8 steps to moving database users from SQL 2005 to SQL 2008

Posted on January 24, 2012 by johnsterrett| Leave a comment
Have you ever had to complete an upgrade where you had to uninstall SQL Server 2005 and install SQL Server 2008 on the same box? If so, how do you make sure the new install had the same security objects?  For me, the answer was lets be safe instead of being sorry.  I would script out all the existing server and database security objects so they could be verified and implemented if needed.

Not only is this a good practice for migrating your servers but the following post could be useful for a security audit.   I also want to mention if you are allowed to install tools on the box you can download SQLPermissions its a free tool provided by Idera to generate a script to move security objects during a migration.
** Run scripts at your own risk. I don’t assume any responsibility for these scripts on being ran in your environment. As always, I recommend testing in development before running in production :-) **

Logins

The very first step to connecting to an instant of SQL Server is to connect or login. In order to connect you must have a login. Therefore, our first step will be to actually copy the logins. I know, you might already be wondering how do I get the passwords moved over for SQL authenticated logins? Microsoft has a KB article (918922) that walks you through this process. Make sure you checkout the remarks section before running the code on a production box.

Server Level Security

Logins are nice but actually useless unless they have access to connect. Therefore, we might want to allow these logins to connect. You might also want to make sure a subset of the accounts  have access to view the DMV’s. This and other server level permissions can be scripted out with the following code below.


SELECT	sp.state_desc,
	sp.permission_name,
	principal_name = QUOTENAME(spl.name),
spl.type_desc,
	sp.state_desc + N' ' + sp.permission_name + N' TO ' + cast(QUOTENAME(spl.name COLLATE DATABASE_DEFAULT) as nvarchar(256)) AS "T-SQL Script"
FROM sys.server_permissions sp
inner join sys.server_principals spl on (sp.grantee_principal_id = spl.principal_id)
where spl.name not like '##%' -- skip PBM accounts
and spl.name not in ('dbo', 'sa', 'public')
order by sp.permission_name, spl.name

Server Level Roles

Now that we can login we might want to take this to the next step. We may actually like to perform some actions. Well, if your instance includes third party application databases there could be a good chance that it depends on its login having sysadmin access. Yes, in case you were wondering this is poor security design but the point is your logins may depend on server level roles to have access to the database objects.  Here is a script you can use to script out server level roles.

SELECT  DISTINCT
QUOTENAME(sp.name) AS "ServerRoleName",
sp.type_desc AS "RoleDescription",
QUOTENAME(m.name) AS "PrincipalName",
m.type_desc AS "LoginDescription",
'EXEC master..sp_addsrvrolemember @loginame = N''' + m.name + ''', @rolename = N''' + sp.name + '''' AS "T-SQL Script"
FROM sys.server_role_members AS srm
inner join sys.server_principals sp on (srm.role_principal_id = sp.principal_id)
inner join sys.server_principals m on (srm.member_principal_id = m.principal_id)
where sp.is_disabled = 0
and m.is_disabled = 0
and m.name not in ('dbo', 'sa', 'public')
and m.name <> 'NT AUTHORITY\SYSTEM'

Database Level Security

Now that your logins can connect you need to make sure that they can connect to the databases you migrated over.  Remember those third party apps that skipped the process of doing a  security design?  They will use sysadmin access so database level security will be included.  Hopefully, your applications are not one of those. Just like server level security you can also have database level security. Make sure you run the script below and save your results.


SELECT  dp.state_desc,
dp.permission_name,
QUOTENAME(dpl.name)  AS 'principal_name',
 dpl.type_desc,
 dp.state_desc + N' ' + dp.permission_name + N' TO ' + cast(QUOTENAME(dpl.name COLLATE DATABASE_DEFAULT) as nvarchar(500))  AS "T-SQL Script"
FROM sys.database_permissions AS dp
INNER JOIN sys.database_principals AS dpl ON (dp.grantee_principal_id = dpl.principal_id)
WHERE dp.major_id = 0
and dpl.name not like '##%' -- excluds PBM accounts
and dpl.name not in ('dbo', 'sa', 'public')
ORDER BY dp.permission_name ASC, dp.state_desc ASC

Database Level Roles

Just like the SQL Server instance your database also has roles.  Many times I will see applications that don’t require sysadmin on the instance but do require db_owner access in the database.   This is also a bad security design practice as db_owner can do anything against that database. Hopefully, your application has object level explicit permissions as needed. Once again, I would recommend pulling this information in case its needed after your migration.


SELECT DISTINCT
QUOTENAME(drole.name) as "DatabaseRoleName",
drole.type_desc,
QUOTENAME(dp.name) as "PrincipalName",
dp.type_desc,
'EXEC sp_addrolemember @membername = N''' + dp.name COLLATE DATABASE_DEFAULT + ''', @rolename = N''' + drole.name + '''' AS "T-SQL Script"
FROM sys.database_role_members AS drm
inner join sys.database_principals drole on (drm.role_principal_id = drole.principal_id)
inner join sys.database_principals dp on (drm.member_principal_id = dp.principal_id)
where dp.name not in ('dbo', 'sa', 'public')

Database Level Explicit Permissions

Finally, we will get to the area of security where I hope to see many entries. If someone, tasked me with designing their the security model for their application I would make sure stored procedures controlled the data access and that application users could only execute the stored procedures. This way there would be very minimal risk of data loss as the users wouldn’t have direct access to the tables. They would only access data needed by the business logic provided in the database objects. You can pull this information from the code below.


SELECT dp.state_desc AS "StateDescription",
dp.permission_name AS "PermissionName",   	QUOTENAME(USER_NAME(obj.schema_id)) + '.' + QUOTENAME(obj.name) + CASE WHEN col.column_id IS NULL THEN SPACE(0) ELSE '(' + QUOTENAME(col.name COLLATE DATABASE_DEFAULT) + ')' END AS "ObjectName",
 QUOTENAME(dpl.name COLLATE database_default) AS "UserName",	dpl.type_Desc AS "UserRoleType",
obj.type_desc AS "ObjectType",
 dp.state_desc + N' ' + dp.permission_name + N' ON ' + QUOTENAME(USER_NAME(obj.schema_id)) + '.' + QUOTENAME(obj.name) + N' TO ' + QUOTENAME(dpl.name COLLATE database_default) AS "T-SQL Script"
FROM sys.database_permissions AS dp
INNER JOIN sys.objects AS obj ON (dp.major_id = obj.[object_id])
INNER JOIN sys.database_principals AS dpl ON (dp.grantee_principal_id = dpl.principal_id)
LEFT JOIN sys.columns AS col ON (col.column_id = dp.minor_id AND col.[object_id] = dp.major_id)
where obj.name not like 'dt%'
and obj.is_ms_shipped = 0
and dpl.name not in ('dbo', 'sa', 'public')
ORDER BY dp.permission_name ASC, dp.state_desc ASC

Orphaned users

If logins are not brought over correctly you may notice that they are not mapped correctly with the user account that exists in the database security (Logins section above should catch this).  The following is an explination that comes from BOL.

A database user for which the corresponding SQL Server login is undefined or is incorrectly defined on a server instance cannot log in to the instance. Such a user is said to be anorphaned user of the database on that server instance.

You can find and fix orphaned users by following the instructions provided here.

Validate User Accounts

Finally, yes when possible lets make sure the user accounts work.  I know this might be common sense but you don’t want to cut something over with out testing and verifying connectivity.

→ Leave a comment

Posted in SQL Server 2008

Tagged , , , , , ,

Speaking at the Columbus SQL Server User Group

Posted on January 11, 2012 by johnsterrett| Leave a comment

This week on Thursday, January 12th, 2011 a 6pm I will be speaking virtually at the Columbus, OH SQL Server User Group.  I will be giving an introduction to Policy Based Management.

If you are a chapter leader and would be interested in having me speak at your user group contact me.

Abstract

This talk will give you an introduction into monitoring SQL Server using Policy Based Management and Central Management System which is provided out of the box with SQL Server 2008. I will then show you how you can combine these features with the Enterprise Policy Management Framework on codeplex to provide monitoring for your whole SQL Server farm. This topic assumes you know nothing about PBM and CMS and will include lots of examples with only a few PowerPoint slides.

→ Leave a comment

Posted in Events, SQLServerPedia Syndication

Tagged , , , , ,

Top 4 ways I will contribute to the SQL Community in 2012

Posted on January 10, 2012 by johnsterrett| 2 Comments

One of my friends, Tom LaRock asked, “What do you want to do for your #sqlfamily in 2012?” Below is how I plan contribute to the SQL Community, and my #sqlfamily in 2012.

  • Bring  SQL Saturday to a new city
    Anyone who knows me in the community knows I am a huge fan sucker for a SQL Saturday. I have had the pleasure of being a host, attende, and a speaker. This year I am looking forward to being a volunteer and sharing all my knoweledge to bring a SQL Saturday to a new city.  With that said, there is a city very close to me that has never hosted one.  The ball is already rolling and I look forward to helping this chapter host their first SQL Saturday in 2012.
  • Help Chapter Leaders
    Being a chapter leader I personally know it can be hard running a user group. I was very lucky and thankful to get a lot of help.  I look forward to helping other chapter leaders who can use a hand. I am willing to help connect leaders to a sponsors; help leaders find swag, find books, find a speaker or anyting else. I am game and looking forward to helping.
  • Give Virtual Presentations
    Typically I do at least four presentations a year.  To this point I have never done a virtual presentation. This will change shortly as I am speaking  at the Columbus User Group virtually this week.
  • Mentor
    I have been blessed with having good mentors in my career. Without them I wouldn’t be where I am today. There advice and guidence has been very valuable.  I reciently started mentoring a DBA but would more than willing to help others out. If you would be interested please shoot me an message.

→ 2 Comments

Posted in meme monday, SQLServerPedia Syndication

Tagged , , , ,

2011 was a crazy year!

Posted on December 29, 2011 by johnsterrett| 1 Comment

Now that we are finishing up the last few days of the year its time to take a few minutes and reflect on my accomplishments for the year. To be honest, looking back at the blog posts I have no idea how I completed so many mile stones.  Last year I privately established some long term goals and I knocked several items off my three year and five year plan in the first year.

Major Accomplishments in 2011

PASS Member Summit 2011 Ribbons

Vendor said, "Wow... it looks like you had a very big year. Would you like to attend our vendor party?"

My first child was born in February.  Typically having a child would slow you down but somehow I still completed several milestones. I have to give huge props to my wife for all her help and support.

This year I gave presentations at the first SQL Rally; the SQL PASS Member Summit; SQL Saturday in Houston, TX (presented multiple sessions); the Pittsburgh SQL User Group and several session at the West Virginia SQL Server User Group.

One of my good friends and I co-founded the first SQL Server User Group in West Virginia. I also helped relaunch the Pittsburgh SQL Server User Group and was truly honored to  speak at the relaunch event. I also organized the 2nd  Annual SQL Saturday in Wheeling, WV. Its was truly an honor to bring my peers and friends to my hometown for some free SQL Training (photos). Towards the end of the year I also became a PASS Regional Mentor for the Mid-Atlantic Region.

Personally, I also had the following accomplishments.  I was included in a local

Reading with my baby

It's never to early to get started on your professional development.

magazine article on “Digital Generation.” Finally, I changed jobs and became a SQL Server Consultant.  I am truly blessed to say that many of these milestones couldn’t happen without my #sqlfamily and  my tech giants mentors .

My 11 Favorite Blog Posts in 2011

The following are my favorite blog posts and tips written by me in 2011.

I look forward to sharing some goals next week as we break in the new year!


→ 1 Comment

Posted in SQL Server 2008, SQLServerPedia Syndication

Tagged , , , , ,

PASS Member Summit 2011 Speaker Evaluations

Posted on December 19, 2011 by johnsterrett| Leave a comment

Session evaluations from the 2011 PASS Summit have been officially released to speakers. I am proud to share my feedback as it gives me room for improvement. I look forward to making it back in 2012.

The evaluation format is as follows. Each question is rated on a scale of 1-5 (1 = Very Poor, 2 = Poor, 3 = Average, 4 = Good, 5 = Excellent) with room for additional comments if the attendee  felt compelled to add more information about why they gave a particular score.

Here’s how I fared:

Topic: Evaluate your Daily Checklist Against 100+ instances of SQL Server while you get a cup of coffee
Attendance: 138
Total Responses: 68
Average Rating: 4.4 out of 5.0

How would you rate the Speaker’s presentation skills? 4.19

  • very good clear speaker good pacing
  • it seemed like he did a lot of reading from the notes. he’s off to a good start though
  • alittle more zoomit. overall very good & easy to follow
  • He seemed pretty nervous, but he soldiered on.
    He also used ZOOMIT when appropriate and diligently repeated the questions for the recording.
  • good use of demos

How would you rate the Speaker’s knowledge of the subject? 4.51

  • great command of content
  • sounds like he has set PBM/CMS up a few times at least…knows the stuff
  • Another 10-15 minutes would have allowed for a little deeper explanation/understanding of the material, but it’s Friday and my brain is almost completely fried. (You have to love the honesty in this one! )

How would you rate the accuracy of the session title, description and experience level to the actual session? 4.49

  • I didn’t see any incorrect information
  • can’t wait to suss out some of the code snippets
  • demos clearly showed topic & idea

How would you rate the quality of the presentation materials? 4.35

  • demos clearly showed topic & idea
  • too simple…i would rather go over good primalry mangt. the tool i can learn myself..maybe less demo more presentation
  • wish we had more time on this subject
  • can’t wait to suss out some of the code snippets

Did you learn what you expected to learn? 4.47

  • thank you for the kick start into cms
  • i had no idea what PBM was now i know and want to apply it.
  • currently only rely on failure emails…no know of a better way
  • demos clearly showed topic & idea

What will you take away from this session?

  • Some good stuff. I’ll be beefing up my PBM when I get back.
  • Great info!!
  • I will be implementing what we learned
  • Implement PBM and CMS
  • hoping to implement some checklists on our newly built comps and streamline our “care and feeding” process
  • go back to office and try it out
  • make a list, check it, automate, central management, server
    policy based management
  • impliment idea. a way to automate checklist & protect my environment practically
  • cant wait to try!
  • how to use PBM & CMS. great session!!
  • a daily checklist can be automated and easily analyzed with a few simple tools

What would you change to improve the overall quality of this session?

  • Provide handouts
  • Presenter could have managed off topic questions from audience better.
  • speaker peppered with quite a few “in the weeds” questions, but managed them well.
  • could use alitte humor
  • change this to a 300 level based
    leave questions until end too many people aske the same questions over again, over something that was covered

Conclusion:
I think I did a good job for presenting my first full session at the PASS Member Summit.  Several people mentioned in the comments that they were going to try PBM and CMS.  This completed my mission for giving the presentation.  I also received some great feedback that I will implement to make my presentation better. I think this was a great experience for me and I look forward to doing it again next year if I get selected.

→ Leave a comment

Posted in SQL Server 2008, SQLServerPedia Syndication

T-SQL Tuesday: What’s Currently Running?

Posted on December 13, 2011 by johnsterrett| 3 Comments

My good friend Allen White is hosting this months installment of #TSQL2sDay so I am motivated to jump in. #TSQL2sDay is the creation of Adam Machanic. The concept is simple, about a week before the second Tuesday of the month a theme will be posted.  Any blogger that wishes to participate is invited to write a post on the chosen topic and any post that is related to both SQL Server and the theme is fair game.The challenge for this month’s T-SQL Tuesday is: What T-SQL tricks do you use today to make your job easier?

What’s Currently Running?

One of my favorite tricks is actually just a little script I have in my toolbox to find out what queries are currently running right now. In fact I have had quite a few people ask me the for this script so I am glad to share it in this blog post.  With SQL Server 2005 and above  SQL Server provides Database Management Views that give you direct access to executing requests and running process. The following query uses sys.dm_exec_request, sys.sysprocesses. We will also use cross apply to get the query text from sys.dm_exec_sql_text and the execution plan from sys.dm_exec_query_plan.

The Good Stuff…

{UPDATE: 1/1/2012 – Replaced sysprocesses with sys.dm_exec_sessions as recommended by Phil in the comments}


SELECT [Spid] = sp.session_Id    ,
er.request_id,--ecid    ,
er.command,
[Database] = DB_NAME(er.database_id)    ,
[User] = login_name    ,
er.blocking_session_id,
[Status] = er.status    ,
[Wait] = wait_type    ,
[Individual Query] = SUBSTRING (qt.text, er.statement_start_offset/2,
(CASE WHEN er.statement_end_offset = -1      THEN LEN(CONVERT(NVARCHAR(MAX), qt.text)) * 2
ELSE er.statement_end_offset END - er.statement_start_offset)/2),
[Parent Query] = qt.text    ,
p.query_plan,
er.cpu_time, er.reads, er.writes, er.Logical_reads, er.row_count, Program = program_name,
Host_name    ,
start_time
FROM sys.dm_exec_requests er
INNER JOIN sys.dm_exec_sessions sp ON er.session_id = sp.session_id
CROSS APPLY sys.dm_exec_sql_text(er.sql_handle)as qt
cross apply sys.dm_exec_query_plan(er.plan_handle) p
WHERE sp.session_Id > 50-- Ignore system spids.
AND sp.session_Id NOT IN (@@SPID)
 ORDER BY 1, 2

→ 3 Comments

Posted in Scripts, SQLServerPedia Syndication

Tagged ,

PowerShell User Group starts in Pittsburgh!

Posted on December 12, 2011 by johnsterrett| Leave a comment

Recently, it has come to my attention that there is a PowerShell User Group being born in Pittsburgh.  The first user group meeting is December, 13th and  Ed Wilson also known as TheScriptingGuy will be their first presenter.   There are still a few seats available. If you are interested in developing scripts to automate processes I recommend you follow this user group.

→ Leave a comment

Posted in IT Pro

Tagged ,

This years Christmas wish list for Microsoft

Posted on December 5, 2011 by johnsterrett| Leave a comment

Once again its the first Monday of the month. This means its time for another #mememondy presented by Thomas LaRock . This months topic is what gift do you want Microsoft to leave for you under the tree this year? For this post I am going to list two items I would love to see in SQL Server 2012.

  1. Distributed Replay to be easy to configure, work as advertised and include the great reporting features I am used to seeing with RML Utilities.  Currently, I don’t see much for reporting with Distributed Replay in BOL.  No, need to convert SQL Traces multiple times.
  2. AlwaysOn to be included in SQL Server 2012  Standard Edition. Yes, I know this is a long shot but hey its my Christmas list :-)

→ Leave a comment

Posted in meme monday, SQLServerPedia Syndication

Share your local drives with a Remote Desktop Connection

Posted on November 22, 2011 by johnsterrett| 3 Comments

Have you ever wished there was a way to share your local drive with an Remote Desktop Connection? I have, especially when a client doesn’t have a test box.  For example, lets say I need to do a perfmon trace for performance tuning.  I would usually use the PAL Tool to generate a perfmon template and copy it from my machine to the server to configure the trace.  Once the perfmon collection is finished I would want to copy the template back down to my individual machine to generate the PAL reports.

This lead me to do some research and I found an easy solution that works.  Hopefully, this tip helps you out in the future.

Time For The Good Stuff…

Load your Remote Desktop Connection tool and enter in your computer name for the server.  For this example I am going to keep the computer name and user name blank.  Now click on the options button in the lower right corner of the RDC screen.

Remote Desktop Connection initial screen

Type in your computer name and user name for your Remote Desktop Connection.  Once your computer name and user name are entered click on the local resources tab.

Share local drive with Remote Desktop Connection

Now that we are on the local resources tab click on the “More” button shown at the bottom left corner of the screen.

Share local drive with Remote Desktop Connection

Select the local drives you would like to share with your Remote Desktop Connection. In this example I am only going to share my C drive.

The following screen shot will show you that I am sharing my local C drive on the Remote Desktop Connection.

→ 3 Comments

Posted in IT Pro

WVPASS – Performance Tuning for Pirates!

Posted on November 16, 2011 by johnsterrett| Leave a comment

If you are in the Pittsburgh, PA area take a trip down to Wheeling, WV this Thursday to catch me at the WVPASS SQL Server User Group.  Registration is free and there  are a few free seats available.  I will be breaking out a brand new presentation titled “Performance Tuning for Pirates.”

Abstract

If you follow baseball you will notice that my favorite team the Pittsburgh Pirates has to do more with less to be successful. Working as a consultant, I have also noticed this trend with several IT shops. If you need to improve the performance of SQL Server and cannot purchase 3rd party tools this session is for you.  I will help improve your performance tuning process while using several free tools. Through this presentation we will go over wait stats, dynamic management objects, perfmon, PAL, SQL Trace, ClearTrace, SQL Nexus and  SQLDiag.

→ Leave a comment

Posted in Professional Development, SQLServerPedia Syndication