Advanced Windows Authentication configurations in AWS RDS SQL Server

This article will cover advanced configurations for Windows Authentication in AWS RDS SQL Server.

Introduction

In this article, we will cover the following sections:

  • Create Active Directory users
  • Modify the RDS instance to join the domain
  • Connect to SQL Server using Windows authentication
  • Remove the domain membership from the RDS instance

You should go through the article Initial Windows Authentication configurations in AWS RDS SQL Server before going further in this article.

A quick recap of Windows authentication for the RDS instance

Windows authentication is the preferred method to connect to a SQL Server instance. It lets you manage user accounts and groups centrally in Active Directory, and it lets you enforce policies such as password expiry after a period, password complexity and account lockout.

We can use both SQL and Windows authentication in AWS RDS SQL Server, just as on a native SQL Server instance. In the previous article, we covered the following topics.

  • Create an AWS Managed Active Directory [sqlshackdemo.com] using the AWS Directory Service. Its status should be Active so that we can use it in subsequent AWS resources such as EC2 and RDS
  • Create an IAM role to manage the directory service on your behalf
  • Create an AWS EC2 server with a Windows operating system. We configured this EC2 instance with the Active Directory [sqlshackdemo.com] and logged in with the default [sqlshackdemo\admin] account
  • Install the Microsoft Active Directory administration tools on the Windows Server 2019 operating system

Create Active Directory users in the [sqlshackdemo.com] domain

As you know, we connect to the EC2 instance over RDP using its public DNS name. By default, EC2 does not get a static IP, so if we restart the server, its IP address and public DNS name might change. We can assign an Elastic IP address (static), but that is out of scope for this article.

We should not use the admin account for day-to-day work on the EC2 instance, because it has administrative permission on the Active Directory and can create, update and delete records in AD. To create a new user, go to Run inside the EC2 instance and type the DSA.MSC command.

It opens the Active Directory Users and Computers snap-in shown below. You can see a root folder with the domain name we used in the directory service.

Expand the domain tree, and you get the following organizational units (OUs).

  • AWS Delegated Groups
  • AWS Reserved
  • Builtin
  • Computers
  • Domain Controllers
  • ForeignSecurityPrincipals
  • Managed Service Accounts
  • Sqlshackdemo
  • Users

You can go through this article to understand these organizational units.

We need to choose the organizational unit in which the new account will exist. Let’s select [sqlshackdemo]; it has folders for Users and Computers.

Right-click on the Users folder, and it gives you the option to create a User, Group, Computer or Organizational Unit.

It opens the New Object - User form shown below. Enter the first name, last name and user logon name for the new user as shown.

Specify the user account password and properties as per your requirement.

Click Next, and it creates the user, as shown below.

In the next step, we need to add this user to the Administrators group on the EC2 instance. Go to Server Manager and open Computer Management.

In Computer Management, go to Local Users and Groups. Click on Groups, and you see the Administrators group.

Open the Administrators group and add the user we created earlier. Click on Apply and OK.

Now we should be able to RDP into the EC2 instance using this newly created user. Sign out of the EC2 instance and log in with the new user.

It connects to EC2 using the new user. We can verify the logged-in user as shown below.

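The same user creation and group membership done from PowerShell on the domain-joined EC2 instance, as an added example that is not part of the original article. It assumes the ActiveDirectory RSAT module is present (the previous article installs the AD administration tools), that the session runs as an account allowed to create users, and that the [sqlshackdemo] > Users folder maps to the OU path shown (an assumption; confirm it in DSA.MSC). The article puts the user in the local Administrators group; the verification loop at the end shows exactly which local groups the account ended up in, which is what you want to review before handing the account out.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory module
# (RSAT) and the LocalAccounts module shipped with Windows Server 2019.
Import-Module ActiveDirectory

$domainDns  = 'sqlshackdemo.com'
$netbios    = 'sqlshackdemo'
$samAccount = 'rajendra.gupta'      # logon name used later in the article
# Assumed OU path for the [sqlshackdemo] > Users folder seen in DSA.MSC
$ouPath     = 'OU=Users,OU=sqlshackdemo,DC=sqlshackdemo,DC=com'
$password   = Read-Host -AsSecureString -Prompt "Initial password for $samAccount"

# Create the user with the same first/last/logon name fields as the New Object - User form,
# and force a password change at first logon so the initial secret is not reused.
New-ADUser -Name 'Rajendra Gupta' -GivenName 'Rajendra' -Surname 'Gupta' `
    -SamAccountName $samAccount -UserPrincipalName "$samAccount@$domainDns" `
    -Path $ouPath -AccountPassword $password -Enabled $true `
    -ChangePasswordAtLogon $true -PasswordNeverExpires $false

# Let the new user RDP into this EC2 instance. The article adds the account to local
# Administrators; 'Remote Desktop Users' is sufficient if the account only needs RDP.
Add-LocalGroupMember -Group 'Administrators' -Member "$netbios\$samAccount"

# Verify: list every local group on this EC2 instance that now contains the user.
foreach ($group in Get-LocalGroup) {
    $members = Get-LocalGroupMember -Group $group.Name -ErrorAction SilentlyContinue
    if ($members | Where-Object { $_.Name -eq "$netbios\$samAccount" }) {
        "$($group.Name) contains $netbios\$samAccount"
    }
}
```

Run it in an elevated PowerShell session on the EC2 instance; the final loop is the scripted equivalent of opening each group in Computer Management and reading its member list.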
Install SSMS or Azure Data Studio to connect with RDS

We require SQL Server client tools such as SSMS or Azure Data Studio on the EC2 server. You can use your preferred client tool. I will not cover the installation of these tools; it is very straightforward. You can download the latest version of these tools using the following links.

  • SQL Server Management Studio 18.5
  • Azure Data Studio

Add the Active Directory domain to the RDS instance

To use Windows authentication with the RDS instance, we need to join the RDS instance to the AD domain. For this purpose, the RDS instance should be in Available status.

You can use the article AWS RDS SQL Server – Launching a new database instance to launch a new RDS SQL instance.

For this demo, I have the following RDS instance running SQL Server Express edition.

To modify the RDS instance, click on Modify. Under Microsoft SQL Server Windows Authentication, choose the AD directory from the drop-down as shown below.

Click on Continue. On the next page, we can schedule the modification. We can either apply it during the next scheduled maintenance window or apply it immediately.

Let’s apply the change immediately and click Modify DB instance. It restarts the RDS instance and might take a few minutes to become available again.

The status shows as Modifying while RDS applies the Active Directory change.

The RDS instance can show the following directory statuses related to the domain.

  • Joining: the RDS instance is joining the domain
  • Joined: once the instance has finished joining the Active Directory domain, its status changes to Joined
  • Pending-join: the instance's membership of the domain is pending
  • Pending-maintenance-join: when we assign a domain to an RDS instance, we can apply the change immediately or wait for the scheduled maintenance window. In this article we joined the domain immediately, but if you choose the maintenance window, the status shows as Pending-maintenance-join
  • Failed: a configuration issue prevented the RDS instance from joining the domain. Investigate and review the configuration when the status is Failed
  • Pending-removal: we can remove an RDS instance's membership from a domain; while the removal is pending, you get this status
  • Pending-maintenance-removal: similar to Pending-maintenance-join, you can schedule the removal of the RDS instance from the domain for the next maintenance window. This status indicates a removal that is waiting for the maintenance window
  • Removing: shown while AWS is removing the domain membership from the RDS instance

In the following screenshot, we see the status Joined on the Connectivity & security page.

Once the instance is available again, launch Azure Data Studio or SSMS to connect to the RDS instance. We need the endpoint of the RDS instance, which you can get from the instance property page.

It connects to the RDS instance using Windows authentication. You can see the connected instance and the server dashboard. By default, the RDS instance contains the user database rdsadmin.

We can use the SYSTEM_USER function to return the currently logged-in user on the RDS instance. Execute the following query in ADS.

-- SYSTEM_USER returns the login name of the current session as nvarchar(128)
DECLARE @sys_usr nvarchar(128);
SET @sys_usr = SYSTEM_USER;
SELECT 'The current system user is: ' + @sys_usr;
GO

We can verify that it is connected as the domain user [sqlshackdemo\rajendra.gupta].

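The same identity check run from PowerShell on the EC2 instance, as an added example that is not part of the original article, extended with the authentication scheme the session actually used: a domain-joined RDS instance should report KERBEROS, and NTLM usually points at a DNS or SPN problem worth fixing before relying on Windows authentication. It assumes the SqlServer PowerShell module (Invoke-Sqlcmd), a placeholder endpoint, and that the login has VIEW SERVER STATE, which sys.dm_exec_connections requires.

```powershell
# Added example (not from the original article). Assumes the SqlServer module is installed
# and that the endpoint below is replaced with the one from the instance property page.
Import-Module SqlServer
$endpoint = 'sqlshack-rds-demo.xxxxxxxxxxxx.us-east-1.rds.amazonaws.com,1433'   # placeholder

$query = @"
SELECT SYSTEM_USER           AS login_name,
       c.auth_scheme         AS auth_scheme,      -- KERBEROS expected for a domain-joined RDS instance
       s.login_time,
       c.client_net_address
FROM   sys.dm_exec_connections AS c               -- needs VIEW SERVER STATE
JOIN   sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE  c.session_id = @@SPID;
"@

# No -Username/-Password: Invoke-Sqlcmd authenticates with the Windows identity of this session.
# -TrustServerCertificate is for the demo only; import the RDS CA bundle instead and drop it in production.
$row = Invoke-Sqlcmd -ServerInstance $endpoint -Database master -Query $query -TrustServerCertificate
$row | Format-List

if ($row.login_name -notlike 'sqlshackdemo\*') {
    Write-Warning "Connected as $($row.login_name), which is not a sqlshackdemo domain login."
}
if ($row.auth_scheme -ne 'KERBEROS') {
    Write-Warning "Authentication scheme is $($row.auth_scheme); expected KERBEROS. Check DNS resolution of the domain and the instance's SPN."
}
```

Run it in the same PowerShell session that is logged in as the domain user; if the session is running as a local account, the login_name warning fires and the query may fail outright, which is the expected behaviour for a non-domain identity.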
You can add more Active Directory domain users to the AWS RDS SQL Server instance using the CREATE LOGIN and CREATE USER commands. In the following queries, we create a Windows domain user [sqlshackdemo\testsql]. It also grants the [db_datareader], [db_datawriter] and [db_ddladmin] roles in the [mssqldemo] database.

-- Server-level login for the Windows domain account (the domain is sqlshackdemo)
CREATE LOGIN [sqlshackdemo\testsql] FROM WINDOWS
    WITH DEFAULT_DATABASE = [master], DEFAULT_LANGUAGE = [us_english];
GO
USE [mssqldemo]
GO
-- Database user mapped to that login
CREATE USER [sqlshackdemo\testsql] FOR LOGIN [sqlshackdemo\testsql]
GO
-- Read, write and schema-change permissions in [mssqldemo]
ALTER ROLE [db_datareader] ADD MEMBER [sqlshackdemo\testsql]
ALTER ROLE [db_datawriter] ADD MEMBER [sqlshackdemo\testsql]
ALTER ROLE [db_ddladmin] ADD MEMBER [sqlshackdemo\testsql]
GO
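A scripted version of the provisioning above, as an added example that is not part of the original article. It grants access to an AD group rather than an individual account, so that adding or removing people happens in Active Directory instead of in SQL Server, and it finishes with an audit query that lists every Windows login or group in the database together with the roles it holds. It assumes the SqlServer PowerShell module, a placeholder endpoint, and a hypothetical AD group [sqlshackdemo\sql-mssqldemo-writers] that you have created beforehand.

```powershell
# Added example (not from the original article). Assumes the SqlServer module, a placeholder
# endpoint and a hypothetical AD group; the session runs as a login allowed to create logins.
Import-Module SqlServer
$endpoint  = 'sqlshack-rds-demo.xxxxxxxxxxxx.us-east-1.rds.amazonaws.com,1433'   # placeholder
$principal = 'sqlshackdemo\sql-mssqldemo-writers'                                  # hypothetical AD group
$database  = 'mssqldemo'

# Idempotent: safe to re-run, and it does not grant db_ddladmin unless the group deploys DDL.
$provision = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$principal')
    CREATE LOGIN [$principal] FROM WINDOWS
        WITH DEFAULT_DATABASE = [$database], DEFAULT_LANGUAGE = [us_english];
USE [$database];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$principal')
    CREATE USER [$principal] FOR LOGIN [$principal];
ALTER ROLE [db_datareader] ADD MEMBER [$principal];
ALTER ROLE [db_datawriter] ADD MEMBER [$principal];
-- ALTER ROLE [db_ddladmin] ADD MEMBER [$principal];   -- enable only for groups that change schema
"@
Invoke-Sqlcmd -ServerInstance $endpoint -Database master -Query $provision -TrustServerCertificate

# Audit: every Windows user (U) or Windows group (G) in the database and the roles it holds.
$audit = @"
SELECT dp.name AS principal, dp.type_desc, r.name AS role_name, sp.default_database_name
FROM   sys.database_principals      AS dp
LEFT JOIN sys.database_role_members AS rm ON rm.member_principal_id = dp.principal_id
LEFT JOIN sys.database_principals   AS r  ON r.principal_id = rm.role_principal_id
LEFT JOIN sys.server_principals     AS sp ON sp.sid = dp.sid
WHERE  dp.type IN ('U', 'G')
ORDER BY dp.name, r.name;
"@
Invoke-Sqlcmd -ServerInstance $endpoint -Database $database -Query $audit -TrustServerCertificate |
    Format-Table -AutoSize
```

The audit output is what to keep from each provisioning run: a Windows principal that appears with db_owner, or with no matching server login (a NULL default_database_name after a domain change), is the kind of drift that the console screenshots in this article cannot show.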

Remove a domain membership from an AWS RDS SQL Server

Suppose you need to remove the domain membership from an AWS RDS SQL Server. You can also use this option to move the instance to another Active Directory domain: first remove the membership from the existing directory, then join the instance to the other domain. We have already covered the process of joining a domain in the previous section. Let’s explore the process of removing the domain membership from an AWS RDS SQL Server.

In the RDS dashboard of the AWS web console, modify the instance and choose None for the directory. The option is located under Microsoft SQL Server Windows Authentication, as shown below.

Click Next and select the option to schedule the modification. It is a demo instance for me, so it is fine to apply the changes immediately.

Click on Modify DB instance. It starts applying the changes. We can see the status pending-removal because it is preparing the instance to remove the domain membership.

Refresh the dashboard after some time, and you see that it is now removing the domain membership from the AWS RDS SQL Server.

Once the domain has been removed from the AWS RDS SQL Server, the Directory status column no longer appears in the RDS dashboard.

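The join described in the section Add the Active Directory domain to the RDS instance and the removal described just above, done with the AWS CLI from PowerShell, as an added example that is not part of the original article. One polling function watches the directory status values listed earlier (joining, pending-join, joined, failed, removing, and so on) and stops on a terminal state rather than retrying a Failed join blindly. It assumes AWS CLI v2 with working credentials; the instance identifier, directory id and IAM role name are placeholders, and passing the literal value none to clear the domain follows the AWS CLI documentation as I understand it (an assumption; confirm against your CLI version).

```powershell
# Added example (not from the original article). Assumes AWS CLI v2 is installed and
# configured; replace the three placeholders with your own identifiers.
$instanceId  = 'sqlshack-rds-demo'                  # placeholder DB instance identifier
$directoryId = 'd-xxxxxxxxxx'                       # placeholder AWS Managed Microsoft AD id
$roleName    = 'rds-directoryservice-access-role'   # placeholder IAM role from the previous article

function Wait-RdsDomainStatus {
    param([string]$Id, [int]$MaxPolls = 40)
    for ($i = 0; $i -lt $MaxPolls; $i++) {
        Start-Sleep -Seconds 30
        $json = aws rds describe-db-instances --db-instance-identifier $Id --output json --no-cli-pager
        $db   = ($json | Out-String | ConvertFrom-Json).DBInstances[0]
        # DomainMemberships is empty once a removal completes (the console drops the column too)
        $status = if ($db.DomainMemberships) { $db.DomainMemberships[0].Status } else { 'none' }
        "{0}  instance={1}  directory={2}" -f (Get-Date -Format 'HH:mm:ss'), $db.DBInstanceStatus, $status
        $settled = ($db.DBInstanceStatus -eq 'available') -and ($status -in @('joined', 'failed', 'none'))
        if ($settled) { return $status }
    }
    throw "Directory status did not settle after $MaxPolls polls."
}

# Join: equivalent of Modify > Microsoft SQL Server Windows Authentication > choose directory > apply immediately
aws rds modify-db-instance --db-instance-identifier $instanceId --domain $directoryId `
    --domain-iam-role-name $roleName --apply-immediately --no-cli-pager | Out-Null
$result = Wait-RdsDomainStatus -Id $instanceId
if ($result -ne 'joined') {
    throw "Join ended in status '$result'; review the IAM role, security groups and DNS before retrying."
}

# Remove: equivalent of choosing None for the directory (literal 'none' per AWS CLI docs; assumed)
aws rds modify-db-instance --db-instance-identifier $instanceId --domain none `
    --domain-iam-role-name none --apply-immediately --no-cli-pager | Out-Null
$result = Wait-RdsDomainStatus -Id $instanceId
"Removal finished with directory status '$result'"
```

Each poll prints one line, so the transcript doubles as a record of how long the instance spent in Modifying and in each directory status; a join that stays in pending-join for many polls is the signal to check the security group between the instance and the directory's domain controllers.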
Conclusion

In this article, we explored the steps to add a domain membership to an AWS RDS SQL Server, along with the process to remove it. We also created a user in Active Directory and accessed the SQL database using Windows authentication. Windows authentication is always the recommended option. If you do not have an Active Directory, you can use the AWS Managed Active Directory service, as we saw in this article.

Translated from: https://www.sqlshack.com/advanced-windows-authentication-configurations-in-aws-rds-sql-server/
