TITLE: Microsoft SQL Server Management Studio
------------------------------

Failed to retrieve data for this request. (Microsoft.SqlServer.Management.Sdk.Sfc)
For help, click: http://go.microsoft.com/fwlink?ProdName=Microsoft+SQL+Server&LinkId=20476

------------------------------
ADDITIONAL INFORMATION:

An exception occurred while executing a Transact-SQL statement or batch. (Microsoft.SqlServer.ConnectionInfo)
------------------------------

The server principal "my_db_user" is not able to access the database "any_other_db_on_the_server" under the current security context. (Microsoft SQL Server, Error: 916)

For help, click: http://go.microsoft.com/fwlink?ProdName=Microsoft+SQL+Server&ProdVer=09.00.1399&EvtSrc=MSSQLServer&EvtID=916&LinkId=20476

This is something similar to the image below:

Error Connecting to MS SQL 2005 DB Remotely Management Studio 2008

This error happen to appear while remotely connecting a database on Microsoft SQL server 2005 with any version of Microsoft SQL Server Management Studio 2008, It will not appear if you connect the SQL server 2005 with Microsoft SQL Server Management Studio Express 2005. And the link that has been specified in the error above is of any no use, also the error started to be reported more for a Windows Shared hosting clients rather than the one with Windows dedicated server. Because the problem only appears to happen if you connect with a user that has access to a particular database and not with the user that has administrator access over the Microsoft SQL server. I had to scratch my head for the solution as it seems to be related more to the permissions on the database user. Now the interesting thing here is that the SQL database that in the error is different than the MSSQL database on which the user has its access on.

After allot of searching on the web I found that this is a bug on all versions of Microsoft SQL Server Management Studio (Express) 2008 and there is a simple work around to access your database remotely with no errors at all. Here is what that is required:

1) Connect to the MS SQL server with the user credentials in MSSMS (Express) 2008.
2) Bring Object Explorer Details window by selecting View –> Object Explorer Details in menu (or just by hitting F7)
3) In Object Explorer window click at Databases folder
4) In Object Explorer Details Window right-click at the column header and deselect Collation
5) Refresh Databases folder.

Refer to the image below for better understanding:

Fix Failed to retrieve data for this request Error: 916 Management studio

That is it. This will give you the desired access over your database and you will be happily make changes as per your need.
This is just another complicated error by Microsoft which has a very simple fix.

We understood that the problem was not with the mssql.domain_name link but the virus alert only happened after click on ASP .NET Enterprise Manager, Recomended this site. And the link was:

www.referralplanet.com/referral/windows/referralWindow.asp?id=17

Since the site was not hosted with us we had a sigh of relief that the problem is not with the server however we thought we still have a security problem if the link has been injected into ASP .NET Manager site in IIS, may be due to a security issue with Plesk control panel. And after checking several servers we came to know that the problem has happened to the site that is recommended on MSSQL Webadmin site and not the server.

If you want to remove this link from your server as well as from the MSSQL WebAdmin site then follow the steps below:

1. Login into the server through RDP with Administrator user.
2. Go to D:\inetpub\vhosts\sqladmin\mssql\app
3. Open the navbar.aspx page in notepad
4. Go to line number 119 and remove the code below:

<!-- Begin ReferralPlanet.com Referral Script -->
<a onclick="refWindow=window.open('http:// www.referralplanet.com/referral/windows/referralwindow.asp?id=18','referralWindow' ,'width=350,height=520,scrollbars=yes,menubar=no,resizable=yes'); refWindow.focus(); return false;" target=_blank href="http:// www.referralplanet.com/referral/windows/referralWindow.asp?id=17">
<IMG alt="Click Here To Tell A Friend" src="images/tellafriend.gif" border=0></A>
<!-- Begin ReferralPlanet.com Referral Script -->

5. Save the file and exit.

This problem must have infected millions of computer in the world. Let see when chinese hacker stop putting their shit on other’s website and get mature.

ASP.NET, a higher version of ASP, is a programming framework used to create enterprise-class Web Applications. These applications are available to the entire world providing efficient information to their end users. ASP .NET has far more advantages than just a next version of ASP. And it is easily available to configure and use no matter if you have a Dedicated server or a Shared hosting account.

Why to use ASP.NET?

Microsoft has worked well to shift their focus on Internet world from a Windows based platform since 1995 and finally Microsoft introduced Active Server Pages (ASP) in 1996 that was much easy to understand than the orthodox languages like Java, C++ and Perl as it offered the efficiency of ISAPI applications. However ASP scripts were difficult to debug and main, since it consisted unstructured code and interpreted script. ASP also made it difficult for developer to ingrate the web development software as it required to understand many different technologies. If the web application grew more complex and bigger it became harder to maintain as the number of line in source code increased dramatically, specially when you host your application on a Shared hosting server. Therefore, a need of an architecture was required that would allow development of Web application in a consistent way.

A new technology .NET framework was introduced with the intention to provide globally distributed software with Internet functionality and interoperability. The .NET Framework includes multiple language support and consists of many class libraries with a common execution point. .NET framework provides a high level of flexibility allowing to development a top class web application that does different things. ASP .NET is built into this framework which allows a developer to crate a web application using any of the built-in languages. Making it easy to develop an Internet based web application.

ASP.NET uses the Common Language Runtime (CLR) provided by the .NET Framework which is not available in ASP. Execution of the code we rite is managed by this CLR. ASP.NET code is a compiled CLR code instead of interpreted code (ASP). The CLR makes development of Web applications simple and also allows objects written in different languages to interact with each other.

Advantages of Using ASP.NET:

• ASP.NET reduces the code drastically that is required to build large applications
• ASP.NET makes for easy deployment. There is no need to register components because the configuration information is built-in
• ASP.NET, with an event-driven, server-side programming model makes development simpler and easier to maintain.
• The pages have lots of power and flexibility by this approach since the source code is executed on the server.
• The Web server continuously monitors the pages, components and applications running on it. If it notices memory leaks, infinite loops, other illegal software or activities, it seamlessly kills those activities and restarts itself
• Execution of .NET application is fast as the Web Server compiles the page the first time it is requested. The server saves the compiled version of the page to use it next time the page is requested
• ASP.NET applications are more secure as only the HTML produced by the ASP .NET page is sent back to the browser and the application source code you write is not sent and is not easily stolen
• ASP.NET pages are easy to write and maintain because the source code and HTML are together
• ASP.NET applications run faster and counters large volumes of users without performance problems
• ASP .NET validates information (validation controls) entered by the user without writing a single line of code
• ASP.NET is compatible with ADO.NET using data-binding and page formatting features.

1. SQLOS: which implements the basic services required by MS SQL Server, including thread scheduling, I/O stat management and memory management.

2. Relational Engine: which implements the relational database components including support for databases, tables, queries and stored procedures as well as implementing the type system.

3. Protocol Layer: which exposes the MS SQL Server functionality.

SQLOS

SQLOS is the base component in the Windows SQL Server architecture. It implements functions normally associated with the Operating System, thread scheduling, memory management, I/O management, buffer pool management, resource management, synchronization primitives and locking, and deadlock detection. Because the requirements of Windows SQL Server are highly specialized, it implements its own memory and thread management system, rather than using the generic one implemented in the OS. SQLOS also includes synchronization primitives for locking as well as monitoring for the worker threads to detect and recover from deadlocks.

SQLOS handles the memory requirements of MS SQL Server as well. Reducing disc I/O is one of the primary goals of specialized memory management in SQL Server. It maintains a buffer pool, which is used to cache data pages from the disc, and to satisfy the memory requirements for the query processor, and for other internal data structures. SQLOS monitors all the memory allocated from the buffer pool, ensuring that the components return unused memory to the pool, and shuffles data out of the cache to make room for newer data. For changes that are made to the data in buffer, SQLOS writes the data back to the disc lazily, that is when the disc subsystem is either free, or there have been significant numbers of changes made to the cache, while still serving requests from the cache. For this, it implements a Lazy Writer, which handles the task of writing the data back to persistent storage.

WIndows SQL Server normally supports up to 2 GB memory on x86 hardware, though it can be configured to use up to 64 GB if the Address Windowing Extension is used in the supporting operating system. For x64 hardware, it supports 8 TB of memory, and 7 TB for IA-64 systems (currently it is limited by Windows Server 2003 SP1 to 1TB). However, when running x86 versions of SQL Server on x64 hardware, it can access 4 GB of memory without any special configuration.

Relational Engine:

The Relational engine implements the relational data store using the capabilities provided by SQLOS, which is exposed to this layer via the private SQLOS API. It implements the type system, to define the types of the data that can be stored in the tables, as well as the different types of data items (such as tables, indexes, logs etc) that can be stored. It includes the Storage Engine, which handles the way data is stored on persistent storage devices and provides methods for fast access to the data. The storage engine implements log-based transaction to ensure that any changes to the data are ACID compliant. It also includes the query processor, which is the component that retrieves data. MSSQL queries specify what data to retrieve, and the query processor optimizes and translates the query into the sequence of operations needed to retrieve the data. The operations are then performed by worker threads, which are scheduled for execution by SQLOS.

Protocol Layer:

Protocol layer implements the external interface to MS SQL Server. All operations that can be invoked on MSSQL Server are communicated to it via a Microsoft-defined format, called Tabular Data Stream (TDS). TDS is an application layer protocol, used to transfer data between a database server and a client. Initially designed and developed by Sybase Inc. for their Sybase MS SQL Server relational database engine in 1984, and later by Microsoft in Microsoft MS SQL Server, TDS packets can be encased in other physical transport dependent protocols, including TCP/IP, Named pipes, and Shared memory. Consequently, access to MSSQL Server is available over these protocols. In addition, the MSSQL Server API is also exposed over web services.

Pros and Cons to Windows 2003 Clustering and Load Balancing:

You could now be asking yourself, which is better to implement, Windows clustering or load balancing hosting? To give you a quick rundown of the high-level pros and cons to each technology, consider the following. With Windows cluster hosting, you depend on the actual clustered nodes to make a decision about the state of the network and what to do in a failure. If Node A in a cluster senses a problem with Node B (Node B is down), then Node A comes online. This is done with heartbeat traffic, which is a way for Node A to know that Node B is no longer available and it must come online to take over the traffic. With load balancing, a single device (a network client) sends traffic to any available node in the load-balanced group of nodes. Load balancing uses heartbeat traffic as well but, in this case, when a node comes offline, the “load” is recalculated among the remaining nodes in the group. Also, with clustering (not load balancing), you’re normally tied down or restricted to a small number of participating nodes. For example, if you want to implement a clustered solution with Windows 2003 Advanced Server, you might use a two-node cluster. With load balancing, you can implement up to 32 nodes and, if you use a third-party utility, you can scale way beyond that number. You can even mix up the operating system (OS) platforms, if needed, to include Sun Solaris or any other system you might be running your services on. Finally, you have the option to set up tiered access to services and to mix both architectures (clustering and load balancing hosting) together. You can set up the first tier of access to your web servers as load balanced and the last tier of access as your clustered SQL databases.

With eukhost we have expertise for any feature as per your hosting requirement. We can also setup Windows Dedicated Cluster hosting along with Plesk control panel, this is something that only eUKhost can provide.

We read allot of articles on how one can use MRTG as an Intrusion detection tool or to creating traffic graph for a particular network subnet or a single IP address on Linux platform with Apache web server. But we find very few that allow us to have graphs on Windows Dedicated server with IIS Web Server.

Here are some steps that can be used to create graphs on Windows Dedicated server with IIS as the web servers. And there is no need to take all the efforts to configure MRTG as we can simply have graphs with the use of logparser and the RRDtool from Tobias Oetiker and you can use the RRDtool perfectly without the rest of MRTG.

Logparser

Logparser is a great free tool from Microsoft. It is written by Gabriele Giuseppini a Software Design Engineer from the test department. The first version of logparser was an internal testing tool inside Microsoft. Version 2 was made publicly available at the website, version 2.1 was a part of the IIS resource tools kit and version 2.2 was made available in January 2005.

Here is a brief introduction how logparser works:

Logparser need three things, an input format, an output format and a sort of SQL query. The SQL query is a dialect of SQL.

There are few very interesting articles on Microsoft’s website, one written by the Author himself:
How to use Logparser
Another one from Scripting Guys:

The article from the scripting guys shows you how to use the logparser directly in a script with a com object.

You can download Logparser from the link below:
DOWNLOAD LOAGPARSER

The above download has portable help file in the application directory. This help file give you the parameters of all the properties of the logparser.
There is also an unofficial website specially for logparser:
www.logparser.com

About RRDtool.

What is the RRDtool:

The RRDtool or Round Robin Database tool is a tool that can store date in a database and create graphs with it. The really great thing about RDDTool is that the database does not growing. It will stay almost the same size as when it was created.

On the RRD website
RRDTool Website
there are some really good tutorials, and it is recommended to read them before you use the RRDtool.
From this website you can also download the RRDtool, the only problem is that you need to compile it but if you download it with the MRTGbundle from the link below, it has a completed version of the RRDtool in the packet. If you unpack the MRTGbundle, you can copy the RRDtool directory to your scripting directory or your application directory and start using it.
DOWNLOAD RDDTool Compiled Version

Create Database.

Before you can use the RRDtool you need to create the database.
The link below has all the information on how and why to create a database along with the parameters.
How to create a database
Parameters

You can also use a script to do that.


‘#start script.
Set WshShell = WScript.CreateObject("WScript.Shell")
strCMD = ".binrrdtool.exe create Eservicing.rrd"
strCMD = strCMD & " --start N "
strCMD = strCMD & " -s 300"
strCMD = strCMD & " DS:Hits:GAUGE:600:0:2000000"
strCMD = strCMD & " DS:Error400:GAUGE:600:0:2000000"
strCMD = strCMD & " DS:Error500:GAUGE:600:0:2000000"
strCMD = strCMD & " RRA:AVERAGE:0.5:1:288"
strCMD = strCMD & " RRA:AVERAGE:0.5:2:2016"
strCMD = strCMD & " RRA:AVERAGE:0.5:4:2232"
strCMD = strCMD & " RRA:AVERAGE:0.5:12:8760"

WshShell.Run strCMD
‘#end script.

Here is an explanation of every command in the script:

Set WshShell = WScript.CreateObject("WScript.Shell")
This line create a shell object you need to run the RRDtool .
In the next 10 lines I create the command line that I run in the last line.

strCMD = ".binrrdtool.exe create Eservicing.rrd"
this starts the RRDtool with the create function and give the name of the database.

strCMD = strCMD & " --start N "
–start set the start time of the database and N is the current time. The RRDtool works with Unixtime, this are the seconds from 1 January 1970.

strCMD = strCMD & " -s 300"
-s is the seconds between a database update.

strCMD = strCMD & " DS:Hits:GAUGE:600:0:2000000"
strCMD = strCMD & " DS:Error400:GAUGE:600:0:2000000"
strCMD = strCMD & " DS:Error500:GAUGE:600:0:2000000"
with this three lines I create three data sources. DS stands for data source, Hits is the name of the data source GAUGE is one of the four type’s of data sources, 600 are the seconds between the records if there is no input after 600 the value is NULL, 0 is the minimum value of the record and 200000 is the maximum value.

strCMD = strCMD & " RRA:AVERAGE:0.5:1:288"
strCMD = strCMD & " RRA:AVERAGE:0.5:2:2016"
strCMD = strCMD & " RRA:AVERAGE:0.5:4:2232"
strCMD = strCMD & " RRA:AVERAGE:0.5:12:8760"
this four lines create four Round Robin Archives. RRA stands for Round Robin Archive, AVERAGE is one of the four consolidation functions, 0.5 is the consolidation interval, 1 is the number of data sources that are consolidate in one record in the Round Robin Archive. If every 600 seconds a DS is created and the value is 4 instead of 1 every 2400 seconds there will be a record add to the archive, the last value is the number of records the archive contains.
The first line create a Round Robin Archive with a consolidation interval of 0.5. every data source gets a record in the archive and the archive is 288 records long.

WshShell.Run strCMD
And with this line the command is executed.

Update database.

With the next script we use logparser to evaluate the logfile from a IIS server. We can run this script every 5 minutes. To write the results in RRD database.

‘#start script
Const ForReading = 1, ForWriting = 2, ForAppending = 8
'-------------------------------------------------------------------------
LogDir = "serverd$logsyswwwsiteW3SVC1"
Set WSHShell = CreateObject("Wscript.Shell")
Set fso = CreateObject("Scripting.FileSystemObject")
Set objLogParser = CreateObject("MSUtil.LogQuery")
Set objDictIISlogslist = CreateObject("Scripting.Dictionary")

Dim strDate
Dim count
Error400 = 0
Error500 = 0
‘————————————————————————-
Main
‘————————————————————————-
‘————————————————————————-
Sub Main
Call MakeStrDate
Call GetUniqueHits
Call GetStatus
Call UpdateRRD
End Sub
‘————————————————————————-
‘ —————————————————————————-
Sub MakeStrDate
strMonth = Month(Now)
If Len(strMonth) = 1 Then
strMonth = “0″ & CStr(strMonth)
End If
strDay = Day(Now)
If Len(strDay) = 1 Then
strDay = “0″ & CStr(strDay)
End If
strYear =Right(Year(Now),2)
strDate = strYear & strMonth & strDay
End Sub
‘ —————————————————————————-
‘————————————————————————-
Sub GetUniqueHits
Set objInputFormat = CreateObject(“MSUtil.LogQuery.IISW3CInputFormat”)
objInputFormat.recurse = -1
objInputFormat.iCheckPoint = strDate & “.lpc”
strQuery = “SELECT count(*) as UniqueHits FROM ‘” & _
LogDir & “ex” & strDate & “.log’”
Set objRecordSet = objLogParser.Execute(strQuery, objInputFormat)
Do While Not objRecordSet.AtEnd
Set objRecord = objRecordSet.GetRecord
count = objRecord.GetValue(“UniqueHits”)
objRecordSet.MoveNext
Loop
End Sub
‘————————————————————————-
‘————————————————————————-
Sub GetStatus
Set objInputFormat = CreateObject(“MSUtil.LogQuery.IISW3CInputFormat”)
objInputFormat.recurse = -1
objInputFormat.iCheckPoint = strDate & “Error.lpc”
strQuery = “SELECT sc-status , COUNT(*) as Hits FROM ‘” & LogDir & “ex” & strDate & “.log’ WHERE sc-status > 399 GROUP BY sc-status ORDER BY Hits DESC”
Set objRecordSet = objLogParser.Execute(strQuery, objInputFormat)
Do While Not objRecordSet.AtEnd
Set objRecord = objRecordSet.GetRecord
If objRecord.GetValue(“sc-status”) > 399 And objRecord.GetValue(“sc-status”) < 500 Then
Error400 = Error400 + objRecord.GetValue(“Hits”)
End If
If objRecord.GetValue(“sc-status”) > 499 And objRecord.GetValue(“sc-status”) < 600 Then
Error500 = Error500 + objRecord.GetValue(“Hits”)
End If
objRecordSet.MoveNext
Loop

End Sub
‘————————————————————————-
‘————————————————————————-
Sub UpdateRRD
strRun = “.binrrdtool update Eservicing.rrd N:” & count & “:” & Error400 & “:” & Error500
X = WshShell.Run(strRun,0,True)
End Sub
‘————————————————————————-
‘#end script

We will not explain this script line by line as it is a pretty simple script.

Creating a Graphic with the RRDtool.

With the next script I create a graphic with the RRDtool.

Set WshShell = WScript.CreateObject("WScript.Shell")

strCMD = “.binrrdtool graph .graphintranetNLweek.gif”
strCMD = strCMD & ” –start N-1w –end N”
strCMD = strCMD & ” –vertical-label ” & Chr(34) & “Hits ” & Chr(34)
strCMD = strCMD & ” –title INTRANET”
strCMD = strCMD & ” DEF:Xhits=.databaseintranetNL.rrd:Hits:AVERAGE”
strCMD = strCMD & ” DEF:Xerror400=.databaseintranetNL.rrd:Error400:AVERAGE”
strCMD = strCMD & ” DEF:Xerror500=.databaseintranetNL.rrd:Error500:AVERAGE”
strCMD = strCMD & ” LINE2:Xhits#FF0000:” & Chr(34) & “Hits” & Chr(34)
strCMD = strCMD & ” LINE2:Xerror400#00FF00:” & Chr(34) & “400 Errors” & Chr(34)
strCMD = strCMD & ” LINE2:Xerror500#0000FF:” & Chr(34) & “500 Errors” & Chr(34)

WshShell.Run strCMD

You will make a note of 2 important thing in this script:
1. The DEF line: this line defines the Data Sources you use.
2. The LINE2: This defines the line in the graphic.

This would only happen if the Cluster services has been installed before installing and configuring MSDTC Service. Hence it is highly recommended that you first install and configure MSDTC and then configure the Windows Cluster Service.

Event ID: 4097
Description:
MS DTC started with the following settings: Security Configuration (OFF = 0 and ON = 1): Network Administration of Transactions = 1, Network Clients = 0, Distributed Transactions using Native MSDTC Protocol = 1, Transaction Internet Protocol (TIP) = 0, XA Transactions = 1.

OR

Event ID: 4395
Description:
MSDTC detected that MSDTC related information in the local registry is different from that in the shared cluster registry. Error Specifics: d:ntcomcom1xdtcsharedmtxclumtxclusetuphelper.cpp:541, CmdLine: C:WINNTSystem32msdtc.exe, Pid: 796
Data:
0000: 05 40 00 80 .@.?

OR

Event ID: 4384
Description:
MS DTC was unable to start because the installation was not configured to run on a cluster. Please run comclust.exe and restart MS DTC. Error Specifics: d:ntcomcom1xdtcsharedmtxclumtxclusetuphelper.cpp:668, CmdLine: C:WINNTSystem32msdtc.exe, Pid: 796

OR

Event ID : 7024
Source : Service Control Manager
Description: The MSDTC service terminated with service specific error 3221229584.

Initially you should try and run the command below and check if it solves the problem:

msdtc -resetlog

If that does not help then follow the fix below:

1. Delete the DTC resource
2. Delete MSDTC folder from the quorum disk.

On Node 1:

– Stop the Cluster Service

– Remove Enable network DTC  Service with the command below:

msdtc -uninstall

Make sure to check the Success in the Event logs.

– Verify that the following registry key has been removed as well.. if not then remove it manually.

HKEY_CLASSES_ROOTCID
HKEY_LOCAL_MACHINESOFTWAREMicrosoftMSDTC
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesMSDTC

– Reboot the Server

– After the Server is back online reinstall Enable network DTC Service with the command below:

msdtc -install

Now create the DTC resource on Node 1 and it should come online.

Now on Node 2

– Stop the Cluster Services.

– Evict Node 2 from the Cluster

– Remove Enable network DTC  Service with the command below:

msdtc -uninstall

Make sure to check the Success in the Event logs.

– Verify that the registry key has been removed as well.. if not then remove it manually.

– Reboot

– Reinstall Enable network DTC Service with the command below:

msdtc -install

– Verify that the Service has now Started and also registry keys created.

– Rejoin the node back into the cluster.

Software Requirements

•    Microsoft Windows Server 2003 Enterprise Edition or Windows Server 2003 Datacenter Edition installed on all dedicated servers in the cluster.
•    A name resolution method such as Domain Name System (DNS), DNS dynamic update protocol, Windows Internet Name Service (WINS), HOSTS, and so on.

•    An existing domain model.
•    All nodes must be members of the same domain.
•    A domain-level account that is a member of the local administrators group on each node. A dedicated account is recommended.

Hardware Requirements

•    Clustering hardware must be on the cluster service Hardware Compatibility List (HCL). To find the latest version of the cluster service HCL, go to the Windows Hardware Compatibility List at http://www.microsoft.com/hcl/, and then search for cluster. The entire solution must be certified on the HCL, not just the individual components.

•    Two mass storage device controllers—Small Computer System Interface (SCSI) or Fibre Channel. A local system disk for the operating system (OS) to be installed on one controller. A separate peripheral component interconnect (PCI) storage controller for the shared disks.
•    Two PCI network adapters on each node in the cluster.
•    Storage cables to attach the shared storage device to all computers. Refer to the manufacturers instructions for configuring storage devices..
•    All hardware should be identical, slot for slot, card for card, BIOS, firmware revisions, and so on, for all nodes. This makes configuration easier and eliminates compatibility problems.

Network Requirements

•    A unique NetBIOS name.
•    Static IP addresses for all network interfaces on each node.
•    Access to a domain controller. If the cluster service is unable to authenticate the user account used to start the service, it could cause the cluster to fail. It is recommended that you have a domain controller on the same local area network (LAN) as the cluster is on to ensure availability.
•    Each node must have at least two network adapters—one for connection to the client public network and the other for the node-to-node private cluster network. A dedicated private network adapter is required for HCL certification.
•    All nodes must have two physically independent LANs or virtual LANs for public and private communication.
•    If you are using fault-tolerant network cards or network adapter teaming, verify that you are using the most recent firmware and drivers. Check with your network adapter manufacturer for cluster compatibility.

Shared Disk Requirements:

•    An HCL-approved external disk storage unit connected to all computers. This will be used as the clustered shared disk. Some type of a hardware redundant array of independent disks (RAID) is recommended.
•    All shared disks, including the quorum disk, must be physically attached to a shared bus.
•    Shared disks must be on a different controller then the one used by the system drive.
•    Creating multiple logical drives at the hardware level in the RAID configuration is recommended rather than using a single logical disk that is then divided into multiple partitions at the operating system level. This is different from the configuration commonly used for stand-alone servers. However, it enables you to have multiple disk resources and to do Active/Active configurations and manual load balancing across the nodes in the cluster.
•    A dedicated disk with a minimum size of 50 megabytes (MB) to use as the quorum device. A partition of at least 500 MB is recommended for optimal NTFS file system performance.
•    Verify that disks attached to the shared bus can be seen from all nodes. This can be checked at the host adapter setup level. Refer to the manufacturer’s documentation for adapter-specific instructions.
•    SCSI devices must be assigned unique SCSI identification numbers and properly terminated according to the manufacturer’s instructions.
•    All shared disks must be configured as basic disks.
•    Software fault tolerance is not natively supported on cluster shared disks.
•    All shared disks must be configured as master boot record (MBR) disks on systems running the 64-bit versions of Windows Server 2003.
•    All partitions on the clustered disks must be formatted as NTFS.
•    Hardware fault-tolerant RAID configurations are recommended for all disks.
•    A minimum of two logical shared drives is recommended.

Here is a very simple way to configure a DNS service on Windows Dedicated Server that hosts your website.

Requirements:

1. You should have one of the following Windows OS to install the DNS service:

– Windows XP Professional edition.
– Windows Vista.
– Windows 2003 Server Data center edition.
– Windows 2003 Server Enterprise edition.
– Windows 2003 Server Standard edition.

You cannot install DNS service on Windows 2008 Server with the steps below as it does not have an option to add remove Windows Components. You will have to use the Server Manager option to install Services on your Windows 2008 Server.

I have not specified Windows NT and Windows 2000 version as they are hardly used now a days. Also Windows XP Home edition and Windows 2003 Server Web edition does not support DNS service on them.

2. Windows OS installation CD or the i386 folder.

3. A user that will have Administrator rights on the Dedicated server on which you want to install DNS service.

Installation Steps:

1. Go to Control panel >> Add/Remove Programs >> Add/Remove Windows Components, it will open a windows below:

2. Click Next and you will get the screen,  see below:

3. Select the Networking Server (DO NOT CHECK THE BOX) and Click on Details (Highlighted in red) and you will get screen below:

4. Check Box on Domain Name System (DNS) and Click OK >> then Next. It will start the installation and will popup for the CD:

5. Browse to the i386 folder and then Click OK to complete the installation of DNS Service.

DNS Service and ZONE Configuration:

1. G oto Start >> Run and type the command below and hit enter:

dnsmgmt.msc

2. This will open DNS Management Console:

3. Before making any changes on the DNS server I will show you some steps that will make your life as well as the configuration very easy.
A. We will assume that we have to crate a DNS zone for the domain www.moosa.com. For that just go to C:WINDOWSsystem32dns directory (Path to WINDOWS may differ as per the OS you use, you can find it with %windir% or %SystemRoot% in the explorer)
B. Create an empty file as moosa.com.dns.
C. Insert the entire code into it:
——–

;
; Database file moosa.com.dns for moosa.com zone.
; Zone version: 1
;

@ IN SOA NS1.moosa.com. info.moosa.com. (
1 ; serial number
900 ; refresh
600 ; retry
86400 ; expire
3600 ) ; default TTL

;
; Zone NS records
;

@ IN NS NS1.moosa.com.
@ IN NS NS2.moosa.com.

;
; Zone records
;

@ IN A 192.168.5.52
mail IN A 192.168.5.72
www IN CNAME moosa.com.
ftp IN CNAME moosa.com.

;
; Zone Mail records
;

@ IN MX 10 mail.moosa.com.

——-
Let me explain each entry one by one briefly, you will have to change each of them as per your requirement:

– NS1.moosa.com. in SOA : This is the primary name server of my domain moosa.com. It is not compulsory that you too may have name server on your domain. But it should be the one from the set of name servers that you provide to your registrar to point your domain on your server.

– info.moosa.com. in SOA: This is actually an email address info @ moosa.com, it is provided for the DNS server to send notification of that is a problem within the zone.

– You can forget the rest in SOA as it will require a separate topic to explain those.

– NS1.moosa.com. in NS: This is again a primary name server that was provided to registrar.

– NS2.moosa.com. in NS: This a secondary name server of my domain moosa.com.
It is not over here, you can even have 3rd and 4th NS entry here. A zone will accept up to 13 NS entries for a single domain.

– ‘A’ records: ‘A’ record has the IP address that you want your domain to point at. This will probably the IP address of your web server or a mail server. I have 2 A records for moosa.com and mail.moosa.com, one for the IIS web server and other for the Exchange mail server.

– CNAME: CNAME are the canonical names for a domain or duplicate names. I have 2 CNAME so that www.moosa.com and ftp.moosa.com will point to the same IP of moosa.com.

– MX record: MX record will be required for your mails to work. It shows a path to your email server. If you do not have an email server and this record will not be required.

I will not go more deep in each of these settings or this topic will turn into a book.

4. Save the file and close it, make sure that each setting looks exactly the same as that has been defined above or the zone creation will fail.

5. Now go back to DNS Management Console, right click on SERVER NAME to make sure that the DNS service is running. If it is not running then click on Start option to start the service.

6. Right Click on “Forward Lookup Zone” >> New Zone:

7. It will Open the New Zone Wizard, click Next on first screen and then select “Primary zone” and then Next:

8. Put Domain name in “Zone Name” screen, without www in it. and click Next:

9. In the Zone File screen, Select the 2nd option “Use this existing file”. Make sure that the file name and path matches your name and path from the steps above. Then click Next:

10. In “Dynamic Update” screen, select “Do not allow dynamic updates” and click Next:

11. Click Finish on Next screen to create the new domain for your domain:

12. Your zone will appear in the screen below. You wil either double click the existing entries to update/edit/modify them or right click on the white screen to Add new Records as per your need.

DO NOT FORGET TO EITHER RELOAD THE ZONE OR RESTART THE DNS SERVICE FOR THE CHANGES YOU HAVE MADE TO REFLECT.

That is it.. now create another zone and so on..

Wasn’t that damn easy..!!!

This applies to all versions of Windows 2003 and Windows 2008 and also to Vista and XP Professional. This problem normally occurs to our client with Dedicated Server hosting. So I thought I will create a check list to make their hosting service a bit easy.
Yes, you will need physical access to the machine to check this, it is obvious that you will not be able to check this problem unless you have remote access to the server. These steps can only be performed if you have physical access to the dedicated server or through a Keyboard-Video-Mouse [KVM]. So there we go:

* First thing that you need to check is whether the Remote Desktop Console [RDC] is enabled on your server.
Go to Desktop >> My Computer >> Properties >> Remote Tab
Check the box for “Enable Remote Desktop on this computer” and click OK.

* If the above option is enabled then make sure that the user which you are using to connect the server remotely is added in the “Remote Desktop users” group. Administrators are normally added in the group. This can be confirmed from with the steps below:
Go to Desktop >> My Computer >> Mange
Expand Local Users and Group >> Select Group.
Double click on “Remote Desktop Users” Group and make sure that the user is added in here.

* If both the above settings are correct then you need to make sure that TCP port 3389, which is the default port for RDC is enabled in the firewall of the machine that is used to RDP the server. Vise a verse make sure that the server firewall also has this port added in the exception. The best way to check this is:

First make sure that the server listens to telnet, try telnet of any other port which you are sure is working on the server like port 80 or 25. The command would be:

TELNET ip_address 25

If this works then try telnet on port 3389.

TELNET ip_address 3389

* If the telnet is not working then there are several possibilities, it can be the firewall on your machine or the firewall on the server tha is blocking the port. It can also be the case that Terminal Server Service did not start for some reasons. Or in a very rare situation it could be that the RDP port has been changed by some one. We will rectify all the possibilities one by one:

* Check the firewall on your machine or just shut the firewall down and then try the telnet again.

* If you have Windows Firewall then make sure that Remote Desktop is added in Exception.
Goto Start >> All Programs >> Control Panel >> Windows Firewall
If you have a third party firewall your dedicated server then just disable it and try the telnel option.

* If that is not the firewall issue make sure that Terminal Server Service is set to Automatic and is running. This server depends on Remote Procedure Call Service and you get errors while starting the server and you will need to trouble shoot the problem. If the server is terminating unexpectedly then make sure that the Hardware profile of the server is set to “Enable”:

* Sometimes client with Windows Dedicated Hosting package change the RDP port of their server and forget it, the steps below can be used for checking the RDP port as well as changing it as well, these steps will require to make changes in Registry hence it is recommended to backup the registry before following these steps:

Goto Start >> Run
Type: regedit to open the registry editor MMC
Expand to the Key:
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal ServerWinStationsRDP-Tcp]
Modify the value for Key “PortNumber”
Change Base to Decimal

Change Value data to the port your desire for your Dedicated Server
Click OK
Reboot the Machine.

Once the machine is online you will have to define your the port to connect your Dedicated Server remotrly
ip_address:port_number
10.10.10.52:3362

There are 3 types of problems with site preview in Plesk:

1. Site Preview in Windows Plesk will show 404 Page Not Found error
2. Site Preview in Windows Plesk will show Plesk Default page.
3. SitePreview will ask for user name and password.

We will troubleshoot each problem with site preview one by one.

1. Site Preview in Plesk will show 404 Page Not Found error.

Cause: This happens if the sitepreview ISAPI DLL is not loaded correctly in IIS web server.

Troubleshoot steps:
a. First check if a the Virtual folder with the name sitepreview is create in IIS Default Web Site. If it is not created then create it without the application pool and map it to folder “%plesk_dir%isapi”, same as in image below.  Also Make sure that Executable Permissions are set to “Scripts And Executables”

b. Make sure that the Site preview ISAPI DDL is Allowed in Web Exteniosn and look like in image below, if not then Add it in Plesk Extensions.  

c. Also make sure that the Site Preview ISAPI DLL has been loaded with green Arrow in IIS >> Web Site >> Right click >> Properties >> ISAPI Tab. like in the figure below. If it is not loaded then just click on the Add button and browser through “%plesk_dir%isapisitepreview.dll” and restart IIS.

d. If you have IIS7 on Windows 2008 Server then make suer that you have Plesk Site Preview DLL added in IIS >> Click on Server >> IIS Group >> ISAPI Filters.

2. Site Preview in Plesk will show Plesk Default page.

Cause: Related to IP configuration on the server.

Troubleshoot steps:

a. Please fo through all the steps in problem one for this. However the only reason for this problem that I have found is main IP address of the server. Just make sure that you have alleast one site added on the main IP address of the server. To know the main IP address of the server Go to START >> Control Panel >> Network Connections >> Right click on main network adapter >> Click on Properties >> Select TCP IP >> Properties. The IP address list in this windows as IP address is the main IP address of the server. Just make sure that you have atleast one site hosted on this IP address.

The above solution will also apply is Plesk Site Preview option is working with https prefix butnot with http in URL browser.

3. SitePreview will ask for user name and password for all website.

Cause: Related to Permissions and Security Options.

Troubleshoot steps:

a. First check if the URL work fine with the IP address only:

http://192.168.1.52/

if not then there are permissions issue with the default site and if you are using a dedicated IP address instead of shared IP then the problem is with the permissions of the site that holds the dedicated IP.

b. If step “a” is working then try access the link below:
http://192.168.1.52/$sitepreview/

The above link should get redirected to the IP address and show Plesk default page or index.html page in Default Web site but it is is asking for password then permissions on sitepreview virtual directory is not correct. Make sure that IIS_WPG, NETWORK SERVICE, psaadm, psacln & psaserv has read an execute permissions on the virtual folder, do not forget to inherit the permissions to files in it.

c. If it asks password for only one site then the problem should be either with the website permissions or the file you are accessing it.

I think this should cover all the problems with Parallels Plesk Site Preview problems. But if you still face problem and don’t want to use Site Preview then you have try the HACK below.

WINDOWS HACK TO POINT YOUR SITE TO AN IP WITHOUT CHANGING THE NAME SERVERS.

While I was searching for the solution I found the KB articel on Parallels sites below:

http://kb.parallels.com/en/1147

Where they (Plesk adminstrators) have clearly mentioned that custom permissions set on top level folder like httpdocs, statistics, cgi-bin etc will get reset by Plesk. So I decided to make a test, I manually gave write permissions to httpdocs folder and ran webservmng.exe on it and yes it was removed. Then after allot digging I would that there us a file .Security which is saved under the folder with the domain name (parallel to httpdocs folder), that stores all permissions for that domain.

Before we start please be informed that these steps are applicable to Parallel Plesk version 8.4 and above as .Security file was introduced in 8.4 only.

So here are steps to get around the problem permanently:

1. Backup the .Security file and delete it from [drive]:inetpub/vhosts/domain_name, this file saves all the permissions assigned to that user from Plesk on Windows. Deleting it will remove all the records.

2. After renaming or deleting the . Security file, run this command below:

"%plesk_bin%/websrvmng.exe" --reconfigure-vhost --vhost-name=domain_name

3. This command will create a new .Security file with all default permissions on that domain.

4. Now login into Plesk >> Click on Domains >> domain_name >> File Manager >> httpdocs >> golden padlock of folder_name to set perm on >> “Advance” Button >> Select users >> Assign permissions >> OK.

These steps will save new permissions in .Security file and even if you run websrvmng on that domain again, the new permissions that has been set from Plesk will not get removed. There is no need to add any special group or users like, ASPNET or NETWORK SERVICE to any folder as those permissions are handled by IUSR_ & IWAM_/IWPD_ users.

Any permissions that has been assigned directly to httpdocs folder will get reset by Plesk and if you inherit them to sub folder, permissions from sub folder will also get removed.

So the moral is, DO NOT give any permissions from RDP, use File Manager option if you want to keep the trouble of permissions away.

So here we go:

On your local machine, [AND NOT THE SERVER]:
Goto START >> Run >> and Type:
notepad "C:WINDOWSsystem32driversetchosts"
And hit Enter

If you get file does not exist error then create hosts file in notepad “C:WINDOWSsystem32driversetc” folder.

At the end of the file you will have:

127.0.0.1 localhost

Just add your domain with the IP you want to point to, and it will look like, this will be also applicable if you have create a new hosts file:

127.0.0.1 localhost
192.168.1.52 mywebhostingblog.net
192.168.1.52 www.mywebhostingblog.net

Save the file and exit.

Now ping the domain on the computer you have made changes on and it will point to the IP address defined. You can now browse your site without the site preview and you will have to the content of the server you are moving to. Just remove the entries from the hosts file to point your domain back it was.

Wasn’t that Simple..!!!

It would not be the case now as I have listed detailed steps along with the images on how to block IP using the IP security policy in Windows. This option is also available in XP as well as Windows 2003 Server edition.

How to BLock IP Using Windows:

You can either open MMC from START >> RUN >> MMC and add a new Snapin for IP Security policy with steps below:

Click ‘Start’ > ‘Run’ >type ‘MMC’ press ok.
In the console click > ‘File’ > ‘Add/Remove Snap in’
In the ‘Standalone Tab’ click The ‘add’ button
Seclect ‘IP Security Policy Managment’ > ‘ADD’ > ‘Local Computer’ > ‘finish’ > ‘close’ > ‘ok’
You should now be back to the Management console.

OR

Just goto START >> PROGRAMS >> ADMINISTRATIVE TOOLS >> LOCAL SECURITY POLICIES ON LOCAL COMPUTER to open the IP Security Management Console.

1. Select IP Security Policy and Right Click on the right pane to select new Policy. The screen will like an image below:

Figure 1

2. This will open the IP Security Policy Wizard, Just click on Next button.

Figure 2

3. On the Next screen you have to define the name of your IP Security policy and its description and then click Next Button.

Figure 3

4. Plesk uncheck the box for “Activate the default Response Rule” and then click Next Button..

Figure 4

5. On the Next screen remove the check for Edit Properties and Click Finish.

Figure 5

6. Once you click on the Finish Button you will see the screen below along with your rule being added to the list. Now we will create an IP filter list to block IPs.

Figure 6

7. Double click on the rule you have just create to open the properties window:

Figure 7

8. Since we have chosen to uncheck “Activate the default Response Rule” in Step 4 the Dynamic rule in not applied. Click on Add button to open Security Rule Wizard and Click again on Add button to open IP Filter List Wizard.

Figure 8

9. You will have a screen some what in Figure 9. Put in the name of your list and Click on the Add button.

Figure 9

10. This will open another window for you to add IP and ports in the IP Filter list. In the Description box just put in the IP address that you want to block and make sure that you keep the check on the box for “Mirrored. Match packets with the exact appropriate source and destination addresses” and click on the Next button.

Figure 10

11. Select My IP address in the Sources Address from the drop down list.

Figure 11

12. You have many more options to select from the list for both in Sources and Destination Address. You will need some advanced knowledge to work with those option. We will select My IP address for now and click on Next button.

Figure 12

13. In the IP Traffic Destination, select “A specific IP Address” and enter the IP address that you want to block on your machine. Here you can also select a sub net from the drop down and block the entire subnet. Once you finish entering an IP/Subnet, click on Next button.

Figure 13

14. Here in IP Protocol Type you can define the protocol that you want to block, it can be any one from the list for example TCP, UDP, ICMP etc. We will select ANY which mean all connect from a specific IP address. If you select a protocol from the list andclick Next it will ask you to enter the port address that you want to block, example 80 (See Figure 14.2). But since we want to block all ports we will select Any and click Next (Figure 14.1) and then Finish.

Figure 14.1

Figure 14.2

15.  After you click on Finish button you will see that the rule has been added in the IP filter list. If you want to add more IP and subnets then click on the Add button to add another rule or block 2nd IP. Once you finish with it you will have rules as in Figure 15.2.

Figure 15.1

Figure 15.2

16. Once your IP Filter List is complete click on the OK button to get back Security Rule Wizard. Select the IP filter list which you have created by clicking on the radio button and click Next.

Figure 16

17. In the Next screen of Security Rule Wizard you will not see any Filter Action as Block as by default it is not created. We will create a Filter action to block connect by click on Add button.

Figure 17

18. In the Name type “Block” and any discryption you like and click on Next.

Figure 18

19. In Filter Action General options select Block and click Next.

Figure 19

20. And then on Finish to get back to Security Rule Wizard.

Figure 20

21. This will add the Filter option as Block in the list, just click on radio button to select it and click Next.

Figure 21

22. Click Finish to complete the security Rule Wizard.

Figure 22

23. You will see the rule added in the list, you can add more rule with the same steps. Now just click OK to finish with the rules.

Figure 23

24. Now since we have already created the rules to block desired IP address just right click on the IP Security Policy and select Assign to apply the rule on the server.

Figure 24

There are allot many option to secure your entire server with IP security policy. You can create more rules to block every one on RDP port TCP 3389 and allow only select IPs. IP Security is IP and port based application and not Services based and you can create the rule as per your need.

– Backup the Registry of your computer and save it on a safe place.

– Now look for another computer who has the same edition of Windows running on it as that on your computer, along with the Server Pack.

– Backup the below registry key that stores the Service information for Windows Firewall, with the export option:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess

– Restore it on the Computer which has the missing service  and Reboot.

Once the computer it online you will see that the Windows Firewall Service/ICS is back in the list and you should be able to manage it again.

P.S: Restoring the key from a computer which does not match your Windows OS edition or Service Pack would make your system unbootable.

Local Group Policy:
Using local Group Policy involves setting up Group Policy on the local machine.This is not very useful for managing computers on a network. Local Group Policy is configured on the local computer.

Site Group Policy:

Site Group Policy is when the Group Policy object is linked to the site. Site Group Policies can generate unwanted network traffic, so use these only when absolutely necessary.

Domain Group Policy:
Domain Group Policy is when the Group Policy object is linked to the domain.This will apply the Group Policy object to all computers and users within a domain.This is especially useful for enforcing company-wide settings.This is one of the two most commonly used applications of Group Policy.

Organizational Unit:
Group Policy When the Group Policy object is linked to the organizational unit (OU). Organizational unit Group Policy is especially useful for applying a Group Policy object to a logical grouping (organizational unit) of users or computers.

When a Windows Server machine logs on to a Windows AD, any legacy Windows 2000 Group Policies will be applied to and work on Windows Server. The new Windows Group Policy snap-in will work on a Windows 2000 AD as well as Windows 2003.You can use the Windows Group Policy snap-in to connect to any Group Policy object in the Active Directory.You can also create a new Group Policy object using this snap-in. When you connect to a GPO using this snap-in, the ADM files are automatically updated using the newer versions of these files found on Windows XP.

Windows has over 200 policies.These policies are reflected in the new ADM files that are updated on the domain.The Windows admin snap-in shows what policies work on which clients. Best practice in a mixed environment: Use the Latest Windows Group Policy snap-in to administer Group Policy because it will display what policies are supported on what clients.

Group Policy Order

When Group Policies are applied in Windows Server, they are applied in a specific order.This is important to note because the order applied can affect the resulting policy. Group Policy is applied in the following order:

■ Windows NT 4 Policies (if any exist)
■ Windows 2000 Policies
■ Local Group Policies
■ Site Group Policies
■ Domain Group Policies
■ Organizational Group Policy Objects (going from Highest Parent in the chain to lowest)

Additionally, the result of all of the applied policies can be determined by using the Resultant Set of Policy (RSOP) snap-in. More information on this topic is covered later in the “Resultant Set of Policy (RSOP)” section. Figure A.1 shows how Group Policy is applied by different organizational units along with the domain Group Policy.

After installing a SQL Server failover cluster, the node hosting the SQL Server resource uses the Service Control Manager to check every 5 seconds whether the SQL Server service appears to be running. This “LooksAlive” check does not impact the performance of the system, but also does not do a thorough check; the check will succeed if the service appears to be running even though it might not be operational. Because the LooksAlive check does not do a thorough check, a deeper check must be done periodically; this “IsAlive” check runs every 60 seconds.

The IsAlive check runs a SELECT @@SERVERNAME Transact-SQL query against SQL Server to determine whether the server can respond to requests. Although a reply to the IsAlive query confirms that the SQL Server service is available for requests, it does not guarantee that all user databases are available, or that the user databases are operating within necessary performance/response-time requirements.

If the IsAlive query fails, the IsAlive health check is retried five times and then it attempts to reconnect to the instance of SQL Server. If all five retries fail, the SQL Server resource fails. Depending on the failover threshold configuration of the SQL Server resource, the failover cluster will attempt to either restart the resource on the same node or it will fail over to another available node. The IsAlive query tolerates a few errors, but ultimately it fails if its threshold is exceeded.

During failover of the SQL Server instance, SQL Server resources start up on the new node. Windows clustering starts the SQL Server service for that instance on the new node and SQL Server goes through the recovery process to start the databases. After the service is started and the master database is online, the SQL Server resource is considered to be up. Now the user databases will go through the normal recovery process, which means that any completed transactions in the transaction log are rolled forward (the Redo phase), and any incomplete transactions are rolled back (the Undo phase). In SQL Server 2005 Enterprise Edition, each user database will be available to the user once the Redo phase completes; for the other editions, as with all previous versions, each user database is unavailable until the Undo phase completes. The length of the recovery process depends on how much activity must be rolled forward or rolled back upon startup. The ‘recovery interval’ sp_configure option of the server can be set to a low number to avoid longer Redo recovery times and to speed up the failover process. The Undo recovery time can be reduced by using shorter transactions so that any uncommitted transactions do not have much to roll back.

Certificates are parallel with asymmetric keys in the SQL Server 2005 encryption hierarchy. A certificate is simply a method of using asymmetric encryption. Certificates bind public keys to individuals who hold the associated private key. Certificates use the same RSA algorithm as asymmetric keys; therefore, they are resource-intensive and their use is normally restricted to encrypting other keys. SQL Server contains an integrated certificate authority, which it uses to issue its own selfsigned, and industry standard X.509 certificates. Alternatively, you can import certificates from an external certificate authority.The use of external certificates allows you to use a wider range of key lengths, which can provide enhanced security. Certificates are the most secure way in which to encrypt data natively within SQL Server 2005.You can use the CREATE CERTIFICATE statement to create a certificate within SQL Server 2005.

The common syntax of the CREATE CERTIFICATE statement is as follows:

CREATE CERTIFICATE CERTIFICATE_NAME [AUTHORIZATION USER_NAME]
{FROM FILE = 'PATH_TO_PRIVATE_KEY'
WITH PRIVATEKEY [, ENCRYPTION BY PASSWORD = 'PASSWORD' |
, DECRYPTION BY PASSWORD = 'PASSWORD']}
WITH SUBJECT = CERTIFICATE_SUBJECT_NAME, |
[START_DATE = MM/DD/YYYY
END_DATE = MM/DD/YYYY]

Here are definitions of the arguments in this syntax:

FILE = PATH_TO_PRIVATE_KEY Specifies the directory and the file name to the private key.
ENCRYPTION BY PASSWORD = ‘PASSWORD’ Specifies the password that will be used to encrypt the certificate private key.
DECRYPTION BY PASSWORD = ‘PASSWORD’ Specifies the password originally used to encrypt the private key.
CERTIFICATE_SUBJECT_NAME A descriptive string that will be embedded into the certificate metadata.
START_DATE Specifies the date in which the certificate becomes valid.
END_DATE Specifies the date in which the certificate expires.

For a full listing of all statement arguments, please refer to SQL Server 2005 Books Online.You will need the CREATE CERTIFICATE permission within the database to create a certificate.The following syntax creates a certificate and encrypts the certificate private key with the supplied password:

CREATE CERTIFICATE Certificate01 ENCRYPTION BY
PASSWORD = '&7YuKj%4@)aSZ@'
WITH SUBJECT = 'Certificate to test encryption',
START_DATE = '8/13/2007',
EXPIRY_DATE = '8/13/2011'

Unlike symmetric and asymmetric keys, certificates can be backed up individually. To back up a certificate, you can use the BACKUP CERTIFICATE statement:

BACKUP CERTIFICATE CERT_NAME TO FILE = 'PATH_TO_FILE'
[WITH PRIVATE KEY
(FILE = 'PATH_TO_PRIVATE_KEY_FILE',
ENCRYPTION BY PASSWORD = 'ENCRYPTION_PASSWORD',
DECRYPTION BY PASSWORD = 'DECRYPTION_PASSWORD')]

Here are definitions of the arguments of this syntax:

CERT_NAME Specifies the name of the certificate to be backed up.
PATH_TO_FILE Specifies the directory path and the filename that will be used for the certificate public key backup.
PATH_TO_PRIVATE_KEY_FILE Specifies the directory path and the filename that will be used for the certificate private key backup.
ENCRYPTION_PASSWORD Specifies the password that will be used to encrypt the certificate private key backup.
DECRYPTION_PASSWORD Specifies the password that will be used to decrypt the certificate private key within the database.

To execute the BACKUP CERTIFICATE you will need the CONTROL permission on the certificate and the VIEW DEFINITION permission on the database. The following syntax uses the BACKUP CERTIFICATE statement to back up both the public and private key of your previously created certificate, and encrypts the private key backup file with a user-supplied password:

BACKUP CERTIFICATE Certificate01 TO FILE =
'C:\backup\certificates\Certificate01.pub'
WITH PRIVATE KEY
(DECRYPTION BY PASSWORD = '&7YuKj%4@)aSZ@',
ENCRYPTION BY PASSWORD = '9UyZ%E!b8%7Ly#',
FILE = 'C:\backup\certificates\Certificate01.prv')

For a complete listing of statement arguments and permission requirements, please see SQL Server 2005 Books Online.To restore a certificate from a backup file, you can use the FROM FILE argument within the CREATE CERTIFICATE statement, which we covered earlier.The following syntax restores your previously backed up public and private key:

CREATE CERTIFICATE Certificate01 FROM FILE =
'C:\backup\certificates\Certificate01.pub'
WITH PRIVATE KEY (FILE = 'C:\backup\certificates\Certificate01.prv',
DECRYPTION BY PASSWORD = '9UyZ%E!b8%7Ly#',
ENCRYPTION BY PASSWORD = '&7YuKj%4@)aSZ@')

Note that if you created Certificate01 previously, you will need to drop the certificate prior to running the preceding syntax.You can obtain a listing of all certificates present in your database by using the sys.certificates view:

Select * from sys.certificates

To change the properties of a certificate you can use the ALTER CERTIFICATE statement:

ALTER CERTIFICATE CERTIFICATE_NAME
REMOVE PRIVATE KEY |
WITH PRIVATE KEY (FILE = 'PATH_TO_PRIVATE_KEY' |
DECRYPTION BY PASSWORD = 'PASSWORD' |
ENCRYPTION BY PASSWORD = 'PASSWORD')
WITH ACTIVE FOR BEGIN_DIALOG = [ON | OFF]

Here are definitions of the arguments of this syntax:

CERTIFICATE_NAME The name of the certificate to be altered.
REMOVE PRIVATE KEY Removes the private key from the certificate.
FILE = ‘PATH_TO_PRIVATE_KEY Specifies the directory and the file name to the private key.
DECRYPTION BY PASSWORD = PASSWORD Specifies the password in which to decrypt the private key.
ENCRYPTION BY PASSWORD = PASSWORD Specifies the password in which to encrypt the private key
ACTIVE FOR BEGIN_DIALOG Enables or disables a certificate for use with Service Broker.

To run the ALTER CERTIFICATE command you will need the ALTER permission on the certificate.The following syntax changes your certificate private key protection method from user-supplied password to database master key:

ALTER CERTIFICATE Certificate01
WITH PRIVATE KEY (
DECRYPTION BY PASSWORD = '&7YuKj%4@)aSZ@')

To encrypt data using the certificate public key, you can use the ENCRYPTBYCERT statement:

ENCRYPTBYCERT (CERTIFICATE_ID, 'PLAINTEXT')

In this statement, CERTIFICATE_ID specifies the ID of the certificate to be used for encryption. PLAINTEXT is the data string you wish to encrypt.

You will need the VIEW DEFINITION permission on the certificate to execute the ENCRYPTBYCERT statement.The following syntax uses the ENCRYPTBYCERT statement to encrypt the supplied string using your certificate:

SELECT ENCRYPTBYCERT(Cert_ID('Certificate01'), 'certificate encryption test')

Here are the results:

0x50BCA9702D6999578923DAEC2B3EE96E69174429EBF54C392A532919679624097CD050110CEEF4DDB3BF
22656549268848C2F6E6BA70C0E543DFB411B654302AB9582A525DB835940FB76F9AAC501BBC5E3D689FB0
431BA7AF3C51A4DCDC5BCB7D101324E466A23447DF916E80D026E2A2E6D5A433E75804ADF8E9B75BF0E097

As we mentioned earlier, the preceding results will differ from what you receive on your SQL Server.To decrypt the cipher text, you can use the DECRYPTBYCERT statement:

DECRYPTBYCERT (CERTIFICATE_ID, 'CIPHERTEXT', CERT_PASSWORD)

Here are the definitions of the arguments of this syntax:

CERTIFICATE_ID The ID of the certificate to be used for encryption.
CIPHERTEXT The string that was previously encrypted with the certificate public key.
CERT_PASSWORD The password that encrypts the certificate private key.

To execute the DECRYPTBYCERT statement, you will need the VIEW DEFINITION permission on the certificate.The following syntax uses the DECRYPTBYCERT statement to decrypt the cipher text and convert the results into the human readable varchar data type:

SELECT CAST (DECRYPTBYCERT(Cert_ID('Certificate01'),
0x50BCA9702D6999578923DAEC2B3EE96E69174429EBF54C392A532919679624097CD050110CEEF4DDB
3BF22656549268848C2F6E6BA70C0E543DFB411B654302AB9582A525DB835940FB76F9AAC501BBC5E3D
689FB0431BA7AF3C51A4DCDC5BCB7D101324E466A23447DF916E80D026E2A2E6D5A433E75804ADF8E9B
75BF0E097)
AS varchar)

Note that you should substitute the cipher text in the preceding statement with the cipher text that you obtained from the earlier ENCRYPTBYCERT statement. Here is what the results of running the preceding statement will look like:

certificate encryption test

When you no longer need a certificate, it can be removed from the database using the DROP CERTIFICATE statement:

DROP CERTIFICATE CERTIFICATE_NAME

In this statement, CERTIFICATE_NAME specifies the name of the certificate to be removed.
To execute the DROP CERTIFICATE statement, you will need the CONTROL permission on the certificate.The following syntax drops your previously created certificate.

DROP CERTIFICATE Certificate01

The following script outlines the certificate encryption process from end to end:

-- Demonstration of certiifcate encryption
-- Create Database
CREATE Database CertEncryptDemo
GO
USE CertEncryptDemo
--
-- Switch to database context
--
-- Create table for data to be encrypted
CREATE Table Customers(
FirstName varchar(30),
LastName varchar(30),
CreditCardNum varbinary(300))
--
-- Create Database Master Key
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '5YtF4$aQ#W4d^W'
--
--** You should backup the Database Master Key immediately after creation! **
--
--Create certificate and use the databse master key to encrypt the private key
CREATE CERTIFICATE Certificate02
WITH SUBJECT = 'Test certificate for encryption',
START_DATE = '1/1/2007',
EXPIRY_DATE = '1/1/2012';
--
-- Populate table with data included encrypted credit card numbers
INSERT INTO Customers Values('Blake', 'Cabbage',
EncryptByCert(Cert_ID('Certificate02'), '342724356361631'))
INSERT INTO Customers Values('Colin', 'Edwareds',
EncryptByCert(Cert_ID('Certificate02'), '4516525615214110'))
INSERT INTO Customers Values('Anoson', 'Monroe',
EncryptByCert(Cert_ID('Certificate02'), '5582858885802510'))
Data Encryption • Chapter 8 241
--
--View the contents of the table
Select * from Customers
--
--View table data including the decrypted plain text credit card numbers
--
SELECT Firstname,LastName, CAST(DecryptByCert(Cert_ID('Certificate02'),
CreditCardNum) AS varchar) as 'CreditCardNum' from customers
--
--Clean-up demo
DROP CERTIFICATE Certificate02;
DROP MASTER KEY;
USE TEMPDB
DROP DATABASE CertEncryptDemo;
--END

EFS can be used to encrypt SQL Server 2005 data files and folders. EFS is supported on Windows 2000 and later operating systems with New Technology File Systems (NTFS) formatted drives. EFS uses a combination of symmetric and asymmetric methods to provide transparent SQL Server 2005 data encryption. On Windows 2003 Server and newer operating systems, EFS by default creates a random File Encryption Key, which is a 256-bit AES key to perform data encryption.The File Encryption Key is then itself encrypted with the user’s public key and stored within the encrypted file or folder.

To encrypt SQL Server 2005 data files and folders using EFS, follow these steps:

1. Stop the SQL Server service.
2. Log out and log in using the SQL Server service account credentials.
3. Right-click on the file or folder to be encrypted and select Properties | General Tab | Advanced.

4. Within the Advanced attributes window, select Encrypt contents to secure data.
5. Within the Advanced attributes window, press OK.
6. Within the Properties tab, press OK.
7. If you are encrypting a folder containing subfolders, you will be presented with another window asking if you would like to  encrypt them as well. Press OK.
8. EFS encrypted files and folder names should now appear in green within any Windows file explorer window.
9. Restart the SQL Server services.

If errors are generated, you may have encrypted the SQL Server data files using an account that is not linked to the SQL Server service account.You can decrypt the data folders by reversing the steps above and trying again. When encrypting individual database files, EFS first creates a plain text copy of the file to be encrypted, encrypts the target file, and then deletes the temporary file.This temporary file is not securely deleted and can be recovered using common data recovery tools. To prevent local file disclosure, you should use a secure data deletion tool to overwrite the areas of disk containing the temporary file. Alternatively, you can simply encrypt the parent folder that contains the database files to ensure any temporary files are also encrypted.

EFS encryption is beneficial if the database media is stolen or misplaced. When transferring EFS encrypted files over the network, Windows first decrypts the file and then transfers the plain text equivalent. Some administrators perform manual backups of database files prior to implementing changes on the database server. If this backup involves copying data files from one server to another, you will effectively be storing an unencrypted copy of your database on the destination server.

Encryption File System Contains Inherit Flaws

On Windows Server 2003, EFS uses a strong 256-bit AES key to encrypt data. Under most circumstances, this would be an effective method of encryption; however, this AES key is protected by the user’s public key, which is based on the user’s Windows login password. This ultimately reduces EFS protection to the strength of the user’s Windows password. There are publicly available tools that can successfully decrypt EFS encrypted data by exploiting this flaw. Because of this, EFS should not be used to encrypt sensitive database data.

Working with EFS Encrypted Data

EFS encryption is managed by the operating system, and seamlessly provides file and folder encryption to SQL Server 2005. All SQL Server functions and operations remain unchanged when using this encryption method. Because EFS is handled outside of SQL Server 2005, encryption keys must be backed up separately in addition to your database backups.

Databases often contain sensitive financial, healthcare, and corporate data. As mentioned earlier, data security breaches are occurring at an alarming rate and international legislations have been passed, which set regulations on how organizations must protect this sensitive data. The Payment Card Industry (PCI), Health Insurance Portability and Accountability Act (HIPAA), Personal Information Protection and Electronic Documents Act (PIPEDA), Gramm-Leach-Bliley Act (GLBA), and the UK Data Protection Act are just a few of these regulations. Several regulations require that sensitive data be encrypted and that organization’s must identify and report data disclosure or misuse. If these regulations are not followed, organizations can face serious repercussions, ranging from financial penalties to imprisonment of responsible parties. Depending on the nature of your business, the above regulations may not apply, but before you discount the need to encrypt data

consider that sensitive information can also include corporate information including confidential HR data, trade secrets, patents, designs, or client listings, which, if disclosed to unauthorized individuals, could have a grave impact on your organization. At this point you may be wondering,“why not just encrypt all data using a secure algorithm?” instead of determining specifically what data elements require encryption.The answer is that there is a  significant performance impact when encrypting data, as SQL Server must perform authentication, encryption, and decryption functions seamlessly to encrypt and decrypt the data. In addition, there are several other side effects associated with data encryption, which we will touch on later in this chapter. For these reasons, you should use data encryption only when required and only on the required data elements.

Ways to encrypt data in MSSQL 2005:

EFS Encryption
Native SQL Server 2005 Encryption
Using Keys to Encrypt Data
Using Certificates to Encrypt Data
Using Pass Phrases to Encrypt Data
Working with Data Encrypted
Indexing Encrypted Data
Replicating Encrypted Data
Symmetric Key Usage Tracking
Replicating Encrypted Stored
Using Endpoint Encryption