Second in a series
of step-by-step
the protection of
2005 Nelson Ruest & Danielle Ruest
A Report by Resolutions Enterprises
The end of downtime, period!

Job No. 1 for database administrators (DBAs) is making sure that the data they’re responsible for is available all the time. That’s because for anyone who implements database systems with Microsoft SQL Server, be it 2000 or 2005, data availability quickly becomes mission-critical. This is why DBAs must ensure that they have some form of protection in place for these systems, be it a rapid-recovery or a high-availability system. They know that, should any outage occur, they will be held responsible and faced with the repair of the system.

What if you could completely avoid downtime? What if you could go home knowing that the system would always be up? Well, if you’re a DBA and you want database peace of mind, read on.

Setting up Database Protection Mechanisms

If your organization wants to rely on database systems to operate, then they need to support you in the implementation of protection systems for the databases you manage. Depending on the type of protection you want, you’ll usually have three options with which to work. If you want total protection, you’ll use a combination of all three:
• Proper system understanding
• Service protection through built-in, high-availability services
• Data replication systems

The first option is really the first rule of any DBA; you can’t protect what you don’t know you have and Microsoft offers several tools to help at this level. The second relies on services and functionalities that are both at the SQL Server and Windows Server 2003 level to implement data and service redundancy schemes. This can involve up to three different strategies: log shipping, data mirroring and the Microsoft Cluster Service. (Note that data mirroring is only available for SQL Server 2005.) The last approach relies on third-party tools and can help ensure that you have a readily available replica of your data so that you can bring it back up immediately in the event of any failure.

Each of these is explained in detail here, and each applies to either SQL 2000 or SQL 2005 (except data mirroring, which is exclusive to version 2005).

Step 1: Know Your SQL Server Architecture

Today’s modern database applications rely on an n-tier architecture. This means that different application roles are played by different servers. For example, you will often have a Web front-end to the application, which is the interface users rely on to access the application’s functions, and is the presentation layer. Next, you may have a middleware tier that provides application logic. This may or may not run on the same servers as the Web interface. Finally, you’ll have a data back-end that provides data-management services to the application and serves to persist data modifications. This third layer is the DBA’s responsibility because it’s where SQL Server

This third layer can be in several forms because there are various flavors of SQL Server. Applications can rely on any of them, including Microsoft SQL Server 2000 Desktop Engine or the newer SQL Server 2005 Express Edition, but enterprises should really rely on more comprehensive editions of either SQL Server 2000 or 2005 because they provide much more robust database services and support high-availability solutions.

Depending on the type of application you create, you may need to rely on several secondary services to make sure it is always up. These can include services such as Active Directory (AD), the dynamic host configuration protocol (DHCP), the domain name system (DNS), and, of course, a series of security services, such as anti-virus and anti-spyware, to make sure the data is always protected. Depending on the clientele for your solution, you may also need additional protection mechanisms such as firewalls (see Figure 1). These secondary services don’t fall under the responsibility of the DBA, but they may affect data availability.

FIGURE 1 Typical n-tier Application Structure

Figure 1 illustrates that even the simplest application architecture can become complicated, and complicated architecture is vulnerable by default. So, the first step in protecting this system is through the use of proper documentation, outlining each aspect of the application’s configuration. Proper documentation will assist you in a rapid diagnosis of issues as they arise and help you as a DBA to understand the dependencies of the applications you support.

In addition to proper documentation, you may want to implement a monitoring system to proactively protect the data you manage. Microsoft Operations Manager 2005 (MOM) provides an excellent means of monitoring and controlling all versions of SQL Server. MOM provides an operator console that lets administrators know the health of the system at all times. What’s better, you can create custom consoles for DBAs listing only the items they’re responsible for and giving them constant feedback on the status of their SQL servers.

In addition, MOM’s framework lets software developers create special management packs for specific products. As part of its new Common Engineering Criteria, Microsoft ensures that new management packs are delivered with each and every component of the Windows Server System. This is why all versions of SQL from 2000 to 2005 include MOM management packs. In fact, there are two management packs for SQL Server, one from Microsoft and one from Quest Corp. Both include extended expert knowledge on the health status of SQL and can go a long way toward making sure your SQL systems are monitored proactively. This lets you solve issues before they become problems. In addition, upon the generation of an alert, MOM can even take action itself and run custom SQL scripts to further protect the data.

Another powerful tool that includes expert knowledge of SQL is the SQL Server 2000 Best Practice Analyzer (BPA). This standalone tool analyzes your database infrastructure and provides recommendations for improved availability. It identifies configuration issues and will also indicate if your configuration is supported by Microsoft. Microsoft is working on a version for SQL Server 2005, which should be released later this fall.

Step 2: Use Built-in,

Now that you know more about your database systems, you can move on to the second step: using built-in features to protect the availability of the data. These features come from both SQL Server itself and from the Windows Server 2003 operating system. They include:
• Log Shipping
• Data Mirroring
• Microsoft Cluster Service (MSCS)

Each strategy can be used to protect data at the server and the site level. The server level ensures that data is available on another server within the same site, while the site level ensures that data resides in another site to protect from site-level disasters. Each of the strategies relies on the availability of a primary and secondary, or backup, SQL Server.

Using Log Shipping

In SQL Server 2000, you need to use the Enterprise Edition to support log shipping and all versions of SQL Server 2005, except for the Express Edition, will support it.

FIGURE 2 Using Log Shipping to Protect Data

Log shipping relies on SQL Server Agent jobs to make periodic backups of transaction logs on a production or primary server and send them to a secondary or standby server. The secondary server can be located in the same site, providing server-level protection, or it can be in a remote site, providing site-level protection. Then Agent jobs on the standby server will use the same
timeframe to load or restore the received transaction logs into a copy of the production database. Of course, you need to begin by loading a full backup of the production database on the standby server (see Figure 2).

The advantage of log shipping is that it doesn’t have to be limited to a single standby server; logs can be shipped to several standby servers both within and outside the production site. In addition, it doesn’t have to focus on a single database; log shipping can protect several different databases on the same production system, shipping them to the same or different standby servers. Log shipping isn’t just a protection mechanism, it’s also a good tool to use to generate a secondary, development copy of the production database.

The disadvantage of log shipping is that there’s no automatic failover capability. So in the event of a disaster, you have to manually activate the secondary copy of the database.

At the very least, log shipping provides an excellent means of protection for the data itself and allows you to control the shipping schedule to further protect the system.

Database Mirroring

With the release of SQL Server 2005, Microsoft has tried to address database availability through the use of data mirroring. Though it was not available in the release to manufacturing (RTM) version of SQL 2005, it is now available through the release of SQL Server 2005 Service Pack 1.

The major advantage of database mirroring is that, unlike log shipping, in the event of a disaster or the unavailability of the primary database, no manual action is required because a standby database located on a secondary server will be available almost immediately. Like log shipping, database mirroring can be applied to one or several databases and sent to one or more standby servers.

Database mirroring relies on two, optionally three, systems. The first is the primary production server. The second is the standby server. This server contains a copy of the databases you want to protect. The third is a potential witness system that monitors database availability and performs the switchover automatically in the event of a failure of the primary database. All servers in a mirrored configuration must be running one of three editions of SQL Server 2005: Workgroup, Standard or Enterprise, with the exception of the witness system, which can rely on SQL Server 2005 Express.

Mirroring works by shipping transaction logs from the production to the mirrored database. This means that the mirrored database is not available until a failover occurs, but it can run other, non-mirrored databases (see Figure 3).

You can run mirroring in either asynchronous or synchronous modes. Both have their advantages and disadvantages. With asynchronous mirroring, you have better system performance, but you have the opportunity for data inconsistency, because the transactions on the main server are committed without waiting to hear if they were transmitted to the mirror. In synchronous mode, each transaction is mirrored to the standby database before being committed to the production database. This has the best data consistency, but it directly affects performance. The witness server is only required if you run synchronous mirroring because this is the only mode that supports automatic failover. Using a witness will ensure that the database is always available so long as at least two of the three server roles are available.

Automatic failover of database mirroring requires the new SQL Native Client because it supports automatic redirection to the mirrored database. Database mirroring is designed to protect data at the database level and can work both within the same site and across a wide area network (WAN) link. Clearly, the slower the connection is, the more impact it will have on performance if synchronous mirroring is used.

The disadvantage of database mirroring is that it provides protection at the database and not the server level, so you must format each server with the same configurations. If they’re not exactly the same, failover may not work properly.

Microsoft Cluster Service

At the server level, Microsoft offers Microsoft Cluster Service (MSCS), which relies on shared storage to function. Multiple servers provide redundant services, but are connected to the same storage system. When the service fails on one server, it’s automatically picked up by another that’s part of the cluster. The same cluster can host multiple instances of SQL Server because an MSCS cluster running on Windows Server 2003 can have between one and eight nodes: two nodes if the connectivity between the server and storage system is SCSI; up to eight if you use Fibre Channel or iSCSI.
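The following T-SQL walk-through is an added example, not code from the original report. It shows the backup and restore sequence behind the log shipping and database mirroring sections above: both start by seeding the standby with a full backup restored WITH NORECOVERY. The database name SalesDB, the share \\SQLTwo\LogShip, the witness name WITNESS1 and port 5022 are assumptions; SQLOne, SQLTwo, SQLService and Testbed.Local are borrowed from the report's test bed.

```sql
-- Added walk-through. Assumed names: database SalesDB, share \\SQLTwo\LogShip,
-- witness WITNESS1, port 5022. Each step is run on the server named in its comment.

-- 1. PRIMARY (SQLOne): log backups require the FULL recovery model.
ALTER DATABASE SalesDB SET RECOVERY FULL;
BACKUP DATABASE SalesDB
    TO DISK = N'\\SQLTwo\LogShip\SalesDB_full.bak' WITH INIT;

-- 2. STANDBY (SQLTwo): load the full backup but leave the database
--    unrecovered so later transaction logs can still be applied.
RESTORE DATABASE SalesDB
    FROM DISK = N'\\SQLTwo\LogShip\SalesDB_full.bak' WITH NORECOVERY;

-- 3. PRIMARY: the periodic log backup (the work of the backup Agent job).
BACKUP LOG SalesDB
    TO DISK = N'\\SQLTwo\LogShip\SalesDB_0001.trn' WITH INIT;

-- 4. STANDBY: apply it (the work of the restore Agent job).
RESTORE LOG SalesDB
    FROM DISK = N'\\SQLTwo\LogShip\SalesDB_0001.trn' WITH NORECOVERY;

---------------- Path A: stay with log shipping (2000 and 2005) ----------------
-- Repeat steps 3 and 4 on a schedule with a new file name each time.

-- A1. PRIMARY: how stale is the newest log backup of each database?
SELECT database_name,
       MAX(backup_finish_date) AS last_log_backup,
       DATEDIFF(minute, MAX(backup_finish_date), GETDATE()) AS minutes_old
FROM msdb.dbo.backupset
WHERE type = 'L'
GROUP BY database_name;

-- A2. Manual failover. If the primary still responds, back up the tail of
--     the log; NORECOVERY leaves the old primary in the restoring state.
BACKUP LOG SalesDB
    TO DISK = N'\\SQLTwo\LogShip\SalesDB_tail.trn' WITH INIT, NORECOVERY;

-- A3. STANDBY: apply the tail and bring the copy online.
RESTORE LOG SalesDB
    FROM DISK = N'\\SQLTwo\LogShip\SalesDB_tail.trn' WITH RECOVERY;
--     If no tail backup could be taken, recover with what was shipped:
--     RESTORE DATABASE SalesDB WITH RECOVERY;

---------------- Path B: database mirroring (2005 only) ----------------
-- B1. BOTH partners: create the mirroring endpoint with encryption required.
--     Both services running under the same domain account (SQLService in the
--     test bed) lets Windows authentication work without extra logins.
CREATE ENDPOINT Mirroring
    STATE = STARTED
    AS TCP (LISTENER_PORT = 5022)
    FOR DATABASE_MIRRORING (
        ROLE = PARTNER,            -- use ROLE = WITNESS on the witness server
        AUTHENTICATION = WINDOWS NEGOTIATE,
        ENCRYPTION = REQUIRED ALGORITHM AES);

-- B2. MIRROR (SQLTwo) first, then PRINCIPAL (SQLOne).
ALTER DATABASE SalesDB SET PARTNER = N'TCP://SQLOne.testbed.local:5022';  -- on SQLTwo
ALTER DATABASE SalesDB SET PARTNER = N'TCP://SQLTwo.testbed.local:5022';  -- on SQLOne

-- B3. PRINCIPAL: synchronous mode plus a witness gives automatic failover.
ALTER DATABASE SalesDB SET PARTNER SAFETY FULL;
ALTER DATABASE SalesDB SET WITNESS = N'TCP://WITNESS1.testbed.local:5022';
--     Asynchronous alternative (no automatic failover):
--     ALTER DATABASE SalesDB SET PARTNER SAFETY OFF;

-- B4. EITHER partner: confirm role, state, safety level and witness status.
SELECT DB_NAME(database_id) AS database_name,
       mirroring_role_desc,
       mirroring_state_desc,
       mirroring_safety_level_desc,
       mirroring_witness_state_desc
FROM sys.database_mirroring
WHERE mirroring_guid IS NOT NULL;
```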
FIGURE 4 Using MSCS to Protect Data

Remember that each node must have the capability to handle its own services—as well as failover services for non-working nodes—when you plan for server capacity. So if you’re running two instances of SQL Server on a two-node cluster, each node must have enough RAM and processing power to run the instance it’s responsible for, in addition to having enough RAM and processing power for the other instance. This way, if there’s a problem with one node, the second will be able to run its own instance and the failover instance from the

Also remember that MSCS uses the share-nothing cluster model; this means that each instance of SQL Server must have exclusive access to a portion of the shared disk. In fact, you need to have a shared disk for the cluster service itself, and a different shared disk for each single instance of SQL that you want to run on the cluster (see Figure 4).

While MSCS is a powerful tool to protect data availability, it tends to be limited to single sites, mostly because it’s much more complicated to build geographically dispersed clusters. This is because the cluster service relies on a heartbeat to determine if failover is required. This heartbeat is easier to maintain on a local area network (LAN) than on a WAN.

Step 3: Protect Your Databases with Replication Technology

Using the traditional mechanisms provided by Microsoft to protect both database and server availability makes a lot of sense, mostly because they’re designed to work with and support SQL Server—but they do have limitations. This is why it’s also a good idea to examine third-party solutions—such as those from CA XOsoft, Symantec, EMC, Double-Take Software and others. Replication technology offers the ability to have real-time data replication of your SQL servers. In addition, it’s possible to add application monitoring, automatic pushbutton failover and automatic failback for complete system protection both in the same site and at remote sites. Because of this, replication tools can provide server-level or site-level protection. You can also add tools that protect data to the last consistent state, making sure that when you recover from a failure, you will not recover corrupted data. For automated failover, you can redirect Domain Name System (DNS) entries to the failover server, making failover completely transparent and avoiding the need for special clients.

Finally, if you’re looking at third-party tools, you’ll want a solution that lets you perform disaster recovery testing in real time, without disrupting either users or replication between partner servers. One tool, CA XOsoft’s Assured Recovery, provides this capability. No solution is complete without this testing capability.

While SQL Server 2005 includes its own replication mechanisms, it does not compare with the capabilities of these third-party tools because they are designed with high availability in mind. You can use these replication and data assurance solutions on their own or you can combine them with your existing protection mechanisms. They work on the principle of real-time replication, replication that can be intra-site, occurring within the same LAN or inter-site, occurring between two sites over the WAN. They include bandwidth control so you don’t have to worry about losing your existing WAN throughput. And, through their application monitoring capabilities, they can control automatic failover—transparent to users—in the event of a local or remote disaster.

The source of the data doesn’t matter—your database can be clustered or not clustered. Using these tools, you can set up one of many
different high-availability scenarios (see Figure 5).

Each manufacturer lets you test their tools online in their own environments. If that doesn’t work for you, use the following procedure to set up your own test, using your own databases and server builds.

Set up a testing lab. To keep it simple, rely on virtual machines. Both Microsoft and VMware offer free copies of their virtualization technologies (see Resources). That means you can even do it on a workstation if you have to, but of course, it would be best to use a server-class machine. You’ll need to prepare a copy of the original servers you want to protect, and then create duplicate servers for each. You’ll also need key services such as AD and DNS to support the failover test. To make it easier to capture your existing SQL servers, use the Microsoft Virtual Server Migration Tool (see Resources) to create virtual machine copies of the existing physical servers. Because Microsoft virtual machines run on both Virtual Server and VMware Server, this tool can be used with either one.

Next, select the vendor you want to test and then download the trial version of the software from the manufacturer’s Web site. You’ll need to run the tool’s installer to install the necessary components on your workstation.

Depending on the selected technology, you might also have to install the replication technology engine on the Master and Replica servers for each database server you want to protect.

Next, create a replication and failover scenario. Make sure you set it up to provide automatic failover. This might imply relying on a DNS redirection.

Now, you’re ready to test the failover, either automatically or manually. When you fail over, the replica server becomes the holder of live data. Make sure the tool allows you to run a “backward” scenario to ensure that the data changes are replicated back to the original production server. Repeat as often as you need to to make sure you’re satisfied with the results. You should also test data failures to make sure you recover from

Then, when you’re completely satisfied that everything works as, move to acquire a license for the product and install it on your production systems.

It’s a simple test. The longest part will be the first step because it takes time to prepare duplicate servers and duplicate services, but the beauty of virtual machines is that once you have one, it’s really easy to generate more. Once you have what you need, then you can move to apply the solution to your production machines.

One other advantage of using virtual machines, is that it doesn’t matter if you make mistakes, just make sure you use copies of the machines to test. That way you can start over at any time. Another advantage is that you can make sure you get the procedures down pat before you have to take any steps in

provide some of the very best protection scenarios available anywhere. You can protect at the server or the site level and do it all through the same processes. Try them, you’ll like them. The most important decision you’ll have to make is to determine which tool to use. Use the following guidelines to do so:
• The engine must be specifically designed to replicate SQL Server data, both 2000 and 2005.
• The engine must provide application monitoring to identify if or when a failover is required.
• The engine must include a data corruption protection to make sure you replicate only valid data.
• Finally, the engine must support online and scheduled testing capabilities

Do yourself a favor. Try these technologies today. You won’t want to go back. No more downtime, no more irate user e-mails, no more management woes.

Continue to the next page for online resources.

About the Authors

Danielle Ruest and Nelson Ruest, MCSE, MCT, Microsoft MVP, are IT professionals specializing in systems administration, migration planning, software management and architecture design. They are authors of multiple books, notably two books published by McGraw-Hill Osborne, “Windows Server 2003: Best Practices for Enterprise Deployments”, ISBN 0-07-222343-X and “Windows Server 2003 Pocket Administrator”, ISBN 0-07-222977-2 as well as “Preparing for .NET Enterprise Technologies”, published by Addison Wesley, ISBN 0-201-73487-7. They have extensive experience in high availability and systems recovery.

Microsoft SQL Server: www.microsoft.com/sql/default.mspx
Microsoft Visio 2003 Connector for Microsoft Baseline Security Analyzer: www.microsoft.com/technet/security/tools/mbsavisio.mspx
Microsoft Operations Manager 2005: www.microsoft.com/mom/default.mspx
MOM Management Pack for SQL Server: www.microsoft.com/technet/prodtechnol/mom/mom2005/catalog.aspx
The SQL 2000 Best Practices Analyzer: www.microsoft.com/downloads/details.aspx?FamilyID=B352EB1F-D3CA-44EE-893E-9E07339C1F22&displaylang=en
SQL Server 2005 Service Pack 1: www.microsoft.com/downloads/details.aspx?familyid=cb6c71ea-d649-47ff-9176-e7cac58fd4bc&displaylang=en
Microsoft Virtual Server 2005: www.microsoft.com/windowsserversystem/virtualserver/default.mspx
VMware Server: www.vmware.com/products/server/
Microsoft Virtual Server Migration Toolkit: www.microsoft.com/windowsserversystem/virtualserver/evaluation/vsmt.mspx
CA XOsoft Solutions site: www.XOsoft.com/products/index.shtml
CA XOsoft Download site: www.XOsoft.com/download/index.shtml
EMC RepliStor Web site: http://software.emc.com/products/software_az/replistor.htm
Symantec Veritas Replication Exec Web Site: www.symantec.com/Products/enterprise?c=prodinfo&refId=50
Double-Take Software Web Site: www.nsisoftware.com/default.aspx
Build Your Own SQL Server Test Bed

Relying on virtual machine (VM) technology to create virtual environments is a great idea. You can use the following procedure to create your own virtual test bed. You can rely on either VMware Server or Microsoft Virtual Server R2 to provide virtualization services, but keep in mind that the procedures will differ slightly from one to the other.

Note: Because several licenses of Windows Server and Windows XP are required in this test bed, it is best to obtain a subscription to either Microsoft TechNet (http://technet.microsoft.com/en-us/subscriptions/default.aspx) or Microsoft MSDN (http://msdn.microsoft.com/subscriptions/) before proceeding. Each gives you access to 10 licenses of the operating systems, as well as licenses of SQL Server.

In order to create your test bed, you’ll need machines simulating the following roles:
• Domain Controller (DC): The DC role will support integrated authentication scenarios.
• Primary SQL Server: A machine running Windows Server 2003 Enterprise Edition, which will let you support server clustering, if needed.
• Secondary SQL Server: A second machine running Windows Server 2003 Enterprise Edition.
• Workstation: Machine running Windows XP. This workstation can act as a management machine, as well as a testing machine to test access to the SQL service.
• User Accounts: These will allow you to test access to the SQL service.
• Service Accounts: Create these in Active Directory. One account is required for SQL; others may be required to test other technologies such as clustering. Like all service accounts, they need the following characteristics:
    • Complex password
    • Password never expires
    • User cannot change password
    • On the local machines they need:
        • The “Log on as a service” access right
        • The “Allow log on locally” right
        • The “Act as part of the operating system” right
        • To be a member of the local administrators

If your production environment uses different values for these accounts, you should make the appropriate modifications.

To create the test bed, follow these steps:
• Locate an appropriate host machine and install the virtualization technology of your choice. Make sure you have enough disk space and RAM on the physical host to run more than one virtual machine. Each VM runs at about 256MB of RAM, so a physical host with about 2GB should work. In addition, VMs tend to take up at least 4GB of disk space. If you decide to use your own workstation as the host, use an external disk to increase performance.
• Next, prepare one new machine using Windows Server 2003 Enterprise Edition. Add all of the appropriate service packs and hotfixes. Next, you can use the SysPrep utility found in the Deploy.CAB file located on the Windows Server 2003 installation CD. This will let you depersonalize this machine so that you can make as many copies as you need without having to go through the rebuild process over and over again.
• Make a folder on the C: drive and call it SysPrep (C:\SysPrep).
• To run SysPrep, you need four files from the Deploy.CAB file: Factory.exe, SysPrep.exe, SetupMgr.exe, SetupCl.exe. Copy them to the SysPrep folder.
• Launch SetupMgr.exe and run through the wizard to create a SysPrep.inf file. Cancel the Setup Manager once the file is ready.

If your server is ready, make a copy of the files and folder that make up the VM. This will give you access to the original machine without having to go through the SysPrep process.
• Use the new copied machine. Start up Windows Server and then go to the SysPrep folder to launch SysPrep.exe.
• Leave the default values enabled and click on the Reseal button. This will depersonalize the server image and prepare it for reproduction.
• Make sure you always make copies of this machine before launching it again.

Once the SysPrepped machine is created, make a copy of the folder that contains its files. Rename the new folder as well as the files that make it up. Name them Domain Controller and add this machine to the virtualization interface. You’ll need to make sure the configuration is properly set so you can launch this new machine.
• Launch Windows Server. Modify the TCP/IP values to give it a static address. Give it its own IP address as the DNS server. Domain Controllers need to point to themselves as DNS servers.
• Next, use Manage Your Server to add the Domain Controller role. Use the following values:
    Domain Controller in a New Forest.
    Domain Name: Testbed.Local
    NetBIOS Name: TESTBED

When the DNS error displays, select the option to install and configure DNS on this server. You’ll need access to the Windows Server installation files. Accept all defaults from then

Once the Domain Controller has been created, use Active Directory Users and Computers to create the service account. Call it SQLService or use your own production name. This is a different directory, so using the same account name has no impact on your network.
• Next, prepare two new machines running
by copying the SysPrepped machine. They should have the following characteristics:
    Machine name: SQLOne and SQLTwo
    Machine location: C:\VMs\MachineName
    Machine files: machinename.xxx and
    Network Cards: 2
    Disks: 3 (System, Data and
• Install SQL Server according to your own best practices on each machine.
• Use a backup of one of your production databases to populate the two servers with
• Create the client machine using the same approach as the initial build of the SysPrep server. Make a copy and install the SQL Client utilities on the new workstation. This will let you test access to the data.
• Before you perform any test, copy the entire test bed. This will allow you to keep a pristine copy and also allow you to destroy any failed tests without any worries.
• Now you’re ready to proceed. Download whichever solution you want to try and run it through its paces. Good luck!