SQL – How to transfer logins and passwords between SQL servers

When migrating databases to another server it is important to transfer the login information as well; otherwise the logins will have to be recreated, which may cause issues if the database password is hardcoded somewhere in an application .ini or .config file. Transferring also helps when the IT team that installed that third-party database is no longer around and did not document the password information.

To implement this, run the following script on your source SQL server.

USE master
GO
IF OBJECT_ID ('sp_hexadecimal') IS NOT NULL
    DROP PROCEDURE sp_hexadecimal
GO
-- Helper: converts a varbinary value (password hash or SID) to a '0x...' hex string
CREATE PROCEDURE sp_hexadecimal
    @binvalue varbinary(256),
    @hexvalue varchar (514) OUTPUT
AS
DECLARE @charvalue varchar (514)
DECLARE @i int
DECLARE @length int
DECLARE @hexstring char(16)
SELECT @charvalue = '0x'
SELECT @i = 1
SELECT @length = DATALENGTH (@binvalue)
SELECT @hexstring = '0123456789ABCDEF'
WHILE (@i <= @length)
BEGIN
    DECLARE @tempint int
    DECLARE @firstint int
    DECLARE @secondint int
    -- Split each byte into its high and low nibble
    SELECT @tempint = CONVERT(int, SUBSTRING(@binvalue,@i,1))
    SELECT @firstint = FLOOR(@tempint/16)
    SELECT @secondint = @tempint - (@firstint*16)
    SELECT @charvalue = @charvalue +
        SUBSTRING(@hexstring, @firstint+1, 1) +
        SUBSTRING(@hexstring, @secondint+1, 1)
    SELECT @i = @i + 1
END

SELECT @hexvalue = @charvalue
GO

IF OBJECT_ID ('sp_help_revlogin') IS NOT NULL
    DROP PROCEDURE sp_help_revlogin
GO
-- Prints CREATE LOGIN statements (with password hash and SID) for one login or for all logins except sa
CREATE PROCEDURE sp_help_revlogin @login_name sysname = NULL AS
DECLARE @name sysname
DECLARE @type varchar (1)
DECLARE @hasaccess int
DECLARE @denylogin int
DECLARE @is_disabled int
DECLARE @PWD_varbinary varbinary (256)
DECLARE @PWD_string varchar (514)
DECLARE @SID_varbinary varbinary (85)
DECLARE @SID_string varchar (514)
DECLARE @tmpstr varchar (1024)
DECLARE @is_policy_checked varchar (3)
DECLARE @is_expiration_checked varchar (3)

DECLARE @defaultdb sysname

IF (@login_name IS NULL)
    DECLARE login_curs CURSOR FOR

    SELECT p.sid, p.name, p.type, p.is_disabled, p.default_database_name, l.hasaccess, l.denylogin FROM
    sys.server_principals p LEFT JOIN sys.syslogins l
    ON ( l.name = p.name ) WHERE p.type IN ( 'S', 'G', 'U' ) AND p.name <> 'sa'
ELSE
    DECLARE login_curs CURSOR FOR
    SELECT p.sid, p.name, p.type, p.is_disabled, p.default_database_name, l.hasaccess, l.denylogin FROM
    sys.server_principals p LEFT JOIN sys.syslogins l
    ON ( l.name = p.name ) WHERE p.type IN ( 'S', 'G', 'U' ) AND p.name = @login_name
OPEN login_curs

FETCH NEXT FROM login_curs INTO @SID_varbinary, @name, @type, @is_disabled, @defaultdb, @hasaccess, @denylogin
IF (@@fetch_status = -1)
BEGIN
    PRINT 'No login(s) found.'
    CLOSE login_curs
    DEALLOCATE login_curs
    RETURN -1
END
SET @tmpstr = '/* sp_help_revlogin script '
PRINT @tmpstr
SET @tmpstr = '** Generated ' + CONVERT (varchar, GETDATE()) + ' on ' + @@SERVERNAME + ' */'
PRINT @tmpstr
PRINT ''
WHILE (@@fetch_status <> -1)
BEGIN
    IF (@@fetch_status <> -2)
    BEGIN
        PRINT ''
        SET @tmpstr = '-- Login: ' + @name
        PRINT @tmpstr
        IF (@type IN ( 'G', 'U'))
        BEGIN -- NT authenticated account/group

            SET @tmpstr = 'CREATE LOGIN ' + QUOTENAME( @name ) + ' FROM WINDOWS WITH DEFAULT_DATABASE = [' + @defaultdb + ']'
        END
        ELSE BEGIN -- SQL Server authentication
            -- obtain password and sid
            SET @PWD_varbinary = CAST( LOGINPROPERTY( @name, 'PasswordHash' ) AS varbinary (256) )
            EXEC sp_hexadecimal @PWD_varbinary, @PWD_string OUT
            EXEC sp_hexadecimal @SID_varbinary,@SID_string OUT

            -- obtain password policy state
            SELECT @is_policy_checked = CASE is_policy_checked WHEN 1 THEN 'ON' WHEN 0 THEN 'OFF' ELSE NULL END FROM sys.sql_logins WHERE name = @name
            SELECT @is_expiration_checked = CASE is_expiration_checked WHEN 1 THEN 'ON' WHEN 0 THEN 'OFF' ELSE NULL END FROM sys.sql_logins WHERE name = @name

            SET @tmpstr = 'CREATE LOGIN ' + QUOTENAME( @name ) + ' WITH PASSWORD = ' + @PWD_string + ' HASHED, SID = ' + @SID_string + ', DEFAULT_DATABASE = [' + @defaultdb + ']'

            IF ( @is_policy_checked IS NOT NULL )
            BEGIN
                SET @tmpstr = @tmpstr + ', CHECK_POLICY = ' + @is_policy_checked
            END
            IF ( @is_expiration_checked IS NOT NULL )
            BEGIN
                SET @tmpstr = @tmpstr + ', CHECK_EXPIRATION = ' + @is_expiration_checked
            END
        END
        IF (@denylogin = 1)
        BEGIN -- login is denied access
            SET @tmpstr = @tmpstr + '; DENY CONNECT SQL TO ' + QUOTENAME( @name )
        END
        ELSE IF (@hasaccess = 0)
        BEGIN -- login exists but does not have access
            SET @tmpstr = @tmpstr + '; REVOKE CONNECT SQL TO ' + QUOTENAME( @name )
        END
        IF (@is_disabled = 1)
        BEGIN -- login is disabled
            SET @tmpstr = @tmpstr + '; ALTER LOGIN ' + QUOTENAME( @name ) + ' DISABLE'
        END
        PRINT @tmpstr
    END

    FETCH NEXT FROM login_curs INTO @SID_varbinary, @name, @type, @is_disabled, @defaultdb, @hasaccess, @denylogin
END
CLOSE login_curs
DEALLOCATE login_curs
RETURN 0
GO

Once that is complete, run the following command.

exec sp_help_revlogin 'username'

This will generate output, a CREATE LOGIN statement carrying the login's password hash and SID, which you then copy and run on the destination SQL server.
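Because the generated statements carry the original SID and password hash, two checks on the destination server confirm the transfer worked and show what was carried over. The queries below are an added example, not part of the original script; MigratedDb is a placeholder database name, and the authentication_type_desc column assumes SQL Server 2012 or later.

```sql
-- Added example: post-migration checks, run on the DESTINATION server.
-- 'MigratedDb' is a placeholder for the database that was moved.
USE MigratedDb;
GO

-- 1) Orphaned users: SQL-authenticated database users whose SID has no
--    matching server login. An empty result means the SID = ... clause in
--    the generated CREATE LOGIN statements lined the logins up correctly.
SELECT dp.name AS database_user,
       dp.sid  AS user_sid
FROM sys.database_principals AS dp
LEFT JOIN sys.server_principals AS sp
       ON sp.sid = dp.sid
WHERE dp.type = 'S'                             -- SQL user
  AND dp.authentication_type_desc = 'INSTANCE'  -- mapped to a server login
  AND dp.principal_id > 4                       -- skip dbo, guest, INFORMATION_SCHEMA, sys
  AND sp.sid IS NULL;
GO

-- 2) Audit of the SQL logins now present: the HASHED clause copies the hash
--    byte for byte, so the hash format and the policy flags come across as
--    they were on the source. The first two bytes identify the format.
--    Reading password_hash requires CONTROL SERVER; otherwise it is NULL.
SELECT name,
       CASE SUBSTRING(password_hash, 1, 2)
            WHEN 0x0100 THEN 'SHA-1 (pre-2012 format)'
            WHEN 0x0200 THEN 'SHA-512 (2012+ format)'
            ELSE 'unknown or not readable'
       END AS hash_format,
       is_policy_checked,
       is_expiration_checked,
       is_disabled,
       modify_date
FROM sys.sql_logins
WHERE name <> 'sa'
ORDER BY hash_format, name;
GO
```

Logins reported with the pre-2012 format or with is_policy_checked = 0 are candidates for a password reset once the application that depends on them has been identified.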

All this can also be done more elegantly with PowerShell. Check out the link below:

https://blog.netnerds.net/2016/06/its-2016-why-is-sp_help_revlogin-a-thing/

 

Exchange 2016 – Adjusting Retention for Calendar and Tasks

A client recently asked to have a retention for mail items but to leave calendar and tasks untouched. When in the ECP the option to create a specific retention tag for calendar items or tasks is missing. You must do this through PowerShell.

Below is the command I used for both Calendar items and Tasks.

New-RetentionPolicyTag "Name of Retention Policy Tag" -Type Calendar -RetentionEnabled $false -RetentionAction DeleteAllowRecovery

Do the same for Tasks, replacing Calendar with Tasks in the Type field. Once run, you can then add these Retention Policy Tags to your Retention Policy.

vSphere 6.x – Unable to use Customization Template

Today I ran into an issue with an old template which I hadn’t used in quite some time. A vendor requested that we spin up a Windows Server 2012 R2 server for testing purposes.  Upon provisioning the server I came across this error message when the old template was selected.

The public key in the specification does not match the vCenter public key. You have to renter the password in order to proceed.

To resolve this issue, open vCenter using the vSphere Web Client. Select Policies and Profile, find your template and select Edit.


Select Administrator Password and reenter the password.


The VMware KB article can be found here:

https://kb.vmware.com/s/article/2111495

Exchange 2016 – ContentIndex State in Suspended state

I have noticed on occasion that after suspending a database copy for a prolonged period of time the ContentIndex State may be stuck in a Suspended state.

You can resolve this situation by reseeding the ContentIndex only from the Active copy.

Update-MailboxDatabaseCopy "DatabaseName\ExchangeServer" -CatalogOnly

 

Exchange 2016 – Unable to move Database due to suppression

The other day while updating Exchange 2016 to the latest CU, I ran across the following error message:

An Active Manager operation failed. Error: The database action failed. Error: Move for database ‘DatabaseName’ was  suppressed because too many moves have happened recently. 3 moves have happened within 01:00:00

Before updating, I had applied the latest security patches plus needed to update .NET Framework so I was moving datastores back and forth.

To get around this error you can use the SkipMoveSuppressionChecks parameter.

Move-ActiveMailboxDatabase -Identity 'DatabaseName' -ActivateOnServer 'ExchangeServer' -SkipMoveSuppressionChecks

Windows Server 2016 – Changing Windows Update Settings

So apparently Microsoft has removed the settings options from the GUI in Windows Server 2016. You can still change it a number of ways: regedit, sconfig, or GPO.

I found using sconfig the easiest for one of the servers, but it is best to use a GPO for a larger number of servers.


A better article on this can be found here:

http://www.darrylvanderpeijl.com/windows-server-2016-update-settings/

Musings on Nimble Storage Encryption

I have been working with Nimble Storage SANs for a few years now and I believe their storage solutions are perfect for midsized firms who may or may not have the budget to maintain a full-time Storage Engineer.

The user interface is clean and intuitive, upgrades are extremely straightforward, support is great, and I don't believe any other storage vendor can really compete with Infosight.

The other day at a client site, we came across an issue in regards to encryption. Encryption at Rest was enabled for some volumes and the

This is pretty much a set-and-forget option; however, this does not mean you will never have to enter the encryption passphrase. If your SAN loses power you will be forced to enter the password. So keep it in a safe place; if you lose it you are pretty much S.O.L. You cannot change the passphrase without knowing the current one. In order to recover the passphrase the SAN would need to be rebuilt or you would need to migrate all data off to unencrypted volumes. So moral of the story: never ever ever lose that password! 🙂