8/14/2019 Miscellaneous Administration Topics
Chapter 8: Miscellaneous Administration
Presented by Scott Whigham

What We're Going to Cover
- Chapter Introduction
- Moving and Copying Databases
- Dealing with Orphaned Users
- CLR and .NET Assemblies
- Resource Governor
- Policy-Based Management
- PowerShell
- FILESTREAM
- Snapshots

Chapter Introduction
- Chapter 8 covers several unrelated topics
  - All essential to being a DBA
  - None large enough to warrant a full chapter

Moving and Copying Databases
- There are several techniques for moving and copying databases:
  - BACKUP and RESTORE
  - DETACH and ATTACH
  - SQL Server Integration Services
  - Copy Database Wizard
- Depending on which technique you use, you can copy and move:
  - On the same server
  - Onto multiple servers
  - Multiple databases at the same time
- In the next few videos, we'll see examples of how to move and copy databases using the following techniques:
  - BACKUP and RESTORE
  - DETACH and ATTACH
  - SQL Server Integration Services
  - Copy Database Wizard

Orphaned Users
- Way back in Chapter 5 (security) we talked about how user accounts are related to logins via the security identifier (SID)
  - Not by name
- User accounts that previously had a login but now have no associated login are called orphaned users
- Orphans can be created:
  - By deleting logins
  - By copying/moving a database to a new instance
- 1. When you delete a login, the associated users are not deleted
- 2. When you copy/move a database to a different instance, the user accounts may be orphaned
  - If the destination instance does not have logins for the user account SIDs, the user accounts will be orphaned
  - If the destination has logins with the expected SIDs, the user accounts will be mapped
- Windows authentication logins:
  - If your user accounts are built on Windows user/group authentication logins, just create the Windows authentication login in the SQL Server
  - Remember from Chapter 5 that the SID is the actual Windows SID, therefore the login/user will be mapped automatically
- SQL Server authentication logins:
  - For SQL Server authentication login-based user accounts, simply creating the login with the expected name won't work
  - CREATE LOGIN generates a random SID
  - Later on, we'll cover how to fix!
- You will encounter this problem often
  - The user accounts are stored in the database but logins are not
  - Any time you copy/move a database, you have to deal with this issue

In the next video
- We'll talk about how to identify orphaned users and strategies for resolving

How to Identify Orphaned Users
- There are several ways to identify orphaned users:
  1. sp_change_users_login stored proc
  2. Query the sys.database_principals view to locate users with no matching sid in sys.server_principals
  3. Use SSMS's graphical tools

Orphaned Users
- There are two solutions to this problem:
  1. Use the sp_change_users_login stored procedure
  2. Script out the login complete with SID from the source server and run the script on the destination server

Let's demo!
- Let's take a look at using sp_change_users_login and scripting techniques!
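
The identification and repair options listed above, written out as T-SQL. This is an added example, not code from the original slides; the user/login name AppUser, the password and the SID literal are constructed placeholders, and the identify, remap and recreate parts are meant to be run separately.

```sql
-- Added example, not from the original slides.
-- Run in the copied/restored database on the destination instance.

-- Identify, way 1: the stored procedure named on the slide.
EXEC sp_change_users_login @Action = 'Report';

-- Identify, way 2: database users whose SID has no login on this instance.
SELECT dp.name      AS orphaned_user,
       dp.type_desc AS user_type,
       dp.sid       AS user_sid
FROM   sys.database_principals AS dp
LEFT   JOIN sys.server_principals AS sp
       ON sp.sid = dp.sid
WHERE  sp.sid IS NULL
  AND  dp.type = 'S'             -- SQL Server authentication users
  AND  dp.principal_id > 4;      -- skip dbo, guest, INFORMATION_SCHEMA, sys
-- Users created WITHOUT LOGIN also show up in this query; those are
-- intentional and should not be remapped.

-- Fix, solution 1: remap the orphaned user to a login that already exists.
-- The login inherits every permission the database user holds, so confirm
-- that the login really belongs to the same application or person first.
EXEC sp_change_users_login
     @Action          = 'Update_One',
     @UserNamePattern = 'AppUser',   -- constructed name
     @LoginName       = 'AppUser';   -- constructed name
-- Equivalent statement: ALTER USER [AppUser] WITH LOGIN = [AppUser];

-- Fix, solution 2: recreate the login with the SID it had on the source.
-- Step A, on the SOURCE instance: read the SID.
SELECT name, sid
FROM   sys.sql_logins
WHERE  name = 'AppUser';

-- Step B, on the DESTINATION instance: create the login with that SID.
-- Because the SIDs now match, the user is mapped without further work.
CREATE LOGIN [AppUser]
WITH PASSWORD = N'CHANGE_ME_strong_password',          -- placeholder
     SID      = 0x0123456789ABCDEF0123456789ABCDEF;    -- constructed; use the value from step A
```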

CLR Assemblies
- SQL Server 2008 allows you to load .NET DLLs (called assemblies) into your databases
  - Assemblies can be written in any language that implements the .NET Common Language Runtime (CLR)
    - C#, Visual Basic, etc.
  - Often called managed code or managed assemblies
- An assembly loaded into SQL Server can contain one or more:
  - Stored procedures
  - User-defined functions
  - Triggers
  - and more
- Why would we need to use CLR assemblies?
  - Mostly because certain operations are more efficient in .NET than Transact-SQL
    - Examples: string manipulation, regular expressions
  - Secondly because .NET can do things Transact-SQL cannot do
    - Example: create table results containing file and folder info
- What does this have to do with the DBA?
  - As the gatekeeper, you must decide whether to allow and, if you do allow, to what extent you allow CLR integration
  - Remember the Principle of Least Privilege! http://learnitfirst.com/go.aspx?id=LPSX
- CLR integration is disabled by default
  - Enabled using the sp_configure stored proc

    -- To view setting:
    EXEC sp_configure 'clr enabled'
    -- run_value = 1: enabled

    -- To enable:
    EXEC sp_configure 'clr enabled', 1
    GO
    RECONFIGURE WITH OVERRIDE

In the next video
- We'll talk about permission sets and how to configure security for CLR objects

CLR Assemblies
- Once you enable SQL CLR, you must decide which permissions to allow
- When you install an assembly, you must determine its Host Policy Level:
  - SAFE
  - EXTERNAL_ACCESS
  - UNSAFE

SAFE
- SAFE is the default and most secure
  - Cannot go outside the SQL Server process
  - Can connect to SQL Server in-process

EXTERNAL_ACCESS
- EXTERNAL_ACCESS is SAFE plus go out of process
  - Can do all that SAFE can do
  - Can also go outside the SQL Server process to access external resources
    - Read files and folders
    - Read environmental variables
    - Read registry
    - more

How do I know which to use?
- As a DBA, you cannot know every nuance of every language that can write managed code assemblies
- Must coordinate with developer to understand security needs
- Each permission set has different requirements for creation:
  - SAFE: requires CREATE ASSEMBLY permission in the database
  - EXTERNAL_ACCESS: SAFE plus EXTERNAL ACCESS ASSEMBLY server permission
  - UNSAFE: sysadmins only!
- Create assembly in the [LearnItFirst.com] database

    USE [LearnItFirst.com]
    GO
    CREATE ASSEMBLY LIFRegEx
    FROM 'C:\MyAssembly.DLL'
    WITH PERMISSION_SET = SAFE

- Can change permission set with ALTER ASSEMBLY

    ALTER ASSEMBLY LIFRegEx
    WITH PERMISSION_SET = EXTERNAL_ACCESS
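
A gatekeeper's review of what the settings above have actually allowed on an instance. This is an added example, not code from the original slides; it uses only system catalog views and assumes it is run in the database being reviewed.

```sql
-- Added example, not from the original slides.

-- 1. Is CLR integration enabled on this instance?
SELECT name, value_in_use
FROM   sys.configurations
WHERE  name = 'clr enabled';

-- 2. User assemblies in the current database, least restrictive first.
SELECT a.name                    AS assembly_name,
       a.permission_set_desc,    -- SAFE_ACCESS, EXTERNAL_ACCESS or UNSAFE_ACCESS
       USER_NAME(a.principal_id) AS owner_name,
       a.create_date,
       a.modify_date
FROM   sys.assemblies AS a
WHERE  a.is_user_defined = 1
ORDER  BY CASE a.permission_set_desc
               WHEN 'UNSAFE_ACCESS'   THEN 0
               WHEN 'EXTERNAL_ACCESS' THEN 1
               ELSE 2
          END,
          a.name;

-- 3. What each assembly exposes (procedures, functions, triggers).
SELECT a.name AS assembly_name,
       o.name AS object_name,
       o.type_desc
FROM   sys.assembly_modules AS am
JOIN   sys.assemblies       AS a ON a.assembly_id = am.assembly_id
JOIN   sys.objects          AS o ON o.object_id   = am.object_id
ORDER  BY a.name, o.name;

-- 4. Who may create assemblies above SAFE (server-level permissions).
--    Members of sysadmin are not listed here; review that role separately.
SELECT pr.name AS grantee,
       pe.permission_name,
       pe.state_desc
FROM   sys.server_permissions AS pe
JOIN   sys.server_principals  AS pr
       ON pr.principal_id = pe.grantee_principal_id
WHERE  pe.permission_name IN ('EXTERNAL ACCESS ASSEMBLY', 'UNSAFE ASSEMBLY');

-- 5. Who may create SAFE assemblies in this database.
SELECT pr.name AS grantee,
       pe.permission_name,
       pe.state_desc
FROM   sys.database_permissions AS pe
JOIN   sys.database_principals  AS pr
       ON pr.principal_id = pe.grantee_principal_id
WHERE  pe.permission_name = 'CREATE ASSEMBLY';
```

An assembly that shows EXTERNAL_ACCESS or UNSAFE_ACCESS in query 2 is the one to take back to its developer and ask which outside resource it needs.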

The DBA's Role
- With respect to the CLR, the DBA is expected, at a minimum:
  - To be able to explain what the CLR is
  - To be able to make suggestions related to when to use the CLR for certain operations
  - To be able to stop developers from using CLR unnecessarily
  - To understand the various permission sets
- To reiterate: you are not expected to know every single language
  - Don't be intimidated by the CLR
  - If a manager tells you, "You have to know C# to be a good DBA" during a job interview, you do not want to work for that person!
  - ... "Well, how much does it pay again?"

The Resource Governor
- The Resource Governor:
  - New in SQL 2008
  - Allows you to limit resources based on certain criteria
    - CPU, memory, number of requests, more
  - Only available in Enterprise and Developer editions
- (img by eliburd @ flickr.com)

Example Usage
- Example uses of the Resource Governor:
  - Can prevent expensive queries from consuming more than an allowed amount of memory or CPU
  - Limit the amount of CPU that backup compression can consume
  - Ensure that specific applications cannot issue queries or workloads that are unhealthy to the rest of the server
  - Web host wants to provide guaranteed levels of service to multiple clients
- The basics of how it works:
  1. DBA creates a resource pool
  2. DBA assigns the resource pool one or more workload groups
  3. DBA writes a classifier function that binds incoming sessions to the appropriate workload group

The Resource Governor
- Source: Using the Resource Governor, white paper, Microsoft 2009

Workload Groups
- Workload groups allow more granular settings
- Settings available for workload groups (0 means unlimited for all):
  - Maximum Requests: max number of simultaneous requests
  - CPU Time (sec): max amount of CPU time that a request can use
  - Memory Grant %: max amount of memory a single request can take from the pool
  - Grant Time-out (sec): max time that a query can wait for a resource before the query fails
  - Degree of Parallelism: max degree of parallelism for parallel requests. Range is 0 to 64

The Classifier Function
- The classifier function:
  - There can be only one
  - If it returns NULL or a non-existent group, the session is bound to the default workload group
  - Sessions are bound to the workload group for life

Putting It All Together
- After enabling the Resource Governor and putting a classification function in place:
  1. User logs in
  2. The login authentication is verified
  3. Upon successful authentication, any LOGON triggers are executed
  4. Finally, classification occurs

Words of Wisdom
- A final word of caution
  - Be ready
  - If you mess up your classifier function, you've messed up the entire server
  - Only Dedicated Administrator Connection (DAC) sessions can bypass classification
  - If a problem arises, log in as DAC and remove classifier
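
The three setup steps and the DAC recovery path described above, as one T-SQL script. This is an added example, not code from the original slides; ReportingPool, ReportingGroup, dbo.fn_rg_classifier, the login report_svc and all limit values are hypothetical.

```sql
-- Added example, not from the original slides. All names and limits are hypothetical.
USE master;
GO

-- Step 1: resource pool (caps shared by everything bound to it).
CREATE RESOURCE POOL ReportingPool
WITH (MAX_CPU_PERCENT = 30, MAX_MEMORY_PERCENT = 25);
GO

-- Step 2: workload group in that pool, using the per-group settings
-- listed on the Workload Groups slide.
CREATE WORKLOAD GROUP ReportingGroup
WITH (GROUP_MAX_REQUESTS               = 10,   -- Maximum Requests
      REQUEST_MAX_CPU_TIME_SEC         = 60,   -- CPU Time (sec)
      REQUEST_MAX_MEMORY_GRANT_PERCENT = 20,   -- Memory Grant %
      REQUEST_MEMORY_GRANT_TIMEOUT_SEC = 30,   -- Grant Time-out (sec)
      MAX_DOP                          = 2)    -- Degree of Parallelism
USING ReportingPool;
GO

-- Step 3: classifier function. It runs for every new session after
-- authentication and LOGON triggers, so keep it short and side-effect free.
-- Classify on the login name: APP_NAME() and HOST_NAME() are supplied by
-- the client and can be set to anything.
CREATE FUNCTION dbo.fn_rg_classifier()
RETURNS sysname
WITH SCHEMABINDING
AS
BEGIN
    DECLARE @grp sysname;
    SET @grp = N'default';                 -- fall back to the default group
    IF SUSER_SNAME() = N'report_svc'       -- hypothetical login
        SET @grp = N'ReportingGroup';
    RETURN @grp;
END;
GO

-- Register the function and apply the configuration.
ALTER RESOURCE GOVERNOR WITH (CLASSIFIER_FUNCTION = dbo.fn_rg_classifier);
ALTER RESOURCE GOVERNOR RECONFIGURE;
GO

-- Verify: which group did each current user session land in?
SELECT s.session_id, s.login_name, s.program_name, g.name AS workload_group
FROM   sys.dm_exec_sessions AS s
JOIN   sys.dm_resource_governor_workload_groups AS g
       ON g.group_id = s.group_id
WHERE  s.is_user_process = 1;
GO

-- Recovery if the classifier misbehaves: connect over the DAC
-- (for example: sqlcmd -A -S <server>) and run the two statements below.
-- ALTER RESOURCE GOVERNOR WITH (CLASSIFIER_FUNCTION = NULL);
-- ALTER RESOURCE GOVERNOR RECONFIGURE;
```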

Let's play!
- In the next video, let's play with the Resource Governor!

Policy-Based Management
- Windows administrators have long been familiar with policy-based management
  - "All user accounts must change their password every 42 days and it must contain letters, numbers, and special characters"
- DBAs have always had standards and business rules
  - "All stored procedures must begin with usp_"
  - "No database may have AutoShrink turned on"
- However, what we haven't had is a way to enforce them automatically
- SQL Server 2008 introduces Policy-Based Management (PBM)
  - Allows DBA to define business rules (i.e. policies) that can either be:
    - Automatically enforced by SQL Server (i.e. prevent non-compliant modifications)
    - Reported to the DBA as non-compliant
- Nearly all DBAs have a daily task list:
  - Verify backups
  - Look for anomalies (low disk space, unrecognized files or folders, etc.)
  - Check the error logs
  - Check the job logs
  - and many more tasks
- One such task is to verify that new servers are compliant
  - Example: Have any new servers been installed?
  - If Yes, are they up to our standards?
    - Evaluation or Developer Edition only unless installed by DBAs (to ensure licensing compliance)
    - Minimum build number
    - MYDOMAIN\SQLDBAs Windows group is sysadmin
    - Authentication mode is Windows-only (a.k.a. Integrated)
- Another task is ensuring no changes have occurred that result in databases/objects being non-compliant
  - Are all production databases
    - Online
    - Using correct recovery model
  - Are there any new [tables/views/functions/procs]?
    - Do they meet naming conventions?
- Manual enforcement of these types of policies is error prone and a time sink
  - Spending just 10 minutes a day on manually enforcing policies adds up to more than 40 hours at the end of a year
    - An entire work week!
  - How much time did you have to spend during the year fixing a problem that occurred because of non-compliance?

In the next video
- We'll take a look at the terms and concepts behind SQL Server 2008's PBM

Policy-Based Management
- Understanding SQL Server's policy-based administration is
  - Easy because we are all familiar with the basic ideas behind policy-based management
  - Difficult due to having to learn new abstraction-layer-type terms
- First, let's talk about what you can police:
  - Nearly anything that has properties
- Okay, so what items in SQL Server have properties?
  - Everything
- Are you saying that I can create a policy on anything I want?
  - Pretty much!
- What can't I police?
  - Anything you would normally do in a constraint or trigger
  - Anything you would normally do with Resource Governor
- It only takes two steps to define your policies:
  - Step 1: Create a condition
  - Step 2: Create the policy built on the condition
- Conditions define what you want to police
  - "I want to ensure that all stored procedures in our WebMarketing database start with usp_"
  - "No database may have AutoShrink turned on"
  - This may seem like the policy but...
- Policies define the action you want to occur when a set of conditions is met
  - "A developer should receive an error if they try to create a stored procedure in our WebMarketing database that does not start with usp_"
- A (weak?) analogy:
  - Conditions are like SELECT statements
  - Rows that are returned from running the query are compliant

    SELECT * FROM sys.procedures
    WHERE name LIKE 'usp[_]%'  -- [_] matches a literal underscore; a bare _ is a one-character wildcard in LIKE

- So far, so good, right?
  - Nothing too difficult yet
  - Let's make things a bit more complicated in the next video!

Policy-Based Management
- In truth, PBM is quite easy
- The tricky parts are:
  - Understanding terms like facet, property, and target
  - Understanding which facets allow which evaluation modes
  - Writing conditions and always being positive
- Each facet contains at least one property
  - Properties have values
- To retrieve or query a property's value, you write an expression
- Example facet: The Stored Procedure facet has several properties:
  - Name
  - CreateDate
  - Schema
- To continue our previous analogy in which a condition was similar to a SELECT statement
  - Think of the facet as what occurs after the FROM
  - Think of the property as the column
- Consider this query:

    SELECT * FROM sys.procedures
    WHERE name LIKE 'usp[_]%'  -- [_] matches a literal underscore; a bare _ is a one-character wildcard in LIKE

  - In this example, sys.procedures would represent the Stored Procedure facet and name would represent the facet's Name property
- We write our conditions against facets
  - Our desired condition: All stored procedures in the WebMarketing database must begin with usp_
  - Which two facets will we use?
    1. _________________________
    2. _________________________
- We write our conditions against facets
  - Our desired policy: All stored procedures in the WebMarketing database must begin with usp_
  - Which two facets will we use?
    1. Stored Procedure
    2. Database
- Explanation:
  - Stored procedure is the facet and we must find all stored procedures whose Name property starts with usp_
  - Database is the facet and we must find only that database whose name is WebMarketing

In the next video
- We'll learn more about expressions and the mindset of writing conditions and policies

Policy-Based Management
- Expression syntax is not difficult
  - Operators are same as C#: ==, !=, etc.
  - Functions are similar to C# and T-SQL:
    - GETDATE() returns current system date/time
    - ISNULL() returns true/false to indicate if an expression is null
  - Conditions are similar to Transact-SQL
    - LIKE and NOT LIKE, IN and NOT IN
    - Double-quotes around strings
- Expression syntax is used in the graphical tools only
  - If you want to script out your conditions, you must write XML!
- Policies also have Categories (a.k.a. Policy Groups)
  - Can run the entire category against a database/server instead of one-policy-at-a-time
  - Can mandate that new databases participate
102/196
p. 102
Chapter 8: Miscellaneous
Administration
102
Presented by Scott Whigham
What Were Going to Cover
8/14/2019 Miscellaneous Administration Topics
103/196
p. 103
Overview Chapter
Introduction
Moving andCopying Databases
Dealing withOrphaned Users
CLR and .NETAssemblies M
anageme
nt Resource
Governor Policy-Based
Management
Powershell
FILESTREAM Snapshots

Evaluations
- Anytime a policy is evaluated and finds non-compliance, it logs the offender
  - In the SQL Server error log
  - In the Windows Application log
  - In the msdb database
    - Be prepared for msdb growth!

Execution Modes
- Policies also have Execution Modes which determine
  - When the policy will be evaluated
  - The response to non-compliance
- There are four execution modes:
  - On demand
  - On schedule
  - On change: prevent
  - On change: log only
- Not all facets support all execution modes
- On demand: policies are not evaluated unless manually done so by admin
  - Useful for audits and non-critical policies
  - Supported by all facets
  - Actions taken:
    - Raises error #34052
    - Logs infraction
- On schedule: a SQL Server job is created that periodically evaluates the policy
  - Useful when evaluation performance impacts system
  - Supported by all database-engine facets
  - Job does not error out if policy violations found
    - Writes errors to the logs and evaluation history
  - Actions taken:
    - Raises error #34052
    - Logs infraction
- On change: log: logs non-compliance only
  - Useful when you want a history of policy
  - Supported by few facets
  - Actions taken:
    - Logs infraction
- On change: prevent: non-compliance is not allowed
  - Useful to prevent critical changes
  - Expensive
  - Supported by fewest facets
  - Actions taken:
    - Rolls back user transaction
    - Raises error #34050 or #34051
    - Logs infraction

Summary
    Facet                                 On change: log   On change: prevent
    Application Role                      Yes              Yes
    Asymmetric Key                        Yes              Yes
    Database Option                       Yes
    Database Role                         Yes              Yes
    Login Options                         Yes              Yes
    Resource Pool                         Yes              Yes
    Schema                                Yes              Yes
    Server Configuration                  Yes
    Stored Procedure, Functions, Views    Yes              Yes
    Table Options                         Yes              Yes
    Workload Group                        Yes              Yes

Writing Policies and Conditions
- If you want to prevent someone who is not a sysadmin from adding a database, then this is a permission
- If you want to report on the databases that are currently not owned by sysadmins, then you want a policy
- Do policies take the place of permissions in SQL Server 2008?
  - No!
  - Policies and permissions actually have nothing to do with one another
- Generally speaking, actions that can be prevented by permission are not preventable using On change: prevent
  - Example: preventing someone from creating databases, tables, procs, etc.
- Prevention policies are things you have permission to do but, for some reason, management doesn't want you doing them
  - Such as creating stored procs in the WebMarketing database that do not start with usp_
- Remember our policy: We want all stored procedures in WebMarketing to start with usp_
  - Is this a permission or a policy?
    - A policy; however, the user still needs the CREATE PROC permission in the database!

In the next video
- We'll discuss how to write effective conditions and policies

Writing Policies and Conditions
- Example policy requirement: All databases must be owned by the sa
  - This requires one condition since there is only one facet (Database facet)
- How would you write the condition?
  1. To return databases owned by the sa
  2. To return databases not owned by the sa
- Your conditions define the ideal, not the exception
  - Since we want only sa-owned databases, our condition is where @Name="sa"
- We have the choice of writing our Stored Procedure condition so that it returns:
  - Stored procs that start with usp_
  - Stored procs that do not start with usp_
- Which do we choose?
  - Remember we want our conditions to define what we do want, not what we don't want
- To understand why it is this way, consider our options for the second facet (Database facet):
  - Database named WebMarketing
  - Databases not named WebMarketing
  - Clearly we choose the first option
- The final step is to create a policy on these two conditions
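
The conditions in this chapter define the ideal; the queries below list the exceptions a DBA would otherwise hunt for by hand, and then read back what PBM itself logged to msdb (the Evaluations slide). This is an added example, not code from the original slides; it assumes the WebMarketing database from the slides exists and that the sa login still has its built-in SID.

```sql
-- Added example, not from the original slides.

-- Exceptions to "all stored procedures in WebMarketing start with usp_".
-- [_] matches a literal underscore; a bare _ in LIKE matches any one character,
-- so 'usp_%' would also accept a name such as uspXReport.
USE WebMarketing;
GO
SELECT SCHEMA_NAME(p.schema_id) AS schema_name,
       p.name                   AS procedure_name,
       p.create_date
FROM   sys.procedures AS p
WHERE  p.is_ms_shipped = 0
  AND  p.name NOT LIKE 'usp[_]%';
GO

-- Exceptions to "all databases are owned by sa" and
-- "no database may have AutoShrink turned on".
-- The owner is compared by SID (sa is always 0x01), so the check still
-- works when the sa login has been renamed.
SELECT d.name                  AS database_name,
       SUSER_SNAME(d.owner_sid) AS owner_name,
       d.is_auto_shrink_on
FROM   sys.databases AS d
WHERE  d.owner_sid <> 0x01
   OR  d.is_auto_shrink_on = 1;
GO

-- What PBM recorded: failed evaluations kept in msdb, newest first.
-- This history is the source of the msdb growth the slides warn about.
SELECT p.name AS policy_name,
       h.start_date,
       d.target_query_expression,
       d.result_detail
FROM   msdb.dbo.syspolicy_policy_execution_history_details AS d
JOIN   msdb.dbo.syspolicy_policy_execution_history         AS h
       ON h.history_id = d.history_id
JOIN   msdb.dbo.syspolicy_policies                         AS p
       ON p.policy_id = h.policy_id
WHERE  d.result = 0            -- 0 = target failed the policy
ORDER  BY h.start_date DESC;
```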
PowerShell!
8/14/2019 Miscellaneous Administration Topics
136/196
p. 136
PowerShell support for SQL Server 2008 is
included in SSMS
PowerShell is a very extensible and
powerful scripting shell that allowsadmins to script (automate)
administration functions
PowerShell!
8/14/2019 Miscellaneous Administration Topics
137/196
p. 137
If you know DOS, you can easily get
started with PowerShell (PS)
Commands like dir, del, cd perform the same
function in PS
PowerShell can do everything you can do
at the command line and more
PowerShell!
8/14/2019 Miscellaneous Administration Topics
138/196
p. 138
So why talk about PowerShell in a SQL
admin course?
SQL DBAs can automate SQL Server via PowerShell
scripts!
This allows for uniformity across the enterprise
Anyone who knows PowerShell can write scripts
Allows integration between systems - can load Windows
Event Logs into SQL Server tables for analysis via PS
PowerShell!
8/14/2019 Miscellaneous Administration Topics
139/196
p. 139
You can manage your SQL Server by
Issuing PS commands directly into the PS shell
(powershell.exe)
Executing PS files that contain PS scripts
C:\Scripts\DeployNewServer.ps1
Creating SQL Server jobs that execute PowerShell
steps
PowerShell!
8/14/2019 Miscellaneous Administration Topics
140/196
p. 140
Full coverage of PS is beyond the scope of
this course however there are several
concepts you will need to know
Lets start with the basics
PowerShell!
8/14/2019 Miscellaneous Administration Topics
141/196
p. 141
PowerShell and the OS:
Included in Windows 2008 and Windows 7
Download for Windows 2003, Vista, XP, etc
Versions of PowerShell
2.0 - Windows 2008 R2 and Windows 7
1.0 - Windows 2008, Windows 2003, Vista, XP
http://www.microsoft/powershell
PowerShell!
SQL Server 2008 ships with sqlps.exe, a minishell
Can drop to command line
and just run sqlps to
manage servers
Integrated into SSMS
PowerShell!
The sqlps minishell incorporates several
cmdlets for managing SQL Server
Pronounced "commandlets"
cmdlets are .NET classes invoked by
PowerShell at runtime
Common cmdlets included in sqlps:
Invoke-Sqlcmd
Invoke-PolicyEvaluation
In the next video
PowerShell is easier to demo than talk
about!
Unstructured Data
Let's compare data storage/access of 1990 to 2010 for a health insurance company
1990:
Storage: DB2
Tables to store an insured family: 25
Type of data stored: row data only
Export formats: CSV, text
Unstructured Data
2010:
Storage: SQL Server 2008
Tables to store an insured family: 50
Type of data stored: row data, xml, images, audio
Export formats: CSV, text, xml, images, audio
Unstructured Data
Today's companies have to deal not just with row data but with unstructured data as well
Legal firms need transactional support for MS Word, Excel documents
Health industry needs transactional support for imaging
Music industry needs transactional support for audio
Unstructured Data
Files are stored in a folder in the file
system that requires additional
permissions
Unstructured Data
Beginning in SQL Server 2005, we could store unstructured data in the form of files in a new data type, VARBINARY(MAX)
Replaced the older image data type
Pros: transactional support, simplify backup/restore, native SQL Server security, never stale, can separate storage using filegroups
Cons: speed, data must be converted in/out to binary format, limited to 2GB files, explosion of database growth, buffer pool memory used to access data
Unstructured Data
Files are stored in a VARBINARY(MAX)
column as a Binary Large Object (BLOB)
Unstructured Data
SQL Server 2008 introduces FILESTREAM access
Sort of a blend of file system pointers and VARBINARY(MAX) techniques
Data is stored in the NTFS filesystem
Improved speed, separation of storage
All data access is through SQL Server
Single point of security, full transactional support, full-text indexing, no stale links
Unstructured Data
More about FILESTREAM:
Works in all editions
Allows full ROLLBACK support
Supported on clusters and in log shipping
No limit on file size
VARBINARY(MAX) is limited to 2GB
VARBINARY(MAX) FILESTREAM has no such limit
In the next video
We'll cover more DBA-related details about FILESTREAM
FILESTREAM
To use FILESTREAM for a database, follow these five steps:
1. Enable FILESTREAM for the instance
2. Add a FILESTREAM-enabled filegroup to the database
3. Add one or more files to the new filegroup
4. Create your column and assign it the FILESTREAM attribute
5. Load your data!
FILESTREAM
FILESTREAM requires both the SQL Server DBA and the Windows admin
The SQL Server Service must be configured for FILESTREAM access first using the SQL Server Configuration Manager
FILESTREAM
Inside SQL Server, FILESTREAM is an instance-level option
Disabled by default; only sysadmins can change it
FILESTREAM
To enable FILESTREAM using Transact-SQL:
-- The level 1 below is an example value; choose from the list that follows
EXEC sp_configure 'filestream access level', 1
RECONFIGURE
-- 0: disabled (default)
-- 1: Transact-SQL access only
-- 2: Full access enabled (a.k.a.
--    T-SQL and streaming access
--    via Windows APIs)
-- NOTE: Local disks only for now
FILESTREAM
Once you enable FILESTREAM at the instance level, you must now:
1. Create a new filegroup specifically for FILESTREAM
2. Add files to the filegroup
You can do this with CREATE DATABASE or ALTER DATABASE
Enable FILESTREAM on a Database
To add FILESTREAM to an existing database:
ALTER DATABASE [LearnItFirst.com]
ADD FILEGROUP FilestreamFG
CONTAINS FILESTREAM
GO
-- FILENAME must be a quoted string; for FILESTREAM it names a folder
ALTER DATABASE [LearnItFirst.com]
ADD FILE (NAME = File1,
    FILENAME = 'F:\File1')
TO FILEGROUP FilestreamFG
FILESTREAM
You can add FILESTREAM support to new tables or existing tables
Use ALTER TABLE to add to an existing table
USE [LearnItFirst.com]
GO
CREATE TABLE dbo.ClaimImage (
    ClaimId INT NOT NULL PRIMARY KEY,
    TheImage VARBINARY(MAX) FILESTREAM NOT NULL,
    RowId UNIQUEIDENTIFIER NOT NULL
        ROWGUIDCOL UNIQUE DEFAULT NEWID()
)
-- Tables with FILESTREAM data must have a
-- non-null UNIQUEIDENTIFIER column
FILESTREAM
Writing/reading binary data is for developers
Requires accessing Win32 APIs
.NET is popular but can write Transact-SQL directly
INSERT dbo.ClaimImage (ClaimId, TheImage)
VALUES (1, 0x01)
FILESTREAM
DBAs need to know about security and backup/recovery
Security permissions are done inside SQL Server, not on the file system
The physical files/folders are secured by the SQL Server service account
Backup/restore will include all files
FILESTREAM Best Practices
Best Practices for FILESTREAM
Do not make your ROWGUIDCOL a clustered index
For best performance, FILESTREAM files should be on separate physical volumes when possible
NEWSEQUENTIALID() will perform better than NEWID() when replicating databases
Read Paul Randal's column: http://learnitfirst.com/go.aspx?id=WBLX
Have your network admins (or whoever configures the physical Windows Server 2008/2003 machine) read the top part of this article: http://msdn.microsoft.com/library/dd206979.aspx
FILESTREAM
Final thoughts
Transact-SQL's DELETE statement causes the physical file to be deleted
Physical file deletion is not performed until a CHECKPOINT operation
Do not attempt to manage files via the file system
Cannot change names, attributes or delete files
There are other options
Search for "SQL Server 2008 remote BLOB storage"
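A read-only audit a DBA can run once the five steps are done, to confirm what was enabled, where the FILESTREAM data lives, and who can reach it through SQL Server permissions. This is an added example, not part of the original slides; it assumes the [LearnItFirst.com] database from the slides and uses only standard catalog views and SERVERPROPERTY values.

```sql
-- Added example (not from the original deck): read-only FILESTREAM audit.
USE [LearnItFirst.com];   -- database name used on the slides
GO
-- 1. Instance: configured vs. effective access level, and the Windows share
--    name used for streaming access (level 2).
SELECT SERVERPROPERTY('FilestreamConfiguredLevel') AS ConfiguredLevel,
       SERVERPROPERTY('FilestreamEffectiveLevel')  AS EffectiveLevel,
       SERVERPROPERTY('FilestreamShareName')       AS ShareName;

-- 2. Database: FILESTREAM filegroups (type 'FD') and the NTFS folder behind each.
SELECT fg.name AS FilegroupName, df.name AS LogicalFileName,
       df.physical_name AS Folder
FROM sys.filegroups AS fg
JOIN sys.database_files AS df ON df.data_space_id = fg.data_space_id
WHERE fg.type = 'FD';

-- 3. Tables: each FILESTREAM column, the filegroup it is stored in, and whether
--    the ROWGUIDCOL column is part of the clustered index (the slides advise
--    against that).
SELECT SCHEMA_NAME(t.schema_id) AS SchemaName, t.name AS TableName,
       c.name AS FilestreamColumn, ds.name AS FilestreamFilegroup,
       CASE WHEN EXISTS (
              SELECT 1
              FROM sys.indexes AS i
              JOIN sys.index_columns AS ic
                ON ic.object_id = i.object_id AND ic.index_id = i.index_id
              JOIN sys.columns AS g
                ON g.object_id = ic.object_id AND g.column_id = ic.column_id
              WHERE i.object_id = t.object_id
                AND i.type = 1            -- 1 = clustered index
                AND g.is_rowguidcol = 1)
            THEN 1 ELSE 0 END AS RowGuidColInClusteredIndex
FROM sys.tables AS t
JOIN sys.columns AS c ON c.object_id = t.object_id AND c.is_filestream = 1
LEFT JOIN sys.data_spaces AS ds ON ds.data_space_id = t.filestream_data_space_id;

-- 4. Access: FILESTREAM data is protected by ordinary SQL Server permissions,
--    so list explicit grants and denies on the tables that hold it.
SELECT pr.name AS Principal, pe.state_desc AS PermissionState,
       pe.permission_name AS PermissionName,
       OBJECT_NAME(pe.major_id) AS TableName
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class = 1                        -- object- or column-level permission
  AND pe.major_id IN (SELECT object_id FROM sys.columns WHERE is_filestream = 1);
```

Query 4 shows only permissions granted directly on those tables; rights inherited from schema-level grants or role membership need a separate check.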
Database Snapshots
A database snapshot is a read-only copy of a database that stops at the point the snapshot is taken
Example: If you take a snapshot of the LearnItFirst database at 0800, the snapshot would have the entire database yet would not reflect any changes that occurred after 0800
Database Snapshots
-- At 0800, we execute:
CREATE DATABASE LIFSnapshot_0800
ON (NAME = LearnItFirst,
    FILENAME = 'D:\LIF_0800.ss')
AS SNAPSHOT OF LearnItFirst
-- Logical file name must be
-- same as source. Also note
-- that we do not define a log
Database Snapshots
Reads against the snapshot:
Will use the source database if the data requested has not changed since snapshot creation
Acquire SHARED locks at source to prevent blocking
Will return the snapshot copy if the data has changed
This provides an "at creation" level of consistency to data
Database Snapshots
Example restore:
-- Only allowed if:
-- (1) there is only one snapshot
-- (2) all source db files exist
RESTORE DATABASE LearnItFirst
FROM DATABASE_SNAPSHOT =
LIFSnapshot_0800
Database Snapshots
Database snapshots use sparse files to minimize disk space
Feature of NTFS that allows NTFS to allocate disk space on an as-needed basis
When you create a snapshot, database pages are not copied to the snapshot
As pages become dirty, the original data page is copied to database snapshot
When that happens, the sparse file's size stays the same yet the "Size on disk" increases
Database Snapshots
A 1.1GB database with a fresh snapshot
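The size versus "Size on disk" comparison for a sparse file can also be read from inside SQL Server. This added example (not from the original deck) lists every snapshot with its maximum sparse-file size and the space it currently occupies, then counts snapshots per source database, since the deck says a revert is only allowed when there is exactly one; it uses only standard catalog views and sys.dm_io_virtual_file_stats.

```sql
-- Added example (not from the original deck): snapshot inventory.
-- 1. Every snapshot data file: the maximum size the sparse file can reach
--    versus the space it occupies on disk right now.
SELECT src.name          AS SourceDatabase,
       snap.name         AS SnapshotName,
       snap.create_date  AS TakenAt,
       mf.name           AS LogicalFileName,
       CAST(mf.size AS bigint) * 8 / 1024.0 AS MaxSizeMB,   -- size is in 8 KB pages
       vfs.size_on_disk_bytes / 1048576.0   AS SizeOnDiskMB
FROM sys.databases AS snap
JOIN sys.databases AS src ON src.database_id = snap.source_database_id
JOIN sys.master_files AS mf ON mf.database_id = snap.database_id
CROSS APPLY sys.dm_io_virtual_file_stats(mf.database_id, mf.file_id) AS vfs
WHERE mf.type = 0          -- data files; a snapshot defines no log file
ORDER BY src.name, snap.create_date, mf.file_id;

-- 2. Snapshots per source database. This checks only the first revert
--    condition from the slides (a single snapshot); it does not verify
--    that all source database files exist.
SELECT src.name              AS SourceDatabase,
       COUNT(*)              AS SnapshotCount,
       MIN(snap.create_date) AS OldestSnapshot,
       CASE WHEN COUNT(*) = 1
            THEN 'one snapshot: revert can be attempted'
            ELSE 'more than one snapshot: revert is blocked'
       END                   AS RevertCheck
FROM sys.databases AS snap
JOIN sys.databases AS src ON src.database_id = snap.source_database_id
GROUP BY src.name
ORDER BY src.name;
```

sys.dm_io_virtual_file_stats requires the VIEW SERVER STATE permission.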
Database Snapshots
Final thoughts
Pros:
Great way to provide users with a point-in-time view of database
Snapshots are quick and easy to create thanks to sparse files
Cons:
No way to create using SSMS graphical tools; T-SQL only
Cannot change user permissions for snapshot vs. source
A snapshot is a read-only copy of the source