How to use Best Practices Analyzer

Is your DNS not resolving names? DHCP not giving addresses? Active Directory not adding new users? Whether you’re an experienced server admin or just getting your feet wet, we can all use someone to check over our configurations when we run into a wall. Best Practices Analyzer (BPA) is the tool Microsoft provides to be that check. Best Practices Analyzer scans one or multiple roles on your server and checks the server configuration against the guidelines that experts consider, under typical circumstances, the ideal way to set up your server. It is a quick, easy way to troubleshoot and to identify configurations that could cause problems in the future.

The guidelines checked are:


Security rules check a role’s relative risk of exposure to threats such as malicious users or theft of confidential data. This one is first for a reason. Security is always of the utmost importance.


Performance rules measure a role’s ability to process requests and perform its duties within an acceptable period of time.


Configuration rules are applied to identify role settings that might require modification for the role to perform optimally. Configuration rules can identify settings that can result in error messages or generally prevent the role from doing its job.


Policy rules identify Group Policy or Windows Registry settings that might require modification for a role to operate optimally and securely.


Operation rules are applied to identify possible failures of a role to perform prescribed tasks in the enterprise.


Pre-deployment rules are applied before an installed role is deployed in the enterprise. They let administrators evaluate whether best practices were satisfied before the role is used in production.


Post-deployment rules are applied after all required services have started for a role, and after the role is running in the enterprise.

BPA Prerequisites

BPA Prerequisite rules explain configuration settings, policy settings, and features that are required for a role before BPA can apply specific rules from other categories. A prerequisite in scan results indicates that an incorrect setting, a missing program, an incorrectly enabled or disabled policy, a registry key setting, or other configuration has prevented BPA from applying one or more rules during a scan. A prerequisite result does not imply compliance or noncompliance with best practices. It means that a rule could not be applied, and is therefore not part of the scan results.

So, now, let’s run BPA.

To run BPA, open Server Manager, then in the navigation pane open a role or group page. Next, on the Tasks menu in the Best Practices Analyzer tile, click Start BPA Scan.

The scan results will be sorted into three different severity levels:

Error results are returned when a role does not satisfy the conditions of a best practice rule, and functionality problems can be expected.

Information results are returned when a role satisfies the conditions of a best practice rule.

Warning results are returned when a role does not comply with a best practice rule and the noncompliance can cause problems if changes are not made.

You can also exclude scan results that are not relevant to your configuration by selecting and clicking Exclude. To exclude multiple results at one time, hold down the Ctrl key when you select results.
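
The same scan, triage, and exclude steps can be run from PowerShell with the BestPractices module. This is an added example, not part of the original article; it assumes Windows Server 2012 or later with the DNS Server role installed, and the model ID and the rule title used for the exclusion are placeholders to replace with values from your own server.

```powershell
# Added example: run a BPA scan, triage by severity, and manage exclusions.
Import-Module BestPractices

# List the BPA models installed on this server and when each was last scanned.
Get-BpaModel | Select-Object Id, LastScanTime

# Assumed role for illustration; substitute an Id from the list above.
$modelId = 'Microsoft/Windows/DNSServer'

# Run the scan (the PowerShell counterpart of Start BPA Scan in Server Manager).
Invoke-BpaModel -ModelId $modelId | Out-Null

# Fetch the results of the most recent scan for that model.
$results = Get-BpaResult -ModelId $modelId

# Count results per severity level (Error, Warning, Information).
$results | Group-Object Severity | Select-Object Name, Count

# Review noncompliant Security-category rules first, with the suggested fix.
$results |
    Where-Object { $_.Category -eq 'Security' -and $_.Severity -ne 'Information' } |
    Sort-Object Severity |
    Format-List Title, Severity, Problem, Impact, Resolution

# Prerequisite results mean a rule could not be applied at all, so check them
# before treating a clean scan as a complete one.
$results | Where-Object { $_.Category -eq 'Prerequisites' } | Format-List Title, Problem

# Exclude a result that does not apply to this environment.
# '<rule title to exclude>' is a placeholder, not a real BPA rule title.
$results |
    Where-Object { $_.Title -eq '<rule title to exclude>' } |
    Set-BpaResult -Exclude $true

# Excluded results drop out of the normal view, so list them periodically
# to confirm nothing security-relevant has been hidden.
Get-BpaResult -ModelId $modelId |
    Where-Object { $_.Excluded } |
    Select-Object Title, Category, Severity
```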

The main limitation of BPA is that it’s only checking your configuration against Microsoft best practices, which may or may not match what you’re trying to accomplish in your environment. We have all done a setup exactly from a Microsoft resource and had it not work, and you might run into the same problem using BPA. Think of BPA as a really powerful, extensive ping of your network configuration. It’s a helpful tool to have in your troubleshooting arsenal, but it’s no substitute for troubleshooting experience. If the scan results do not get you on the road to solving your issue, checking the documentation on TechNet about the specific role or feature is always a good idea.