Introduction
This article describes Update 2 for Windows Server Solutions Best Practices Analyzer 1.0. Update 2 adds new best practices to Windows Server Solutions Best Practices Analyzer 1.0.
Windows Server Solutions Best Practices Analyzer 1.0 (Windows Server Solutions BPA) is a diagnostic tool that is built on the Microsoft Baseline Configuration Analyzer (MBCA) technology. Windows Server Solutions BPA scans a computer that is running one of the following operating systems, and compares the existing server settings to a predefined set of recommended best practices:
- Windows Small Business Server 2011 Standard
- Windows Small Business Server 2011 Essentials
- Windows Storage Server 2008 R2 Essentials
- Windows Multipoint Server 2011
Windows Server Solutions BPA performs the following tasks:
- Collects information about a server
- Determines whether the server settings comply with a set of best practices that are recommended by Microsoft
- Provides a report of the scan results (the report identifies differences between the server settings and the recommended best practices)
- Identifies conditions that may cause problems with the server
- Recommends solutions to potential problems
More Information
Update information
How to obtain this update
To obtain this update, run Windows Server Solutions Best Practices Analyzer 1.0.
Prerequisites
To apply this update, you must be running one of the following operating systems:
- Windows Small Business Server 2011 Standard
- Windows Small Business Server 2011 Essentials
- Windows Storage Server 2008 R2 Essentials
- Windows Multipoint Server 2011 Standard
- Windows Multipoint Server 2011 Premium
Additionally, you must have Windows Server Solutions Best Practices Analyzer 1.0 installed.
Registry information
To apply the update in this package, you do not have to make any changes to the registry.
Restart requirement
You do not have to restart the computer after you apply this update.
Update replacement information
This update replaces the following update:
2600333 An update for Windows Server Solutions Best Practices Analyzer 1.0 is available
Windows Server Solutions BPA best practices
After you install this update, the Windows Server Solutions BPA performs the following checks:
- Checks whether the DNS Client service is configured to start automatically
- Checks whether the DHCP Client service is configured to start automatically
- Checks whether the IIS Admin service is configured to start automatically
- Checks whether the World Wide Web Publishing service is configured to start automatically
- Checks whether the Remote Registry service is configured to start automatically
- Checks whether the Remote Desktop Gateway service is configured to start automatically
- Checks whether the Windows Time service is configured to start automatically
- Checks whether the Windows Update service is configured to start automatically
- Checks whether the MSDTC service is configured to start automatically
- Checks whether the Netlogon service is configured to start automatically
- Checks whether the DNS Server service is configured to start automatically
- Checks whether the Windows SBS Manager service is configured to start automatically
- Checks whether the DNS Client service has started
- Checks whether the Windows Update service has started
- Checks whether the DHCP Client service has started
- Checks whether the IIS Admin service has started
- Checks whether the World Wide Web Publishing service has started
- Checks whether the Remote Registry service has started
- Checks whether the Remote Desktop Gateway service has started
- Checks whether the Windows Time service has started
- Checks whether the MSDTC service has started
- Checks whether the Netlogon service has started
- Checks whether the DNS Server service has started
- Checks whether the Windows SBS Manager Service has started
- Checks whether the logon account for the DNS Client service is NT AUTHORITY\Network Service
- Checks whether the logon account for the Windows Update service is Local System
- Checks whether the logon account for the DHCP Client service is NT AUTHORITY\LocalService
- Checks whether the logon account for the IIS Admin service is Local System
- Checks whether the logon account for the World Wide Web Publishing service is Local System
- Checks whether the logon account for the Remote Desktop Gateway service is NT AUTHORITY\Network Service
- Checks whether the logon account for the Windows Time service is NT AUTHORITY\Network Service
- Checks whether the logon account for the MSDTC service is NT AUTHORITY\Network Service
- Checks whether the logon account for the Netlogon service is Local System
- Checks whether the logon account for the DNS Server service is Local System
- Checks whether the logon account for the Windows SBS Manager service is Local System
- Checks which operating system you are running on the computer
- Checks whether the server can ping the IP address of the default gateway
- Checks whether the internal network adapter is assigned only one IP address
- Checks whether IP filtering is disabled
- Checks whether the Hyper-V role is not added to the Windows Small Business Server 2011 server
- Checks whether the IPv6 protocol is enabled
- Checks whether kernel mode authentication is disabled
- Checks whether the Windows MultiPoint Server Host Service is configured to start automatically
- Checks whether the logon account for the Windows MultiPoint Server Host Service is Local System
- Checks whether the Remote Desktop Services service has started
- Checks whether the Windows MultiPoint Server Host Service has started
- Checks whether the SRCShell user account exists
- Checks whether the application pool for Remote Web Access uses the default account
- Checks whether the application pool for Remote Web Access uses the default version of the .NET Framework
- Checks whether the application pool for Remote Web Access uses the default Managed Pipeline Mode
- Checks whether the application pool for Remote Web Access uses the default Bitness level
- Checks whether the built-in Administrators group has permission to log on as a batch job
- Checks whether Windows Firewall is turned on
- Checks whether the DNS host (A) resource record points to a correct IP address
- Checks whether the internal network adapter is configured to register its IP address in DNS
- Checks whether the value of the ForwardingTimeout registry key and the value of the RecursionTimeout registry key are identical
- Checks whether extension mechanisms for DNS (EDNS) is disabled
- Checks whether the forward DNS zone for the Active Directory domain allows only secure dynamic updates
- Checks whether the forward DNS zone for the _msdcs.* zone allows only secure dynamic updates
- Checks whether Internet Explorer Enhanced Security Configuration is enabled for the Administrators group
- Checks whether Internet Explorer Enhanced Security Configuration is enabled for the Users group
- Checks whether Windows SBS is the Domain Naming Master
- Checks whether Windows SBS is the Infrastructure Master
- Checks whether Windows SBS is the Primary Domain Controller Master
- Checks whether Windows SBS is the Relative ID (RID) Master
- Checks whether Windows SBS is the Schema Master
- Checks whether the source server exists in the Default-First-Site-Name
- Checks whether the source server exists in the SBSComputers organizational unit
- Checks whether the DNS parameter MaxCacheTTL is configured
- Checks whether the Default Domain Policy Group Policy exists
- Checks whether there are DNS name server (NS) resource records in the forward lookup zone
- Checks whether there are DNS name server (NS) resource records in the _msdcs zone
- Checks whether there are DNS name server (NS) resource records for the delegated _msdcs forward lookup zone
- Checks whether the Authenticated Users group is a member of the Pre-Windows 2000 Compatible Access group
- Checks whether the DNS client is configured to point only to the internal IP address of the server
- Checks whether the value of the RootVer registry key for the .NET Framework is correct
- Checks whether this server can ping one or more domain controllers
- Checks whether the RDP Port has the default value
- Checks whether the value of the SysvolReady registry key is correct
- Checks whether the Sysvol folder is not shared
- Checks whether one or more volumes has insufficient free space
- Checks whether the number of Maximum Worker Processes for the DefaultAppPool application pool is configured to the default value
- Checks whether the name of the certification authority contains invalid strings
- Checks whether the value of the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\90\Machines\OriginalMachineName registry key is correct
- Checks whether the value of the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\100\Machines\OriginalMachineName registry key is correct
- Checks whether Exchange Server 2010 Service Pack 1 (SP1) is installed
- Checks whether Windows SBS is in a journal wrap condition
- Checks whether Exchange Server 2010 is configured to use the default method for external authentication
- Checks whether Exchange Server 2010 is configured to use the default method for internal authentication
- Checks whether Windows Server 2008 R2 Service Pack 1 (SP1) is installed
- Checks whether the Simple Mail Transfer Protocol (SMTP) service is installed
- Checks whether there are empty Servers containers in the Exchange organization
- Checks whether the name of the default accepted domain is correct
- Checks whether the application pool for SharePoint uses the default account
- Checks whether the application pool for SharePoint uses the default version of the .NET Framework
- Checks whether the application pool for SharePoint uses the default Managed Pipeline Mode
- Checks whether the application pool for SharePoint uses the default Bitness level
- Checks whether the application pool for PowerShell uses the default account
- Checks whether the application pool for PowerShell uses the default version of the .NET Framework
- Checks whether the application pool for PowerShell uses the default Managed Pipeline Mode
- Checks whether the application pool for PowerShell uses the default Bitness level
- Checks whether the Active Directory Web Services is configured to the default start mode
- Checks whether the Active Directory Web Services has started
- Checks whether the default logon account for the Active Directory Web Services is Local System
- Checks whether the Console.Log file is larger than 1 gigabyte (GB)
- Checks how many checks Windows Server Solutions BPA has completed
- Checks which version of Windows Server Solutions BPA you are running
- Checks whether the SPSearch account is the default account for SharePoint crawling
- Checks whether the SharePoint Central Admin application pool uses the spfarm account
- Checks whether the username and password for the SharePoint managed accounts is valid
- Checks whether you should use Psconfig.exe to upgrade the SharePoint databases
- Checks whether you should use Psconfig.exe to upgrade SharePoint
- Checks whether the RemoteAccess.log file is larger than 1 GB
- Checks whether the POP3service.log file is larger than 1 GB
- Checks whether the SmtpReceive log directory is larger than 1 GB
- Checks whether the SmtpSend log directory is larger than 1 GB
- Checks whether the log directory of the "Default Web Site" website is larger than 1 GB
- Checks whether the log directory of the Companyweb site is larger than 1 GB
- Checks whether the log directory of the SBS SharePoint site is larger than 1 GB
- Checks whether the HomeMDB attribute is configured to the default value
- Checks whether the most recent update is installed
- Checks whether the port of the Client Access server is configured to 443
- Checks whether the scheme of the Client Access server is configured to HTTPS
- Checks whether the AbsolutePath value of the Client Access server is correct
- Checks whether the host name of the Client Access server is correct
- Checks whether the host name of the Offline Address Book server is correct
- Checks whether the host name of the Exchange Web Service server is correct
- Checks whether the host name of the Autodiscover server is correct
- Checks whether the host name for Outlook Anywhere is correct
- Checks whether the authentication settings for Outlook Anywhere are the default settings
- Checks whether there is binding for SSL on all IP addresses
- Checks whether there is binding for SSL on the "Default Web Site" website
- Checks whether the server certificate will expire within 30 days
- Checks whether the certificate subject is correct
- Checks whether the authentication settings for the /autodiscover virtual directory are the default settings
- Checks whether the authentication settings for the /ews virtual directory are the default settings
- Checks whether the authentication settings for the /OAB virtual directory are the default settings
- Checks whether the authentication settings for the /rpc virtual directory are the default settings
- Checks whether the SSL settings for the /RPCWithCert virtual directory are the default settings
- Checks whether the maximum allowed content length for the /Rpc virtual directory is the default value
- Checks whether the maximum allowed content length for the /RpcWithCert virtual directory is the default value
- Checks whether the Path environment variable exists in the bin directory on the Exchange server
- Checks whether the ExchangeInstallPath environment variable exists
- Checks whether user accounts have duplicate CN names
- Checks whether a different website conflicts with the "Default Web Site" website
- Checks whether an MMS Update is installed
- Checks whether a recommended update that is described in Knowledge Base article 2524478 is installed
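The service checks in this list (start mode, running state, logon account) can be spot-checked by hand with a short script. The following is an added example, not part of the article or of Windows Server Solutions BPA: it covers a subset of the listed services, takes the expected logon accounts from the list above, and assumes the standard Windows short names for those services (the article gives display names only).

```powershell
# Added example. Expected accounts come from the checks listed above;
# the service short names are assumptions (standard Windows names).
$expected = @(
    @{ Name = 'Dnscache';       Account = 'NT AUTHORITY\Network Service' },  # DNS Client
    @{ Name = 'Dhcp';           Account = 'NT AUTHORITY\LocalService' },     # DHCP Client
    @{ Name = 'IISADMIN';       Account = 'Local System' },                  # IIS Admin
    @{ Name = 'W3SVC';          Account = 'Local System' },                  # World Wide Web Publishing
    @{ Name = 'RemoteRegistry'; Account = $null },                           # no account check listed
    @{ Name = 'TSGateway';      Account = 'NT AUTHORITY\Network Service' },  # Remote Desktop Gateway
    @{ Name = 'wuauserv';       Account = 'Local System' },                  # Windows Update
    @{ Name = 'MSDTC';          Account = 'NT AUTHORITY\Network Service' },
    @{ Name = 'Netlogon';       Account = 'Local System' },
    @{ Name = 'DNS';            Account = 'Local System' }                   # DNS Server
)

# Win32_Service reports 'LocalSystem' or 'NT AUTHORITY\NetworkService', while the
# list above writes 'Local System' / 'NT AUTHORITY\Network Service'. Reduce both
# spellings to one comparable key.
function Get-AccountKey([string]$Account) {
    ($Account -replace '^NT AUTHORITY\\', '' -replace '\s', '').ToLowerInvariant()
}

$results = foreach ($e in $expected) {
    # Get-WmiObject is used so the script also runs on Windows PowerShell 2.0.
    $svc = Get-WmiObject -Class Win32_Service -Filter ("Name='{0}'" -f $e.Name)
    $findings = @()
    if (-not $svc) {
        # A role that is not installed on this edition is reported, not treated as an error.
        $findings += 'service not installed'
    } else {
        if ($svc.StartMode -ne 'Auto')  { $findings += "start mode is $($svc.StartMode)" }
        if ($svc.State -ne 'Running')   { $findings += "state is $($svc.State)" }
        if ($e.Account -and
            (Get-AccountKey $svc.StartName) -ne (Get-AccountKey $e.Account)) {
            $findings += "logon account is $($svc.StartName), expected $($e.Account)"
        }
    }
    $result = 'Compliant'
    if ($findings.Count -gt 0) { $result = 'Review' }
    New-Object PSObject -Property @{
        Service = $e.Name
        Result  = $result
        Detail  = ($findings -join '; ')
    }
}

$results | Select-Object Service, Result, Detail | Format-Table -AutoSize
```

A logon account that differs from the expected one is the finding to look at first, since a service moved to a more privileged account widens what a compromise of that service can reach.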
For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates