
Commit 82f0bd0

Merge branch 'release-tsql-reference' of https://github.com/MicrosoftDocs/sql-docs-pr into release-tsql-reference
2 parents 4bd0cc2 + 8eecf92 commit 82f0bd0

417 files changed

Lines changed: 2281 additions & 1144 deletions


docs/connect/ado-net/sql/sqlclient-support-always-encrypted.md

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
---
22
title: "Using Always Encrypted with SqlClient"
33
description: "Learn how to develop applications using Microsoft.Data.SqlClient and Always Encrypted to keep your data secure."
4-
ms.date: 03/03/2021
4+
ms.date: 05/19/2021
55
ms.assetid:
66
ms.prod: sql
77
ms.prod_service: connectivity
@@ -336,6 +336,9 @@ Azure Key Vault is a convenient option to store and manage column master keys fo
336336

337337
Starting with **v2.0.0**, the `Microsoft.Data.SqLClient.AlwaysEncrypted.AzureKeyVaultProvider` supports the new Azure.Core and Azure.Identity APIs to perform authentication with Azure Key Vault. An instance of [`TokenCredential`](/dotnet/api/azure.core.tokencredential) implementation can now be passed to [`SqlColumnEncryptionAzureKeyVaultProvider`](/dotnet/api/microsoft.data.sqlclient.alwaysencrypted.azurekeyvaultprovider.sqlcolumnencryptionazurekeyvaultprovider) constructors to initialize Azure Key Vault provider object.
338338

339+
> [!NOTE]
340+
> The `Microsoft.Data.SqLClient.AlwaysEncrypted.AzureKeyVaultProvider` supports both [Vaults and Managed HSMs in Azure Key Vault](/azure/key-vault/keys/about-keys).
341+
339342
For examples demonstrating performing encryption/decryption with Azure Key Vault, see [Azure Key Vault working with Always Encrypted](azure-key-vault-example.md) and [Azure Key Vault working with Always Encrypted with secure enclaves](azure-key-vault-enclave-example.md).
340343

341344
### Implementing a custom column master key store provider
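
Review bot: The added note at lines 339-340 repeats the `Microsoft.Data.SqLClient` spelling (capital L) from the paragraph above it, while the file's own description line and the link target on line 337 use `Microsoft.Data.SqlClient` / `microsoft.data.sqlclient`; the displayed package name should read `Microsoft.Data.SqlClient.AlwaysEncrypted.AzureKeyVaultProvider` in both places. The note also gives no minimum provider version for Managed HSM support, although the preceding paragraph ties the `TokenCredential` constructors to v2.0.0; state the version from which Managed HSM keys work so readers on older packages do not assume coverage.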

docs/connect/jdbc/connecting-using-azure-active-directory-authentication.md

Lines changed: 50 additions & 52 deletions
Large diffs are not rendered by default.

docs/connect/odbc/using-always-encrypted-with-the-odbc-driver.md

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@
22
title: Using Always Encrypted
33
description: Learn how to develop ODBC applications using Always Encrypted and the Microsoft ODBC Driver for SQL Server.
44
ms.custom: ""
5-
ms.date: 05/14/2021
5+
ms.date: 05/19/2021
66
ms.prod: sql
77
ms.technology: connectivity
88
ms.topic: conceptual
@@ -507,6 +507,9 @@ No other ODBC application changes are required to use AKV for CMK storage.
507507
> [!NOTE]
508508
> The driver contains a list of AKV endpoints which it trusts. Starting with driver version 17.5.2, this list is configurable: set the `AKVTrustedEndpoints` property in the driver or DSN's ODBCINST.INI or ODBC.INI registry key (Windows) or `odbcinst.ini` or `odbc.ini` file section (Linux/macOS) to a semicolon-delimited list. Setting it in the DSN takes precedence over a setting in the driver. If the value begins with a semicolon, it extends the default list; otherwise, it replaces the default list. The default list (as of 17.5) is `vault.azure.net;vault.azure.cn;vault.usgovcloudapi.net;vault.microsoftazure.de`. Starting with 17.7, the list also includes `managedhsm.azure.net;managedhsm.azure.cn;managedhsm.usgovcloudapi.net;managedhsm.microsoftazure.de`.
509509
510+
> [!NOTE]
511+
> The Azure Key Vault provider built in to the ODBC driver supports both [Vaults and Managed HSMs in Azure Key Vault](/azure/key-vault/keys/about-keys).
512+
510513
### Using the Windows Certificate Store provider
511514

512515
The ODBC Driver for SQL Server on Windows includes a built-in column master key store provider for the Windows Certificate Store, named `MSSQL_CERTIFICATE_STORE`. (This provider isn't available on macOS or Linux.) With this provider, the CMK is stored locally on the client machine and no extra configuration by the application is necessary to use it with the driver. However, the application must have access to the certificate and its private key in the store. For more information, see [Create and Store Column Master Keys (Always Encrypted)](../../relational-databases/security/encryption/create-and-store-column-master-keys-always-encrypted.md).
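
Review bot: The new note at lines 510-511 states Managed HSM support without a driver version, but the note directly above it says the `managedhsm.*` endpoints only joined the trusted list starting with 17.7. Say which driver version the support starts with, and whether extending `AKVTrustedEndpoints` is sufficient on versions 17.5.2 through 17.6, otherwise the two notes read as contradictory for users of those versions. Minor: "built in to" should be "built into".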

docs/database-engine/availability-groups/windows/distributed-availability-groups.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -130,7 +130,7 @@ Distributed availability groups can help you scale out a read-only farm more tha
130130
* You can use the primary replica of the second availability group in a distributed availability group to create another distributed availability group, even though the database is not in RECOVERY.
131131
* You can also use the primary replica of the first availability group to create another distributed availability group.
132132

133-
In other words, a primary replica can participate in two different distributed availability groups. The following figure shows AG 1 and AG 2 both participating in Distributed AG 1, while AG 2 and AG 3 are participating in Distributed AG 2. The primary replica (or forwarder) of AG 2 is both a secondary replica for Distributed AG 1 and a primary replica of Distributed AG 2.
133+
In other words, a primary replica can participate in different distributed availability groups. The following figure shows AG 1 and AG 2 both participating in Distributed AG 1, while AG 2 and AG 3 are participating in Distributed AG 2. The primary replica (or forwarder) of AG 2 is both a secondary replica for Distributed AG 1 and a primary replica of Distributed AG 2.
134134

135135
![Scaling out reads with distributed availability groups](./media/distributed-availability-group/dag-05-scaling-out-reads-with-distributed-ags.png)
136136
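
Review bot: On line 133, dropping "two" leaves "can participate in different distributed availability groups", which no longer says how many, while the rest of the paragraph and the figure still describe exactly two (Distributed AG 1 and Distributed AG 2). If the intent is to stop implying a limit of two, write "more than one distributed availability group" or state the actual limit.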

@@ -404,4 +404,4 @@ The below query displays information about the current state of seeding. This is
404404

405405
* [Use the new availability group dialog box (SQL Server Management Studio)](use-the-new-availability-group-dialog-box-sql-server-management-studio.md)
406406

407-
* [Create an availability group with Transact-SQL](create-an-availability-group-transact-sql.md)
407+
* [Create an availability group with Transact-SQL](create-an-availability-group-transact-sql.md)

docs/database-engine/availability-groups/windows/troubleshoot-always-on-availability-groups-configuration-sql-server.md

Lines changed: 101 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -126,9 +126,9 @@ ms.author: chadam
126126
ORDER BY Permission,grantor, grantee;
127127
```
128128

129-
6. Ensure correct server name is used in the endpoint URL
129+
6. Ensure correct server name is used in the endpoint URL
130130

131-
For server name in an endpoint URL, it is recommended to use fully qualified domain name (FQDN), although you can use any name that uniquely identifies the machine. The server address can be a Netbios name (if the systems are in the same domain), a fully qualified domain name (FQDN), or an IP address (preferably, a static IP address). Using the fully qualified domain name is the recommended option. For more information, see Specify the Endpoint URL When Adding or Modifying an Availability Replica (SQL Server).
131+
For server name in an endpoint URL, it is recommended to use fully qualified domain name (FQDN), although you can use any name that uniquely identifies the machine. The server address can be a Netbios name (if the systems are in the same domain), a fully qualified domain name (FQDN), or an IP address (preferably, a static IP address). Using the fully qualified domain name is the recommended option.
132132

133133
If you have already defined an Endpoint URL, you can query it by using:
134134
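
Review bot: Line 131 recommends the FQDN twice in one paragraph ("it is recommended to use fully qualified domain name (FQDN)" and "Using the fully qualified domain name is the recommended option"), and the sentence this hunk removes was the only pointer to the endpoint URL topic. Keep a single recommendation and restore the reference as a real link instead of deleting it. "Netbios" should be "NetBIOS".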

@@ -166,7 +166,7 @@ ms.author: chadam
166166
- If connection works by ServerName and not by IP address, then there could be more than one endpoint defined on that server (another SQL instance perhaps) that is listening on that port. Though the status of the endpoint on the instance in question shows "STARTED" another instance may actually have the port binding and prevent the correct instance from listening and establishing TCP connections.
167167
- If Telnet fails to connect, look for Firewall and/or Anti-virus software that may be blocking the endpoint port in question. Check the firewall setting to see if it allows the endpoint port communication between the server instances that host primary replica and the secondary replica (port 5022 by default).
168168
Run the following PowerShell script to examine for disabled inbound traffic rules
169-
- If Telnet fails to connect, look for Firewall and/or antivirus software that may be blocking the endpoint port in question. If you are running SQL Server on Azure VM, additionally you would need to [ensure Network Security Group (NSG) allows the traffic to endpoint port](https://docs.microsoft.com/azure/virtual-machines/windows/nsg-quickstart-portal#create-an-inbound-security-rule). Check the firewall (and NSG, for Azure VM) setting to see if it allows the endpoint port communication between the server instances that host primary replica and the secondary replica (port 5022 by default)
169+
- If Telnet fails to connect, look for Firewall and/or antivirus software that may be blocking the endpoint port in question. If you are running [!INCLUDE[ssNoVersion](../../../includes/ssnoversion-md.md)] on Azure VM, additionally you would need to [ensure Network Security Group (NSG) allows the traffic to endpoint port](/azure/virtual-machines/windows/nsg-quickstart-portal#create-an-inbound-security-rule). Check the firewall (and NSG, for Azure VM) setting to see if it allows the endpoint port communication between the server instances that host primary replica and the secondary replica (port 5022 by default)
170170
171171
```powershell
172172
Get-NetFirewallRule -Action Block -Enabled True -Direction Inbound |Format-Table
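
Review bot: The rewritten bullet at line 169 duplicates the unchanged bullet at line 167, which opens with the same "If Telnet fails to connect, look for Firewall and/or Anti-virus software" sentence and ends with the same port 5022 guidance; merge the two so the NSG advice is added to a single bullet. The new line also ends without a period after "(port 5022 by default)", and the "Run the following PowerShell script" lead-in at line 168 is separated from its code fence by this bullet.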
@@ -195,20 +195,108 @@ Summary of steps is outlined below. For detailed step-by-step instructions, plea
195195
4. Ensure the endpoint is defined so it correctly matches the IP/port that AG is using.
196196
5. Check whether the network service account has CONNECT permission to the endpoint.
197197
6. Check for possible name resolution issues
198-
7. Ensure your SQL Server is running a recent build (preferably the [latest build](https://docs.microsoft.com/troubleshoot/sql/general/determine-version-edition-update-level#latest-updates-available-for-currently-supported-versions-of-sql-server) to protect from running into fixed issues.
198+
7. Ensure your [!INCLUDE[ssNoVersion](../../../includes/ssnoversion-md.md)] is running a recent build (preferably the [latest build](/troubleshoot/sql/general/determine-version-edition-update-level#latest-updates-available-for-currently-supported-versions-of-sql-server) to protect from running into fixed issues.
199199
200200
## <a name="ROR"></a> Read-Only Routing is Not Working Correctly
201201
202-
Verify the following configuration values settings and correct them if necessary.
202+
1. Ensure that you have set up read-only routing by following [Configure read-only routing](../../availability-groups/windows/configure-read-only-routing-for-an-availability-group-sql-server.md) document.
203+
204+
2. Ensure Client Driver Support
205+
206+
The client application must use a client providers that support `ApplicationIntent` parameter. See [Driver and client connectivity support for availability groups](always-on-client-connectivity-sql-server.md)
207+
208+
> [!NOTE]
209+
> If you are connecting to a distributed network name (DNN) Listener, the provider must also support `MultiSubnetFailover` parameter
210+
211+
3. Ensure connection string properties are set correctly
212+
213+
For read-only routing to work properly, your client application must use these properties in the connection string:
203214
204-
|On...|Action|Comments|Link|
205-
|---------|------------|--------------|----------|
206-
|Current primary replica|Ensure that the availability group listener is online.|**To verify whether the listener is online:**<br /><br /> `SELECT * FROM sys.dm_tcp_listener_states;`<br /><br /> **To restart an offline listener:**<br /><br /> `ALTER AVAILABILITY GROUP myAG RESTART LISTENER 'myAG_Listener';`|[sys.dm_tcp_listener_states &#40;Transact-SQL&#41;](../../../relational-databases/system-dynamic-management-views/sys-dm-tcp-listener-states-transact-sql.md)<br /><br /> [ALTER AVAILABILITY GROUP &#40;Transact-SQL&#41;](../../../t-sql/statements/alter-availability-group-transact-sql.md)|
207-
|Current primary replica|Ensure that the READ_ONLY_ROUTING_LIST contains only server instances that are hosting a readable secondary replica.|**To identify readable secondary replicas:** sys.availability_replicas (**secondary_role_allow_connections_desc** column)<br /><br /> **To view a read-only routing list:** sys.availability_read_only_routing_lists<br /><br /> **To change a read-only routing list:** ALTER AVAILABILITY GROUP|[sys.availability_replicas &#40;Transact-SQL&#41;](../../../relational-databases/system-catalog-views/sys-availability-replicas-transact-sql.md)<br /><br /> [sys.availability_read_only_routing_lists &#40;Transact-SQL&#41;](../../../relational-databases/system-catalog-views/sys-availability-read-only-routing-lists-transact-sql.md)<br /><br /> [ALTER AVAILABILITY GROUP &#40;Transact-SQL&#41;](../../../t-sql/statements/alter-availability-group-transact-sql.md)|
208-
|Every replica in the read_only_routing_list|Ensure that the Windows firewall is not blocking the READ_ONLY_ROUTING_URL port.|-|[Configure a Windows Firewall for Database Engine Access](../../../database-engine/configure-windows/configure-a-windows-firewall-for-database-engine-access.md)|
209-
|Every replica in the read_only_routing_list|In [!INCLUDE[ssNoVersion](../../../includes/ssnoversion-md.md)] Configuration Manager, verify that:<br /><br /> SQL Server remote connectivity is enabled.<br /><br /> TCP/IP is enabled.<br /><br /> The IP addresses are configured correctly.|-|[View or Change Server Properties &#40;SQL Server&#41;](../../../database-engine/configure-windows/view-or-change-server-properties-sql-server.md)<br /><br /> [Configure a Server to Listen on a Specific TCP Port &#40;SQL Server Configuration Manager&#41;](../../../database-engine/configure-windows/configure-a-server-to-listen-on-a-specific-tcp-port.md)|
210-
|Every replica in the read_only_routing_list|Ensure that the READ_ONLY_ROUTING_URL (TCP<strong>://</strong>*system-address*<strong>:</strong>*port*) contains the correct fully-qualified domain name (FQDN) and port number.|-|[Calculating read_only_routing_url for Always On](/archive/blogs/mattn/calculating-read_only_routing_url-for-alwayson)<br /><br /> [sys.availability_replicas &#40;Transact-SQL&#41;](../../../relational-databases/system-catalog-views/sys-availability-replicas-transact-sql.md)<br /><br /> [ALTER AVAILABILITY GROUP &#40;Transact-SQL&#41;](../../../t-sql/statements/alter-availability-group-transact-sql.md)|
211-
|Client system|Verify that the client driver supports read-only routing.|-|[Always On Client Connectivity &#40;SQL Server&#41;](../../../database-engine/availability-groups/windows/always-on-client-connectivity-sql-server.md)|
215+
- A database name that belongs to the AG
216+
- An availability group listener name
217+
- If you are using DNN, you must specify DNN listener name and DNN port number `<DNN name,DNN port>`
218+
- ApplicationIntent set to ReadOnly
219+
- MultiSubnetFailover set to true is required for Distributed network name (DNN)
220+
221+
### Examples
222+
223+
This illustrates the connection string for .NET System.Data.SqlClient provider for a virtual network name (VNN) listener:
224+
225+
```csharp
226+
Server=tcp:VNN_AgListener,1433;Database=AgDb1;ApplicationIntent=ReadOnly;MultiSubnetFailover=True
227+
```
228+
229+
This illustrates the connection string for .NET System.Data.SqlClient provider for a distributed network name (DNN) listener:
230+
231+
```csharp
232+
Server=tcp:DNN_AgListener,DNN_Port;Database=AgDb1;ApplicationIntent=ReadOnly;MultiSubnetFailover=True
233+
```
234+
235+
> [!NOTE]
236+
> If you are using command line programs like SQLCMD, ensure that you specify the correct switches for server name. For instance, in SQLCMD you must use the upper case -S switch that specifies server name, not the lower case -s switch which is used for column separator.
237+
> </br>Example: `sqlcmd -S AG_Listener,port -E -d AgDb1 -K ReadOnly -M`
238+
239+
4. Ensure that the availability group listener is online. To ensure that the availability group listener is online run the following query on the primary replica:
240+
241+
```sql
242+
SELECT * FROM sys.dm_tcp_listener_states;
243+
```
244+
245+
If you find the listener is offline you can attempt to bring it online using a command like this:
246+
247+
```sql
248+
ALTER AVAILABILITY GROUP myAG RESTART LISTENER 'AG_Listener';
249+
```
250+
251+
5. Ensure READ_ONLY_ROUTING_LIST is correctly populated. On Primary replica, ensure that the READ_ONLY_ROUTING_LIST contains only server instances that are hosting readable secondary replicas.
252+
253+
To view the properties of each replica you can run this query and examine the connectivity endpoint (URL) of the read only replica.
254+
255+
```sql
256+
SELECT replica_id, replica_server_name, secondary_role_allow_connections_desc, read_only_routing_url
257+
FROM sys.availability_replicas;
258+
```
259+
260+
To view a read-only routing list and compare to the endpoint URL:
261+
262+
```sql
263+
SELECT * FROM sys.availability_read_only_routing_lists;
264+
```
265+
266+
To change a read-only routing list you can use a query like this:
267+
268+
```sql
269+
ALTER AVAILABILITY GROUP [AG1]
270+
MODIFY REPLICA ON
271+
N'COMPUTER02' WITH
272+
(PRIMARY_ROLE (READ_ONLY_ROUTING_LIST=('COMPUTER01','COMPUTER02')));
273+
```
274+
275+
For more information see [Configure read-only routing for an availability group - SQL Server Always On](configure-read-only-routing-for-an-availability-group-sql-server.md)
276+
277+
6. Check that READ_ONLY_ROUTING_URL port is open. Ensure that the Windows firewall is not blocking the READ_ONLY_ROUTING_URL port. Configure a Windows Firewall for database engine access on every replica in the read_only_routing_list and any for clients that will be connecting to those replicas.
278+
279+
>[!NOTE]
280+
> If you are running [!INCLUDE[ssNoVersion](../../../includes/ssnoversion-md.md)] on Azure VM, you must take additional configuration steps. Ensure that the network security group (NSG) of each replica VM allows traffic to the endpoint port and the DNN port, if you are using DNN listener. If you are using VNN listener, you must ensure the [load balancer is configured correctly](/azure/azure-sql/virtual-machines/windows/availability-group-load-balancer-portal-configure).
281+
282+
7. Ensure that the READ_ONLY_ROUTING_URL (TCP://system-address:port) contains the correct fully-qualified domain name (FQDN) and port number. See:
283+
- [Calculating read_only_routing_url for Always On](/archive/blogs/mattn/calculating-read_only_routing_url-for-alwayson)
284+
- [sys.availability_replicas (Transact-SQL)](../../../relational-databases/system-catalog-views/sys-availability-replicas-transact-sql.md)
285+
- [ALTER AVAILABILITY GROUP (Transact-SQL)](../../../t-sql/statements/alter-availability-group-transact-sql.md)
286+
287+
8. Ensure proper SQL Server Networking configuration in the [!INCLUDE[ssNoVersion](../../../includes/ssnoversion-md.md)] Configuration Manager.
288+
289+
Verify on every replica in the read_only_routing_list that:
290+
- [!INCLUDE[ssNoVersion](../../../includes/ssnoversion-md.md)] remote connectivity is enabled
291+
- TCP/IP is enabled
292+
- The IP addresses are configured correctly
293+
294+
> [!NOTE]
295+
> You can quickly verify all of these are properly configured if you can connect from a remote machine to a target secondary replica's [!INCLUDE[ssNoVersion](../../../includes/ssnoversion-md.md)] instance name using `TCP:SQL_Instance` syntax.
296+
297+
See: [Configure a Server to Listen on a Specific TCP Port (SQL Server Configuration Manager)](../../configure-windows/configure-a-server-to-listen-on-a-specific-tcp-port.md) and [View or Change Server Properties (SQL Server)](../../configure-windows/view-or-change-server-properties-sql-server.md)
298+
299+
212300

213301
## <a name="RelatedTasks"></a> Related Tasks
214302
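
Review bot: In step 5 (lines 269-272) the example sets `READ_ONLY_ROUTING_LIST=('COMPUTER01','COMPUTER02')` on replica `COMPUTER02` itself, while line 251 says the list must contain only server instances hosting readable secondary replicas; either explain why the replica's own name appears in its list or drop it from the example. Other points in this hunk: line 198 opens "(preferably the [latest build]" and never closes the parenthesis; line 206 "a client providers that support" should be "a client provider that supports"; line 237 uses `</br>`, which is not a valid tag (use `<br/>`); line 277 "and any for clients" is garbled; the connection strings at lines 225-233 are fenced as `csharp` although they are not C# code; and the examples mix `myAG` (line 248) with `[AG1]` (line 269), so a reader cannot tell whether they refer to the same group.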

docs/database-engine/configure-windows/configure-the-max-degree-of-parallelism-server-configuration-option.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -24,7 +24,7 @@ ms.custom: contperf-fy20q4
2424

2525
> [!NOTE]
2626
> [!INCLUDE [sssql19-md](../../includes/sssql19-md.md)] introduces automatic recommendations for setting the MAXDOP server configuration option during the installation process based on the number of processors available. The setup user interface allows you to either accept the recommended settings or enter your own value. For more information, see [Database Engine Configuration - MaxDOP page](../../sql-server/install/instance-configuration.md#maxdop).<BR>
27-
However, in Azure SQL, the default MAXDOP setting for each new single database and elastic pool database is 8. For more on MAXDOP in [!INCLUDE[ssSDSfull](../../includes/sssdsfull-md.md)], see [Configure the max degree of parallelism (MAXDOP) in Azure SQL Database](/azure/azure-sql/database/configure-max-degree-of-parallelism).
27+
However, in Azure SQL, the default MAXDOP setting for each **new** single database, elastic pool database and managed instance is 8. For more on MAXDOP in [!INCLUDE[ssSDSfull](../../includes/sssdsfull-md.md)], see [Configure the max degree of parallelism (MAXDOP) in Azure SQL Database](/azure/azure-sql/database/configure-max-degree-of-parallelism).
2828

2929
## <a name="BeforeYouBegin"></a> Before You Begin
3030
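
Review bot: Line 27 now says the default of 8 also applies to managed instance, but the follow-up sentence and its link still point only to Azure SQL Database ("Configure the max degree of parallelism (MAXDOP) in Azure SQL Database"). Add the matching managed instance reference or say that the linked article covers it. The line also lacks the leading `>` that lines 25-26 carry, so it relies on lazy continuation to stay inside the note; prefix it for consistency.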
