Configuration Analyzer for System Center 2012 SP1

 

Updated: May 13, 2016

Applies To: System Center 2012 SP1

System Center 2012 SP1 Configuration Analyzer is your first line of defense for troubleshooting issues with System Center 2012 SP1 server-side components. System Center 2012 SP1 Configuration Analyzer is a diagnostic tool that you can use to evaluate important configuration settings for computers that run any of the following System Center 2012 SP1 components:

  • Operations Manager

  • Virtual Machine Manager (VMM)

  • Service Manager

  • Orchestrator (plus Service Provider Foundation)

  • Configuration Manager

  • Data Protection Manager (DPM)

Previously, if you wanted to analyze configuration settings for several System Center components you had to download and install separate best practice analyzers (BPAs) for each component. With the release of System Center 2012 SP1, you can now use a single model (called the System Center 2012 SP1 Configuration Analyzer model) within Microsoft Baseline Configuration Analyzer 2.0 that automatically detects and scans all System Center 2012 SP1 server-side components.

The following items must be pre-installed on the server or client computer on which System Center 2012 SP1 Configuration Analyzer will be installed:

  • An operating system supported by System Center 2012 SP1

    For a list of supported operating systems, see Operating Systems - Server and Operating Systems - Client.

    System_CAPS_ICON_note.jpg Note

    System Center 2012 SP1 Configuration Analyzer does not support Windows Server 2012 Core.

  • Microsoft Baseline Configuration Analyzer 2.0

    You can download this from the Microsoft Download Center.

    System_CAPS_ICON_note.jpg Note

    You may run across references to version 2.1 of Microsoft Baseline Configuration Analyzer within System Center 2012 SP1 Configuration Analyzer. This is incorrect. The correct version of Microsoft Baseline Configuration Analyzer is 2.0.

In addition, if you plan to scan any computers that will be used as SQL Server hosts for a Configuration Manager site database, you must have SQL Server pre-installed on those computers.

System Center 2012 SP1 Configuration Analyzer works within Microsoft Baseline Configuration Analyzer 2.0 to scan the hardware and software configurations of the computers that you specify and evaluate them against a set of predefined rules. Then it provides you with error messages and warnings for any configurations that are not optimal. System Center 2012 SP1 Configuration Analyzer automatically detects all installed System Center 2012 SP1 server-side components and evaluates them against the appropriate rules.

System_CAPS_ICON_note.jpg Note

System Center 2012 SP1 Configuration Analyzer is designed to help you configure your computers for optimal performance based on a set of best-practice rules. Your computers might have some issues that System Center 2012 SP1 Configuration Analyzer does not detect.

While rule violations, even critical ones, might not always cause problems, they do indicate issues that can result in poor performance, poor reliability, unexpected conflicts, increased security risks, or other potential problems.

Scan results can be any of the three severity levels described in the following table.

Severity levelDescription
NoncompliantThe component does not satisfy the conditions of a rule.
CompliantThe component satisfies the conditions of a rule.
WarningThe component is compliant as it is operating currently, but might not satisfy the conditions of a rule if changes are not made to its configuration or policy settings.

Rule categories

The following table lists the categories of rules by which hardware and software configurations are measured during a scan.

Category nameDescription
SecuritySecurity rules measure a component’s relative risk for exposure to threats such as unauthorized or malicious users, or loss or theft of confidential or proprietary data.
PerformancePerformance rules measure a component’s ability to process requests and perform its prescribed duties, within time periods expected for the component’s workload.
ConfigurationConfiguration rules identify component settings that might require modification for the component to perform optimally. Configuration rules can help prevent conflicts that can result in error messages or prevent the component from performing its prescribed duties.
PolicyPolicy rules identify Group Policy or Windows Registry settings that might require modification for the component to operate optimally and securely.
OperationOperation rules identify possible failures of a component to perform its prescribed duties.
PostdeploymentPost-deployment rules are applied after all required services have started for a component, and the component is running in the enterprise.
BPA PrerequisitesBPA Prerequisite rules explain configuration settings, policy settings, and features that are required for the component before System Center 2012 SP1 Configuration Analyzer can apply specific rules from other categories. A prerequisite in scan results indicates that an incorrect setting, service, or feature, an incorrectly enabled or disabled policy, a registry key setting, or other configuration has prevented System Center 2012 SP1 Configuration Analyzer from applying one or more rules during a scan. A prerequisite result does not imply compliance or noncompliance. It means that a rule could not be applied, and therefore is not part of the scan results.

System Center 2012 SP1 Configuration Analyzer rules

The following table lists the rules by which hardware and software configurations are measured during a scan.

Rule nameSystem Center 2012 SP1 componentDescription
InstanceServiceStatusPreReqCheckConfiguration ManagerChecks that the SQL Server Instance service is running.
ManagementStudioPreReqCheckConfiguration ManagerChecks that Management Studio is available.
CurrentUserLoginPreReqCheckConfiguration ManagerChecks that the current logon exists and that the user is a member of the Systems Administrator role.
ServerAuthenticationConfiguration ManagerChecks that the authentication mode is set to the recommended value. Windows Authentication is the default authentication mode and is more secure than SQL Server Authentication. Windows Authentication uses Kerberos security protocol, provides password-policy enforcement for complexity validation of password strength, provides support for account lockout, and supports password expiration.
ServerVersionConfiguration ManagerChecks that the SQL Server version is supported. If the SQL Server version is not supported, System Center 2012 SP1Configuration Manager cannot be installed.
ServerEditionConfiguration ManagerChecks that the SQL Server edition is supported. If the SQL Server edition is not supported, System Center 2012 SP1Configuration Manager cannot be installed.
DatabaseCollationConfiguration ManagerChecks that the SQL Server collation settings are supported. If the SQL Server collation settings are not supported, the System Center 2012 SP1Configuration Manager hierarchy cannot function properly.
InstanceNamePreReqCheckConfiguration ManagerChecks that the SQL Server instance exists.
AutoGrowEnabledData Protection Manager (DPM)Checks that DPM volume autogrow is enabled for protection groups.
BandwidthThrottlingAtPSData Protection Manager (DPM)Checks that network throttling is enabled on the protected computers.
BandwidthThrottlingAtServerData Protection Manager (DPM)Checks that QoS Packet Scheduler is installed and enabled on the DPM server.
STCompressionData Protection ManagerData Protection Manager (DPM)Checks that compression for short-term tape backups is enabled.
LTCompressionData Protection Manager (DPM)Checks that compression for long-term tape backups is enabled.
OnWireCompressionData Protection Manager (DPM)Checks that on-the-wire compression is enabled.
DataThresholdData Protection Manager (DPM)Checks that the total size of the protected data on the DPM server is less than 80 TB.
RecVolThresholdData Protection Manager (DPM)Checks that the recovery point volume on the DPM server is less than 40 TB.
DPMDBBackupData Protection Manager (DPM)Checks that the DPM database (DPMDB) is protected.
RecentDPMDBBackupData Protection Manager (DPM)Checks that the DPM database (DPMDB) was backed up in the last seven days.
DiskUsageThresholdReachedData Protection Manager (DPM)Checks that the free disk space available in the DPM storage pool is greater than 20 percent of the total disk space.
EseUtilOffData Protection Manager (DPM)Checks that the Exchange Server Database Utilities (Eseutil.exe) is enabled for protection groups.
FirewallEnabledData Protection Manager (DPM)Checks that a firewall is enabled on the remote computer.
FreeSpaceOnSystemDiskData Protection Manager (DPM)Checks that the volume that contains the DPM program files has more than 5 GB of free space.
LTODriveData Protection Manager (DPM)Checks that the drivers for the LTO tape drive are correct. You should verify that the tape library is compatible with DPM. For more information, see Compatible tape libraries.
PageFileData Protection Manager (DPM)Checks that the paging file is 0.2 percent of the size of all recovery point volumes combined, as required for DPM.
CCConflictData Protection Manager (DPM)Checks that automatic consistency checks are scheduled to occur outside of business hours (8 A.M. to 6 P.M.).
EFBackupScheduleData Protection Manager (DPM)Checks that the number of express backups scheduled per day is between one and three.
SQLSchedStatusData Protection Manager (DPM)Checks whether any DPM jobs are failing. If so, this might be because the SQL Server Agent service that manages the DPM job scheduler is failing.
CheckServersMMOperations ManagerChecks whether any management servers are in maintenance mode.
CheckServiceBrokerOperations ManagerChecks that SQL Broker service is enabled.
CheckDWSynchInstanceOperations ManagerChecks whether any DW Sync Server entries are missing.
Memory - RunbookServerOrchestratorChecks that the memory allocated to the runbook server is greater than 2048 MB. If the runbook server has less than 2048 MB, you should monitor its performance to ensure that it meets the expected goals in the environment.
Memory - WebComponentsServerOrchestratorChecks that the memory allocated to the Orchestration Console server is greater than 2048 MB. If the server has less than 2048 MB, you should monitor its performance to ensure that it meets the expected goals in the environment.
Memory - DesignerOrchestratorChecks that the memory allocated to the Orchestrator Designer is greater than 2048 MB. If the computer has less than 2048 MB, you should monitor its performance to ensure that it meets the expected goals in the environment.
ManagementService_LoggingOrchestratorChecks that the default trace logging for ManagementService.exe is set to the default value of 1. A value other than 1 might negatively impact performance. For information about how to configure trace logs, see Trace Logs.
PermissionsConfig_LoggingOrchestratorChecks that the default trace logging for PermissionsConfig.exe is set to the default value of 1. A value other than 1 might negatively impact performance. For information about how to configure trace logs, see Trace Logs.
PolicyModule_LoggingOrchestratorChecks that the default trace logging for PolicyModule.exe is set to the default value of 1. A value other than 1 might negatively impact performance. For information about how to configure trace logs, see Trace Logs.
RunbookService_LoggingOrchestratorChecks whether logging is enabled on runbooks. If you enable logging on frequently used runbooks, it might negatively impact performance. For information about logging, see Runbook Properties.
RunbookConcurrencyOrchestratorChecks that the maximum number of concurrent runbooks configured to run on a runbook server is set to 50. A value other than 50 might negatively impact performance. For information about runbook throttling, see How to Configure Runbook Throttling.
IsOrchestratorDomainGroupOrchestratorChecks that the Windows group that is used to manage access to runbooks is configured as a domain group if the web components are not installed on the management server. The group must be a domain group in order for users to have access through the web service and Orchestration console when the web components are installed on a server separate from the management server. For information about how to configure the Orchestrator Users group, see How to Change the Orchestrator Users Group.
LoggingOrchestratorChecks for errors in the Orchestrator BPA log file.
PurgeLogOrchestratorChecks that the log-purging value for runbooks is set to the default value, which is to run every day and keep the last 500 entries. For information about how to set the purging policy for runbook logs, see Runbook logs.
RefreshIntervalOrchestratorChecks that the default refresh interval for generating the cache that provides access to runbooks from the Orchestration Console is set to 600 seconds. For information about how to set up the refresh cache, see Orchestrator.
RunbookLoggingOrchestratorChecks whether common logging or activity-specific logging is enabled on runbooks.
Memory - ManagementServerOrchestratorChecks that the computer has the recommended 2048 MB of memory.
CheckCubeProcessingFailuresService ManagerChecks for cube-processing failures.
MemCheckService Provider FoundationChecks that Service Provider Foundation is operating with a minimum of 4 GB of memory.
PageSizeConfigService Provider FoundationChecks that the default Page Size value for Service Provider Foundation is 500. Any other setting might negatively impact performance.
SSLPortService Provider FoundationChecks that Service Provider Foundation is configured to use its own port instead of the standard SSL port 443.
StampsScaleService Provider FoundationChecks that Service Provider Foundation supports five or fewer stamps.
UserRoleScaleService Provider FoundationChecks that Service Provider Foundation stamps manage 500 or fewer user roles.
AdminShareVirtual Machine Manager (VMM)Checks the accessibility of the Admin$ share that failed on the specified server.
BitsVirtual Machine Manager (VMM)Checks that VMM is configured for Background Intelligent Transfer Service (BITS) using port 443 on the specified server and that no other program uses the same port.
DFLVirtual Machine Manager (VMM)Checks that the domain functional level is 2 or higher (2 = Windows Server 2003), which is the minimum required for VMM.
ForefrontVirtual Machine Manager (VMM)Checks whether Microsoft Forefront Client Security is installed on the same server as VMM. If they are installed on the same server, high CPU usage over time might slow the server.
GPOVirtual Machine Manager (VMM)Checks for WinRM Group Policy settings that are not supported by VMM.
ICMPVirtual Machine Manager (VMM)Checks that the firewall configuration for the Internet Control Message Protocol (ICMP) setting "Allow inbound echo request" is enabled on the specified server.
KBCheckVirtual Machine Manager (VMM)Checks for a specified update or hotfix on the server.
SPNVirtual Machine Manager (VMM)Checks that the Service Principal Names (SPNs) that VMM requires were correctly registered when the VMM management server was set up on the specified server.
TwoGuidPathsVirtual Machine Manager (VMM)Checks whether the specified cluster node has more than one GUID path (one assigned by the host and one by the cluster) in at least one of the volumes. If there are two GUID paths, and you migrate a running virtual machine with snapshots to the specified cluster node, the operation will render the virtual machine configuration unusable.
WinRMVirtual Machine Manager (VMM)Checks that the specified server can be used for VMM server roles such as host, library, PXE server, WSUS server, or VMM management server. To verify that the WinRM service is present and running, run net start winrm at a command prompt using elevated privileges.
WMIVirtual Machine Manager (VMM)Checks that the Windows Management Instrumentation (WMI) virtualization store responds appropriately to a basic health test on the specified server.

To scan System Center 2012 SP1 components, you must first download and install the System Center 2012 SP1 Configuration Analyzer model. Models are what contain the set of best practice rules for evaluating an application (such as a server role, a service, a component, or other program) that runs on your computers. Models are not available with Baseline Configuration Analyzer, because they are separate, downloadable packages that can be produced either by Microsoft or by other manufacturers.

To download and install the System Center 2012 SP1 Configuration Analyzer model

  1. Download the System Center 2012 SP1 Configuration Analyzer model from the Microsoft Download Center.

  2. After the download completes, double-click the SC2012SP1CA.msi file to run the setup wizard.

  3. Follow the instructions in the setup wizard to install the System Center 2012 SP1 Configuration Analyzer model.

After the installation completes, you are ready to perform a scan of System Center 2012 SP1 components.

Scan System Center 2012 SP1 components by using the System Center 2012 SP1 Configuration Analyzer model within Microsoft Baseline Configuration Analyzer 2.0.

System_CAPS_ICON_note.jpg Note

In certain circumstances, System Center 2012 SP1 Configuration Analyzer needs to query remote computers, such as SQL servers. This creates a “multi-hop” scenario that requires you to enable CredSSP on the remote computers to complete the scan. CredSSP is not required if you run the scan locally. System Center 2012 SP1 Configuration Analyzer verifies whether CredSSP is required and then displays a message that tells you to either enable CredSSP or run the scan locally. If you enable CredSSP, make sure that you disable it after you run System Center 2012 SP1 Configuration Analyzer. For information about how to enable CredSSP, see Enable-WSManCredSSP.

To scan components by using the System Center 2012 SP1 Configuration Analyzer model

  1. From the Start menu, right-click Microsoft Baseline Configuration Analyzer 2.0, and then click Run as administrator.

  2. On the Home page, select System Center 2012 SP1 - Configuration Analyzer from the drop-down list.

  3. Do one of the following:

    • To scan the local host using the current user credentials, click Start Scan.

      System_CAPS_ICON_note.jpg Note

      If CredSSP is required, you must set the user credentials on the Enter Parameters page.

      System Center 2012 SP1 Configuration Analyzer applies the appropriate rules based on the detected System Center 2012 SP1 component(s) on the local host.

    • To specify additional parameters:

      1. On the Enter Parameters page, enter the name or IP address of the target computer(s) that you want to scan. Use a space, comma, or semicolon to separate multiple computer names. If you do not specify a target computer, the local host is scanned.

        System_CAPS_ICON_note.jpg Note

        • To scan components on one or more target computers, you must be a member of the Administrators group on the target computer(s) and you must have the appropriate permissions for the System Center 2012 SP1 component(s).
        • If you are scanning a target computer that runs System Center 2012 - Orchestrator, the target computer must be a management server in order to apply the Orchestrator runbook server and web components rules.
        • The Configuration Manager rules determine whether the target computer meets the Configuration Manager installation requirements, and these rules are applied to the computer on which SQL Server is installed.
      2. On the Enter Parameters page, click Set User, and then enter the credentials that are required to connect to the computer(s) that will be scanned. If you do not specify credentials, the current user credentials are used.

        System_CAPS_ICON_note.jpg Note

        If CredSSP is required, you must click Set User and enter credentials.

      3. Click Start Scan.

        System Center 2012 SP1 Configuration Analyzer applies the appropriate rules based on the detected System Center 2012 SP1 component(s) on the target computer(s).

  4. Wait for the scan to finish. When the scan is finished, Baseline Configuration Analyzer 2.0 displays scan results on the View Report page.

For detailed information about how to view and manage scan results, click Help in Baseline Configuration Analyzer 2.0.

Show: