The Basics of Basis Administration
Best Practices for Architecture, Monitoring, Troubleshooting, and More
Panelists: Deb Donohoe and Christian Baessler, Enowa
Date: Wednesday, January 17th
Sponsor: Basis & SAP Administration 2018
Read transcript of the chat with Deb Donohoe and Christian Baessler from Syskoplan Reply (formerly Enowa) to get answers to your most pressing questions about Basis administration to ensure your SAP landscape runs smoothly and efficiently. Whether you are new to Basis administration or a more experienced administrator, this is a great opportunity to get new tips and techniques to add to your admin toolbox.
If you haven’t already, subscribe to SAPinsider Online for free today!
Bridget Kotelly: Hello, and welcome to today’s live Q&A, The Basics of Basis Administration. We’re looking forward to a lively discussion. Thanks to everyone who has submitted their questions in advance.
We’re joined for today’s event by Deb Donohoe and Christian Baessler from Enowa. Deb is a frequent speaker at SAPinsider events and will be presenting on this topic — along with a few others — at the upcoming SAPinsider Basis & SAP Administration conference, February 26–March 1, 2018, in Las Vegas. To learn more, click here.
Deb and Christian, thanks so much for taking the time out of your busy schedules to be here. I’ll turn things over to you to start taking questions.
Christian Baessler: Hello, I’m happy to answer your questions.
Deb Donohoe: Hi, I am a technology consultant with Enowa. I have been a Basis admin for 15 years and in the IT field for about 25 years. Thank you for joining us. I hope we are able to add some value to your work life.
Comment From BrianRay: When we are setting up RZ20 to email alerts using CCMS_OnAlert_Email_V2, is there a way to simulate or test generate an email to make sure the alert is set up correctly?
Christian Baessler: I understand that you want to trigger an event that should raise an alert triggering an email.
The usual test case I use to test alerting in technical monitoring/SAP Computing Center Management System (CCMS) is a one-line program “raise test_error” that can be linked to a transaction (obviously, run it only in a non-productive environment). Usually short dumps are always a metric that is getting monitored.
Comment From Mahesh: What is the difference between Primary Application Server (PAS) and central instance?
Deb Donohoe: Hi, Mahesh. Actually these are the same. The old terminology was central instance and dialog instance. The central instance is now referred to as the PAS, and the dialog instance is now referred to as the Additional Application Server (AAS).
Comment From Sudeepto: How can I troubleshoot connectivity issues within my SAP landscape and third-party systems?
Deb Donohoe: Hi, Sudeepto. Within the SAP landscape, the connections will be from a Remote Function Call (RFC), so the simplest troubleshooting method is to start with transaction code SM59 and test. Open the destination and follow the pull-down menu path Utilities menu > Test > Authorization test. This will conduct the “ping” of the connection test as well as the authorization of the account used in the RFC logon tab. If there is an error, review the message and determine if it is security (i.e., account credentials are not working) or lower level (i.e., network).
For third-party systems you can start with the SAP Gateway. All external traffic needs to go through the SAP Gateway. Use transaction code SMGW to check the status of “conversations.” You can use the trace function from the Goto menu to capture details. If the details are insufficient when displaying the log, increase the trace level and retry the communication. Then review the trace log by following menu path Goto > Trace > Gateway > Display file or Increase/Decrease Level. Remember to reduce the trace level when you are done troubleshooting.
You can troubleshoot connectivity on the operating system (OS) level with SAP’s Niping tool. This tool sends packets from one machine (user or server) to the SAP central instance and provides a status report. There are also other OS tools that can monitor network traffic to and from the server, such as Wireshark.
Comment From Sudeepto: What types of daily, monthly, and quarterly monitoring are needed to support business needs?
Deb Donohoe: Hi, Sudeepto. This is a good question. For daily monitoring, start with the status of backups, whether they are full online, deltas, and so on. Always make sure the mechanism to recover if needed is working (i.e., that you have everything necessary for a recovery). Next, check that you can log in. This sounds simple, but it is effective. It will let you know that the system is available and how it is responding for your users. Check the errors (short dumps) via transaction code ST22. Check the system log via transaction code SM21. Use transaction code SM66 to check the status of the work processes. Use transaction code SM37 to check for failed batch jobs. Check the output after executing transaction code SP01 for error status. Use transaction code SM12 to check the locks to ensure there are no old ones. Check the free space in the database (database and log files space). Check for database deadlocks and the consistency job. The database checks by the way are from DBACOCKPIT.
Monthly monitoring includes database growth and the largest tables in the database (both also are checked via DBACOCKPIT). Monthly monitoring is also a good time to reconcile user accounts for separation and review critical transaction reports, if configured (via transaction code SUIM) and not using an identity management system. Review early watch alerts from SAP Solution Manager for items that might need to be addressed. I hope you are getting the reports every week and are not having critical status reports. If that were the case, those should not wait for a monthly review.
Quarterly monitoring is a good time to review number ranges and ensure there is room available in the ranges (use transaction code SNRO and table NRIV). Check the status of OS patches if they are not done monthly. It is also a good time to perform reconciliation between users and access assigned, especially if your organization has quite a bit of intercompany transferring. Check the status of your maintenance license (SLICENSE).
Some of these may already be handled by processes in place, especially those related to user access. And many of them can be automated, and alerting can be configured.
Comment From Sudeepto: Can you provide tips on the best way to manage users and secure your system?
Deb Donohoe: Hi, Sudeepto. That is a complex topic and can take many hours to discuss. Managing users depends on the size of your user base and the complexity of your landscape. Ideally, if you have the option for an identity management system, that simplifies the work once it is configured and processes and procedures are in place. If an identity management system is not available, you can use Central User Administration even available in SAP NetWeaver 7.52.
Securing the system has multiple layers. If you are talking just from a user standpoint, the important key concept is to give user accounts access to only what they need and nothing more. And that comes down to how the roles are designed in the organization (i.e., whether segregation of duty [SoD] compliance is required and what the level of risk tolerance or risk acceptance by the organization is). Other layers of securing the systems have to do with physical location, access to the servers and the database, network access, firewalls, and so on. This area involves too much to go into detail here.
Comment From SAMIR: How can I resolve issues with the SAP GUI and maintain the SAP GUI in a complex environment?
Deb Donohoe: Hi, Samir. It depends on the issues with the SAP GUI. There is tracing functionality built in, so you can start there. You will find the trace settings in the options of the logon pad. Remember to disable the tracing once troubleshooting is completed. For maintaining, ideally you can use SAP’s front-end installer to manage the SAP GUI. The front-end installer can be configured to push updates automatically to the end-user machines when they are available. This step facilitates keeping a consistently deployed user interface in the organization. There are other desktop management tools that can be used as well with some integration, but my preference is the front-end installer.
Comment From SB: What checks and balances from a functional point of view should be considered while refreshing a landscape or building a landscape for testing?
Deb Donohoe: Hi, SB. This is a great question. First, if production is the source, always ensure any connections to the production environment are broken after the refresh or build. And if applicable, ensure that connections for the target system are enabled (i.e., QA to BW QA, or Portal QA, CRM QA, and so on). If there is any dependency or connection such as SAP Business Warehouse (SAP BW) or SAP Customer Relationship Management (SAP CRM), then those refreshes need to be coordinated so that the data does not get out of sync and make any functional testing or work difficult if not unavailable. For refreshes, try to do these as quickly as possible and ensure that environment-specific tables (users, RFC, ports, etc.) are exported and re-imported after the refresh.
Comment From Srini: Whenever a group of people reports performance issues of the system, is there any checklist that we can follow to resolve the issue? For our Basis people it is taking hours to even find the root cause, and they are trying out multiple things not knowing the root cause. The first solution they may suggest is reboot, which should be the last option.
Christian Baessler: Srini, the reboot is the classic answer. The person must have been a Windows admin for too long. Yes, some steps help to narrow down the potential root cause.
If it is a performance issue in an SAP instance (such as SAP ERP Central Component [SAP ECC]), my very first step is usually to execute transaction code SM50 to see what’s happening in the system.
The next step is to check central processing unit (CPU) utilization or random-access memory (RAM) utilization, either on an OS level (more real time), or if OS access is not available, via transaction code ST06.
After looking at the programs, you often get an idea of what’s going on.
The next step is to check if the bottleneck is potentially on the SAP level or the database level (e.g., a slow database response). This information helps you go a little further into finding the source of your system’s performance issue.
Generally, performance troubleshooting is a more complex topic, and you should have a pretty good architectural understanding along with knowledge in SAP Basis, database administration, and OS issues. Ideally, you should also have some high-level knowledge on how the hardware is set up. Some programming knowledge also helps in case the performance issue is based on poor programming (often the case when systems are older and growing in size).
In other words, there is not really one checklist on what to do for all cases that can occur. But there is definitely a check path for the initial analysis that should help you to investigate the issue in depth.
Comment From Josue: What are the basic skills needed to learn SAP Basis?
Deb Donohoe: Hi, Josue. That is a good question. Basis requires an overall understanding of information technology because you are dealing with multiple layers. There is OS, network, database, application, and presentation (user interfaces). Being able to understand those concepts and the dependencies is really important.
Comment From Carla: Hi. What is the best practice for applying Microsoft OS monthly patches on a productive SAP system? Do most companies do this monthly? Do they do them manually, or do they use some scripting tools? What are your recommendations? Thank you.
Deb Donohoe: Hi, Carla. There are multiple methods for deploying the monthly patches. There is the System Center Configuration Manager (SCCM) from Microsoft that is widely used. Using the SCCM allows you to build packages and have better control on what is deployed. Always deploy to the non-productive systems first and allow for a burn-in period (preferably two to three weeks). Then move into production. The frequency depends on the luxury of an outage since Microsoft patches require a server reboot. My main recommendation is to stay as current as possible.
Comment From Srini: How can we avoid database locking issues and update errors? Most of them happen when we move some data from other systems via Business Application Programming Interface (BAPI) calls or batch jobs using BAPI calls. Is there any checklist or best practice documentation for this issue?
Christian Baessler: Srini, first, to your update errors, we would need to know a little more about the root cause for these update errors. Is the problem with programming? Is there an issue caused by bad data or database locks?
In case of the database locks, the solution could be multiple tries. First, check if there is a lock record on the data you want to update (make sure you lock data always when updating it via z-programs).
If no lock is issued, try to post.
Obviously, it still can fail, as just in that moment another process is issuing a lock for the record you want to update. Therefore, you need to analyze the result of the update. If it’s lock related, write your program in the way that it retries x-times before giving up and raising an error.
For database locking, that cannot be fully avoided, as this is fundamental design in any multi-user database to ensure data consistency or single access during updates.
Design of any program, transaction, or process that updates data in a multi-user database, such as SAP, needs to take into consideration that an update is not successful (retries, exception handling, and so on).
From a technical site the likelihood of database or SAP system locks can be reduced with a performant system. Using a performant system lowers the time the SAP system and the database need until an update or insert request is processed and the lock record is removed.
However, using a performant system does not help when, for example, a user has a sales order open via transaction code VA02 while he or she is at lunch.
Comment From Faizal: What information will you be sharing during the conference in February? I’m trying to sell the conference to my boss, but it’s not as easy as it once was to get approvals to go unless it’s really beneficial.
Deb Donohoe: Hi, Faizal. I have three sessions scheduled as well as a meet-up time. And we will have people on-site during the entire conference to be available for any one-on-one discussions. My preconference workshop will go into the basics of how systems are set up, familiarizing terminology, where possible issues can arise and why. I also have a security session and a session on how to prepare for an upgrade and Unicode (UC) conversion as part of the path toward SAP HANA. The content is very beneficial as is the opportunity to meet and ask questions. I hope this helps you.
Comment From Carla: During monthly Microsoft patches, has anyone used scripts to stop and start the SAP system, or should this be done manually on productive systems?
Christian Baessler: Hello, Carla. You could use scripts for automating Microsoft patches and the recommended stopping and starting of the SAP system during this time.
But honestly, I don’t like that at all in an SAP environment, in particular not on a productive system. Things tend to go wrong occasionally or change during these patches, and therefore, this step is usually not fully automated.
If the question is just on scripting, a stop process of the SAP system before you actually kick off (manually) the Microsoft patches is possible. In a Unix world the start-stop process is scripted, and it can be easily done via a small bat script on Windows as well.
Comment From Josue: How can I find a solution for short dumps TSV_TNEW_PAGE_ALLOC_FAILED? I am using standard transaction code KEU5 and the latest Support Package Stack.
Deb Donohoe: Hi, Josue. Generally, this error indicates that there is too much data being selected. I would start by going back to the users and asking them how they are running it. Are they specifying the fiscal period and year or are these parameters wide open?
Comment From rudi vanstraelen: Hi, it’s the first time I have joined such a session. In case of a performance issue where should we start and eliminate causes step by step? Which level should be first? What are useful transaction codes? Thank you.
Christian Baessler: Rudi, I just answered a question from Srini around performance. In your particular case — in your first question you mentioned SAP BW being slower after the upgrade — it might apply as well. With regard to the questions you posted here, is the overall performance of the system slow? Is reporting slower than before the upgrade? Are the process chains slower than before the upgrade?
SAP BW is slightly different from a performance aspect, in particular from the expectations the user has for the system. In an SAP ECC system, the average response time is often critical (a couple of 100 milliseconds) as the users have a lot of interaction with the SAP system; however, in an SAP BW system, it is often the runtime of background jobs (job chains) or reports.
Comment From Qui Developers: We would like more recent data in the development instance. What is the best practice for achieving this goal?
Deb Donohoe: Hi, Qui. You have a couple of options. In the past, it was simply to do a client copy from production since no one wanted to ever refresh development. But a client copy may impact production performance. More often now we see companies doing a refresh (database copy) from production as long as certain steps are in place and certain criteria. So it will depend on resources available and limitations. For example, is it acceptable to have an SAP DEV instance that is as large as your PRD? Is there infrastructure available to support that.
Comment From John: We are running SAP on an iSeries using zebra printers to print barcode labels. At night, we have connection problems where it takes up to five minutes for a batch of labels to start printing. We have changed the number of spool processes to be the same as daytime settings, but we still have times where it seems that the SAP system and printers go to sleep. How can we find out what is causing this issue?
Christian Baessler: John, iSeries is obviously its own little world. However, have you narrowed down where the delays happen?
Is the spool showing up in SP01 within a normal time? How long does it take to transfer the spool request to the OS (SP01)?
The next step is to go to the spool on your print server. Are the zebras maintained on your iSeries or on a different server (Windows or Unix)? Check there how long it takes until the spool is transferred to the printer.
That should narrow down in a first step where to investigate further.
iSeries in that aspect is not different from Windows or Unix. However, the tools are different (compared with Windows or Unix) in case you use the iSeries spool.
Comment From Josue: Do you recommend Spectre and Meltdown patches? Have you seen performance issues in SAP environments?
Deb Donohoe: Hi, Josue. I am currently working with a customer on that, but it is too premature for me to have any information on performance at this time. I expect to have more information available by the time of the conference.
Comment From Josue: What about specifying fiscal period and year?
Deb Donohoe: You could check database statistics and then try to replicate in QA (is it recently refreshed?) what else is scheduled during this window that could impact retrieving the data?
Comment From saikrishna: Hi, how does Basis administration differ in SAP HANA systems compared with the legacy systems based on SAP NetWeaver?
Christian Baessler: Saikrishna, I assume you mean that SAP Business Suite is running on SAP HANA instead of on another database?
From an SAP perspective (within SAP) not much will change.
The big difference is obviously the administration around and in the database and the client installed on the SAP Primary Application Server (PAS) and other servers to connect to SAP HANA.
You need to become familiar with the concept, the tools, and the terms around SAP HANA. SAP HANA’s technical makeup and architecture still resemble a relational database, so SAP HANA is similar to your understanding of any other database.
The admin tools are actually quite nice compared with SAP’s other database (Adaptive Server Enterprise [ASE]).
For the Windows admins it is a change, as SAP HANA is running on Linux only. For many admins that is the biggest change.
Generally, I find that when you come from Oracle, the move to SAP HANA is relatively easy as you are used to commands and architectural details due to the lack of a useful graphical admin tool. SAP HANA is, in my opinion, much better, and documentation is also pretty good.
When you come from ASE, it only can get better.
When you come from Microsoft SQL Server, that might be the biggest change. It’s not as nice as the Microsoft SQL Server admin tools. But the transition is manageable (via Linux).
Comment From Eric: These days, most SAP systems are ABAP based. I’m curious about what type of Java stack administration skills you think are important to understand? Any particularly challenging areas you have come across?
Deb Donohoe: Hi, Eric. The most important aspect of the Java stack is the memory consumption and management. Java is particularly bad at cleaning up after itself, especially on Windows servers. Being able to navigate the log files and understand what those entries mean is important for troubleshooting.
Comment From Faizal: What tools can I use to pinpoint performance measurements and identify issues from the application, database, and hardware layers?
Christian Baessler: Faizal, there are many tools in the market. Some are more focused on hardware and OS performance measurement with a little insight to the SAP system; others are stronger and focus on SAP system-specific key performance indicators (KPIs).
The tool coming with your SAP license is Technical Monitoring running on SAP Solution Manager. Several users in the environment we are working with use Technical Monitoring successfully.
The performance of Technical Monitoring in SAP Solution Manager 7.01 was not as useful as it is with Solution Manager 7.1, and it became decent with SAP Solution Manager 7.2.
With Focused Insights for SAP Solution Manager (formerly Operations Control Center [OCC]) you can enable a good-looking tool for the hallway screen to see if your SAP instances are healthy (additional licensing is necessary).
Comment From: Can you provide tips on the best way to manage users and secure your system? What types of daily, monthly, and quarterly monitoring are needed to support business needs? After I execute transaction code ST02, what should I look for in performance?
Deb Donohoe: Hi. Quick checks are to see if the HitRatio percent for the buffers is in the 90s. The higher and closer to 100 percent the HitRatio is, the better. Also look at the swaps column. If there are swaps, it means that less is better; none is best.
Comment From Eric: What would you say are key things for a Basis person to understand about ABAP development to be effective?
Christian Baessler: Eric, several questions asked today are around performance. I truly think that a fundamental ABAP knowledge is needed to understand about 50 percent of the performance bottlenecks I encounter. Many of these costly bottlenecks are the result of poor programming.
So I think ABAP knowledge for a Basis admin is very helpful for performance troubleshooting. That includes obviously techniques on efficient performant programming.
Comment From Sonya: What are some of the best techniques (for non-Basis professionals) to diagnose system issues? For example, one or more users’ reports slow system response? How do you validate this? How can you measure system performance or tell that a slowdown has happened through monitoring or researching after the event?
Christian Baessler: Sonya, a few questions were around performance monitoring troubleshooting.
This is a field that needs a holistic understanding of an SAP system or landscape. It’s usually one of the more difficult tasks when performance is lacking to narrow down the root cause.
I’m sorry to say that there is not an easy checklist with possible root causes and the solution.
In another answer I briefly explained the steps to check entry points, such as SM50, ST06, CPU, and RAM, to determine if a particular type of program or transaction is slow while others are not, and so on.
Comment From Josue: Do you recommend completing a UC conversion and an SAP Enhancement Package 7 (EHP7) upgrade at the same time as an SAP HANA database migration? Or should these be done in separate projects?
Deb Donohoe: Hi, Josue. UC conversion is a prerequisite, so you can do that ahead of time. You can do the upgrade and migration at the same time. However, if your database is very large, and your downtime window is shorter, you may need to separate them.
Bridget Kotelly: Hi, everyone. That wraps up our time for today’s live Q&A. Thanks to everyone who participated for your great questions.
To learn more on this topic, and many other SAP admin topics as well, join us at Basis & SAP Administration 2018 this February 26–March 2, 2018, in Las Vegas. To find out more and to register, click here.
Deb and Christian, thanks again for joining us today for a great chat.
Panelists: Deb Donohoe and Christian Baessler, Enowa
Date: Wednesday, January 17th
Sponsor: Basis & SAP Administration 2018
Read transcript of the chat with Deb Donohoe and Christian Baessler from Enowa to get answers to your most pressing questions about Basis administration to ensure your SAP landscape runs smoothly and efficiently. Whether you are new to Basis administration or a more experienced administrator, this is a great opportunity to get new tips and techniques to add to your admin toolbox.
If you haven’t already, subscribe to SAPinsider Online for free today!
Bridget Kotelly: Hello, and welcome to today’s live Q&A, The Basics of Basis Administration. We’re looking forward to a lively discussion. Thanks to everyone who has submitted their questions in advance.
We’re joined for today’s event by Deb Donohoe and Christian Baessler from Enowa. Deb is a frequent speaker at SAPinsider events and will be presenting on this topic — along with a few others — at the upcoming SAPinsider Basis & SAP Administration conference, February 26–March 1, 2018, in Las Vegas. To learn more, click here.
Deb and Christian, thanks so much for taking the time out of your busy schedules to be here. I’ll turn things over to you to start taking questions.
Christian Baessler: Hello, I’m happy to answer your questions.
Deb Donohoe: Hi, I am a technology consultant with Enowa. I have been a Basis admin for 15 years and in the IT field for about 25 years. Thank you for joining us. I hope we are able to add some value to your work life.
Comment From BrianRay: When we are setting up RZ20 to email alerts using CCMS_OnAlert_Email_V2, is there a way to simulate or test generate an email to make sure the alert is set up correctly?
Christian Baessler: I understand that you want to trigger an event that should raise an alert triggering an email.
The usual test case I use to test alerting in technical monitoring/SAP Computing Center Management System (CCMS) is a one-line program “raise test_error” that can be linked to a transaction (obviously, run it only in a non-productive environment). Usually short dumps are always a metric that is getting monitored.
Comment From Mahesh: What is the difference between Primary Application Server (PAS) and central instance?
Deb Donohoe: Hi, Mahesh. Actually these are the same. The old terminology was central instance and dialog instance. The central instance is now referred to as the PAS, and the dialog instance is now referred to as the Additional Application Server (AAS).
Comment From Sudeepto: How can I troubleshoot connectivity issues within my SAP landscape and third-party systems?
Deb Donohoe: Hi, Sudeepto. Within the SAP landscape, the connections will be from a Remote Function Call (RFC), so the simplest troubleshooting method is to start with transaction code SM59 and test. Open the destination and follow the pull-down menu path Utilities menu > Test > Authorization test. This will conduct the “ping” of the connection test as well as the authorization of the account used in the RFC logon tab. If there is an error, review the message and determine if it is security (i.e., account credentials are not working) or lower level (i.e., network).
For third-party systems you can start with the SAP Gateway. All external traffic needs to go through the SAP Gateway. Use transaction code SMGW to check the status of “conversations.” You can use the trace function from the Goto menu to capture details. If the details are insufficient when displaying the log, increase the trace level and retry the communication. Then review the trace log by following menu path Goto > Trace > Gateway > Display file or Increase/Decrease Level. Remember to reduce the trace level when you are done troubleshooting.
You can troubleshoot connectivity on the operating system (OS) level with SAP’s Niping tool. This tool sends packets from one machine (user or server) to the SAP central instance and provides a status report. There are also other OS tools that can monitor network traffic to and from the server, such as Wireshark.
Comment From Sudeepto: What types of daily, monthly, and quarterly monitoring are needed to support business needs?
Deb Donohoe: Hi, Sudeepto. This is a good question. For daily monitoring, start with the status of backups, whether they are full online, deltas, and so on. Always make sure the mechanism to recover if needed is working (i.e., that you have everything necessary for a recovery). Next, check that you can log in. This sounds simple, but it is effective. It will let you know that the system is available and how it is responding for your users. Check the errors (short dumps) via transaction code ST22. Check the system log via transaction code SM21. Use transaction code SM66 to check the status of the work processes. Use transaction code SM37 to check for failed batch jobs. Check the output after executing transaction code SP01 for error status. Use transaction code SM12 to check the locks to ensure there are no old ones. Check the free space in the database (database and log files space). Check for database deadlocks and the consistency job. The database checks by the way are from DBACOCKPIT.
Monthly monitoring includes database growth and the largest tables in the database (both also are checked via DBACOCKPIT). Monthly monitoring is also a good time to reconcile user accounts for separation and review critical transaction reports, if configured (via transaction code SUIM) and not using an identity management system. Review early watch alerts from SAP Solution Manager for items that might need to be addressed. I hope you are getting the reports every week and are not having critical status reports. If that were the case, those should not wait for a monthly review.
Quarterly monitoring is a good time to review number ranges and ensure there is room available in the ranges (use transaction code SNRO and table NRIV). Check the status of OS patches if they are not done monthly. It is also a good time to perform reconciliation between users and access assigned, especially if your organization has quite a bit of intercompany transferring. Check the status of your maintenance license (SLICENSE).
Some of these may already be handled by processes in place, especially those related to user access. And many of them can be automated, and alerting can be configured.
Comment From Sudeepto: Can you provide tips on the best way to manage users and secure your system?
Deb Donohoe: Hi, Sudeepto. That is a complex topic and can take many hours to discuss. Managing users depends on the size of your user base and the complexity of your landscape. Ideally, if you have the option for an identity management system, that simplifies the work once it is configured and processes and procedures are in place. If an identity management system is not available, you can use Central User Administration even available in SAP NetWeaver 7.52.
Securing the system has multiple layers. If you are talking just from a user standpoint, the important key concept is to give user accounts access to only what they need and nothing more. And that comes down to how the roles are designed in the organization (i.e., whether segregation of duty [SoD] compliance is required and what the level of risk tolerance or risk acceptance by the organization is). Other layers of securing the systems have to do with physical location, access to the servers and the database, network access, firewalls, and so on. This area involves too much to go into detail here.
Comment From SAMIR: How can I resolve issues with the SAP GUI and maintain the SAP GUI in a complex environment?
Deb Donohoe: Hi, Samir. It depends on the issues with the SAP GUI. There is tracing functionality built in, so you can start there. You will find the trace settings in the options of the logon pad. Remember to disable the tracing once troubleshooting is completed. For maintaining, ideally you can use SAP’s front-end installer to manage the SAP GUI. The front-end installer can be configured to push updates automatically to the end-user machines when they are available. This step facilitates keeping a consistently deployed user interface in the organization. There are other desktop management tools that can be used as well with some integration, but my preference is the front-end installer.
Comment From SB: What checks and balances from a functional point of view should be considered while refreshing a landscape or building a landscape for testing?
Deb Donohoe: Hi, SB. This is a great question. First, if production is the source, always ensure any connections to the production environment are broken after the refresh or build. And if applicable, ensure that connections for the target system are enabled (i.e., QA to BW QA, or Portal QA, CRM QA, and so on). If there is any dependency or connection such as SAP Business Warehouse (SAP BW) or SAP Customer Relationship Management (SAP CRM), then those refreshes need to be coordinated so that the data does not get out of sync and make any functional testing or work difficult if not unavailable. For refreshes, try to do these as quickly as possible and ensure that environment-specific tables (users, RFC, ports, etc.) are exported and re-imported after the refresh.
Comment From Srini: Whenever a group of people reports performance issues of the system, is there any checklist that we can follow to resolve the issue? For our Basis people it is taking hours to even find the root cause, and they are trying out multiple things not knowing the root cause. The first solution they may suggest is reboot, which should be the last option.
Christian Baessler: Srini, the reboot is the classic answer. The person must have been a Windows admin for too long. Yes, some steps help to narrow down the potential root cause.
If it is a performance issue in an SAP instance (such as SAP ERP Central Component [SAP ECC]), my very first step is usually to execute transaction code SM50 to see what’s happening in the system.
The next step is to check central processing unit (CPU) utilization or random-access memory (RAM) utilization, either on an OS level (more real time), or if OS access is not available, via transaction code ST06.
After looking at the programs, you often get an idea of what’s going on.
The next step is to check if the bottleneck is potentially on the SAP level or the database level (e.g., a slow database response). This information helps you go a little further into finding the source of your system’s performance issue.
Generally, performance troubleshooting is a more complex topic, and you should have a pretty good architectural understanding along with knowledge in SAP Basis, database administration, and OS issues. Ideally, you should also have some high-level knowledge on how the hardware is set up. Some programming knowledge also helps in case the performance issue is based on poor programming (often the case when systems are older and growing in size).
In other words, there is not really one checklist on what to do for all cases that can occur. But there is definitely a check path for the initial analysis that should help you to investigate the issue in depth.
Comment From Josue: What are the basic skills needed to learn SAP Basis?
Deb Donohoe: Hi, Josue. That is a good question. Basis requires an overall understanding of information technology because you are dealing with multiple layers. There is OS, network, database, application, and presentation (user interfaces). Being able to understand those concepts and the dependencies is really important.
Comment From Carla: Hi. What is the best practice for applying Microsoft OS monthly patches on a productive SAP system? Do most companies do this monthly? Do they do them manually, or do they use some scripting tools? What are your recommendations? Thank you.
Deb Donohoe: Hi, Carla. There are multiple methods for deploying the monthly patches. There is the System Center Configuration Manager (SCCM) from Microsoft that is widely used. Using the SCCM allows you to build packages and have better control on what is deployed. Always deploy to the non-productive systems first and allow for a burn-in period (preferably two to three weeks). Then move into production. The frequency depends on the luxury of an outage since Microsoft patches require a server reboot. My main recommendation is to stay as current as possible.
Comment From Srini: How can we avoid database locking issues and update errors? Most of them happen when we move some data from other systems via Business Application Programming Interface (BAPI) calls or batch jobs using BAPI calls. Is there any checklist or best practice documentation for this issue?
Christian Baessler: Srini, first, to your update errors, we would need to know a little more about the root cause for these update errors. Is the problem with programming? Is there an issue caused by bad data or database locks?
In case of the database locks, the solution could be multiple tries. First, check if there is a lock record on the data you want to update (make sure you lock data always when updating it via z-programs).
If no lock is issued, try to post.
Obviously, it still can fail, as just in that moment another process is issuing a lock for the record you want to update. Therefore, you need to analyze the result of the update. If it’s lock related, write your program in the way that it retries x-times before giving up and raising an error.
For database locking, that cannot be fully avoided, as this is fundamental design in any multi-user database to ensure data consistency or single access during updates.
Design of any program, transaction, or process that updates data in a multi-user database, such as SAP, needs to take into consideration that an update is not successful (retries, exception handling, and so on).
From a technical site the likelihood of database or SAP system locks can be reduced with a performant system. Using a performant system lowers the time the SAP system and the database need until an update or insert request is processed and the lock record is removed.
However, using a performant system does not help when, for example, a user has a sales order open via transaction code VA02 while he or she is at lunch.
Comment From Faizal: What information will you be sharing during the conference in February? I’m trying to sell the conference to my boss, but it’s not as easy as it once was to get approvals to go unless it’s really beneficial.
Deb Donohoe: Hi, Faizal. I have three sessions scheduled as well as a meet-up time. And we will have people on-site during the entire conference to be available for any one-on-one discussions. My preconference workshop will go into the basics of how systems are set up, familiarizing terminology, where possible issues can arise and why. I also have a security session and a session on how to prepare for an upgrade and Unicode (UC) conversion as part of the path toward SAP HANA. The content is very beneficial as is the opportunity to meet and ask questions. I hope this helps you.
Comment From Carla: During monthly Microsoft patches, has anyone used scripts to stop and start the SAP system, or should this be done manually on productive systems?
Christian Baessler: Hello, Carla. You could use scripts for automating Microsoft patches and the recommended stopping and starting of the SAP system during this time.
But honestly, I don’t like that at all in an SAP environment, in particular not on a productive system. Things tend to go wrong occasionally or change during these patches, and therefore, this step is usually not fully automated.
If the question is just on scripting, a stop process of the SAP system before you actually kick off (manually) the Microsoft patches is possible. In a Unix world the start-stop process is scripted, and it can be easily done via a small bat script on Windows as well.
Comment From Josue: How can I find a solution for short dumps TSV_TNEW_PAGE_ALLOC_FAILED? I am using standard transaction code KEU5 and the latest Support Package Stack.
Deb Donohoe: Hi, Josue. Generally, this error indicates that there is too much data being selected. I would start by going back to the users and asking them how they are running it. Are they specifying the fiscal period and year or are these parameters wide open?
Comment From rudi vanstraelen: Hi, it’s the first time I have joined such a session. In case of a performance issue where should we start and eliminate causes step by step? Which level should be first? What are useful transaction codes? Thank you.
Christian Baessler: Rudi, I just answered a question from Srini around performance. In your particular case — in your first question you mentioned SAP BW being slower after the upgrade — it might apply as well. With regard to the questions you posted here, is the overall performance of the system slow? Is reporting slower than before the upgrade? Are the process chains slower than before the upgrade?
SAP BW is slightly different from a performance aspect, in particular from the expectations the user has for the system. In an SAP ECC system, the average response time is often critical (a couple of 100 milliseconds) as the users have a lot of interaction with the SAP system; however, in an SAP BW system, it is often the runtime of background jobs (job chains) or reports.
Comment From Qui Developers: We would like more recent data in the development instance. What is the best practice for achieving this goal?
Deb Donohoe: Hi, Qui. You have a couple of options. In the past, it was simply to do a client copy from production since no one wanted to ever refresh development. But a client copy may impact production performance. More often now we see companies doing a refresh (database copy) from production as long as certain steps are in place and certain criteria. So it will depend on resources available and limitations. For example, is it acceptable to have an SAP DEV instance that is as large as your PRD? Is there infrastructure available to support that.
Comment From John: We are running SAP on an iSeries using zebra printers to print barcode labels. At night, we have connection problems where it takes up to five minutes for a batch of labels to start printing. We have changed the number of spool processes to be the same as daytime settings, but we still have times where it seems that the SAP system and printers go to sleep. How can we find out what is causing this issue?
Christian Baessler: John, iSeries is obviously its own little world. However, have you narrowed down where the delays happen?
Is the spool showing up in SP01 within a normal time? How long does it take to transfer the spool request to the OS (SP01)?
The next step is to go to the spool on your print server. Are the zebras maintained on your iSeries or on a different server (Windows or Unix)? Check there how long it takes until the spool is transferred to the printer.
That should narrow down in a first step where to investigate further.
iSeries in that aspect is not different from Windows or Unix. However, the tools are different (compared with Windows or Unix) in case you use the iSeries spool.
Comment From Josue: Do you recommend Spectre and Meltdown patches? Have you seen performance issues in SAP environments?
Deb Donohoe: Hi, Josue. I am currently working with a customer on that, but it is too premature for me to have any information on performance at this time. I expect to have more information available by the time of the conference.
Comment From Josue: What about specifying fiscal period and year?
Deb Donohoe: You could check database statistics and then try to replicate in QA (is it recently refreshed?) what else is scheduled during this window that could impact retrieving the data?
Comment From saikrishna: Hi, how does Basis administration differ in SAP HANA systems compared with the legacy systems based on SAP NetWeaver?
Christian Baessler: Saikrishna, I assume you mean that SAP Business Suite is running on SAP HANA instead of on another database?
From an SAP perspective (within SAP) not much will change.
The big difference is obviously the administration around and in the database and the client installed on the SAP Primary Application Server (PAS) and other servers to connect to SAP HANA.
You need to become familiar with the concept, the tools, and the terms around SAP HANA. SAP HANA’s technical makeup and architecture still resemble a relational database, so SAP HANA is similar to your understanding of any other database.
The admin tools are actually quite nice compared with SAP’s other database (Adaptive Server Enterprise [ASE]).
For the Windows admins it is a change, as SAP HANA is running on Linux only. For many admins that is the biggest change.
Generally, I find that when you come from Oracle, the move to SAP HANA is relatively easy as you are used to commands and architectural details due to the lack of a useful graphical admin tool. SAP HANA is, in my opinion, much better, and documentation is also pretty good.
When you come from ASE, it only can get better.
When you come from Microsoft SQL Server, that might be the biggest change. It’s not as nice as the Microsoft SQL Server admin tools. But the transition is manageable (via Linux).
Comment From Eric: These days, most SAP systems are ABAP based. I’m curious about what type of Java stack administration skills you think are important to understand? Any particularly challenging areas you have come across?
Deb Donohoe: Hi, Eric. The most important aspect of the Java stack is the memory consumption and management. Java is particularly bad at cleaning up after itself, especially on Windows servers. Being able to navigate the log files and understand what those entries mean is important for troubleshooting.
Comment From Faizal: What tools can I use to pinpoint performance measurements and identify issues from the application, database, and hardware layers?
Christian Baessler: Faizal, there are many tools in the market. Some are more focused on hardware and OS performance measurement with a little insight to the SAP system; others are stronger and focus on SAP system-specific key performance indicators (KPIs).
The tool coming with your SAP license is Technical Monitoring running on SAP Solution Manager. Several users in the environment we are working with use Technical Monitoring successfully.
The performance of Technical Monitoring in SAP Solution Manager 7.01 was not as useful as it is with Solution Manager 7.1, and it became decent with SAP Solution Manager 7.2.
With Focused Insights for SAP Solution Manager (formerly Operations Control Center [OCC]) you can enable a good-looking tool for the hallway screen to see if your SAP instances are healthy (additional licensing is necessary).
Comment From: Can you provide tips on the best way to manage users and secure your system? What types of daily, monthly, and quarterly monitoring are needed to support business needs? After I execute transaction code ST02, what should I look for in performance?
Deb Donohoe: Hi. Quick checks are to see if the HitRatio percent for the buffers is in the 90s. The higher and closer to 100 percent the HitRatio is, the better. Also look at the swaps column. If there are swaps, it means that less is better; none is best.
Comment From Eric: What would you say are key things for a Basis person to understand about ABAP development to be effective?
Christian Baessler: Eric, several questions asked today are around performance. I truly think that a fundamental ABAP knowledge is needed to understand about 50 percent of the performance bottlenecks I encounter. Many of these costly bottlenecks are the result of poor programming.
So I think ABAP knowledge for a Basis admin is very helpful for performance troubleshooting. That includes obviously techniques on efficient performant programming.
Comment From Sonya: What are some of the best techniques (for non-Basis professionals) to diagnose system issues? For example, one or more users’ reports slow system response? How do you validate this? How can you measure system performance or tell that a slowdown has happened through monitoring or researching after the event?
Christian Baessler: Sonya, a few questions were around performance monitoring troubleshooting.
This is a field that needs a holistic understanding of an SAP system or landscape. It’s usually one of the more difficult tasks when performance is lacking to narrow down the root cause.
I’m sorry to say that there is not an easy checklist with possible root causes and the solution.
In another answer I briefly explained the steps to check entry points, such as SM50, ST06, CPU, and RAM, to determine if a particular type of program or transaction is slow while others are not, and so on.
Comment From Josue: Do you recommend completing a UC conversion and an SAP Enhancement Package 7 (EHP7) upgrade at the same time as an SAP HANA database migration? Or should these be done in separate projects?
Deb Donohoe: Hi, Josue. UC conversion is a prerequisite, so you can do that ahead of time. You can do the upgrade and migration at the same time. However, if your database is very large, and your downtime window is shorter, you may need to separate them.
Bridget Kotelly: Hi, everyone. That wraps up our time for today’s live Q&A. Thanks to everyone who participated for your great questions.
To learn more on this topic, and many other SAP admin topics as well, join us at Basis & SAP Administration 2018 this February 26–March 2, 2018, in Las Vegas. To find out more and to register, click here.
Deb and Christian, thanks again for joining us today for a great chat.