How to use the Best Practices Analyzer to test server roles

The Best Practices Analyzer integrated into Windows Server 2008 R2 can be instrumental in exposing potential trouble spots in your server deployment.

Given the complexity of the Windows Server 2008 R2 operating system it can be difficult to know whether a server is set up properly or if a step or two was skipped during server configuration. Taking some of the doubt out of that process is a tool Microsoft integrated into Windows Server 2008 R2 that allows admins to scan individual server roles to determine if they are configured according to Microsoft’s recommended best practices.

In Windows Server 2008 R2, Microsoft has created role-specific versions of the Best Practices Analyzer and integrated them into the Server Manager. The BPA can be accessed for a given role by opening the Server Manager and navigating through the console tree to Server Manager/Roles/ (the role that you want to analyze). When opened, the BPA is listed within the role’s Summary section (Figure 1).

Figure 1: Role specific versions (click to enlarge)
BPA role specific versions

In order to test a role to ensure it meets with Microsoft’s best practices, simply click the "Scan This Role" link, shown in the figure above. The duration of the scan varies depending on the role you have selected and on the speed of the Internet connection. In most cases however, the scan should complete in under a minute. When the scan completes the scan results are displayed within the BPA frame (Figure 2).

Figure 2: Scan results (click to enlarge)
BPA scan results

The scan itself is based on a series of rules. The BPA compares the role’s configuration against the various rules to determine if the server is compliant with each rule. For example, the figure above shows the scan revealed the server was compliant with 32 rules and noncompliant with 9 rules. The console displays compliant and noncompliant rules in separate tabs for easier viewing.

In the previous figure the list of noncompliant rules is broken down into a series of errors and warnings. As expected, warnings are less severe than errors. For example, some of the warnings generated during a scan could include:

  • All domains should have at least two functioning domain controllers for redundancy.
  • The directory partition DC=Lab, DC=COM should have been backed up in the last 6 days.
  • All OUs in this domain should be protected from accidental deletion.

The error message that was displayed during the scan indicated that the PDC emulator master Lab-DC.lab.com in this forest should be configured to correctly synchronize the time from a valid time source.

All of the issues listed would be relatively serious if this were not a lab server. So what makes the error more serious than the warnings? The Kerberos protocol uses time stamps during the authentication process. If the clocks fall out of sync then the entire Active Directory can break down. That’s why the time sync issue was listed as an error rather than as a warning.

Double-clicking on the error will display a detailed summary and resolution for the error (Figure 3).

Figure 3: Detail and resolution
BPA detail and resolution

There may be some noncompliant rules that don't apply to an admin's circumstances.

In these types of situations, users can exclude a rule from the results list by selecting the rule and clicking the Exclude Result link. This causes the error or warning to be removed from the Noncompliant tab and added to the Excluded tab. To add the result back to the Noncompliant tab, go to the Excluded" tab, select the error or warning and click the "Include Result" button.

The BPA makes it easy to correct any role specific configuration problems. However, addressing configuration problems is not a one-time task. After admins fix any issues that have been reported, it should be a priority to periodically rescan each role, because Microsoft is known to change its recommended best practices from time to time.

Brien M. Posey
, MCSE, has previously received Microsoft's MVP award for Exchange Server, Windows Server and Internet Information Server (IIS). Brien has served as CIO for a nationwide chain of hospitals and was once responsible for the Department of Information Management at Fort Knox. You can visit Brien's personal website at www.brienposey.com.

Dig Deeper on Windows Server troubleshooting