What you will have to do is connect to the instance that has a mis-matched SID, and you'll have to recreate the login and specify an explicit SID. For instance, on the instance where you have the orphaned user and the following returns the user:
exec sp_change_users_login 'report';
go
Copy the SID from the column UserSID
. And if you already have an existing login that you want to preserve the name from on that instance, you can't. There is no way to ALTER LOGIN
and change the SID. So, you will need to drop the login and recreate it:
drop login YourLogin;
go
create login YourLogin
with
password = 'password',
check_policy = off, -- simple password and no check policy for example only
sid = 0xC26909...................;
go
Again, you will want to set the sid
parameter of CREATE LOGIN
to the UserSID
you retrieved from executing sp_change_users_login
with the report
.
Note: You will want to set the password on this/these replica(s) to the same so that you don't have a password mismatch between replicas.
I am assuming that your login(s) in question here are SQL Server logins, as this shouldn't be a problem for Windows Auth domain accounts because the SIDs should be the same on each instance.
You could also leverage contained databases here and have the database principal authenticate at the database level. That way you wouldn't have to worry about orphaned users.
Here is some documentation on this:
BOL reference on Management of Logins and Jobs for the Databases of an Availability Group
KB article on How to transfer logins and passwords between instances of SQL Server
Also, this should go without saying, but test this out in a development/QA environment to verify and ensure proper functionality before hitting production.
After a call with someone from Microsoft, I was told that there are no listeners on the Distributed availability level yet. So currently if we want to use DAG, you will have to change your DNS or application connection to connect to the secondary availability group.
Best Answer
Putting in a simple language :
For SQL Authentication, you should create the login with SAME SID and map it to your user database/s on all the nodes with proper permissions (follow the principle of least privileged). This script will help you or this SSMS addin from sqlskills.
For Windows Authentication, you should create a login and map it to your user database. Create/transfer the same login to other nodes.
A listener is a virtual interface and has nothing to do with logins or users.