Microsoft's official enterprise support blog for AD DS and more
Ahoy hoy. The BPA release cycle has just ticked over once for Windows Server 2008 R2. This means that you can now install – through Windows Update or the Download Center – add-ons that snap into Server Manager and will tell you if you are following MS best practices for your installed roles. Simply install the update, look at the role, and click “scan this role”. After some noodling, BPA will kick out info.
For example, it appears I stink at running DFSN…
But I rule at running DFSR!
Here’s what just shipped:
Download them all from here.
Read more about them all here.
You need Windows Server 2008 R2 to use any of this stuff, so add it to your list of reasons to upgrade if you haven’t already. More BPAs coming out when they… come out. Including updates to these existing ones, in theory.
Hey Mahesh, where’s your post?
Ned “beat filecab to the punch for once” Pyle
Hi Ned
Nice to see you aren't too competitive!! :)
Any ideas when the Windows 2008 versions will be out? While I know Windows 2008 R2 is nicer/better, some of us can't upgrade just yet.
Cheers
David
A bit. :-)
The whole built-in Windows BPA framework only exists in Win2008 R2. It's a new feature. I doubt we'd ever make a version for 2008, it would cannibalize business.
Very cool. No love for AD itself? A built-in ADST like the one that came with ADRAPs would be sah-weeeet.
There is an AD one in there already - it has 38 checks. Just open servermanager on any R2 DC and click "active directory domain services" - it's down a ways.
It's nowhere as good as an ADRAP though! :-D
Ned
I am getting errors when trying to run BPA with an execution policy defined via GPO. Our policy is defined as RemoteSigned and all my searching comes up that this is the correct setting for BPA, but I can't find anyone who says anything about it being set with a GPO. I've tested with the IIS and File Services BPAs and get the same error with both. Is this a bug or am I doing something wrong?
Please provide detail around your repro steps and settings - step by step.
Also provide what you are referencing that states this is correct. We've not been asked about this before, so I don't know yet what expected behavior will be or what would need to be set.
Here are some links that reference setting the execution policy to remotesigned:
http://social.technet.microsoft.com/Forums/en/SCMDM/thread/540172c2-0f43-48c5-9e38-31002778c886
http://mobilitydojo.net/2008/09/22/system-center-mobile-device-manager-2008-install-guide-no-gateway-part-1/
Steps to reproduce (R2 with IIS or File Services role):
> set-executionpolicy remotesigned
> get-executionpolicy -list
MachinePolicy = Undefined
UserPolicy = Undefined
Process = Undefined
CurrentUser = Undefined
LocalMachine = RemoteSigned
Run IIS or File Services BPA, this works.
Open Local Policy Editor, browse to Local Computer Policy> Computer Configuration> Administrative Templates> Windows Components> Windows Powershell. Enable "Turn on Script Execution" and set the policy to "Allow local scripts and remote signed scripts".
MachinePolicy = RemoteSigned
Run IIS or File Services BPA, this fails with:
There has been a Best Practice Analyzer engine error for Model ID:'Microsoft/Windows/FileServices' during execution of the Model. (Inner Exception: One or more model documents are invalid: {0} Discovery exception occurred proccessing file '{0}'.
Windows PowerShell updated your execution policy successfully, but the setting is overridden by a policy defined at a more specific scope. Due to the override, your shell will retain its current effective execution policy of "RemoteSigned".
Now that's something I can work with. :) I'll get a local repro here when I have a chance and see what's what.
Yeah, I have a local repro. I'll see what I can do about this from our end. If you have a Premier contract please email your TAM to contact me about this.
Anything new on the problem with BPA and remotesigned execution policy via GPO?
FYI setting your ExecutionPolicy via GPO also causes issues with Exchange 2010, some of the installers break (support.microsoft.com/.../981474). I just gave up and switched to a Group Policy Preference that sets the LocalMachine ExecutionPolicy (as opposed to the MachinePolicy). I have a blog post detailing the steps I used: blog.whatsupduck.net/.../issues-with-configuring-powershell.html
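
An added example (not from the original post or its commenters): a PowerShell check that reports which scope decides the effective execution policy, so you can tell whether a server is in the MachinePolicy state from the failing repro above or the LocalMachine state that worked. The function names are hypothetical; the registry paths are the standard locations for the Group Policy and LocalMachine settings.

```powershell
# Added example: which scope decides the effective execution policy?
function Get-ExecutionPolicySource {
    # -List returns scopes in precedence order, highest first:
    # MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine.
    $winner = Get-ExecutionPolicy -List |
        Where-Object { $_.ExecutionPolicy -ne 'Undefined' } |
        Select-Object -First 1

    $scope = 'None (built-in default applies)'
    if ($winner) { $scope = [string]$winner.Scope }

    New-Object PSObject -Property @{
        EffectivePolicy  = [string](Get-ExecutionPolicy)
        DecidingScope    = $scope
        SetByGroupPolicy = (@('MachinePolicy', 'UserPolicy') -contains $scope)
    }
}

function Get-MachineExecutionPolicyRegistry {
    # Standard machine-wide locations: the first is written by the
    # "Turn on Script Execution" Group Policy setting, the second by
    # Set-ExecutionPolicy at LocalMachine scope (or a Group Policy
    # Preference registry item that targets the same value).
    $paths = @{
        MachinePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
        LocalMachine  = 'HKLM:\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'
    }
    foreach ($name in 'MachinePolicy', 'LocalMachine') {
        $prop  = Get-ItemProperty -Path $paths[$name] -ErrorAction SilentlyContinue
        $value = 'Undefined'
        if ($prop -and $prop.ExecutionPolicy) { $value = $prop.ExecutionPolicy }
        New-Object PSObject -Property @{
            Scope = $name; RegistryValue = $value; Path = $paths[$name]
        }
    }
}

$source = Get-ExecutionPolicySource
$source | Format-List EffectivePolicy, DecidingScope, SetByGroupPolicy
Get-MachineExecutionPolicyRegistry | Format-Table Scope, RegistryValue, Path -AutoSize

if ($source.SetByGroupPolicy) {
    Write-Warning ("Execution policy is enforced by Group Policy ($($source.DecidingScope)). " +
        "This is the state in which the BPA scan failed in the repro above.")
}
```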