![CH6-ADS.png](.\Media\CH6-ADS.png)

# <span style="color:#cc5500;">Database Maintenance Tips and Tricks</span>

This notebook is designed to help customers' operations and support teams understand common operational requirements and needs of the SQL Server environment.  The topic of operational guidance is very broad, and this notebook introduces concepts and provides references to more comprehensive materials, including extensive detail on custom support needs found in US Public Sector and DoD environments responsible for DISA compliance with respect to the STIGs.  Running SQL Server in US PubSec has a unique set of operational support requirements compared to commercial environments.  SQL Server will perform best and provide the highest level of confidentiality, integrity, and availability (CIA) for organizations when regular maintenance is engineered, orchestrated, and performed on a regular and consistent basis.

SQL Server enables customers to build mission-critical applications and big data solutions using high-performance, in-memory technology across Online Transactional Processing (OLTP), Data Warehousing (DW), Business Intelligence and analytics workloads (BI), without having to buy expensive add-ons or high-end appliances.  SQL Server uses a common set of tools to deploy and manage databases both on-premises and in the cloud, which makes it easier for customers to take advantage of the cloud with existing skills. 

Operations is a broad, high-level topic that can be divided into seven main sections in this notebook:

1. Administration
2. High Availability
3. Patching and Updating
4. Monitoring
5. Performance
6. Security
7. Ports and Protocols
8. Additional Resources

Each area has unique concerns and a standard approach or method of handling operations and support throughout the DoD and US PubSec.  This guide is a combination of Microsoft recommended best practices for operations and support of SQL Server as well as US Public Sector Services recommendations for operations and support of SQL Server in the US Public Sector.  It is important to note that improper management of the unique operating environment and operational concerns in the US PubSec industry vertical can cause as many system outages (reducing Confidentiality, Integrity, and Availability \[CIA\]) as it could prevent.  This guide is a hybrid set of recommendations and references designed to increase CIA and help US PubSec SQL Server database administrators.

## <span style="color:#cc5500;">Administration</span>

The high-performance database engine in SQL Server has many self-tuning configuration options.  However, database administrators still must configure aspects, such as links to other servers in their organizations, and develop an effective database backup strategy.  Additionally, examples of common daily database administration tasks are:

- Verify all SQL Server instances are up
- Verify that all scheduled jobs have run successfully
- Verify success of database backups
- Monitor disk space
- Review database sizes and growth settings

These tasks could be a set of manual checks or automated checks reviewed daily.  Use the links and resources below to learn and understand how the above can be accomplished.  The following Microsoft SQL Server Books Online materials provide information that can help improve database system performance and protect organization data against hardware failure or natural disaster.
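
The daily checks listed above can be scripted against `msdb` and the system catalog. The following T-SQL is an added example, not part of the original notebook; the time thresholds are constructed to match a weekly full, daily differential and hourly log backup routine and should be adjusted to your own schedule.

```sql
-- Added example: daily health checks. Thresholds are constructed values.

-- 1. Backup recency: flag databases whose last full, differential or log backup is overdue.
WITH last_backup AS (
    SELECT database_name,
           MAX(CASE WHEN type = 'D' THEN backup_finish_date END) AS last_full,
           MAX(CASE WHEN type = 'I' THEN backup_finish_date END) AS last_diff,
           MAX(CASE WHEN type = 'L' THEN backup_finish_date END) AS last_log
    FROM msdb.dbo.backupset
    WHERE is_copy_only = 0
    GROUP BY database_name
)
SELECT d.name AS database_name,
       d.recovery_model_desc,
       lb.last_full, lb.last_diff, lb.last_log,
       CASE
           WHEN lb.last_full IS NULL
             OR lb.last_full < DATEADD(DAY, -8, GETDATE())
               THEN 'FULL BACKUP OVERDUE'
           -- master supports full backups only, so skip the differential test for it.
           WHEN d.name <> N'master'
            AND lb.last_full < DATEADD(HOUR, -25, GETDATE())
            AND (lb.last_diff IS NULL OR lb.last_diff < DATEADD(HOUR, -25, GETDATE()))
               THEN 'DIFFERENTIAL OVERDUE'
           -- Log backups apply only to FULL and BULK_LOGGED recovery models.
           WHEN d.recovery_model_desc <> N'SIMPLE'
            AND (lb.last_log IS NULL OR lb.last_log < DATEADD(HOUR, -2, GETDATE()))
               THEN 'LOG BACKUP OVERDUE'
           ELSE 'OK'
       END AS backup_status
FROM sys.databases AS d
LEFT JOIN last_backup AS lb ON lb.database_name = d.name
WHERE d.name <> N'tempdb'
  AND d.state_desc = N'ONLINE'
ORDER BY backup_status, d.name;

-- 2. SQL Server Agent job steps that failed since yesterday (run_date is an int, YYYYMMDD).
SELECT j.name AS job_name, h.step_id, h.step_name, h.run_date, h.run_time, h.message
FROM msdb.dbo.sysjobhistory AS h
JOIN msdb.dbo.sysjobs AS j ON j.job_id = h.job_id
WHERE h.run_status = 0   -- 0 = failed
  AND h.run_date >= CONVERT(int, CONVERT(char(8), DATEADD(DAY, -1, GETDATE()), 112))
ORDER BY h.run_date DESC, h.run_time DESC;

-- 3. Free space on every volume that hosts a data or log file.
SELECT DISTINCT
       vs.volume_mount_point,
       vs.total_bytes / 1048576 AS total_mb,
       vs.available_bytes / 1048576 AS free_mb,
       CAST(100.0 * vs.available_bytes / vs.total_bytes AS decimal(5, 1)) AS pct_free
FROM sys.master_files AS mf
CROSS APPLY sys.dm_os_volume_stats(mf.database_id, mf.file_id) AS vs
ORDER BY pct_free;

-- 4. File sizes and growth settings (size and max_size are stored in 8 KB pages).
SELECT DB_NAME(mf.database_id) AS database_name,
       mf.name AS logical_name,
       mf.type_desc,
       CAST(mf.size AS bigint) * 8 / 1024 AS size_mb,
       CASE WHEN mf.is_percent_growth = 1
            THEN CONCAT(mf.growth, ' %')
            ELSE CONCAT(CAST(mf.growth AS bigint) * 8 / 1024, ' MB')
       END AS growth_setting,
       CASE mf.max_size
            WHEN -1 THEN 'unlimited'
            WHEN 0  THEN 'no growth'
            ELSE CONCAT(CAST(mf.max_size AS bigint) * 8 / 1024, ' MB')
       END AS max_size_setting
FROM sys.master_files AS mf
ORDER BY database_name, mf.type_desc;
```

Percent-based growth and unlimited maximum sizes in the last result set are the settings most likely to exhaust a volume without warning, so review them alongside the free-space figures.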

### <span style="color:rgb(0, 204, 153);">Configure Database Engine Instances (SQL Server)</span>

- This page: [Configure Database Engine Instances (SQL Server) - SQL Server | Microsoft Docs](https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-database-engine-instances-sql-server?view=sql-server-2017) describes how to configure the properties of an instance.  One can learn how to configure defaults, such as file locations and date formats.  One can also learn how the instance uses operating system resources, such as memory or threads.
- Configuring the default file location for your databases will help ensure that database log and data files are created on the correct drive\\folder that supports your security posture via access control lists (ACLs).  Configuring the default file location also allows you to specify high-performance drives and enforce log and data file separation when database create statements are used without qualifying the data and log file locations.

### <span style="color:rgb(0, 204, 153);">The SQL Server Agent and Automating Administration Tasks</span>

- This Page: [Automated Administration Tasks (SQL Server Agent) - SQL Server Agent | Microsoft Docs](https://docs.microsoft.com/en-us/sql/ssms/agent/automated-administration-tasks-sql-server-agent?view=sql-server-2017) describes how Microsoft SQL Server allows you to automate administrative tasks using the SQL Server Agent.  To automate administration, you define predictable administrative tasks and then specify the conditions under which each task occurs.  Using automated administration to handle routine tasks and events frees your time to perform other administrative functions.

### <span style="color:rgb(0, 204, 153);">Managing Data Files, Size, and Growth Settings</span>

- This page: [Database Files and Filegroups - SQL Server | Microsoft Docs](https://docs.microsoft.com/en-us/sql/relational-databases/databases/database-files-and-filegroups?view=sql-server-2017) describes SQL Server data files and filegroup properties and behaviors.  Use this information and guidance to configure settings and database properties so as to limit risk to availability.

### <span style="color:rgb(0, 204, 153);">Collation and Unicode Support</span>

- This page: [Collation and Unicode support - SQL Server | Microsoft Docs](https://docs.microsoft.com/en-us/sql/relational-databases/collations/collation-and-unicode-support?view=sql-server-2017) describes how to manage database engine collation.  Collations define the bit patterns used to represent characters and associated behaviors such as sorting, and case or accent sensitivity in comparison operations of CHAR and VARCHAR data types.

### <span style="color:rgb(0, 204, 153);">Linked Servers (Database Engine)</span>

- This page: [Linked Servers (Database Engine) - SQL Server | Microsoft Docs](https://docs.microsoft.com/en-us/sql/relational-databases/linked-servers/linked-servers-database-engine?view=sql-server-2017) describes how to configure linked server definitions.  These allow Transact-SQL statements to work with data that is stored in separate Object Linking and Embedding Database (OLE DB) sources.

### <span style="color:rgb(0, 204, 153);">Logon Triggers</span>

- This page: [Logon Triggers - SQL Server | Microsoft Docs](https://docs.microsoft.com/en-us/sql/relational-databases/triggers/logon-triggers?view=sql-server-2017) describes how to create a logon trigger that specifies actions that are to be taken after a logon attempt has been validated but before it starts working with resources in the instance.  Logon triggers support actions such as logging connection activity or restricting logons based on logic that complements credential authentication that is performed by Windows and SQL Server.

The SQL Server STIGs recommend limiting connections and concurrent users to support availability requirements and limit the risk to availability from denial-of-service-like attacks.  Logon triggers can be used to limit access and concurrent connections to the system.
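
One way to enforce a per-login session cap with a logon trigger is sketched below. This is an added example, not code from the original notebook: the login names `stig_logon_monitor` and `breakglass_dba`, the trigger name, and the limit of 10 sessions are all hypothetical values chosen for illustration.

```sql
USE master;
GO

-- Assumption: stig_logon_monitor is a hypothetical login that already exists and is
-- used only as the trigger's execution context. It needs VIEW SERVER STATE so the
-- trigger can count sessions that belong to other logins.
GRANT VIEW SERVER STATE TO [stig_logon_monitor];
GO

CREATE TRIGGER trg_limit_concurrent_sessions
ON ALL SERVER
WITH EXECUTE AS N'stig_logon_monitor'
FOR LOGON
AS
BEGIN
    DECLARE @max_sessions int = 10;                -- constructed limit
    DECLARE @login sysname = ORIGINAL_LOGIN();     -- the login that is connecting

    -- Never throttle the emergency administrator login (hypothetical name), so a
    -- runaway application cannot lock administrators out of the instance.
    IF @login = N'breakglass_dba'
        RETURN;

    -- Count this login's existing user sessions; system sessions are excluded.
    IF (SELECT COUNT(*)
        FROM sys.dm_exec_sessions
        WHERE is_user_process = 1
          AND original_login_name = @login) > @max_sessions
    BEGIN
        -- Rolling back inside a logon trigger rejects the connection attempt.
        ROLLBACK;
    END
END;
GO

-- Verify the trigger is present and enabled.
SELECT name, is_disabled, create_date
FROM sys.server_triggers
WHERE name = N'trg_limit_concurrent_sessions';

-- Recovery: if a logon trigger blocks all connections, a sysadmin can connect over the
-- dedicated administrator connection (DAC) and run:
--   DISABLE TRIGGER trg_limit_concurrent_sessions ON ALL SERVER;
```

Test the trigger on a non-production instance first and keep an open sysadmin session while deploying it, because an error inside a logon trigger fails every new logon.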

### <span style="color:rgb(0, 204, 153);">Manage the Database Engine Services</span>

- This page: [Manage the Database Engine Services - SQL Server | Microsoft Docs](https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/manage-the-database-engine-services?view=sql-server-2017) describes how to manage the services associated with an instance of the database engine.  This includes managing actions, such as starting and stopping the service or configuring startup options.
- Some best practices for configuring the database engine services include:
    - Use a domain Service Account or a Group Managed Service Account (gMSA) for each service.
    - Set SQL Server Agent to auto-start.
    - Disable any unused service.
    - Set recovery and retry settings for the service.
    - Set alerts and notifications in the event the service has stopped or cannot start.

### <span style="color:rgb(0, 204, 153);">Server Network Configuration</span>

- This page: [Server Network Configuration - SQL Server | Microsoft Docs](https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/server-network-configuration?view=sql-server-2017) describes how to perform server network configuration tasks such as enabling protocols, modifying the port or pipe that is used by a protocol, configuring encryption, configuring the SQL Server Browser service, exposing or hiding the SQL Server Database Engine on the network, or registering the server principal name. 

### <span style="color:rgb(0, 204, 153);">Client Network Configuration</span>

- This page: [Client Network Configuration - SQL Server | Microsoft Docs](https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/client-network-configuration?view=sql-server-2017) describes how to perform client network tasks such as configuring client protocols or creating or deleting a server alias.  Please see the US PubSec Installation and Hardening Guides for recommendations for configuring the network library properties and settings.

### <span style="color:rgb(0, 204, 153);">Database Engine Scripting</span>

- This page: [Database Engine Scripting - SQL Server Management Studio (SSMS) | Microsoft Docs](https://docs.microsoft.com/en-us/sql/ssms/scripting/database-engine-scripting?view=sql-server-2017) describes the SQL Server Management Studio (SSMS) editors that can be used to design, debug, and run Transact-SQL and other scripts.  It also describes how to code Windows PowerShell scripts to work with SQL Server components.  
- Below are some useful SSMS settings worth noting.
    - Show line numbers: Tools \> Options \> Text Editor \> Transact-SQL \> General \> Line Numbers
    - Ctrl+Shift+R: refreshes SSMS IntelliSense cache after creating new objects

### <span style="color:rgb(0, 204, 153);">Maintenance Plans</span>

This page: [Maintenance Plans - SQL Server | Microsoft Docs](https://docs.microsoft.com/en-us/sql/relational-databases/maintenance-plans/maintenance-plans?view=sql-server-2017) describes how to use maintenance plans to specify a workflow of common administration tasks for an instance.  These workflows include tasks such as backing up databases and updating statistics to improve performance. Below is an example of a common maintenance routine.

Database Backups

- Full
    - Perform weekly
- Differential
    - Perform daily
- Transaction Log
    - Perform hourly
- Index Tuning
    - Rebuild or Reorganize as needed
- Update Statistics
    - Perform Daily
- Miscellaneous
    - Database Ownership
        - Detect and change databases not owned by the renamed ‘sa’ account.
    - Cycle the Error Log
        - Perform Daily
    - TDE
        - Detect and configure TDE for databases where required
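
The ownership, error-log and TDE items under Miscellaneous can be checked with catalog queries. The following T-SQL is an added example, not part of the original notebook; it only detects and reports, and the generated `ALTER AUTHORIZATION` statements should be reviewed before they are run.

```sql
-- Added example: detection queries for the "Miscellaneous" maintenance items.

-- 1. Databases not owned by the built-in sa principal.
--    The sa login always has SID 0x01, so this works whatever the account was renamed to.
SELECT d.name AS database_name,
       SUSER_SNAME(d.owner_sid) AS current_owner,
       SUSER_SNAME(0x01) AS renamed_sa_login,
       CONCAT(N'ALTER AUTHORIZATION ON DATABASE::', QUOTENAME(d.name),
              N' TO ', QUOTENAME(SUSER_SNAME(0x01)), N';') AS fix_statement
FROM sys.databases AS d
WHERE d.owner_sid IS NULL
   OR d.owner_sid <> 0x01
ORDER BY d.name;

-- 2. TDE status of every user database.
--    A database with no row in sys.dm_database_encryption_keys has no encryption key at all.
SELECT d.name AS database_name,
       d.is_encrypted,
       CASE dek.encryption_state
            WHEN 0 THEN 'no database encryption key'
            WHEN 1 THEN 'unencrypted'
            WHEN 2 THEN 'encryption in progress'
            WHEN 3 THEN 'encrypted'
            WHEN 4 THEN 'key change in progress'
            WHEN 5 THEN 'decryption in progress'
            WHEN 6 THEN 'protection change in progress'
            ELSE 'no database encryption key'
       END AS tde_state,
       dek.key_algorithm,
       dek.key_length,
       dek.encryptor_type
FROM sys.databases AS d
LEFT JOIN sys.dm_database_encryption_keys AS dek
       ON dek.database_id = d.database_id
WHERE d.database_id > 4          -- skip master, tempdb, model, msdb
ORDER BY d.is_encrypted, d.name;

-- 3. Cycle the SQL Server error log (schedule daily, for example as an Agent job step).
EXEC sp_cycle_errorlog;
```

Before enabling TDE on any database reported as unencrypted, back up the server certificate and its private key, since an encrypted database cannot be restored elsewhere without them.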

### <span style="color:rgb(0, 204, 153);">Database Mail</span>

- This page: [Database Mail - SQL Server | Microsoft Docs](https://docs.microsoft.com/en-us/sql/relational-databases/database-mail/database-mail?view=sql-server-2017) describes how database applications can use Database Mail to send email messages from the database engine.  It’s recommended to provide alerting and notification for certain critical system events, alarms, and failures.  Database Mail can be used for alerting and job success/failure notification.

### <span style="color:rgb(0, 204, 153);">Extended Events</span>

- This page: [XEvents overview - SQL Server | Microsoft Docs](https://docs.microsoft.com/en-us/sql/relational-databases/extended-events/extended-events?view=sql-server-2017) describes how to use SQL Server Extended Events, a lightweight, highly scalable system, to capture performance data that can be used to build performance baselines or diagnose performance problems.

### <span style="color:rgb(0, 204, 153);">SQL Trace</span>

- This page: [SQL Trace - SQL Server | Microsoft Docs](https://docs.microsoft.com/en-us/sql/relational-databases/sql-trace/sql-trace?view=sql-server-2017) describes how to use SQL Trace to build a customized system for capturing and recording events in the database engine.  Please note, SQL Trace is deprecated in favor of SQL Server Extended Events and SQL Server Auditing.

### <span style="color:rgb(0, 204, 153);">SQL Server Profiler</span>

- This page: [SQL Server Profiler - SQL Server Profiler | Microsoft Docs](https://docs.microsoft.com/en-us/sql/tools/sql-server-profiler/sql-server-profiler?view=sql-server-2017) describes how to use the SQL Server Profiler to capture traces of application requests coming in to an instance of the database engine.  These traces can later be replayed to help with activities such as performance testing or problem diagnosis.

### <span style="color:rgb(0, 204, 153);">Track Data Changes (SQL Server)</span>

- This page: [Track Data Changes - SQL Server | Microsoft Docs](https://docs.microsoft.com/en-us/sql/relational-databases/track-changes/track-data-changes-sql-server?view=sql-server-2017) describes how change data capture (CDC) and change tracking features enable applications to determine the DML changes (insert, update, and delete operations) that were made to user tables in a database. 

### <span style="color:rgb(0, 204, 153);">Database Engine Tuning Advisor</span>

- This page: [Database Engine Tuning Advisor - SQL Server | Microsoft Docs](https://docs.microsoft.com/en-us/sql/relational-databases/performance/database-engine-tuning-advisor?view=sql-server-2017) describes how to use the Database Engine Tuning Advisor to analyze databases and make recommendations for addressing potential performance problems.

### <span style="color:rgb(0, 204, 153);">Remote Servers</span>

- This page: [Remote Servers - SQL Server | Microsoft Docs](https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/remote-servers?view=sql-server-2017) describes how to use the deprecated remote servers feature to enable access from one instance of the database engine to another.  The preferred mechanism for this functionality is a linked server.

### <span style="color:rgb(0, 204, 153);">Service Broker</span>

- This page: [SQL Server Service Broker - SQL Server | Microsoft Docs](https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/sql-server-service-broker?view=sql-server-2017) describes how Service Broker sends messages, queues applications, and provides pointers to its documentation.

### <span style="color:rgb(0, 204, 153);">Buffer Pool Extension File</span>

- This page: [Buffer pool extension - SQL Server | Microsoft Docs](https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/buffer-pool-extension?view=sql-server-2017) describes how the buffer pool extension can be used to provide seamless integration of nonvolatile, random-access storage on solid-state drives to the database engine buffer pool to improve input/output (I/O) throughput.

### <span style="color:rgb(0, 204, 153);">Live Query Statistics</span>

- This page: [Live Query Statistics - SQL Server | Microsoft Docs](https://docs.microsoft.com/en-us/sql/relational-databases/performance/live-query-statistics?view=sql-server-2017) describes how Live Query Statistics can be used to view the live execution plan of an active query.  The live query plan provides real-time insights into the query execution process as the controls flow from one query plan operator to another. Because this data is available in real time without needing to wait for the query to complete, these execution statistics are extremely useful for debugging query performance issues.

### <span style="color:rgb(0, 204, 153);">Query Store</span>

- This Page: [Monitoring Performance By Using the Query Store - SQL Server | Microsoft Docs](https://docs.microsoft.com/en-us/sql/relational-databases/performance/monitoring-performance-by-using-the-query-store?view=sql-server-2017) describes how Query Store can be used to get insights on query plan choice and performance.  It simplifies performance troubleshooting by enabling you to quickly find performance differences caused by changes in query plans.  The feature automatically captures a history of queries, plans, and runtime statistics, and retains these for your review.  It separates data by time windows, allowing you to see database usage patterns and understand when query plan changes happened on the server.

### <span style="color:rgb(0, 204, 153);">Temporal Tables</span>

- This page: [Temporal Tables - SQL Server | Microsoft Docs](https://docs.microsoft.com/en-us/sql/relational-databases/tables/temporal-tables?view=sql-server-2017) describes how to use Temporal Tables to keep a full history of data changes and allow easy point-in-time analysis.  Temporal Tables can be used for auditing data changes, reconstructing the state of data, calculating trends over time, maintaining a slowly changing dimension, and recovering data from accidental changes.

### <span style="color:rgb(0, 204, 153);">Automate Administration across the Enterprise</span>

- This Page: [Automated Administration Across an Enterprise - SQL Server Agent | Microsoft Docs](https://docs.microsoft.com/en-us/sql/ssms/agent/automated-administration-across-an-enterprise?view=sql-server-2017) outlines some tools, features, and techniques to automate administration across an enterprise.

### <span style="color:rgb(0, 204, 153);">Monitor and Respond to Events with the SQL Server Agent</span>

- This page: [Monitor and Respond to Events - SQL Server Agent | Microsoft Docs](https://docs.microsoft.com/en-us/sql/ssms/agent/monitor-and-respond-to-events?view=sql-server-2017) provides information on how SQL Server Agent can monitor and automatically respond to events, such as messages from SQL Server, specific performance conditions, and Windows Management Instrumentation (WMI) events.

## <span style="color:#cc5500;">High Availability</span>

This section contains information about administrating several SQL Server high-availability (HA) solutions to improve server or database availability.  An HA solution masks the effects of a hardware or software failure and maintains availability of applications, minimizing perceived downtime for users.

### <span style="color:rgb(0, 204, 153);">Windows Server Failover Clustering (WSFC) with SQL Server</span>

A WSFC cluster is a group of independent servers that work together to increase application and service availability.  SQL Server takes advantage of WSFC services and capabilities to support Always On Availability Groups and SQL Server Failover Cluster Instances (FCI).  For more information, see: [Windows Server Failover Cluster with SQL Server - SQL Server Always On | Microsoft Docs](https://docs.microsoft.com/en-us/sql/sql-server/failover-clusters/windows/windows-server-failover-clustering-wsfc-with-sql-server?view=sql-server-2017)

### <span style="color:rgb(0, 204, 153);">AlwaysOn Failover Cluster Instance (FCI)</span>

As part of the SQL Server Always On offering, AlwaysOn FCI leverages WSFC functionality to provide local high availability through redundancy at the server-instance level—an FCI.  An FCI is a single instance of SQL Server that is installed across WSFC nodes and, possibly, across multiple subnets.  On the network, an FCI appears to be an instance of SQL Server running on a single computer, but the FCI provides failover from one WSFC node to another if the current node becomes unavailable.  For more information, see: [Always On failover cluster instances - SQL Server Always On | Microsoft Docs](https://docs.microsoft.com/en-us/sql/sql-server/failover-clusters/windows/always-on-failover-cluster-instances-sql-server?view=sql-server-2017)

### <span style="color:rgb(0, 204, 153);">AlwaysOn Availability Groups</span>

The AlwaysOn Availability Groups feature is an HA and disaster-recovery (DR) solution that provides an enterprise-level improvement from database mirroring.  First introduced in SQL Server 2012, AlwaysOn Availability Groups maximizes the availability of a set of user databases for an enterprise.  An availability group supports a failover environment for a discrete set of user databases—known as availability databases—that fail over together.

SQL Server introduces new features like round-robin load balancing in readable secondaries, enhanced log replication throughput and redo speed, direct seeding of new database replicas, and support for Distributed Transactions (DTC).  For more information on AlwaysOn Availability Groups, see: [Availability groups: a high-availability and disaster-recovery solution - SQL Server Always On | Microsoft Docs](https://docs.microsoft.com/en-us/sql/database-engine/availability-groups/windows/always-on-availability-groups-sql-server?view=sql-server-2017)

An availability group supports a set of read-write primary databases and up to eight sets of corresponding secondary databases.  Optionally, secondary databases can be made available for read-only access or some backup operations.  For more information on configuring read-only access on an availability replica, see: [Configure read-only access to secondary availability group replica - SQL Server Always On | Microsoft Docs](https://docs.microsoft.com/en-us/sql/database-engine/availability-groups/windows/configure-read-only-access-on-an-availability-replica-sql-server?view=sql-server-2017)

### <span style="color:rgb(0, 204, 153);">The Database Mirroring Endpoint</span>

To participate in Always On Availability Groups or database mirroring, a server instance requires its own dedicated database mirroring endpoint.  This is a special-purpose endpoint that is used exclusively to receive connections from other server instances.  On a given server instance, every Always On Availability Groups or database mirroring connection to other server instances uses a single database mirroring endpoint.  For more information, click here: [The Database Mirroring Endpoint (SQL Server) - SQL Server Database Mirroring | Microsoft Docs](https://docs.microsoft.com/en-us/sql/database-engine/database-mirroring/the-database-mirroring-endpoint-sql-server?view=sql-server-2017)

### <span style="color:rgb(0, 204, 153);">Automatic Page Repair (Availability Groups/Database Mirroring)</span>

Automatic page repair is supported by database mirroring and Always On Availability Groups.  After certain types of errors corrupt a page, making it unreadable, a database mirroring partner (principal or mirror) or an availability replica (primary or secondary) attempts to recover the page automatically.  The partner or replica that cannot read the page requests a fresh copy of the page from its partner or from another replica.  If this request succeeds, the unreadable page is replaced by the readable copy, and that usually resolves the error. For more information, click here: [Automatic page repair for availability groups & database mirroring - SQL Server Always On | Microsoft Docs](https://docs.microsoft.com/en-us/sql/sql-server/failover-clusters/automatic-page-repair-availability-groups-database-mirroring?view=sql-server-2017)

### <span style="color:rgb(0, 204, 153);">About Log Shipping</span>

SQL Server log shipping allows you to send transaction log backups automatically from a primary database on a primary server instance to one or more secondary databases on separate secondary server instances.  The transaction log backups are applied to each of the secondary databases individually.  An optional third server instance, known as a monitor server, records the history and status of backup and restore operations and, optionally, sounds alerts if these operations fail to occur as scheduled.  For more information, click here: [About Log Shipping (SQL Server) - SQL Server | Microsoft Docs](https://docs.microsoft.com/en-us/sql/database-engine/log-shipping/about-log-shipping-sql-server?view=sql-server-2017)

### <span style="color:rgb(0, 204, 153);">Management of Logons and Jobs After Role Switching</span>

When you are deploying a high-availability or disaster-recovery solution for a SQL Server database, it is important to reproduce relevant information that is stored in the Master or MSDB databases.  The relevant information typically includes the primary jobs database, user logons, or processes that need to connect to the database.  You should duplicate this information on an instance of SQL Server that hosts a secondary database.  If possible, it is best to reproduce the information programmatically on the new primary database after the roles are switched. For more information, click here: [Manage logins & jobs after mirror failover - SQL Server Always On | Microsoft Docs](https://docs.microsoft.com/en-us/sql/sql-server/failover-clusters/management-of-logins-and-jobs-after-role-switching-sql-server?view=sql-server-2017)

## <span style="color:#cc5500;">Patching and Updating</span>

When upgrading a SQL Server instance that hosts an Always On Availability Group (AG) to a new SQL Server version, to a new SQL Server service pack or cumulative update, or when installing a new Windows service pack or cumulative update, you can reduce downtime for the primary replica to only a single manual failover by performing a rolling upgrade (or two manual failovers if failing back to the original primary).  During the upgrade process, a secondary replica will not be available for failover or for read-only operations, and after the upgrade, it may take some time for the secondary replica to catch up with the primary replica node depending upon the volume of activity on the primary replica node (so expect high network traffic).  Also be aware that after the initial failover to a secondary replica running a newer version of SQL Server, the databases in that Availability Group will run through an upgrade process to bring them to the latest version.  During this time, there will be no readable replicas for any of these databases.  Downtime after the initial failover will depend on the number of databases in the Availability Group.  If you plan on failing back to the original primary, this step will not be repeated when you fail back.

### <span style="color:rgb(0, 204, 153);">Rolling Upgrade Basics for Always On AGs</span>

Observe the following guidelines when performing server upgrades or updates in order to minimize downtime and data loss for your AGs:

- Before starting the rolling upgrade,
    - Perform a practice manual failover on at least one of your synchronous-commit replica instances
    - Protect your data by performing a full database backup on every availability database
    - Run DBCC CHECKDB on every availability database
- Always upgrade the remote secondary replica instances first, then local secondary replica instances next, and the primary replica instance last.
- Backups cannot occur on a database that is in the process of being upgraded. Prior to upgrading the secondary replicas, configure the automated backup preference to run backups only on the primary replica. During a version upgrade, no replicas are readable or available for backups. During a non-version upgrade, you can configure automated backups to run on secondary replicas prior to upgrading the primary replica.
- During a version upgrade, readable secondaries cannot be read after an upgrade of the readable secondary and before either the primary replica is failed over to an upgraded secondary or the primary replica is upgraded.
- To prevent the AG from unintended failovers during the upgrade process, remove availability failover from all synchronous-commit replicas before you begin.
- Do not upgrade the primary replica instance before failing over the AG to an upgraded instance with a secondary replica first. Otherwise, client applications may suffer extended downtime during the upgrade on the primary replica instance.
- Always fail over the AG to a synchronous-commit secondary replica instance. If you fail over to an asynchronous-commit secondary replica instance, the databases are vulnerable to data loss, and data movement is automatically suspended until you manually resume data movement.
- Do not upgrade the primary replica instance before upgrading or updating any other secondary replica instance. An upgraded primary replica can no longer ship logs to any secondary replica whose SQL Server instance has not yet been upgraded to the same version. When data movement to a secondary replica is suspended, no automatic failover can occur for that replica, and your availability databases are vulnerable to data loss. This also applies during a rolling upgrade where you manually fail over from an old primary to a new primary. As such, after you upgrade the old primary, you may need to resume synchronization.
- Before failing over an AG, verify that the synchronization state of the failover target is SYNCHRONIZED.
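
Several of the guidelines above map directly to T-SQL that can be run before and during a rolling upgrade. The script below is an added example, not part of the original notebook; the availability group name `AG1`, the replica name `SQLNODE2` and the database name `SalesDb` are constructed placeholders.

```sql
-- Added example: pre-failover checks for a rolling upgrade.
-- Run on the current primary replica. AG1, SQLNODE2 and SalesDb are constructed names.

-- 1. Run automated backups on the primary only while secondaries are being upgraded.
ALTER AVAILABILITY GROUP [AG1] SET (AUTOMATED_BACKUP_PREFERENCE = PRIMARY);

-- 2. Prevent unintended failovers: switch each synchronous-commit replica to manual failover.
--    Repeat for every replica listed with failover_mode_desc = AUTOMATIC in the query below.
ALTER AVAILABILITY GROUP [AG1]
    MODIFY REPLICA ON N'SQLNODE2' WITH (FAILOVER_MODE = MANUAL);

-- 3. Integrity check on every availability database before starting.
DBCC CHECKDB (N'SalesDb') WITH NO_INFOMSGS;

-- 4. Readiness report: one row per database per secondary replica.
--    Fail over only to a SYNCHRONOUS_COMMIT replica where every database shows
--    SYNCHRONIZED, is_suspended = 0 and is_failover_ready = 1.
SELECT ag.name AS availability_group,
       ar.replica_server_name,
       ar.availability_mode_desc,
       ar.failover_mode_desc,
       drcs.database_name,
       drs.synchronization_state_desc,
       drs.synchronization_health_desc,
       drs.is_suspended,
       drcs.is_failover_ready,
       CASE WHEN ar.availability_mode_desc = N'SYNCHRONOUS_COMMIT'
             AND drs.synchronization_state_desc = N'SYNCHRONIZED'
             AND drs.is_suspended = 0
             AND drcs.is_failover_ready = 1
            THEN 'SAFE FAILOVER TARGET'
            ELSE 'DO NOT FAIL OVER'
       END AS verdict
FROM sys.dm_hadr_database_replica_states AS drs
JOIN sys.availability_replicas AS ar
     ON ar.replica_id = drs.replica_id
JOIN sys.availability_groups AS ag
     ON ag.group_id = drs.group_id
JOIN sys.dm_hadr_database_replica_cluster_states AS drcs
     ON drcs.replica_id = drs.replica_id
    AND drcs.group_database_id = drs.group_database_id
WHERE drs.is_local = 0            -- secondaries, as seen from the primary
ORDER BY ag.name, ar.replica_server_name, drcs.database_name;

-- 5. The failover itself is issued on the upgraded target secondary, not here:
--      ALTER AVAILABILITY GROUP [AG1] FAILOVER;
--    After upgrading the old primary, resume data movement where it is suspended:
--      ALTER DATABASE [SalesDb] SET HADR RESUME;
```

A replica with any database reported as `DO NOT FAIL OVER` is not a valid target until every one of its rows changes to `SAFE FAILOVER TARGET`.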

To learn more about how to perform the correct steps in sequential order, review this link: [Upgrade availability group replicas - SQL Server Always On | Microsoft Docs](https://docs.microsoft.com/en-us/sql/database-engine/availability-groups/windows/upgrading-always-on-availability-group-replica-instances?view=sql-server-ver15#:~:text=Therefore%2C%20the%20rolling%20upgrade%20process%20may%20look%20as,the%20commit%20mode%20to%20asynchronous%20commit%20See%20More.)

## <span style="color:#cc5500;">Monitoring</span>

This section contains information about monitoring the database engine.

### <span style="color:rgb(0, 204, 153);">Resource Governor</span>

The linked page describes how to use the resource governor to manage resource consumption and workloads by specifying limits on the amount of CPU and memory that application requests can use.  See: [Resource Governor - SQL Server | Microsoft Docs](https://docs.microsoft.com/en-us/sql/relational-databases/resource-governor/resource-governor?view=sql-server-2017)

### <span style="color:rgb(0, 204, 153);">Log File Viewer (Object Explorer)</span>

The linked page describes the ways to display logged information about SQL Server components.  See: [Log File Viewer F1 Help - SQL Server | Microsoft Docs](https://docs.microsoft.com/en-us/sql/relational-databases/logs/log-file-viewer-f1-help?view=sql-server-2017)

### <span style="color:rgb(0, 204, 153);">Monitoring Resource Usage (System Monitor)</span>

The linked page contains information about using the Windows operating system monitor to track resource usage in SQL Server.  See: [Monitor Resource Usage (Performance Monitor) - SQL Server | Microsoft Docs](https://docs.microsoft.com/en-us/sql/relational-databases/performance-monitor/monitor-resource-usage-system-monitor?view=sql-server-2017)

### <span style="color:rgb(0, 204, 153);">Diagnostic Connection for Database Administrators (DAC)</span>

The linked page describes how production database administrators can make a diagnostic connection to instances when standard connections are not being accepted.  See: [Diagnostic Connection for Database Administrators - SQL Server | Microsoft Docs](https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/diagnostic-connection-for-database-administrators?view=sql-server-2017)

### <span style="color:rgb(0, 204, 153);">Use of Central Management Server</span>

You can administer multiple servers by designating Central Management Servers and creating server groups.

Central management servers store a list of instances of SQL Server that is organized into one or more central management server groups.  Actions that are taken by using a central management server group act on all servers in the server group.  This includes connecting to servers by using Object Explorer and executing Transact-SQL statements and Policy-Based Management policies on multiple servers at the same time.  For more information, see: [Create a Central Management Server - SQL Server Management Studio (SSMS) | Microsoft Docs](https://docs.microsoft.com/en-us/sql/ssms/register-servers/create-a-central-management-server-and-server-group?view=sql-server-2017)

### <span style="color: rgb(0, 204, 153);">Dynamic Management Views</span>

Dynamic management views and functions return server state information that can be used to monitor the health of a server instance, diagnose problems, and tune performance.  DMVs are an effective tool for managing operations and alerting as well as checking the status of activities and events in the SQL instance.  See: [Dynamic Management Views (Transact-SQL) - SQL Server | Microsoft Docs](https://docs.microsoft.com/en-us/sql/relational-databases/system-dynamic-management-views/system-dynamic-management-views?view=sql-server-2017)

There are two types of dynamic management views and functions: 

1. Server-scoped dynamic management views and functions.  These require VIEW SERVER STATE permission on the server. 
2. Database-scoped dynamic management views and functions.  These require VIEW DATABASE STATE permission on the database. 

Dynamic management views and functions have been organized into the following categories.

- Always On [Always On Availability Groups Dynamic Management Views - Functions - SQL Server | Microsoft Docs](https://docs.microsoft.com/en-us/sql/relational-databases/system-dynamic-management-views/always-on-availability-groups-dynamic-management-views-functions?view=sql-server-2017)
- Change Data Capture [sys.dm\_cdc\_errors (Transact-SQL) - SQL Server | Microsoft Docs](https://docs.microsoft.com/en-us/sql/relational-databases/system-dynamic-management-views/change-data-capture-sys-dm-cdc-errors?view=sql-server-2017)
- Change Tracking [sys.dm\_tran\_commit\_table (Transact-SQL) - SQL Server | Microsoft Docs](https://docs.microsoft.com/en-us/sql/relational-databases/system-dynamic-management-views/change-tracking-sys-dm-tran-commit-table?view=sql-server-ver15)
- CLR [Common Language Runtime Related Dynamic Management Views (Transact-SQL) - SQL Server | Microsoft Docs](https://docs.microsoft.com/en-us/sql/relational-databases/system-dynamic-management-views/common-language-runtime-related-dynamic-management-views-transact-sql?view=sql-server-2017)
- Database [Database Related Dynamic Management Views (Transact-SQL) - SQL Server | Microsoft Docs](https://docs.microsoft.com/en-us/sql/relational-databases/system-dynamic-management-views/database-related-dynamic-management-views-transact-sql?view=sql-server-ver15)
- Page Repair [sys.dm\_db\_mirroring\_auto\_page\_repair (Transact-SQL) - SQL Server | Microsoft Docs](https://docs.microsoft.com/en-us/sql/relational-databases/system-dynamic-management-views/database-mirroring-sys-dm-db-mirroring-auto-page-repair?view=sql-server-ver15)
- Execution [Execution Related Dynamic Management Views and Functions (Transact-SQL) - SQL Server | Microsoft Docs](https://docs.microsoft.com/en-us/sql/relational-databases/system-dynamic-management-views/execution-related-dynamic-management-views-and-functions-transact-sql?view=sql-server-ver15)
- Extended Events [Extended Events Dynamic Management Views - SQL Server | Microsoft Docs](https://docs.microsoft.com/en-us/sql/relational-databases/system-dynamic-management-views/extended-events-dynamic-management-views?view=sql-server-ver15)
- File Stream [Filestream and FileTable Dynamic Management Views (Transact-SQL) - SQL Server | Microsoft Docs](https://docs.microsoft.com/en-us/sql/relational-databases/system-dynamic-management-views/filestream-and-filetable-dynamic-management-views-transact-sql?view=sql-server-ver15)
- Full Text [Full-Text and Semantic Search Dynamic Management Views - Functions - SQL Server | Microsoft Docs](https://docs.microsoft.com/en-us/sql/relational-databases/system-dynamic-management-views/full-text-and-semantic-search-dynamic-management-views-functions?view=sql-server-ver15)
- Index [Index Related Dynamic Management Views and Functions (Transact-SQL) - SQL Server | Microsoft Docs](https://docs.microsoft.com/en-us/sql/relational-databases/system-dynamic-management-views/index-related-dynamic-management-views-and-functions-transact-sql?view=sql-server-ver15)
- I/O [I/O Related Dynamic Management Views and Functions (Transact-SQL) - SQL Server | Microsoft Docs](https://docs.microsoft.com/en-us/sql/relational-databases/system-dynamic-management-views/i-o-related-dynamic-management-views-and-functions-transact-sql?view=sql-server-ver15)
- Memory Optimized Tables [Memory-optimized table Dynamic Management Views (Transact-SQL) - SQL Server | Microsoft Docs](https://docs.microsoft.com/en-us/sql/relational-databases/system-dynamic-management-views/memory-optimized-table-dynamic-management-views-transact-sql?view=sql-server-ver15)
- Objects [Object Related Dynamic Management Views and Functions (Transact-SQL) - SQL Server | Microsoft Docs](https://docs.microsoft.com/en-us/sql/relational-databases/system-dynamic-management-views/object-related-dynamic-management-views-and-functions-transact-sql?view=sql-server-ver15)
- Subscriptions [sys.dm\_qn\_subscriptions (Transact-SQL) - SQL Server | Microsoft Docs](https://docs.microsoft.com/en-us/sql/relational-databases/system-dynamic-management-views/query-notifications-sys-dm-qn-subscriptions?view=sql-server-ver15)
- Replication [Replication Related Dynamic Management Views (Transact-SQL) - SQL Server | Microsoft Docs](https://docs.microsoft.com/en-us/sql/relational-databases/system-dynamic-management-views/replication-related-dynamic-management-views-transact-sql?view=sql-server-ver15)
- Resource Governor [Resource Governor Related Dynamic Management Views (Transact-SQL) - SQL Server | Microsoft Docs](https://docs.microsoft.com/en-us/sql/relational-databases/system-dynamic-management-views/resource-governor-related-dynamic-management-views-transact-sql?view=sql-server-ver15)
- Security [Security-Related Dynamic Management Views and Functions (Transact-SQL) - SQL Server | Microsoft Docs](https://docs.microsoft.com/en-us/sql/relational-databases/system-dynamic-management-views/security-related-dynamic-management-views-and-functions-transact-sql?view=sql-server-ver15)
- Server [Server-Related Dynamic Management Views and Functions (Transact-SQL) - SQL Server | Microsoft Docs](https://docs.microsoft.com/en-us/sql/relational-databases/system-dynamic-management-views/server-related-dynamic-management-views-and-functions-transact-sql?view=sql-server-ver15)
- Service Broker [Service Broker Related Dynamic Management Views (Transact-SQL) - SQL Server | Microsoft Docs](https://docs.microsoft.com/en-us/sql/relational-databases/system-dynamic-management-views/service-broker-related-dynamic-management-views-transact-sql?view=sql-server-ver15)
- SQL OS [SQL Server Operating System Related Dynamic Management Views (Transact-SQL) - SQL Server | Microsoft Docs](https://docs.microsoft.com/en-us/sql/relational-databases/system-dynamic-management-views/sql-server-operating-system-related-dynamic-management-views-transact-sql?view=sql-server-ver15)
- Transactions [Transaction Related Dynamic Management Views and Functions (Transact-SQL) - SQL Server | Microsoft Docs](https://docs.microsoft.com/en-us/sql/relational-databases/system-dynamic-management-views/transaction-related-dynamic-management-views-and-functions-transact-sql?view=sql-server-ver15)
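
The two DMV scopes and their permissions, shown as an added example (not part of the original notebook or of Microsoft's documentation). The batch first reports whether the caller holds each permission, then runs one server-scoped query that lists user sessions with their authentication scheme and encryption state, and one database-scoped query for table sizes; it assumes SQL Server 2016 or later and only reads system views.

```sql
-- Added example. Run it in the database you want to inspect.
-- 1 = the current login holds the permission, 0 = it does not.
SELECT
    HAS_PERMS_BY_NAME(NULL, NULL, 'VIEW SERVER STATE')              AS has_view_server_state,
    HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'VIEW DATABASE STATE') AS has_view_database_state;

-- Server-scoped DMVs (need VIEW SERVER STATE): one row per user connection,
-- unencrypted connections first so they are easy to spot.
SELECT
    s.session_id,
    s.login_name,
    s.host_name,
    s.program_name,
    c.client_net_address,
    c.net_transport,
    c.auth_scheme,        -- KERBEROS, NTLM or SQL
    c.encrypt_option,     -- 'TRUE' when the connection is encrypted
    c.connect_time
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c
    ON c.session_id = s.session_id
WHERE s.is_user_process = 1
  AND c.parent_connection_id IS NULL   -- physical connections only (skips MARS children)
ORDER BY c.encrypt_option, s.login_name;

-- Database-scoped DMV (needs VIEW DATABASE STATE in the current database):
-- the ten largest user tables by reserved space.
SELECT TOP (10)
    OBJECT_SCHEMA_NAME(ps.object_id) AS schema_name,
    OBJECT_NAME(ps.object_id)        AS table_name,
    SUM(CASE WHEN ps.index_id IN (0, 1) THEN ps.row_count ELSE 0 END) AS row_count,
    SUM(ps.reserved_page_count) * 8 / 1024 AS reserved_mb   -- pages are 8 KB
FROM sys.dm_db_partition_stats AS ps
WHERE OBJECTPROPERTY(ps.object_id, 'IsUserTable') = 1
GROUP BY ps.object_id
ORDER BY reserved_mb DESC;
```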

### <span style="color: rgb(0, 204, 153);">Multi-Server Management and Agent Jobs</span>

Multiserver administration can be used to centrally manage and operate SQL Server. Multiserver administration requires that you set up a master server (MSX) and one or more target servers (TSX). Jobs that will be processed on all the target servers are first defined on the master server and then downloaded to the target servers.  See: [Create a Multiserver Environment - SQL Server Agent | Microsoft Docs](https://docs.microsoft.com/en-us/sql/ssms/agent/create-a-multiserver-environment?view=sql-server-2017)

## <span style="color:#cc5500;">Performance</span>

This section contains information about managing SQL Server 2016 database engine performance.

### <span style="color:rgb(0, 204, 153);">Monitoring and Tuning for Performance</span>

This page contains information about the tools and methods that let you view current database conditions and track performance as conditions change. Here: [Monitor and Tune for Performance - SQL Server | Microsoft Docs](https://docs.microsoft.com/en-us/sql/relational-databases/performance/monitor-and-tune-for-performance?view=sql-server-ver15&viewFallbackFrom=sql-server-2017px)

### <span style="color:rgb(0, 204, 153);">Understanding Statistics and Managing Statistics</span>

This page provides information about and a description of the statistics used in SQL Server. Here: [Statistics - SQL Server | Microsoft Docs](https://docs.microsoft.com/en-us/sql/relational-databases/statistics/statistics?view=sql-server-2016)

### <span style="color:rgb(0, 204, 153);">Performance Monitoring and Tuning Tools</span>

This page contains step-by-step procedures for a variety of tools and techniques that can be used to monitor SQL Server. Here: [Performance Monitoring and Tuning Tools - SQL Server | Microsoft Docs](https://docs.microsoft.com/en-us/sql/relational-databases/performance/performance-monitoring-and-tuning-tools?view=sql-server-2017)

### <span style="color:rgb(0, 204, 153);">Improve the Performance of Full-Text Queries</span>

This page contains a list of recommendations that will help improve full-text query performance. Here: [Improve the Performance of Full-Text Queries - SQL Server | Microsoft Docs](https://docs.microsoft.com/en-us/sql/relational-databases/search/improve-the-performance-of-full-text-queries?view=sql-server-2017)

### <span style="color:rgb(0, 204, 153);">Optimizing Your Query Plans with the SQL Server Cardinality Estimator</span>

This page contains information on how to use the cardinality estimator to improve the quality of query plans, and therefore to improve query performance.  Here: [Cardinality Estimation (SQL Server) - SQL Server | Microsoft Docs](https://docs.microsoft.com/en-us/sql/relational-databases/performance/cardinality-estimation-sql-server?view=sql-server-2017)

### <span style="color:rgb(0, 204, 153);">Stretch Database</span>

This page contains information on the architecture of stretch database along with the benefits of implementing it.  Here:  [Stretch Database - SQL Server Stretch Database | Microsoft Docs](https://docs.microsoft.com/en-us/sql/sql-server/stretch-database/stretch-database?view=sql-server-2017)

## <span style="color:#cc5500;">Security</span>

This section provides links that help you locate the information you need to operate and manage your SQL Server environment more securely.

### <span style="color:rgb(0, 204, 153);">Securing SQL Server</span>

This general overview page [Securing SQL Server - SQL Server | Microsoft Docs](https://docs.microsoft.com/en-us/sql/relational-databases/security/securing-sql-server?view=sql-server-2017) provides information on how to secure the SQL Server platform and how to work with users and securable objects.

Examples include:

- Rename the ‘sa’ login.
- Use domain groups to provision access to SQL Server.
- Avoid using built-in roles like db\_datawriter, db\_datareader, or any db\_\*, to grant permission to SQL Server databases.
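
A way to check an instance against the three examples above, as an added example that is not part of the original notebook. The queries only read catalog views; the name filters that skip service and internal logins are assumptions to adjust for your environment.

```sql
-- Added example. The built-in 'sa' login always has SID 0x01, whatever it is named.
SELECT
    name AS sa_current_name,
    is_disabled,
    CASE WHEN name = N'sa' THEN 'not renamed' ELSE 'renamed' END AS rename_status
FROM sys.server_principals
WHERE sid = 0x01;

-- Logins provisioned individually rather than through a Windows (domain) group.
-- type: 'U' = Windows login, 'S' = SQL login, 'G' = Windows group.
SELECT name, type_desc, is_disabled, create_date
FROM sys.server_principals
WHERE type IN ('U', 'S')
  AND sid <> 0x01
  AND name NOT LIKE N'##%'             -- internal certificate-based logins (assumed filter)
  AND name NOT LIKE N'NT SERVICE\%'    -- service SIDs (assumed filter)
  AND name NOT LIKE N'NT AUTHORITY\%'  -- built-in accounts (assumed filter)
ORDER BY type_desc, name;

-- Members of the fixed db_* roles in the current database.
-- Run once per database; every row is a grant made through a built-in role.
SELECT
    r.name      AS fixed_role,
    m.name      AS member_name,
    m.type_desc AS member_type
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r
    ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m
    ON m.principal_id = rm.member_principal_id
WHERE r.is_fixed_role = 1
ORDER BY r.name, m.name;
```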

### <span style="color:rgb(0, 204, 153);">DISA SQL Server STIGs</span>

This section is provided as a courtesy to customers using SQL Server in US Federal, State, and Local Governments and may not apply to your jurisdiction.  [DISA](https://disa.mil/) published the Security Technical Implementation Guide (STIG) [Security Technical Implementation Guides (STIGs) – DoD Cyber Exchange](https://public.cyber.mil/stigs/) for SQL Server [Microsoft SQL Server 2012 Database Instance Security Technical Implementation Guide (stigviewer.com)](https://stigviewer.com/stig/microsoft_sql_server_2012_database_instance/).  Microsoft Services completed the Security Requirements Guide (SRG) [SRG / STIG Library Compilations – DoD Cyber Exchange](https://public.cyber.mil/stigs/compilations/) vendor-response form offering guidance to DISA on how to secure and harden SQL Server 2016 to meet the NIST requirements.  While DISA solely owns and manages the STIGs, many vendors do have concerns about how their products are portrayed by the Federal Government and how NIST and the DoD mandate the secure configuration of products.  For this iteration of the SQL STIG, Microsoft US Public Sector Services was able to recommend a significant amount of technical guidance for securing SQL Server 2016.

Below are 12 SQL STIG-related operational concerns and recommendations, each a facet of SQL STIG compliance. The operational and support items unique to the SQL STIG are summarized under each one.

- Network Settings
    - Ports and Protocols. Ensure baseline and configuration control (ports do not move or change).
    - DoD PKI.  Check certificates for expiration via an automated job or regular review.
    - SSL and TLS.  Ensure the setting is set and does not change.
- SQL Server Encryption
    - Keys and key management. Check for new keys or changes to existing keys and backup.
    - TDE. Monitor for and encrypt new databases.
    - Always Encrypted.  Ensure backup of encryption keys.
- Authentication and Authorization
    - Windows Authentication. Ensure instance-level authentication mode does not change
    - Login and User baseline. Regularly review and update baseline of logins, users, and roles. As well, ensure any new logins and roles are replicated to AG partners (availability concern).
    - Shared Accounts (including NT Authority\\SYSTEM). Monitor the database system and ensure no unauthorized shared accounts are created or used.
    - Database Ownership. Ensure only authorized principals own databases (and accounts can be disabled)
    - Contained Databases
    - Proxies. Ensure only authorized
- Logic Modules and Programmability Baseline
    - External Logic Modules. Monitor the systems to ensure no unauthorized external logic modules are used.
    - Access Control
    - Baseline
    - Table Versioning
    - Trustworthy
    - SQL Injection
- Reducing Attack Surface
    - Components installed (Feature inventory)
    - XPs
    - CLR and External Assemblies
    - Linked Servers
- Auditing and Alerting
    - SQL Audits. SQL Server can track changes or access to the system and its databases. This section explains how to implement auditing in SQL Server.  The DISA SQL Server STIG requires that extensive auditing and alerting for SQL Server be performed with SQL Audits. Please see the DISA SQL STIG and the US PubSec guides for installation and hardening of SQL Server for more information.
    - Alerting
    - Error Log Management and Log Archive Maintenance (AuditDW)
- Patching and OS Related Checks
    - Permissions
    - Privileged OS Access
    - FIPS Compliance
    - Service Settings and Alerting
    - Local Rights Assignments
    - Registry Audits
- Session Management
    - Session Security (Confidentiality)
    - Common Criteria
    - Logon Trigger or Session Limit
- Data Labeling and Row-Level Security
    - Labeling of Data
    - Row-Level Security
    - Error Message Security
    - Auditing Access to Data and Tables
- Telemetry
    - Review All
    - Disabling
- Backups and Recovery
    - Setup Backups
    - Verify Backup
    - HA/DR
    - Recoverability
    - Log Settings
    - Database Settings
    - Data Migration and Scrubbing
- Dashboards and Monitoring
    - HIPS IPS/IDS/AV (and Exclusions)
    - Threat and malicious anomaly detection
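
Several of the checklist items above (authentication mode, certificate expiration and key backup, TDE coverage, database ownership, TRUSTWORTHY, XPs and CLR, linked servers) can be read straight from catalog views and compared with a recorded baseline. The batch below is an added example, not part of the original notebook or of the DISA STIG; the 60-day expiration window and the list of configuration options are assumptions.

```sql
-- Added example: read-only drift checks for a scheduled job or a regular review.
-- Authentication mode: 1 = Windows Authentication only, 0 = mixed mode.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- Certificates in master that expire within 60 days (assumed window)
-- or whose private key has never been backed up.
SELECT name, subject, expiry_date,
       pvt_key_encryption_type_desc, pvt_key_last_backup_date
FROM master.sys.certificates
WHERE name NOT LIKE N'##%'   -- skip internal system certificates
  AND (expiry_date < DATEADD(DAY, 60, GETDATE())
       OR (pvt_key_encryption_type <> 'NA' AND pvt_key_last_backup_date IS NULL));

-- Per user database: owner, TDE state, TRUSTWORTHY and containment.
-- New rows with is_encrypted = 0 are databases created since TDE was last applied.
SELECT d.name,
       SUSER_SNAME(d.owner_sid) AS owner_login,
       d.is_encrypted,
       d.is_trustworthy_on,
       d.containment_desc,
       d.create_date
FROM sys.databases AS d
WHERE d.database_id > 4      -- skip master, tempdb, model, msdb
ORDER BY d.create_date DESC;

-- Attack-surface options; compare value_in_use with the approved baseline.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN (N'xp_cmdshell', N'clr enabled', N'Ole Automation Procedures',
               N'Ad Hoc Distributed Queries', N'cross db ownership chaining',
               N'contained database authentication')
ORDER BY name;

-- Linked servers currently defined on the instance.
SELECT name, product, provider, data_source, modify_date
FROM sys.servers
WHERE is_linked = 1
ORDER BY name;
```

Saving each result set to a table on a schedule and diffing it against the previous run turns these queries into the baseline review the checklist calls for.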

### <span style="color:rgb(0, 204, 153);">Password Policy and Strong Passwords</span>

US PubSec DoD servers often have platform-level operating system (OS) configurations that set password enforcement policies and require strong passwords.  See DISA Windows Server STIG for more information. [Microsoft SQL Server 2012 Database Instance Security Technical Implementation Guide (stigviewer.com)](https://stigviewer.com/stig/microsoft_sql_server_2012_database_instance/)

### <span style="color:rgb(0, 204, 153);">SQL Server Certificates and Asymmetric Keys</span>

Certificates are secure objects that can "sign" other objects and connections. This section describes certificates and how to implement them here: [SQL Server Certificates and Asymmetric Keys - SQL Server | Microsoft Docs](https://docs.microsoft.com/en-us/sql/relational-databases/security/sql-server-certificates-and-asymmetric-keys?view=sql-server-2017)

### <span style="color:rgb(0, 204, 153);">SQL Server Encryption</span>

Encryption is the process of changing data to hide its original meaning through the use of an encryption algorithm.  SQL Server can use encryption for connections, code, and data.  This section explains how to implement encryption in SQL Server here: [SQL Server Encryption - SQL Server | Microsoft Docs](https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/sql-server-encryption?view=sql-server-2017)

### <span style="color:rgb(0, 204, 153);">Row-Level Security</span>

Row-Level Security enables customers to control access to rows in a database table based on the characteristics of the user executing a query.  This page describes use cases, best practices and implementation examples of row-level security in SQL Server here: [Row-Level Security - SQL Server | Microsoft Docs](https://docs.microsoft.com/en-us/sql/relational-databases/security/row-level-security?view=sql-server-2017)

### <span style="color:rgb(0, 204, 153);">Always Encrypted</span>

Always Encrypted is a feature designed to protect sensitive data, such as credit card numbers or national identification numbers (e.g. U.S. social security numbers), stored in Azure SQL Database or SQL Server databases.  This page outlines the typical usage scenarios and steps to implement Always Encrypted here: [Always Encrypted - SQL Server | Microsoft Docs](https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-database-engine?view=sql-server-2017)

### <span style="color:rgb(0, 204, 153);">Dynamic Data Masking</span>

Dynamic Data Masking limits sensitive data exposure by masking it to non-privileged users.  This page explains how to define Dynamic Data Masking, common use cases and best practices along with implementation examples here: [Dynamic Data Masking - SQL Server | Microsoft Docs](https://docs.microsoft.com/en-us/sql/relational-databases/security/dynamic-data-masking?view=sql-server-2017)