Cluster Check Tool
In this blog, I present you a new tool for checking your existing Windows Server Failover Cluster setup, with or without SAP resources: The Cluster Check Tool.
The Cluster Check Tool collects configuration and logging data from your Windows Server Failover Cluster. Based on the collected information, the Cluster Check Tool validates your configuration and checks for common misconfigurations, for example:
- Cluster specific: Quorum configuration, Properties for Resource Groups and Resources, Resource Group Dependencies
- Cluster Nodes: Operating System Version, Version of SAPRC.dll, Windows Service Startup types, Permissions for file System objects and network share
- Network configuration: Forward/Backward Name Resolution of IP Addresses and Hostnames
Disclaimer: This tool is not part of the SAP Products and thus not officially supported by SAP. It was designed to help our customers and supporters to identify potential misconfigurations. Use it at your own risk.
Get and run the Cluster Check Tool
Get the latest version
You can find the latest version of the Cluster Check Tool attached to SAP Note 2624843 – How to check a Windows Failover Cluster configuration?
The version history of the Cluster Check Tool can be found at the end of this blog post.
For more details about how to upgrade the .NET Framework and the WMF, see:
- .NET Framework – System requirements: https://docs.microsoft.com/en-us/dotnet/framework/get-started/system-requirements
- .NET Framework – Installation guide: https://docs.microsoft.com/en-us/dotnet/framework/install/
- .NET Framework – Download: https://dotnet.microsoft.com/en-us/download
- Install and Configure WMF 5.1: https://docs.microsoft.com/en-us/powershell/scripting/windows-powershell/wmf/setup/install-configure?view=powershell-5.1
Every node of the Cluster must fulfill the following system requirements:
- Windows Server 2008 R2 or later, x64 only
- .NET Framework 4.5.2 or later on the cluster node which is used to start the Cluster Check Tool
- The Windows Feature “.NET Framework 3.5 (includes .NET 2.0 and 3.0)” or “.NET Framework 4.x”
- You can use the following PowerShell command to check the installation state of this Windows Features:
- .NET Framework 3.5: Get-WindowsFeature -Name NET-Framework-Core
- .NET Framework 4.x: Get-WindowsFeature -Name NET-Framework-45-Core
- You can use the following PowerShell command to check the installation state of this Windows Features:
- Windows Management Framework 3.0 or later. You can get the Windows Management Framework 3.0 using the link https://www.microsoft.com/en-us/download/details.aspx?id=34595
- PowerShell 3.0 or later.
- PowerShell Remoting must be enabled
- The user used to run the Cluster Check Tool must be at least a member of the Active Directory group “Domain Users” and member of the local “Administrators” group on each node of the cluster.
- Disk space: The required disks space mainly depends on the size of the created cluster logs and the size of the work folders of your SAP installation. Depending on the number of cluster nodes, the size of each cluster log file and the size of you SAP systems work folders, the size of the collected data can exceed several Gigabytes!
Note: If the Cluster Check Tool is executed on a system which is not member of a Windows Server Failover Cluster, all cluster related checks will be skipped. There are also some checks which return false warnings if the Cluster Check Tool is not run on a cluster node!
Running the Cluster Check Tool
Beforehand: It is not necessary to run the Cluster Check Tool on more than one node of the cluster.
Extract the archive to a local directory on one node of the cluster, for example C:\Cluster Check Tool.
Open an elevated PowerShell, navigate to the directory containing the Cluster Check Tool and run the PowerShell script Run-ClusterCheckTool.ps1:
cd "C:\Cluster Check Tool" .\Run-ClusterCheckTool.ps1
Please note: The Cluster Check Tool runs some prerequisite checks on the local system before starting the data collection on the cluster. If one of the prerequisite checks fails the execution will be canceled and the prerequisite check results will be displayed. You can rerun the tool after you have fixed the reported issues.
If you have troubles using the Run-ClusterCheckTool.ps1 PowerShell script, you can run the Cluster Check Tool directly from an administrative (!) command prompt. Please do not forget to specify the -outdir parameter when calling ClusterCheckTool.exe (this is the location to which the Cluster Check Tool will write the collected data and the created archive file).
cd "C:\Cluster Check Tool" .\ClusterCheckTool.exe -outdir "c:\temp\cct"
Wait until the Cluster Check Tool has collected all required information from your cluster. This may take some minutes depending on the performance of your cluster nodes. After the cluster check tool completed his work successfully, the report is opened automatically.
You should find a ClusterReport_<Timestamp> directory in the directory where the Run-ClusterCheckTool.ps1 is located. This directory contains all data that was collected by the Cluster Check Tool:
- ClusterKeyExport.reg: An export of the registry HKLM\Cluster
- Logs: This directory contains the cluster log files
- This directory contains one subdirectory <clusternodename> for each node storing the collected data
- This directory contains one subdirectory <SID> for each detected SAP System storing the collected data
- The Cluster Check Report
- The results of the prerequisite checks
The ZIP-Archive ClusterReport_<Timestamp>.zip is a compressed version of the ClusterReport_<Timestamp> directory. For example, you can attach this archive file to your incidents to provide us additional information about your cluster environment.
How it works
First, the Cluster Check Tool runs a set of prerequisite checks to ensure that it can collect the required data (Step 1). These also includes the check for the system requirements.
If the prerequisite checks passed successfully, the Cluster Check Tool collects information from the Windows Server Failover Cluster (Step 2): The resource groups, resources, and nodes of the cluster and some properties for each of these objects.
For each cluster node detected in step 2, detailed system information is queried mainly using WMI and Remote PowerShell calls (Step 3).
Based on the data from Step 2 and Step 3, the Cluster Check Tool detects the running SAP Systems and collects relevant information for each of these SAP Systems.
Windows Defender – User and Group membership reconnaissance (SAMR)
The CCT collects necessary user and group information for all relevant accounts on the analyzed cluster nodes. This user and groups queries are processed by the Windows Domain Controllers of the AD. Depending on the configuration of Windows Defender for Identity, this may trigger a “User and Group membership reconnaissance (SAMR) event” (https://learn.microsoft.com/en-us/defender-for-identity/reconnaissance-discovery-alerts#user-and-group-membership-reconnaissance-samr-external-id-2021).
This event (triggered by running the CCT) can be safely ignored.
The latest version is 184.108.40.206.
Version 220.127.116.11 (July 28th, 2022)
- Added validation for page files
- Updated validation of Memory Compression settings and validation for SAPMNT permissions
Version 18.104.22.168 (June 29th, 2022)
- Added query of WMI class MSFT_MpComputerStatus and MSFT_MpPreference
Version 22.214.171.124 (April 5th, 2022)
- Removed support for Windows Server 2008 SP2
- Added check for SAPMNT permissions
- Added process list output for each cluster node.
- Added export of Windows Event Logs Microsoft-Windows-SMBClient/* and
- Fixed SMD detection
- Fixed validation of cluster permissions
- Added check for Netlogon values SiteName and DynamicSiteName
- Enabled NetBIOS over TCP/IP check for VMs running on Azure
- Added output of basic process tree for each cluster node
- Added basic detection of clustered ASCS with Webdispatcher
Version 126.96.36.199 (December 2nd, 2022)
- Changed severity for wrong Windows Service startup type from Warning to Failure.
- Added check for the Cluster Hang Recovery Action
Version 188.8.131.52 (November 8th, 2022)
- Added export of ACLs for saprc.dll ping files
- Fixed loading of SAP profile files
Version 184.108.40.206 (August 19th, 2022)
- Raised required .NET Framework Version to 4.8
- Added check of data type for environment variable COMSPEC
- Added check for failover threshold and failover period settings of SAP resource groups.
- Added check for the number of possible owners for each SAP Cluster Resource
- Added check for env. variable SAP_NI_CACHE_DISABLED for Geo Clusters
- Added export of cluster parameters for all cluster resources
- Added output and validation for command bcdedit.exe
- Added output of raw service recovery settings to report file (sc qfailure <ServiceName>)
- Fixed handing of full-qualified hostname for CNN
- Fixed reference to SAP Note 3137687
Version 0.1.0.66 (January 8th, 2022)
- Fixed processing of Windows Service Recovery Actions
- Fixed detection of SAP ASCS Cluster Groups
- Added check if DNS Cache is disabled
Version 0.1.0.62 (January 7th, 2022)
- Added check for IPv6 protocol for each enabled network adapter
- Fixed copying of logfiles from the (A)SCS work folder
- Added check for “Enable Page Heap”
Version 0.1.0.58 (November 8th, 2021)
- Updated list of supported Cloud Providers
- Added querying of some Local Security Policy settings (User Rights Assignment)
Version 0.1.0.56 (August 9th, 2021)
- Added status check of SMB Signing for LanmanWorkStation and LanmanServer
- Added support for file share clusters
- Added querying and display of network adapter RDMA settings
- Added command ‘route print’
- Added support for profile files with prefix DVEBMSG, SMD and SMDA and ignoring DEFAULT.<NUMBER>.PFL files
- Fixed detection of cluster type for Windows Server 2012 and earlier
- Fixed check for registry value ‘DisableCARetryOnInitialConnect’: Different error messages if registry value does not exists or value is not set to 1.
Version 0.1.0.50 (January 21, 2021)
- Added parameter (-skipEventLogExport) to disable the export of the Windows Event Logs Application and System.
- Added output of Cluster Networks and Cluster Network Interfaces
- Added detection of multiple IP Address resources for SAP <SID> Cluster Groups
- Added detection of cluster nodes that are distributed over distinct subnets
- Fixed parsing of file system and network share ACLs
- Added detection of commonly used Antivirus and other security software based on the
detected Windows Services
Version 0.1.0.45 (November 18, 2020)
- Added cloud provider detection.
Version 0.1.0.44 (October 09, 2020)
- Added parameter (-skipDADetection) to disable the automatic detection of Diagnostic Agent
- Fixed parsing of file information for old versions (< 220.127.116.11) of saprc.dll.
Version 0.1.0.42 (August 18, 2020)
- Fixed problems when calling PowerShell scripts on remote hosts
- Added additional informations to selected validation messages.
Version 0.1.0.40 (July 16, 2020)
- Added new command line arguments to ClusterCheckTool.exe:
- -local: Run cluster checks only on localhost
- -noWinRM: Run cluster checks without using WinRM (see also the additional PowerShell-Script Run-ClusterCheckTool-NoWinRM.ps1)
- Added check for High-Paging Hotfix (See SAP Note 2553235)
Version 0.1.0.33 (March 04, 2020)
- Added warning message if SAPRC.dll is missing on all cluster nodes.
- Added collection of additional, node specfic data:
- Content of the file %windir%\System32\drivers\etc\services
- Output of the commands:
- fltmc instances
- ipconfig /all
Version 0.1.0.28 (November 11, 2019)
- Added check for data type of registry value DisableCARetryOnInitialConnect. Expected type: DWord
- Added check for Windows Services of NEC Express Cluster
- Added check for the total count of running clustered SAP Windows Services on all nodes
- Added display of the property “Failback Type” for Cluster Groups
- Added exceptions for Well-Know SIDs within Cluster Permissions check
- Fixed check of “NetBIOS over TCP/IP” status for disabled network adapters and network adapters with not assigned IP addresses
- Fixed issues accessing protected registry keys (e.g. services for Anti Virus software)
- Fixed query for latest SAPRC.dll file version
- Fixed some issues if running on a cluster with IPv4 and IPv6 addresses
- Recovery action of windows services was not read correctly
Version 0.1.0.13 (September 13, 2018)
- Added basic support for ENSA2 configuration
- Fixed validation of Windows Services for Clustered SAP instances
- Added detection of Domain and Site awareness on Windows Server 2012 and later
- Fixed bug if the tool is executed on a non-cluster node
- Fixed bug in Run-ClusterCheckTool.cmd (wrong path to Run-ClusterCheckTool.ps1) if it’s executed from the Windows Explorer
Version 0.1.0.4 (28th March 2018)
- First beta Release