SQLServerCentral Hosts AdventureWorks on Azure

The guys at SqlServerCentral have a great site with lots of resources about the SQL world. And today they made available the “AdventureWorks” sample database online, hosted on Azure, free for everyone to try it out.

It’s a great way to test and get more knowledge on this “database-in-the-cloud” model. Here is the launch article: http://www.sqlservercentral.com/articles/Adventureworks/99290/

And here a step-by-step guide to connect to the actual database: http://www.sqlservercentral.com/articles/Adventureworks/99291/

I could not try it yet, but will do it in a short time and come back to tell the results. Meanwhile, go ahead and check the news!

PS: guide on windowsazure.com on how to connect: http://www.windowsazure.com/en-us/manage/services/sql-databases/how-to-manage-a-sqldb/ (includes a link to SSMS 2012 express download).

cya,

SQL: Difference between Collations

Collations define the order that string data will be stored and how they will be compared on join/where conditions. If you try to compare two columns with different collations you may received the below error message. This may happen when using temporary tables or different databases in the comparison.

Msg 468, Level 16, State 9, Line 14
Cannot resolve the collation conflict between
"SQL_Latin1_General_CP1_CI_AS" and "Latin1_General_CI_AS"
in the equal to operation.

Collations that start with “SQL_” are the older ones and behave in a “SQL2000 way”, this means that it does not follow Windows rules for Unicode strings. Collations without the “SQL_” in the name are newer, compatible with windows, and follows the new rules of Unicode strings.

Because of this difference, the newer collations will be able to do an Index Seek on some specific conditions that SQL collations would cause an Index Scan. If your system uses string comparisons heavily, then this should be taken in consideration when creating the database.

See this great article on the differences and examples with deep analysis (Yeah it is really good!).

http://www.olcot.co.uk/sql-blogs/revised-difference-between-collation-sql_latin1_general_cp1_ci_as-and-latin1_general_ci_as

I’m out of time today, so go ahead and read the article. Research the web. Read more about this topic. Don’t take my word for granted, I’m researching and learning all the time, this blog is just to put together all the stuff I learn in a simpler and meaningful way. Do your homework too! =D

cya!

SQL Server security: Managing logins using stored procedures.

If you are a concerned DBA, you know that the rule of “least privilege” must be followed at all times. Even if something is not perfect right now, this is the direction to go and every step in that direction is worth it.

But suppose that you need to share some administrative tasks with more people, what do you do? Give them SA rights is out of the question, as only the members of the DBA team should have it. So you must try to give only the strict necessary rights to do exactly what they should do. And if this task is “manage SQL logins for a application” it would mean give SecurityAdmin server-wide role to someone. No sir, this role is too powerfull as it allows it’s members to change almost ALL logins on the instance, and not just the ones specifics to some application.

Therefore we must build some logic to enable this, and as this situation is not so common I thought of building one small tutorial to make it work. And it works: a simple non-privileged user is capable of managing specific server logins sucessfully, without risks of compromising other logins.*

For this recipe you will need:

• One non-privileged User
• One Login that will have the SecurityAdmin server role
• Some procedures
• A few and rare “grant” type
• Any database to hold the procedures. If it is exclusive to administrative things, the better.

Start by creating the Login that will have the SecurityAdmin right. Not even you needs to know it’s password, because it will only be impersonated and never used by anyone. Then create the non-privileged-User, map it to the database where your procedures will be, and issue this command:

USE MASTER
go
grant impersonate on login::SecurityLogin to SimpleUser

Then create the required procedures on the chosen database. Put whatever logic you need to prevent that the User has any possibility of messing with logins that you do not want him to touch. Grant only execute on these procedures to SimpleUser. Remember to include “EXECUTE AS LOGIN = ” to change the execution context before accessing administrative tables or functions (the more usual “execute as user =” wont work, this is the trick). Sample code is below, tailor it to your needs - but if you want to share it please include it’s source

*Of course the User could impersonate the SecurityAdmin login, but only if he manages to see the sourcecode of the procedure or list the login in the first place. Two things that you want to make sure he can NOT do. And with this approach, he will not be able to see anything on SSMS, he will only ever see what you show him though the procedures (Oh, and please include SQL-injection protection too, I’m in a hurry over here).

create procedure [dbo].[DBA_ListLogins]
as
EXECUTE AS LOGIN = 'SecurityAdmin_Login'
select distinct(spri.name), is_disabled
from master.sys.server_principals spri
where spri.sid > 100
and spri.name not like '##%'
and spri.name not like 'Security%'
and spri.name not like 'DBA%'
order by name
REVERT
go

create procedure [dbo].[DBA_DisableLogin] (@Login varchar(50))
as
begin
if (@Login = 'DBA') or (@Login = 'SA')
   or (@Login = 'SecurityAdmin_Login')
	raiserror ('ERROR - Unauthorized Operation.',10,1)
else
	EXECUTE AS login = 'SecurityAdmin_Login'
	declare @sql nvarchar(100)
	set @sql = N'ALTER LOGIN [' + @Login + N'] DISABLE'
	exec sp_executesql @sql
	REVERT
end
go

and now the error message that you may find if you forget to grant that “impersonate”:

Cannot execute as the server principal because the principal  
does not exist, this type of principal cannot be impersonated, 
or you do not have permission.

Update: included the brackets to avoid SQL Injection.

SSIS: Integration Packages on 64bits

And so I’m back to designing SSIS packages. Its a fun activity really. SQL Server Integration Services is a really powerfull platform to move data around. It can read anything and write anywhere (and even if it can’t directly access something you can always call some 3rd party program to do it – but this is not the point of this post).

Back in SQL 2005 days I used to develop in a 32 bits machine, and the servers were also 32 bits. Not anymore: now everything is 64 bits. Well, except for Office. Office doesn’t like 64 bits (and neither does some Oracle clients, but again, not the point now). If you try to use an Excel connection it will work just fine while you design the package because BIDS run as a 32bits program at design-time, but at run-time it runs as 64bits and this may cause some weird errors when reading/writing to excel files.

There are some workarounds to make it work (in 2008R2 you have a flag inside the project/job properties named “Run64bitRuntime” / “Use 32 bit runtime”), but even doing this you may have some trouble. If you are just writing an output file the easiest and safest way would be to use a Flat File Destination and save the contents as a .CSV file.

Here is a cryptic message you may receive when using an Excel connection when you try to run your package:

[Excel Destination [62]] Error: SSIS Error Code
DTS_E_CANNOTACQUIRECONNECTIONFROMCONNECTIONMANAGER.
The AcquireConnection method call to the connection manager
"Excel Connection Manager" failed with error code 0xC00F9304.
There may be error messages posted before this with more
information on why the AcquireConnection method call failed.

And here some more links on this subject:

• No 64 bit driver for Excel in SSIS
• Running Package in 32bit RunTime of SSIS

SQL and Linked-Servers: The SCHEMA LOCK permission was denied on the object

While debugging some legacy applications, I’ve come to this error. The exact message is:

Msg 229, Level 14, State 71,
Procedure sp_getschemalock, Line 1
The SCHEMA LOCK permission was denied on the
object 'X', database 'Y', schema 'dbo'.

I suspected some permission related issue (that is very common with linked-servers). A quick search later confirmed it, but as documentation is pretty rare on this issue I decided to post this information to help someone in the future.

Usually the best practice for linked-servers is to map every login used on both sides to make sure all is secure. But on real world of already deployed systems the reality is that things are (almost) never how it should be.

The fact that caused this strange message is the option to map the remote logins “using the login’s current security context” on the linked-server configuration page. If the same login used on the first side of the link does exist on the second but doesn’t have access to the correct object, this strange schema error will appear. To fix it simply give the required permission on the object at the second side of the linked-server.

I know, I know, this message should not appear on a simple select, for example. But it does. And this fixes it. Life moves on.

cya!

SQL SERVER - Fix : Error 14274: Cannot add, update, or delete a job (or its steps or schedules) that originated from an MSX server. The job was not saved.

Reblogged from SQL Server Journey with SQL Authority:

To fix the error which occurs after the Windows server name been changed, when trying to update or delete the jobs previously created in a SQL Server 2000 instance, or attaching msdb database.

Error 14274: Cannot add, update, or delete a job (or its steps or schedules) that originated from an MSX server. The job was not saved.

Reason:
SQL Server 2000 supports multi-instances, the originating_server field contains the instance name in the format 'server\instance'.

Read more… 217 more words

While dealing with older SQL versions sometimes you stumble upon some not-so-known error, and have to find a simple way to fix it. Pinal Dave points us to a simple solution if you have this error when maintaining some SQL Agent jobs, particularly if your server name was changed during its lifetime. To fix this error you gotta update either the @@servername or the originating_server column on msbd..sysjobs table. cya!

“Alter User with login” equivalent in SQL2000

By now, most DBA’s must be familiar with “Alter user with login” command from SQL 2005 SP2 and above. But when only SQL 2000 existed we had to do a lot more things manualy. Migrating logins/users has always been a pain, but at least MS had a few built-in procedures to make our life easier.

The equivalent of “Alter user” in 2000 is “sp_change_users_login”. Bellow you have an exemple extracted from this great post.

--Lists usernames that are not mapped to logins
exec sp_change_users_login 'report'
--Map db username to server login if names match
exec sp_change_users_login 'update_one', 'username'
--Maps db username to server login if names match,
--If no login exists, it creates one with the password given.
exec sp_change_users_login 'auto_fix', 'username' , 'password'

cya!

Windows Server Administration Tools for Windows 7

Have you ever wanted to open DSA.MSC on newer Windows installations and got angry because it isn’t there anymore? In this link you can download it.

http://www.microsoft.com/en-us/download/details.aspx?id=7887

I will test to see if this same package works for Windows 2008 R2, because the lack of this snap-in really drives me mad sometimes.

cya!

SQL Reporting Services failed to start

This works. A great find in the all-knowing web. I had a problem where a RS would not upgrade to SP4 because the installer could not start the RS service. This link shows a way to fix it.

The SQL Server Reporting Services (MSSQLSERVER) service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion

Quoting the original site:

Had an issue recently where we couldn’t get the “SQL Server Reporting Services (MSSQLSERVER)” service to start.

In the end it was quite a simple fix, we added the below registry key.

Open Reg Edit
Navigate to the following registry key “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control”
Right-click Control, and create a new DWORD with the name “ServicesPipeTimeout”, and then press ENTER.
Right-click “ServicesPipeTimeout”, and then click Modify.
Select Decimal, and type 60000 (this will allow the service 1 minute to start)
Restart Machine
This sorted it for us.

Missing SSMS shortcut on Start menu

If for any unfathomable reason you find that the SQL Server Management Studio is missing from your start menu, don’t be afraid! It’s easy as creating a new shortcut on the desktop and moving it back – you just have to know the location of the correct .exe file. And the location of where to move it to. This second part can be a bit tricky with the latest versions of windows (i can’t even imagine how Windows 8 Server will be without the start menu), so let’s make life a little easier and share the default file locations, shall we?

SSMS executable:
"C:\Program Files (x86)\Microsoft SQL Server\100\Tools\Binn\VSShell\Common7\IDE\Ssms.exe"

Start menu for "All Users" location (on Windows 2008 R2):
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft SQL Server 2008 R2

Start menu for specific user:
C:\Users\_USER_\AppData\Roaming\Microsoft\Windows\Start Menu\Programs

If you put the shortcut on YOUR start menu, it will go to your user folder. Please be kind and put it in the “All Users” start menu location. Why is it located on c:\ProgramData instead of c:\users\AllUsers ? Well, thats one of the unfathomable things, like the reason that the original shortcut is missing in the first place.

cya!