It is not uncommon for a DBA, or other IT staff, to set up AlwaysOn in a SQL environment and later leave the company. We ran into this recently with a client and were asked to delete the previous employee’s login from everything SQL related. We were able to remove the login from all databases and server roles, however we were not able to delete the login because it was the owner of an endpoint.
When creating an Always On Availability Group, you have the option of using the wizard or you can create it using T-SQL statements. The wizard is very intuitive and easy to use and with the exception of a few settings you can specify, default configurations are deployed using this method. One of the default configurations is the endpoint owner. Whoever creates the Availability Group is, by default, the owner of the endpoint.
This is generally not a problem…unless that person leaves the company and you need to delete the login! You will get an error message that says:
“The server principal owns one or more endpoint(s) and cannot be dropped (Microsoft SQL Server, Error: 15141)”.
To check and see who the owner of your endpoints are, run this statement:
USE master GO SELECT e.name as EndpointName, sp.name AS EndpointOwner, et.PayloadType, e.state_desc FROM sys.endpoints e INNER JOIN sys.server_principals sp ON e.principal_id = sp.principal_id RIGHT OUTER JOIN ( VALUES ( 2, 'TSQL'), ( 3, 'SERVICE_BROKER'), ( 4, 'DATABASE_MIRRORING') ) AS et ( typeid, PayloadType ) ON et.typeid = e.type
The AlwaysOn endpoint will have the name Hadr_endpoint and will have a DATABASE_MIRRORING payload type as shown below.
If your AlwaysOn AG group has already been created and there is a domain login as the owner, you can change the ownership to sa. Run the following statement to make the change:
USE master GO ALTER AUTHORIZATION ON ENDPOINT::Hadr_endpoint TO sa
This will allow you to delete any login who might have owned the endpoint if its ever necessary.
If you are creating an AlwaysOn Availablitiy Group and want to use T-SQL statements instead of the wizard, you have the ability to specify the endpoint owner. For complete instructions on how to set up the AlwaysOn group with TSQL click here:https://docs.microsoft.com/en-us/sql/database-engine/availability-groups/windows/create-an-availability-group-transact-sql
In order to create the endpoint with a specific user, run the following statement:
CREATE ENDPOINT endpoint_mirroring AUTHORIZATION <loginname> STATE = STARTED AS TCP (LISTENER_PORT = 5022) FOR DATABASE_MIRRORING ( AUTHENTICATION = WINDOWS KERBEROS, ENCRYPTION = SUPPORTED, ROLE=ALL); GO
In the statement above, if AUTHORIZATION is not specified with a SQL or Windows login, the caller will become the owner of the newly created endpoint. To use AUTHORIZATION and assign ownership to a login, the caller must have IMPERSONATE permission on the specified login.
Endpoints are a fundamental piece of SQL that allows a connection or point of entry into your SQL Server. Knowing who owns these endpoints and how to change the owner will potentially save you some headaches down the road in the event of IT staffing changes in your organization.