MS SQL Server 2008, Implementation and Maintenance


MCTS EXAM 70-432

Published in: Technology
  • Conclude the presentation. Review the goals and see if we have met them. Review the presentation materials and highlight the most important points. Ask for feedback.

    1. 1. MS SQL SERVER 2008 – Implementation and maintenance
        MCTS EXAM 70-432
        © The Norns Laboratories, 2009
    2. 2. Introductory class
        30 minutes
    3. 3. Agenda
        Introduction of the instructor
        Introduction of the participants
        Review course schedule, and exam requirements
        Q & A
    4. 4. About the instructor
        Vitaliy Fursov, MSc, PMP, CSPO
        An experienced software developer, architect, and project manager with a record of major accomplishments directing the delivery of software development projects of various sizes and complexity. Extensive experience in designing, implementing, and supporting data management solutions for major players in the financial industry, transportation, retail, telecom, and government. Recognized and recruited to guide development projects by companies like IBM Global Services to design Loan Origination Systems and Online Banking Systems for the largest US banks in 2002-2005. Designed the most complex retail management solution currently used by major US universities and colleges to operate campus retail units, such as bookstores, computer stores, campus transportation systems, food courts, etc. Recently consulted for a US government agency on a project to develop a video portal designed to serve up to 10 million users. Extensive experience leading project teams, introducing PMO to R&D organizations, and reducing the cost of development. Long-term Agile methods practitioner, Certified Scrum Product Owner, PMP designation holder.
        Experienced mentor, coach, and trainer in several technical disciplines, professional public speaker. Volunteer at a number of international organizations, such as PMI, Agile Alliance, Scrum Alliance, Toastmasters.
        After business hours, father of 3 kids, farmer, writer, poet, jazz music composer.
    5. 5. Introduction of participants
        Your name
        What do I know about SQL Server
        What do I want to know about SQL Server
        What do I enjoy doing at work
        What do I enjoy doing outside of my work
    6. 6. Course Schedule
    7. 7. Exam stats
        Time: 180 minutes, 61 questions spread over 6 testlets (cases), passing score 700 points, only multiple choice questions, no simulations.
        About 3 minutes per question, grouped per testlet.
        A 9-question testlet should be completed in about 27 minutes.
        Time left on one testlet is not added to the next.
        The 180 minutes should be regarded as an indication of the maximum exam length.
    8. 8. Q&A
    9. 9. Installing and Configuring SQL Server 2008
        2.5 hours
    10. 10. Agenda
        Determining Hardware and Software Requirements
        Selecting SQL Server Editions
        Installing and Configuring SQL Server Instances
        Configuring Database Mail (self-study)
        Practicing Exam Questions
    11. 11. Hardware and Software requirements
    12. 12. SQL Server Editions
        Enterprise
        Standard
        Workgroup
        Express
        Compact
        Developer
        Evaluation
    13. 13. Installing SQL Server
        Understanding Collation Modes
        Understanding Authentication Models
        Understanding SQL Server Instance concept
        Multiple Instances, Default Instance, Named Instances
        SQL Server Configuration Manager
        Installing Sample Database
    14. 14. SQL Server Configuration Manager
        Starting, stopping, pausing, and restarting a service
        Changing service accounts and service account passwords
        Managing the start-up mode of a service
        Configuring service start-up parameters
        After you have completed the initial installation and configuration of your SQL Server services, the primary action that you will perform within SQL Server Configuration Manager is to change service account passwords periodically.
        When changing service account passwords, you no longer have to restart the SQL Server instance for the new credential settings to take effect.
    15. 15. Database Mail
        Database Mail provides a notification capability to SQL Server instances.
        Database Mail uses the Simple Mail Transfer Protocol (SMTP) relay service that is available on all Windows machines to transmit mail messages. When a mail send is initiated, the message along with all of the message properties is logged into a table in the MSDB database. On a periodic basis, a background task that is managed by SQL Server Agent executes. When the mail send process executes, all messages within the send queue that have not yet been forwarded are picked up and sent using the appropriate mail profile.
        If SQL Server Agent is not running, messages will accumulate in a queue within the MSDB database.
    16. 16. Configuring Database Mail
        1. To enable the Database Mail feature:
        -- 'Database Mail XPs' is an advanced option, so show advanced options first
        EXEC sp_configure 'show advanced options', 1
        RECONFIGURE
        GO
        EXEC sp_configure 'Database Mail XPs', 1
        RECONFIGURE WITH OVERRIDE
        GO
        2. Configure Database Mail under the Management node of the SQL Server instance.
        3. Click Next on the Welcome screen.
        4. Select Set Up Database Mail By Performing The Following Tasks and click Next.
        5. Specify a name for your profile and click the Add button to specify settings for a mail account.
        6. Fill in the Account Name, E-mail Address, Display Name, Reply E-mail, and Server Name fields.
        7. Select the appropriate SMTP Authentication mode for your organization and, if using Basic authentication, specify the username and password.
    17. 17. Database Mail Profiles
        Public profile – can be accessed by any user with the ability to send mail.
        Private profile – can be accessed only by those users who have been granted access to the mail profile explicitly.
        Any mail profile could be designated as the default. When sending mail, if a mail profile is not specified, SQL Server uses the mail profile designated as the default to send the message.
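The wizard steps and the public/private profile distinction above can also be scripted, which makes the access grants reviewable. The T-SQL below is an added example, not part of the original slides; the profile and account names, the host smtp.example.com, the e-mail addresses and the msdb user AlertOperator are placeholders.

```sql
-- Added example: Database Mail configured in T-SQL with a private profile.
-- Every name, address and host below is a placeholder (assumption).
USE master;
GO
-- 'Database Mail XPs' is an advanced option, so expose advanced options first.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'Database Mail XPs', 1;
RECONFIGURE;
GO

USE msdb;
GO
-- Mail account: SMTP endpoint and sender identity (wizard step 6).
-- @use_default_credentials = 1 authenticates with the Database Engine
-- service credentials instead of a stored Basic-auth username/password.
EXEC dbo.sysmail_add_account_sp
     @account_name            = N'OpsAlertsAccount',
     @email_address           = N'sqlalerts@example.com',
     @display_name            = N'SQL Server alerts',
     @replyto_address         = N'dba@example.com',
     @mailserver_name         = N'smtp.example.com',
     @port                    = 587,
     @enable_ssl              = 1,
     @use_default_credentials = 1;

-- Mail profile (wizard step 5) and its link to the account.
EXEC dbo.sysmail_add_profile_sp
     @profile_name = N'OpsAlerts',
     @description  = N'Private profile for operational alerts';

EXEC dbo.sysmail_add_profileaccount_sp
     @profile_name    = N'OpsAlerts',
     @account_name    = N'OpsAlertsAccount',
     @sequence_number = 1;
GO

-- "Ability to send mail" means membership in DatabaseMailUserRole in msdb.
-- AlertOperator must already exist as a database user in msdb.
EXEC sp_addrolemember N'DatabaseMailUserRole', N'AlertOperator';

-- Private profile: access is granted to one named principal only.
-- Granting to the principal 'public' instead would make the profile public.
EXEC dbo.sysmail_add_principalprofile_sp
     @profile_name   = N'OpsAlerts',
     @principal_name = N'AlertOperator',
     @is_default     = 1;
GO

-- Review which principals can use which profiles; a row for the principal
-- 'public' marks a profile that any mail-enabled user can send through.
EXEC dbo.sysmail_help_principalprofile_sp;
GO

-- Send a test message through the profile.
EXEC dbo.sp_send_dbmail
     @profile_name = N'OpsAlerts',
     @recipients   = N'dba@example.com',
     @subject      = N'Database Mail test',
     @body         = N'Test message sent through the OpsAlerts profile.';
GO

-- Messages are logged in msdb; unsent rows accumulate here while
-- SQL Server Agent is stopped.
SELECT TOP (20) mailitem_id, recipients, subject, sent_status,
       send_request_date, send_request_user
FROM dbo.sysmail_allitems
ORDER BY send_request_date DESC;

-- Delivery errors reported by the Database Mail process.
SELECT TOP (20) log_date, event_type, description
FROM dbo.sysmail_event_log
ORDER BY log_date DESC;
GO
```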
    18. 18. Practice Test, Review and Questions
        10 questions, lesson 1, time 20 minutes
    19. 19. Test settings
    20. 20. Database Configuration and Maintenance
        2 hours
    21. 21. Agenda
        Files and Filegroups
        Manipulating objects between filegroups
        Transaction Logs
        FILESTREAM Data
        tempdb Database
        Creating Database
        Database Recovery Models
        Database Auto Options
        Change Tracking
        Access
        Parameterization
        Collation Sequences
        Database Integrity Checks
    22. 22. Files and Filegroups
        .mdf, .ndf, .ldf – default file extensions
        Filegroup schemas:
        Option 1
          • Data filegroup
          • Index filegroup
        Option 2
          • Read only tables filegroup
          • Read-write tables filegroup
          • Index filegroup
        Option 3
          • Read only tables filegroup
          • Read-write tables filegroup
          • Index filegroup
          • Key table 1 filegroup
          • Key table 2 filegroup
          • Key table 3 filegroup
        Based on your application, filegroups can be created to resolve IO performance problems by spreading the database over additional spindles, alleviating disk queuing.
    23. 23. How to create a new filegroup?
        USE CustomerDB_OLD;
        GO
        ALTER DATABASE CustomerDB_OLD
        ADD FILEGROUP FG_ReadOnly
        GO
    24. 24. How to add files to a filegroup?
        ALTER DATABASE CustomerDB_OLD
        ADD FILE
        (
        NAME = FG_READONLY1,
        FILENAME = 'C:\CustDB_RO.ndf',
        SIZE = 5MB,
        MAXSIZE = 100MB,
        FILEGROWTH = 5MB
        ) TO FILEGROUP FG_READONLY;
        GO
    25. 25. How to create objects in the new filegroup?
        -- Table
        CREATE TABLE dbo.OrdersDetail
        (
        OrderID int NOT NULL,
        ProductID int NOT NULL,
        CustomerID int NOT NULL,
        UnitPrice money NOT NULL,
        OrderQty smallint NOT NULL
        )
        ON FG_READONLY
        -- Index
        CREATE INDEX IDX_OrderID ON dbo.OrdersDetail(OrderID) ON FG_READONLY
        GO
    26. 26. How to move an object from the primary file group to another file group?
        To move an existing table with a clustered index, issue the following command:
        -- Table - The base table is stored with the
        -- clustered index, so moving the clustered
        -- index moves the base table.
        -- DROP_EXISTING rebuilds the existing clustered index on the new filegroup.
        CREATE CLUSTERED INDEX IDX_ProductID ON dbo.OrdersDetail(ProductID)
        WITH (DROP_EXISTING = ON)
        ON FG_ReadOnly
        GO
        To move a non-clustered index, issue the following command:
        -- Non-clustered index
        CREATE INDEX IDX_OrderID ON dbo.OrdersDetail(OrderID)
        WITH (DROP_EXISTING = ON)
        ON FG_ReadOnly
        GO
        If the table does not have a clustered index and needs to be moved, then create the clustered index on the table specifying the new file group. This process will move the base table and clustered index to the new file group. Then the clustered index can be dropped. Reference these commands:
        -- Table without a clustered index + drop index
        CREATE CLUSTERED INDEX IDX_ProductID ON dbo.OrdersDetail(ProductID) ON FG_ReadOnly
        GO
        -- DROP INDEX takes the table name only, without a column list
        DROP INDEX IDX_ProductID ON dbo.OrdersDetail
        GO
    27. 27. How to determine which objects exist in a particular filegroup?
        SELECT o.[name], o.[type], i.[name], i.[index_id], f.[name]
        FROM sys.indexes i
        INNER JOIN sys.filegroups f
        ON i.data_space_id = f.data_space_id
        INNER JOIN sys.all_objects o
        ON i.[object_id] = o.[object_id]
        WHERE i.data_space_id = 2 --* New FileGroup*
        GO
    28. 28. Transaction Logs
        ACID (atomicity, consistency, isolation, durability) is a set of properties that guarantee that database transactions are processed reliably. In the context of databases, a single logical operation on the data is called a transaction. An example of a transaction is a transfer of funds from one bank account to another, even though it might consist of multiple individual operations (such as debiting one account and crediting another).
        A Transaction Log is a history of actions executed by a database management system to guarantee ACID properties over crashes or hardware failures. Physically, a log is a file of updates done to the database, stored in stable storage.
    29. 29. FILESTREAM data
        FILESTREAM feature associates files with a database. The files are stored in a folder on the operating system, but are linked directly into a database where the files can be backed up, restored, full-text-indexed, and combined with other structured data.
        To store FILESTREAM data within a database, you need to specify where the data will be stored. You define the location for FILESTREAM data in a database by designating a filegroup within the database to be used for storage with the CONTAINS FILESTREAM property.
          • After the FILESTREAM folder has been created, a filestream.hdr file is created in the folder, which is a system file used to manage the files subsequently written to the folder.
        tempdb Database
        The tempdb system database is a global resource that is available to all users connected to the instance of SQL Server and is used to hold the following:
          • global or local temporary tables, temporary stored procedures, table variables, or cursors;
          • work tables to store intermediate results for spools or sorting;
          • Row versions that are generated by data modification transactions in a database that uses read-committed using row versioning isolation or snapshot isolation transactions;
          • Row versions that are generated by data modification transactions for features, such as: online index operations, Multiple Active Result Sets (MARS), and AFTER triggers.
          • Operations within tempdb are minimally logged.
          • tempdb is re-created every time SQL Server is started.
          • There is never anything in tempdb to be saved from one session of SQL Server to another.
          • Backup and restore operations are not allowed on tempdb.
        What disks should tempdb reside on?
        The major cause of the slowdown in the workload is usually the location of the tempdb on a slower device.
        SQL Server uses tempdb to store intermediate results as part of executing a query, i.e. to create a hash table or to sort as a result of order by.
        Measure the IO bandwidth needed to meet the demands of the workload. Consider the following:
          • create tempdb on its own spindles
          • use RAM Disk to achieve better performance
    37. 37. What should be the size of tempdb?
        The best way to estimate the size of tempdb is by running your workload in a test environment.
        Use ALTER DATABASE command to set its size with a safety factor that you feel is appropriate.
        Never allow auto-grow for tempdb.
          • Auto-grow causes a pause during processing when you can least afford it
          • Less of an issue with instant file initialization
          • Auto-grow leads to physical fragmentation
        Remember that tempdb is created every time you restart a SQL Server but its size is set to either default of Model database or the size you had set using ALTER DATABASE command (the recommended option)
    38. 38. 1 file vs. multiple files for tempdb
        Spread TempDB across at least as many equal sized files as there are COREs or CPUs. Since allocation in SQL Server is done using proportional fill, the allocation will be evenly distributed and so is the access/manipulation of the allocation structures across all files.
        Note, you can always have more files than COREs but you may not see much improvement.
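The sizing and multi-file advice above translates into a handful of statements. This T-SQL is an added example, not part of the original slides; it assumes a 4-core server, the default logical file names tempdev and templog, and a placeholder T:\tempdb folder, with sizes that stand in for figures measured from a test workload.

```sql
-- Added example: pre-size tempdb, disable auto-grow, one data file per core.
-- File paths, file count and sizes are placeholders (assumptions).

-- 1. Inspect the current layout and the number of logical CPUs.
SELECT name, physical_name,
       size * 8 / 1024 AS size_mb,      -- size is stored in 8 KB pages
       growth, is_percent_growth
FROM tempdb.sys.database_files;

SELECT cpu_count FROM sys.dm_os_sys_info;
GO

-- 2. Pre-size the existing files. FILEGROWTH = 0 turns auto-grow off, so
--    the SIZE values must already include the safety factor.
--    MODIFY FILE can only grow a file; the new SIZE must exceed the current one.
ALTER DATABASE tempdb
MODIFY FILE (NAME = tempdev, SIZE = 2048MB, FILEGROWTH = 0);

ALTER DATABASE tempdb
MODIFY FILE (NAME = templog, SIZE = 1024MB, FILEGROWTH = 0);
GO

-- 3. Add equally sized data files so proportional fill spreads allocations
--    evenly (three more files here, for four in total on a 4-core server).
ALTER DATABASE tempdb
ADD FILE (NAME = tempdev2, FILENAME = N'T:\tempdb\tempdev2.ndf',
          SIZE = 2048MB, FILEGROWTH = 0);

ALTER DATABASE tempdb
ADD FILE (NAME = tempdev3, FILENAME = N'T:\tempdb\tempdev3.ndf',
          SIZE = 2048MB, FILEGROWTH = 0);

ALTER DATABASE tempdb
ADD FILE (NAME = tempdev4, FILENAME = N'T:\tempdb\tempdev4.ndf',
          SIZE = 2048MB, FILEGROWTH = 0);
GO

-- 4. With auto-grow off, a full tempdb fails queries instead of growing,
--    so track free space and what is consuming the rest.
USE tempdb;
GO
SELECT SUM(unallocated_extent_page_count)       * 8 / 1024 AS free_mb,
       SUM(user_object_reserved_page_count)     * 8 / 1024 AS user_objects_mb,
       SUM(internal_object_reserved_page_count) * 8 / 1024 AS internal_objects_mb,
       SUM(version_store_reserved_page_count)   * 8 / 1024 AS version_store_mb
FROM sys.dm_db_file_space_usage;
GO
```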
    39. 39. Creating Database
        Execute the following code to create a database:
        CREATE DATABASE TK432 ON PRIMARY
        ( NAME = N'TK432_Data', FILENAME = N'c:\test\TK432.mdf' ,
        SIZE = 8MB , MAXSIZE = UNLIMITED, FILEGROWTH = 16MB ),
        FILEGROUP FG1
        ( NAME = N'TK432_Data2', FILENAME = N'c:\test\TK432.ndf' ,
        SIZE = 8MB , MAXSIZE = UNLIMITED, FILEGROWTH = 16MB ),
        FILEGROUP Documents CONTAINS FILESTREAM DEFAULT
        ( NAME = N'Documents', FILENAME = N'c:\test\TK432Documents' )
        LOG ON
        ( NAME = N'TK432_Log', FILENAME = N'c:\test\TK432.ldf' ,
        SIZE = 8MB , MAXSIZE = 2048GB , FILEGROWTH = 16MB )
        GO
        Execute the following code to change the default filegroup:
        ALTER DATABASE TK432
        MODIFY FILEGROUP FG1
        DEFAULT
        GO
    40. 40. Database Recovery Models
        ALTER DATABASE database_name
        SET RECOVERY { FULL | BULK_LOGGED | SIMPLE }
        You need to know which types of backups are possible for each recovery model.
    41. 41. Auto Options
        AUTO_CLOSE
        AUTO_SHRINK
        AUTO_CREATE_STATISTICS
        AUTO_UPDATE_STATISTICS
        AUTO_UPDATE_STATISTICS_ASYNC
    42. 42. Change Tracking
        New to SQL Server 2008 version – versioning of each changed row in a table.
        CHANGE_RETENTION
        AUTO_CLEANUP
    43. 43. Access
        Database status modes:
        ONLINE
        READ_ONLY / READ_WRITE
        SINGLE_USER / RESTRICTED_USER / MULTI_USER
        OFFLINE
        EMERGENCY
        ROLLBACK IMMEDIATE
        ROLLBACK AFTER <number of seconds>
    44. 44. Parameterization
        Forced parameterization changes the literal constants in a query to parameters when compiling a query. Forced parameterization should not be used for environments that rely heavily on indexed views and indexes on computed columns. Generally, the PARAMETERIZATION FORCED option should only be used by experienced database administrators after determining that doing this does not adversely affect performance.
        Distributed queries that reference more than one database are eligible for forced parameterization as long as the PARAMETERIZATION option is set to FORCED in the database in whose context the query is running.
        Setting the PARAMETERIZATION option to FORCED flushes all query plans from the plan cache of a database, except those that currently are compiling, recompiling, or running. Plans for queries that are compiling or running during the setting change are parameterized the next time the query is executed.
        Setting the PARAMETERIZATION option is an online operation that requires no database-level exclusive locks.
        Forced parameterization is disabled (set to SIMPLE) when the compatibility of a SQL Server database is set to 80, or a database on an earlier instance is attached to an instance of SQL Server 2005 or later.
        The current setting of the PARAMETERIZATION option is preserved when reattaching or restoring a database.
        When the PARAMETERIZATION option is set to FORCED, the reporting of error messages may differ from that of simple parameterization: multiple error messages may be reported in cases where fewer messages would be reported under simple parameterization, and the line numbers in which errors occur may be reported incorrectly.
    45. 45. Collation Sequences
        Each SQL Server collation specifies three properties:
          • The sort order to use for Unicode data types (nchar, nvarchar, and ntext). A sort order defines the sequence in which characters are sorted, and the way characters are evaluated in comparison operations.
          • The sort order to use for non-Unicode character data types (char, varchar, and text).
          • The code page used to store non-Unicode character data.
        Note  You cannot specify the equivalent of a code page for the Unicode data types (nchar, nvarchar, and ntext). The double-byte bit patterns used for Unicode characters are defined by the Unicode standard and cannot be changed.
    46. 46. Database Integrity Checks
        USE [master]
        GO
        ALTER DATABASE [AdventureWorks2008] SET PAGE_VERIFY CHECKSUM
        GO
        When DBCC CHECKDB is executed, SQL Server performs all the following actions:
          • Checks page allocation within the database
          • Checks the structural integrity of all tables and indexed views
          • Calculates a checksum for every data and index page to compare against the stored checksum
          • Validates the contents of every indexed view
          • Checks the database catalog
          • Validates Service Broker data within the database
        To accomplish these checks, DBCC CHECKDB executes the following commands:
          • DBCC CHECKALLOC, to check the page allocation of the database
          • DBCC CHECKCATALOG, to check the database catalog
          • DBCC CHECKTABLE, for each table and view in the database to check the structural integrity
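A routine built on the commands above usually combines four checks: which databases lack page checksums, a full CHECKDB run, the history of damaged pages, and checksum validation during backup. The following T-SQL is an added example, not part of the original slides; the backup path is a placeholder.

```sql
-- Added example: integrity-check routine around PAGE_VERIFY and DBCC CHECKDB.
-- The backup path is a placeholder (assumption).

-- 1. Find databases that are not protected by page checksums
--    (TORN_PAGE_DETECTION or NONE). tempdb is excluded from this list.
SELECT name, page_verify_option_desc
FROM sys.databases
WHERE page_verify_option_desc <> N'CHECKSUM'
  AND name <> N'tempdb';
GO

-- 2. Enable checksums. A page only receives a checksum the next time it is
--    written, so pages that are never modified stay unprotected until rebuilt.
ALTER DATABASE [AdventureWorks2008] SET PAGE_VERIFY CHECKSUM;
GO

-- 3. Run the full check. NO_INFOMSGS suppresses informational output so that
--    only problems are returned; ALL_ERRORMSGS lists every error per object.
DBCC CHECKDB (N'AdventureWorks2008') WITH NO_INFOMSGS, ALL_ERRORMSGS;
GO

-- 4. Review pages that SQL Server has already flagged while reading data.
--    event_type: 1 = 823/824 error, 2 = bad checksum, 3 = torn page,
--                4 = restored, 5 = repaired by DBCC, 7 = deallocated by DBCC
SELECT DB_NAME(database_id) AS database_name,
       file_id, page_id, event_type, error_count, last_update_date
FROM msdb.dbo.suspect_pages
ORDER BY last_update_date DESC;
GO

-- 5. Verify page checksums while backing up, so a corrupt page fails the
--    backup instead of being copied silently into the backup set.
BACKUP DATABASE [AdventureWorks2008]
TO DISK = N'X:\Backup\AdventureWorks2008.bak'
WITH CHECKSUM, INIT;
GO
```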
    47. 47. Practice Test, Review and Questions
        10 questions, lesson 1, time 20 minutes
    48. 48. Tables
        3 hours
    49. 49. Basics of Data Modeling
        Subject Area
        Reflecting SA in the model
        Put stuff where it belongs.
        Tables follow some very basic rules—columns define a group of data that you need to store, and you add one row to the table for each unique group of information.
        The columns that you define represent the distinct pieces of information that you need to work with inside your database, such as a city, product name, first name, last name, or price.
    50. 50. Nullability
        You can specify whether a column allows nulls by specifying NULL or NOT NULL for the column properties. Just as with every command you execute, you should always specify explicitly each option that you want, especially when you are creating objects.
        If you do not specify the nullability option, SQL Server uses the default option when creating a table, which could produce unexpected results. In addition, the default option is not guaranteed to be the same for each database because you can modify this by changing the ANSI_NULL_DEFAULT database property.
        NULL value does not equal another NULL and NULLs cannot be compared.
    51. 51. COLLATE
        Collation sequences control the way characters in various languages are handled. When you install an instance of SQL Server, you specify the default collation sequence for the instance.
        You can set the COLLATE property of a database to override the instance collation sequence, which SQL Server then applies as the default collation sequence for objects within the database.
        You can override the collation sequence for an entire table.
        You can override the collation sequence for an individual column.
        By specifying the COLLATE option for a character-based column, you can set language-specific behavior for the column.
    52. 52. IDENTITY
        Identities are used to provide a value for a column automatically when data is inserted.
        You cannot update a column with the identity property.
        Columns with any numeric data type, except float and real, can accept an identity property because you also have to specify a seed value and an increment to be applied for each subsequently inserted row.
        You can have only a single identity column in a table.
        Although SQL Server automatically provides the next value in the sequence, you can insert a value into an identity column explicitly by using the SET IDENTITY_INSERT <table name> ON command.
        You can also change the next value generated by modifying the seed using the DBCC CHECKIDENT command.
    53. 53. NOT FOR REPLICATION
        By applying the NOT FOR REPLICATION option, SQL Server does not reseed the identity column when the replication engine is applying changes.
    54. 54. Computed Columns
        When you create a computed column, only the definition of the calculation is stored.
        A computed column cannot be used as a DEFAULT or FOREIGN KEY constraint definition or with a NOT NULL constraint definition.
        However, a computed column can be used as a key column in an index or as part of any PRIMARY KEY or UNIQUE constraint, if the computed column value is defined by a deterministic expression and the data type of the result is allowed in index columns.
        For example, if the table has integer columns a and b, the computed column a+b may be indexed, but computed column a+DATEPART(dd, GETDATE()) cannot be indexed because the value may change in subsequent invocations.
        A computed column cannot be the target of an INSERT or UPDATE statement.
    55. 55. Row and Page Compression
        Row-level compression allows you to compress individual rows to fit more rows on a page, which in turn reduces the amount of storage space for the table because you don’t need to store as many pages on a disk.
        Because you can uncompress the data at any time and the uncompress operation must always succeed, you cannot use compression to store more than 8,060 bytes in a single row.
        Page compression reduces only the amount of disk storage required because the entire page is compressed.
        To compress any newly added, uncompressed pages, you need to execute an ALTER TABLE. . .REBUILD statement with the PAGE compression option.
    56. 56. Modeling world’s currencies
    57. 57. Primary Keys
        The primary key defines the column(s) that uniquely identify every row in the table. You must specify all columns within the primary key as NOT NULL.
        You can have only a single primary key constraint defined for a table.
        When you create a primary key, you also designate whether the primary key is clustered or nonclustered.
        A clustered primary key, the default SQL Server behavior, causes SQL Server to store the table in sorted order according to the primary key.
        The default option for a primary key is clustered. When a clustered primary key is created on a table that is compressed, the compression option is applied to the primary key when the table is rebuilt.
    58. 58. Foreign Keys
        You use foreign keys to implement referential integrity between tables within your database. By creating foreign keys, you can ensure that related tables cannot contain invalid, orphaned rows.
        Foreign keys create what is referred to as a parent-child relationship between two tables and ensure that a value cannot be written to the child table that does not already exist in the parent table. For example, it would not make any sense to have an order for a customer who does not exist.
        To create a foreign key between two tables, the parent table must have a primary key, which is used to refer to the child table. In addition, the data types between the parent column(s) and child column(s) must be compatible. If you have a multicolumn primary key, all the columns from the parent primary key must exist in the child table to define a foreign key.
    59. 59. CASCADING
        One of the options for a foreign key is CASCADE.
        You can configure a foreign key such that modifications of the parent table are cascaded to the child table.
        For example, when you delete a customer, SQL Server also deletes all the customer’s associated orders.
        Cascading is an extremely bad idea. It is very common to have foreign keys defined between all the tables within a database.
        If you were to issue a DELETE statement without a WHERE clause against the wrong table, you could eliminate every row, in every table within your database, very quickly.
        By leaving the CASCADE option off for a foreign key, if you attempt to delete a parent row that is referenced, you get an error.
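The protective behaviour described above, and a way to find foreign keys that do cascade, can be shown in one script. This T-SQL is an added example, not part of the original slides; the dbo.DemoCustomers and dbo.DemoOrders tables are hypothetical and are dropped at the end.

```sql
-- Added example: a foreign key without CASCADE blocks a stray DELETE, plus an
-- audit query for cascading keys. The Demo* tables are hypothetical.
CREATE TABLE dbo.DemoCustomers
(
    customerId int NOT NULL CONSTRAINT PK_DemoCustomers PRIMARY KEY
);

CREATE TABLE dbo.DemoOrders
(
    orderId    int NOT NULL CONSTRAINT PK_DemoOrders PRIMARY KEY,
    customerId int NOT NULL
        CONSTRAINT FK_DemoOrders_DemoCustomers
        REFERENCES dbo.DemoCustomers (customerId)  -- no CASCADE: NO ACTION is the default
);
GO

INSERT INTO dbo.DemoCustomers (customerId) VALUES (1), (2);
INSERT INTO dbo.DemoOrders (orderId, customerId) VALUES (100, 1), (101, 1);
GO

-- A DELETE without a WHERE clause against the parent table. Customer 1 is
-- still referenced by orders, so the whole statement fails with error 547
-- (constraint conflict) and is rolled back, including the unreferenced row.
BEGIN TRY
    DELETE FROM dbo.DemoCustomers;
END TRY
BEGIN CATCH
    SELECT ERROR_NUMBER() AS error_number, ERROR_MESSAGE() AS error_message;
END CATCH;

-- Confirm what the failed statement left behind in the parent table.
SELECT COUNT(*) AS customers_remaining FROM dbo.DemoCustomers;
GO

-- Audit: list every foreign key in the current database whose delete or
-- update action is anything other than NO ACTION
-- (0 = NO ACTION, 1 = CASCADE, 2 = SET NULL, 3 = SET DEFAULT).
SELECT OBJECT_SCHEMA_NAME(fk.parent_object_id)  AS child_schema,
       OBJECT_NAME(fk.parent_object_id)         AS child_table,
       fk.name                                  AS foreign_key,
       OBJECT_NAME(fk.referenced_object_id)     AS parent_table,
       fk.delete_referential_action_desc,
       fk.update_referential_action_desc
FROM sys.foreign_keys AS fk
WHERE fk.delete_referential_action <> 0
   OR fk.update_referential_action <> 0
ORDER BY child_schema, child_table;
GO

-- Clean up the demonstration tables (child first).
DROP TABLE dbo.DemoOrders;
DROP TABLE dbo.DemoCustomers;
GO
```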
    60. 60. Default constraints
        Default constraints allow you to specify a value that is written to the column if the application does not supply a value.
        Default constraints apply only to new rows added with an INSERT, BCP, or BULK INSERT statement.
        You can define default constraints for either NULL or NOT NULL columns.
        If a column has a default constraint and an application passes in a NULL for the column, SQL Server writes a NULL to the column instead of the default value.
        SQL Server writes the default value to the column only if the application does not specify the column in the INSERT statement.
    61. 61. Adding a Check Constraint
        Check constraints limit the range of values within a column. Check constraints can be created at a column level and are not allowed to reference any other column in the table.
        Table-level check constraints can reference any column within a table, but they are not allowed to reference columns in other tables.
    62. 62. CREATE TABLE script
        USE [MyFirstDatabase]
        GO
        /****** Object: Table [Currencies].[Currencies] Script Date: 11/09/2009 22:22:23 ******/
        SET ANSI_NULLS ON
        GO
        SET QUOTED_IDENTIFIER ON
        GO
        CREATE TABLE [Currencies].[Currencies](
         [currencyId] [int] NOT NULL,
         [countryName] [nvarchar](64) NOT NULL,
         [currencyName] [nvarchar](64) NOT NULL,
         [currencyCode] [nchar](4) NULL,
         CONSTRAINT [PK_Currencies] PRIMARY KEY CLUSTERED
        (
         [currencyId] ASC
        )WITH (PAD_INDEX = OFF, STATISTICS_NORECOMPUTE = OFF, IGNORE_DUP_KEY = OFF, ALLOW_ROW_LOCKS = ON, ALLOW_PAGE_LOCKS = ON) ON [PRIMARY]
        ) ON [PRIMARY]
        GO
    63. 63. CREATE TABLE script (cont.)
        CREATE TABLE [Currencies].[CurrencyUnits](
         [currencyUnitId] [int] NOT NULL,
         [name] [nvarchar](64) NOT NULL,
         [value] [money] NOT NULL,
         [image] [image] NULL,
         [currencyId] [int] NOT NULL,
         CONSTRAINT [PK_CurrencyUnits] PRIMARY KEY CLUSTERED
        (
         [currencyUnitId] ASC
        )WITH (PAD_INDEX = OFF, STATISTICS_NORECOMPUTE = OFF, IGNORE_DUP_KEY = OFF, ALLOW_ROW_LOCKS = ON, ALLOW_PAGE_LOCKS = ON) ON [PRIMARY]
        ) ON [PRIMARY] TEXTIMAGE_ON [PRIMARY]
        GO
        ALTER TABLE [Currencies].[CurrencyUnits] WITH CHECK ADD CONSTRAINT [FK_CurrencyUnits_Currencies] FOREIGN KEY([currencyId])
        REFERENCES [Currencies].[Currencies] ([currencyId])
        GO
        ALTER TABLE [Currencies].[CurrencyUnits] CHECK CONSTRAINT [FK_CurrencyUnits_Currencies]
        GO
        ALTER TABLE [Currencies].[CurrencyUnits] WITH CHECK ADD CONSTRAINT [CK_CurrencyUnits_ValueGT0] CHECK (([value]>(0)))
        GO
        ALTER TABLE [Currencies].[CurrencyUnits] CHECK CONSTRAINT [CK_CurrencyUnits_ValueGT0]
        GO
        EXEC sys.sp_addextendedproperty @name=N'MS_Description', @value=N'Value Greater Than 0' , @level0type=N'SCHEMA',@level0name=N'Currencies', @level1type=N'TABLE',@level1name=N'CurrencyUnits', @level2type=N'CONSTRAINT',@level2name=N'CK_CurrencyUnits_ValueGT0'
        GO
    64. 64. Using Schemas
        CREATE SCHEMA [Currencies] AUTHORIZATION dbo
        GO
        It is recommended that you do not create tables and views or assign permissions within a CREATE SCHEMA statement.
        Any CREATE SCHEMA statement that is executed must be in a separate batch.
        ALTER SCHEMA [Currencies] TRANSFER dbo.CurrencyUnits
        GO
        ALTER SCHEMA [Currencies] TRANSFER dbo.Currencies
        GO
    65. 65. Indexes<br />2 hours<br />© The Norns Laboratories, 2009<br />
    66. 66. Balanced Trees (B-Trees)<br />© The Norns Laboratories, 2009<br />A B-tree is constructed of a root node that contains a single page of data, one or more optional intermediate level pages, and one or more optional leaf level pages. The core concept of a B-tree can be found in the first word of the name: balanced. A B-tree is always symmetrical, with the same number of pages on both the left and right halves at each level.<br />The leaf-level pages contain entries sorted in the order that you specified. The data at the leaf level contains every combination of values within the column(s) that are being indexed.<br />The number of index rows on a page is determined by the storage space required by the columns that are defined in the index.<br />
    67. 67. Index Levels<br />A data page = 8,192 bytes (or 8,060 bytes of actual user data). <br />If you build an index on an INT column, each row in the table will require 4 bytes of storage in the index.<br />© The Norns Laboratories, 2009<br />1<br />1<br />0<br />?<br />2,015<br />
    68. 68. Indexing limits<br />You can define an index with a maximum of 16 columns.<br />The maximum size of the index key is 900 bytes.<br />A table without a clustered index is referred to as a heap. When you have a heap, page chains are not stored in sorted order.<br />
    69. 69. Covering Indexes<br />When an index is built, every value in the index key is loaded into the index. In effect, each index is a mini-table containing all the values corresponding to just the columns in the index key. <br />It is possible for a query to be entirely satisfied by using the data in the index.<br />An index that is constructed such that SQL Server can completely satisfy queries by reading only the index is called a covering index.<br />
    70. 70. Included Columns<br />Indexes can be created using the optional INCLUDE clause. <br />Included columns become part of the index at only the leaf level. Values from included columns do not appear in the root or intermediate levels of an index and do not count against the 900-byte limit for an index.<br />This way you can construct covering indexes that can have more than 16 columns and 900 bytes by using the INCLUDE clause.<br />
    71. 71. Query optimizer<br />Ways to create statistics in SQL Server 2008:<br />The optimizer automatically creates single-column statistics as needed as a side effect of optimizing SELECT, INSERT, UPDATE, DELETE, and MERGE statements if AUTO_CREATE_STATISTICS is enabled, which is the default setting.<br />Note: The optimizer only creates nonfiltered statistics in these cases.<br />There are two basic statements in SQL Server 2008 that explicitly generate the statistical information described above: CREATE INDEX generates the declared index in the first place, and it also creates one set of statistics for the column combinations constituting the index keys (but not other included columns). CREATE STATISTICS only generates the statistics for a given column or combination of columns.<br />Note: If the CREATE INDEX defines a predicate, the corresponding statistics are created with the same predicate.<br />In addition, there are several other ways to create statistics or indexes. Ultimately, though, each issues one of the above two commands. Use sp_createstats to create statistics for all eligible columns (all except XML columns) for all user tables in the current database. A new statistics object will not be created for columns that already have a statistics object.<br />Use DBCC DBREINDEX to rebuild one or more indexes for a table in the specified database.<br />In SQL Server Management Studio, expand the folder under a Table object, right click the Statistics folder, and choose New Statistics.<br />Use the Database Engine Tuning Advisor to create indexes.<br />
    72. 72. CREATE STATISTICS<br />CREATE STATISTICS FirstLast2 ON Person.Contact(FirstName,LastName) WITH SAMPLE 50 PERCENT<br />The auto update statistics feature described above may be turned off at different levels:<br />On the database level, disable auto update statistics by using the command ALTER DATABASE dbname SET AUTO_UPDATE_STATISTICS OFF<br />At the table level, disable auto update statistics using the NORECOMPUTE option of the UPDATE STATISTICS command or CREATE STATISTICS command.<br />Use sp_autostats to display and change the auto update statistics setting for a table, index, or statistics object. <br />Re-enabling the automatic updating of statistics can be done similarly using ALTER DATABASE, UPDATE STATISTICS, or sp_autostats.<br />
    73. 73. FILLFACTOR<br />The FILLFACTOR option for an index determines the percentage of free space that is reserved on each leaf-level page of the index when an index is created or rebuilt. <br />The free space reserved leaves room on the page for additional values to be added, thereby reducing the rate at which page splits occur. <br />The FILLFACTOR is represented as a percentage full. <br />For example, a FILLFACTOR = 75 means that 25 percent of the space on each leaf-level page is left empty to accommodate future values.<br />
    74. 74. Defragmenting an Index<br />ALTER INDEX { index_name | ALL }<br />ON <object><br />{ REBUILD<br />[ [ WITH ( <rebuild_index_option> [ ,...n ] ) ]<br />| [ PARTITION = partition_number<br />[ WITH ( <single_partition_rebuild_index_option><br />[ ,...n ] )] ] ]<br />| DISABLE | REORGANIZE<br />[ PARTITION = partition_number ]<br />[ WITH ( LOB_COMPACTION = { ON | OFF } ) ]<br />| SET ( <set_index_option> [ ,...n ] ) }[ ; ]<br />When you defragment an index, you can use either the REBUILD or REORGANIZE options.<br />
    75. 75. Index REBUILD<br />The REBUILD option rebuilds all levels of the index and leaves all pages filled according to the FILLFACTOR setting of an index. <br />The rebuild of an index effectively re-creates the entire B-tree structure, so unless you specify the ONLINE option, a shared table lock is acquired, preventing any changes until the rebuild operation completes.<br />
    76. 76. Index REORGANIZE<br />The REORGANIZE option removes fragmentation only at the leaf level. <br />Intermediate-level pages and the root page are not defragmented during a reorganize. <br />REORGANIZE is always an online operation that does not incur any long-term blocking.<br />
    77. 77. Disabling an index<br />An index can be disabled by using the ALTER INDEX statement as follows:<br />ALTER INDEX { index_name | ALL }<br />ON <object><br />DISABLE [ ; ]<br />When an index is disabled, the definition remains in the system catalog but is no longer used. SQL Server does not maintain the index as data in the table changes, and the index cannot be used to satisfy queries. <br />If a clustered index is disabled, the entire table becomes inaccessible.<br />To enable an index, it must be rebuilt to regenerate and populate the B-tree structure. <br />ALTER INDEX { index_name | ALL }<br />ON <object><br />REBUILD [ ; ]<br />
    78. 78. Full Text Indexing<br />Full text indexes can be created against CHAR/VARCHAR, XML, and VARBINARY columns.<br />When you full text index a VARBINARY column, you must specify the filter to be used by the word breaker to interpret the document content.<br />Thesaurus files allow you to specify a list of synonyms or word replacements for search terms.<br />Stop lists exclude a list of words from search arguments and a full text index.<br />
    79. 79. Full Text Catalog<br />The first step in building a full text index is to create a storage structure. Unlike relational indexes, full text indexes have a unique internal structure that is maintained within a separate storage format called a full text catalog. <br />Each full text catalog contains one or more full text indexes.<br />The generic syntax for creating a full text catalog is<br />CREATE FULLTEXT CATALOG catalog_name<br />[ON FILEGROUP filegroup ]<br />[IN PATH 'rootpath']<br />[WITH <catalog_option>]<br />[AS DEFAULT]<br />[AUTHORIZATION owner_name ]<br /><catalog_option>::=<br />ACCENT_SENSITIVITY = {ON|OFF}<br />FILEGROUP clause specifies the filegroup that you want to use to store any full text indexes.<br />ACCENT_SENSITIVITY allows you to configure whether the full text engine considers accent marks when building or querying a full text index.<br />AS DEFAULT clause works the same as the DEFAULT option for a filegroup.<br />AUTHORIZATION option specifies the owner of the full text catalog.<br />
    80. 80. Change Tracking<br />The CHANGE_TRACKING option for a full text index determines how SQL Server maintains the index when the underlying data changes.<br />When set to AUTO, SQL Server automatically updates the full text index as the data is modified.<br />When set to MANUAL, you are responsible for periodically propagating the changes into the full text index.<br />
    81. 81. Stemmers<br />SQL Server uses stemmers to allow a full text index to search on all inflectional forms of a search term, such as drive, drove, driven, and driving. <br />Stemming is language-specific. Although you could employ a German word breaker to tokenize English, the German stemmer cannot process English.<br />
    82. 82. Querying Full Text Data<br />SELECT ProductDescriptionID, Description<br />FROM Production.ProductDescription<br />WHERE FREETEXT(Description,N'bike')<br />GO<br />All search terms used with full text are Unicode strings. If you pass in a non-Unicode string, the query still works, but it is much less efficient because the optimizer cannot use parameter sniffing to evaluate distribution statistics on the full text index. <br />Make certain that all terms you pass in for full text search are always typed as Unicode for maximum performance.<br />
    83. 83. THESAURUS FILES<br />A thesaurus file exists for each supported language. <br />All thesaurus files are XML files stored in the FTDATA directory underneath your default SQL Server installation path.<br />The thesaurus files are not populated, so to perform synonym searches, you need to populate the thesaurus files. <br />
    84. 84. Stop Lists<br />Stop lists are used to exclude words that you do not want included in a full text index.<br />CREATE FULLTEXT STOPLIST ProductStopList;<br />GO<br />ALTER FULLTEXT STOPLIST ProductStopList ADD 'bike' LANGUAGE 1033;<br />GO<br />ALTER FULLTEXT INDEX ON Production.ProductDescription<br />SET STOPLIST ProductStopList<br />GO<br />
    85. 85. Distributing and Partitioning Data<br />2.5 hours<br />
    86. 86. Distributing and Partitioning Data<br />Table partitioning was introduced in Microsoft SQL Server 2005 as a means to split large tables across multiple storage structures. Previously, objects were restricted to a single filegroup that could contain multiple files. However, the placement of data within a filegroup was still determined by SQL Server.<br />Table partitioning allows tables, indexes, and indexed views to be created on multiple filegroups while also allowing the database administrator (DBA) to specify which portion of the object will be stored on a specific filegroup.<br />
    87. 87. The process for partitioning<br />For partitioning of a table, index, or indexed view do the following:<br />Create a partition function.<br />Create a partition scheme mapped to a partition function.<br />Create the table, index, or indexed view on the partition scheme.<br />
    88. 88. Creating a Partition Function<br />A partition function defines the boundary points that will be used to split data across a partition scheme. <br />The data type for a partition function can be any native SQL Server data type, except:<br />text,<br />ntext, <br />image, <br />varbinary(max), <br />timestamp, <br />xml, <br />varchar(max)<br />
    89. 89. Partition Function<br />CREATE PARTITION FUNCTION<br />mypartfunction (int)<br />AS RANGE LEFT<br />FOR VALUES (10,20,30,40,50,60)<br />CREATE PARTITION FUNCTION<br />mypartfunction (int)<br />AS RANGE RIGHT<br />FOR VALUES (10,20,30,40,50,60)<br />
    90. 90. Practice Partitioning<br />Self-paced Training Kit, page 140<br />
    91. 91. Creating a Partition Scheme<br />A partition scheme defines the storage structures and collection of filegroups that you want to use with a given partition function. <br />CREATE PARTITION SCHEME partition_scheme_name<br />AS PARTITION partition_function_name<br />[ ALL ] TO ( { file_group_name | [ PRIMARY ] } [ ,...n ] )<br />Create a partition scheme as described on p.143-144<br />Run the following commands to check the results:<br />SELECT * FROM sys.partition_range_values;<br />SELECT * FROM sys.partition_schemes;<br />
    92. 92. Creating Partitioned Tables and Indexes<br />CREATE TABLE Employee (EmployeeID int NOT NULL,<br />FirstName varchar(50) NOT NULL,<br />LastName varchar(50) NOT NULL)<br />ON mypartscheme(EmployeeID);<br />GO<br />CREATE NONCLUSTERED INDEX idx_employeefirtname<br />ON dbo.Employee(FirstName) ON mypartscheme(EmployeeID);<br />GO<br />
    93. 93. Split and Merge Operators<br />The SPLIT operator introduces a new boundary point into a partition function. MERGE eliminates a boundary point from a partition function. The general syntax is as follows:<br />ALTER PARTITION FUNCTION partition_function_name()<br />{SPLIT RANGE ( boundary_value )<br />| MERGE RANGE ( boundary_value ) } [ ; ]<br />
    94. 94. Altering a Partition Scheme<br />You can add filegroups to an existing partition scheme to create more storage space for a partitioned table. The general syntax is as follows:<br />ALTER PARTITION SCHEME partition_scheme_name<br />NEXT USED [ filegroup_name ] [ ; ]<br />The NEXT USED clause has two purposes:<br />It adds a new filegroup to the partition scheme, if the specified filegroup is not already part of the partition scheme.<br />It marks the NEXT USED property for a filegroup.<br />The filegroup that is marked with the NEXT USED flag is the filegroup that contains the next partition that is created when a SPLIT operation is executed.<br />
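The partitioning steps from the preceding slides (function, scheme, table, then SPLIT, MERGE and NEXT USED) as one script. This is an added example, not part of the original slides; the names pf_left, pf_right, ps_demo and dbo.EmployeeDemo are hypothetical, and every partition is placed on the PRIMARY filegroup so the script runs in any scratch database.

```sql
-- Added example: object names are hypothetical; run in a scratch database.

-- 1. Two partition functions with the same boundaries, differing only in
--    RANGE LEFT / RANGE RIGHT. With LEFT a boundary value belongs to the
--    partition on its left; with RIGHT it belongs to the partition on its right.
CREATE PARTITION FUNCTION pf_left (int)  AS RANGE LEFT  FOR VALUES (10, 20, 30);
GO
CREATE PARTITION FUNCTION pf_right (int) AS RANGE RIGHT FOR VALUES (10, 20, 30);
GO

-- $PARTITION returns the partition number a value maps to, so the two
-- columns differ exactly on the boundary values (10 and 30 here).
SELECT v.n,
       $PARTITION.pf_left(v.n)  AS left_partition,
       $PARTITION.pf_right(v.n) AS right_partition
FROM (VALUES (9), (10), (11), (30), (31)) AS v(n);
GO

-- 2. Partition scheme mapped to the function. ALL TO sends every partition
--    to a single filegroup, which is enough for a demonstration.
CREATE PARTITION SCHEME ps_demo
AS PARTITION pf_right ALL TO ([PRIMARY]);
GO

-- 3. Table created on the scheme, partitioned by EmployeeID.
CREATE TABLE dbo.EmployeeDemo (
    EmployeeID int         NOT NULL,
    FirstName  varchar(50) NOT NULL,
    LastName   varchar(50) NOT NULL
) ON ps_demo (EmployeeID);
GO

INSERT INTO dbo.EmployeeDemo (EmployeeID, FirstName, LastName)
VALUES (5, 'A', 'One'), (10, 'B', 'Two'), (25, 'C', 'Three'), (45, 'D', 'Four');
GO

-- Rows per partition before any change to the function.
SELECT p.partition_number, p.rows
FROM sys.partitions AS p
WHERE p.object_id = OBJECT_ID(N'dbo.EmployeeDemo')
  AND p.index_id IN (0, 1)          -- heap or clustered index only
ORDER BY p.partition_number;
GO

-- 4. SPLIT needs a filegroup marked NEXT USED to hold the new partition.
ALTER PARTITION SCHEME ps_demo NEXT USED [PRIMARY];
GO
ALTER PARTITION FUNCTION pf_right() SPLIT RANGE (40);
GO

-- 5. MERGE removes a boundary; the two adjacent partitions become one.
ALTER PARTITION FUNCTION pf_right() MERGE RANGE (10);
GO

-- 6. Boundaries and row distribution after SPLIT and MERGE.
SELECT pf.name, pf.boundary_value_on_right, prv.boundary_id, prv.value
FROM sys.partition_functions AS pf
JOIN sys.partition_range_values AS prv
  ON prv.function_id = pf.function_id
WHERE pf.name = N'pf_right'
ORDER BY prv.boundary_id;

SELECT p.partition_number, p.rows
FROM sys.partitions AS p
WHERE p.object_id = OBJECT_ID(N'dbo.EmployeeDemo')
  AND p.index_id IN (0, 1)
ORDER BY p.partition_number;
GO

-- Cleanup, in dependency order.
DROP TABLE dbo.EmployeeDemo;
DROP PARTITION SCHEME ps_demo;
DROP PARTITION FUNCTION pf_right;
DROP PARTITION FUNCTION pf_left;
GO
```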
    95. 95. Switch Operator<br />SQL Server stores data on pages in a doubly linked list. To locate and access data, SQL Server performs the following basic process:<br />1. Resolve the table name to an object ID.<br />2. Locate the entry for the object ID in sys.indexes to extract the first page for the object.<br />3. Read the first page of the object.<br />4. Using the Next Page and Previous Page entries on each data page, walk the page chain to locate the data required.<br />The SWITCH operator allows you to exchange partitions between tables in a perfectly scalable manner with no locking, blocking, or deadlocking.<br />
    96. 96. Practice<br />Review the script provided in the file <br /> Practice Distributing and Partitioning.sql<br />Run each step individually. Observe the results, and describe the purpose of each step in comments. <br />
    97. 97. Importing and Exporting Data<br />1.5 hours<br />
    98. 98. Bulk Copy Program (BCP)<br />BCP is a program that allows you to:<br />import data from a file into a table; <br />export data from a table to a file.<br />bcp {[[database_name.][owner].]{table_name | view_name} | "query"}<br />{in | out | queryout | format} data_file<br />[-mmax_errors] [-fformat_file] [-x] [-eerr_file]<br />[-Ffirst_row] [-Llast_row] [-bbatch_size]<br />[-n] [-c] [-w] [-N] [-V (60 | 65 | 70 | 80)] [-6]<br />[-q] [-C { ACP | OEM | RAW | code_page } ] [-tfield_term]<br />[-rrow_term] [-iinput_file] [-ooutput_file] [-apacket_size]<br />[-Sserver_name[\instance_name]] [-Ulogin_id] [-Ppassword]<br />[-T] [-v] [-R] [-k] [-E] [-h"hint [,...n]"]<br />C:\>bcp master..sysobjects out c:\test\sysobjects.txt -c -t, -T -S <servername><br />C:\>bcp AdventureWorks.Sales.SalesOrderDetail out c:\test\AdventureWorks.Sales.SalesOrderDetail.txt -c -t, -T -S <servername><br />
    99. 99. BCP (continued)<br />The switches used are:<br /> -c Output in ASCII with the default field terminator (tab) and row terminator (crlf)<br /> -t Override the field terminator with ","<br /> -T Use a trusted connection. Note that -U and -P may be used for username/password<br /> -S Connect to this server to execute the command<br />Note that, like DTS/SSIS, BCP is a client utility, hence you need to supply the connection information.<br />For transfer of data between SQL servers, in place of -c, use -n or -N for native data format (-N = Unicode). This is much faster and avoids data conversion problems. <br />
    100. 100. BULK INSERT<br /> BULK INSERT is a T-SQL command that allows you to import data from a file into a table. <br /> BULK INSERT cannot export data.<br />BULK INSERT<br />[ database_name . [ schema_name ] . | schema_name . ] [ table_name | view_name ]<br />FROM 'data_file'<br />[ WITH<br />( [ [ , ] BATCHSIZE = batch_size ] [ [ , ] CHECK_CONSTRAINTS ]<br />[ [ , ] CODEPAGE = { 'ACP' | 'OEM' | 'RAW' | 'code_page' } ]<br />[ [ , ] DATAFILETYPE = { 'char' | 'native'| 'widechar' | 'widenative' } ]<br />[ [ , ] FIELDTERMINATOR = 'field_terminator' ] [ [ , ] FIRSTROW = first_row ]<br />[ [ , ] FIRE_TRIGGERS ] [ [ , ] FORMATFILE = 'format_file_path' ]<br />[ [ , ] KEEPIDENTITY ] [ [ , ] KEEPNULLS ]<br />[ [ , ] KILOBYTES_PER_BATCH = kilobytes_per_batch ] [ [ , ] LASTROW = last_row ]<br />[ [ , ] MAXERRORS = max_errors ] [ [ , ] ORDER ( { column [ ASC | DESC ] } [ ,...n ] ) ]<br />[ [ , ] ROWS_PER_BATCH = rows_per_batch ] [ [ , ] ROWTERMINATOR = 'row_terminator' ]<br />[ [ , ] TABLOCK ] [ [ , ] ERRORFILE = 'file_name' ] )]<br />
    101. 101. BULK INSERT (continued)<br />DECLARE @bulk_cmd varchar(1000)<br />SET @bulk_cmd = 'BULK INSERT MyFirstDatabase..SalesOrderDetail<br />FROM ''C:\test\AdventureWorks.Sales.SalesOrderDetail.txt'' <br />WITH (DATAFILETYPE = ''char'', FIELDTERMINATOR = '','')'<br />EXEC(@bulk_cmd)<br />GO<br />SELECT * FROM SalesOrderDetail<br />GO<br />
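The slide builds the BULK INSERT statement as a string and runs it with EXEC; the FROM clause accepts only a literal file name, so a variable path always ends up concatenated into such a string. When that path comes from a caller rather than a constant, the concatenation is an injection point. The added example below (not from the original slides) wraps the same statement in a hypothetical procedure, dbo.usp_LoadSalesOrderDetail, that validates and escapes the path first; the import directory C:\test\ and the .txt suffix are assumptions.

```sql
-- Added example: dbo.usp_LoadSalesOrderDetail is a hypothetical wrapper.
-- The target table is the one used on the slide; the allowed directory
-- (C:\test\) and file suffix (.txt) are assumptions for illustration.
CREATE PROCEDURE dbo.usp_LoadSalesOrderDetail
    @data_file nvarchar(260)
AS
BEGIN
    SET NOCOUNT ON;

    -- Accept only files directly under the import directory, and reject
    -- parent-directory references and characters that have no place in
    -- an import file name (quotes, semicolons).
    IF @data_file IS NULL
       OR @data_file NOT LIKE N'C:\test\%.txt'
       OR @data_file LIKE N'%..%'
       OR @data_file LIKE N'%[''";]%'
    BEGIN
        RAISERROR(N'Rejected data file path.', 16, 1);
        RETURN;
    END;

    -- The table name is a constant, never caller input. The path is still
    -- escaped by doubling single quotes, so that a later loosening of the
    -- validation above does not reopen the injection.
    DECLARE @sql nvarchar(1000);
    SET @sql = N'BULK INSERT MyFirstDatabase..SalesOrderDetail FROM N'''
             + REPLACE(@data_file, N'''', N'''''')
             + N''' WITH (DATAFILETYPE = ''char'', FIELDTERMINATOR = '','', '
             + N'MAXERRORS = 0, CHECK_CONSTRAINTS)';

    EXEC sys.sp_executesql @sql;
END;
GO

-- Accepted: a plain file under the import directory.
EXEC dbo.usp_LoadSalesOrderDetail
     @data_file = N'C:\test\AdventureWorks.Sales.SalesOrderDetail.txt';
GO

-- Rejected by the validation: the path contains a quote and a semicolon.
EXEC dbo.usp_LoadSalesOrderDetail
     @data_file = N'C:\test\x.txt''; SELECT 1; --.txt';
GO
```

BULK INSERT requires the ADMINISTER BULK OPERATIONS permission in addition to INSERT on the target table, so a wrapper like this also lets ordinary callers be granted EXECUTE on one procedure instead of the server-level permission.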
    102. 102. SSIS – Import/Export Wizard <br />The Import and Export Wizard uses a subset of the SSIS feature set to move data between a source and destination.<br />Self-paced Training Kit, p.167-171, Practice 2.<br />
    103. 103. Designing Policy Based Management<br />1 hr.<br />
    104. 104. Designing Policies<br />SQL Server 2008 has a new feature called Policy Based Management, also known as the Declarative Management Framework (DMF), to tackle the problem of standardizing your SQL Server instances. <br />Policy Based Management introduces the following new objects that are used to design and check for compliance:<br />Facets<br />Conditions<br />Policies<br />Policy targets<br />Policy categories<br />
    105. 105. Facets and Conditions<br />Policies are created from a predefined set of facets.<br />Facets define the type of object or option to be checked, such as database, Surface Area, or login.<br />SQL Server ships with 74 facets, implemented as .NET assemblies, each with a unique set of properties.<br />Each facet contains a subgroup of SQL Server 2008 configuration settings and other events that you can control. You pair these facets with conditions in order to create a policy. Conditions are the values that are allowed for the properties of a facet, the configuration settings, or other events contained within that facet.<br />
    106. 106. Policies<br />Policies are created for a single condition and set to either enforce or check compliance. <br />The execution mode can be set as follows:<br />On demand – Evaluates the policy when directly executed by a user<br />On change, prevent – Creates data definition language (DDL) triggers to prevent a change that violates the policy<br />On change, log only – Checks the policy automatically when a change is made using the event notification infrastructure<br />On schedule – Creates a SQL Server Agent job to check the policy on a defined schedule<br />If a policy contains a condition that was defined using the advanced editor, the only available execution mode is On Demand.<br />
    107. 107. Policy Categories<br />Policy categories can be used to group one or more policies into a single compliance unit. If not specified, all policies belong to the DEFAULT category. <br />To check or enforce policies, you create a subscription to one or more policies. Subscription occurs at two levels—instance and database. <br />A member of the sysadmin role can subscribe an instance to a policy category. <br />Once subscribed, the owner of each database within the instance can subscribe their database to a policy category.<br />Each policy category has a Mandate property that applies to databases. <br />When a policy category is set to Mandate and a sysadmin subscribes the instance to a policy category, all databases that meet the target set are controlled by the policies within the policy category. <br />A policy subscription to a policy category set to Mandate cannot be overridden by a database owner.<br />
    108. 108. Creating New Condition<br />
    109. 109. Practice PBM<br />Self-paced Training Kit, p.184-191, Practices 1-5<br />
    110. 110. Backing up and Restoring Database<br />3 hrs.<br />
    111. 111. Backups<br />Backups are taken to reduce the risk of data loss.<br />Because it is more common to back up a database than to restore one, the backup engine is optimized for the backup process. <br />The only two parameters required for a backup are the name of the database and the backup device. Up to 64 devices could be used for a backup.<br />Because the backup process is not concerned with the ordering of pages, multiple threads can be used to write pages to the backup device.<br />When a backup is initiated, the backup engine grabs pages from the data files as quickly as possible, without regard to the order of pages.<br />
    112. 112. Backup Types<br />Full<br />Captures all pages within a database that contain data. Pages that do not contain data are not included in the backup. The database is fully operational during a full backup. The only operations that are not allowed during a full backup are:<br />Adding or removing a database file<br />Shrinking a database<br />Partial<br />Captures only the filegroups that can change. Read-only filegroups are not included, to minimize the size of the backup.<br />Differential<br />Captures all extents that have changed since the last full backup. The primary purpose of a differential backup is to reduce the number of transaction log backups that need to be restored. A differential backup has to be applied to a full backup and can’t exist until a full backup has been created.<br />Transaction log<br />Every change made to a database has an entry made to the transaction log. <br />Filegroup<br />Individual file or a filegroup backup.<br />
    113. 113. BACKUP DATABASE<br />BACKUP DATABASE { database_name | @database_name_var }<br />TO <backup_device> [ ,...n ]<br />[ <MIRROR TO clause> ] [ next-mirror-to ]<br />[ WITH { DIFFERENTIAL | <general_WITH_options> [ ,...n ] } ]<br /><backup_device>::= { { logical_device_name | @logical_device_name_var }<br />| { DISK | TAPE } =<br />{ 'physical_device_name' | @physical_device_name_var } }<br /><MIRROR TO clause>::= MIRROR TO <backup_device> [ ,...n ]<br /><general_WITH_options> [ ,...n ]::=<br />--Backup Set Options<br />COPY_ONLY | { COMPRESSION | NO_COMPRESSION }<br />| DESCRIPTION = { 'text' | @text_variable }<br />| NAME = { backup_set_name | @backup_set_name_var }<br />| PASSWORD = { password | @password_variable }<br />| { EXPIREDATE = { 'date' | @date_var }<br />| RETAINDAYS = { days | @days_var } }<br />--Media Set Options<br />{ NOINIT | INIT } | { NOSKIP | SKIP } | { NOFORMAT | FORMAT }<br />| MEDIADESCRIPTION = { 'text' | @text_variable }<br />| MEDIANAME = { media_name | @media_name_variable }<br />| MEDIAPASSWORD = { mediapassword | @mediapassword_variable }<br />| BLOCKSIZE = { blocksize | @blocksize_variable }<br />--Error Management Options<br />{ NO_CHECKSUM | CHECKSUM }<br />| { STOP_ON_ERROR | CONTINUE_AFTER_ERROR }<br />
    114. 114. Configuring Backup Devices<br />USE [master]<br />GO<br />EXEC master.dbo.sp_addumpdevice<br /> @devtype = N'disk', <br /> @logicalname = N'New Backup Device', <br /> @physicalname = N'C:\Test\New Backup Device.bak'<br />GO<br />
    115. 115. Backups Mirroring<br />One of the maxims of disaster recovery is that you can’t have enough copies of your backups. <br />The MIRROR TO clause provides a built-in capability to create up to four copies of a backup in a single operation. <br />When you include the MIRROR TO clause, SQL Server retrieves the page once from the database and writes a copy of the page to each backup mirror.<br />If you back up to tape, you must mirror to tape. If you back up to disk, you must mirror to disk.<br />During a restore operation, you can use any of the mirrors. <br />
    116. 116. Backup best practices<br />Design and implement a well-thought-out backup strategy to suit the needs of your organization<br />Perform backups more often<br />Decrease backup times by using compression<br />Use various media for backups<br />Increase the number of backup copies<br />Keep backup copies at different places<br />Allocate only a single backup per file<br />Use meaningful names for the backup files<br />
    117. 117. Database backup strategy<br />
    118. 118. Transaction Log Backups<br />Every change made to a database has an entry made to the transaction log.<br />Each row is assigned a unique number internally called the Log Sequence Number (LSN).<br />The contents of a transaction log are broken down into two basic parts:<br />Inactive - contains all the changes that have been committed to the database.<br />Active - contains all the changes that have not yet been committed<br />Based on the sequence number, it is possible to restore one transaction log backup after another to recover a database to any point in time by simply following the chain of transactions as identified by the LSN.<br />Before you can issue a transaction log backup, you must execute a full backup.<br />
    119. 119. BACKUP LOG Command<br />BACKUP LOG { database_name | @database_name_var }<br />TO <backup_device> [ ,...n ]<br />[ <MIRROR TO clause> ] [ next-mirror-to ]<br />[ WITH { <general_WITH_options> | <log-specific_optionspec> } [ ,...n ] ][;]<br />
    120. 120. Differential Backups<br />A differential backup contains all pages changed since the last full backup. For example, if a full backup was taken at midnight and a differential backup occurred every four hours, both the 4 A.M. backup and the 8 A.M. backup would contain all the changes made to the database since midnight.<br />Each database has, in its header, a special page called the Differential Change Map (DCM). The DCM keeps a counter of the changes that have occurred since the last full backup.<br />A full backup zeroes out the contents of the DCM.<br />
    121. 121. COPY_ONLY Option<br />The COPY_ONLY option allows you to create a backup that can be used to build a development or test environment, because it does not affect the database state or the set of backups in production. <br />A full backup with the COPY_ONLY option does not reset the differential change map page and therefore has no impact on differential backups. <br />A transaction log backup with the COPY_ONLY option does not remove transactions from the transaction log.<br />
    122. 122. Filegroup Backups<br />File or filegroup backups are used to reduce the footprint of a backup, because they target only a portion of a database.<br />Because a successful recovery of a database needs all the files underneath a filegroup to be in exactly the same state, it is a good idea to back up a filegroup rather than individual files. <br />Filegroup backups can be used in conjunction with differential and transaction log backups to recover a portion of the database in the event of a failure. <br />The database can remain online and accessible to applications during the restore operation. Only the portion of the database being restored is off-line.<br />
    123. 123. Partial Backups<br />BACKUP DATABASE database_name READ_WRITE_FILEGROUPS [,<file_filegroup_list>] TO <backup_device><br />When executed, SQL Server backs up the primary filegroup, all read/write filegroups, and any explicitly specified read-only filegroups.<br />Partial backups are used only to save backup space by excluding read-only filegroups from the backup. <br />
    124. 124. Identifying bad pages<br />By executing the following command, SQL Server detects and quarantines corrupted pages:<br />ALTER DATABASE <dbname> SET PAGE_VERIFY CHECKSUM<br />If the database is participating in a Database Mirroring session, a copy of the corrupt page is retrieved from the mirror. If the page on the mirror is intact, the corrupt page is repaired automatically with the page retrieved from the mirror.<br />To protect databases from massive corruption, SQL Server 2008 limits the allowed number of corrupted pages to a total of 1,000 per database.<br />If the corrupt page limit is reached, SQL Server takes the database off-line and places it in a suspect state to protect it from further damage.<br />
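The CHECKSUM option listed under the BACKUP DATABASE error management options and the PAGE_VERIFY CHECKSUM setting above work together; the added script below (not part of the original slides) shows how to check both and where SQL Server records the pages it has flagged. The database name myDatabase and the backup path are placeholders.

```sql
-- Added example: myDatabase and the backup file path are placeholders.

-- 1. Databases that are NOT using CHECKSUM page verification.
SELECT name, page_verify_option_desc
FROM sys.databases
WHERE page_verify_option_desc <> N'CHECKSUM';
GO

-- 2. Pages that SQL Server has recorded as suspect, with the reason.
SELECT DB_NAME(sp.database_id) AS database_name,
       sp.file_id,
       sp.page_id,
       CASE sp.event_type
            WHEN 1 THEN N'823 or unspecified 824 error'
            WHEN 2 THEN N'Bad checksum'
            WHEN 3 THEN N'Torn page'
            WHEN 4 THEN N'Restored'
            WHEN 5 THEN N'Repaired by DBCC'
            WHEN 7 THEN N'Deallocated by DBCC'
       END AS event_description,
       sp.error_count,
       sp.last_update_date
FROM msdb.dbo.suspect_pages AS sp
ORDER BY sp.last_update_date DESC;
GO

-- 3. Back up with CHECKSUM: page checksums are verified while the pages
--    are read, and a checksum over the backup itself is written.
--    STOP_ON_ERROR makes the backup fail instead of capturing a bad page.
BACKUP DATABASE myDatabase
TO DISK = N'C:\Test\myDatabase.bak'
WITH CHECKSUM, STOP_ON_ERROR, INIT;
GO

-- 4. Verify the backup file without restoring it, re-checking the checksums.
RESTORE VERIFYONLY
FROM DISK = N'C:\Test\myDatabase.bak'
WITH CHECKSUM;
GO

-- 5. Backups from the last 7 days that were taken without checksums
--    or that are flagged as damaged in the backup history.
SELECT bs.database_name,
       bs.backup_finish_date,
       bs.type,                     -- D = full, I = differential, L = log
       bs.has_backup_checksums,
       bs.is_damaged
FROM msdb.dbo.backupset AS bs
WHERE bs.backup_finish_date >= DATEADD(DAY, -7, GETDATE())
  AND (bs.has_backup_checksums = 0 OR bs.is_damaged = 1)
ORDER BY bs.backup_finish_date DESC;
GO
```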
    125. 125. Maintenance Plans (SSIS)<br />Maintenance plans provide a mechanism to graphically create job workflows that support common administrative functions such as backup, re-indexing, and space management.<br />Tasks that are supported by maintenance plans are:<br />Backing up of databases and transaction logs<br />Shrinking databases<br />Re-indexing<br />Updating of statistics<br />Performing consistency checks<br />The most common tasks performed by maintenance plans are database backups.<br />
    126. 126. Certificates and Master Keys<br />Transparent data encryption (TDE) is a new encryption feature introduced in Microsoft SQL Server 2008.<br />SQL Server offers two levels of encryption: database-level and cell-level. Both use the key management hierarchy.<br />When TDE is enabled on a database, all backups are encrypted.<br />
    129. 129. Enabling TDE
        To enable TDE, you must have the normal permissions associated with creating a database master key and certificates in the master database. You must also have CONTROL permissions on the user database.
        To enable TDE, perform the following steps in the master database:
        1. If it does not already exist, create a database master key (DMK) for the master database. Ensure that the database master key is encrypted by the service master key (SMK).
            CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'some password';
        2. Either create or designate an existing certificate for use as the database encryption key (DEK) protector. For the best security, it is recommended that you create a new certificate whose only function is to protect the DEK. Ensure that this certificate is protected by the DMK.
            CREATE CERTIFICATE tdeCert WITH SUBJECT = 'TDE Certificate';
        3. Create a backup of the certificate with the private key and store it in a secure location. (Note that the private key is stored in a separate file; be sure to keep both files.) Be sure to maintain backups of the certificate, as data loss may occur otherwise.
            BACKUP CERTIFICATE tdeCert TO FILE = 'path_to_file'
                WITH PRIVATE KEY (
                    FILE = 'path_to_private_key_file',
                    ENCRYPTION BY PASSWORD = 'cert password');
        4. Optionally, enable SSL on the server to protect data in transit.
        Perform the following steps in the user database. These require CONTROL permissions on the database.
        5. Create the database encryption key (DEK) encrypted with the certificate designated from step 2 above. This certificate is referenced as a server certificate to distinguish it from other certificates that may be stored in the user database.
            CREATE DATABASE ENCRYPTION KEY
                WITH ALGORITHM = AES_256
                ENCRYPTION BY SERVER CERTIFICATE tdeCert;
        6. Enable TDE. This command starts a background thread (referred to as the encryption scan), which runs asynchronously.
            ALTER DATABASE myDatabase SET ENCRYPTION ON;
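Because the encryption scan runs asynchronously and every backup of a TDE database is encrypted, two checks follow naturally from the steps above: confirming the scan has finished, and proving the certificate backup is usable on another instance. The script below is an added example, not part of the original slides; `tdeCert` and `myDatabase` come from the slide, while the file paths, passwords and backup location are placeholders.

```sql
-- Added example (not from the course material).
-- Part 1: on the source instance, watch the encryption scan.
USE master;
GO
SELECT  DB_NAME(dek.database_id)   AS database_name,
        dek.encryption_state,       -- 2 = encryption in progress, 3 = encrypted
        dek.percent_complete,       -- progress of a running scan, 0 when idle
        dek.key_algorithm,
        dek.key_length,
        c.name                      AS protecting_certificate,
        c.pvt_key_last_backup_date  -- NULL: the private key has never been backed up
FROM    sys.dm_database_encryption_keys AS dek
LEFT JOIN sys.certificates AS c
       ON c.thumbprint = dek.encryptor_thumbprint;
-- tempdb also appears here: it is encrypted as soon as any database
-- on the instance has TDE enabled.
GO

-- Part 2: on the instance that must restore the backup.
-- Without the certificate AND its private key the RESTORE fails,
-- because the server certificate that protects the DEK cannot be found.
USE master;
GO
-- A DMK must exist in master on this instance too (placeholder password).
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong password for this instance>';
GO
-- Re-create the certificate from the two files written by BACKUP CERTIFICATE.
CREATE CERTIFICATE tdeCert
    FROM FILE = 'path_to_file'
    WITH PRIVATE KEY (
        FILE = 'path_to_private_key_file',
        DECRYPTION BY PASSWORD = 'cert password');
GO
-- Placeholder backup path; the restored database stays TDE-encrypted.
RESTORE DATABASE myDatabase
    FROM DISK = 'path_to_backup_file'
    WITH RECOVERY;
GO
```

Running part 2 on a scratch instance right after step 3 is the practical test that the certificate backup and its password are actually recoverable.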
    130. 130. Service Master Key (SMK)
        The Service Master Key is the root of the SQL Server encryption hierarchy. It is generated automatically the first time it is needed to encrypt another key. By default, the Service Master Key is encrypted using the Windows data protection API and using the local machine key.
        Each time that you change the SQL Server service account or service account password, the service master key is regenerated.
        The first action that you should take after an instance is started is to back up the service master key.
        You should also back up the service master key immediately following a change to the service account or service account password.
            BACKUP SERVICE MASTER KEY TO FILE = 'path_to_file'
                ENCRYPTION BY PASSWORD = 'password'
    131. 131. Database Master Key (DMK)
        The database master key (DMK) is the root of the encryption hierarchy in a database.
        To ensure that you can access certificates, asymmetric keys, and symmetric keys within a database, you need to have a backup of the DMK.
            BACKUP MASTER KEY TO FILE = 'path_to_file'
                ENCRYPTION BY PASSWORD = 'password'
        Before you can back up a DMK, it must be open. By default, a DMK is encrypted with the service master key. If the DMK is encrypted only with a password, you must first open the DMK by using the following command:
            USE <database name>;
            OPEN MASTER KEY DECRYPTION BY PASSWORD = '<SpecifyStrongPasswordHere>';
    132. 132. Certificates
        Certificates are used to encrypt data as well as digitally sign code modules. Although you could create a new certificate to replace the digital signature in the event of the loss of a certificate, you must have the original certificate to access any data that was encrypted with the certificate.
        Certificates have both a public and a private key. You should back up a certificate immediately after creation by using the following command:
            BACKUP CERTIFICATE certname TO FILE = 'path_to_file'
            [ WITH PRIVATE KEY
            ( FILE = 'path_to_private_key_file' ,
            ENCRYPTION BY PASSWORD = 'encryption_password'
            [ , DECRYPTION BY PASSWORD = 'decryption_password' ] ) ]
        You can back up just the public key by using the following command:
            BACKUP CERTIFICATE certname TO FILE = 'path_to_file'
        However, if you restore a backup of a certificate containing only the public key, SQL Server generates a new private key.
    133. 133. Validating a Backup
        To validate a backup, execute the following command:
            RESTORE VERIFYONLY FROM <backup device>
        When a backup is validated, SQL Server performs the following checks:
            Calculates a checksum for the backup and compares to the checksum stored in the backup file
            Verifies that the header of the backup is correctly written and valid
            Transits the page chain to ensure that all pages are contained in the database and can be located
    134. 134. Database Restores
        All restore sequences begin with either a full backup or filegroup backup.
        When restoring backups, you have the option to terminate the restore process at any point and make the database available for transactions.
        After the database or filegroup being restored has been brought online, you can't apply any additional differential or transaction log backups to the database.
    135. 135. Restoring a Full Backup
            RESTORE DATABASE { database_name | @database_name_var }
            [ FROM <backup_device> [ ,...n ] ]
            [ WITH {[ RECOVERY | NORECOVERY |
            STANDBY = {standby_file_name | @standby_file_name_var } ]
            | , <general_WITH_options> [ ,...n ]
            | , <replication_WITH_option>
            | , <change_data_capture_WITH_option>
            | , <service_broker_WITH options>
            | , <point_in_time_WITH_options—RESTORE_DATABASE>
            } [ ,...n ]
            ]
            <general_WITH_options> [ ,...n ]::=
            --Restore Operation Options
            MOVE 'logical_file_name_in_backup' TO 'operating_system_file_name'
            [ ,...n ] | REPLACE | RESTART | RESTRICTED_USER
        When a RESTORE command is issued, if the database does not already exist within the instance, SQL Server creates the database along with all files underneath the database. The REPLACE option is used to force the restore over the top of an existing database.
    136. 136. Database state after the Restore has completed
        If you want the database to be online and accessible for transactions after the RESTORE operation has completed, you need to specify the RECOVERY option.
        When a RESTORE is issued with the NORECOVERY option, the restore completes, but the database is left in a RECOVERING state such that subsequent differential and/or transaction log backups can be applied.
        The STANDBY option can be used to allow you to issue SELECT statements against the database while still issuing additional differential and/or transaction log restores.
        If you restore a database with the STANDBY option, an additional file is created to make the database consistent as of the last restore that was applied.
    137. 137. Restoring a Differential Backup
        A differential restore uses the same command syntax as a full database restore.
        When the full backup has been restored, you can then restore the most recent differential backup.
    138. 138. Restoring a Transaction Log Backup
            RESTORE LOG { database_name | @database_name_var }
            [ <file_or_filegroup_or_pages> [ ,...n ] ]
            [ FROM <backup_device> [ ,...n ] ]
            [ WITH {[ RECOVERY | NORECOVERY |
            STANDBY = {standby_file_name | @standby_file_name_var } ]
            | , <general_WITH_options> [ ,...n ]
            | , <replication_WITH_option>
            | , <point_in_time_WITH_options—RESTORE_LOG> } [ ,...n ] ]
            <point_in_time_WITH_options—RESTORE_LOG>::=
            | { STOPAT = { 'datetime' | @datetime_var }
            | STOPATMARK = { 'mark_name' | 'lsn:lsn_number' }
            [ AFTER 'datetime' ]
            | STOPBEFOREMARK = { 'mark_name' | 'lsn:lsn_number' }
            [ AFTER 'datetime' ]
        The STOPAT option lets you specify a date and time to which SQL Server restores.
        The STOPATMARK and STOPBEFOREMARK options let you specify either an LSN or a transaction log MARK to use as the stopping point in the restore operation.
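The restore slides above (full, differential, log, and the RECOVERY/NORECOVERY states) combine into one sequence when a database has to be rolled back to just before a damaging change. This is an added example, not part of the original slides; the database name `Sales`, the backup file paths and the timestamps are constructed placeholders.

```sql
-- Added example (not from the course material). Constructed scenario:
-- full backup on Sunday, differential on Wednesday 12:00, log backups
-- at 13:00 and 14:00, unwanted change committed at 14:32.

-- Validate the backups before depending on them.
RESTORE VERIFYONLY FROM DISK = 'D:\Backup\Sales_full.bak';
RESTORE VERIFYONLY FROM DISK = 'D:\Backup\Sales_diff.bak';

-- Back up the tail of the log so nothing committed is lost.
-- WITH NORECOVERY leaves the database in the restoring state.
BACKUP LOG Sales
    TO DISK = 'D:\Backup\Sales_tail.trn'
    WITH NORECOVERY;

-- 1. Every sequence starts with the full backup; keep the database
--    non-operational so later backups can still be applied.
RESTORE DATABASE Sales
    FROM DISK = 'D:\Backup\Sales_full.bak'
    WITH NORECOVERY;

-- 2. Most recent differential only.
RESTORE DATABASE Sales
    FROM DISK = 'D:\Backup\Sales_diff.bak'
    WITH NORECOVERY;

-- 3. Every log backup taken after the differential, in order.
RESTORE LOG Sales FROM DISK = 'D:\Backup\Sales_log_1300.trn' WITH NORECOVERY;
RESTORE LOG Sales FROM DISK = 'D:\Backup\Sales_log_1400.trn' WITH NORECOVERY;

-- 4. Tail of the log, stopped one minute before the bad change,
--    then bring the database online. No further backups can be
--    applied after RECOVERY.
RESTORE LOG Sales
    FROM DISK = 'D:\Backup\Sales_tail.trn'
    WITH STOPAT = '2009-06-17T14:31:00', RECOVERY;

-- Confirm the database is back online.
SELECT name, state_desc FROM sys.databases WHERE name = 'Sales';
```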
    139. 139. Restore a Corrupt Page
        Page corruption occurs when the contents of a page are not consistent. It usually occurs when a disk controller begins to fail.
        Strategy for recovery:
            Index files – drop and re-create
            Data files – restore
        Page restore has several requirements:
            The database must be in either the Full or Bulk-logged recovery model.
            You must be able to create a transaction log backup.
            A page restore can apply only to a read/write filegroup.
            You must have a valid full, file, or filegroup backup available.
            The page restore cannot be executed at the same time as any other restore operation.
    140. 140. Page Restore Process
        1. Retrieve the PageID of the damaged page.
        2. Using the most recent full, file, or filegroup backup, execute the following command:
            RESTORE DATABASE database_name
            PAGE = 'file:page [ ,...n ]' [ ,...n ]
            FROM <backup_device> [ ,...n ]
            WITH NORECOVERY
        3. Restore any differential backups with the NORECOVERY option.
        4. Restore any additional transaction log backups with the NORECOVERY option.
        5. Create a transaction log backup.
        6. Restore the transaction log backup from step #5 using the WITH RECOVERY option.
    141. 141. Best Effort Restore
        Because pages are restored in sequential order, as soon as the first page has been restored to a database, anything that previously existed is no longer valid.
        If a problem with the backup media was subsequently encountered and the restore aborted, you would be left with an invalid database that could not be used.
        SQL Server has the ability to continue the restore operation even if the backup media is damaged. When it encounters an unreadable section of the backup file, SQL Server can continue past the source of damage and continue restoring as much of the database as possible.
        This feature is referred to as best effort restore.
        To restore from backup media that has been damaged, you need to specify the CONTINUE_AFTER_ERROR option for a RESTORE DATABASE or RESTORE LOG command.
    142. 142. Database Snapshots
        A Database Snapshot is a point-in-time, read-only copy of a database.
        Database Snapshot is available only in SQL Server 2008 Enterprise.
        Database Snapshot is not compatible with FILESTREAM. If you create a Database Snapshot against a database with FILESTREAM data, the FILESTREAM filegroup is disabled and not accessible.
            CREATE DATABASE database_snapshot_name
            ON
            (NAME = logical_file_name,
            FILENAME = 'os_file_name') [ ,...n ]
            AS SNAPSHOT OF source_database_name
    143. 143. Reverting Data Using a Database Snapshot
            RESTORE DATABASE <database_name> FROM DATABASE_SNAPSHOT = <database_snapshot_name>
        Only a single Database Snapshot can exist for the source database.
        Full-text catalogs on the source database must be dropped and then re-created after the revert completes.
        Because the transaction log is rebuilt, the transaction log chain is broken.
        Both the source database and Database Snapshot are off-line during the revert process.
        The source database cannot be enabled for FILESTREAM.
    144. 144. Automating SQL Server
        2 hrs
    145. 145. SQL Server Agent Service
        SQL Server Agent Service is a scheduling engine for SQL Server.
    146. 146. Practice SQL Automation
        Jobs – Self-paced Training Kit, p.237-240
        Alerts – Self-paced Training Kit, p.243-245
    147. 147. Practice Test, Review and Questions
        10 questions, lesson 1, time 20 minutes
    148. 148. Designing SQL Server Security
        5 hours
    149. 149. Exam objectives
        Manage logins and server roles.
        Manage users and database roles.
        Manage SQL Server instance permissions.
        Manage database permissions.
        Manage schema permissions and object permissions.
        Audit SQL Server instances.
        Manage transparent data encryption (TDE).
        Configure surface area.
    150. 150. Identity and Access Control (Database Engine)
        When configuring security for users, services and other accounts to access the system, you work with:
            Principals (users and login accounts),
            Roles (groups of Principals),
            Securable objects (Securables) and
            Permissions.
    151. 151. Principals of the Database Engine
        Principals are entities that can request SQL Server resources.
        Like other components of the SQL Server authorization model, principals can be arranged in a hierarchy.
        The scope of influence of a principal depends on the scope of the definition of the principal: Windows, server, database.
        Every principal has a security identifier (SID).
        Windows-level principals: Windows Domain Login, Windows Local Login
        SQL Server-level principal: SQL Server Login
        Database-level principals: Database User, Database Role, Application Role
    152. 152. sa Login
        The SQL Server sa login is a server-level principal.
        It is created by default when an instance is installed.
        In SQL Server 2005 and SQL Server 2008, the default database of sa is master.
    153. 153. public Database Role
        Every database user belongs to the public database role.
        When a user has not been granted or denied specific permissions on a securable, the user inherits the permissions granted to public on that securable.
    154. 154. INFORMATION_SCHEMA and sys
        Every database includes two entities that appear as users in catalog views:
            INFORMATION_SCHEMA
            sys
        These entities are required by SQL Server. They are not principals, and they cannot be modified or dropped.
    155. 155. Certificate-based SQL Server Logins
        Server principals with names enclosed by double hash marks (##) are for internal system use only.
        The following principals are created from certificates when SQL Server is installed, and should not be deleted.
            ##MS_SQLResourceSigningCertificate##
            ##MS_SQLReplicationSigningCertificate##
            ##MS_SQLAuthenticatorCertificate##
            ##MS_AgentSigningCertificate##
            ##MS_PolicyEventProcessingLogin##
            ##MS_PolicySigningCertificate##
            ##MS_PolicyTsqlExecutionLogin##
    156. 156. Client and Database Server
        By definition, a client and a database server are security principals and can be secured.
        These entities can be mutually authenticated before a secure network connection is established.
        SQL Server supports the Kerberos authentication protocol, which defines how clients interact with a network authentication service.
    157. 157. Database Users
        A database user is a principal at the database level.
        Every database user is a member of the public role.
        By default, the database includes a guest user when a database is created.
        Permissions granted to the guest user are inherited by users who do not have a user account in the database.
        The guest user cannot be dropped, but it can be disabled by revoking its CONNECT permission.
        The CONNECT permission can be revoked by executing REVOKE CONNECT FROM GUEST within any database other than master or tempdb.
    158. 158. Application Roles
        An application role is a database principal that enables an application to run with its own, user-like permissions.
        You can use application roles to enable access to specific data to only those users who connect through a particular application.
        Unlike database roles, application roles contain no members and are inactive by default.
        Application roles work with both authentication modes.
        Application roles are enabled by using sp_setapprole, which requires a password.
        Because application roles are a database-level principal, they can access other databases only through permissions granted in those databases to guest. Therefore, any database in which guest has been disabled will be inaccessible to application roles in other databases.
    Connecting with an Application Role
        The following steps make up the process by which an application role switches security contexts:
        1. A user executes a client application.
        2. The client application connects to an instance of SQL Server as the user.
        3. The application then executes the sp_setapprole stored procedure with a password known only to the application.
        4. If the application role name and password are valid, the application role is enabled.
        5. At this point the connection loses the permissions of the user and assumes the permissions of the application role.
        The permissions acquired through the application role remain in effect for the duration of the connection.
        In SQL Server, application roles cannot access server-level metadata because they are not associated with a server-level principal.
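The context switch described in the steps above can be observed directly from a query window. This is an added example, not part of the original slides; the role name `OrderEntryApp`, its password placeholder and the AdventureWorks table `Sales.SalesOrderHeader` are assumptions chosen for illustration.

```sql
-- Added example (not from the course material).
USE AdventureWorks;
GO
-- Hypothetical application role with read access to one table only.
CREATE APPLICATION ROLE OrderEntryApp
    WITH PASSWORD = '<app role password>',
         DEFAULT_SCHEMA = Sales;
GRANT SELECT ON OBJECT::Sales.SalesOrderHeader TO OrderEntryApp;
GO

-- What the client application does after connecting as the user.
DECLARE @cookie varbinary(8000);

SELECT USER_NAME() AS context_before;        -- the connecting user

-- The password travels in the batch text, so the connection itself
-- should be encrypted when this call is made over a network.
EXEC sp_setapprole
     @rolename      = 'OrderEntryApp',
     @password      = '<app role password>',
     @fCreateCookie = true,
     @cookie        = @cookie OUTPUT;

SELECT USER_NAME() AS context_during;        -- OrderEntryApp

-- Effective permissions are now those of the role, not of the user.
SELECT permission_name
FROM   fn_my_permissions('Sales.SalesOrderHeader', 'OBJECT');

-- Without a cookie the role stays active until the connection closes;
-- with one, the original user context can be restored explicitly.
EXEC sp_unsetapprole @cookie;

SELECT USER_NAME() AS context_after;         -- the connecting user again
GO
```

Since the role password lives in the application, its protection is only as good as the protection of the application's binaries and configuration.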
    161. 161. SIDs and IDs
        Server-Level Identification Number (SID): identifies the security context of the login and is unique within the server instance.
        Database-Level Identification Number (ID): identifies the user as a securable within the database.
        The maximum number of database users is determined by the size of the user ID field.
        The value of a user ID must be zero or a positive integer.
        In SQL Server 2000, the user ID is stored as a smallint consisting of 16 bits, one of which is the sign. For this reason, the maximum number of user IDs in SQL Server 2000 is 2^15 = 32,768.
        In SQL Server 2005 and later versions, the user ID is stored as an int consisting of 32 bits, one of which is the sign. These additional bits make it possible to assign 2^31 = 2,147,483,648 ID numbers.
    162. 162. Kerberos Authentication and SQL Server
        Kerberos is a network authentication protocol that provides a highly secure method to authenticate client and server entities (security principals) on a network.
        These security principals use authentication that is based on master keys and encrypted tickets.
        In the Kerberos protocol model, every client/server connection begins with authentication. If authentication is successful, session setup completes and a secure client/server session is established.
        SQL Server supports Kerberos indirectly through the Windows Security Support Provider Interface (SSPI) when SQL Server is using Windows Authentication.
        SQL Server 2008 supports Kerberos authentication on the following protocols:
            TCP/IP
            Named pipes
            Shared memory
    163. 163. Create a SQL Server Login
        To create a SQL Server login that uses Windows Authentication using Transact-SQL:
            CREATE LOGIN <name of Windows User> FROM WINDOWS;
            GO
        To create a SQL Server login that uses SQL Server Authentication (Transact-SQL):
            CREATE LOGIN <login name>
            WITH PASSWORD = '<password>' ;
            GO
    164. 164. Create a Database User
            USE <database name>
            GO
            CREATE USER <new user name>
            FOR LOGIN <login name> ;
            GO
    165. 165. Create a Database Schema
            USE <database name>
            GO
            CREATE SCHEMA <new schema name>
            AUTHORIZATION [new schema owner] ;
            GO
    166. 166. Server-Level Roles
        Server-Level Roles are security principals that group other principals.
        Roles are like groups in the Microsoft Windows operating system.
        Server-level roles are also named fixed server roles because you cannot create new server-level roles. Server-level roles are server-wide in their permissions scope.
        You can add SQL Server logins, Windows accounts, and Windows groups into server-level roles. Each member of a fixed server role can add other logins to that same role.
    167. 167. Server-level roles' capabilities
        sysadmin: Members can perform any activity in the server.
        serveradmin: Members can change server-wide configuration options and shut down the server.
        securityadmin: Members can manage logins and their properties. They can GRANT, DENY, and REVOKE server-level permissions. They can also GRANT, DENY, and REVOKE database-level permissions. Additionally, they can reset passwords for SQL Server logins.
        processadmin: Members can end processes that are running in an instance of SQL Server.
        setupadmin: Members can add and remove linked servers.
        bulkadmin: Members can run the BULK INSERT statement.
        diskadmin: The role is used for managing disk files.
        dbcreator: Members can create, alter, drop, and restore any database.
        public: Every SQL Server login belongs to the public server role. Only assign public permissions on any object when you want the object to be available to all users.
    168. 168. Database-Level Roles
        Database-level roles are database-wide in their permissions scope.
        There are two types of database-level roles in SQL Server:
            fixed database roles that are predefined in the database and
            flexible database roles that you can create.
        Members of the db_owner and db_securityadmin database roles can manage fixed database role membership.
        Only members of the db_owner database role can add members to the db_owner fixed database role.
        There are also some special-purpose fixed database roles in the msdb database.
        You can add any database account and other SQL Server roles into database-level roles. Each member of a fixed database role can add other logins to that same role.
    169. 169. Fixed database-level Roles' Capabilities
        db_owner: can perform all configuration and maintenance activities on the database, and can also drop the database.
        db_securityadmin: can modify role membership and manage permissions. Adding principals to this role could enable unintended privilege escalation.
        db_accessadmin: can add or remove access to the database for Windows logins, Windows groups, and SQL Server logins.
        db_backupoperator: can back up the database.
        db_ddladmin: can run any Data Definition Language (DDL) command in a database.
        db_datawriter: can add, delete, or change data in all user tables.
        db_datareader: can read all data from all user tables.
        db_denydatawriter: cannot add, modify, or delete any data in the user tables within a database.
        db_denydatareader: cannot read any data in the user tables within a database.
    170. 170. msdb Roles
        db_ssisadmin, db_ssisoperator, db_ssisltduser: can administer and use SSIS.
        dc_admin, dc_operator, dc_proxy: can administer and use the data collector.
        PolicyAdministratorRole: can perform all configuration and maintenance activities on Policy-Based Management policies and conditions.
        ServerGroupAdministratorRole, ServerGroupReaderRole: can administer and use registered server groups.
        Every database user belongs to the public database role. When a user has not been granted or denied specific permissions on a securable object, the user inherits the permissions granted to public on that object.
    171. 171. Credentials
        A credential is a record that contains the authentication information (credentials) required to connect to a resource outside SQL Server. This information is used internally by SQL Server. Most credentials contain a Windows user name and password.
        The information stored in a credential enables a user who has connected to SQL Server by way of SQL Server Authentication to access resources outside the server instance.
            CREATE CREDENTIAL credential_name
            WITH IDENTITY = 'identity_name' [ , SECRET = 'secret' ]
            [ FOR CRYPTOGRAPHIC PROVIDER cryptographic_provider_name ]
    172. 172. Securables
        Securables are the resources to which the SQL Server Database Engine authorization system regulates access.
        Some securables can be contained within others, creating nested hierarchies called "scopes" that can themselves be secured.
        The securable scopes are server, database, and schema.
    173. 173. Permissions
        Every SQL Server securable has associated permissions that can be granted to a principal.
        Returning the complete list of grantable permissions:
            SELECT * FROM fn_builtin_permissions(default);
        Returning the permissions on a particular class of objects:
            SELECT * FROM fn_builtin_permissions('assembly');
        Returning the permissions granted to the executing principal on an object:
            SELECT * FROM fn_my_permissions('Orders55', 'object');
    174. 174. Network Protocols and TDS Endpoints
        When the SQL Server Database Engine communicates with an application, it formats the communication in a Microsoft communication format called a tabular data stream (TDS) packet.
        The SQL Server Network Interface (SNI) protocol layer encapsulates the TDS packet inside a standard communication protocol, such as TCP/IP or named pipes.
        The server creates a SQL Server object called a TDS endpoint for each network protocol. On the server, the TDS endpoints are installed by SQL Server during SQL Server installation.
        Acting very similar to firewalls on the network, endpoints are a layer of security at the border between applications and a SQL Server instance.
    175. 175. Server Network Protocols
        The network protocols necessary to communicate with SQL Server from another computer are often not enabled for SQL Server during installation.
        To connect from a client computer, you may have to enable the TCP/IP, named pipes, or VIA protocol.
        The shared memory protocol is enabled by default on all installations, but can only be used to connect to Database Engine from a client application on the same computer.
    Secure Operation
        Securing SQL Server includes maintaining a secure environment and following all best practices for system security.
        Password Policy
        SQL Server can apply the same complexity and expiration policies used in Windows Server 2003 and later versions on passwords used inside SQL Server.
        Strong Passwords
        Microsoft SQL Server passwords can contain up to 128 characters, including letters, symbols, and digits. Because logins, user names, roles, and passwords are frequently used in Transact-SQL statements, certain symbols must be enclosed by double quotation marks (") or square brackets ([ ]).
        Passwords can be the weakest link in a server security deployment. You should always take great care when you select a password. A strong password has the following characteristics:
            Is at least 8 characters long.
            Combines letters, numbers, and symbol characters within the password.
            Is not found in a dictionary.
            Is not the name of a command.
            Is not the name of a person.
            Is not the name of a user.
            Is not the name of a computer.
            Is changed regularly.
            Is significantly different from previous passwords.
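The slides on logins, the guest user, fixed roles, permissions and password policy can be turned into a short review script for an existing instance, followed by a least-privilege setup. This is an added example, not part of the original slides; the login `ReportReader`, the role `SalesReaders`, the password placeholder and the AdventureWorks objects are assumptions.

```sql
-- Added example (not from the course material).
-- Review 1: SQL Server logins that bypass the Windows password policy.
SELECT name, is_policy_checked, is_expiration_checked, is_disabled
FROM   sys.sql_logins
WHERE  is_policy_checked = 0 OR is_expiration_checked = 0;

-- Review 2: who holds each fixed server role (sysadmin, securityadmin, ...).
SELECT r.name AS server_role, m.name AS member, m.type_desc
FROM   sys.server_role_members AS rm
JOIN   sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN   sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
ORDER  BY r.name, m.name;
GO

USE AdventureWorks;
GO
-- Review 3: does guest still hold CONNECT in this database?
SELECT dp.name, p.permission_name, p.state_desc
FROM   sys.database_permissions AS p
JOIN   sys.database_principals  AS dp
       ON dp.principal_id = p.grantee_principal_id
WHERE  dp.name = 'guest' AND p.permission_name = 'CONNECT';

-- Not valid in master or tempdb, as the Database Users slide notes.
REVOKE CONNECT FROM GUEST;
GO

-- Least-privilege setup: login -> user -> flexible role -> permissions.
CREATE LOGIN ReportReader
    WITH PASSWORD = '<strong password>',
         CHECK_POLICY = ON,        -- enforce Windows complexity rules
         CHECK_EXPIRATION = ON;    -- enforce Windows expiration rules
GO
CREATE USER ReportReader FOR LOGIN ReportReader;
CREATE ROLE SalesReaders;
EXEC sp_addrolemember 'SalesReaders', 'ReportReader';

-- Grant at schema scope, then carve out the sensitive table.
GRANT SELECT ON SCHEMA::Sales TO SalesReaders;
DENY  SELECT ON OBJECT::Sales.CreditCard TO SalesReaders;
GO

-- Verify from the user's own security context.
EXECUTE AS USER = 'ReportReader';
SELECT permission_name                       -- SELECT is listed
FROM   fn_my_permissions('Sales.SalesOrderHeader', 'OBJECT');
SELECT permission_name                       -- SELECT is absent (DENY wins)
FROM   fn_my_permissions('Sales.CreditCard', 'OBJECT');
REVERT;
GO
```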
    177. 177. SQL Server Asymmetric Keys
        Public Key Cryptography (PKI) is a form of message secrecy in which a user creates a public key and a private key.
        The private key is kept secret, whereas the public key can be distributed to others.
        Although the keys are mathematically related, the private key cannot be easily derived by using the public key.
        The public key is used to encrypt data and the private key is used to decrypt data.
        A message that is encrypted by using the public key can only be decrypted by using the correct private key.
        Since there are two different keys, these keys are asymmetric.
    178. 178. SQL Server Certificates
        A certificate is a digitally signed security object that contains a public (and optionally a private) key for SQL Server.
        Certificates and asymmetric keys are both ways to use asymmetric encryption.
        Certificates are often used as containers for asymmetric keys because they can contain more information such as expiry dates and issuers.
        There is no difference between the two mechanisms for the cryptographic algorithm, and no difference in strength given the same key length.
        Generally, you use a certificate to encrypt other types of encryption keys in a database, or to sign code modules.
        Certificates and asymmetric keys can decrypt data that the other encrypts.
        Generally, you use asymmetric encryption to encrypt a symmetric key for storage in a database.
        A public key does not have a particular format like a certificate would have, and you cannot export it to a file.
    179. 179. Using a Certificate in SQL Server
        Creating a certificate requires CREATE CERTIFICATE permission on the database. Only Windows logins, SQL Server logins, and application roles can own certificates. Groups and roles cannot own certificates.
        Creating a self-signed certificate:
            USE AdventureWorks;
            CREATE CERTIFICATE HiTech01
            ENCRYPTION BY PASSWORD = 'pGFD4bb925DGvbd2439587y'
            WITH SUBJECT = 'HiTech Institute',
            EXPIRY_DATE = '10/31/2010';
            GO
    180. 180. SQL Server Encryption
        Encryption is the process of obfuscating data by the use of a key or password.
        This can make the data useless without the corresponding decryption key or password.
        Encryption does not solve access control problems. However, it enhances security by limiting data loss even if access controls are bypassed.
        You can use encryption in SQL Server for connections, data, and stored procedures. The following table contains more information about encryption in SQL Server.
    181. 181. Encryption Hierarchy
        SQL Server encrypts data with a hierarchical encryption and key management infrastructure.
        Each layer encrypts the layer below it by using a combination of certificates, asymmetric keys, and symmetric keys.
        Asymmetric keys and symmetric keys can be stored outside of SQL Server in an Extensible Key Management (EKM) module.
    182. 182. How is encryption applied?
        SQL Server provides the following mechanisms for encryption:
            Transact-SQL functions
            Asymmetric keys
            Symmetric keys
            Certificates
            Transparent Data Encryption
    183. 183. Simple Symmetric Encryption
        Creating a symmetric key:
            CREATE SYMMETRIC KEY VitaliyFursov007
            WITH ALGORITHM = AES_256 ENCRYPTION BY CERTIFICATE HiTech01;
            GO
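The certificate from slide 179 and the symmetric key from slide 183 form a two-level hierarchy; the script below uses them for cell-level encryption and shows why an authenticator is worth adding. This is an added example and is not the course's practice script; the table `dbo.CardDemo` and the card numbers are constructed for illustration, while the key, certificate and password are the ones shown on the slides.

```sql
-- Added example (not from the course material).
USE AdventureWorks;
GO
-- Hypothetical demo table: ciphertext is stored as varbinary.
CREATE TABLE dbo.CardDemo (
    CardId        int            NOT NULL PRIMARY KEY,
    CardNumberEnc varbinary(256) NOT NULL
);
GO
-- The certificate's private key is protected by a password (slide 179),
-- so the password is needed to open the symmetric key it protects.
OPEN SYMMETRIC KEY VitaliyFursov007
    DECRYPTION BY CERTIFICATE HiTech01
    WITH PASSWORD = 'pGFD4bb925DGvbd2439587y';

-- Encrypt with an authenticator derived from the row's own key value,
-- which binds each ciphertext to the row it was written for.
INSERT INTO dbo.CardDemo (CardId, CardNumberEnc)
VALUES (1, EncryptByKey(Key_GUID('VitaliyFursov007'), N'4111-1111-1111-1111',
                        1, HashBytes('SHA1', CONVERT(varbinary, 1))));
INSERT INTO dbo.CardDemo (CardId, CardNumberEnc)
VALUES (2, EncryptByKey(Key_GUID('VitaliyFursov007'), N'5500-0000-0000-0004',
                        1, HashBytes('SHA1', CONVERT(varbinary, 2))));

-- Both rows decrypt while the key is open.
SELECT CardId,
       CONVERT(nvarchar(32),
               DecryptByKey(CardNumberEnc, 1,
                            HashBytes('SHA1', CONVERT(varbinary, CardId))))
           AS CardNumber
FROM   dbo.CardDemo;

-- Ciphertext copied from row 1 into row 2 no longer matches row 2's
-- authenticator, so row 2 now decrypts to NULL instead of row 1's value.
UPDATE d2
SET    d2.CardNumberEnc = d1.CardNumberEnc
FROM   dbo.CardDemo AS d2
JOIN   dbo.CardDemo AS d1 ON d1.CardId = 1
WHERE  d2.CardId = 2;

SELECT CardId,
       CONVERT(nvarchar(32),
               DecryptByKey(CardNumberEnc, 1,
                            HashBytes('SHA1', CONVERT(varbinary, CardId))))
           AS CardNumber
FROM   dbo.CardDemo;

CLOSE SYMMETRIC KEY VitaliyFursov007;

-- With the key closed, DecryptByKey returns NULL for every row.
SELECT CardId, DecryptByKey(CardNumberEnc) AS WithoutKey
FROM   dbo.CardDemo;
GO
DROP TABLE dbo.CardDemo;
GO
```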
    184. 184. Practice data encryption
        Read, run, and understand script provided in file "Practice Data Encryption.sql"
    185. 185. Auditing
        SQL Server provides several features that you can use for auditing activities and changes on your SQL Server system.
        These features enable administrators to implement a defense-in-depth strategy that they can tailor to meet the specific security risks of their environment.
    186. 186. Understanding SQL Server Audit
        Auditing an instance of SQL Server or a SQL Server database involves tracking and logging events that occur on the system.
        Beginning in SQL Server 2008 Enterprise, you can also set up automatic auditing by using SQL Server Audit.
        There are several levels of auditing for SQL Server, depending on government or standards requirements for your installation. SQL Server Audit provides the tools and processes you must have to enable, store, and view audits on various server and database objects.
    187. 187. SQL Server Audit Components<br />An audit is the combination of several elements into a single package for a specific group of server actions or database actions. <br />The components of SQL Server Audit combine to produce an output that is called an audit, just as a report definition combined with graphics and data elements produces a report.<br />SQL Server Audit uses Extended Events to help create an audit. <br />
    188. 188. SQL Server Audit<br />The SQL Server Audit object collects a single instance of server or database-level actions and groups of actions to monitor. The audit is at the SQL Server instance level. You can have multiple audits per SQL Server instance.<br />When you define an audit, you specify the location for the output of the results. This is the audit destination. The audit is created in a disabled state, and does not automatically audit any actions. After the audit is enabled, the audit destination receives data from the audit.<br />
    189. 189. Server Audit Specification<br />The Server Audit Specification object belongs to an audit. You can create one server audit specification per audit, because both are created at the SQL Server instance scope.<br />The server audit specification collects many server-level action groups raised by the Extended Events feature. You can include audit action groups in a server audit specification. Audit action groups are predefined groups of actions, which are atomic events occurring in the Database Engine. These actions are sent to the audit, which records them in the target.<br />
    190. 190. Database Audit Specification<br />The Database Audit Specification object also belongs to a SQL Server audit. <br />You can create one database audit specification per SQL Server database per audit.<br />The database audit specification collects database-level audit actions raised by the Extended Events feature. <br />You can add either audit action groups or audit events to a database audit specification. <br />Audit events are the atomic actions that can be audited by the SQL Server engine. <br />Audit action groups are predefined groups of actions. Both are at the SQL Server database scope. These actions are sent to the audit, which records them in the target. <br />
    191. 191. Audit Target<br />The results of an audit are sent to a target, which can be:<br />File<br />Windows Security event log<br />Windows Application event log. <br />Writing to the Security log is not available on Windows XP.<br />Logs must be reviewed and archived periodically to make sure that the target has sufficient space to write additional records.<br />
    192. 192. Using SQL Server Audit<br />Create an audit and define the target.<br />Create either a server audit specification or database audit specification that maps to the audit. Enable the audit specification.<br />Enable the audit.<br />Read the audit events by using the Windows Event Viewer, Log File Viewer, or the fn_get_audit_file function.<br />SELECT * FROM sys.fn_get_audit_file<br />('C:\testAudit.sqlaudit',default,default);<br />GO<br />
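The four steps from the "Using SQL Server Audit" slide as one script, covering both a server audit specification and a database audit specification. This is an added example, not part of the original slides; the audit and specification names, the folder `C:\AuditLogs\`, the database `SalesDemo` and the table `dbo.Customer` are assumptions.

```sql
-- Added example. All object names and the target folder are assumed for illustration.
USE master;
GO
-- Step 1: create the audit and define its target (a file target here).
CREATE SERVER AUDIT TestAudit
TO FILE (FILEPATH = 'C:\AuditLogs\', MAXSIZE = 100 MB, MAX_ROLLOVER_FILES = 10)
WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
-- Step 2a: server audit specification with predefined action groups, enabled on creation.
CREATE SERVER AUDIT SPECIFICATION TestAudit_ServerSpec
FOR SERVER AUDIT TestAudit
    ADD (FAILED_LOGIN_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP)
WITH (STATE = ON);
GO
-- Step 2b: database audit specification with individual audit actions on one table.
USE SalesDemo;
GO
CREATE DATABASE AUDIT SPECIFICATION TestAudit_CustomerSpec
FOR SERVER AUDIT TestAudit
    ADD (SELECT, UPDATE, DELETE ON OBJECT::dbo.Customer BY public)
WITH (STATE = ON);
GO
-- Step 3: the audit is created disabled; nothing is recorded until it is enabled.
USE master;
GO
ALTER SERVER AUDIT TestAudit WITH (STATE = ON);
GO
-- Step 4: read the recorded events, newest first, keeping the review-relevant columns.
SELECT event_time, action_id, succeeded, server_principal_name,
       database_name, object_name, statement
FROM sys.fn_get_audit_file('C:\AuditLogs\*.sqlaudit', DEFAULT, DEFAULT)
ORDER BY event_time DESC;
GO
-- Confirm that the audit is running and where it writes.
SELECT name, status_desc, audit_file_path
FROM sys.dm_server_audit_status;
GO
```

`ON_FAILURE = CONTINUE` keeps the instance running if the target cannot be written; use `SHUTDOWN` where unaudited activity is not acceptable.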
    193. 193. Monitoring Microsoft SQL Server<br />4 hrs.<br />
    194. 194. Exam objectives<br />Collect performance data by using System Monitor.<br />Collect trace data by using SQL Server Profiler.<br />Identify SQL Server service problems.<br />Identify concurrency problems.<br />Locate error information.<br />
    195. 195. System Monitor<br />System Monitor, commonly referred to as PerfMon, is a Microsoft Windows utility that allows you to capture statistical information about the hardware environment, operating system, and any applications that expose properties and counters.<br />It uses a polling architecture to capture and log numeric data exposed by applications.<br />
    196. 196. How to Start<br />To start Performance Monitor<br />Click Start, click in the Start Search box, type perfmon, and press ENTER.<br />In the navigation tree, expand Monitoring Tools, and then click Performance Monitor.<br />You can also use Performance Monitor to view real-time performance data on a remote computer.<br />Membership in the target computer's Performance Log Users group, or equivalent, is the minimum required to complete this procedure.<br />To connect to a remote computer with Performance Monitor<br />Start Performance Monitor.<br />In the navigation tree, right-click Reliability