SQLServer 鏡像認證更換經驗總結（認證到期替換）SQL Server 鏡像認證到期處理

最後更新：2018-12-05 來源：互聯網

上載者：User

創建阿里雲帳戶，並獲得超過 40 款產品的免費試用版；而企業帳戶則可以享有總值 $1200 的免費試用版。立即註冊！

之前有寫過一篇：SQL Server 鏡像認證到期處理這是之前為替換認證做的測試準備，介紹了如何替換到期的鏡像認證。而這篇文章則是對昨天的工作中進行了大量伺服器的認證替換的時候碰到了一些問題，這裡進行分析和總結。

下面是在生產中操作的使用指令碼：

--指令碼1
select name, expiry_date from sys.certificates where issuer_name not like 'MS_%'
go
declare @sql varchar(max)
set @sql = ''
select top 1 @sql = @sql + 'use master' + CHAR(10) + 
+'alter database '+(select top 1 name from sys.databases where database_id > 4)+' set partner suspend' + CHAR(10) +
+'create certificate '+name+'_new with subject = ''mirror'',start_date=''2012-01-01'', expiry_date=''2099-06-01'';' + CHAR(10) +
+'alter endpoint endpoint_mirroring' + CHAR(10) +
+'for database_mirroring (authentication = certificate '+name+'_new)' + CHAR(10) +
+'drop certificate '+name+'' + CHAR(10) +
+'backup certificate '+name+'_new to file = ''d:\certificate\'+name+'_new.cer'';' + CHAR(10) +
+'/*****************************************************/' + CHAR(10)
from sys.certificates
where issuer_name not like 'MS_%' and pvt_key_encryption_type = 'MK'
print(@sql)
--exec(@sql)
go
select name, expiry_date from sys.certificates where issuer_name not like 'MS_%'
select database_id, mirroring_state_desc from sys.database_mirroring

--指令碼2
select name, expiry_date from sys.certificates where issuer_name not like 'MS_%'
select database_id, mirroring_state_desc from sys.database_mirroring where mirroring_state_desc is not null
go
declare @sql varchar(max)
set @sql = ''
select top 1 @sql = @sql
+'create certificate '+a.name+'_new AUTHORIZATION '+b.name+' from file = ''D:\certificate\'+a.name+'_new.cer'';' + CHAR(10) +
+'drop certificate '+a.name + CHAR(10) +
+'WAITFOR DELAY ''00:00:05''' + CHAR(10) +
+'alter database '+(select top 1 name from sys.databases where database_id > 4)+' set partner resume' + CHAR(10) +
+'/*****************************************************/' + CHAR(10)
from sys.certificates a
inner join sys.database_principals b on b.principal_id = a.principal_id
where issuer_name not like 'MS_%' and pvt_key_encryption_type = 'NA'
print (@sql)
--exec(@sql)
go
select name, expiry_date from sys.certificates where issuer_name not like 'MS_%'
select database_id, mirroring_state_desc from sys.database_mirroring where mirroring_state_desc is not null

這個指令碼可以同在主機和鏡像機器上跑，但是對於alter database語句的話只允許在一台機器上執行。其中有兩個@sql變數的定義，說明這段指令碼是分成兩次跑的。exec語句被我注釋掉防止誤操作。鏡像機的print指令碼結果如下：

use master
alter database DNMembership set partner suspend
create certificate wha999m_new_new with subject = 'mirror',start_date='2012-01-01', expiry_date='2099-06-01';
alter endpoint endpoint_mirroring
for database_mirroring (authentication = certificate wha999m_new_new)
drop certificate wha999m_new
backup certificate wha999m_new_new to file = 'd:\certificate\wha999m_new_new.cer';
/*****************************************************/

create certificate wha999_new_new AUTHORIZATION wha999_user from file = 'D:\certificate\wha999_new_new.cer';
drop certificate wha999_new
WAITFOR DELAY '00:00:05'
alter database DNMembership set partner resume
/*****************************************************/

詳細的操作步驟：

在鏡像機上執行第一段指令碼：暫停資料庫鏡像、建立新認證、修改鏡像端點、刪除鏡像機老認證、備份認證（用於主機還原）
在主機上執行所有指令碼：前半部分操作同上，後半部分進行鏡像機認證的還原
在鏡像機上執行第二段指令碼：還原主機的認證、刪除主機老認證、等待5秒有還原資料庫鏡像（比較進行幾秒鐘的等待否則資料庫鏡像恢複會報錯）

註：操作刪除認證和修改端點前一定要把鏡像暫停否則有可能導致鏡像失效上述操作才特殊情況下可能碰到的問題：　　在新認證建立後就立即把老認證刪除掉，如果在這個過程中出現認證丟失或者操作錯誤導致重複跑了兩次指令碼的情況下會很悲劇。所以建議可以在鏡像重新恢複後確定沒有問題再進行老認證的刪除。

本文章原先以中文撰寫並發佈於 aliyun.com，亦設英文版本，僅作資訊用途。本網站不對文章的準確性，完整性或可靠性或其任何翻譯作出任何明示或暗示的陳述或保證。如對該文章有任何疑慮或投訴，請傳送電郵至 info-contact@alibabacloud.com 並提供相關疑慮或投訴的詳細說明。職員會於 5 個工作天內與您聯絡，一經驗證之後，即會刪除該侵權內容。

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More