I've got an Availability Group going and need to map some logins to database users on an active secondary replica. (Node2) Unfortunately, when I try to exec sp_change_users_login
or alter user with login
, I get an error message telling me the database is read-only. That's no surprise, but I'm not sure how to fix it. I tried failing over last night, fixing the logins on Node2, and then failing back to Node1, but then the login/user mappings just end up wrong on Node1. When I fix those, Node2's logins get out of whack again.
This is a production system, so I can't do anything I want until later tonight. I didn't run into this problem in our test lab. The difference may be that I created the logins before joining the databases before, whereas this time I tried to create them afterwards, and failed to document the process correctly. Taking the AG down and rebuilding it is something I'd rather avoid if I can.
The problem makes sense to me, I just don't really know how to fix it.
Best Answer
What you will have to do is connect to the instance that has a mis-matched SID, and you'll have to recreate the login and specify an explicit SID. For instance, on the instance where you have the orphaned user and the following returns the user:
Copy the SID from the column
UserSID
. And if you already have an existing login that you want to preserve the name from on that instance, you can't. There is no way toALTER LOGIN
and change the SID. So, you will need to drop the login and recreate it:Again, you will want to set the
sid
parameter ofCREATE LOGIN
to theUserSID
you retrieved from executingsp_change_users_login
with thereport
.Note: You will want to set the password on this/these replica(s) to the same so that you don't have a password mismatch between replicas.
I am assuming that your login(s) in question here are SQL Server logins, as this shouldn't be a problem for Windows Auth domain accounts because the SIDs should be the same on each instance.
You could also leverage contained databases here and have the database principal authenticate at the database level. That way you wouldn't have to worry about orphaned users.
Here is some documentation on this:
BOL reference on Management of Logins and Jobs for the Databases of an Availability Group
KB article on How to transfer logins and passwords between instances of SQL Server
Also, this should go without saying, but test this out in a development/QA environment to verify and ensure proper functionality before hitting production.