Have you ever wanted to check, audit or even enforce a specific option or configuration in your environment? What if I tell you that you can accomplish all of these and even report on the results with just a few clicks? Interested? In this session you will learn about the "hidden power" of Policy-Based Management, Centralised Management Server and EPM Framework and how they can help you keep your environment healthy and under control!
5. Policy-Based Management is…
Way to define rules
SQL Server 2008/R2/2012/2014 Feature
Express Edition and higher
(in Express – Limited functionality)
Can be used against 2000 and 2005
… kind of
10. Microsoft – our Friend
C:\Program Files (x86)\Microsoft SQL Server\110\Tools\Policies
11. Advanced policies
Script as a condition!
ExecuteSql('Numeric',
'SELECT COUNT(*) FROM sys.databases')
ExecuteWql
('String', 'root\CIMV2',
'SELECT State
FROM Win32_Service
WHERE Name = "SQLAgent$SECOND"')
12. Centralized Management Server
(your time saver)
Introduced in SQL Server 2008
Available even in Express
Allows you to:
• Run scripts
• Evaluate policies
From one, centralized place…
20. PBM is all about managing your environments even better!
21. More resources:
Book: Apress Pro SQL Server 2008 PBM
Pluralsight Course: Auditing SQL Server with PBM
Whitepaper: http://tinyurl.com/7b2w2ug
Enterprise Policy Management Framework:
http://epmframework.codeplex.com/
Way to define rules and audit your environment.
Limited functionality – CMS, on-demand only (no Agent in Express)
Not all facets are available for all versions. Not all features are available in all versions, so test!
In 2000 – no DDL triggers! On change prevent – does not work!
On change – log – only if an event is generated!
On change: prevent – AFTER trigger only! Take the index rebuild example: the trigger fires only after the rebuild has finished :D
On-change: prevent mode will fail or perform unexpectedly.
Now that’s all cool, but can it be even easier? YES, IT CAN! Because…
Microsoft
+ The whole community shares
But can I build even more complex policies? The facets are cool, but not enough.
ExecuteWql('String', 'BRSHRISTOV\SECOND', 'SELECT State FROM Win32_Service WHERE Name = "SQLAgent$SECOND"')
ExecuteSql('Numeric', 'SELECT COUNT(*) FROM sys.databases')
PolicyAdministratorRole in MSDB - can edit all - so stop it!!!
##MS_PolicyTsqlExecutionLogin## - used when you schedule a policy that executes ExecuteSql(). You need to give this login the needed permissions.
All permissions you give to this login, though, are actually given to everyone in PolicyAdministratorRole too, so be careful!
##MS_PolicyEventProcessing## - used internally by the service broker – do not do anything with it.
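To see how far that exposure reaches, here is an added example (not part of the original slides or notes) that lists who sits in PolicyAdministratorRole and what ##MS_PolicyTsqlExecutionLogin## has been granted. It uses only standard catalog views and is read-only.

```sql
-- Added example: review who can author policies and what the login used
-- by scheduled ExecuteSql() conditions is allowed to do.
USE msdb;

-- 1. Direct members of PolicyAdministratorRole
--    (nested roles and Windows group membership are not expanded).
SELECT m.name AS member_name, m.type_desc AS member_type
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'PolicyAdministratorRole'
ORDER BY m.name;

-- 2. Server-level permissions granted to the policy execution login.
SELECT sp.name AS login_name, pe.class_desc, pe.permission_name, pe.state_desc
FROM sys.server_principals AS sp
JOIN sys.server_permissions AS pe ON pe.grantee_principal_id = sp.principal_id
WHERE sp.name = N'##MS_PolicyTsqlExecutionLogin##';

-- 3. Server roles the login has been added to
--    (a row for sysadmin means every policy author is effectively sysadmin).
SELECT r.name AS server_role
FROM sys.server_role_members AS srm
JOIN sys.server_principals AS r ON r.principal_id = srm.role_principal_id
JOIN sys.server_principals AS l ON l.principal_id = srm.member_principal_id
WHERE l.name = N'##MS_PolicyTsqlExecutionLogin##';

-- 4. Database-level permissions of the user mapped to that login.
--    Runs against the current database (msdb here); rerun it in every
--    database where the login was given access for ExecuteSql() checks.
SELECT DB_NAME() AS database_name, dp.name AS user_name,
       pe.class_desc, pe.permission_name, pe.state_desc,
       CASE WHEN pe.class = 1 THEN OBJECT_NAME(pe.major_id) END AS object_name
FROM sys.database_principals AS dp
JOIN sys.database_permissions AS pe ON pe.grantee_principal_id = dp.principal_id
WHERE dp.sid = SUSER_SID(N'##MS_PolicyTsqlExecutionLogin##');
```

Anything returned by queries 2 to 4 is reachable by every principal returned by query 1, so review the two result sets together.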
So after executing those policies, you may think: OK, but what if I want to be informed when something is wrong?
Execution mode | Message number
On change: prevent (if automatic) | 34050
On change: prevent (if On demand) | 34051
On schedule | 34052
On change | 34053
And every single thing that you do is actually stored in msdb, so be careful with it. Back it up and make sure you can restore those backups. Everything is done through stored procedures. You cannot even rename your policies without running a stored proc, and there are a number of views you can use to find useful information.