SQL Server Availability Groups – How to Manage Logins

availability-groupssql serversql server 2014sql-server-2012

I am new to Always On Availability Groups and I am little bit confused with creation of logins.

Let's assume an environment NODE1(Primary) & NODE2(secondary) & NODE3(Stand by) & VAEWI(Listener).

I need to create a SQL authentication login.

For this, I assume I need to create it by connecting to listener that which will sync in all of the nodes.
I need to create a Windows authentication.

For this I think, as all of the nodes are window-clustered before creating the availability group. So, we need to create a Windows user 1st in primary node and then create a Windows authentication by connecting to the listener.

Can anyone let me know if my assumptions are true?

Best Answer

Putting in a simple language :

A login gives you access to server.

A user gives you access to database.

A login must map a user so that you can access the database.

For SQL Authentication, you should create the login with SAME SID and map it to your user database/s on all the nodes with proper permissions (follow the principle of least privileged). This script will help you or this SSMS addin from sqlskills.

For Windows Authentication, you should create a login and map it to your user database. Create/transfer the same login to other nodes.

A listener is a virtual interface and has nothing to do with logins or users.

Related Solutions

Sql-server – How to link users and logins in an Availability Group

What you will have to do is connect to the instance that has a mis-matched SID, and you'll have to recreate the login and specify an explicit SID. For instance, on the instance where you have the orphaned user and the following returns the user:

exec sp_change_users_login 'report';
go

Copy the SID from the column UserSID. And if you already have an existing login that you want to preserve the name from on that instance, you can't. There is no way to ALTER LOGIN and change the SID. So, you will need to drop the login and recreate it:

drop login YourLogin;
go

create login YourLogin
with
    password = 'password',
    check_policy = off,     -- simple password and no check policy for example only
    sid = 0xC26909...................;
go

Again, you will want to set the sid parameter of CREATE LOGIN to the UserSID you retrieved from executing sp_change_users_login with the report.

Note: You will want to set the password on this/these replica(s) to the same so that you don't have a password mismatch between replicas.

I am assuming that your login(s) in question here are SQL Server logins, as this shouldn't be a problem for Windows Auth domain accounts because the SIDs should be the same on each instance.

You could also leverage contained databases here and have the database principal authenticate at the database level. That way you wouldn't have to worry about orphaned users.

Here is some documentation on this:
BOL reference on Management of Logins and Jobs for the Databases of an Availability Group
KB article on How to transfer logins and passwords between instances of SQL Server

Also, this should go without saying, but test this out in a development/QA environment to verify and ensure proper functionality before hitting production.

Distributed Availability Groups & Listeners in SQL Server

After a call with someone from Microsoft, I was told that there are no listeners on the Distributed availability level yet. So currently if we want to use DAG, you will have to change your DNS or application connection to connect to the secondary availability group.

Best Answer

Related Solutions

Sql-server – How to link users and logins in an Availability Group

Distributed Availability Groups & Listeners in SQL Server

Related Question