SCCM Microsoft RAP Real-World Tips for IT Pros
Microsoft RAP preparation for SCCM CB infrastructure was an interesting new experience for me. In this post, I will provide tips for a successful and effective SCCM MS RAP data collection in the real world.
I would recommend running the MS RAP for SCCM from the topmost site in your hierarchy. If you have an SCCM hierarchy, then perform SCCM MS RAP from the CAS server or any device connected to the same domain. Another post, ConfigMgr SCCM Microsoft RAP Results Real-World Tips for SCCM Admins, is here.
What is SCCM Microsoft RAP?
RAP is the Risk Assessment Program run by the Microsoft Premier Support organization. SCCM MS RAP is a specific risk assessment program to find SCCM-related issues/risks in your hierarchy or primary site.
High-level steps to complete SCCM RAP successfully
Review prerequisites on your Tools machine
It’s very important to understand the prerequisites of the RAP Agent and to identify the machine (the tool machine) on which you want to run the tool. The account you plan to use to run the RAP agent should have Full SCCM Admin, SQL sysadmin and Local Admin access on all SCCM site servers and site system servers.
It’s not recommended to run the RAP agent from an SCCM site server (CAS or Primary), but this is not a blocking point: you should be able to run the SCCM RAP agent from the CAS or Primary server. As per Microsoft, the tool should run on any machine which is in the same domain as the SCCM primary server or CAS. The RAP tool also has some software prerequisites. It’s also important to launch the tool with “Administrator” access. Otherwise, you may run into issues like the one below.
Some useful log files for the access denied errors of RAP tool – “Unable to find required information about your environment”.
C:\Users\Documents\RaaS\Logs\ and C:\Users\Documents\RaaS\Tracking\
Collect data from your SCCM environment
Collecting data is THE MOST important step in the SCCM RAP process. The collection of data is going to take 3-4 hours depending on the size of your environment. I would recommend avoiding collecting data from SCCM DPs when you have 100s of DPs.
When your remote MPs/SUPs are in an untrusted forest, the RAP agent can’t connect to those remote SCCM site systems. You have an option to skip the remote site systems that are in a remote untrusted forest or DMZ.
Submit the SCCM RAP data to Microsoft Premier Services
There are two ways to submit the SCCM data collected from your environment to Microsoft services. You can submit the data from the Tool machine to Microsoft services, and this is the recommended method. The other way is to upload the data via an offline procedure.
Take the Questionnaire about your IT environment
Taking the questionnaire as part of the RAP program is also one of the important steps. It gives a better idea of the processes and best practices followed in your environment. Based on your answers to the RAP questionnaire, Microsoft will suggest the best practices which we need to follow for a better environment.
Quick tips on the ports and Connectivity Required for RAP Tool
1. Make sure you input the correct Target Server Name in the RAP Tool. This should be your SCCM Server – primary or CAS server.
2. Test the connectivity from the Collection Machine to the SQL Instance hosting the SCCM database: Use SQL Server Management Studio (SSMS) to connect to the SQL instance hosting the SCCM database using Windows Authentication Mode.
3. Firewall configuration (Hardware and Windows Firewalls) required between the Tool Machine and SCCM site servers (Primary or CAS)/MPs/SUPs/DPs:
Protocol and port: Notes
TCP 135: RPC Endpoint Mapper
TCP 1024-65535: Dynamic Ports used by RPC/DCOM/WMI
TCP 139: NetBIOS session service / SMB
TCP 445: SMB over sockets/TCP
TCP 1433: Default SQL Instance Port (if you have a custom port, please make a rule for it)
UDP 137: NetBIOS name service
UDP 138: NetBIOS
UDP 1434: SQL Browser
4. Check and make sure that no third-party firewall software, or antivirus software with built-in firewall functionality, is installed. You will need to disable the antivirus software.
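A pre-flight check for tips 1 to 3 above, run on the tools machine before starting the collection. This is an added example, not part of the original post or of Microsoft's RAP tooling. The server names are placeholders (assumptions), and it assumes Windows PowerShell 5.1 or later.

```powershell
# Added example, not Microsoft's tooling: pre-flight check run on the tools machine.
# Assumption: all server names are placeholders; replace them with your own.
$SiteSystems = @('CAS01.corp.example', 'PRI01.corp.example')  # hypothetical names
$SqlServer   = 'SQL01.corp.example'                           # hypothetical name
$SqlPort     = 1433   # default instance port; change it if you use a custom port

# Fixed TCP ports from the list above. The dynamic RPC range (TCP 1024-65535) and the
# UDP ports (137, 138, 1434) cannot be proven open by a connect test; review the
# firewall rules for those separately.
$TcpPorts = @(
    @{ Port = 135; Note = 'RPC Endpoint Mapper' },
    @{ Port = 139; Note = 'NetBIOS session service / SMB' },
    @{ Port = 445; Note = 'SMB over sockets/TCP' }
)

function Test-Elevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-TcpPort {
    param([string]$Computer, [int]$Port, [string]$Note)
    $r = Test-NetConnection -ComputerName $Computer -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{ Target = $Computer; Port = $Port; Note = $Note; Reachable = $r.TcpTestSucceeded }
}

if (-not (Test-Elevated)) { Write-Warning 'This session is not elevated; run it as Administrator.' }

$results = @(foreach ($server in $SiteSystems) {
    foreach ($p in $TcpPorts) { Test-TcpPort -Computer $server -Port $p.Port -Note $p.Note }
})
$results += Test-TcpPort -Computer $SqlServer -Port $SqlPort -Note 'SQL instance port'

# Scripted form of step 2: open a connection to the SQL instance with Windows Authentication.
$connString = "Server=$SqlServer,$SqlPort;Integrated Security=SSPI;Connect Timeout=5"
$conn = [System.Data.SqlClient.SqlConnection]::new($connString)
try     { $conn.Open(); $sqlAuthOk = $true }
catch   { $sqlAuthOk = $false; Write-Warning "SQL connection failed: $($_.Exception.Message)" }
finally { $conn.Dispose() }

$results | Format-Table -AutoSize | Out-String | Write-Host
Write-Host "SQL Windows Authentication succeeded: $sqlAuthOk"
$failed = @($results | Where-Object { -not $_.Reachable })
if ($failed.Count -gt 0) { Write-Warning "$($failed.Count) TCP check(s) failed; review the firewall rules." }
```

Run it under the same account that will run the RAP agent, so the SQL Windows Authentication result reflects that account's access.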
RAP as a Service Documentation – PDF Datasheet and Prerequisites for SCCM RAP – here
RAP as a Service (RaaS) from Microsoft Services Premier Support – Here