BPA in the drop-down list.

  4. Click Start Scan.

To run a Microsoft Windows SBS 2011 BPA scan on a remote server

  1. If you have not done so already, install MBCA 2.0 on the computer from which you will initiate a BPA scan. For instructions, see To install Microsoft Baseline Configuration Analyzer 2.0 earlier in this document.

  2. Log on to the computer from which you will initiate the BPA scan.

  3. Click Start, and then click Microsoft Baseline Configuration Analyzer 2.0.

  4. On the Home page of the MBCA, click Connect to Another Computer.

  5. In the Connect to Another Computer dialog box, select Another computer, and then type the name or the IP address of the remote server that you want to scan.

  6. Select Connect as another user, and then click Set User.”

  7. In the Windows Security dialog box, type the authentication information for a user account that has Network Administrator permissions for the server that you want to scan, and then click OK.

  8. After you connect to the server, go to Home page of the MBCA, and select Windows Small Business Server 2011 BPA in the drop-down list.

  9. Click Start Scan.

If you want to run a BPA scan from a computer that is not joined to the network, you must first add the server as a trusted host for that computer as follows:

To add the server running Windows SBS 2011 as a trusted host for a computer

  1. Log on to the computer that is not joined to the network.

  2. Open a Command Prompt window, type the following command, and then press ENTER.

    WinRM quickconfig

  3. After you complete the command in step 2, type the following command, and then press ENTER.

    winrm set winrm/config/client @{TrustedHosts="ServerName"}

    where ServerName is the name of the server that you want to scan.

    For example, if you want add a server named “Contoso” as a trusted host for a computer, type the following command:

    winrm set winrm/config/client @{TrustedHosts="Contoso"}

Return to top

Viewing the results of a Microsoft Windows SBS 2011 BPA scan

You can access the results of a Microsoft Windows SBS 2011 BPA scan from the View Report page of MBCA 2.0. Two types of reports are available:

  • Results   The Results report provides a detailed list of scanned items such as compliances, errors, and warnings. To retrieve information about a specific scan item, double-click an item in the list.

  • Collected Data   The information in this report type does not currently apply for Microsoft Windows SBS 2011 BPA users.

The Results report categorizes scanned items and displays the items on one of the following page tabs:

  • Noncompliant: Lists the errors or warnings that the Microsoft Windows SBS 2011 BPA scan generated.

  • All: Lists all errors, warnings, and compliances.

Scanned items that are categorized as Noncompliant include the following additional information:

  • Category   Identifies the category of the rule. Rule categories include Security, Performance, Operation, Policy, Configuration, Predeployment, or Prerequisite.

  • Source   Provides the identification code for the rule.

  • Issue   Lists a detailed description of the symptom.

  • Resolution   Provides the recommended actions that you can take to resolve the issue.

Return to top

Additional technical information

Log files for Microsoft Windows SBS 2011 BPA

Microsoft Windows SBS 2011 BPA Setup creates two log files to track BPA events. The log files are located at %programdata%\Microsoft\Windows Small Business Server Tools\Windows Small Business Server 2011 BPA. The files are:

  • BPA.log   Tracks events that occur during the process of using Microsoft Windows SBS 2011 BPA or performing scans.

  • BPAUpdate.log   Tracks events related to searching for, downloading, and installing updates for Microsoft Windows SBS 2011 BPA.

Enabling remote scans

Microsoft Windows SBS 2011 BPA Setup enables remote scans by default. However, you may not be able to run a BPA scan from a remote computer if any of the following occurred:

  • You cleared the Enable Remote BPA scan on this server option during Microsoft Windows SBS 2011 BPA Setup.

  • You encountered an error during Microsoft Windows SBS 2011 BPA Setup.

  • You manually disabled remote scans after completing Microsoft Windows SBS 2011 BPA Setup.

If you installed MBCA 2.0 on a remote computer, but you cannot initiate a BPA scan from that computer, you must manually enable remote BPA scans as follows:

To manually enable remote BPA scans

  1. Log on to the server running Windows SBS 2011 with a user account that has Network Administrator permissions.

  2. Open a Windows PowerShell session with elevated user rights. To do this, click Start, click All Programs, click Accessories, click Windows PowerShell, right-click the Windows PowerShell object, and then click Run as administrator.

  3. At the Windows PowerShell command prompt, type Enable-PSRemoting –f, and then press ENTER.

Disabling remote scans

If you enabled remote BPA scans when you installed Microsoft Windows SBS 2011 BPA, remotes scans are automatically disabled when you uninstall the tool. However, if you used the Enable-PSRemoting -f command in Windows PowerShell to manually enable remote scans, uninstalling Microsoft Windows SBS 2011 BPA from the server does not automatically disable the remoting abilities in Windows PowerShell. This is because there might be other applications that are using the PSRemoting feature. If you need to disable the PSRemoting feature, perform the following steps:

To disable PSRemoting

  1. Log on to the server running Windows SBS 2011 with a user account that has Network Administrator permissions.

  2. Open a Windows PowerShell session with elevated user rights. To do this, click Start, click All Programs, click Accessories, click Windows PowerShell, right-click the Windows PowerShell object, and then click Run as administrator.

  3. At the Windows PowerShell command prompt, type Disable-PSRemoting –f, and then press ENTER.

The Disable-PSRemoting -f command does not undo all of the changes that were made by the Enable-PSRemoting -f command. To manually undo all of these changes perform the following steps:

To undo changes made by the Enable-PSRemoting –f command

  1. Click Start, point to Administrative Tools, and then click Services.

  2. In the list of services, right-click Windows Remote Management (WS-Management), and then click Properties.

  3. On the General tab of the Windows Remote Management (WS-Management) Properties page, click Stop.

  4. After the service stops, click the Startup type list, select Disabled, and then click OK.

  5. Log on to the computer running Windows SBS 2011.

  6. Open the Windows Firewall in Control Panel. To do this, click Start, click Control Panel, click System and Security, and then click Check firewall status.

  7. Click Allow a program or feature through Windows Firewall.

  8. On the Allowed Programs page, click Change settings.

  9. In the list of allowed programs and features, clear the check box for Windows Remote Management, and then click OK to save your changes.

Return to top