TFS 2010 Team Project Security Management

January 26, 2011

Setting up security for all Team Projects on all involved TFS Components (TFS, SharePoint and SQL Reporting Services) for all individual users might be quite frustrating and error-prone from time to time.

I have seen this type of mismanagement once too often now. About time to publish some basic guidelines on how to manage Team Project security rights and permissions across all involved TFS components.

Download my recommended strategy for getting rid of the familiar red crosses in Team Explorer and manage TFS security wisely.

Download TFS2010TeamProjectSecurityManagement.pdf.

Content:

  • New Team Project
  • Group Membership for Team Project
  • What about security for SharePoint and SQL Reporting Services
  • Welcoming the TFS Administration Tool (v2.1)
  • Make use of Active Directory groups

References used in the recommendation:

A final note to conclude: the explained Team Project permission sets are not the only available permission sets in the Team Project. Read my previous blogpost on fine-grained permissions in TFS 2010 for more information.


Required permission for TFS 2010 Backup Plan

January 24, 2011

While setting up a TFS Backup Plan (part of the TFS 2010 Power Tools) on a new Team Foundation Server, I ran into a security issue.

[ Grant Backup Plan Permissions ] Account tfssetup failed to create backups using path TfsBackups.

I didn’t get rid of this error after making sure that the tfssetup account had the appropriate rights on the shared network folder where the backups will be dropped.

Giving Everyone modify rights resolved the issue immediately, but of course that’s not the solution I was looking for.

So, Process Monitor from Sysinternals came once again to the rescue. There I found out that SQL Server (sqlservr.exe) was trying to access the shared network folder.

Solution: also grant modify rights on the shared network folder to the SQLService account that’s running SQL Server.
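
The fix above, written out as a least-privilege ACL change (an added example, not part of the original post): it grants Modify on the backup folder only to the TFS setup account and to the identity SQL Server uses on the network, then reports any broad group that still holds Modify. The domain CONTOSO, host SQL01, folder D:\TfsBackups and the default-instance service name MSSQLSERVER are assumptions.

```powershell
# Added example. Assumed values: CONTOSO, SQL01, D:\TfsBackups, default instance MSSQLSERVER.
$Domain  = 'CONTOSO'
$SqlHost = 'SQL01'
$Folder  = 'D:\TfsBackups'   # local path behind the backup share
$Modify  = [System.Security.AccessControl.FileSystemRights]::Modify

function Get-SqlNetworkIdentity {
    param([string]$ComputerName, [string]$Domain, [string]$ServiceName = 'MSSQLSERVER')
    $svc = Get-WmiObject Win32_Service -ComputerName $ComputerName -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service $ServiceName not found on $ComputerName" }
    # Built-in and virtual service accounts reach a remote share as the computer account.
    if ($svc.StartName -match '^(LocalSystem|NT AUTHORITY\\(SYSTEM|NETWORK ?SERVICE)|NT SERVICE\\)') {
        return ('{0}\{1}$' -f $Domain, $ComputerName)
    }
    return $svc.StartName
}

function Grant-Modify {
    param([string]$Path, [string[]]$Account)
    $acl = Get-Acl -Path $Path
    foreach ($name in $Account) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $name, $Modify, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Test-BackupAcl {
    param([string]$Path, [string[]]$Account)
    $allow   = @((Get-Acl -Path $Path).Access | Where-Object { $_.AccessControlType -eq 'Allow' })
    $broad   = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'
    # Names of all identities whose allow entry includes every Modify bit (FullControl counts).
    $holders = @($allow | Where-Object { ($_.FileSystemRights -band $Modify) -eq $Modify } |
                 ForEach-Object { $_.IdentityReference.Value })
    New-Object PSObject -Property @{
        Missing  = @($Account | Where-Object { $holders -notcontains $_ })  # still lack Modify
        TooBroad = @($holders | Where-Object { $broad -contains $_ })       # should not hold Modify
    }
}

$accounts = "$Domain\tfssetup", (Get-SqlNetworkIdentity -ComputerName $SqlHost -Domain $Domain)
Grant-Modify -Path $Folder -Account $accounts
Test-BackupAcl -Path $Folder -Account $accounts | Format-List
```

Share-level permissions are evaluated together with the NTFS ACL, so the same two accounts need Change on the share as well.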


Version Control with Team Foundation Server 2010

January 11, 2011

On February 15, I will do a Microsoft Live Webcast on “What you should know about Version Control in Team Foundation Server 2010”.

Unlike Visual SourceSafe (VSS), which relied on a file-based storage mechanism, Team Foundation version control stores all artefacts, as well as a record of all changes and current check-outs in a SQL Server database which makes it highly reliable and scalable. It supports features such as multiple simultaneous check-outs, conflict resolution, shelving and unshelving, branching and merging, and the ability to set security levels on any level of a source tree, alongside the most visible features of document versioning, locking, rollback, and atomic commits. The source control mechanism integrates with TFS Work Item Management as well. TFS administrators can enforce check-in policies that require specific requirements to have passed and individual versions of files can be assigned labels. This session is targeted towards developers who want to know all the details about the new version control features in Team Foundation Server 2010.

Read more.

Update [May 4, 2011]: recording uploaded to Channel9

Watch recording


Timeout with TFS2010 Backup/Restore Power Tool

December 3, 2010

I already blogged previously about the TFS2010 Backup/Restore Power Tool, but there are still some gotchas you should be aware of.

At a customer where I made use of the TFS2010 Backup/Restore Power Tool we ran into the (known) timeout issue during a TFS Backup execution.

Active backup plan configuration: full backup each week, differential backup each day, transactional backup each 30 minutes.

The timeout (600 seconds) was caused by very big transactional log files (> 15 GB) that couldn’t be stored in time to the backup location. No matter what backup plan configuration you choose, the transactional log files of all TFS databases are continuously growing because the recovery mode of the TFS databases is set to "Full". To keep it short here, the Full recovery mode is used because it provides greater protection for data than the Simple recovery model. It relies on backing up the transaction log to provide full recoverability and to prevent work loss in the broadest range of failure scenarios. More details on SQL Server recovery modes can be found here.

As a quick fix, I changed the recovery mode of the involved databases from Full to Simple and shrunk the log files. After that I switched the recovery mode back to Full. But the issue with the growing transactional log files (+ timeout) will continue to pop up in the (near) future …

So, I was thinking about setting the recovery mode of the TFS databases to Simple permanently and switching to a nightly full backup each day. I assumed that we will always be able to do a restore to one of those full backups (maximum loss of data = 1 day) … No! Just don’t do this! The Backup/Restore Power Tool relies on SQL marked transactions to keep consistency across the TFS (and dependency products) databases. The SQL marked transaction implementation in the Backup/Restore Power Tool requires the SQL recovery mode to be set to Full. Thanks to the TFS product team for making this clear to me! Switching permanently to a Simple recovery mode could possibly result in a rollback to inconsistent TFS databases. More details on marked transactions can be found here.

A temporary solution is to manually switch to Simple recovery mode, shrink the log files and then switch back to Full recovery mode. The problem is that you would need to repeat this whenever the log files are getting "too big". A better solution might be to automate and schedule these actions for all involved TFS databases.

Here’s a sample SQL script that you might use:

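-- Temporarily switch to SIMPLE so the log can be truncated
ALTER DATABASE [<DatabaseName>] SET RECOVERY SIMPLE WITH NO_WAIT
GO
USE [<DatabaseName>]
GO
-- Release the unused space at the end of the log file
DBCC SHRINKFILE (N'<DatabaseName>_log', 0, TRUNCATEONLY)
GO
-- Switch back to FULL, which the Backup/Restore Power Tool requires
ALTER DATABASE [<DatabaseName>] SET RECOVERY FULL WITH NO_WAIT
GO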

Timeout issues + log file sizes will be fixed in the next TFS Power Tool release (probably Q1 2011).

[Update March 13, 2011]

With the release of the new TFS Power Tools (March 2011), the timeout issue has been resolved. Note that you must not forget to disable the workaround script to shrink the logfiles.
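
A check to run once the workaround is disabled, as an added example that is not from the original post: it lists every TFS database that is not in Full recovery, whose log exceeds the 15 GB mentioned above, or whose last log backup is stale. The instance name SQL01, the default `Tfs_` database prefix and the 60-minute staleness limit (twice the 30-minute schedule) are assumptions.

```powershell
# Added example. Assumptions: instance 'SQL01', TFS databases use the default 'Tfs_' prefix.
$Query = @'
SELECT d.name, d.recovery_model_desc AS recovery_model,
       SUM(CAST(mf.size AS bigint)) * 8 / 1024 AS log_mb,   -- size is stored in 8 KB pages
       (SELECT MAX(b.backup_finish_date) FROM msdb.dbo.backupset b
         WHERE b.database_name = d.name AND b.type = 'L') AS last_log_backup
FROM sys.databases d
JOIN sys.master_files mf ON mf.database_id = d.database_id AND mf.type_desc = 'LOG'
WHERE d.name LIKE 'Tfs[_]%'
GROUP BY d.name, d.recovery_model_desc
ORDER BY d.name;
'@

function Get-TfsLogHealth {
    param([string]$Instance, [int]$MaxLogMB = 15360, [int]$MaxLogBackupAgeMinutes = 60)
    $connStr = "Server=$Instance;Database=master;Integrated Security=SSPI"
    $adapter = New-Object System.Data.SqlClient.SqlDataAdapter($Query, $connStr)
    $table   = New-Object System.Data.DataTable
    [void]$adapter.Fill($table)          # Fill opens and closes the connection itself
    foreach ($row in $table.Rows) {
        $last  = $row['last_log_backup']
        # No log backup at all (NULL) counts as stale.
        $stale = ($last -is [DBNull]) -or ($last -lt (Get-Date).AddMinutes(-$MaxLogBackupAgeMinutes))
        New-Object PSObject -Property @{
            Database       = $row['name']
            RecoveryModel  = $row['recovery_model']
            LogMB          = $row['log_mb']
            LastLogBackup  = $last
            NotFull        = $row['recovery_model'] -ne 'FULL'   # breaks marked-transaction restores
            LogTooBig      = $row['log_mb'] -gt $MaxLogMB
            LogBackupStale = $stale
        }
    }
}

Get-TfsLogHealth -Instance 'SQL01' |
    Where-Object { $_.NotFull -or $_.LogTooBig -or $_.LogBackupStale } |
    Format-Table Database, RecoveryModel, LogMB, LastLogBackup -AutoSize
```

A switch to Simple and back breaks the log backup chain, so log backups only become usable again after the next full or differential backup.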


ALM/TFS sessions at TechEd 2010 Berlin

October 22, 2010

In less than a month I will be attending TechEd Europe in Berlin (November 8-12, 2010). I guess this must be my 6th TechEd (two times Amsterdam, two times Barcelona and now my 2nd time Berlin) and I must say that I always look forward to this conference.

In my early years I always wanted to get all the information on as many technologies as possible, but in recent years I really tried to focus on the ALM/TFS sessions. I don’t want to overload my agenda because I do find it interesting to also spend some time working on things I picked up in some session instead of rushing from session to session. On the other hand, this year I might have a look at some Windows Phone 7 sessions to get some phone development insights.

Of course, I also look forward to meeting some people from the “Team System” product team to have some discussions on the future of ALM and Team Foundation Server. And did I mention already the usual (community) parties? If you are a Belgian TechEd attendee: don’t forget to register for the TechEd Belgian country drink.

Scheduled ALM sessions for this year:

  • Successfully Administering and Running Team Foundation Server 2010 (Neno Loje)
  • Best Practices Using Visual Studio Team Foundation Server 2010 (Neno Loje)
  • Software Testing with Visual Studio 2010: Part 1 of 2 (Brian Keller)
  • Software Testing with Visual Studio 2010: Part 1 of 2 (Brian Keller)
  • Software Testing with Visual Studio 2010: Making it real for YOU (Brian Keller)
  • Applied Software Testing with Visual Studio 2010 (Brian Keller)
  • The Busy Developer’s Guide to Team Foundation Server 2010 Version Control (Brian Randell)
  • TFS 2010: Install and Configure in 30 Minutes or Less (Brian Randell)
  • Understanding Branching and Merging in Team Foundation Server 2010 (Brian Randell)
  • Agile Development with Visual Studio 2010 and TFS 2010 (Aaron Bjork & Peter Provost)
  • Visual Studio ALM: Lessons Learned through Dogfooding (Aaron Bjork)
  • Application Lifecycle Management – Microsoft Project 2010 and Team Foundation Server 2010, Better Together (Aaron Bjork & Christophe Fiessinger)
  • Architecture Discovery with Visual Studio 2010 Ultimate (Peter Provost)
  • Visualization and Modeling in Visual Studio 2010 Ultimate (Peter Provost)

See you at TechEd Berlin in a few weeks!


TFS2010 Backup/Restore Tool

October 19, 2010

Although there are some known issues with the first version of the TFS2010 Backup/Restore Tool, it has already saved me a lot of time during different TFS2010 assignments. Manually setting up a complete backup plan for all involved databases is not that straightforward for non-database-administrators. I also like the neat integration with the existing Team Foundation Administration Console.

Some other obstacles I encountered during the TFS2010 Backup configuration:

  • System Check failed in the readiness check
    TF255118: The Windows Management Instrumentation (WMI) interface could not be contacted on this computer

    This failure was simply fixed by restarting the Windows Management Instrumentation service.

  • Grant Backup Plan Permissions failed in the readiness check
    Account “x” failed to create backups using path \\tfs2010\Backups 2010

    This failure had nothing to do with security or permissions, but the error was simply caused by a space in the network path. The network backup path must not contain a space!

Note that you shouldn’t back up (yet) the SharePoint databases with the TFS2010 Backup/Restore Tool.

You can download the TFS2010 Backup/Restore Tool as part of the TFS2010 Power Tools (September 2010).


TFS2010 Configuration issue in a Windows 2000 domain

October 12, 2010

I encountered an error while configuring Team Foundation Server 2010 on a Windows Server 2008 R2 machine (64 bit) which was joined to a Windows 2000 domain.

The error came up while running the system check verification in the TFS2010 configuration wizard.

TF255435: This computer is a member of an Active Directory domain, but the domain controllers are not accessible.  Network problems might be preventing access to the domain. Verify that the network is operational, and then retry the readiness checks.  Other options include configuring Team Foundation Server specifying a local account in the custom wizard or joining the computer to a workgroup.  http://go.microsoft.com/fwlink/?LinkID=164053&clcid=0x409

Note that the link will just bring you to the microsoft.com site and won’t help you in solving the error.

I first stumbled on this MSDN forum article, but I wasn’t really confident that this “solution” would work in my situation. The new virtual machine was set up correctly in the domain from the start and wasn’t conflicting with some other machine(s).

Digging deeper in the configuration logfile gave me this:

Exception Message: The trust relationship between this workstation and the primary domain failed.
(type SystemException)

Exception Stack Trace:    at System.Security.Principal.NTAccount.TranslateToSids(IdentityReferenceCollection sourceAccounts, Boolean& someFailed)
   at System.Security.Principal.NTAccount.Translate(IdentityReferenceCollection sourceAccounts, Type targetType, Boolean forceSuccess)
   at System.Security.Principal.NTAccount.Translate(Type targetType)
   at Microsoft.TeamFoundation.Common.UserNameUtil.GetMachineAccountName(String hostName)
   at Microsoft.TeamFoundation.Admin.VerifyDomainAccess.Verify()

Together with the fact that SIDs could not be resolved correctly on this machine when editing local groups it was clear that there was something wrong with the AD communication.

Apparently there’s a known problem with the LookupAccountName function (only on Windows Server 2008 R2 computers joined to a Windows 2000 domain) to retrieve a security identifier (SID) for a domain account.

After applying the available hotfix (KB 976494), everything was working again and the system check in the TFS2010 configuration wizard succeeded without warnings. Problem solved!

Again a confirmation for me that installing/configuring Team Foundation Server in an enterprise environment is always a challenge because there are so many different platforms involved: Active Directory, Internet Information Server, SQL Server, Reporting Services, Analysis Services, SharePoint, …


Live Meeting on Visual Studio Lab Management 2010

September 5, 2010

On September 15, I will do an MSDN Live Meeting on Visual Studio Lab Management.

Register here.


Screencast Visual Studio Lab Management 2010

August 7, 2010

As announced at VSLive last week in Seattle, Visual Studio Lab Management will go RTM at the end of August 2010. On top of the general availability, the Lab Management capabilities will become available to all customers who have licenses for Visual Studio 2010 Ultimate with MSDN or Visual Studio Test Professional with MSDN. This really rocks because it means that companies won’t have to pay additional licenses (as communicated in the past) for using Lab Management if they already have one of the above products.

I have already set up Visual Studio Lab Management twice in the past and after experimenting with it for a few months I must say this product has a big future. At many customers I have seen the pain of deploying and testing applications during the development phase. Many of these pains are properly addressed with Visual Studio Lab Management 2010.

To give you a small teaser of the product features, I prepared a 20-minute screencast about the build-deploy-test cycle in Visual Studio Lab Management. The screencast is available at Channel 9. Note that the sound is a bit dusty during the first two minutes.

Summary of demo in the screencast:

The solution that’s used for the demo contains a web application project and a database project. Some automated UI tests with assertions are part of a dedicated Test Suite in a Test Plan with Microsoft Test Manager. A virtual environment has been created with 2 virtual machines (one will serve as the web server and the other will be the database server) in which a clean snapshot has been taken for deployment. The Lab Build will take the latest binaries of the solution and will deploy the web application to the web server (msdeploy) while the database project will be deployed to the database server.  After deployment the automated UI tests will run in the virtual environment.

[screencast has been recorded and edited with Camtasia Studio]

Sharing some extra links:


Publication of Test Results to TFS 2008

July 16, 2010

Lately I’ve been struggling with some weird behavior during a Team Build (TFS 2008). The build also executed a set of Unit Tests which passed, but during the publication step of the test results to Team Foundation Server, the operation failed time after time.

I couldn’t find any additional information (eventlog, TFS Log, …) about the root cause of this failure, but while limiting the test methods for the test run I bumped into a test method whose name consisted of 461 characters!

Apparently there’s a hard limit of 256 characters for the test method names that are published to the TFS data warehouse.

