
RAP as a Service for Team Foundation Server · PDF file10/12/2017 · 1 How to prepare for your RAP as a Service for Team Foundation Server The Tools machine is used to connect to


How to prepare for your RAP as a Service for Team Foundation Server

The Tools machine is used to connect to each of the servers in your Team Foundation Server environment, such as Team Foundation Server, SQL Server, and SharePoint, and to retrieve configuration and health information from them. The Tools machine retrieves information from the environment communicating over Remote Procedure Call (RPC), Server Message Block (SMB), and Distributed Component Object Model (DCOM). Once data is collected, the Tools machine is used to upload the data to the Microsoft Premier Services portal for automated analysis, followed up by manual analysis by one of our expert engineers. This upload requires internet HTTPS connectivity to specific sites. Alternatively, you can also export the collected data from the Tools machine and use a different machine to submit it. You need to ensure the machine used to upload the data also has the RAP as a Service client tool installed and has an internet connection.

At a high level, your steps to success are:

1. Install prerequisites on your Tools machine and configure your environment

2. Collect data from your environment

3. Submit the data to Microsoft Premier Services for assessment

A checklist of prerequisite actions follows. Each item links to any additional software required for the Tools machine and to the detailed steps included later in this document.

Checklist

Please ensure the following items have been completed before accessing the RAP as a Service Portal for the first time and starting your engagement.

1. General Use

A Microsoft Account is required to activate and sign in to the RAP as a Service portal. If you don’t have one already, you can create one at http://login.live.com

• To learn more about Microsoft Accounts, see: http://windows.microsoft.com/en-US/windows-live/sign-in-what-is-microsoft-account

Last modified: Oct 12, 2017

RAP as a Service for Team Foundation Server

Internet connectivity is needed to:

• Access the RAP as a Service portal.

• Activate your account.

• Download the toolset.

• Submit data.

Data submission to Microsoft online servers and displaying your results on the online portal uses encryption to help protect your data. Your data is analyzed using our RAP expert system.

Prerequisites

Download the latest prerequisites from:

http://www.microsoft.com/en-us/download/details.aspx?id=34698


Ensure access to https://services.premier.microsoft.com

Ensure the Internet browser on the data collection machine has JavaScript enabled. Follow the steps listed at How to enable scripting in your browser. Internet Explorer 9, Internet Explorer 10 and Internet Explorer 11 are the supported and recommended browsers for this offering. Most other modern HTML5 based browsers will also work.

The site https://ppas.uservoice.com provides access to the Support Forum and Knowledge Base Articles for RAP as a Service.

2. Activation

Ensure access to http://corp.sts.microsoft.com

Ensure access to http://live.com

3. Data Collection

a. Tools machine hardware and Operating System:

Server-class or high-end workstation machine running Windows Server 2016/Windows Server 2012 R2/Windows Server 2012/Windows Server 2008 R2/Windows Server 2008 or Windows 10/Windows 8/Windows 7

Note: Windows Server 2003 is not supported as a Tools machine.

Minimum: 4GB RAM, 2Ghz dual-core processor, 5 GB of free disk space plus up to 500MB per analyzed server and 1-5GB per web server in the assessed environment during data collection.

Joined to the same domain as the environment servers or a trusted domain.

b. Software for Tools machine:

Microsoft .NET Framework 4.0 installed

Windows PowerShell 3.0 or later installed

Log Parser 2.2 installed

Team Explorer 2012 or standalone TFS 2012 OM Installer

c. Account Rights:

Administrator access to all servers to be assessed in Team Foundation Server environment

Administrator role in all products that make up the Team Foundation environment to be assessed, such as Team Foundation Server, SharePoint, SQL Server, SQL Reporting Services, etc.

d. Additional Requirements for Windows Server 2008 (and later) servers:

Configure all server firewalls for “Remote Event Log Management”

The Appendix Data Collection Methods details the methods used to collect data.

4. Submission

Internet connectivity is required to submit the collected data to Microsoft.

Ensure access to *.accesscontrol.windows.net. This URL is used to authenticate the data submission before accepting it.

The rest of this document contains detailed information on the steps discussed above.

Once you have completed these prerequisites, you are ready to use the RAP as a Service Portal to begin your assessment.


1. Hardware and Software

Server-class or high-end workstation computer equipped with the following:

Minimum single 2Ghz processor — Recommended dual-core/multi-core 2Ghz or higher processors.

Minimum 4 GB RAM—Recommended 8 GB RAM.

Minimum 5 GB of free disk space plus up to 500MB per analyzed server and 1-5GB per web server in the assessed environment during data collection.

Windows Server 2016/Windows Server 2012 R2/Windows Server 2012/Windows Server 2008 R2/Windows Server 2008 or Windows 10/Windows 8/Windows 7. Windows Server 2003 is not supported as a data collection machine.

Note: To successfully gather Performance data, ensure the operating system (OS) version of the data collection machine matches, or is higher than, the highest OS version of any target machine in the environment. Typically, this means that Windows 10 or Windows Server 2016 is acceptable to use.

Can be 32-bit or 64-bit operating system.

At least a 1024x768 screen resolution (higher preferred).

A member of the same domain as the servers being reviewed or a member of a trusted domain.

Microsoft® .NET Framework 4.0 — http://www.microsoft.com/en-us/download/details.aspx?id=17851

Windows PowerShell 3.0 or higher

Windows PowerShell 3.0 is part of the Windows Management Framework — https://www.microsoft.com/download/details.aspx?id=34595

The execution policy for PowerShell should be set to RemoteSigned on the Tools machine.

The execution policy settings can be verified using “Get-ExecutionPolicy -List” in a PowerShell command window.

Log Parser 2.2 installed

IIS 7.0 - optional

Team Explorer 2012 or standalone TFS 2012 OM Installer

Networked “Documents” or redirected “Documents” folders are not supported. Local “Documents” folder on the data collection machine is required.
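The hardware and software requirements listed above can be checked locally on the Tools machine before the engagement starts. The script below is an added example, not part of the original document or of the RAP as a Service toolset; the function name `Test-RapToolsMachine`, the default Log Parser install folder, and the choice to measure free space on the drive that holds the local Documents folder are assumptions.

```powershell
# Added example: local, read-only checks of the Tools machine prerequisites.
# Written for Windows PowerShell 3.0-5.1 (Get-WmiObject is not available in PowerShell 7).
function Test-RapToolsMachine {
    [CmdletBinding()]
    param(
        # Assumption: Log Parser 2.2 sits in its default install folder unless a path is given.
        [string]$LogParserPath
    )

    function New-Check($Name, $Value, [bool]$Pass) {
        [pscustomobject]@{ Check = $Name; Value = $Value; Pass = $Pass }
    }

    if (-not $LogParserPath) {
        # 64-bit Windows uses "Program Files (x86)"; 32-bit Windows only has "Program Files".
        $pf = ${env:ProgramFiles(x86)}
        if (-not $pf) { $pf = $env:ProgramFiles }
        $LogParserPath = Join-Path $pf 'Log Parser 2.2\LogParser.exe'
    }

    $cs     = Get-WmiObject -Class Win32_ComputerSystem
    # Installed RAM is reported slightly below its nominal size, so round to whole GB.
    $ramGB  = [math]::Round($cs.TotalPhysicalMemory / 1GB)
    $policy = Get-ExecutionPolicy      # effective policy after all scopes are merged
    $net4   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
    $docs   = [Environment]::GetFolderPath('MyDocuments')

    # A redirected Documents folder shows up as a UNC path or as a mapped network drive.
    $docsLocal = $false
    $freeGB    = 0
    if ($docs -and -not $docs.StartsWith('\\')) {
        $drive     = New-Object System.IO.DriveInfo -ArgumentList ([System.IO.Path]::GetPathRoot($docs))
        $docsLocal = $drive.DriveType -eq [System.IO.DriveType]::Fixed
        if ($docsLocal) { $freeGB = [math]::Floor($drive.AvailableFreeSpace / 1GB) }
    }

    New-Check 'Windows PowerShell 3.0 or later' $PSVersionTable.PSVersion ($PSVersionTable.PSVersion.Major -ge 3)
    New-Check 'Execution policy allows local scripts' $policy (@('RemoteSigned', 'Unrestricted', 'Bypass') -contains "$policy")
    New-Check '.NET Framework 4.0 installed' $net4.Version ($net4.Install -eq 1)
    New-Check 'Log Parser 2.2 present' $LogParserPath (Test-Path -LiteralPath $LogParserPath -PathType Leaf)
    New-Check 'At least 4 GB RAM' "$ramGB GB" ($ramGB -ge 4)
    New-Check 'Documents folder is local' $docs $docsLocal
    New-Check 'At least 5 GB free (Documents drive)' "$freeGB GB" ($freeGB -ge 5)
    # Only confirms domain membership; whether it is the same or a trusted domain must be checked separately.
    New-Check 'Joined to a domain' $cs.Domain ([bool]$cs.PartOfDomain)
}

Test-RapToolsMachine | Format-Table -AutoSize
```

The 5 GB figure is only the baseline; the per-server and per-web-server allowances listed above still have to be added for your environment.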

2. Account Rights

A domain account with the following:

Local administrator permission on all servers to be assessed.

Machine Requirements and Account Rights


Sysadmin on all SQL Instances that host Team Foundation Server databases.

System administrator of Analysis Services instances where Team Foundation Server warehouse is located.

SharePoint Farm administrator and Site Collection administrator for the SharePoint Farm where Team Project portals are running.

System administration and Home folder Content Manager of Reporting Services instance where Team Foundation Server reports are located.

Team Foundation Server Administrator.

Ability to run PowerShell scripts on the machine running the RAP as a Service Client. The Windows PowerShell execution policy must be set to RemoteSigned or a policy that provides an equivalent ability to run local scripts — http://technet.microsoft.com/library/hh847748.aspx

NOTE: Usually the account used to install the Team Foundation Server environment (often called TFSSetup) has these permissions. However, sometimes these permissions may have been revoked after the installation. Verification of permissions is still needed even if the account used during Team Foundation installation is used.

WARNING: Failure to provide the required permissions can prevent collection of data needed for proper analysis.

WARNING: Do not use the “Run As” feature to start the client toolset, as the discovery process and collectors might fail. The account starting the client toolset must log on to the local machine.

A Microsoft Account for each user account to log on to the Premier Proactive Assessment Services portal (https://services.premier.microsoft.com). This is the RAP as a Service portal where you will activate your access token, download the toolset and fill out the operational survey. This is also the URL that hosts the web service that coordinates the data submission.

If you don’t have one, you can create one at http://login.live.com.

Contact your TAM if the token in your Welcome Email has expired or can no longer be activated. Tokens expire after ten days. Your TAM can provide new activation tokens for additional people.

3. Network and Remote Access

Ensure that the browser on the Tools machine or the machine from where you activate, download and submit data has JavaScript enabled. Follow the steps listed at How to enable scripting in your browser.

Internet Explorer is the recommended browser for a better experience with the portal. Ensure Internet Explorer Enhanced Security Configuration (ESC) is not blocking JavaScript on sites. A workaround would be to temporarily disable Internet Explorer ESC when accessing the https://services.premier.microsoft.com portal.

Internet connectivity is needed in order to complete this RAP as a Service offering. You will require access to the following sites and URLs:

For general use:

https://services.premier.microsoft.com

For token activation and authentication:

http://corp.sts.microsoft.com

http://live.com

For data collection:

http://go.microsoft.com

For data submission:

https://services.premier.microsoft.com

https://*.windows.net

https://ajax.aspnetcdn.com

Note: Some of these URLs cannot be opened using a web browser.

Review the article below for complete information regarding these URLs:

https://ppas.uservoice.com/knowledgebase/articles/120616-what-do-i-need-to-open-in-my-firewall-proxy-to-use

Unrestricted network access from the Tools machine to all servers.

• This means access through any firewalls and router ACLs that might be limiting traffic to any of the servers. This includes remote access to DCOM, Remote Registry service, Windows Management Instrumentation (WMI) services, and default administrative shares (C$, D$, IPC$).

• Remote WMI access must be enabled on the analyzed servers. Note that this is enabled by default on server operating systems but not on client operating systems, which are often used for build servers. See http://msdn.microsoft.com/en-us/library/windows/desktop/aa393266(v=vs.85).aspx and http://msdn.microsoft.com/en-us/library/aa822854(VS.85).aspx for more information.

• Firewall should not block WMI on the servers or anywhere in between – for example on the servers in Windows Firewall Advanced Configuration enable this Inbound rule for domain:

Windows Management Instrumentation (WMI-In)

• Administrative shares (i.e. C$) need to be enabled on the analyzed servers for remote collection of files (configs, logs) from these servers. If this is not possible, then as a workaround the locations can be temporarily shared only to the account that is used to run the collection.

• Ensure that the machine you use to collect data has complete TCP/UDP access, including RPC access to all servers.

The Tools machine should be able to resolve the TFS servers through DNS using the configured server names. It should be in the same domain or be able to resolve servers in other domains. As a workaround, the hosts file can be modified.

IIS Management Scripts and Tools feature must be installed on TFS Application Tier, TFS Proxy and SharePoint servers. This is necessary for collection and analysis of IIS logs.

The following services must be started on the target servers:

WMI

Remote Registry service

Server service

Workstation service

File and Printer Sharing service

Automatic Updates service

Performance Logs and Alerts service

Configure the server firewall to ensure all servers running Windows Server 2008/R2 and higher have “Remote Event Log Management” enabled: RAP as a Service Client might be unable to collect event log information from Windows Server 2008/R2 or higher SQL Server hosts if “Remote Event Log Management” has not been allowed. When “Remote Management” is enabled, the rules that allow Remote Event Log Management are also enabled.

To test if the tool will be able to collect event log data from a Windows Server 2008 R2 SQL Server host, you can try to connect to the Windows Server 2008/R2 server using eventvwr.msc. If you are able to connect, collecting event log data is possible. If the remote connection is unsuccessful, you may need to configure the Windows built-in firewall to allow “Remote Event Log Management”.


Configure the server firewall to ensure all servers have “Performance Logs and Alerts” enabled: RAP as a Service Client might be unable to start performance counters collection if this rule is disabled.

Connectivity Testing

Event Log: To test if the tool will be able to collect event log data from a Windows Server 2008 R2 server, you can try to connect to the Windows Server 2008/R2 server using eventvwr.msc. If you are able to connect, collecting event log data is possible. If the remote connection is unsuccessful, you may need to configure the Windows built-in firewall to allow “Remote Event Log Management”.

Registry: Use regedit.exe to test remote registry connectivity to the target servers (File > Connect Network Registry).

File: Connect to the C$ and Admin$ shares on the target servers to verify file access.
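The manual event log, registry and file tests above can be scripted so that every target server is checked the same way, together with the required services listed earlier. The script below is an added example, not part of the original document or of the RAP as a Service toolset; the function name `Test-RapTargetConnectivity`, the mapping of the listed services to Windows service short names, and the server names in the usage line are assumptions. It only reads from the targets and should be run under the account that will perform the collection.

```powershell
# Added example: read-only connectivity checks from the Tools machine to each target server.
# Written for Windows PowerShell 3.0-5.1; Get-WmiObject uses DCOM, matching the collection method.
function Test-RapTargetConnectivity {
    [CmdletBinding()]
    param([Parameter(Mandatory = $true)][string[]]$ComputerName)

    # Short names assumed for: WMI, Remote Registry, Server, Workstation,
    # Automatic Updates, Performance Logs and Alerts.
    $requiredServices = 'Winmgmt', 'RemoteRegistry', 'LanmanServer',
                        'LanmanWorkstation', 'wuauserv', 'pla'

    foreach ($name in $ComputerName) {
        $r = [ordered]@{
            Server = $name; Dns = $false; CShare = $false; AdminShare = $false
            RemoteRegistry = $false; Wmi = $false; EventLog = $false
            OsName = $null; ServicesNotRunning = @()
        }

        # Name resolution: without it none of the other checks can succeed.
        try { [void][System.Net.Dns]::GetHostAddresses($name); $r.Dns = $true }
        catch { Write-Verbose "DNS failed for ${name}: $($_.Exception.Message)" }
        if (-not $r.Dns) { [pscustomobject]$r; continue }

        # File collectors: administrative shares over SMB.
        $r.CShare     = Test-Path -LiteralPath ('\\{0}\C$' -f $name) -ErrorAction SilentlyContinue
        $r.AdminShare = Test-Path -LiteralPath ('\\{0}\Admin$' -f $name) -ErrorAction SilentlyContinue

        # Registry collectors: Remote Registry service, reading the OS name the tool also reads.
        try {
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                        [Microsoft.Win32.RegistryHive]::LocalMachine, $name)
            $key  = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion')
            $r.OsName = $key.GetValue('ProductName')
            $r.RemoteRegistry = $true
            $key.Close(); $hklm.Close()
        } catch { Write-Verbose "Remote registry failed for ${name}: $($_.Exception.Message)" }

        # WMI collectors, also used here to list required services that are not running.
        try {
            $running = @(Get-WmiObject -Class Win32_Service -ComputerName $name -ErrorAction Stop |
                         Where-Object { $_.State -eq 'Running' } | ForEach-Object { $_.Name })
            $r.Wmi = $true
            $r.ServicesNotRunning = @($requiredServices | Where-Object { $running -notcontains $_ })
        } catch { Write-Verbose "WMI failed for ${name}: $($_.Exception.Message)" }

        # Event log collectors: needs the "Remote Event Log Management" firewall rules on the target.
        try {
            $null = Get-WinEvent -ComputerName $name -LogName System -MaxEvents 1 -ErrorAction Stop
            $r.EventLog = $true
        } catch { Write-Verbose "Event log failed for ${name}: $($_.Exception.Message)" }

        [pscustomobject]$r
    }
}

# Constructed server names; replace with the servers in scope of the assessment.
Test-RapTargetConnectivity -ComputerName 'tfs-at01', 'tfs-sql01' -Verbose | Format-List
```

A `False` in any column points at the matching firewall rule, service or permission described in this section; the `-Verbose` output carries the underlying error message.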


Appendix A: RAP as a Service Client Targets Parameters

When running the client toolset, you will be asked for some parameters to identify targets in your environment.

Only URL is a mandatory parameter, but in some configurations you may need to provide a few more. When hovering over each input box you will get a description tooltip, but a more detailed description is provided in the following table:

URL
URL of your TFS instance, for example http://tfsserver:8080/tfs. This is used to connect to your TFS and get information about the components that compose your environment: Application and Data Tier servers, SQL instances and databases, Team Project Collections, etc.

TFS Proxy servers
The TFS catalog usually does not contain information about TFS proxy servers. If you want to analyze some of your TFS proxy servers, specify their names separated by semicolon.

TFS Reporting Services Servers
The only information the TFS catalog contains regarding Reporting Services configuration is the URL. The discovery will try to find out the server by parsing this URL, but if it does not work you may provide the server name(s) explicitly through this parameter.

TFS SharePoint Servers
The only information the TFS catalog contains regarding SharePoint configuration is the URL. The discovery will try to find out the server by parsing this URL, but if it does not work you may provide the server name(s) explicitly through this parameter.

Build, Test and other Servers
If you want to have some of your build, test or other servers assessed as well, you can provide their names separated by semicolon here. You can use the wildcard * to get all of them automatically, but remember the overall number of analyzed servers should not exceed the service limit (see datasheet).

Advanced Options
A list of additional semicolon-separated options that can impact the way the data is collected. See the table on the next page for the list of available options.

In most cases it is recommended to start with the URL parameter and, if needed, build servers only, and then review the details of the discovery results. If some of the mentioned servers are missing, you can provide some of the optional parameters and rerun the discovery. Make a note of the parameters that worked for your discovery for the next assessment runs.


In the following table you can find the list of Advanced Options that you can use to impact the data collection process:

IISLOGSALL
IIS logs are not collected if their size is more than 10 GB per server for the last 7 days, and any analysis based on these logs is skipped. This limit can be removed by specifying this option. Note that transferring large files may impact the servers' performance and network bandwidth.

IISLOGSSKIP
Specify this option if for any reason you want to avoid collecting IIS logs, but be aware that IIS logs analysis will not be performed.

TOPTPC:n
By default only data for the top 50 (by size and activity) Team Project Collections and their databases are collected and analyzed. Moreover, very small collections are skipped as well. If you want to change the limit, you can provide any number in place of n. Note that analyzing a large number of collections can collect a large amount of data.

TPC:<tpc1>,<tpc2>
Similar to TOPTPC, but instead of the number of Team Project Collections you provide the list of names that should be analyzed. The names need to be separated by comma without spaces.

PERF:n
By default we run performance monitoring for 4 hours. You should not change that for the first data collection that will be analyzed by a Microsoft engineer, but in future submissions you can specify a shorter interval if you do not want to wait so long. These are the allowed values for n:

• 0 - performance collection will be skipped completely.

• 10 - 10 minutes. Short performance collection just for sample analysis and reporting.

• 60 - 1 hour performance collection

TFSBPA:<path>
If you use TFS Best Practices Analyzer from TFS Power Tools, you can have your BPA report imported as well. This way BPA errors and warnings can be reviewed on the portal and will be included in the report.

The path must point to a valid and recent TFS BPA report accessible from the Tools machine by the account running the tool. It can be a local or UNC path. Typically the report path is:

C:\Users\<user>\AppData\Roaming\Microsoft\TfsBpa\TfsBpa.<timestamp>.data.xml

BPA gives you the option to export it to another location, it can be copied to the Tools machine, etc.

SCOPETFS
The tool’s discovery process can include non-TFS web sites, SQL instances or even servers that can create some noise in the assessment. This option excludes these entities and focuses on analyzing only the real TFS entities. It is not recommended for some highly distributed environments, specifically SQL Server on Cluster or SQL Server AlwaysOn.

BRANCHESHISTORYSKIP
If you have a large Version Control branch structure, you can use this option to reduce the data collection time by skipping branch history and pending changes for Unused branches analysis.

Examples:

• Force collection of large IIS logs, analyze only 10 largest TPCs and include TFS BPA report:

IISLOGSALL;TOPTPC:5;TFSBPA:\\ATServer\C$\Users\xuser\AppData\Roaming\Microsoft\TfsBpa\TfsBpa.201501011400219645.data.xml

• Analyze only specific TPCs, run performance collection for 1 hour and scope only to TFS entities:

TPC:DefaultCollection,Experimental,Engineering;PERF:60;SCOPETFS
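Because the Advanced Options are typed as one free-form string, a misspelled option name or an unsupported PERF value is easy to miss before a multi-hour collection starts. The validator below is an added example, not part of the original document or of the RAP as a Service toolset; the function name `Test-RapAdvancedOptions` is hypothetical, and treating option names as case-insensitive, rejecting duplicates, and flagging IISLOGSALL together with IISLOGSSKIP are assumptions rather than documented client behaviour.

```powershell
# Added example: validate an Advanced Options string against the options documented on this page.
function Test-RapAdvancedOptions {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][AllowEmptyString()][string]$OptionString,
        [switch]$CheckPath      # also verify that a TFSBPA report path is reachable
    )

    $flags    = 'IISLOGSALL', 'IISLOGSSKIP', 'SCOPETFS', 'BRANCHESHISTORYSKIP'
    $valued   = 'TOPTPC', 'TPC', 'PERF', 'TFSBPA'
    $parsed   = [ordered]@{}
    $problems = New-Object System.Collections.Generic.List[string]

    foreach ($token in ($OptionString -split ';')) {
        if ([string]::IsNullOrWhiteSpace($token)) { continue }

        # Split at the first colon only: a TFSBPA path such as C:\... contains colons itself.
        $name, $value = $token -split ':', 2
        $name = $name.Trim().ToUpperInvariant()   # assumption: names are not case-sensitive

        if ($parsed.Contains($name)) { $problems.Add("Option '$name' is given more than once."); continue }

        if ($flags -contains $name) {
            if ($null -ne $value) { $problems.Add("Option '$name' does not take a value.") }
            $parsed[$name] = $true
        }
        elseif ($valued -contains $name) {
            if ([string]::IsNullOrEmpty($value)) { $problems.Add("Option '$name' needs a value."); continue }
            switch ($name) {
                'TOPTPC' {
                    if ($value -notmatch '^[1-9]\d*$') { $problems.Add("TOPTPC value '$value' is not a positive number.") }
                }
                'PERF' {
                    if (@('0', '10', '60') -notcontains $value) { $problems.Add("PERF value '$value' is not one of 0, 10, 60.") }
                }
                'TPC' {
                    foreach ($c in ($value -split ',')) {
                        if ($c -eq '' -or $c -ne $c.Trim()) { $problems.Add("TPC name '$c' is empty or has spaces next to a comma.") }
                    }
                }
                'TFSBPA' {
                    if ($CheckPath -and -not (Test-Path -LiteralPath $value -PathType Leaf)) {
                        $problems.Add("TFSBPA report '$value' is not reachable from this machine.")
                    }
                }
            }
            $parsed[$name] = $value
        }
        else { $problems.Add("Unknown option '$name'.") }
    }

    # Assumption: asking to collect all IIS logs and to skip them is contradictory.
    if ($parsed.Contains('IISLOGSALL') -and $parsed.Contains('IISLOGSSKIP')) {
        $problems.Add('IISLOGSALL and IISLOGSSKIP are both present.')
    }

    [pscustomobject]@{ IsValid = ($problems.Count -eq 0); Options = $parsed; Problems = $problems.ToArray() }
}

# First string: an example from this page. Second string: constructed, with deliberate mistakes.
$samples = 'TPC:DefaultCollection,Experimental,Engineering;PERF:60;SCOPETFS',
           'IISLOGALL;PERF:30;TPC:DefaultCollection, Experimental;IISLOGSSKIP'
foreach ($s in $samples) {
    $result = Test-RapAdvancedOptions -OptionString $s
    '{0} -> valid: {1}' -f $s, $result.IsValid
    $result.Problems | ForEach-Object { "    $_" }
}
```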


Appendix B: Data Collection Methods

RAP as a Service for Team Foundation Server uses multiple data collection methods to collect information. This section describes the methods used to collect data from a Team Foundation Server environment. Data collection uses workflows and collectors. The collectors are:

1. Registry Collectors

2. File Collectors

3. Event Log Collectors

4. Performance Collectors

5. SQL Collectors

6. Windows Management Instrumentation (WMI) Collectors

7. TFS Client Object Model Collectors

1. Registry Collectors

Registry keys and values are read from servers in scope of the RAP as a Service for Team Foundation Server. They include items such as:

• TFS installation data from HKEY_LOCAL_MACHINE\Software\Microsoft\TeamFoundationServer\10.0\InstalledComponents\Tools and HKEY_LOCAL_MACHINE\Software\Microsoft\TeamFoundationServer\11.0\InstalledComponents\Tools

• Windows Performance counters from HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\PerfLib

• Debugger settings from HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug

• Operating System information from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion

This makes it possible to determine operating system information, such as Windows Server 2003, 2008 or 2012.

2. File Collectors

• IIS logs. Note that IIS logs can be quite large, thus impacting the duration of data collection and network performance, in addition to requiring sufficient free disk space on the Tools machine.

• IIS application host config file (ApplicationHost.config)

• HTTP sys error log files (systemroot\System32\LogFiles\HTTPERR)

• TFS release manifest file (ReleaseManifest.xml) under TFS installation directory

• Various TFS config files such as TFSJobAgent.exe.config, web.config file for TFS web access, web.config file for TFS web services, and proxy.config file for TFS version control proxy.

• TFS logs

3. Event Log Collectors

Collects event logs from servers in scope of Team Foundation Server. We collect the last 7 days of Warnings and Errors from the Application and System event logs.


4. Performance Collectors

Collects Key Performance Indicators from your Team Foundation environment. They include items such as:

• % Processor Time

• Avg. Disk sec / Read

• TFS Work Item Tracking

• TFS Version Control

• TFS Services

• TFS File Container Service

5. SQL Collectors

Database information from the SQL Servers in TFS environment. They collect data such as:

• Statistics about commands or requests processed and logged by TFS

• Various statistics and data about work item tracking, version control, team build, and test management

• TFS registry settings

• Table sizes, SQL lock and process information, file I/O, database backup information

• SharePoint and SQL Analysis Services version information

6. Windows Management Instrumentation (WMI)

WMI is used to collect various information such as:

• Disk configuration: WMI_Win32_Volume, WMI_Win32_LogicalDisk, WMI_Win32_LogicalDiskToPartition

• IIS application pool settings: IISApplicationPoolSettings

• OS hotfix and TFS patching information: Win32_QuickFixEngineering, Win32_Product, Win32_PatchPackage

7. TFS REST API and Client Object Model Collectors

Custom collectors use the Team Foundation Server REST API and client object model SDK to gather various data from the TFS environment. Some of the data collected include:

• Build and Release Management data such as definitions, build and release status, start, finish and duration times

• TFS job data such as jobs, their status, history

• TFS security groups

• TFS event subscriptions

• Branch information from version control

• TFS Lab Management data