Tuesday, February 26, 2013

System Center 2012 SP1 Server-side Components Trouble Shooting Tool

Some days ago Microsoft released a tool targeted at troubleshooting System Center 2012 SP1 Server-side components, System Center 2012 SP1 Configuration Analyzer. This tool is an add-on for Microsoft Baseline Configuration Analyzer 2.1.

As Microsoft describes this tool (taken directly from the related website):

‘…The System Center 2012 SP1 Configuration Analyzer is your first line of defense in troubleshooting issues with System Center 2012 SP1 server-side components. The System Center 2012 SP1 Configuration Analyzer is a diagnostic tool that you can use to evaluate important configuration settings for computers that are running any of the following System Center 2012 SP1 components: Operations Manager, Virtual Machine Manager (VMM), Service Manager, Orchestrator (plus Service Provider Foundation), Configuration Manager, and Data Protection Manager (DPM)

There are some things to reckon with:

  1. The tool is an add-on for Microsoft Baseline Configuration Analyzer 2.1
    Basically meaning this tool has to be installed FIRST. This tool can be found here.

  2. The download webpage states it’s version 2.0?
    Yes, that’s correct. It’s apparently the most current version (2/7/2013) and works with System Center 2012 SP1 Configuration Analyzer.

  3. First things first
    Install Microsoft Baseline Configuration Analyzer 2.0 (MBCA) afterwards System Center 2012 SP1 Configuration Analyzer. Then run MBCA > under the header Select a product select System Center 2012 SP1 Configuration Analyzer and of you go.
    image

  4. Error: Something about Credssp to be enabled on remote servers to check configurations
    Yes, the security in Windows Server 2012 is tight (don’t know whether the same issue is at play on Windows Server 2008 R2 SP1 servers) and when trying to check a remote server (the MS02) I got this error: ‘…Microsoft Baseline Configuration Analyzer 2.0 for System Center 2012 SP1 requires Credssp to be enabled on DB01 to check configurations for the module CM_CA. You must enable Credssp or run Microsoft Baseline Configuration Analyzer 2.0 from the local machine…’
    image

    Gladly, the solutions are shown as well which is a two step process:
    Step 01: Run this PS command on the server you’re running MBCA from:
    Enable-WSManCredSSP -Role Client -DelegateComputer [target machine name]
    image

    Step 02: Run this PS command on the server you’re going to scan with MBCA:
    Enable-WsManCredssp -Role Server
    image
    Now MBCA will run just fine.

    When scanning a whole set of servers it’s better to create a GPO for those servers, saves you a lot of time, also partially explained in the same error message shown by MBCA: ‘…Use gpedit.msc and look at the following policy: Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Allow Delegating Fresh Credentials.  Verify that it is enabled and configured with an SPN appropriate for the target computer. For example, for a target computer name "myserver.domain.com", the SPN can be one of the following: WSMAN/myserver.domain.com or WSMAN/*.domain.com. For more information, see the about_Remote_Troubleshooting Help topic…’

This tool can aid you when troubleshooting issues with your SC 2012 SP1 management servers. However, the good old Event Viewer still packs tons of solid information for troubleshooting as well. Combined they pack a lot of power.

2 comments:

Larry Rayl said...

Good post Marnix! I also blogged on the subject yesterday on my Catapult blog here: http://blogs.catapultsystems.com/lrayl/archive/2013/02/25/setting-up-and-using-the-new-system-center-2012-sp1-configuration-analyzer.aspx

Question; Looks like we had similar results with OpsMgr. Did happen to scan ConfigMgr in your environment and did you have any checks other than Cube-processing? Thanks Larry Rayl, Catapult Systems

Marnix Wolf said...

Hi Larry.

Thanks for your compliments and a good posting it is you wrote. Yes, the analyzer has some strange output. Guess the cube information is targeted at SCSM but somehow runs for SCOM as well. Also the information is limited and sometimes a bit strange. Guess remote execution policy for PS plays a role here and the analyzer itself which needs an update...

Cheers,
Marnix