Moving the MSDI database to a new Microsoft SQL Server instance
When Connector for Microsoft Dynamics (version 3.x) is installed a database master key is created (for encryption of passwords saved with adapter settings) using a random password. The downside of using a random password is the owner of the database will be unable to back up the master key allowing the key to be restored to a different Microsoft SQL Server. In order to restore the MSDI database to a different Microsoft SQL Server instance you will need to drop and add all the database security objects necessary to encrypt passwords on the new instance of the MSDI database. This will cause all password data in the adapters to be lost and need to be reentered before integrations can be run successfully after the move. The steps needed to move the MSDI database to a different Microsoft SQL Server are as follows:
- Backup the MSDI database on the Microsoft SQL Server where it currently resides
- Restore the MSDI database to the new Microsoft SQL Server instance
- If the new Microsoft SQL Server instance is on a different domain than the original Microsoft SQL Server, it may be necessary to set the DB Owner
- This allows you to drop and add the security objects
- Drop the ConnectorServiceSymmetricKey
- Drop the ConnectorServiceCertificate
- Drop the database master key from MSDI
- Create a new database master key
- The password must meet Windows policy for length and complexity
- Make note of this password so next time the master key can be restored to a new Microsoft SQL Server instance instead of being recreated
- Recreate ConnectorServiceCertificate
- Recreate ConnectorServiceSymmetricKey
- Grant Service account access to new Certificate and key
Below is the SQLCMD script necessary to complete all of the steps listed above. In order to run this in Microsoft SQL Server Management Studio you will need to use SQLCMD mode, which is found by clicking the Query menu and selecting SQLCMD Mode. If the database owner needs to be changed, uncomment the currently commented out lines of the script below.
:setvar NewDBOLogin "DOMAIN\username"
:setvar ServiceLogin "DOMAIN\username"
:setvar DatabaseMasterKey "your master key password"
--PRINT N'Change DBOwner to $(NewDBOLogin)...'
--EXEC SP_ChangeDbOwner '$(NewDBOLogin)'
PRINT N'Drop ConnectorServiceSymmetricKey...'
DROP SYMMETRIC KEY ConnectorServiceSymmetricKey
PRINT N'Drop ConnectorServiceCertificate...'
DROP CERTIFICATE ConnectorServiceCertificate
PRINT N'Drop MSDI Master Key...'
DROP MASTER KEY
PRINT N'Creating Master Key...'
CREATE MASTER KEY ENCRYPTION BY PASSWORD= N'$(DatabaseMasterKey)'
PRINT N'Creating [ConnectorServiceCertificate]...'
CREATE CERTIFICATE [ConnectorServiceCertificate]
WITH SUBJECT = N'Certificate for symmetric key encryption - for use by the connector service.';
PRINT N'Creating [ConnectorServiceSymmetricKey]...'
CREATE SYMMETRIC KEY [ConnectorServiceSymmetricKey]
WITH ALGORITHM = AES_256
ENCRYPTION BY CERTIFICATE [ConnectorServiceCertificate]
GRANT VIEW DEFINITION ON SYMMETRIC KEY::ConnectorServiceSymmetricKey TO [$(ServiceLogin)]
GRANT CONTROL ON CERTIFICATE::ConnectorServiceCertificate TO [$(ServiceLogin)]
The following two statements will remove any previously encrypted passwords from the database. Doing this will keep the service from logging errors in the event viewer while you update the passwords in the client
UPDATE Connector.Adapter SET Settings.modify('declare namespace x="http://www.microsoft.com/2009/Dynamics/Integration"; replace value of (/SettingsCollection/x:ArrayOfSettingsValue/x:SettingsValue[x:Attributes="Password"]/x:Value/text()) with ""')
GO UPDATE Connector.MapCategoryAdapterSettings SET Settings.modify('declare namespace x="http://www.microsoft.com/2009/Dynamics/Integration"; replace value of (/SettingsCollection/x:ArrayOfSettingsValue/x:SettingsValue[x:Attributes="Password"]/x:Value/text()) with ""')