Windows Server Solutions BPA Updated September 2011

[Today's post comes to us courtesy of David Copeland from Commercial Technical Support]

The September update for the WSSG BPA has now been released, adding 59 new rules. This brings the total to 107 rules. The number of checks per SKU currently breaks down as follows:

  • Small Business Server 2011 Standard Edition: 102
  • Small Business Server 2011 Essentials: 78
  • Windows Storage Server 2008 R2 Essentials: 30
  • Windows MultiPoint Server 2011: 5

You will be notified of the update in a couple of places. If you chose to integrate the BPA into the SBS console during installation, the BPA will have a status of critical under the Security menu. You will see this until the update is applied.


You will also see the notification “An update for the Windows Server Solutions BPA is available” in the system tray when you launch the BPA. You need to click this notification to install the update.


The model for the WSSG BPA has been updated with new rules including:

Small Business Server 2011 Standard Edition

  • CACertNameCheck9Section - The name of your certification authority contains one or more periods, or includes either the word "remote" or "mail."
  • CheckOrigName9Section - The value set for the registry key at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL
  • CheckOrigName10Section - The value set for the registry key at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL
  • ExchangeSPSection - The server is running the original release of Exchange Server 2010. However, Exchange Server 2010 Service Pack 1 (SP1) is now available.
  • JournalEventExist9Section - The server is in a journal wrap condition.
  • RPCExtAuthSection - Exchange Server 2010 is not set to use the default method for external authentication.
  • RPCIntAuthSection - Exchange Server 2010 is not set to use the default method for internal authentication.
  • OSRTMSection - This server is running the original release of Windows Server 2008 R2. However, Service Pack 1 for Windows Server 2008 R2 is available.
  • SMTPInstalledSection - The Simple Mail Transfer Protocol (SMTP) service is installed.
  • EmptyServersContainerSection - One or more Servers containers in your Exchange organization are empty.
  • AcceptedDomainSection - The name of the default accepted domain contains one or more spaces.
  • SharepointAppPoolIdentitySection - The SBS SharePoint AppPool application pool is not running with the default account.
  • SharepointAppPoolFrameworkSection - The SBS SharePoint AppPool application pool is not running with the default .NET Framework version.
  • SharepointAppPoolPipelineSection - The SBS SharePoint AppPool application pool is not running with the default Managed Pipeline Mode.
  • SharepointAppPoolBitnessSection - The SBS SharePoint AppPool application pool is not running with the default Bitness level.
  • RWAAppPoolBitnessSection - The SBS Web Workplace AppPool application pool is not running with the default Bitness level.
  • RWAAppPoolPipelineSection - The SBS Web Workplace AppPool application pool is not running with the default Managed Pipeline Mode.
  • RWAAppPoolFrameworkSection - The SBS Web Workplace AppPool application pool is not running with the default .NET Framework version.
  • RWAAppPoolIdentitySection - The SBS Web Workplace AppPool application pool is not running with the default account.
  • WebGardensSection - The number of Maximum Worker Processes for the DefaultAppPool Application Pool is not set to the default value of 1.
  • WarningDiskSpaceVeryLowSection - One or more volumes has less than 20% of free space available.
  • SysvolSection - The Sysvol share does not exist.
  • RDPPortSection - The PortNumber registry key for the Terminal Server port has been changed.
  • SysvolRdySection - The value of the SysvolReady registry key is not equal to 1. This indicates that there is a problem with the domain.
  • PingDCFailsSection - This server cannot ping one or more domain controllers.
  • OldRootVerSection - The value of the RootVer registry key for .NET Framework may be incorrect.
  • NotSchemaMasterSection - This server running Windows SBS is not the Schema Master.
  • NotSBSDNSSection - The DNS client is not configured to point only to the internal IP address of the server.
  • NotRIDMasterSection - This server running Windows SBS is not the RID Master.
  • NotPreWin2Section - The Authenticated Users group is not a member of the Pre-Windows 2000 Compatible Access group.
  • NotPDCMasterSection - This server running Windows SBS is not the Primary Domain Controller Master.
  • NotInfraMasterSection - This server running Windows SBS is not the Infrastructure Master.
  • NotDomMasterSection - This server running Windows SBS is not the Domain Naming Master.
  • NoNSRecs3Section - There are no DNS name server (NS) resource records for the delegated _msdcs forward lookup zone.
  • NoNSRecs2Section - There are no DNS name server (NS) resource records in the _msdcs zone for Windows SBS 2011 (for example: _msdcs.contoso.local).
  • NoNSRecsSection - There are no DNS name server (NS) resource records in the forward lookup zone for Windows SBS 2011.
  • NoDefaultDomainPolicySection - The Default Domain Policy group policy is missing.
  • MaxCacheTTLSection - The DNS parameter MaxCacheTTL is not set.
  • LeftSrcSvrinOUSection - The Source Server that is running Windows SBS still exists in Active Directory Users and Computers in the MyBusiness/Computers/SBSComputers organizational unit.
  • LeftSrcSvrSection - The source server that is running Windows SBS still exists in Active Directory Sites and Services in the Default-First-Site-Name.
  • IsSchemaMasterSection - This server running Windows SBS is the Schema Master.
  • IsRIDMasterSection - This server running Windows SBS is the Relative ID (RID) Master.
  • IsPDCMasterSection - This server running Windows SBS is the Primary Domain Controller Master.
  • IsInfraMasterSection - This server running Windows SBS is the Infrastructure Master.
  • IsDomMasterSection - This server running Windows SBS is the Domain Naming Master.
  • IEHardenUsersSection - Internet Explorer Enhanced Security Configuration (IE ESC) is currently not enabled for the Users group.
  • IEHardenAdminSection - Internet Explorer Enhanced Security Configuration (IE ESC) is currently not enabled for the Administrators group.
  • ForwardDNSAllowUpdatesMSDCSSection - You should configure the forward lookup zone for the _msdcs.* zone to allow only secure dynamic updates.
  • ForwardDNSAllowUpdatesSection - You should configure the forward lookup zone to allow only secure dynamic updates.
  • EDNSEnabledSection - Some routers and firewall devices do not support EDNS. You should disable EDNS on this server. To disable EDNS, from a command prompt, type dnscmd /Config /EnableEdnsProbes 0, and then restart the DNS Server service.
  • DNSTimeOutsSection - The value of the DNS ForwardingTimeout registry key should not be the same as the value of the RecursionTimeout registry key.
  • DNSRegEnabledSection - The internal network adapter is not configured to register its IP address in DNS.
  • DNSAforInternalSection - The host (A) resource record points to an incorrect IP address.
  • CheckFirewallSection - Windows Firewall is turned on in the default installation of Windows Small Business Server.
  • CheckAdminSection - The built-in Administrators group does not have the right to log on as a batch job.
  • PowershellAppPoolBitnessSection - The MSExchangePowerShellAppPool application pool is not running with the default Bitness level.
  • PowershellAppPoolPipelineSection - The MSExchangePowerShellAppPool application pool is not running with the default Managed Pipeline Mode.
  • PowershellAppPoolFrameworkSection - The MSExchangePowerShellAppPool application pool is not running with the default .NET Framework version.
  • PowershellAppPoolIdentitySection - The MSExchangePowerShellAppPool application pool is not running with the default account.
  • CheckAdminSection - The built-in Administrators group does not have the right to log on as a batch job.
  • CheckFirewallSection - Windows Firewall is turned on in the default installation of Windows Small Business Server.
  • DNSAforInternalSection - The host (A) resource record points to an incorrect IP address.
  • DNSRegEnabledSection - The internal network adapter is not configured to register its IP address in DNS.
  • DNSTimeOutsSection - The value of the DNS ForwardingTimeout registry key should not be the same as the value of the RecursionTimeout registry key.
  • EDNSEnabledSection - Some routers and firewall devices do not support EDNS. You should disable EDNS on this server. To disable EDNS, from a command prompt, type dnscmd /Config /EnableEdnsProbes 0, and then restart the DNS Server service.
  • ForwardDNSAllowUpdatesSection - You should configure the forward lookup zone to allow only secure dynamic updates.
  • ForwardDNSAllowUpdatesMSDCSSection - You should configure the forward lookup zone for the _msdcs.* zone to allow only secure dynamic updates.
  • IEHardenAdminSection - Internet Explorer Enhanced Security Configuration (IE ESC) is currently not enabled for the Administrators group.
  • IEHardenUsersSection - Internet Explorer Enhanced Security Configuration (IE ESC) is currently not enabled for the Users group.
  • IsDomMasterSection - This server running Windows SBS is the Domain Naming Master.
  • IsInfraMasterSection - This server running Windows SBS is the Infrastructure Master.
  • IsRIDMasterSection - This server running Windows SBS is the Relative ID (RID) Master.
  • IsPDCMasterSection - This server running Windows SBS is the Primary Domain Controller Master.
  • IsSchemaMasterSection - This server running Windows SBS is the Schema Master.
  • LeftSrcSvrSection - The source server that is running Windows SBS still exists in Active Directory Sites and Services in the Default-First-Site-Name.
  • LeftSrcSvrinOUSection - The Source Server that is running Windows SBS still exists in Active Directory Users and Computers in the MyBusiness/Computers/SBSComputers organizational unit.
  • MaxCacheTTLSection - The DNS parameter MaxCacheTTL is not set.
  • NoDefaultDomainPolicySection - The Default Domain Policy group policy is missing.
  • NoNSRecsSection - There are no DNS name server (NS) resource records in the forward lookup zone for Windows SBS 2011.
  • NoNSRecs2Section - There are no DNS name server (NS) resource records in the _msdcs zone for Windows SBS 2011 (for example: _msdcs.contoso.local).
  • NoNSRecs3Section - There are no DNS name server (NS) resource records for the delegated _msdcs forward lookup zone.
  • NotDomMasterSection - This server running Windows SBS is not the Domain Naming Master.
  • NotInfraMasterSection - This server running Windows SBS is not the Infrastructure Master.
  • NotPDCMasterSection - This server running Windows SBS is not the Primary Domain Controller Master.

Small Business Server 2011 Essentials

  • NotRIDMasterSection - This server running Windows SBS is not the RID Master.
  • NotSBSDNSSection - The DNS client is not configured to point only to the internal IP address of the server.
  • NotSchemaMasterSection - This server running Windows SBS is not the Schema Master.
  • OldRootVerSection - The value of the RootVer registry key for .NET Framework may be incorrect.
  • PingDCFailsSection - This server cannot ping one or more domain controllers.
  • RDPPortSection - The PortNumber registry key for the Terminal Server port has been changed.
  • SysvolRdySection - The value of the SysvolReady registry key is not equal to 1. This indicates that there is a problem with the domain.
  • SysvolSection - The Sysvol share does not exist.
  • WarningDiskSpaceVeryLowSection - One or more volumes has less than 20% of free space available.
  • WebGardensSection - The number of Maximum Worker Processes for the DefaultAppPool Application Pool is not set to the default value of 1.
  • NotPreWin2Section - The Authenticated Users group is not a member of the Pre-Windows 2000 Compatible Access group.
  • RWAAppPoolBitnessSection - The SBS Web Workplace AppPool application pool is not running with the default Bitness level.
  • RWAAppPoolPipelineSection - The SBS Web Workplace AppPool application pool is not running with the default Managed Pipeline Mode.
  • RWAAppPoolFrameworkSection - The SBS Web Workplace AppPool application pool is not running with the default .NET Framework version.
  • RWAAppPoolIdentitySection - The SBS Web Workplace AppPool application pool is not running with the default account.

Windows Storage Server 2008 R2 Essentials

  • RWAAppPoolBitnessSection - The SBS Web Workplace AppPool application pool is not running with the default Bitness level.
  • RWAAppPoolPipelineSection - The SBS Web Workplace AppPool application pool is not running with the default Managed Pipeline Mode.
  • RWAAppPoolFrameworkSection - The SBS Web Workplace AppPool application pool is not running with the default .NET Framework version.
  • RWAAppPoolIdentitySection - The SBS Web Workplace AppPool application pool is not running with the default account.

Things to check if the update is not being offered:

  • You need to be opted in to Microsoft Update:
    Launch Windows Update and select the option to check online for updates from Windows Update.
    Then click the option for "Get updates for other Microsoft products" and complete the process to opt in.

    After completing this process, it might take 10-15 minutes before the initial synchronization completes. Launch the BPA after that time and the update should be detected.

  • Verify that the following registry key is set to 1:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsServerSolutions\BPA\Update

  • Verify that you are running the Windows Server Solutions BPA and not the retired Small Business Server 2011 BPA.
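
The first two checks above can be scripted. The following PowerShell is an added example, not part of the original post or of the BPA itself. It assumes that "Update" is a value under the `...\BPA` key (the post gives only the full path) and uses the Windows Update Agent COM API with the well-known Microsoft Update service ID; the function names are hypothetical.

```powershell
# Added example: checks the Microsoft Update opt-in and the BPA "Update" flag.
# Assumption: "Update" is a value stored under the ...\BPA registry key.
$bpaKey      = 'HKLM:\SOFTWARE\Microsoft\WindowsServerSolutions\BPA'
$valueName   = 'Update'
# Service ID that the Windows Update Agent uses for Microsoft Update.
$muServiceId = '7971f918-a847-4430-9279-4a52d1efe18d'

function Test-MicrosoftUpdateOptIn {
    try {
        $sm = New-Object -ComObject Microsoft.Update.ServiceManager -ErrorAction Stop
    } catch {
        return "FAIL: cannot create Microsoft.Update.ServiceManager: $($_.Exception.Message)"
    }
    # Only services the machine has opted in to appear in this collection.
    $mu = $sm.Services | Where-Object { $_.ServiceID -eq $muServiceId }
    if (-not $mu) {
        return 'FAIL: Microsoft Update is not registered (Windows Update only)'
    }
    if (-not $mu.IsRegisteredWithAU) {
        return 'WARN: Microsoft Update is registered, but not with Automatic Updates'
    }
    return "OK: opted in to '$($mu.Name)'"
}

function Test-BpaUpdateFlag {
    if (-not (Test-Path $bpaKey)) {
        return "FAIL: $bpaKey not found (is the Windows Server Solutions BPA installed?)"
    }
    $props = Get-ItemProperty -Path $bpaKey -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.$valueName) {
        return "FAIL: value '$valueName' is missing under $bpaKey"
    }
    # Compare as text so a REG_SZ "1" and a REG_DWORD 1 both pass.
    if ("$($props.$valueName)" -eq '1') {
        return "OK: $valueName = 1"
    }
    return "FAIL: $valueName = $($props.$valueName), expected 1"
}

Test-MicrosoftUpdateOptIn
Test-BpaUpdateFlag
```

Run it from an elevated PowerShell prompt on the server; it only reads state and changes nothing.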
