Configuration Analyzer for System Center 2012 R2
Updated: May 13, 2016
Applies To: System Center 2012 R2
System Center 2012 R2 Configuration Analyzer is your first line of defense for troubleshooting issues with System Center 2012 R2 server-side components. System Center 2012 R2 Configuration Analyzer is a diagnostic tool that you can use to evaluate important configuration settings for computers that run any of the following System Center 2012 R2 components:
App Controller
Configuration Manager
Data Protection Manager (DPM)
Operations Manager
Orchestrator (plus Service Provider Foundation)
Remote Console Connect
Service Management Automation
Service Manager
Service Reporting
Virtual Machine Manager (VMM)
Previously, if you wanted to analyze configuration settings for several System Center components you had to download and install separate best practice analyzers (BPAs) for each component. With the release of System Center 2012 R2, you can now use a single model (called the System Center 2012 R2 Configuration Analyzer model) within Microsoft Baseline Configuration Analyzer 2.0 that automatically detects and scans all System Center 2012 R2 server-side components.
System requirements and prerequisites
The following items must be pre-installed on the server or client computer on which System Center 2012 R2 Configuration Analyzer will be installed:
An operating system supported by System Center 2012 R2
For a list of supported operating systems, see Operating Systems - Server and Operating Systems - Client.
Note
System Center 2012 R2 Configuration Analyzer does not support Windows Server 2012 Core.
Microsoft Baseline Configuration Analyzer 2.0
You can download this from the Microsoft Download Center.
Note
You may run across references to version 2.1 of Microsoft Baseline Configuration Analyzer within System Center 2012 R2 Configuration Analyzer. This is incorrect. The correct version of Microsoft Baseline Configuration Analyzer is 2.0.
In addition, if you plan to scan any computers that will be used as SQL Server hosts for a Configuration Manager site database, you must have SQL Server pre-installed on those computers.
How System Center 2012 R2 Configuration Analyzer works
System Center 2012 R2 Configuration Analyzer works within Microsoft Baseline Configuration Analyzer 2.0 to scan the hardware and software configurations of the computers that you specify and evaluate them against a set of predefined rules. Then it provides you with error messages and warnings for any configurations that are not optimal. System Center 2012 R2 Configuration Analyzer automatically detects all installed System Center 2012 R2 server-side components and evaluates them against the appropriate rules.
Note
System Center 2012 R2 Configuration Analyzer is designed to help you configure your computers for optimal performance based on a set of best-practice rules. Your computers might have some issues that System Center 2012 R2 Configuration Analyzer does not detect.
While rule violations, even critical ones, might not always cause problems, they do indicate issues that can result in poor performance, poor reliability, unexpected conflicts, increased security risks, or other potential problems.
Scan results can be any of the three severity levels described in the following table.
Severity level | Description |
---|---|
Noncompliant | The component does not satisfy the conditions of a rule. |
Compliant | The component satisfies the conditions of a rule. |
Warning | The component is compliant as it is operating currently, but might not satisfy the conditions of a rule if changes are not made to its configuration or policy settings. |
Rule categories
The following table lists the categories of rules by which hardware and software configurations are measured during a scan.
Category name | Description |
---|---|
Security | Security rules measure a component’s relative risk for exposure to threats such as unauthorized or malicious users, or loss or theft of confidential or proprietary data. |
Performance | Performance rules measure a component’s ability to process requests and perform its prescribed duties, within time periods expected for the component’s workload. |
Configuration | Configuration rules identify component settings that might require modification for the component to perform optimally. Configuration rules can help prevent conflicts that can result in error messages or prevent the component from performing its prescribed duties. |
Policy | Policy rules identify Group Policy or Windows Registry settings that might require modification for the component to operate optimally and securely. |
Operation | Operation rules identify possible failures of a component to perform its prescribed duties. |
Postdeployment | Post-deployment rules are applied after all required services have started for a component, and the component is running in the enterprise. |
BPA Prerequisites | BPA Prerequisite rules explain configuration settings, policy settings, and features that are required for the component before System Center 2012 R2 Configuration Analyzer can apply specific rules from other categories. A prerequisite in scan results indicates that an incorrect setting, service, or feature, an incorrectly enabled or disabled policy, a registry key setting, or other configuration has prevented System Center 2012 R2 Configuration Analyzer from applying one or more rules during a scan. A prerequisite result does not imply compliance or noncompliance. It means that a rule could not be applied, and therefore is not part of the scan results. |
System Center 2012 R2 Configuration Analyzer rules
The following table lists the rules by which hardware and software configurations are measured during a scan.
Rule name | System Center 2012 R2 component | Description |
---|---|---|
Website Authentication Check | App Controller | Checks that the App Controller website is set to anonymous authentication. |
API Authentication Check | App Controller | Checks that the App Controller website is set to either basic or Windows integrated authentication. |
Integrated Authentication Enabled | App Controller | Checks that single sign on is enabled. |
App Controller and VMM installation location | App Controller | Checks that App Controller and VMM are installed on different servers. |
Constrained Delegation Enabled | App Controller | Checks that constrained delegation is enabled. |
Constrained Delegation Enabled to VMM Server | App Controller | Checks that constrained delegation is enabled to the VMM server. |
Constrained Delegation Enabled to VMM Library Servers | App Controller | Checks that constrained delegation is enabled to the VMM Library servers. |
Constrained delegation enabled to file shares | App Controller | Checks that constrained delegation is enabled to network file shares. |
InstanceServiceStatusPreReqCheck | Configuration Manager | Checks that the SQL Server Instance service is running. |
ManagementStudioPreReqCheck | Configuration Manager | Checks that Management Studio is available. |
CurrentUserLoginPreReqCheck | Configuration Manager | Checks that the current logon exists and that the user is a member of the Systems Administrator role. |
ServerAuthentication | Configuration Manager | Checks that the authentication mode is set to the recommended value. Windows Authentication is the default authentication mode and is more secure than SQL Server Authentication. Windows Authentication uses Kerberos security protocol, provides password-policy enforcement for complexity validation of password strength, provides support for account lockout, and supports password expiration. |
ServerVersion | Configuration Manager | Checks that the SQL Server version is supported. If the SQL Server version is not supported, System Center 2012 R2 Configuration Manager cannot be installed. |
ServerEdition | Configuration Manager | Checks that the SQL Server edition is supported. If the SQL Server edition is not supported, System Center 2012 R2 Configuration Manager cannot be installed. |
DatabaseCollation | Configuration Manager | Checks that the SQL Server collation settings are supported. If the SQL Server collation settings are not supported, the System Center 2012 R2 Configuration Manager hierarchy cannot function properly. |
InstanceNamePreReqCheck | Configuration Manager | Checks that the SQL Server instance exists. |
AutoGrowEnabled | Data Protection Manager (DPM) | Checks that DPM volume autogrow is enabled for protection groups. |
BandwidthThrottlingAtPS | Data Protection Manager (DPM) | Checks that network throttling is enabled on the protected computers. |
BandwidthThrottlingAtServer | Data Protection Manager (DPM) | Checks that QoS Packet Scheduler is installed and enabled on the DPM server. |
STCompression | Data Protection Manager (DPM) | Checks that compression for short-term tape backups is enabled. |
LTCompression | Data Protection Manager (DPM) | Checks that compression for long-term tape backups is enabled. |
OnWireCompression | Data Protection Manager (DPM) | Checks that on-the-wire compression is enabled. |
DataThreshold | Data Protection Manager (DPM) | Checks that the total size of the protected data on the DPM server is less than 80 TB. |
RecVolThreshold | Data Protection Manager (DPM) | Checks that the recovery point volume on the DPM server is less than 40 TB. |
DPMDBBackup | Data Protection Manager (DPM) | Checks that the DPM database (DPMDB) is protected. |
RecentDPMDBBackup | Data Protection Manager (DPM) | Checks that the DPM database (DPMDB) was backed up in the last seven days. |
DiskUsageThresholdReached | Data Protection Manager (DPM) | Checks that the free disk space available in the DPM storage pool is greater than 20 percent of the total disk space. |
EseUtilOff | Data Protection Manager (DPM) | Checks that the Exchange Server Database Utilities (Eseutil.exe) is enabled for protection groups. |
FirewallEnabled | Data Protection Manager (DPM) | Checks that a firewall is enabled on the remote computer. |
FreeSpaceOnSystemDisk | Data Protection Manager (DPM) | Checks that the volume that contains the DPM program files has more than 5 GB of free space. |
LTODrive | Data Protection Manager (DPM) | Checks that the drivers for the LTO tape drive are correct. You should verify that the tape library is compatible with DPM. For more information, see Compatible tape libraries. |
PageFile | Data Protection Manager (DPM) | Checks that the paging file is 0.2 percent of the size of all recovery point volumes combined, as required for DPM. |
CCConflict | Data Protection Manager (DPM) | Checks that automatic consistency checks are scheduled to occur outside of business hours (8 A.M. to 6 P.M.). |
EFBackupSchedule | Data Protection Manager (DPM) | Checks that the number of express backups scheduled per day is between one and three. |
SQLSchedStatus | Data Protection Manager (DPM) | Checks whether any DPM jobs are failing. If so, this might be because the SQL Server Agent service that manages the DPM job scheduler is failing. |
CheckServersMM | Operations Manager | Checks whether any management servers are in maintenance mode. |
CheckServiceBroker | Operations Manager | Checks that SQL Broker service is enabled. |
CheckDWSynchInstance | Operations Manager | Checks whether any DW Sync Server entries are missing. |
CheckManagementServerDiskFreeSpace | Operations Manager | Checks that the server has at least one gigabyte of free space and 15% of free space. |
CheckManagementServerRAM | Operations Manager | Checks that the management server has at least two gigabytes of RAM. |
CheckManagementServerCpu | Operations Manager | Checks that the server has at least two logical CPUs. |
CheckSQLDatabaseClustered | Operations Manager | Checks whether the SQL Server Instances are clustered. |
CheckHighAvailabilityOfServers | Operations Manager | Checks whether the environment has only one management server, which does not support high availability. |
CheckCoLocationWithSql | Operations Manager | Checks whether the management server and SQL database are on the same server. |
CheckLicenseState | Operations Manager | Checks whether Operations Manager is within the 180-day evaluation period. |
Memory - RunbookServer | Orchestrator | Checks that the memory allocated to the runbook server is greater than 2048 MB. If the runbook server has less than 2048 MB, you should monitor its performance to ensure that it meets the expected goals in the environment. |
Memory - WebComponentsServer | Orchestrator | Checks that the memory allocated to the Orchestration Console server is greater than 2048 MB. If the server has less than 2048 MB, you should monitor its performance to ensure that it meets the expected goals in the environment. |
Memory - Designer | Orchestrator | Checks that the memory allocated to the Orchestrator Designer is greater than 2048 MB. If the computer has less than 2048 MB, you should monitor its performance to ensure that it meets the expected goals in the environment. |
ManagementService_Logging | Orchestrator | Checks that the default trace logging for ManagementService.exe is set to the default value of 1. A value other than 1 might negatively impact performance. For information about how to configure trace logs, see Trace Logs. |
PermissionsConfig_Logging | Orchestrator | Checks that the default trace logging for PermissionsConfig.exe is set to the default value of 1. A value other than 1 might negatively impact performance. For information about how to configure trace logs, see Trace Logs. |
PolicyModule_Logging | Orchestrator | Checks that the default trace logging for PolicyModule.exe is set to the default value of 1. A value other than 1 might negatively impact performance. For information about how to configure trace logs, see Trace Logs. |
RunbookService_Logging | Orchestrator | Checks whether logging is enabled on runbooks. If you enable logging on frequently used runbooks, it might negatively impact performance. For information about logging, see Runbook Properties. |
RunbookConcurrency | Orchestrator | Checks that the maximum number of concurrent runbooks configured to run on a runbook server is set to 50. A value other than 50 might negatively impact performance. For information about runbook throttling, see How to Configure Runbook Throttling. |
IsOrchestratorDomainGroup | Orchestrator | Checks that the Windows group that is used to manage access to runbooks is configured as a domain group if the web components are not installed on the management server. The group must be a domain group in order for users to have access through the web service and Orchestration console when the web components are installed on a server separate from the management server. For information about how to configure the Orchestrator Users group, see How to Change the Orchestrator Users Group. |
Logging | Orchestrator | Checks for errors in the Orchestrator BPA log file. |
PurgeLog | Orchestrator | Checks that the log-purging value for runbooks is set to the default value, which is to run every day and keep the last 500 entries. For information about how to set the purging policy for runbook logs, see Runbook logs. |
RefreshInterval | Orchestrator | Checks that the default refresh interval for generating the cache that provides access to runbooks from the Orchestration Console is set to 600 seconds. For information about how to set up the refresh cache, see Orchestrator. |
RunbookLogging | Orchestrator | Checks whether common logging or activity-specific logging is enabled on runbooks. |
Memory - ManagementServer | Orchestrator | Checks that the computer has the recommended 2048 MB of memory. |
Stamp has Virtual Machine Manager (VMM) Server | Remote Console Connect | Checks that only one Virtual Machine Manager (VMM) server is mapped to a stamp. |
Console connect enabled on Virtual Machine Manager (VMM) Server | Remote Console Connect | Checks that the Virtual Machine Manager (VMM) server is configured for console connect. |
Virtualization hosts are configured for console connect | Remote Console Connect | Checks that each virtualization host supports and is configured for console connect. |
Gateway configured for console connect | Remote Console Connect | Checks that the remote desktop gateway supports and is configured for console connect. |
ChartTimeSliceSampleSize | Service Management Automation | Checks that the sample size of the time slice is not too large for dashboard chart rendering. |
MaxJobRecords | Service Management Automation | Checks that the number of job records in the database does not exceed the maximum. |
PurgeJobsOlderThanCountDays | Service Management Automation | Checks that jobs are not older than the count days. |
IsSQLServerAgentRunning | Service Management Automation | Checks that the SQL server agent service is running. |
IsWebServer | Service Management Automation | Checks that the Service Management Automation web service is installed. |
CPUSize | Service Management Automation | Checks that the server CPU meets minimum requirements. |
IsWebServerSSL | Service Management Automation | Checks that the Service Management Automation web service is using SSL. |
IsUserInSmaAdminGroup | Service Management Automation | Checks that the runbook worker service is a member of the smaAdminGroup. |
MemorySize | Service Management Automation | Checks that server memory meets minimum requirements. |
IsRunbookLogging | Service Management Automation | Checks that runbook logging is enabled. |
MaxRunningJobs | Service Management Automation | Checks that the number of running jobs has not exceeded the maximum allowed. |
MaxRunningJobsPerWorker | Service Management Automation | Checks that the number of running jobs per worker server has not exceeded the maximum allowed. |
IsWorkerServerDeployed | Service Management Automation | Checks that the Service Management Automation worker server is registered in the automation group. |
IsWorkerServer | Service Management Automation | Checks that the Service Management Automation runbook worker service is installed. |
CheckCubeProcessingFailures | Service Manager | Checks for cube-processing failures. |
MemCheck | Service Provider Foundation | Checks that Service Provider Foundation is operating with a minimum of 4 GB of memory. |
PageSizeConfig | Service Provider Foundation | Checks that the default Page Size value for Service Provider Foundation is 500. Any other setting might negatively impact performance. |
SSLPort | Service Provider Foundation | Checks that Service Provider Foundation is configured to use its own port instead of the standard SSL port 443. |
StampsScale | Service Provider Foundation | Checks that Service Provider Foundation supports five or fewer stamps. |
SCSRResourceCapacityCheckFailure | Service Reporting | Checks that the target machine has the required RAM and hard drive capacity. |
UserRoleScale | Service Provider Foundation | Checks that Service Provider Foundation stamps manage 500 or fewer user roles. |
AdminShare | Virtual Machine Manager (VMM) | Checks the accessibility of the Admin$ share that failed on the specified server. |
Bits | Virtual Machine Manager (VMM) | Checks that VMM is configured for Background Intelligent Transfer Service (BITS) using port 443 on the specified server and that no other program uses the same port. |
DFL | Virtual Machine Manager (VMM) | Checks that the domain functional level is 2 or higher (2 = Windows Server 2003), which is the minimum required for VMM. |
Forefront | Virtual Machine Manager (VMM) | Checks whether Microsoft Forefront Client Security is installed on the same server as VMM. If they are installed on the same server, high CPU usage over time might slow the server. |
GPO | Virtual Machine Manager (VMM) | Checks for WinRM Group Policy settings that are not supported by VMM. |
ICMP | Virtual Machine Manager (VMM) | Checks that the firewall configuration for the Internet Control Message Protocol (ICMP) setting "Allow inbound echo request" is enabled on the specified server. |
KBCheck | Virtual Machine Manager (VMM) | Checks for a specified update or hotfix on the server. |
SPN | Virtual Machine Manager (VMM) | Checks that the Service Principal Names (SPNs) that VMM requires were correctly registered when the VMM management server was set up on the specified server. |
TwoGuidPaths | Virtual Machine Manager (VMM) | Checks whether the specified cluster node has more than one GUID path (one assigned by the host and one by the cluster) in at least one of the volumes. If there are two GUID paths, and you migrate a running virtual machine with snapshots to the specified cluster node, the operation will render the virtual machine configuration unusable. |
WinRM | Virtual Machine Manager (VMM) | Checks that the specified server can be used for VMM server roles such as host, library, PXE server, WSUS server, or VMM management server. To verify that the WinRM service is present and running, run net start winrm at a command prompt using elevated privileges. |
WMI | Virtual Machine Manager (VMM) | Checks that the Windows Management Instrumentation (WMI) virtualization store responds appropriately to a basic health test on the specified server. |
Downloading and installing the System Center 2012 R2 Configuration Analyzer model
To scan System Center 2012 R2 components, you must first download and install the System Center 2012 R2 Configuration Analyzer model. A model contains the set of best practice rules for evaluating an application (such as a server role, a service, a component, or other program) that runs on your computers. Models are not included with Baseline Configuration Analyzer, because they are separate, downloadable packages that can be produced either by Microsoft or by other manufacturers.
To download and install the System Center 2012 R2 Configuration Analyzer model
Download the System Center 2012 R2 Configuration Analyzer model from the Microsoft Download Center.
After the download completes, double-click the SC2012R2CA.msi file to run the setup wizard.
Follow the instructions in the setup wizard to install the System Center 2012 R2 Configuration Analyzer model.
After the installation completes, you are ready to perform a scan of System Center 2012 R2 components.
Scanning System Center 2012 R2 components
Scan System Center 2012 R2 components by using the System Center 2012 R2 Configuration Analyzer model within Microsoft Baseline Configuration Analyzer 2.0.
Note
In certain circumstances, System Center 2012 R2 Configuration Analyzer needs to query remote computers, such as SQL servers. This creates a “multi-hop” scenario that requires you to enable CredSSP on the remote computers to complete the scan. CredSSP is not required if you run the scan locally. System Center 2012 R2 Configuration Analyzer verifies whether CredSSP is required and then displays a message that tells you to either enable CredSSP or run the scan locally. If you enable CredSSP, make sure that you disable it after you run System Center 2012 R2 Configuration Analyzer. For information about how to enable CredSSP, see Enable-WSManCredSSP.
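The enable-then-disable cycle from the note above, as an added PowerShell example (not part of the original documentation or of Configuration Analyzer itself): it records the current CredSSP state, enables CredSSP only where it was off, waits while you run the scan, and then disables what it enabled and reports the final state. The host name is a placeholder, and enabling the client role on the scanning computer is an assumption about a typical WinRM multi-hop setup.

```powershell
#Requires -RunAsAdministrator
# Added example. The default target is a placeholder host name; pass the
# remote computers named in the CredSSP message that the analyzer displays.
param(
    [string[]]$Targets = @('sql01.contoso.example')   # hypothetical host
)

function Test-CredSSPServer {
    param([string]$ComputerName)
    # The WSMan: drive exposes the service-side CredSSP switch as 'true'/'false'.
    [bool](Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        (Get-Item WSMan:\localhost\Service\Auth\CredSSP).Value -eq 'true'
    })
}

# Remember the starting state so the script only undoes its own changes.
$clientWasOn = (Get-Item WSMan:\localhost\Client\Auth\CredSSP).Value -eq 'true'
$enabledHere = @()   # targets where this script turned CredSSP on

try {
    foreach ($t in $Targets) {
        if (Test-CredSSPServer $t) {
            Write-Warning "$t already had CredSSP enabled before the scan; review why."
        }
        else {
            Invoke-Command -ComputerName $t -ScriptBlock {
                Enable-WSManCredSSP -Role Server -Force | Out-Null
            }
            $enabledHere += $t
        }
    }

    # Assumption: the scanning computer also needs the client role so that it
    # may delegate credentials, and only to the listed targets.
    if (-not $clientWasOn) {
        Enable-WSManCredSSP -Role Client -DelegateComputer $Targets -Force | Out-Null
    }

    Read-Host 'CredSSP is enabled. Run the scan in MBCA 2.0, then press Enter' | Out-Null
}
finally {
    # Runs even if the scan step is interrupted, so CredSSP is not left on.
    foreach ($t in $enabledHere) {
        Invoke-Command -ComputerName $t -ScriptBlock {
            Disable-WSManCredSSP -Role Server
        }
    }
    if (-not $clientWasOn) {
        Disable-WSManCredSSP -Role Client
    }

    # Report the final state of every target for the change record.
    foreach ($t in $Targets) {
        [pscustomobject]@{
            Computer             = $t
            CredSSPServerEnabled = Test-CredSSPServer $t
        }
    }
}
```

Any target that still reports `CredSSPServerEnabled` as `True` after the run had CredSSP enabled before the scan and should be reviewed separately.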
To scan components by using the System Center 2012 R2 Configuration Analyzer model
From the Start menu, right-click Microsoft Baseline Configuration Analyzer 2.0, and then click Run as administrator.
On the Home page, select System Center 2012 R2 - Configuration Analyzer from the drop-down list.
Do one of the following:
To scan the local host using the current user credentials, click Start Scan.
Note
If CredSSP is required, you must set the user credentials on the Enter Parameters page.
System Center 2012 R2 Configuration Analyzer applies the appropriate rules based on the detected System Center 2012 R2 component(s) on the local host.
To specify additional parameters:
On the Enter Parameters page, enter the name or IP address of the target computer(s) that you want to scan. Use a space, comma, or semicolon to separate multiple computer names. If you do not specify a target computer, the local host is scanned.
Note
- To scan components on one or more target computers, you must be a member of the Administrators group on the target computer(s) and you must have the appropriate permissions for the System Center 2012 R2 component(s).
- If you are scanning a target computer that runs System Center 2012 - Orchestrator, the target computer must be a management server in order to apply the Orchestrator runbook server and web components rules.
- The Configuration Manager rules determine whether the target computer meets the Configuration Manager installation requirements, and these rules are applied to the computer on which SQL Server is installed.
On the Enter Parameters page, click Set User, and then enter the credentials that are required to connect to the computer(s) that will be scanned. If you do not specify credentials, the current user credentials are used.
Note
If CredSSP is required, you must click Set User and enter credentials.
Click Start Scan.
System Center 2012 R2 Configuration Analyzer applies the appropriate rules based on the detected System Center 2012 R2 component(s) on the target computer(s).
Wait for the scan to finish. When the scan is finished, Baseline Configuration Analyzer 2.0 displays scan results on the View Report page.
For detailed information about how to view and manage scan results, click Help in Baseline Configuration Analyzer 2.0.