THIS TOPIC APPLIES TO: SQL Server (starting with 2016)Azure SQL DatabaseAzure SQL Data Warehouse Parallel Data Warehouse
This topic describes considerations for deploying Always On availability groups, including prerequisites, restrictions, and recommendations for host computers, Windows Server Failover Clustering (WSFC) clusters, server instances, and availability groups. For each of these components security considerations and required permissions, if any, are indicated.
Before you deploy Always On availability groups, we strongly recommend that you read every section of this topic.
Depending on the SQL Server 2016 components and features you will use with Always On availability groups, you may need to install additional .Net hotfixes identified in the following table. The hotfixes can be installed in any order.
|Reporting Services||Hotfix for .Net 3.5 SP1 adds support to SQL Client for Always On features of Read-intent, readonly, and multisubnetfailover. The hotfix needs to be installed on each Reporting Services report server.||KB 2654347: Hotfix for .Net 3.5 SP1 to add support for Always On features|
In This Section:
To support the Always On availability groups feature, ensure that every computer that is to participate in one or more availability groups meets the following fundamental requirements:
|Ensure that the system is not a domain controller.||Availability groups are not supported on domain controllers.|
|Ensure that each computer is running Windows Server 2012 or later versions.||Hardware and Software Requirements for Installing SQL Server 2016|
|Ensure that each computer is a node in a Windows Server Failover Clustering (WSFC) cluster.||Windows Server Failover Clustering (WSFC) with SQL Server|
|Ensure that the WSFC cluster contains sufficient nodes to support your availability group configurations.||A WSFC node can host only one availability replica for a given availability group. On a given WSFC node, one or more instances of SQL Server can host availability replicas for many availability groups.
Ask your database administrators how many WSFC nodes are required for to support the availability replicas of the planned availability groups.
Overview of Always On Availability Groups (SQL Server).
Also ensure that your environment is correctly configured for connecting to an availability group. For more information, see Always On Client Connectivity (SQL Server).
Comparable systems: For a given availability group, all the availability replicas should run on comparable systems that can handle identical workloads.
Dedicated network adapters: For best performance, use a dedicated network adapter (network interface card) for Always On availability groups.
Sufficient disk space: Every computer on which a server instance hosts an availability replica must possess sufficient disk space for all the databases in the availability group. Keep in mind that as primary databases grow, their corresponding secondary databases grow the same amount.
To administer a WSFC cluster, the user must be a system administrator on every cluster node.
For more information about the account for administering the cluster, see Appendix A: Failover Cluster Requirements.
|Set the HostRecordTTL value.||Change the HostRecordTTL (Using Windows PowerShell)|
Open PowerShell window via Run as Administrator.
Import the FailoverClusters module.
Use the Get-ClusterResource cmdlet to find the Network Name resource, then use Set-ClusterParameter cmdlet to set the HostRecordTTL value, as follows:
Get-ClusterResource “<NetworkResourceName>” | Set-ClusterParameter HostRecordTTL <TimeInSeconds>
The following PowerShell example sets the HostRecordTTL to 300 seconds for a Network Name resource named
SQL Network Name (SQL35).
Import-Module FailoverClusters $nameResource = "SQL Network Name (SQL35)" Get-ClusterResource $nameResource | Set-ClusterParameter ClusterParameter HostRecordTTL 300
Every time you open a new PowerShell window, you need to import the FailoverClusters module.
Related Content (PowerShell)
Clustering and High-Availability (Failover Clustering and Network Load Balancing Team Blog)
Each availability group requires a set of failover partners, known as availability replicas, which are hosted by instances of SQL Server. A given server instance can be a stand-alone instance or a SQL Serverfailover cluster instance (FCI).
In This Section:
|The host computer must be a Windows Server Failover Clustering (WSFC) node. The instances of SQL Server that host availability replicas for a given availability group reside on separate nodes of a single WSFC cluster. An availability group can temporarily straddle two clusters while being migrated to another WSFC cluster. SQL Server 2016 introduces distributed availability groups. In a distributed availability group two availability groups reside on different WSFC clusters.||Windows Server Failover Clustering (WSFC) with SQL Server
Failover Clustering and Always On Availability Groups (SQL Server)
Distributed Availability Groups (Always On Availability Groups)
|If you want an availability group to work with Kerberos:
All server instances that host an availability replica for the availability group must use the same SQL Server service account.
The domain administrator needs to manually register a Service Principal Name (SPN) with Active Directory on the SQL Server service account for the virtual network name (VNN) of the availability group listener. If the SPN is registered on an account other than the SQL Server service account, authentication will fail.
** Important *\* If you change the SQL Server service account, the domain administrator will need to manually re-register the SPN.
|Register a Service Principal Name for Kerberos Connections
Kerberos and SPNs enforce mutual authentication. The SPN maps to the Windows account that starts the SQL Server services. If the SPN is not registered correctly or if it fails, the Windows security layer cannot determine the account associated with the SPN, and Kerberos authentication cannot be used.
Note: NTLM does not have this requirement.
|If you plan to use a SQL Server failover cluster instance (FCI) to host an availability replica, ensure that you understand the FCI restrictions and that the FCI requirements are met.||Prerequisites and Requirements on Using a SQL Server Failover Cluster Instance (FCI) to Host an Availability Replica (later in this topic)|
|Each server instance must be running the Enterprise Edition of SQL Server 2016.||Editions and Supported Features for SQL Server 2016|
|All the server instances that host availability replicas for an availability group must use the same SQL Server collation.||Set or Change the Server Collation|
|Enable the Always On availability groups feature on each server instance that will host an availability replica for any availability group. On a given computer, you can enable as many server instances for Always On availability groups as your SQL Server installation supports.||Enable and Disable Always On Availability Groups (SQL Server)
** Important *\* If you delete and re-create a WSFC cluster, you must disable and re-enable the Always On availability groups feature on each server instance that was enabled for Always On availability groups on the original WSFC cluster.
|Each server instance requires a database mirroring endpoint. Note that this endpoint is shared by all the availability replicas and database mirroring partners and witnesses on the server instance.
If a server instance that you select to host an availability replica is running under a domain user account and does not yet have a database mirroring endpoint, the New Availability Group Wizard (or Add Replica to Availability Group Wizard) can create the endpoint and grant CONNECT permission to the server instance service account. However, if the SQL Server service is running as a built-in account, such as Local System, Local Service, or Network Service, or a nondomain account, you must use certificates for endpoint authentication, and the wizard will be unable to create a database mirroring endpoint on the server instance. In this case, we recommend that you create the database mirroring endpoints manually before you launch the wizard.
** Security Note *\* Transport security for Always On availability groups is the same as for database mirroring.
|The Database Mirroring Endpoint (SQL Server)
Transport Security for Database Mirroring and Always On Availability Groups (SQL Server)
|If any databases that use FILESTREAM will be added to an availability group, ensure that FILESTREAM is enabled on every server instance that will host an availability replica for the availability group.||Enable and Configure FILESTREAM|
|If any contained databases will be added to an availability group, ensure that the contained database authentication server option is set to 1 on every server instance that will host an availability replica for the availability group.||contained database authentication Server Configuration Option
Server Configuration Options (SQL Server)
Always On availability groups has the following requirements for worker threads:
On an idle instance of SQL Server, Always On availability groups uses 0 threads.
The maximum number of threads used by availability groups is the configured setting for the maximum number of server threads ('max worker threads') minus 40.
The availability replicas hosted on a given server instance share a single thread pool.
Threads are shared on an on-demand basis, as follows:
Typically, there are 3–10 shared threads, but this number can increase depending on the primary replica workload.
If a given thread is idle for a while, it is released back into the general SQL Server thread pool. Normally, an inactive thread is released after ~15 seconds of inactivity. However, depending on the last activity, an idle thread might be retained longer.
A SQL Server instance uses up to 100 threads for parallel redo for secondary replicas. Each database uses up to one-half of the total number of CPU cores, but not more than 16 threads per database. If the total number of required threads for a single instance exceeds 100, SQL Server uses a single redo thread for every remaining database. Redo threads are released after ~15 seconds of inactivity.
In addition, availability groups use unshared threads, as follows:
Each primary replica uses 1 Log Capture thread for each primary database. In addition, it uses 1 Log Send thread for each secondary database. Log send threads are released after ~15 seconds of inactivity.
A backup on a secondary replica holds a thread on the primary replica for the duration of the backup operation.
For more information, see Always On - HADRON Learning Series: Worker Pool Usage for HADRON Enabled Databases (a CSS SQL Server Engineers Blog).
|Creating the database mirroring endpoint||Requires CREATE ENDPOINT permission, or membership in the sysadmin fixed server role. Also requires CONTROL ON ENDPOINT permission. For more information, see GRANT Endpoint Permissions (Transact-SQL).|
|Enabling Always On availability groups||Requires membership in the Administrator group on the local computer and full control on the WSFC cluster.|
|Determining whether database mirroring endpoint exists||sys.database_mirroring_endpoints (Transact-SQL)|
|Creating the database mirroring endpoint (if it does not yet exist)||Create a Database Mirroring Endpoint for Windows Authentication (Transact-SQL)
Use Certificates for a Database Mirroring Endpoint (Transact-SQL)
Create a Database Mirroring Endpoint for Always On Availability Groups (SQL Server PowerShell)
|Enabling Availability Groups||Enable and Disable Always On Availability Groups (SQL Server)|
We strongly recommend that you use the same network links for communications between WSFC cluster members and communications between availability replicas. Using separate network links can cause unexpected behaviors if some of links fail (even intermittently).
For example, for an availability group to support automatic failover, the secondary replica that is the automatic-failover partner must be in the SYNCHRONIZED state. If the network link to this secondary replica fails (even intermittently), the replica enters the UNSYNCHRONIZED state and cannot begin to resynchronize until the link is restored. If the WSFC cluster requests an automatic failover while the secondary replica is unsynchronized, automatic failover will not occur.
For information about Always On availability groups support for client connectivity, see Always On Client Connectivity (SQL Server).
Prerequisites and Restrictions for Using a SQL Server Failover Cluster Instance (FCI) to Host an Availability Replica
In This Section:
Failover Cluster Instances supports Clustered Shared Volumes (CSV). For more information on CSV, see Understanding Cluster Shared Volumes in a Failover Cluster.
The cluster nodes of an FCI can host only one replica for a given availability group: If you add an availability replica on an FCI, the WSFC cluster nodes that are possible FCI owners cannot host another replica for the same availability group.
Furthermore, every other replica must be hosted by an instance of SQL Server 2016 that resides on a different WSFC node in the same WSFC cluster. The only exception is that while being migrated to another WSFC cluster, an availability group can temporarily straddle two clusters.
FCIs do not support automatic failover by availability groups: FCIs do not support automatic failover by availability groups, so any availability replica that is hosted by an FCI can be configured for manual failover only.
Changing FCI network name: If you need to change the network name of an FCI that hosts an availability replica, you will need to remove the replica from its availability group and then add the replica back into the availability group. You cannot remove the primary replica, so if you are renaming an FCI that is hosting the primary replica, you should fail over to a secondary replica and then remove the former primary replica and add it back. Note that renaming an FCI might alter the URL of its database mirroring endpoint. When you add the replica ensure that you specify the current endpoint URL.
|Ensure that each SQL Server failover cluster instance (FCI) possesses the required shared storage as per standard SQL Server failover cluster instance installation.|
|Installing a SQL Server Failover Cluster||Create a New SQL Server Failover Cluster (Setup)|
|In-place upgrade of your existing SQL Server Failover Cluster||Upgrade a SQL Server Failover Cluster Instance (Setup)|
|Maintaining your existing SQL Server Failover Cluster||Add or Remove Nodes in a SQL Server Failover Cluster (Setup)|
In This Section:
Availability replicas must be hosted by different nodes of one WSFC cluster: For a given availability group, availability replicas must be hosted by server instances running on different nodes of the same WSFC cluster. The only exception is that while being migrated to another WSFC cluster, an availability group can temporarily straddle two clusters.
Virtual machines on the same physical computer can each host an availability replica for the same availability group because each virtual machine acts as a separate computer.
Unique availability group name: Each availability group name must be unique on the WSFC cluster. The maximum length for an availability group name is 128 characters.
Availability replicas: Each availability group supports one primary replica and up to eight secondary replicas. All of the replicas can run under asynchronous-commit mode, or up to three of them can run under synchronous-commit mode (one primary replica with two synchronous secondary replicas).
Maximum number of availability groups and availability databases per computer: The actual number of databases and availability groups you can put on a computer (VM or physical) depends on the hardware and workload, but there is no enforced limit. Microsoft has extensively tested with 10 AGs and 100 DBs per physical machine. Signs of overloaded systems can include, but are not limited to, worker thread exhaustion, slow response times for availability group system views and DMVs, and/or stalled dispatcher system dumps. Please make sure to thoroughly test your environment with a production-like workload to ensure it can handle peak workload capacity within your application SLAs. When considering SLAs be sure to consider load under failure conditions as well as expected response times.
Do not use the Failover Cluster Manager to manipulate availability groups:
Do not change any availability group properties, such as the possible owners.
Do not use the Failover Cluster Manager to fail over availability groups. You must use Transact-SQL or SQL Server Management Studio.
When creating or reconfiguring an availability group configuration, ensure that you adhere to the following requirements.
|If you plan to use a SQL Server failover cluster instance (FCI) to host an availability replica, ensure that you understand the FCI restrictions and that the FCI requirements are met.||Prerequisites and Restrictions for Using a SQL Server Failover Cluster Instance (FCI) to Host an Availability Replica (earlier in this topic)|
Security is inherited from the Windows Server Failover Clustering (WSFC) cluster. WSFC provides two levels of user security at granularity of entire WSFC cluster APIs:
Always On availability groups needs full control, and enabling Always On availability groups on an instance of SQL Server gives it full control of the WSFC cluster (through Service SID).
You cannot directly add or remove security for a server instance in the WSFC Failover Cluster Manager. To manage WSFC security sessions, use the SQL Server Configuration Manager or the WMI equivalent from SQL Server.
Each instance of SQL Server must have permissions to access the registry, cluster, and soforth.
We recommend that you use encryption for connections between server instances that host Always On availability groups availability replicas.
Permissions (Availability Groups)
|Creating an availability group||Requires membership in the sysadmin fixed server role and either CREATE AVAILABILITY GROUP server permission, ALTER ANY AVAILABILITY GROUP permission, or CONTROL SERVER permission.|
|Altering an availability group||Requires ALTER AVAILABILITY GROUP permission on the availability group, CONTROL AVAILABILITY GROUP permission, ALTER ANY AVAILABILITY GROUP permission, or CONTROL SERVER permission.
In addition, joining a database to an availability group requires membership in the db_owner fixed database role.
|Dropping/deleting an availability group||Requires ALTER AVAILABILITY GROUP permission on the availability group, CONTROL AVAILABILITY GROUP permission, ALTER ANY AVAILABILITY GROUP permission, or CONTROL SERVER permission. To drop an availability group that is not hosted on the local replica location you need CONTROL SERVER permission or CONTROL permission on that Availability Group.|
|Creating an availability group||Use the Availability Group (New Availability Group Wizard)
Create an Availability Group (Transact-SQL)
Create an Availability Group (SQL Server PowerShell)
Specify the Endpoint URL When Adding or Modifying an Availability Replica (SQL Server)
|Modifying the number of availability replicas||Add a Secondary Replica to an Availability Group (SQL Server)
Join a Secondary Replica to an Availability Group (SQL Server)
Remove a Secondary Replica from an Availability Group (SQL Server)
|Creating an availability group listener||Create or Configure an Availability Group Listener (SQL Server)|
|Dropping an availability group||Remove an Availability Group (SQL Server)|
To be eligible to be added to an availability group, a database must meet the following prerequisites and restrictions.
In This Section:
To be eligible to be added to an availability group, a database must:
|Be a user database. System databases cannot belong to an availability group.|
|Reside on the instance of SQL Server where you create the availability group and be accessible to the server instance.|
|Be a read-write database. Read-only databases cannot be added to an availability group.||sys.databases (is_read_only = 0)|
|Be a multi-user database.||sys.databases (user_access = 0)|
|Not use AUTO_CLOSE.||sys.databases (is_auto_close_on = 0)|
|Use the full recovery model (also known as, full recovery mode).||sys.databases (recovery_model = 1)|
|Possess at least one full database backup.
Note: After setting a database to full recovery mode, a full backup is required to initiate the full-recovery log chain.
|Create a Full Database Backup (SQL Server)|
|Not belong to any existing availability group.||sys.databases (group_database_id = NULL)|
|Not be configured for database mirroring.||sys.database_mirroring (If the database does not participate in mirroring, all columns prefixed with "mirroring_" are NULL.)|
|Before adding a database that uses FILESTREAM to an availability group, ensure that FILESTREAM is enabled on every server instance that hosts or will host an availability replica for the availability group.||Enable and Configure FILESTREAM|
|Before adding a contained database to an availability group, ensure that the contained database authentication server option is set to 1 on every server instance that hosts or will host an availability replica for the availability group.||contained database authentication Server Configuration Option
Server Configuration Options (SQL Server)
Always On availability groups works with any supported database compatibility level.
If the file path (including the drive letter) of a secondary database differs from the path of the corresponding primary database, the following restrictions apply:
New Availability Group Wizard/ Add Database to Availability Group Wizard: The Full option is not supported (on theSelect Initial Data Synchronization Page page),
RESTORE WITH MOVE: To create the secondary databases, the database files must be RESTORED WITH MOVE on each instance of SQL Server that hosts a secondary replica.
Impact on add-file operations: A later add-file operation on the primary replica might fail on the secondary databases. This failure could cause the secondary databases to be suspended. This, in turn, causes the secondary replicas to enter the NOT SYNCHRONIZING state.
For information about responding to a failed ad-file operation, see Troubleshoot a Failed Add-File Operation (Always On Availability Groups).
You cannot drop a database that currently belongs to an availability group.
If you use transparent data encryption (TDE), the certificate or asymmetric key for creating and decrypting other keys must be the same on every server instance that hosts an availability replica for the availability group. For more information, see Move a TDE Protected Database to Another SQL Server.
Requires ALTER permission on the database.
|Preparing a secondary database (manually)||Manually Prepare a Secondary Database for an Availability Group (SQL Server)|
|Joining a secondary database to availability group (manually)||Join a Secondary Database to an Availability Group (SQL Server)|
|Modifying the number of availability databases||Add a Database to an Availability Group (SQL Server)
Remove a Secondary Database from an Availability Group (SQL Server)
Remove a Primary Database from an Availability Group (SQL Server)