
Back door entry to SQL Server! Is this a loophole in SQL Server security?

One of my friends asked me whether we can restrict local admins from gaining control of SQL Server. He is more concerned about the back door entry to SQL Server: a member of the local Administrators group on the server can gain access to SQL Server by restarting it in single-user mode, adding himself as a login, and adding that login to the sysadmin role.

Well, I doubt this can be restricted, and I believe the answer is "NO". Admins can do anything within your SQL Server. However, if the threat is that the admin himself may be involved in data theft, then there are other ways to restrict that, such as encryption in SQL Server or Vormetric Data Security.

We can't deny the fact that there are several ways by which a local or domain admin can take control of SQL Server. All a local or domain admin has to do is log in as the SQL Server service account and they will be able to connect to the instance. If they don't know the password to that account, all a domain admin has to do is change the password for the account, launch SQL Server Configuration Manager, change the password there, then log in with the service account and connect to the instance (they don't even have to shut the instance down following the service account change).

If the local admin doesn't have domain admin authority, they can still accomplish the same thing by creating a local account on the machine and going from there. Or, they can simply change the service account of the SQL Server instance to their own Windows account.

The only way you could possibly accomplish this is to create a logon trigger that disconnects anyone coming in who is a sysadmin and isn't in a list that you control within the SQL Server instance. However, this can still be bypassed by starting the instance in single-user mode or by using a trace flag.
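As an added example (not code from the original post), here is what such a logon trigger looks like: it denies any sysadmin login that is not on an allow list kept in master, and writes each denial to the SQL Server error log so the attempt is at least visible. The allow-list table name and the login names in it are placeholders.

```sql
-- Added example (not from the original post): a server-level logon trigger that
-- denies connections from sysadmin members who are not on an allow list the
-- DBA team controls, and writes each denial to the SQL Server error log.
-- Assumptions: dbo.SysadminAllowList in master and the login names in it are placeholders.
USE master;
GO
CREATE TABLE dbo.SysadminAllowList
(
    login_name sysname NOT NULL PRIMARY KEY
);
INSERT INTO dbo.SysadminAllowList (login_name)
VALUES (N'sa'), (N'CORP\DBA-Team');   -- placeholders: your approved sysadmin logins
GO
CREATE TRIGGER trg_sysadmin_allow_list
ON ALL SERVER WITH EXECUTE AS 'sa'
FOR LOGON
AS
BEGIN
    DECLARE @login sysname = ORIGINAL_LOGIN();
    DECLARE @host  sysname = HOST_NAME();

    -- Check sysadmin membership of the connecting login, not of the trigger's
    -- execution context (which is 'sa' and would always be sysadmin).
    IF IS_SRVROLEMEMBER(N'sysadmin', @login) = 1
       AND NOT EXISTS (SELECT 1 FROM master.dbo.SysadminAllowList WHERE login_name = @login)
    BEGIN
        -- Severity 10 is informational; WITH LOG writes to the error log and the
        -- Windows Application log, so the record survives the ROLLBACK below.
        RAISERROR(N'Logon denied: sysadmin login %s is not on the allow list (host %s)',
                  10, 1, @login, @host) WITH LOG;
        ROLLBACK;   -- in a logon trigger this cancels the connection
    END
END;
GO
-- To pause enforcement without dropping the trigger:
-- DISABLE TRIGGER trg_sysadmin_allow_list ON ALL SERVER;
```

Get the allow list right before creating the trigger and test on a non-production instance: if the list leaves out every real sysadmin, they are locked out too, and the documented ways back in are the dedicated administrator connection and starting the instance in minimal-configuration or single-user mode, which is exactly the back door this post is about. The control can therefore be bypassed, but every denied attempt lands in the error log, which gives you a detection signal you would not otherwise have.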

My take is that rather than looking at it as a loophole we should consider it a feature: if somebody messes with your SQL Server and deletes all the logins from inside, the admins can still log in, fix the issue and take control back. Coming back to the security aspects, there are several features available to stop data theft, such as the encryption features inside SQL Server and Vormetric Data Security at the file level.

I had been in a situation where a database server was hacked by a well-known hacker, "Hmei7", and the hacker inserted JavaScript inside the columns of several tables and then disabled the logins; hence you must have a back door entry to regain control of your SQL Server.

It's the responsibility of the organization to assess its security and restrict admin access to a handful of people who are authorized, and as a best practice to review the access management policy quarterly.


How to add an article in Transactional Replication

Let's consider a scenario: we have a database with 3 tables, 2 of them are already added to replication, and we want to add the third table to the publication.

This matters more when we have a larger database and we don't want to reinitialize the replication.

To avoid a complete snapshot of the Publisher database and to avoid re-initialization, we need to make some changes to the existing replication. We need to set 2 publication properties to false, as shown below:

  1. allow_anonymous
  2. Immediate_sync

Execute the commands below:

    USE [PublisherDB]  -- placeholder: the database that owns publication 'PubDB'
    GO
    EXEC sp_changepublication @publication = 'PubDB',
        @property = 'allow_anonymous',
        @value = 'false'
    GO
    EXEC sp_changepublication @publication = 'PubDB',
        @property = 'immediate_sync',
        @value = 'false'
    GO

Now add the new article (table T3) to the existing publication from the Publisher properties and press OK.


Now start the Snapshot Agent.


Now you can notice that it only creates a snapshot of one article instead of all articles. Now start the Log Reader Agent if it's in the stopped state.


As you can see, a snapshot was generated for only one article, so this article will be replicated to all subscribers without impacting the existing replication.

Don't forget to execute the commands below at the end to re-enable the disabled properties (immediate_sync goes first, because allow_anonymous can only be true while immediate_sync is true):

    USE [PublisherDB]  -- placeholder: the database that owns publication 'PubDB'
    GO
    EXEC sp_changepublication @publication = 'PubDB',
        @property = 'immediate_sync',
        @value = 'true'
    GO
    EXEC sp_changepublication @publication = 'PubDB',
        @property = 'allow_anonymous',
        @value = 'true'
    GO


Now you can verify the article on all your subscribers.
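The same procedure can be scripted end to end in T-SQL instead of clicking through the Publisher properties and the Snapshot Agent. The script below is an added example, not from the original post; it goes a little beyond the post by adding the article and refreshing existing push subscriptions with replication stored procedures. The publication name 'PubDB' and table T3 come from the post; the publisher database name [PublisherDB] is a placeholder.

```sql
-- Added example (not from the original post): add one article to an existing
-- transactional publication without a full snapshot, entirely in T-SQL.
-- Assumptions: publication 'PubDB', publisher database [PublisherDB] (placeholder),
-- new table dbo.T3, push subscriptions.
USE [PublisherDB];
GO
-- 1. Turn off the two properties that would otherwise force a full snapshot.
EXEC sp_changepublication @publication = N'PubDB', @property = N'allow_anonymous', @value = N'false';
EXEC sp_changepublication @publication = N'PubDB', @property = N'immediate_sync',  @value = N'false';
GO
-- 2. Add the new table as a log-based (transactional) article.
EXEC sp_addarticle
    @publication       = N'PubDB',
    @article           = N'T3',
    @source_owner      = N'dbo',
    @source_object     = N'T3',
    @type              = N'logbased',
    @destination_table = N'T3';
GO
-- 3. With immediate_sync off, existing push subscriptions do not pick up new
--    articles automatically; this adds the article to all of them.
EXEC sp_refreshsubscriptions @publication = N'PubDB';
GO
-- 4. Start the Snapshot Agent; it now generates a snapshot for T3 only.
EXEC sp_startpublication_snapshot @publication = N'PubDB';
GO
-- 5. Restore the original property values. immediate_sync must be true
--    before allow_anonymous can be set back to true.
EXEC sp_changepublication @publication = N'PubDB', @property = N'immediate_sync',  @value = N'true';
EXEC sp_changepublication @publication = N'PubDB', @property = N'allow_anonymous', @value = N'true';
GO
-- 6. Verify: both properties are back on and T3 is listed among the articles.
SELECT name, allow_anonymous, immediate_sync
FROM dbo.syspublications
WHERE name = N'PubDB';

SELECT a.name AS article_name
FROM dbo.sysarticles AS a
JOIN dbo.syspublications AS p ON p.pubid = a.pubid
WHERE p.name = N'PubDB';
```

Run it on the Publisher. The Log Reader Agent still has to be running for the new article's transactions to reach the distribution database, exactly as in the GUI walkthrough above.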

If you want to know more about the immediate_sync property, follow the link below:

  1. Immediate_sync



One Way Merge Replication

Recently I received a requirement from the application team to configure one-way merge replication. Although it sounds weird, yes, this is possible, and Microsoft provides some parameters to tweak the normal behavior of Merge Replication.

Before we proceed further, let's discuss the normal behavior of Merge Replication and when to use it.

Merge replication is one of the modes available in Microsoft SQL Server for distributing data from a primary server to various other servers. Merge replication is one of three types of replication, along with snapshot replication and transactional replication. Which type is used depends on the database's needs, how frequently changes are made to it, and the SQL Server version being employed.


Merge replication is the most complex type of replication because it allows both publisher and subscriber to independently make changes to the database. In this scenario, it is debatable whether the publisher is strictly the primary server, because other servers can also make changes to the data. At any rate, the changes are then synchronized by merge agents that sit on both servers, as well as by a predetermined conflict resolution mechanism in case of clashing data changes. Such clashes may arise because merge replication does not require a real-time network connection between the publisher and the subscriber, which raises the very real possibility of one server changing data, and another server later changing the very same data to a different value.
Here is an article that explains conflict detection and resolution.

Merge replication is commonly used by laptop and other mobile users who cannot be constantly connected to the publisher, but still need to carry around a copy of the database that they can make changes to.

Are there any disadvantages of Merge Replication?

  • It takes a lot of time to replicate and synchronize both ends.
  • There is low consistency, as a lot of parties have to be synchronized.
  • There can be conflicts during merge replication if the same rows are affected at more than one subscriber and the publisher. There is conflict resolution in place, but that adds complication.

Why is there a need for one-way merge, and are there any advantages?

Consider a scenario where the application needs fewer jobs, less administration of jobs and of the distribution database, wants to get rid of the Publisher-to-Distributor latency, and specifically serves handheld/mobile devices or read-only data stores that cannot be constantly connected to the publisher but still need to carry around a copy of the database.

It is also quite possible that you need this kind of setup because there are constraints on adding primary keys in your database/application, yet you still need some specific set of data proliferated to other sites. But you have to be careful here, as this will add additional rowguid columns to the tables, which you have to take care of on the front end.

From the advantages point of view, I only see that with One Way Merge you can get rid of the Log Reader Agent, so you will not see issues like the Log Reader Agent getting stuck while scanning thousands of VLFs (virtual log files) when the log grows too much in certain scenarios, and you don't have to bother much about conflict resolution.

How to configure One Way Merge Replication?

There are 2 ways to achieve this kind of setup, where we want data to be pushed only from Publisher to Subscriber.

Method 1

The first way is at the article level, where we can decide that a merge table article is download-only, with the option of either allowing changes at the subscriber that will not be uploaded to the Publisher, or not allowing changes at the subscriber at all. This is achieved by using the property below.

When adding an article, there is an option to define subscriber_upload_options:

sp_addmergearticle @subscriber_upload_options= subscriber_upload_options

This defines restrictions on updates made at a Subscriber (with a client subscription). The parameter subscriber_upload_options is a tinyint and can have one of the following values:

  • 0: No restrictions. Changes made at the Subscriber are uploaded to the Publisher.
  • 1: Changes are allowed at the Subscriber, but they are not uploaded to the Publisher.
  • 2: Changes are not allowed at the Subscriber.




Hence, to achieve this functionality we can choose 1 (changes are allowed at the Subscriber, but they are not uploaded to the Publisher) or 2 (changes are not allowed at the Subscriber).




@subscriber_upload_options = 1 is defined as "download only, but allow subscriber changes". With this option there are no triggers at the subscriber, so no triggers fire to unnecessarily log metadata at the subscriber, which makes both subscriber data changes and the subsequent synchronization significantly faster.

@subscriber_upload_options = 2 disallows all subscriber changes. In this case there is a special trigger, MSmerge_downloadonly*, which will roll back any attempt to change subscriber data:

Msg 20063, Level 16, State 1, Line 1
Table into which you are trying to insert, update, or delete data has been marked as read-only. Only the merge process can perform these operations.


Once you are done with the configuration of the publication, add the subscriber where you want to download these articles and subsequent transactions, with the subscription type property set to "Client".


This is how you can achieve one-way merge replication by changing the property of the published articles: sp_addmergearticle @subscriber_upload_options = subscriber_upload_options.
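As an added example (not from the original post), here is Method 1 in T-SQL: one article created as download-only with local changes allowed (option 1), an existing article switched to strictly read-only at the subscriber (option 2), and a query that confirms the setting per article. The publication 'MergePub', database [PublisherDB] and tables dbo.Products and dbo.Prices are placeholders.

```sql
-- Added example (not from the original post): download-only merge articles
-- via @subscriber_upload_options. All names below are placeholders.
USE [PublisherDB];
GO
-- New article, option 1: the subscriber may change rows locally, but nothing
-- is uploaded to the Publisher and no merge triggers are created at the subscriber.
EXEC sp_addmergearticle
    @publication               = N'MergePub',
    @article                   = N'Products',
    @source_owner              = N'dbo',
    @source_object             = N'Products',
    @type                      = N'table',
    @subscriber_upload_options = 1;
GO
-- Existing article, option 2: reject every change at the subscriber
-- (the MSmerge_downloadonly* trigger raises error 20063).
-- Changing an article property can invalidate the snapshot and reinitialize
-- subscriptions; the two flags acknowledge that.
EXEC sp_changemergearticle
    @publication               = N'MergePub',
    @article                   = N'Prices',
    @property                  = N'subscriber_upload_options',
    @value                     = N'2',
    @force_invalidate_snapshot = 1,
    @force_reinit_subscription = 1;
GO
-- Verify: upload_options in sysmergearticles holds the value for each article
-- (0 = bidirectional, 1 = download only with local changes, 2 = read-only).
SELECT a.name AS article_name, a.upload_options
FROM dbo.sysmergearticles AS a
JOIN dbo.sysmergepublications AS p ON p.pubid = a.pubid
WHERE p.name = N'MergePub'
ORDER BY a.name;
```

After this, create the subscription with subscription type "Client" as the post says; a server (republishing) subscription does not honour these restrictions.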

Method 2

There is another way by which you can change the normal behavior of merge replication and force it into a unidirectional merge. This is achieved by changing the normal behaviour of the Merge Agent using the "EXCHANGETYPE" property.

The value of -EXCHANGETYPE determines the direction of merge replication changes. This can be done by manually editing the Merge Agent job step and adding the -EXCHANGETYPE parameter with a value of 2:

  • UploadOnly (1): Only changes originating at the Subscriber are merged with the Publisher. The Publisher's changes stay at the Publisher. Use a value of 1 in your agent properties.
  • DownloadOnly (2): Only changes originating at the Publisher are merged with the Subscriber. Use a value of 2 in your agent properties.
  • Bi-Directional (3, default): Changes originating at the Publisher and at the Subscriber are merged. Use a value of 3 in your agent properties.

As soon as we configure the parameter with a value of 2, changes to a replicated article at the subscriber are not prohibited: they are recorded in the merge metadata tables via the merge triggers and subsequently filtered out when the Merge Agent synchronizes. This means there may be a huge amount of metadata unnecessarily recorded, slowing down data changes and synchronization.
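Editing the job step by hand is error-prone, so here is Method 2 as an added example (not from the original post): a script that lists the Merge Agent job steps and appends -ExchangeType 2 to the chosen one. It runs on the server that hosts the Merge Agent job (the Distributor for a push subscription, the Subscriber for a pull subscription); the job name is a placeholder.

```sql
-- Added example (not from the original post): append -ExchangeType 2 to the
-- Merge Agent job step so the agent only downloads Publisher changes.
-- The job name is a placeholder; the first query lists the candidates.
USE msdb;
GO
-- 1. Find the merge agent jobs and their current command lines.
SELECT j.name, s.step_id, s.command
FROM dbo.sysjobs AS j
JOIN dbo.sysjobsteps AS s ON s.job_id = j.job_id
WHERE s.subsystem = N'Merge';
GO
-- 2. Append the parameter to the chosen job step (skipped if already present).
DECLARE @job_name sysname = N'<merge agent job name>';   -- placeholder
DECLARE @job_id uniqueidentifier, @step_id int, @command nvarchar(max);

SELECT @job_id = j.job_id, @step_id = s.step_id, @command = s.command
FROM dbo.sysjobs AS j
JOIN dbo.sysjobsteps AS s ON s.job_id = j.job_id
WHERE j.name = @job_name AND s.subsystem = N'Merge';

IF @command IS NULL
    RAISERROR(N'No Merge subsystem step found for job %s', 16, 1, @job_name);
ELSE IF @command LIKE N'%-ExchangeType%'
    PRINT N'ExchangeType already set: ' + @command;
ELSE
BEGIN
    SET @command = @command + N' -ExchangeType 2';
    EXEC dbo.sp_update_jobstep @job_id = @job_id, @step_id = @step_id, @command = @command;
    PRINT N'Updated: ' + @command;
END
GO
```

The agent reads its parameters at start-up, so a continuously running Merge Agent job has to be stopped and started before the new value takes effect. Note that this changes direction for the whole subscription, whereas Method 1 works per article.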



Conclusion: One-way or unidirectional replication can be achieved easily in Merge Replication with minor tweaking in SQL Server 2005 and later versions, even at a very granular level.

sp_addmergearticle @subscriber_upload_options = 1 defines restrictions on updates made at a subscriber. The parameter value of 1 is described as "download only, but allow subscriber changes" and seems equivalent to the -EXCHANGETYPE = 2 setting mentioned previously, but in the SQL Server 2005 case there are no triggers at all on the subscriber table. Another distinction is that this setting is made at the more granular article level rather than for the entire publication. This means that although the -EXCHANGETYPE and sp_addmergearticle methods are logically equivalent, the implementation became much more sophisticated in SQL Server 2005 and later versions: triggers that unnecessarily log metadata at the subscriber are no longer fired, so both subscriber data changes and the subsequent synchronization are significantly faster.

@subscriber_upload_options = 2 disallows all subscriber changes. In this case there is a special trigger, MSmerge_downloadonly*, which will roll back any attempt to change subscriber data.

However, you have to be very sure before using this option, as it is on the deprecated features list, and about re-initialization of the subscription with this kind of setup.

Deprecated Features in SQL Server Replication

I would highly appreciate feedback and comments on this article, and would love to know about any advantages you are getting from this kind of setup if you are already using Unidirectional Merge.




SQL Performance Analyzer and Health Check

Sara Performance Analyzer

Sara Performance Analyzer (SQL Administration and Reporting Analysis) is a Windows-based application which helps you troubleshoot SQL Server issues. The application performs a health check on various parameters and provides a full report for your SQL Server. The tool provides detailed information on the parameters below:

  • Hardware
  • Disk Status
  • Services
  • Instance
  • DB Configuration
  • Backup Status
  • Temp DB Status
  • Performance
  • Job related information


Download the zip file, extract all the files into a folder and run setup.exe. This will install the application named SARA on your machine.

>>Download Sara Performance Analyzer<<

How to run this tool, and pre-requisites for this application:

  • You must be SYSADMIN on the SQL Server and a server admin on the machine to run this application.
  • The application enables xp_cmdshell to execute some commands and then disables it again afterwards, so test this in your DEV and test environments before executing it on production.
  • Use SQL Authentication or the Integrated option.
  • Enter the server name.
  • Select the authentication.
  • Click Process.

This application will take around 1-3 minutes to finish all tests and then displays the results in a data grid.


SQLCodeBlock is a small tool that contains all the day-to-day scripts that database administrators use for troubleshooting and normal SQL Server health checks. It's a small initiative to collect all those scripts and assemble them into a Windows-based application.

You can download and install this tool on your local machine and run it any time. It's very easy to use: just open the tool, select a category, select a sub-category, click Fetch Script and then click Copy to Clipboard.

>>SQLCodeBlock Download<< (OneDrive)

>>SQLCodeBlock Download<< (Google Drive)

Download the zip file, extract the files and run setup.exe to install it on your machine.

How many SQL instances can I host efficiently on an existing server?

It's a very open-ended question. Before answering it you need to understand what kind of applications you are using and how many transactions they make on the database. You need to understand the size of the databases and how much CPU/memory is required to run them on SQL Server; it also depends heavily on the performance capacity of the physical server/VM. I mean, if you have a server with multiple cores, 100 GB of memory and a super-fast SAN, you can host multiple instances.

This kind of instance consolidation has its own pros and cons: it can be beneficial, but it can also be a headache for a DBA or architecture team.

Why Would You Use Multiple SQL Server Instances?

  • You can save a lot of hardware cost.
  • License costs for SQL Server are currently per CPU socket per machine, not per instance on a machine. Doubling up the instances on a machine can save a lot of cost.
  • You fully utilize the hardware performance to its limit.

Performance benchmarking is very important for consolidation (running multiple instances on one server). This benchmarking will tell you how much MIN/MAX CPU and how much MIN/MAX memory is required to run the SQL instance, and also how much storage capacity is required. Apart from these, network bandwidth and I/O play an important role before deciding to host multiple instances on one server.

Which important counters must I collect to define my benchmark for a SQL instance?

Identify the physical configuration of the server on which you are hosting this SQL instance.


You need to look at trends for the performance counters below to define the minimum, average and maximum values required for your SQL instance to run.

  1. Identify the CPU utilization trend over a period of time to identify the CPU required to run the SQL instance: this will let you decide how much computing power (processors) is required to host this SQL instance.


  2. Identify the CPU utilization of each database: you can easily get this information from T-SQL, i.e. the average CPU utilization per database. A job can be configured on the server, and you can draw a trend and actually see which database is consuming the most CPU.

 -- CPU time per database, aggregated from cached plans. Note that
 -- total_worker_time is reported in microseconds, despite the alias below.
 WITH db_cpu_stats
 AS (SELECT databaseid,
            DB_NAME(databaseid) AS [database name],
            SUM(total_worker_time) AS [cpu_time_ms]
     FROM sys.dm_exec_query_stats AS qs
     CROSS APPLY (SELECT CONVERT(int, value) AS [databaseid]
                  FROM sys.dm_exec_plan_attributes(qs.plan_handle)
                  WHERE attribute = N'dbid') AS f_db
     GROUP BY databaseid)
 SELECT [database name] AS 'Name',
        [cpu_time_ms] AS 'CPU Time [MS]',
        CAST([cpu_time_ms] * 1.0 / SUM([cpu_time_ms]) OVER() * 100.0 AS decimal(5, 2)) AS 'CPU [%]'
 FROM db_cpu_stats
 WHERE databaseid <> 32767 -- ResourceDB
 ORDER BY CAST([cpu_time_ms] * 1.0 / SUM([cpu_time_ms]) OVER() * 100.0 AS decimal(5, 2)) DESC
 OPTION (RECOMPILE);



  3. Identify the memory utilization of each database:

-- Buffer pool pages per database, as MB and as a share of all database pages.
DECLARE @total_buffer INT;
SELECT @total_buffer = cntr_value
FROM sys.dm_os_performance_counters
WHERE RTRIM([object_name]) LIKE '%Buffer Manager'
  AND counter_name = 'Database Pages';

;WITH src AS
(
    SELECT database_id, db_buffer_pages = COUNT_BIG(*)
    FROM sys.dm_os_buffer_descriptors
    --WHERE database_id BETWEEN 5 AND 32766
    GROUP BY database_id
)
SELECT [db_name] = CASE [database_id] WHEN 32767
                        THEN 'Resource DB'
                        ELSE DB_NAME([database_id]) END,
       db_buffer_MB = db_buffer_pages / 128,
       db_buffer_percent = CONVERT(DECIMAL(6,3),
                                   db_buffer_pages * 100.0 / @total_buffer)
FROM src
ORDER BY db_buffer_MB DESC;

  4. Identify the usage of the counters below to define MIN/MAX memory and other memory configurations.

These counters will help you understand the load on the SQL Server. Monitor them over a period of time and analyze the trend; that will give you the min, max and average utilization of these parameters.
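The counter list itself was an image in the original post. As an added example (not the post's code), the script below shows the collection mechanism: it samples a handful of memory and buffer counters from sys.dm_os_performance_counters into a table on a schedule and then reports min/avg/max per counter. The table name, the utility database [DBAUtility] and the particular counters chosen are assumptions; swap in the counters you track.

```sql
-- Added example (not from the original post): capture SQL Server memory and
-- buffer counters into a table so MIN/MAX/AVG can be trended over time.
-- Assumptions: database [DBAUtility] and table dbo.CounterTrend are placeholders.
USE [DBAUtility];
GO
CREATE TABLE dbo.CounterTrend
(
    sample_time  datetime2(0)  NOT NULL DEFAULT SYSDATETIME(),
    object_name  nvarchar(128) NOT NULL,
    counter_name nvarchar(128) NOT NULL,
    cntr_value   bigint        NOT NULL
);
GO
-- Collector: run this from a SQL Agent job every few minutes.
-- object_name carries the instance prefix (SQLServer: or MSSQL$NAME:), so match with LIKE.
INSERT INTO dbo.CounterTrend (object_name, counter_name, cntr_value)
SELECT RTRIM(object_name), RTRIM(counter_name), cntr_value
FROM sys.dm_os_performance_counters
WHERE (object_name LIKE N'%:Memory Manager%'
       AND counter_name IN (N'Total Server Memory (KB)', N'Target Server Memory (KB)'))
   OR (object_name LIKE N'%:Buffer Manager%'
       AND counter_name IN (N'Page life expectancy', N'Database Pages'));
GO
-- Trend report: min/avg/max per counter over the collected period.
SELECT counter_name,
       MIN(sample_time) AS first_sample,
       MAX(sample_time) AS last_sample,
       COUNT(*)         AS samples,
       MIN(cntr_value)  AS min_value,
       AVG(cntr_value)  AS avg_value,
       MAX(cntr_value)  AS max_value
FROM dbo.CounterTrend
GROUP BY counter_name
ORDER BY counter_name;
```

Total Server Memory against Target Server Memory over a full business cycle is what tells you whether the instance is starved or over-provisioned, which is the number you need before setting min/max server memory for each consolidated instance.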




  5. Identify the database usage trends to define capacity management.


Apart from all this, you need to focus on the I/O subsystem. Your I/O subsystem must be fast, and further separating your log, data and tempdb data files will give you an additional advantage.

Once you define your benchmark on the basis of the above counters, it will help you define the CPU, memory, storage and bandwidth requirements for a SQL instance.

Reporting Services not starting: the service failed or the service did not start in a timely fashion

This was a newly installed SQL Server, and after a restart of the server the Reporting Services service failed to start every time we tried to start it. We checked all the usual areas and found everything fine.

Then we came to know that this is a generic error: the Microsoft Windows Service Control Manager controls the state (started, stopped, paused, etc.) of all installed Windows services, and by default it waits 30,000 milliseconds (30 seconds) for a service to respond, but certain configurations, technical restrictions, or performance issues may result in the service taking longer than 30 seconds to start.


Resolution: By editing or creating the ServicesPipeTimeout DWORD value, the Service Control Manager timeout period can be overridden, giving the service more time to start up and report ready to the Service Control Manager.

  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following registry subkey:
  3. In the right pane, locate the ServicesPipeTimeout entry.
     Note: If the ServicesPipeTimeout entry does not exist, you must create it. To do this, on the Edit menu, point to New, and then click DWORD Value.
  4. Type ServicesPipeTimeout, and then press ENTER.
  5. Right-click ServicesPipeTimeout, and then click Modify.
  6. Click Decimal, type 60000 or 120000, and then click OK.


This value represents the time in milliseconds before a service times out. The new value takes effect after the computer is restarted.

SSRS 2008 problem: Message: Invalid URI: The Authority/Host could not be parsed

You could face this issue while connecting to Reporting Services from Reporting Services Configuration Manager.

The error below mainly appears while accessing the Web Service URL property in Reporting Services Configuration Manager, and the main reason behind it is a broken or invalid <UrlString> tag.



To confirm this, go to the location mentioned below and open the rsreportserver.XML file in Notepad: \Program Files\Microsoft SQL Server\MSRS10.SQL2008_PROD\Reporting Services\ReportServer

Resolution: Correct the <UrlString>...</UrlString> element accordingly and save the file; it should work now.

Report server has detected a possible denial of service attack

We encountered a strange issue where Reporting Services stopped responding for some users. When we investigated the issue and checked the event viewer, we found the warnings mentioned below:

Warning: The report server has detected a possible denial of service attack. The report server is dropping requests for service from the

Warning 2: Exception information:
      Exception type: HttpException      
                  Exception message: Server Too Busy



The reason here could be that the number of connections from the same user exceeds the maximum allowed number of concurrent connections from one user; Reporting Services will then not handle new requests and will wait until existing requests have terminated.

By default Reporting Services allows only 20 concurrent connections from one user, as shown below; hence to resolve this issue you need to increase this value as per your requirement.

Resolution: Go to the location mentioned below, or wherever the report server config file is located in your installation.

\Program Files\Microsoft SQL Server\MSRS10.MSSQLSERVER\Reporting Services\ReportServer

  • Open the file in Notepad, find "MaxActiveReqForOneUser" and change its value as needed, e.g. from 20 to 50.

<Add Key="MaxActiveReqForOneUser" Value="20"/>

Hope this will resolve your issue.