SQL Clone
SQLServerCentral is supported by Redgate
 
Log in  ::  Register  ::  Not logged in
 
 
 

Always On - Endpoint Ownership

By Ginger Keys Daniel,

It is not uncommon for a DBA, or other IT staff, to set up AlwaysOn in a SQL environment and later leave the company. We ran into this recently with a client and were asked to delete the previous employee’s login from everything SQL related. We were able to remove the login from all databases and server roles, however we were not able to delete the login because it was the owner of an endpoint.

When creating an Always On Availability Group, you have the option of using the wizard or you can create it using T-SQL statements. The wizard is very intuitive and easy to use and with the exception of a few settings you can specify, default configurations are deployed using this method. One of the default configurations is the endpoint owner. Whoever creates the Availability Group is, by default, the owner of the endpoint.

This is generally not a problem…unless that person leaves the company and you need to delete the login!  You will get an error message that says:

“The server principal owns one or more endpoint(s) and cannot be dropped (Microsoft SQL Server, Error: 15141)”.

To check and see who the owner of your endpoints are, run this statement:

USE master
GO
SELECT e.name as EndpointName,
sp.name AS EndpointOwner,
et.PayloadType,
e.state_desc
FROM sys.endpoints e
INNER JOIN sys.server_principals sp
ON e.principal_id = sp.principal_id
RIGHT OUTER JOIN ( VALUES ( 2, 'TSQL'),
( 3, 'SERVICE_BROKER'), ( 4, 'DATABASE_MIRRORING') )
AS et ( typeid, PayloadType )
ON et.typeid = e.type

The AlwaysOn endpoint will have the name Hadr_endpoint and will have a DATABASE_MIRRORING payload type as shown below.

If your AlwaysOn AG group has already been created and there is a domain login as the owner, you can change the ownership to sa. Run the following statement to make the change:

USE master
GO
ALTER AUTHORIZATION ON ENDPOINT::Hadr_endpoint TO sa

This will allow you to delete any login who might have owned the endpoint if its ever necessary.

If you are creating an AlwaysOn Availablitiy Group and want to use T-SQL statements instead of the wizard, you have the ability to specify the endpoint owner. For complete instructions on how to set up the AlwaysOn group with TSQL click here:https://docs.microsoft.com/en-us/sql/database-engine/availability-groups/windows/create-an-availability-group-transact-sql

In order to create the endpoint with a specific user, run the following statement:

CREATE ENDPOINT endpoint_mirroring  
AUTHORIZATION <loginname>
STATE = STARTED   
AS TCP (LISTENER_PORT = 5022)  
FOR DATABASE_MIRRORING (  
   AUTHENTICATION = WINDOWS KERBEROS,  
   ENCRYPTION = SUPPORTED,  
   ROLE=ALL);  
GO

In the statement above, if AUTHORIZATION is not specified with a SQL or Windows login, the caller will become the owner of the newly created endpoint. To use AUTHORIZATION and assign ownership to a login, the caller must have IMPERSONATE permission on the specified login.

Endpoints are a fundamental piece of SQL that allows a connection or point of entry into your SQL Server. Knowing who owns these endpoints and how to change the owner will potentially save you some headaches down the road in the event of IT staffing changes in your organization.

 
Total article views: 509 | Views in the last 30 days: 508
 
Related Articles
FORUM

how to create user group logins in SQL server 2005

how to create user group logins in SQL server 2005

FORUM

Creating Logins

Creating Logins with limited permission

FORUM

http endpoint HELLLLP!

help creating a http endpoint with basic authentication

BLOG

Change Availability Group Endpoint IP

I had someone email me and ask how they could change the IP address on their Availability Group Endp...

BLOG

Change Availability Group Endpoint Port

Let’s say you have a port conflict and need to change the port on your Availability Group endpoint. ...

Tags
 
Contribute