How to provide ‘db_dataread’ database role to a SQL login when the database is in AlwaysOn & secondary node DB is in readonly mode?
To provide ‘db_dataread’ database role to a SQL login when the database is in AlwaysOn & secondary node DB is in READONLY mode we have to apply a trick. In Active-Passive AlwaysOn primary node/replica will be active and secondary node/replica will be in READONLY mode. In this scenario, we can create a login on the primary node/replica but could not create a user on the READONLY mode database in secondary.
When we need to provide access to users on a secondary node/replica database, we need to create the Login with the same SID as in primary node/replica and provide access on the primary server which can replicate the same to secondary.
Creating a login on the primary node
Create a new login on the primary node/replica, then create a new user for the login & then provide ‘db_dataread’ database role to the login. Use below TSQL script or same can be done with GUI SSMS also.
-- 1. Create new Login on primary server GO CREATE LOGIN [login02] WITH PASSWORD=N'Welcome@12345' GO -- 2. Create new User for Login02 USE [DB_01] GO CREATE USER [login02] FOR LOGIN [login02] GO -- 3. Providing db_datareader role to Login02 USE [DB_01] GO ALTER ROLE [db_datareader] ADD MEMBER [login02] GO
Create ‘sp_help_revlogin’ on the primary node by using the Microsoft script. to transfer the logins and passwords between different instances of Microsoft SQL Server stored procedure ‘sp_help_revlogin’ will be used. Please follow the URL for the guidance – https://support.microsoft.com/en-us/kb/918992
On primary node/replica, start SQL Server Management Studio, and then connect to the instance of SQL Server from which you moved the database. Open a new Query Editor window, and then run the above-mentioned script. This script creates two stored procedures in the master database. The procedures are named sp_hexadecimal and sp_help_revlogin.
Run the following statement in the same or a new query window to execute ‘sp_help_revlogin’
The output script that the sp_help_revlogin stored procedure generates is the login script. This login script creates the logins that have the original Security Identifier (SID) and the original password.
Create the login on secondary node/replica
logon to the destination server (Secondary node). On Secondary node, start SQL Server Management Studio, and then connect to the instance of SQL Server to which you need to create the login. Copy the individual script for that particular login which was generated by ‘sp_help_revlogin’ stored procedure. Here we will use ‘Login02’ script.
-- Login: login02 CREATE LOGIN [login02] WITH PASSWORD = 0x02006DE19D81E5BB3C8124A624705FAE15FB4A4AACD1BB02AD56531D4B77013EC4277E4BF025BF43F865FB5CBEC25DE440DF386CDE3C46B755022186A1FF5189BFD941DBD5CE HASHED, SID = 0x342240D57FD2D04CAAADB31570601150, DEFAULT_DATABASE = [master], CHECK_POLICY = ON, CHECK_EXPIRATION = OFF
Open a new Query Editor window, and then run the above script. Below messages will display if the login successfully created.
Check both SID on both logins
To check both SID on both primary & secondary node/replica we may use below script.
select name, sid from syslogins
Below is the screenshot of the primary node
Below is the screenshot of the secondary node
So, both the SID are the same, as we required.
As per our requirement, we may delete primary login & user if required. Secondary login will work !!
Idea Source: http://j.gs/DFpt