So I ran into this issue today while creating a TFS 2010 Backup Plan

by Angela 31. October 2012 13:30

So as you would expect, I as a consultant do not have god-like access to things in production like I do in the dev and test environments.  So occasionally I get tripped up on access rights, and when it comes to TFS, well, they could do a much better job of listing out all the places where you do and do not need Admin rights, sysadmin rights, farm admin rights… Well, it’s all out there between the Ranger Guidance, best practices documents, install docs and MSDN documentation but you have to do a LOT of cross referencing to get it all.  And sure, ideally anyone who is a TFS admin would be able to just ask nice and smile and get all those rights, but this is the real world and many large companies are PARANOID about handing out access like that to production.  I had to fight to get the minimal rights documented in the TFS guidance, let alone anything extra.

While upgrading TFS 2010 to 2012 at this current client, I am stopped dead in my tracks at least a few times a week, sometimes a few times a day, by “Access Denied”. My most recent one was extra tricky because it involved a Power Tool and as you know, those are often not documented very well. So, on to my story…  I was setting up a Backup Plan on TFS 2010 using the nifty Power Tools feature (see screen below) from the Admin console.  I login to the TFS application tier with my account, a TFS Admin user.  I know that my account has sysadmin rights on SQL because I am a TFS Admin, and when it comes time to providing the account to run the backup plan under I provided the TFSService account which I know has Administrator and sysadmin rights on the data tier server:


So between those two accounts I would think everything was OK. I don’t know for sure, but if the Backup Plan is running as the TFSService account the way it is setup here, well that account is king of the world so everything should “just work”. And yet:


So to hopefully make this something that comes up when someone else does a search on this message, here is what I saw - “Error    [ Backup Plan Verifications ] The current username failed to retrieve MSSQL Server service account. Please make sure you have permissions to retrieve this information.” 

WTH?! And when I opened up the error log the first error I encountered was:

TFS upgrade xp_regread() returned error 5, 'Access is denied.' xp_regread() returned error 5, 'Access is denied.' 

Again, WTH?!

So the DBA goes off and starts researching what xp_regread() does, and tried to figure out why this isn’t an issue in our dev and test environments given that everything was setup the same, and I start digging through forums.  Finally I find one sad and lonely little post on the MSDN forums related to the issue that recommends 1) logging in as a TFS Admin user (OK, I’m with you) and 2) “ensure that the user who perform this Backup Plan have required permission in SQL Server”.  Wait, what?  Be more specific please. What *ARE* the required permissions??  This happens all the time. Don’t tell me to “make sure you have appropriate permissions” without clarifying what those are. Otherwise, well, duh! I *think* I have the right permissions but clearly I am mistaken.

I dig through the Ranger Guidance which as far as I can tell is the only place this tool is documented.  It doesn’t say the person CREATING the backup plan has to be an admin on SQL, and it IMPLIES the account specified to run the job has to be an ADMINISTRATOR but only because the example specified a  Administrator account. Here, right from the guidance:


But even that doesn’t necessarily imply a SQL admin, and nowhere in the doc does it say what rights either account (logged in user or “Account”) should have. I just went back and read it AGAIN, does not say anything IRT rights of either of those users in the Guidance. I suppose if you knew what it was doing behind the scenes you could infer the rights needed from the MSDN docs (I found this later). I made an educated guess that because in dev and test I am a server Administrator on the DT, and the Backup worked just fine there, that me being a SQL Server Admin must be a requirement.  So I logged back into my production TFS AT with another account that I knew was admin on every server in the TFS implementation (I know, I know), and the backup plan was created just fine. .

Our DBA does NOT like making TFS admin accounts SQL Administrators, but if I can show him explicit rules that say YOU CANNOT DO YOUR JOB AS A TFS ADMIN WITHOUT IT, he will do it.  So please Microsoft, don’t make it so darn difficult to divine what rights all of the accounts need for the various tasks the user will do. Particularly the Power Tools which make people nervous anyway.


ALM | Application Lifecycle Management | MSDN | Team Foundation Server | TFS | TFS 2010 | TFS 2012 | TFS Administration | TFS Power Tools | TFS Rangers


Default Roles and Permissions for TFS 2012 in and Handy Dandy Spreadsheet

by Angela 23. October 2012 11:47

So we’ve already had one situation where we had to use a recover command and lost all of our permissions, roles, etc. Restoring them can be a HUGE PITA because while Microsoft was kind enough to document them, you need to cross reference two different pages to see both the default permissions themselves, and the default assignments of those permissions to TFS groups and roles. BUT you cannot easily visualize them in the format you would see them in when setting your permissions.  IOW, you are setting values in a dialog like this:


But the documentation is provided in this format:


NOT HELPFUL right? I had to search the pages by role or group, highlight where they showed up, and :: scroll, scroll, scroll:: to find all of the places where they existed to set the values. The documentation is NOT in line with the implementation. I kept thinking “if only this was in Excel, I could sort, and filter and SEARCH. There would be unicorns and rainbows!!” I searched, no one seemed to have posted a permissions matrix on-line and my buddies on the product team claimed no knowledge of one. They did say if I created one they would love to have it. And after the help they’ve given me lately, how could I say no?  Smile

I am more than a bit OCD and just sucked it up and spent the time building this in a spreadsheet format that was sortable and filterable.  It is EXPLICIT permissions only, so those listed in the two referenced source pages. So I spent about 2 hours building this, but in the long run it will save me FAR more than 2 hours. JUST LOOK!


You can access the spreadsheet here, and all sorting and filtering work: https://skydrive.live.com/redir?resid=E796C9484DF4BAA3!10019&authkey=!AJ0OZWvOhG8OjHs  Note that I separated it into 2 worksheets, Server, Collection and project level in one, and everything else in the other.  I was going to put it all into one, but there were WAY too many columns and it was hard to read. 


Again I say, you’re welcome! Please let me know if you notice anything I might have missed, I am human after all.  Since it is SkyDrive updates will be posted in real time as I fill in any gaps or make corrections. If you feel compelled to repay my kindness I love dark chocolate and gerber daisies. Consequently if you meet up with me at a user group or tech event and want to thank me, I also prefer Hendricks gin Winking smile


ALM | Application Lifecycle Management | MSDN | TFS 2012 | TFS Administration | Team Foundation Server | Visual Studio 2012


Productivity Tip for OneNote Users – To Do Items are Magical!

by Angela 19. October 2012 12:29

So if you’ve not realized it yet, my blog posts are a bit, well, all over the place.  I am actually posting this to both my tech blog AND my non-tech blog because it’s so universally handy – IMHO. Today I am talking about Office OneNote because I couldn’t do my job (or organize some of my personal life) effectively without it.

Are you still using Notepad (the app), or physical notepads, or emails, or 15 other tools to take meeting notes, manage lists, organize events? Stop it! Stop it right now!  Well, if you cannot afford Office then I get it, keep using what you’re using, but if you DO have Office already be sure to check out OneNote. There are some amazing features in there that I couldn’t live without, today I’ll be talking about just one of them. Here is a little preview of what mine looks like.


I have many Notebooks to separate the various things I need to keep track of, and many sections within those notebooks to further categorize all the things I need to keep track of. This may not seem like an impressive amount of Notebooks, but for client privacy’s sake, there are half a dozen notebooks and about 300 sections hidden in this view. I take a LOT of notes Smile  I generally end up with pages upon pages of notes like this per client that I work with, and most pages contain images of whiteboards (who needs a SmartBoard when you have a Smartphone), embedded power point presentations or Visio diagrams, links, email addresses, etc. And what is awesome is with a couple of clicks I can easily fire off the page or entire Notebook to someone else email or even have it automatically sync to a SharePoint site so I can access it from any PC as well as share it with others.

You might already know about this feature I am about to get all hot and bothered about, but I have been using OneNote for almost 10 years and I forget about it constantly – the “To Do” feature.  To Do is the focus of today because it is seriously one of my most beloved features in OneNote. You might notice that at the bottom of my page of notes above, I have a couple of To Dos for things I owe back to the customer. I often have HUGE lists of these, and if I have several meetings a day it can easily turn into a list spread across multiple sections and Notebooks! Before I followed the RTFM rule I used to preface those lists with “To Do” and then search for “To Do” to recall them to view and verify I had done it all.  If I had paid attention, I might have noticed a handy little button in the ribbon called “To Do” with a check box next to it.  How embarrassing for me.  Anytime you click that button it puts a clickable checkbox next to a To Do item that you can check in on later to verify it was done. Now you might be thinking, what good is that if I have to go back to all of my previous sections and LOOK to see if they are done? HA, me too once, and then I right-clicked a To Do item and noticed an interesting option. “Find tags”…brilliant! Sadly, when I first started using OneNote back in 2004 I totally knew about it, and just forgot at some point… I rediscovered it lately and head a ::face palm:: moment.



This brings up a VERY handy little toolbar that lists all of the To Do items in your OneNote file, filtered by scope, state, etc.  Check it out, all the way to the right I can now see all of the To Do tasks, and right now it is scoped to just this section and shows ALL tasks:


But wait…. there’s more! Check out what happens when I change the filter to the entire Notebook, and then group by section. I know, awesome right?


Notice the checkbox that can also filter out anything that has been checked, cause believe me, if I do this for my entire OneNote file there are thousands of To Do’s mostly checked. (I did work as an evangelist covering 3 stated for Microsoft for almost 6 years after all).

Here’s where I really blow your mind. Seriously, you might want to sit down. Wait you probably ARE sitting down. Whatever. What OneNote cannot do is remind you to DO those things. But Outlook can. But I am not a huge fan of having to do double entry. And then I noticed I didn’t have to. Again, just now noticed it, oy. If you are setup with Outlook, you can pretty easily get some nice integration there.  And by “nice” I mean AWESOME. Up in the ribbon bar you might notice this little cluster of goodness:


With a simple click you can also convert a OneNote To Do into an Outlook Task, and, AND you select when the task is due (today, tomorrow, next week, custom) as well as mark it complete when you are done!! 


And yes, it “just works” and updates Outlook immediately.  I checked, cause I was dubious, immediately syncs to Outlook. Mind = BLOWN.  The other two buttons are ones I use CONSTANTLY too. Email, you can guess what that does…  And the meeting button, I just noticed this TODAY. Good lord would this have been handy when I was at Microsoft sometimes having as many as 7 meetings a day.  It was there, I just didn’t see it. Hiding there, all secret up there in the toolbar. Pssht.  Anyway, this does what I have been doing manually for 5 years, like an idiot.  It imports the data about the meeting from your Outlook calendar and into the notes. No more “what were these notes for again?” BOOM!


One last thing.  Another things I just noticed today which is what prompted me to cross-post to my crafty blog. You can customize lists with specific icons and actions. Just look at this list, take into account the fact that you can create custom ones, and then go create some lists. To Do lists, book-to-read lists, movies-to-see lists, craft supply lists, lists of awesome RSS feeds to go follow, WHATEVER!


That is my lesson for today. Hope you got something out of it, and I plan to blog about a few other OneNote features that are incredibly handy, even if you don’t take notes for a living. Did I mention I do TFS implementations and software delivery process consulting for a living? I use to sling code too, it was handy then as well. And yes, I couldn’t live (happily and productively) without OneNote.


Microsoft Office | OneNote | Productivity | Outlook 2010 | Collaboration


So You Were Forced to Use the dreaded TFS Collection /Recover Command, Now What?

by Angela 11. October 2012 08:23

Since we have used Recover on a production database and lived to tell the tale I thought I would share our experiences. If you read this post you will know that one of my client’s got themselves into a world of hurt where we needed to restore a nightly backup that was not detached.  I know, I know, detached backups are the way to go.  Well, now THEY know that too Winking smile  Nonetheless, sometimes you may find yourself needing to recover a TFS Team Project Collection (TPC) database, and if you’ve read the MSDN documentation you’ll know this is not an ideal situation. The Recover command is very lossy, BUT you get your data back. And in our case it was worth the risk.

So here is the backstory…  Someone deleted a Test Plan with a month’s worth of data in it, and if you know MTM you know there is no “undelete”. Restoring a backup was our only hope. BUT our nightly backups are SQL backups of the entire SQL Server instance, so undetached (we are addressing this NOW). Plucking one TPC out of there and attaching it is just not an option. And we did not have hardware to restore the entire thing and detach it properly.  So here is what we did:

  1. Restore the backed up TPC from the nightly backup into our dev TFS environment
  2. Used the TFSConfig /Recover command, followed by TFSConfig /Attach to get it attached in dev
  3. Used the TFSConfig /Recover command to get the TPC into the proper state
  4. Detach the hosed TPC from production
  5. Restore that detached version of the TPC to production
  6. Attach the backup to production (we actually hit an interesting bug in TFS 2010 at this point, so the attach was quite harrowing and involved an emergency hotfix to our TFS sprocs, I may blog about later.)

Now, I would love to say everything was perfect but the recover command did blow away some things that we had to get back into place before people could use the TPC again.  What we lost:

  1. All the security setting ever!
    • Collection level groups and permissions
    • Team Project (TP) level groups and permissions in every TP in the TPC
    • Permissions around Areas and Iterations in every TP in the TPC
    • Permissions around Source Control in every TP in the TPC
  2. SharePoint settings  (in every TP in the TPC). Settings on the SharePoint server themselves will be fine of course but you will probably see a “TF262600: This SharePoint site was created using a site definition…” error when you try to open the portal site that was once attached to those TPs. You will need to fix this in 2 places.
    • Go to TFS Admin Console, select the TPC you just restored and make sure the SharePoint Site settings for the TPC are correct. It will probably be set to “not configured” now.
    • Open team explorer (as an Admin user), and for each TP go to “Team Project Settings | Portal Settings” and verify everything there is correct. Ours were just plain gone so we had to enable the team project portal and reconfigure the URL.
  3. SSRS Settings – this will probably be fine if you restored the database as-is but we also renamed it as part of the restore, and so had to update the Default Folder Location through the Admin Console for the TPC in order for this to work again.

So word to the wise, make sure you understand what the settings above are for all of the TPs in your TPC BEFORE you perform a Recover command because chances are you will have to manually set them all back up.


ALM | Application Lifecycle Management | MSDN | MTM | Microsoft Test Manager | Microsoft Test Professional | TFS | TFS 2010 | Team Foundation Server | VS 2010 | Visual Studio | TFS Administration


So you accidentally deleted your MTM Test Plan, Now What?

by Angela 10. October 2012 04:14

So this week, we had a little bit of fun, by which I mean a day that started with panic and scrambling when someone accidentally deleted a Test Plan (yes, a whole test plan) in MTM in production. A well established test plan with dozens of test suites and over a hundred test cases with a month’s worth of result data no less... Some important things of note:

  • test plans are not work items, they are just a “shell” and so are a bit easier to delete than they should be (in my opinion)
  • there is no super secret command-line only undelete like there is for some artifacts in TFS, so recreate from scratch or TPC recovery are your only options here to get it back
  • when you delete a test plan, you lose every test suite you had created.  Thankfully, not test cases themselves, those are safe in this situation.  Worst case, a plan can be created, although it is tedious and can be time consuming.
  • when you delete a test plan, test results associated with that test plan will be deleted*. Let that sink in – ALL OF THE TEST RESULTS FOR THAT TEST PLAN, EVER, WILL ALSO BE DELETED.  ::this is why there were flailing arms and sweaty brows when it happened::

So at this point, you may be thinking it’s time to update your resume and change your phone number, but hold up. You may have some options to recover that data, so buy some donuts for your TFS admin(I like cinnamon sugar, BTW).  I should mention, there may be a lot of other options but these are the three I was weighing, and due to some things beyond my control we had to go with #2.

1) Best Case Scenario: restore your DETACHED (this is required) team project collection database from a backup, cause you’re totally taking nightly backups and using the TFS Power Tool right? You lose a little data depending on how old that backup is, but it may be more important to get back your test runs than have to redo a few hours of work.

2) Second Best Case Scenario: If you cannot lose other data, and are willing to sacrifice some test run data, then restore the TFS instance from a traditional SQL backup to a separate TFS instance (so, NOT your production instance), open up your test plan in that secondary environment, and recreate your test plan in production.  Not ideal, but if you didn’t have a ton of test runs this may be faster and you don’t sacrifice anything in SCM or WIT that was changed since the backup was taken.

3) Worst Case Scenario: if your backups were not detached when you did your last backup, cry a little, then use the recover command to re-attach them. The gist is to use the TFSConfig Recover command on the collection to make it “attachable” again, then attach it to your collection. I have written a separate post on this because it can be complicated…

Once you are back up and running, make sure rights to managing test plans is locked down!  It might not be obvious that you can even do this, or where to find it, since it is an “Areas and Iterations” level permission. But do it, do it now!  This permission controls the ability to create and delete Test Plans, so be aware of that. But for the most part, anyone with authority and knowledge to delete entire Test Plans, considering what they contain, should be the only person creating them.  If everyone needs the ability to create/delete these willy-nilly, then you are doing it wrong, in my opinion anyway.

I am still in the midst of getting this back up and running so will update once we’re finished. There is an MSDN forum post out there regarding one bug I seem to have uncovered, if anyone wants to look at it and maybe fix my world by answering it Smile I am sure I’ll be able to add some more tips and tricks by then.

Powered by BlogEngine.NET
Original Design by Laptop Geek, Adapted by onesoft