Tuesday, March 04, 2008
sp_Whoville
13:48 | 
Posted by
Sean McCown
This post is dedicated to all those field DBAs who like to call up the prod DBAs and tell them how busy the server is based on the number of spids or short-term blocks returned by sp_who(2).
See this is the hidden cost of generic logins that have too many rights. Everyone on the planet can read BOL and try to interpret the results. And whatever they mark in their heads as being the sign of a server being too busy is what they're going to call you with. Our users have 2 criteria for a busy server. The number of spids (active or inactive), and how many short-term blocks they see.
Of course I used to try to explain to them that you could bring the server down with a single spid so the number doesn't matter... and that blocks are fine as long as they don't persist. Since I've been here for quite a while though, and none of them have gotten the hint yet, I usually just thank them for letting us know and that we'll get right on it.
One of my favorite analogies used to be that judging the server on the amount of spids is like loading your car up with people and declaring that traffic is really bad today. Somehow that still didn't get the point across.
See this is the hidden cost of generic logins that have too many rights. Everyone on the planet can read BOL and try to interpret the results. And whatever they mark in their heads as being the sign of a server being too busy is what they're going to call you with. Our users have 2 criteria for a busy server. The number of spids (active or inactive), and how many short-term blocks they see.
Of course I used to try to explain to them that you could bring the server down with a single spid so the number doesn't matter... and that blocks are fine as long as they don't persist. Since I've been here for quite a while though, and none of them have gotten the hint yet, I usually just thank them for letting us know and that we'll get right on it.
One of my favorite analogies used to be that judging the server on the amount of spids is like loading your car up with people and declaring that traffic is really bad today. Somehow that still didn't get the point across.
Monday, March 03, 2008
Losing a DBA
It's almost never fun to lose a DBA, but it's a fact of life. People leave jobs, and sometimes jobs leave people. This is another reason why it's really important to not tax your DBAs too heavily. If you've got 2 DBAs and they're both working like dogs, what happens when you lose one? I'll tell you what happens... deadlines start to slip, backups start failing and don't get looked into, maint starts getting behind, security gets relaxed, etc. You want your DBA to have time to do his job and be able to pick up some slack when you lose someone. And it could be quite a while before you get a replacement. Good DBAs are really hard to find and you don't want someone to just warm the seat.
I talked about this recently in my IW blog. Of course, this really only goes for production DBAs, right? I mean, you can work your devs as much as you want. They'll never get a call in the middle of the night because the server's down or because a package failed. So again, DBAs are insurance policies. We're kinda like a clustered server. You don't use the inactive node. It just sits there waiting for something to happen to the primary node. It seems a terrible waste and managers hate spending that money for a box that just sits there. And while DBAs aren't quite that useless, we really should be used in the right way. So it really is just like a multi-node cluster. You never run the primaries at full capacity because one day something will happen and one box will have to take on its workload and one of the downed nodes. So if they're all running at 100%, they can't failover and resume work. So you run them at 50%... give or take, right?
So again, let your prod people do their prod jobs and don't put them on too many actual projects. Afterall, that's what prod means.
And yeah, we're losing our other DBA so I'm all alone now. We'll see how it turns out.
I talked about this recently in my IW blog. Of course, this really only goes for production DBAs, right? I mean, you can work your devs as much as you want. They'll never get a call in the middle of the night because the server's down or because a package failed. So again, DBAs are insurance policies. We're kinda like a clustered server. You don't use the inactive node. It just sits there waiting for something to happen to the primary node. It seems a terrible waste and managers hate spending that money for a box that just sits there. And while DBAs aren't quite that useless, we really should be used in the right way. So it really is just like a multi-node cluster. You never run the primaries at full capacity because one day something will happen and one box will have to take on its workload and one of the downed nodes. So if they're all running at 100%, they can't failover and resume work. So you run them at 50%... give or take, right?
So again, let your prod people do their prod jobs and don't put them on too many actual projects. Afterall, that's what prod means.
And yeah, we're losing our other DBA so I'm all alone now. We'll see how it turns out.
Friday, February 29, 2008
More thoughts on Admin Passwords
OK, I'm also changing this in the original post, but in case you don't think to go back and check.
When I sent my admin password solution to a buddy at MS, he tried it and it didn't work. After a fairly short discovery, I discovered that it worked for me because I had a drive mapped to the admin share on my DC. So PSExec was using that IPC to connect. So unless you're lucky enough to have something like that, you prob won't be able to use this solution. However, it's a good backdoor so it may be a good idea just to setup a mapped share on your box anyway just in case something happens and you get shut out of your DC.
On that note. This is a really excellent reason why you never want to run SQL under an admin acount and especially not under a domain admin acct. I've seen that more than I care to and it always comes out bad eventually. It only takes a very basic knowledge of SQL to discover that someone with regular user rights can setup a SQL job to promote their user acct to admin because the job will run under the context of the agent acct at the OS level. And if you're running your services under an admin acct they'll have full rights to do whatever they like. And if you're running it under a domain admin acct, then they can promote themselves to domain admin pretty easily by running a .vbs or prob even powershell. Pretty much any scripting language will prob do, huh...
And that goes for running SQL on a DC under local system. That's the same as domain admin as far as the DC is concerned. So be smart and run your SQL accts with non-admin accts and just remove that from the equation. There are enough ways for internal and external hackers to elevate rights. Don't help them.
When I sent my admin password solution to a buddy at MS, he tried it and it didn't work. After a fairly short discovery, I discovered that it worked for me because I had a drive mapped to the admin share on my DC. So PSExec was using that IPC to connect. So unless you're lucky enough to have something like that, you prob won't be able to use this solution. However, it's a good backdoor so it may be a good idea just to setup a mapped share on your box anyway just in case something happens and you get shut out of your DC.
On that note. This is a really excellent reason why you never want to run SQL under an admin acount and especially not under a domain admin acct. I've seen that more than I care to and it always comes out bad eventually. It only takes a very basic knowledge of SQL to discover that someone with regular user rights can setup a SQL job to promote their user acct to admin because the job will run under the context of the agent acct at the OS level. And if you're running your services under an admin acct they'll have full rights to do whatever they like. And if you're running it under a domain admin acct, then they can promote themselves to domain admin pretty easily by running a .vbs or prob even powershell. Pretty much any scripting language will prob do, huh...
And that goes for running SQL on a DC under local system. That's the same as domain admin as far as the DC is concerned. So be smart and run your SQL accts with non-admin accts and just remove that from the equation. There are enough ways for internal and external hackers to elevate rights. Don't help them.
Thursday, February 21, 2008
Reset Domain Admin Account
Last week I somehow forgot the domain admin acct in my lab. I tried for 3 days to remember it and I finally came to the realization that I just wasn't going to. So I started looking around on the web for different things I could do. I wasn't really in a hurry cause my domain was running just fine.
I found many methods for changing the local admin acct, but not many for changing the domain admin acct in a windows 2003 domain controller. I did find this method here.
Anyway, I checked with an SE friend of mine on the windows support team at MS and he said that was a good method and told me to run with that one. Not that I minded, but I just didn't want to bring down my DC and take the time to copy all that stuff to floppy, etc. So I kept looking.
I finally had an idea that I just had to share with everybody. It's so simple it's scary.
I used the SysInternals tool psexec.exe. What it does is run programs remotely on the box of your choosing. The problem of course, is that you have to make an admin connection to that box, and if you could do that, you wouldn't have to use psexec to reset the password. So I looked at the help file for psexec and found a parameter that just amazed me. -s is its name.
What that does is tells psexec to connect with the local system acct of the remote box. And since the local system acct has full admin rights, you have the rights you need to change the admin password.
So at a command prompt go to the dir where you have psexec and type the following command:
psexec.exe -s \\machinename cmd
That tells you to bring up a command shell on the remote box and log in as the machine's local system acct. So now you've got a shell open on your box just like you were standing in front of the console on the remote box. Now you just type the command for changing the admin password: net user administrator newpassword
That's it. It's simple, elegant, beautiful, and it really saved my ass.
I hope this helps someone else.
Just for grins, here's a Camtasia I made of the process just to make it even easier. Click here
UPDATE:
Here's an update to my original post. I sent this solution to a friend at MS and he found that it didn't work for him. After a little investigation, I discovered that it worked for me because I had the admin share on my DC mapped on my box and PSExec was using that IPC. You can read more about that here.
I found many methods for changing the local admin acct, but not many for changing the domain admin acct in a windows 2003 domain controller. I did find this method here.
Anyway, I checked with an SE friend of mine on the windows support team at MS and he said that was a good method and told me to run with that one. Not that I minded, but I just didn't want to bring down my DC and take the time to copy all that stuff to floppy, etc. So I kept looking.
I finally had an idea that I just had to share with everybody. It's so simple it's scary.
I used the SysInternals tool psexec.exe. What it does is run programs remotely on the box of your choosing. The problem of course, is that you have to make an admin connection to that box, and if you could do that, you wouldn't have to use psexec to reset the password. So I looked at the help file for psexec and found a parameter that just amazed me. -s is its name.
What that does is tells psexec to connect with the local system acct of the remote box. And since the local system acct has full admin rights, you have the rights you need to change the admin password.
So at a command prompt go to the dir where you have psexec and type the following command:
psexec.exe -s \\machinename cmd
That tells you to bring up a command shell on the remote box and log in as the machine's local system acct. So now you've got a shell open on your box just like you were standing in front of the console on the remote box. Now you just type the command for changing the admin password: net user administrator newpassword
That's it. It's simple, elegant, beautiful, and it really saved my ass.
I hope this helps someone else.
Just for grins, here's a Camtasia I made of the process just to make it even easier. Click here
UPDATE:
Here's an update to my original post. I sent this solution to a friend at MS and he found that it didn't work for him. After a little investigation, I discovered that it worked for me because I had the admin share on my DC mapped on my box and PSExec was using that IPC. You can read more about that here.
Wednesday, February 20, 2008
Good Times
Wow... I really don't get a chance to write in this blog very often because my company has been blocking the address. For some reason though, they just opened it up so I'll be writing here a lot more. So lookout, I'm back.
Subscribe to:
Posts (Atom)
About Me
- Sean McCown
- I am a Contributing Editor for InfoWorld Magazine, and a frequent contributor to SQLServerCentral.com as well as SSWUG.org. I live with my wife and 3 kids, and have practiced and taught Kenpo for 22yrs now.