erver 2008 R2's Best Practices Analyzer

One of the areas of managing Windows servers that has always been a little problematical is that of discovering so-called “best practices.” One can debate the extent to which it is the operating system vendor’s responsibility to advise as to how best to use its products, but just as the manufacturer of an automobile is in a uniquely well-informed position to advise its customers as to best practices in safety and reliability and performance, so too is the OS manufacturer uniquely positioned to help customers understand the “typical best way” of operating; on the understanding that informed customers may depart from a specific “best practice” as specific needs may dictate. The need for expert guidance on best practices increases as the complexity of the tool increases; we can use a bit more advice when driving a Prius than when riding a bicycle.
Windows Server 2008 took some steps towards helping customers with best practices by increasing the default security of roles installed via Server Manager. In addition, Server Manager became more intelligent, prompting us for example to install needed subsidiary roles (“role services”) when advisable or necessary. Windows Server 2008 R2 goes further and contains something called the “Best Practices Analyzer,” which is not exactly one thing but a combination of things built around something called the BPA “engine.”
The BPA engine interfaces with administrators in several ways. You can access it through Server Manager, of course; but you can also do so via PowerShell (and thereby Server Core). Clients can access BPA through the Remote Server Administration Tools (RSAT). As Microsoft refines its best-practices “advice,” and adds topic areas (initial ones include AD, DNS, Certificate Service, and IIS), updates to the BPA system will be made available through Windows Update. You can set up proactive BPA monitoring and reporting by creating an event log subscription that gathers BPA out-of-compliance events from multiple systems, and collects them on a central computer.
The BPA is not a new idea. In fact there have been BPA’s for other Microsoft products. But given the complexity and depth of Server 2008, it will be interesting to see how effective the BPA can be. It’s a good idea, but its usefulness will ultimately come down to how much time and effort Microsoft puts into the knowledge base that drives the engine, and how accurate the detection scenarios (and resulting bits of advice) are.

Posted in: Window Server