PARTIALLY CONTAINED DATABASES
Steve Verschaeve
ABOUT ME
•   Sr. SQL Server Consultant at KOHERA
•   Webmaster & board member at SQLUG.BE
•   Co-organiser at SQLServerDays.be
•   Microsoft Extended Expert Team member
•   MCP, MCTS, MCITP, MCT
•   steve@sqlug.be
•   Blog.steveverschaeve.be
•   @sql_lazywriter
AGENDA
•   What is a (partially) contained database
•   Features within/outside Application Model
•   Authentication
•   Collation
•   Identifying database containment
•   Threats against partially contained databases
•   Demos
•   Resources
•   Q&A
WHAT IS A (PARTIALLY) CONTAINED DATABASE
• Scenario: Deploy to production; HA & DR
  [Diagram: the DB on Instance A is moved to Instance B by Backup/Copy/Restore. What happens to everything the database depends on outside itself: Logins, Linked Servers, Agent jobs, …?]
WHAT IS A (PARTIALLY) CONTAINED DATABASE
• Improved dependency management
  • Include all settings + metadata
  • No login authentication at database engine level
  • Isolated from the database engine
  • Improved transition between environments
• Not yet fully contained
• Moving to SQL Azure
  • Fully contained
  • Uncontained features disabled by default
• All SQL Server editions
FEATURES WITHIN/OUTSIDE APPLICATION MODEL
Within the Application Model [1] (Contained)
• System Views: sys.indexes, sys.types, …
• Data Types: all data types excluding CLR data types
• Dynamic Management Views: sys.dm_db_uncontained_entities
• T-SQL: Having, Rollback Transaction, …
• Built-in Functions: @@rowcount, Getdate, IsNull, …
• System Stored Procedures: sp_helptext, sp_columns, sp_addrole, …
• DBCC Statements: CHECKDB, SHOW_STATISTICS, …

Outside the Application Model [2] (Non-Contained)
• Catalog Views: sys.servers, sys.server_role_members, …
• T-SQL: Backup, Restore, Set Ansi_Nulls, …
• Built-in Functions: @@servername, loginproperty, …
• System Functions: sys.fn_get_sql, sys.fn_cdc_get_min_lsn, …
• Other: Linked servers, Full-Text Search, Synonyms, Replication, Change data capture, Change tracking, …
ENABLE PARTIALLY CONTAINED DATABASES
• Instance level

  EXEC sys.sp_configure N'contained database authentication', N'1';
  RECONFIGURE;   -- the new value is not in use until RECONFIGURE runs
  GO


• Database level

  CREATE DATABASE [PartialCDB] CONTAINMENT = PARTIAL;   -- CONTAINMENT = NONE is the default
  GO

• New syntax

  ALTER DATABASE CURRENT ...
DEMO
Enable & Convert non-contained DB to Partial-CDB
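The enable-and-convert procedure above, carried through as an added T-SQL example that is not part of the slides. It assumes sysadmin rights on a test instance; [AppDB] and AppUser are placeholder names, and sp_migrate_user_to_contained is the engine's own procedure for turning a login-mapped user into a contained user.

```sql
-- Added example (not from the slides): enable contained database authentication on the
-- instance, convert an existing non-contained database to partial containment, migrate a
-- login-based user, and verify. [AppDB] and AppUser are placeholders.

-- 1. Instance level. RECONFIGURE is what makes the new value take effect.
EXEC sys.sp_configure N'contained database authentication', N'1';
RECONFIGURE;
GO

-- 2. Database level: converting an existing database needs no other sessions in it,
--    so restrict access around the change (test instance only).
USE master;
GO
ALTER DATABASE [AppDB] SET RESTRICTED_USER WITH ROLLBACK IMMEDIATE;
ALTER DATABASE [AppDB] SET CONTAINMENT = PARTIAL;
ALTER DATABASE [AppDB] SET MULTI_USER;
GO

-- 3. Inside the database: the "new syntax" lets a script alter whichever database it
--    runs in without hard-coding the name. AUTO_CLOSE OFF is relevant to the threats
--    slide later in this deck.
USE [AppDB];
GO
ALTER DATABASE CURRENT SET AUTO_CLOSE OFF;
GO

-- 4. Move a user that is still mapped to a server login into a contained user with
--    password, keeping its name and disabling the now-unneeded login.
EXEC sys.sp_migrate_user_to_contained
    @username     = N'AppUser',          -- placeholder: an existing login-mapped user
    @rename       = N'keep_name',
    @disablelogin = N'disable_login';
GO

-- 5. Verify both levels.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = N'contained database authentication';   -- 1 once RECONFIGURE has run

SELECT name, containment, containment_desc
FROM sys.databases
WHERE name = N'AppDB';                                -- containment_desc = PARTIAL
```

Run the DMV from the "Identifying database containment" slides before step 2 on a real database: the conversion itself succeeds even when the database still references linked servers or other uncontained features, so the check has to be a separate step.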
AUTHENTICATION
• Contained users connect without server-level authentication
• Contained SQL user with password, syntax:

 CREATE USER Giselle WITH PASSWORD = 'xyz';
 GO



• Multiple users with the same name can exist in different databases
• Normal users tied to a login coexist with contained users in the same database [1]
DEMO
• Authentication
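An added authentication example (not from the slides): it creates the three kinds of database principal the slides mention side by side and then shows how to tell them apart. It assumes a partially contained database [AppDB]; the user names, the CONTOSO domain and the password placeholders are made up, and the Windows user line only succeeds on an instance that can resolve that account.

```sql
-- Added example (not from the slides): contained and login-mapped users in one database.
-- [AppDB], Giselle, CONTOSO\alice and AppSvc are placeholders.
USE [AppDB];
GO
-- Contained SQL user: the password hash is stored in this database, not in master.
CREATE USER Giselle WITH PASSWORD = N'<strong password placeholder>';

-- Contained Windows user: no server login is created; needs a resolvable account.
CREATE USER [CONTOSO\alice];

-- Classic user mapped to a server login still works in the same database.
CREATE LOGIN AppSvc WITH PASSWORD = N'<strong password placeholder>';
CREATE USER AppSvc FOR LOGIN AppSvc;
GO

-- authentication_type tells them apart:
--   1 = INSTANCE (mapped to a server login)
--   2 = DATABASE (contained SQL user with password)
--   3 = WINDOWS  (contained Windows user)
SELECT name, type_desc, authentication_type, authentication_type_desc
FROM sys.database_principals
WHERE principal_id > 4           -- skip dbo, guest, INFORMATION_SCHEMA, sys
  AND type IN ('S', 'U');        -- SQL users and Windows users

-- For a live session, authenticating_database_id shows where the credential was
-- checked: 1 (master) for a server login, this database's id for a contained user.
SELECT session_id, login_name,
       authenticating_database_id,
       DB_NAME(authenticating_database_id) AS authenticating_db
FROM sys.dm_exec_sessions
WHERE session_id = @@SPID;
```

A contained user must name the database in the connection (Initial Catalog / Database), because there is no server-level principal to look up; connecting with the default database of master fails for such a user.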
COLLATION
• Two types of collation: DATABASE_DEFAULT & CATALOG_DEFAULT
• New catalog collation Latin1_General_100_CI_AS_WS_KS
• Syntax

  CREATE TABLE T1 (Name nvarchar(max) COLLATE CATALOG_DEFAULT);
  GO


• Same collation for all contained databases and instances
• Cannot be changed
COLLATION
Item                  Non-Contained Database               Contained Database
User data (default)   DATABASE_DEFAULT                     DATABASE_DEFAULT
Temp Data (default)   TempDB Collation                     DATABASE_DEFAULT
Metadata              DATABASE_DEFAULT / CATALOG_DEFAULT   CATALOG_DEFAULT
Temp Metadata         TempDB Collation                     CATALOG_DEFAULT
Variables             Instance Collation                   CATALOG_DEFAULT
Goto Labels           Instance Collation                   CATALOG_DEFAULT
Cursor Names          Instance Collation                   CATALOG_DEFAULT
DEMO
• Collation
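An added collation example (not from the slides) that makes the table above observable: a partially contained database is created with a case-sensitive default collation so that DATABASE_DEFAULT and CATALOG_DEFAULT visibly differ, then a user table, a temp table and variables are inspected. It assumes contained database authentication is already enabled; CollationCDB and the table names are made up.

```sql
-- Added example (not from the slides): where DATABASE_DEFAULT and CATALOG_DEFAULT apply
-- in a partially contained database. CollationCDB is a test name.
USE master;
GO
CREATE DATABASE CollationCDB
    CONTAINMENT = PARTIAL
    COLLATE Latin1_General_100_CS_AS;              -- user data: case-sensitive
GO
USE CollationCDB;
GO
CREATE TABLE dbo.Customer (Name nvarchar(50));                         -- DATABASE_DEFAULT
CREATE TABLE dbo.Lookup   (Name nvarchar(50) COLLATE CATALOG_DEFAULT); -- fixed catalog collation
CREATE TABLE #Staging     (Name nvarchar(50));   -- temp data in a CDB: DATABASE_DEFAULT,
                                                 -- not tempdb's collation
GO
INSERT dbo.Customer VALUES (N'Giselle');
INSERT #Staging     VALUES (N'Giselle');

-- In a non-contained database #Staging.Name would carry tempdb's collation, and when
-- that differs from the user database this join fails with a collation conflict.
-- In the contained database both sides are DATABASE_DEFAULT and it simply runs.
SELECT c.Name
FROM dbo.Customer AS c
JOIN #Staging     AS s ON s.Name = c.Name;

-- Variables are collated CATALOG_DEFAULT (Latin1_General_100_CI_AS_WS_KS), so two
-- variables compare case-insensitively even though the user data is case-sensitive.
DECLARE @a nvarchar(10) = N'Apple', @b nvarchar(10) = N'APPLE';
SELECT CASE WHEN @a = @b THEN 'equal (catalog collation is CI)'
            ELSE 'different' END AS variable_compare;

-- Inspect what each column actually received.
SELECT 'dbo.Customer' AS obj, collation_name
FROM sys.columns WHERE object_id = OBJECT_ID(N'dbo.Customer')
UNION ALL
SELECT 'dbo.Lookup', collation_name
FROM sys.columns WHERE object_id = OBJECT_ID(N'dbo.Lookup')
UNION ALL
SELECT '#Staging', collation_name
FROM tempdb.sys.columns WHERE object_id = OBJECT_ID(N'tempdb..#Staging');
GO
```

The practical point of the table: code that compares variables or cursor names with user data behaves differently after a conversion to partial containment when the database collation is not the catalog collation, so test such code in the converted database rather than assuming instance behaviour carries over.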
IDENTIFYING DATABASE CONTAINMENT
• sys.dm_db_uncontained_entities
  • View
  • Potentially uncontained entities
  • Static
• cdb_uncontained_usage
  • Extended Event
  • Fired when an uncontained entity is detected and identified at run time
  • Dynamic
DEMO
• sys.dm_db_uncontained_entities
• cdb_uncontained_usage
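Both checks from the slides above, as an added example that is not part of the deck: the static DMV query resolves the reported major_id to an object or principal name, and the dynamic part sets up an Extended Events session for the event the slides name. It assumes a partially contained database [AppDB]; the session name and file name are made up, and the event name is taken from the slides, so confirm it against sys.dm_xe_objects on your build before creating the session.

```sql
-- Added example (not from the slides): static and dynamic containment checks.
-- [AppDB], the session name and the .xel file name are placeholders.
USE [AppDB];
GO
-- Static: the DMV scans the database and lists entities that may break containment
-- (a procedure referencing a linked server, a user mapped to a login, ...).
SELECT ue.class_desc,
       CASE ue.class
            WHEN 1 THEN OBJECT_SCHEMA_NAME(ue.major_id) + N'.' + OBJECT_NAME(ue.major_id)
            WHEN 4 THEN dp.name
            ELSE CAST(ue.major_id AS nvarchar(20))
       END AS entity,
       ue.feature_name,
       ue.feature_type_name,
       ue.statement_type,
       ue.statement_line_number
FROM sys.dm_db_uncontained_entities AS ue
LEFT JOIN sys.database_principals AS dp
       ON ue.class = 4 AND dp.principal_id = ue.major_id
ORDER BY ue.class_desc, entity;
GO

-- Dynamic: confirm the event name for this build first.
SELECT p.name AS package_name, o.name AS event_name
FROM sys.dm_xe_objects AS o
JOIN sys.dm_xe_packages AS p ON p.guid = o.package_guid
WHERE o.object_type = 'event' AND o.name LIKE '%uncontained%';
GO

-- Session capturing uncontained usage in AppDB at run time (event name as given in the
-- slides; adjust if the query above reports a different name).
CREATE EVENT SESSION [cdb_uncontained_usage_trace] ON SERVER
ADD EVENT sqlserver.cdb_uncontained_usage (
    ACTION (sqlserver.sql_text, sqlserver.database_name, sqlserver.username)
    WHERE sqlserver.database_name = N'AppDB')
ADD TARGET package0.event_file (SET filename = N'cdb_uncontained_usage_trace.xel');
GO
ALTER EVENT SESSION [cdb_uncontained_usage_trace] ON SERVER STATE = START;
GO

-- Read back what was captured.
SELECT CAST(event_data AS xml) AS event_data
FROM sys.fn_xe_file_target_read_file(N'cdb_uncontained_usage_trace*.xel', NULL, NULL, NULL);
```

Use the two together: the DMV finds what the static definitions reference, the event catches dynamic SQL, ad-hoc queries and anything the DMV cannot see from metadata alone.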
THREATS AGAINST PARTIALLY CONTAINED DATABASES
•   Who can change containment settings
•   Users in a converted DB can create new users with password
•   Prevent a DB from being contained
•   Prevent connections from users with passwords
•   No rechecked passwords
•   Users with password cannot use Kerberos authentication
•   Offline dictionary attack
•   Auto_Close database property
http://specialops.sqlpass.org
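An added example (not from the slides) that turns the threat list above into checks and guard rails: audit queries for who can change containment settings, which databases are contained and auto-close, who in a converted database can create users with password, and which contained users with a database-stored password exist (the accounts the "no rechecked passwords" and "offline dictionary attack" points refer to); then a DDL trigger that prevents a database from being contained and a logon trigger that prevents connections from contained users. It assumes sysadmin on a test instance; [AppDB] and the trigger names are made up.

```sql
-- Added example (not from the slides): audit queries and guard-rail triggers.
-- [AppDB] and the trigger names are placeholders. Test both triggers before deploying:
-- a faulty LOGON trigger locks every login out (recover via the Dedicated Admin Connection).

-- 1. Who can change containment settings: sysadmin members, plus holders of
--    CONTROL SERVER or ALTER ANY DATABASE.
SELECT m.name AS principal_name, m.type_desc, N'sysadmin member' AS via
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
UNION ALL
SELECT p.name, p.type_desc, sp.permission_name
FROM sys.server_permissions AS sp
JOIN sys.server_principals AS p ON p.principal_id = sp.grantee_principal_id
WHERE sp.permission_name IN (N'CONTROL SERVER', N'ALTER ANY DATABASE')
  AND sp.state IN ('G', 'W');

-- 2. Which databases are contained, and whether AUTO_CLOSE is on (every contained
--    authentication then has to reopen the database).
SELECT name, containment_desc, is_auto_close_on
FROM sys.databases
WHERE containment <> 0;

-- 3. In a converted database: who can create users with password (ALTER ANY USER,
--    or a role that carries it), and which contained users with password exist.
USE [AppDB];
GO
SELECT dp.name, dp.type_desc, N'ALTER ANY USER' AS via
FROM sys.database_permissions AS perm
JOIN sys.database_principals AS dp ON dp.principal_id = perm.grantee_principal_id
WHERE perm.permission_name = N'ALTER ANY USER' AND perm.state IN ('G', 'W')
UNION ALL
SELECT m.name, m.type_desc, r.name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN (N'db_owner', N'db_securityadmin', N'db_accessadmin');

SELECT name, authentication_type_desc          -- DATABASE = password stored in this DB
FROM sys.database_principals
WHERE authentication_type = 2;
GO
USE master;
GO

-- 4. Prevent a database from being contained: roll back any CREATE/ALTER DATABASE
--    whose text asks for CONTAINMENT = PARTIAL.
CREATE TRIGGER trg_block_containment ON ALL SERVER
FOR CREATE_DATABASE, ALTER_DATABASE
AS
BEGIN
    DECLARE @cmd nvarchar(max) =
        EVENTDATA().value('(/EVENT_INSTANCE/TSQLCommand/CommandText)[1]', 'nvarchar(max)');
    IF @cmd LIKE '%CONTAINMENT%PARTIAL%'
    BEGIN
        RAISERROR('Contained databases are not permitted on this instance.', 16, 1);
        ROLLBACK;
    END
END;
GO

-- 5. Prevent connections from contained users: they authenticate against their own
--    database, so the session's authenticating database is not master (id 1).
--    Note this also blocks contained Windows users, not only users with password.
CREATE TRIGGER trg_block_contained_logins ON ALL SERVER
FOR LOGON
AS
BEGIN
    IF EXISTS (SELECT 1
               FROM sys.dm_exec_sessions
               WHERE session_id = @@SPID
                 AND authenticating_database_id <> 1)
        ROLLBACK;   -- rolling back in a LOGON trigger denies the connection
END;
GO
```

The audit in step 3 is the one to repeat after every restore from another environment: the contained users, their password hashes and the ALTER ANY USER grants all travel inside the backup, which is exactly what makes the database portable and what makes the offline dictionary attack possible.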
RESOURCES
•   SQL Server v.Next(Denali): Contained Databases (Aaron Bertrand)
•   SQL Server 2012: Sometimes Partial Is Preferable (Denny Cherry)
•   Partially Contained Databases (TechNet)
•   SQL Server 2012 Partially Contained Databases (Steve Verschaeve)
•   Contained Database Authentication in depth (Lyudmila Fokina)
Q&A
THANK YOU
steve@sqlug.be
Blog.steveverschaeve.be
@sql_lazywriter
© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.