Skip to main content

Posts

Showing posts from 2016

SQL Always Encrypted - Re-encrypting the database with a new Column Encryption key failed

In SQL 2016 and Azure SQL there is a new powerful feature - Always Encrypted  which allows to keep the encryption key outside of the database (for increased security). When dealing with encrypted data at rest we need to be able to change (rotate) the encryption key either on schedule or upon a request. Microsoft provides a example of a PowerShell script that re-encrypts the all data in a database with a new column encryption key. I used that example to create my own script. The first setback with the following cmdlet Set-SqlColumnEncryption -ColumnEncryptionSettings $ces -InputObject $database -UseOnlineApproach -MaxDowntimeInSeconds 120 -LogFileDirectory . was a syntax error  Set-SqlColumnEncryption : A parameter cannot be found that matches parameter name 'UseOnlineApproach'. It was easy to fix - I removed all the parameters except for ColumnEnxryptionSettings and InputObject. But then the same cmdlet failed at the execution time with this error. S...

Logging to Azure : Sequence contains no elements

When developing PowerShell scripts working with Azure it's very convenient to script the login part so you are not prompted each time you tweaked the script and re-run it. You archive this by creating a PSCredential object and passing to it your email and password (converted to a secure string first) as in a snippet below $email='your email' $pwd = 'your password' | ConvertTo-SecureString -AsPlainText -Force $cred = New-Object -TypeName System.Management.Automation.PSCredential  `  -ArgumentList $email, $Pwd Login-AzureRMAccount -credential $cred  This works fine with corporate email addresses but if you try to use your Live ID (Hotmail or Outlook) you get back this error Login-AzureRMAccount : Sequence contains no elements At line:8 char:1 + Login-AzureRMAccount -credential $cred + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~     + CategoryInfo          : CloseError: (:) [Add-AzureRmAccount], AadAuthenticationFaile...

Configuring Azure SQL database to use Key Vault for AlwaysEncrypted columns

Azure SQL v12 databases have the Always Encrypted feature with ability to store cryptographic materials in Azure Key Vault. In this Blog I'll show how to create a Key Vault and configure an Azure SQL database to use the Key Vault for Always Encrypted. The following are the requirements to succeed: Azure subscription with access to the Classic Azure Portal (CSP type subscription doesn't work at the time of the writing) an Azure SQL v12 database (you can create it from PowerShell but I have it already created) Resource Group (you can create it from PowerShell but I also have it already created) Step 1 - log into Azure using the Resource Model $cred = Get-Credential # sign in using the ARM model Login-AzureRmAccount -Credential $cred # Login-AzureRmAccount returns this details: # Environment           : <name> # Account               : <your email> # TenantId         ...

Joining Windows 10 to Azure AD Domain

As of October 2016 to join Windows 10 computers to Azure AD Domain service requires these steps: Create a VNET in the classic portal . The VNET must be placed to a region where Azure AD domain service is available (( https://azure.microsoft.com/en-us/regions/services/ )  In the classic portal  go to Directory -> Configure and enable the domain service. And wait for ~ 30 min When completed the IP address will be populated Go back to the VNET configuration and add a DNS server with the IP (10.0.0.4 in this case) Create the "AAD DC Administrator" administrators group (again in Directory -> Group). Members of this group are granted administrative privileges on machines that are domain-joined to the Azure AD Domain Services managed domain. Add to the group your users who are supposed to have the administrative access on a Windows 10 computer go to Settings -> Accounts (this is true for Windows 10 version  1607) then select 'Access...

How good Azure geo-replication is

Microsoft Azure offers the standard and active geo-replication capabilities for Azure SQL databases.  This feature implements a mechanism to provide database redundancy within the same Microsoft Azure region or in different regions (geo-redundancy). Active Geo-Replication asynchronously replicates committed transactions from a database to up to four copies of the database on different servers.  When Active Geo-Replication is configured a secondary database is created on the specified server. The original database becomes the primary database. The primary database asynchronously replicates committed transactions to each of the secondary databases. While at any given point, the secondary database might be slightly behind the primary database, the secondary data is guaranteed to always be transactionally consistent with changes committed to the primary database. When you place the secondary database on a server in a different region you add maximum resilience to your appl...