Tag Archives: TDE

Standard

Posted by

Posted on

July 25, 2024

Posted under

Core

Comments

Leave a comment

Comprehensive Guide to Monitoring SQL Server: Optimizing Max Server Memory

Monitoring a SQL Server database is essential to maintain its performance, stability, and overall health. One crucial aspect of SQL Server configuration is setting the max server memory value appropriately. This blog provides an in-depth look at how to monitor SQL Server and how to determine the best value for the max server memory setting, using various tools and methods.

🔍 Key Tools and Techniques for Monitoring SQL Server

Effective monitoring of a SQL Server environment involves multiple tools and techniques, each offering unique insights.

1. SQL Server Management Studio (SSMS)

SSMS provides built-in features for monitoring SQL Server:

  • Activity Monitor: A real-time interface that displays CPU usage, I/O statistics, recent expensive queries, and more.
  • Performance Dashboard Reports: Pre-defined reports that provide details on CPU, memory, and I/O usage.
2. Dynamic Management Views (DMVs)

DMVs allow querying internal SQL Server metrics:

  • sys.dm_os_performance_counters: Retrieves various performance counters, including memory usage.
  • sys.dm_exec_query_stats: Provides statistics on query performance.
  • sys.dm_os_sys_memory: Displays the amount of memory in use and available.
3. Extended Events

Extended Events provide a lightweight, flexible way to collect data on SQL Server events:

  • Configure sessions to capture specific data points, such as long-running queries or memory usage spikes.
4. SQL Server Profiler & Trace

Although deprecated, SQL Server Profiler can still be used for tracing events and diagnosing issues.

5. Performance Monitor (PerfMon)

PerfMon is a Windows utility that provides detailed insights into system and SQL Server performance. It allows tracking various counters, essential for understanding SQL Server’s memory usage.

📈 Key Performance Monitor (PerfMon) Counters for SQL Server

Using PerfMon, you can monitor several critical counters that provide insight into SQL Server’s memory management and overall performance:

  1. Memory: Available MBytes
    • What it measures: The amount of physical memory available on the system.
    • Why it matters: Helps determine if the system has enough memory to support both SQL Server and other applications.
  2. SQLServer: Memory Manager – Total Server Memory (KB)
    • What it measures: The total amount of dynamic memory the SQL Server is using.
    • Why it matters: Indicates how much memory SQL Server is consuming and helps in understanding if the configured memory is adequate.
  3. SQLServer: Memory Manager – Target Server Memory (KB)
    • What it measures: The ideal amount of memory SQL Server aims to use.
    • Why it matters: Helps in determining if SQL Server is using less memory than needed, which could lead to performance issues.
  4. SQLServer: Buffer Manager – Buffer Cache Hit Ratio
    • What it measures: The percentage of pages found in the buffer cache without requiring a read from disk.
    • Why it matters: A high buffer cache hit ratio generally indicates that the SQL Server has sufficient memory allocated for caching.
  5. SQLServer: Buffer Manager – Page Life Expectancy
    • What it measures: The number of seconds a page will stay in the buffer cache.
    • Why it matters: A lower value indicates that pages are being flushed out too quickly, which may suggest the need for more memory.

🧮 Calculating the Optimal Max Server Memory Setting

To determine the optimal max server memory setting, consider the following steps:

1. Identify Total Physical Memory

Determine the total physical memory available on your server. For example, if your server has 64 GB of RAM, this is your baseline.

2. Reserve Memory for the OS and Other Applications

It’s crucial to leave enough memory for the OS and other applications. A common practice is to reserve around 20% of the total memory for the OS. For example, with 64 GB of RAM, you might reserve 12-16 GB for the OS, leaving 48-52 GB for SQL Server.

3. Use PerfMon Data to Fine-Tune

Using PerfMon, monitor the following:

  • Memory: Available MBytes: Ensure that this value does not drop too low, indicating a lack of available memory.
  • SQLServer: Memory Manager – Total Server Memory (KB) and Target Server Memory (KB): If Total Server Memory consistently meets or exceeds Target Server Memory, it may indicate a need for more memory.
  • SQLServer: Buffer Manager – Buffer Cache Hit Ratio: Aim for a ratio above 90%.
  • SQLServer: Buffer Manager – Page Life Expectancy: Aim for a value greater than 300 seconds.
4. Adjust Max Server Memory

After analyzing the data, adjust the max server memory setting using the following SQL command:

EXEC sp_configure 'max server memory', 49152; -- Example: Set to 48 GB
RECONFIGURE;
5. Regular Review and Adjustment

Regularly review your settings, especially after significant workload changes. As workloads evolve, memory requirements may change, necessitating adjustments to the max server memory setting.

🚀 Conclusion

Effective monitoring and optimal memory configuration are key to maintaining SQL Server performance. By leveraging tools like SSMS, DMVs, Extended Events, and PerfMon, you can gain valuable insights into your SQL Server’s memory usage and overall performance. Setting the correct max server memory is crucial to ensure your SQL Server runs efficiently without starving the OS or other applications of necessary resources.

For more detailed tutorials and insights, be sure to check out our YouTube channel, JBSWiki YouTube channel, where we cover SQL Server and Azure SQL topics in depth.

Thank You,
Vivek Janakiraman

Disclaimer:
The views expressed on this blog are mine alone and do not reflect the views of my company or anyone else. All postings on this blog are provided “AS IS” with no warranties, and confers no rights.

Standard

Posted by

Posted on

July 10, 2019

Posted under

Encryption

Comments

1 Comment

Remove Transparent Data Encryption (TDE)

-> I had a request to remove TDE on a SQL Server Instance.

-> Execute below query and check what databases are encrypted on the SQL Server instance,

select DB_NAME(database_id) AS DatabaseName, encryption_state,
encryption_state_desc =
CASE encryption_state
WHEN '0' THEN 'No database encryption key present, no encryption'
WHEN '1' THEN 'Unencrypted'
WHEN '2' THEN 'Encryption in progress'
WHEN '3' THEN 'Encrypted'
WHEN '4' THEN 'Key change in progress'
WHEN '5' THEN 'Decryption in progress'
WHEN '6' THEN 'Protection change in progress (The certificate or asymmetric key that is encrypting the database is encrypting the database encryption key is being changed.)'
ELSE 'No Status'
END,
percent_complete,encryptor_thumbprint,encryptor_type
from sys.dm_database_encryption_keys
0.Cert_List.PNG

-> From the above screenshot, it is clear that database JB_DB and JBS_DB are encrypted with different certificate. Database JBS_App_DB is encrypted with a different certificate. Check the “encryptor_thumbprint” for the difference.

-> Execute below query to find the name of the certificates,

select DB_NAME(database_id) AS DatabaseName, encryption_state,
encryption_state_desc =
CASE encryption_state
WHEN '0' THEN 'No database encryption key present, no encryption'
WHEN '1' THEN 'Unencrypted'
WHEN '2' THEN 'Encryption in progress'
WHEN '3' THEN 'Encrypted'
WHEN '4' THEN 'Key change in progress'
WHEN '5' THEN 'Decryption in progress'
WHEN '6' THEN 'Protection change in progress (The certificate or asymmetric key that is encrypting the database is encrypting the database encryption key is being changed.)'
ELSE 'No Status'
END,
percent_complete,b.name as Certificate, encryptor_thumbprint,encryptor_type
from sys.dm_database_encryption_keys a INNER JOIN sys.certificates b ON a.encryptor_thumbprint=b.thumbprint
0_1.Cert_List.PNG

-> Checking the certificates from SSMS,

0_2.Cert_List_SSMS.PNG
-> Before removing TDE, I made a backup of the certificate using below TSQL,

USE master;
GO
BACKUP CERTIFICATE JBS_TDE_Certificate
TO FILE = 'C:\temp\JBS_TDE_Certificate.cer'
WITH PRIVATE KEY (file='C:\temp\JBS_TDE_Certificate.pvk',
ENCRYPTION BY PASSWORD='Pa$$w0rd');

BACKUP CERTIFICATE JBS_PROD_Certificate
TO FILE = 'C:\temp\JBS_PROD_Certificate.cer'
WITH PRIVATE KEY (file='C:\temp\JBS_PROD_Certificate.pvk',
ENCRYPTION BY PASSWORD='Pa$$w0rd');

Removing TDE the wrong way

-> I tried removing the master key using below Tsql,

use master
go
DROP MASTER KEY

-> Received below error,

1.Error_master_key
Msg 15580, Level 16, State 1, Line 3
Cannot drop master key because certificate ‘JB_TDE_Certificate’ is encrypted by it.

-> It seems like JBS_TDE_Certificate should be dropped before removing the master key. Lets try removing the certificate JBS_TDE_Certificate using below Tsql,

USE [master]
GO
DROP CERTIFICATE [JBS_TDE_Certificate]
GO

-> Received below error,

3.Drop_cert_error.PNG
Msg 3716, Level 16, State 15, Line 3
The certificate ‘JBS_TDE_Certificate’ cannot be dropped because it is bound to one or more database encryption key.

-> You will receive a similar error when you try removing certificate JBS_PROD_Certificate.

Removing TDE the Right way

-> Execute below query to disable TDE on the affected databases,

USE master;
GO
ALTER DATABASE [JB_DB] SET ENCRYPTION OFF;
GO
ALTER DATABASE [JBS_App_DB] SET ENCRYPTION OFF;
GO
ALTER DATABASE [JBS_DB] SET ENCRYPTION OFF;
GO

-> Execute below query and make sure encryption_state_desc is set to “Unencrypted” for all User databases,

select DB_NAME(database_id) AS DatabaseName, encryption_state,
encryption_state_desc =
CASE encryption_state
WHEN '0' THEN 'No database encryption key present, no encryption'
WHEN '1' THEN 'Unencrypted'
WHEN '2' THEN 'Encryption in progress'
WHEN '3' THEN 'Encrypted'
WHEN '4' THEN 'Key change in progress'
WHEN '5' THEN 'Decryption in progress'
WHEN '6' THEN 'Protection change in progress (The certificate or asymmetric key that is encrypting the database is encrypting the database encryption key is being changed.)'
ELSE 'No Status'
END,
percent_complete, encryptor_thumbprint,encryptor_type
from sys.dm_database_encryption_keys
4.Decrypt.PNG

-> Execute below query to remove the encryption key,

USE [JB_DB];
GO
DROP DATABASE ENCRYPTION KEY;
GO

USE [JBS_App_DB];
GO
DROP DATABASE ENCRYPTION KEY;
GO

USE [JBS_DB];
GO
DROP DATABASE ENCRYPTION KEY;
GO

-> Execute below query again and see if there are any user databases encrypted,

select DB_NAME(database_id) AS DatabaseName, encryption_state,
encryption_state_desc =
CASE encryption_state
WHEN '0' THEN 'No database encryption key present, no encryption'
WHEN '1' THEN 'Unencrypted'
WHEN '2' THEN 'Encryption in progress'
WHEN '3' THEN 'Encrypted'
WHEN '4' THEN 'Key change in progress'
WHEN '5' THEN 'Decryption in progress'
WHEN '6' THEN 'Protection change in progress (The certificate or asymmetric key that is encrypting the database is encrypting the database encryption key is being changed.)'
ELSE 'No Status'
END,
percent_complete, encryptor_thumbprint,encryptor_type
from sys.dm_database_encryption_keys
5.Only_Temdb.PNG

-> Drop certificates using below query,

USE [master]
GO
DROP CERTIFICATE [JB_TDE_Certificate]
GO
DROP CERTIFICATE [JBS_PROD_Certificate]
GO

-> Drop master key using below query,

use master
go
DROP MASTER KEY

-> Execute below query again and see if there are any databases encrypted,

select DB_NAME(database_id) AS DatabaseName, encryption_state,
encryption_state_desc =
CASE encryption_state
WHEN '0' THEN 'No database encryption key present, no encryption'
WHEN '1' THEN 'Unencrypted'
WHEN '2' THEN 'Encryption in progress'
WHEN '3' THEN 'Encrypted'
WHEN '4' THEN 'Key change in progress'
WHEN '5' THEN 'Decryption in progress'
WHEN '6' THEN 'Protection change in progress (The certificate or asymmetric key that is encrypting the database is encrypting the database encryption key is being changed.)'
ELSE 'No Status'
END,
percent_complete, encryptor_thumbprint,encryptor_type
from sys.dm_database_encryption_keys
5.Only_Temdb

-> Tempdb is still there. Lets restart the SQL services and allow Tempdb to be recreated. Executing above query after restart will show no databases including Tempdb.

Thank You,
Vivek Janakiraman

Disclaimer:
The views expressed on this blog are mine alone and do not reflect the views of my company or anyone else. All postings on this blog are provided “AS IS” with no warranties, and confers no rights.

Standard

Posted by

Posted on

July 10, 2019

Posted under

Encryption

Comments

Leave a comment

Restoring a Transparent Data Encryption (TDE) Enabled User Database on a SQL Server Instance with a different master key

-> I had to restore a database on a development server using a backup from a Production Server.

-> When I tried restoring the backup I got the below error,

1.Restore_Error.PNG
TITLE: Microsoft SQL Server Management Studio
——————————
Restore of database ‘JBS_App_DB’ failed. (Microsoft.SqlServer.Management.RelationalEngineTasks)
——————————
ADDITIONAL INFORMATION:
System.Data.SqlClient.SqlError: Cannot find server certificate with thumbprint ‘0xAA2EBEFF26F6DC56959BF42BFAFF09ABC6F12D39’. (Microsoft.SqlServer.SmoExtended)
For help, click: http://go.microsoft.com/fwlink?ProdName=Microsoft+SQL+Server&ProdVer=14.0.17289.0+((SSMS_Rel_17_4).181117-0805)&LinkId=20476
——————————
BUTTONS:
OK
——————————

-> It seems like the user database from where the backup was performed is TDE enabled .

-> We should backup the Certificate and Private key from SQL Server Instance where this backup was performed using below,

USE master;
GO
BACKUP CERTIFICATE JBS_PROD_Certificate
TO FILE = 'C:\temp\JBS_PROD_Certificate.cer'
WITH PRIVATE KEY (file='C:\temp\JBS_PROD_Certificate.pvk',
ENCRYPTION BY PASSWORD='Pa$$w0rd');

-> The created Certificate should be added to the SQL Server Instance where we are performing the restore.

-> Executing below TSQL to create the master key on Instance where the backup should be restored,

USE master;
GO
CREATE MASTER KEY ENCRYPTION
BY PASSWORD='Pa$$w0rd';
GO

-> Executing above Tsql produces below error,

2.Master_Key_Error.PNG
Msg 15578, Level 16, State 1, Line 1
There is already a master key in the database. Please drop it before performing this statement.

-> It seems like the SQL Server instance already has a master key created.

-> Lets just create the certificate using below,

CREATE CERTIFICATE JBS_PROD_Certificate
FROM FILE='C:\temp\JBS_PROD_Certificate.cer'
WITH PRIVATE KEY (
FILE = 'C:\temp\JBS_PROD_Certificate.pvk',
DECRYPTION BY PASSWORD='Pa$$w0rd')

-> Try restoring the database and it works without any issue.

Thank You,
Vivek Janakiraman

Disclaimer:
The views expressed on this blog are mine alone and do not reflect the views of my company or anyone else. All postings on this blog are provided “AS IS” with no warranties, and confers no rights.