Microsoft SQL Server Administration
I. INTRODUCTION TO MICROSOFT SQL SERVER ADMINISTRATION
1. WHAT IS MICROSOFT SQL SERVER?
2. MICROSOFT SQL SERVER PROS AND CONS
II. MICROSOFT SQL SERVER ADMINISTRATION
1. SET UP REMOTE LOGIN FOR MICROSOFT SQL SERVER
2. MANAGING LOGINS, USERS, PERMISSIONS AND ROLES
2.1. ROLES – LEARN ABOUT DATABASE ROLES.
2.2. CREATE & ASSIGN ROLES TO ACCOUNTS
2.3. REMOVE & REASSIGN ROLES
3. BACKUP AND RESTORE
3.1 BACKUP
3.2 RESTORE
I. INTRODUCTION TO MICROSOFT SQL SERVER ADMINISTRATION
1. WHAT IS MICROSOFT SQL SERVER?
-Proprietary relational database management system developed by Microsoft
-Written in C / C++
-Available on Windows, Linux and as a Docker image.
2. MICROSOFT SQL SERVER PROS AND CONS
-Pros:
+Various supported editions
+Online product documentation
+Microsoft Premier support
+On-premises and cloud database support
+Plenty of tools and applications
+Support for use on Linux
+Career opportunities
+Free developer edition (with all enterprise features)
+Thriving online community
+Plenty of online documentation
-Cons:
+Expensive enterprise edition ($14,256 for a per-core license)
+Difficult licensing process that’s always changing
+Complex performance tuning features
+No native support for source control
II. MICROSOFT SQL SERVER ADMINISTRATION
1. SET UP REMOTE LOGIN FOR MICROSOFT SQL SERVER
Start by launching SQL Server Configuration Manager.
Go to “SQL Server Network Configuration”, which lists all SQL Server instances available on your system, and click on one:
We need to enable TCP/IP so that we can log in remotely using the server’s IP address. Click on TCP/IP and enable it:
Switch to the “IP Addresses” tab:
Scroll down to the end to find the “IPAll” entry and set the TCP port to 1433. Why 1433? It is the default TCP port of the SQL Server Database Engine.
Click “Apply” after setting the port:
As you can see, the service must be restarted for the changes to take effect.
Switch to “SQL Server Services” and choose the instance that you want to restart:
Now we need to add a Windows Firewall rule that allows inbound connections on port 1433. Open the firewall:
Choose “Advanced settings”:
Click on “Inbound Rules”:
Choose “New Rule”:
Name the rule as you like:
The rule has been added successfully.
Let’s get the IP address of our server:
By default you log in to the server using the named instance:
But you can enter your server’s IP address instead:
We have managed to enable remote login for our SQL Server.
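A server-side check that the steps above took effect, as an added example that is not part of the original page: it lists the T-SQL endpoints the instance is listening on and, for every session that arrived over TCP, the client address, the local port, the authentication scheme and whether the connection is encrypted. Running it requires the VIEW SERVER STATE permission.

```sql
-- Added example, not from the original page.

-- 1. Which T-SQL endpoints is the Database Engine listening on?
--    After the configuration above, a listener on port 1433 should be ONLINE.
SELECT ip_address,
       port,
       type_desc,
       state_desc
FROM sys.dm_tcp_listener_states
WHERE type_desc = N'TSQL';

-- 2. Which sessions came in over TCP, from where, and are they encrypted?
--    encrypt_option = 'FALSE' means the session (including any data it
--    returns) crosses the network in clear text.
SELECT s.session_id,
       s.login_name,
       s.host_name,
       c.client_net_address,
       c.local_tcp_port,
       c.auth_scheme,        -- SQL, NTLM or KERBEROS
       c.encrypt_option
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s
  ON s.session_id = c.session_id
WHERE c.net_transport = N'TCP'
ORDER BY c.encrypt_option, c.client_net_address;
```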
2. MANAGING LOGINS, USERS, PERMISSIONS AND ROLES
2.1. ROLES – LEARN ABOUT DATABASE ROLES.
There are two types of roles: server-level and database-level roles.
a. Server-Level:
| Fixed server-level role | Description |
|---|---|
| sysadmin | Members of the sysadmin fixed server role can perform any activity in the server. |
| serveradmin | Members of the serveradmin fixed server role can change server-wide configuration options and shut down the server. |
| securityadmin | Members of the securityadmin fixed server role manage logins and their properties. They can GRANT, DENY, and REVOKE server-level permissions. They can also GRANT, DENY, and REVOKE database-level permissions if they have access to a database. Additionally, they can reset passwords for SQL Server logins. IMPORTANT: The ability to grant access to the Database Engine and to configure user permissions allows the security admin to assign most server permissions. The securityadmin role should be treated as equivalent to the sysadmin role. As an alternative, starting with SQL Server 2022 (16.x), consider using the new fixed server role ##MS_LoginManager##. |
| processadmin | Members of the processadmin fixed server role can end processes that are running in an instance of SQL Server. |
| setupadmin | Members of the setupadmin fixed server role can add and remove linked servers by using Transact-SQL statements. (sysadmin membership is needed when using Management Studio.) |
| bulkadmin | Members of the bulkadmin fixed server role can run the BULK INSERT statement. The bulkadmin role or ADMINISTER BULK OPERATIONS permissions isn't supported for SQL Server on Linux. Only the sysadmin can perform bulk inserts for SQL Server on Linux. |
| diskadmin | The diskadmin fixed server role is used for managing disk files. |
| dbcreator | Members of the dbcreator fixed server role can create, alter, drop, and restore any database. |
| public | Every SQL Server login belongs to the public server role. When a server principal hasn't been granted or denied specific permissions on a securable object, the user inherits the permissions granted to public on that object. Only assign public permissions on any object when you want the object to be available to all users. You can't change membership in public. Note: public is implemented differently than other roles, and permissions can be granted, denied, or revoked from the public fixed server roles. |
Some special fixed server-level roles introduced in SQL 2022:
| Fixed server-level role | Description |
|---|---|
| ##MS_DatabaseConnector## | Members of the ##MS_DatabaseConnector## fixed server role can connect to any database without requiring a User-account in the database to connect to. To deny the CONNECT permission to a specific database, users can create a matching user account for this login in the database and then DENY the CONNECT permission to the database-user. This DENY permission will overrule the GRANT CONNECT permission coming from this role. |
| ##MS_LoginManager## | Members of the ##MS_LoginManager## fixed server role can create, delete and modify logins. Contrary to the old fixed server role securityadmin, this role doesn't allow members to GRANT privileges. It is a more limited role that helps to comply with the Principle of least Privilege. |
| ##MS_DatabaseManager## | Members of the ##MS_DatabaseManager## fixed server role can create and delete databases. A member of the ##MS_DatabaseManager## role that creates a database becomes the owner of that database, which allows that user to connect to that database as the dbo user. The dbo user has all database permissions in the database. Members of the ##MS_DatabaseManager## role don't necessarily have permission to access databases that they don't own. This server role has the same privileges as the dbcreator role in SQL Server, but we recommend using this new role over the former, since this role exists also in Azure SQL Database and thus helps using the same scripts across different environments. |
| ##MS_ServerStateManager## | Members of the ##MS_ServerStateManager## fixed server role have the same permissions as the ##MS_ServerStateReader## role. Also, it holds the ALTER SERVER STATE permission, which allows access to several management operations, such as: DBCC FREEPROCCACHE, DBCC FREESYSTEMCACHE ('ALL'), DBCC SQLPERF() |
| ##MS_ServerStateReader## | Members of the ##MS_ServerStateReader## fixed server role can read all dynamic management views (DMVs) and functions that are covered by VIEW SERVER STATE, and respectively has VIEW DATABASE STATE permission on any database on which the member of this role has a user account. |
| ##MS_ServerPerformanceStateReader## | Members of the ##MS_ServerPerformanceStateReader## fixed server role can read all dynamic management views (DMVs) and functions that are covered by VIEW SERVER PERFORMANCE STATE, and respectively has VIEW DATABASE PERFORMANCE STATE permission on any database on which the member of this role has a user account. This is a subset of what the ##MS_ServerStateReader## server role has access to, which helps to comply with the Principle of least Privilege. |
| ##MS_ServerSecurityStateReader## | Members of the ##MS_ServerSecurityStateReader## fixed server role can read all dynamic management views (DMVs) and functions that are covered by VIEW SERVER SECURITY STATE, and respectively has VIEW DATABASE SECURITY STATE permission on any database on which the member of this role has a user account. This is a small subset of what the ##MS_ServerStateReader## server role has access to, which helps to comply with the Principle of least Privilege. |
| ##MS_DefinitionReader## | Members of the ##MS_DefinitionReader## fixed server role can read all catalog views that are covered by VIEW ANY DEFINITION, and respectively has VIEW DEFINITION permission on any database on which the member of this role has a user account. |
| ##MS_PerformanceDefinitionReader## | Members of the ##MS_PerformanceDefinitionReader## fixed server role can read all catalog views that are covered by VIEW ANY PERFORMANCE DEFINITION, and respectively has VIEW PERFORMANCE DEFINITION permission on any database on which the member of this role has a user account. This is a subset of what the ##MS_DefinitionReader## server role has access to. |
| ##MS_SecurityDefinitionReader## | Members of the ##MS_SecurityDefinitionReader## fixed server role can read all catalog views that are covered by VIEW ANY SECURITY DEFINITION, and respectively has VIEW SECURITY DEFINITION permission on any database on which the member of this role has a user account. This is a small subset of what the ##MS_DefinitionReader## server role has access to, which helps to comply with the Principle of least Privilege. |
Permissions of new fixed server roles in SQL Server 2022:
| Fixed server-level role | Server-level permissions | Database-level permissions |
|---|---|---|
| ##MS_DatabaseConnector## | CONNECT ANY DATABASE | CONNECT |
| ##MS_LoginManager## | CREATE LOGIN; ALTER ANY LOGIN | N/A |
| ##MS_DatabaseManager## | CREATE ANY DATABASE; ALTER ANY DATABASE | ALTER |
| ##MS_ServerStateManager## | ALTER SERVER STATE; VIEW SERVER STATE; VIEW SERVER PERFORMANCE STATE; VIEW SERVER SECURITY STATE | VIEW DATABASE STATE; VIEW DATABASE PERFORMANCE STATE; VIEW DATABASE SECURITY STATE |
| ##MS_ServerStateReader## | VIEW SERVER STATE; VIEW SERVER PERFORMANCE STATE; VIEW SERVER SECURITY STATE | VIEW DATABASE STATE; VIEW DATABASE PERFORMANCE STATE; VIEW DATABASE SECURITY STATE |
| ##MS_ServerPerformanceStateReader## | VIEW SERVER PERFORMANCE STATE | VIEW DATABASE PERFORMANCE STATE |
| ##MS_ServerSecurityStateReader## | VIEW SERVER SECURITY STATE | VIEW DATABASE SECURITY STATE |
| ##MS_DefinitionReader## | VIEW ANY DATABASE; VIEW ANY DEFINITION; VIEW ANY PERFORMANCE DEFINITION; VIEW ANY SECURITY DEFINITION | VIEW DEFINITION; VIEW PERFORMANCE DEFINITION; VIEW SECURITY DEFINITION |
| ##MS_PerformanceDefinitionReader## | VIEW ANY PERFORMANCE DEFINITION | VIEW PERFORMANCE DEFINITION |
| ##MS_SecurityDefinitionReader## | VIEW ANY SECURITY DEFINITION | VIEW SECURITY DEFINITION |
b. Database-Level:

| Fixed-database role name | Description |
|---|---|
| db_owner | Members of the db_owner fixed database role can perform all configuration and maintenance activities on the database, and can also drop the database in SQL Server. (In SQL Database and Azure Synapse, some maintenance activities require server-level permissions and cannot be performed by db_owners.) |
| db_securityadmin | Members of the db_securityadmin fixed database role can modify role membership for custom roles only and manage permissions. Members of this role can potentially elevate their privileges and their actions should be monitored. |
| db_accessadmin | Members of the db_accessadmin fixed database role can add or remove access to the database for Windows logins, Windows groups, and SQL Server logins. |
| db_backupoperator | Members of the db_backupoperator fixed database role can back up the database. |
| db_ddladmin | Members of the db_ddladmin fixed database role can run any Data Definition Language (DDL) command in a database. Members of this role can potentially elevate their privileges by manipulating code that may get executed under high privileges and their actions should be monitored. |
| db_datawriter | Members of the db_datawriter fixed database role can add, delete, or change data in all user tables. In most use cases this role will be combined with db_datareader membership to allow reading the data that is to be modified. |
| db_datareader | Members of the db_datareader fixed database role can read all data from all user tables and views. User objects can exist in any schema except sys and INFORMATION_SCHEMA. |
| db_denydatawriter | Members of the db_denydatawriter fixed database role cannot add, modify, or delete any data in the user tables within a database. |
| db_denydatareader | Members of the db_denydatareader fixed database role cannot read any data from the user tables and views within a database. |
The permissions assigned to the fixed-database roles cannot be changed. The
following figure shows the permissions assigned to the fixed-database roles:
2.2. CREATE & ASSIGN ROLES TO ACCOUNTS
Note: You need to log in as a system administrator to perform all of these operations.
To create a new login, follow these steps:
Here you can enter the new credentials, choose which authentication mode the login uses, choose whether to enforce the password policy, and choose which database to work with.
Switch to “Server Roles”:
Here you can assign any server role to this user. By default “public” is selected; assign “sysadmin” if you want this user to be a system administrator.
Switch to “User Mapping”:
Here you can choose which database to map this user to and the database role for that user. In this case I want saul_goodman to be able to access the “master” database but only read it (SELECT * FROM only).
Let’s test it out:
As we can see, this user can read from this database, but if we try to create a new one:
Using query:
To create a new login with a password and no policy enforcement, and grant a server-level role to the created login:
To create a new login, map it to a database and grant it a database-level role:
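The two query-based procedures above, written out as one script. This is an added example, not the page's own queries: the login name saul_goodman comes from the page, while the database SalesDb, the password and the choice of dbcreator and db_datareader are placeholders chosen for illustration. It shows the page's "no enforce policy" setting next to the hardened setting, then checks the resulting permissions the way the SSMS test above does.

```sql
-- Added example, not from the original page.
-- SalesDb and the password are placeholders; run as a system administrator.

-- As described on the page: a SQL login created WITHOUT password policy.
-- CHECK_POLICY = OFF disables the Windows complexity and lockout rules.
CREATE LOGIN saul_goodman
    WITH PASSWORD = N'<placeholder-password>',
         CHECK_POLICY = OFF;

-- Hardened setting: switch policy enforcement back on for the login.
ALTER LOGIN saul_goodman WITH CHECK_POLICY = ON;

-- Grant a server-level role. dbcreator is used here instead of sysadmin
-- so the login does not receive full control of the instance.
ALTER SERVER ROLE dbcreator ADD MEMBER saul_goodman;

-- Map the login to a database user and grant a database-level role.
USE SalesDb;
CREATE USER saul_goodman FOR LOGIN saul_goodman;
ALTER ROLE db_datareader ADD MEMBER saul_goodman;

-- Check 1: server roles the login now holds.
SELECT r.name AS server_role
FROM sys.server_role_members AS srm
JOIN sys.server_principals AS r ON r.principal_id = srm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = srm.member_principal_id
WHERE m.name = N'saul_goodman';

-- Check 2: effective permissions in SalesDb, evaluated as that login.
-- With db_datareader only, the list contains CONNECT and SELECT but
-- no INSERT, UPDATE, DELETE or CREATE permissions.
EXECUTE AS LOGIN = N'saul_goodman';
SELECT permission_name
FROM sys.fn_my_permissions(NULL, 'DATABASE');
REVERT;
```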
2.3. REMOVE & REASSIGN ROLES
Note: You need to log in as a system administrator to perform all of these operations.
To remove or re-assign a role, right-click a user under “Logins”:
Choose “Properties”, and a window will appear:
Switch to the “Server Roles” tab, where you can re-assign the role for that user:
If you want to change the database-level role, switch to the “User Mapping” tab:
Using query:
To drop a server-level role:
To re-assign a server-level role:
To drop a database-level role:
To re-assign a database-level role:
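The four query-based operations above in one script, preceded and followed by a membership review of the roles the tables in section 2.1 single out as high risk. This is an added example, not the page's own queries; it assumes the login saul_goodman exists, has a user of the same name in the placeholder database SalesDb, and that the instance is SQL Server 2022 or later (required for ##MS_LoginManager##).

```sql
-- Added example, not from the original page.
-- SalesDb is a placeholder database; run as a system administrator.

-- 1. Review who holds the two server roles the page treats as equivalent.
SELECT r.name AS server_role, m.name AS member_login, m.type_desc
FROM sys.server_role_members AS srm
JOIN sys.server_principals AS r ON r.principal_id = srm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = srm.member_principal_id
WHERE r.name IN (N'sysadmin', N'securityadmin')
ORDER BY r.name, m.name;

-- 2. Drop a server-level role (guarded so the script can be re-run).
IF IS_SRVROLEMEMBER(N'securityadmin', N'saul_goodman') = 1
    ALTER SERVER ROLE securityadmin DROP MEMBER saul_goodman;

-- 3. Re-assign a server-level role: the narrower SQL Server 2022 role
--    that can manage logins but cannot GRANT permissions.
ALTER SERVER ROLE [##MS_LoginManager##] ADD MEMBER saul_goodman;

USE SalesDb;

-- 4. Drop a database-level role.
IF IS_ROLEMEMBER(N'db_owner', N'saul_goodman') = 1
    ALTER ROLE db_owner DROP MEMBER saul_goodman;

-- 5. Re-assign a database-level role.
ALTER ROLE db_datareader ADD MEMBER saul_goodman;

-- 6. Confirm: remaining members of the database roles that can change
--    permissions or code, which the page says should be monitored.
SELECT r.name AS database_role, m.name AS member_user
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE r.name IN (N'db_owner', N'db_securityadmin', N'db_ddladmin')
ORDER BY r.name, m.name;
```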
3. BACKUP AND RESTORE
3.1 BACKUP
With SSMS:
Right-click the database you want to back up.
Choose Task => Back Up …
Choose which database you want to back up, the backup type and the destination:
When done, click OK and a backup will be created.
3.2 RESTORE
To restore a database, right-click “Databases” in your instance and choose restore:
Choose which database you want to restore:
After that, click OK.
With query:
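A query-based backup and restore, as an added example that is not part of the original page. The database name SalesDb, the file paths and the logical file names are placeholders; the script backs up with page checksums, verifies the backup file, and restores it under a different name so the restore can be tested without touching the live database.

```sql
-- Added example, not from the original page.
-- SalesDb, C:\Backup and C:\Data are placeholders.

-- 1. Full backup. CHECKSUM validates page checksums while reading and
--    writes a checksum for the backup itself; INIT overwrites any
--    backup sets already in the file.
--    The .bak file holds a full copy of the data, so restrict access
--    to the backup folder accordingly.
BACKUP DATABASE SalesDb
TO DISK = N'C:\Backup\SalesDb_full.bak'
WITH INIT,
     CHECKSUM,
     NAME = N'SalesDb full backup';

-- 2. Verify that the backup file is complete and readable
--    without restoring it.
RESTORE VERIFYONLY
FROM DISK = N'C:\Backup\SalesDb_full.bak'
WITH CHECKSUM;

-- 3. List the logical file names stored in the backup; they are needed
--    for the MOVE clauses below.
RESTORE FILELISTONLY
FROM DISK = N'C:\Backup\SalesDb_full.bak';

-- 4. Restore as a separate database to prove the backup is usable.
--    N'SalesDb' and N'SalesDb_log' are assumed logical names; replace
--    them with the LogicalName values returned by step 3.
RESTORE DATABASE SalesDb_RestoreTest
FROM DISK = N'C:\Backup\SalesDb_full.bak'
WITH CHECKSUM,
     MOVE N'SalesDb'     TO N'C:\Data\SalesDb_RestoreTest.mdf',
     MOVE N'SalesDb_log' TO N'C:\Data\SalesDb_RestoreTest_log.ldf',
     RECOVERY;
```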