ApsaraDB RDS for SQL Server supports host accounts. You can create a host account and use it to log on to the ApsaraDB RDS for SQL Server host to simplify database management and operations. By default, a host account password is valid for only 42 days. An expired password will cause logon failures. To prevent this, set a password policy in advance. The policy is automatically applied to the host account and does not require manual configuration.
Prerequisites
The RDS instance meets the following requirements:
The RDS instance runs RDS Basic Edition, RDS High-availability Edition, or RDS Cluster Edition. If your RDS instance runs RDS High-availability Edition, make sure that the instance runs SQL Server 2012 or later.
The RDS instance belongs to the general-purpose or dedicated instance family. The shared instance family is not supported.
The RDS instance uses the subscription or pay-as-you-go billing method. Serverless instances are not supported.
The RDS instance resides in a virtual private cloud (VPC). For more information about how to change the network type of an RDS instance, see Change the network type.
The creation time of the RDS instance meets the following requirements:
If the RDS instance runs RDS High-availability Edition or RDS Cluster Edition, the instance is created on or after January 01, 2021.
If the RDS instance runs RDS Basic Edition, the instance is created on or after September 02, 2022.
Note: You can view the Creation Time parameter of an RDS instance in the Status section of the Basic Information page in the ApsaraDB RDS console.
An Alibaba Cloud account is used to log on to the RDS instance.
Precautions
Jushita does not support host accounts.
An RDS instance supports only one host account with System Admin permissions.
The host account name cannot be any of the following reserved keywords:
root|admin|eagleye|master|aurora|sysadmin|administrator|mssqld|public|securityadmin|serveradmin|setupadmin|processadmin|diskadmin|dbcreator|bulkadmin|tempdb|msdb|model|distribution|mssqlsystemresource|guest|add|except|percent|all|exec|plan|alter|execute|precision|and|exists|primary|any|exit|print|as|fetch|proc|asc|file|procedure|authorization|fillfactor|public|backup|for|raiserror|begin|foreign|read|between|freetext|readtext|break|freetexttable|reconfigure|browse|from|references|bulk|full|replication|by|function|restore|cascade|goto|restrict|case|grant|return|check|group|revoke|checkpoint|having|right|close|holdlock|rollback|clustered|identity|rowcount|coalesce|identity_insert|rowguidcol|collate|identitycol|rule|column|if|save|commit|in|schema|compute|index|select|constraint|inner|session_user|contains|insert|set|containstable|intersect|setuser|continue|into|shutdown|convert|is|some|create|join|statistics|cross|key|system_user|current|kill|table|current_date|left|textsize|current_time|like|then|current_timestamp|lineno|to|current_user|load|top|cursor|national|tran|database|nocheck|transaction|dbcc|nonclustered|trigger|deallocate|not|truncate|declare|null|tsequal|default|nullif|union|delete|of|unique|deny|off|update|desc|offsets|updatetext|disk|on|use|distinct|open|user|distributed|opendatasource|values|double|openquery|varying|drop|openrowset|view|dummy|openxml|waitfor|dump|option|when|else|or|where|end|order|while|errlvl|outer|with|escape|over|writetext||dbo|login|sys|drc_rds
When the instance is migrated across hosts, such as during a major version upgrade, minor engine version upgrade, major version upgrade when changing specifications, or zone migration, the host account and any programs or files deployed on the original host, such as SSIS, SSAS, and SSRS, are deleted. You must back up or migrate your data in advance.
Important: ApsaraDB RDS for SQL Server is based on the native Microsoft SQL Server kernel and focuses on providing stable and efficient managed database services. If your business requires features such as SSIS, SSAS, or SSRS, you need professional Operations and Maintenance (O&M) capabilities to ensure business continuity.
Impact on use
The host account has the highest permissions on the host. Operations performed by this account are beyond the control of ApsaraDB RDS for SQL Server. Therefore, any RDS for SQL Server instance for which a host account has been created is no longer covered by the SLA. You are responsible for the instance environment. However, this does not affect the normal use of the instance or its after-sales service. RDS for SQL Server instances that have never had a host account remain fully covered by the SLA.
Recommendations
The host account has extensive permissions that are beyond the control of ApsaraDB RDS for SQL Server. When you use this account, follow these recommendations:
Do not manage the rdscore database on an RDS instance that runs RDS High-availability Edition or RDS Cluster Edition.
Do not manage system accounts. For more information, see System accounts.
Do not perform physical backups on your on-premises device. If you perform physical backups on your on-premises device, the point-in-time recovery (PITR) of your RDS instance is affected. We recommend that you use the backup feature provided by ApsaraDB RDS. For more information, see Back up an ApsaraDB RDS for SQL Server instance.
Do not move the RDS instance that runs RDS High-availability Edition or RDS Cluster Edition or manage high-availability objects, for example by performing the DROP AVAILABILITY GROUP operation.
Do not store data in drive C (system disk).
Do not modify the existing server-level triggers in the RDS instance, including [_$$_tr_$$_rds_alter_database], [_$$_tr_$$_rds_alter_login], [_$$_tr_$$_rds_create_database], [_$$_tr_$$_rds_create_login], [_$$_tr_$$_rds_drop_database], [_$$_tr_$$_rds_drop_login], and [_$$_tr_$$_rds_server_role].
Do not modify the core configurations of the RDS instance, such as the startup account and port.
Do not change the password of the Windows administrator.
Procedure
Step 1: Create a host account
Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
In the navigation pane on the left, click Accounts.
Click the Host Account tab, click Create Account, and then set the following parameters.
Parameter: Description
Host Account Name: Must consist of lowercase letters, digits, or underscores (_). It must start with a letter and end with a letter or digit. The name can be up to 16 characters long.
Account Type: Standard Account creates a standard host account. System Admin Account creates a host account with System Admin permissions. An RDS instance supports only one host account of this type. For more information about privileged accounts, see Database accounts with SA permissions.
New Password: Set the account password. The password must be 8 to 32 characters in length and contain at least three of the following character types: uppercase letters, lowercase letters, digits, and special characters. Special characters are !@#$%^&*()_+-=.
Confirm Password: Enter the same password again to confirm it.
Remarks: Enter remarks. The remarks can be up to 256 characters long.
Select I Have Read And Agree To The Changes To The RDS Service Level Agreement For Creating A Host Account.
Click OK.
(Optional) Reset the password or delete the host account.
In the Actions column, click Reset Password or Delete to manage the account.
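The naming rules in the parameter table, the reserved-keyword restriction in Precautions, and the password requirements can be checked before you submit the form. The following is an added example, not code from ApsaraDB RDS; the function names are hypothetical, the keyword string is an excerpt of the list on this page, and two readings of the page are assumptions: the trailing "." after the special characters is treated as punctuation, and characters outside the four listed types are rejected.

```python
import re

# Excerpt of the reserved-keyword list in the Precautions section, pipe-delimited
# as on the page. Pass the full list as `reserved` for a complete check.
RESERVED_EXCERPT = "root|admin|sysadmin|administrator|public|guest||dbo|login|sys|drc_rds"

# Assumption: the "." that ends the special-character list on the page is
# sentence punctuation, not an allowed special character.
SPECIALS = set("!@#$%^&*()_+-=")

# Starts with a letter, ends with a letter or digit, 1 to 16 characters in total.
NAME_RE = re.compile(r"[a-z](?:[a-z0-9_]{0,14}[a-z0-9])?")


def check_name(name, reserved=RESERVED_EXCERPT):
    """Return the rule violations for a host account name (empty list = OK)."""
    problems = []
    if not NAME_RE.fullmatch(name):
        problems.append("name: bad format or longer than 16 characters")
    # The list on the page contains an empty item ("||"); drop it.
    keywords = {k for k in reserved.lower().split("|") if k}
    if name.lower() in keywords:
        problems.append("name: reserved keyword")
    return problems


def check_password(password):
    """Return the rule violations for a host account password (empty list = OK)."""
    problems = []
    if not 8 <= len(password) <= 32:
        problems.append("password: length must be 8 to 32")
    classes = [
        any(c.isascii() and c.isupper() for c in password),
        any(c.isascii() and c.islower() for c in password),
        any(c.isascii() and c.isdigit() for c in password),
        any(c in SPECIALS for c in password),
    ]
    if sum(classes) < 3:
        problems.append("password: fewer than three character types")
    # Assumption: anything outside the four listed types is rejected.
    extra = sorted({c for c in password
                    if not (c.isascii() and c.isalnum()) and c not in SPECIALS})
    if extra:
        problems.append("password: unsupported characters " + "".join(extra))
    return problems
```

Both functions return a list of violations, so an empty list means the value passes every rule encoded here.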

Step 2: Log on to the RDS SQL Server host with the host account
Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
In the navigation pane on the left, click Accounts.
Click the Host Account tab. In the Actions column for the target account, click Remote Connection (Primary).
In the Remote Connection dialog box that appears, enter the host account password.

Click OK.
After you click OK, the system generates a WebShell logon URL and automatically logs you on to the host of the SQL Server instance. A new WebShell page opens in a pop-up window. Your browser may block the pop-up window. If this happens, configure your browser to allow pop-ups from this site.

FAQ
What do I do if the message "The specified host information does not exist." appears when I try to remotely connect with an RDS host account?
How do I get the hostname and WebShell logon URL for an RDS SQL Server instance?
Related operations
After you log on to the host, you can use SQL Server Reporting Services (SSRS) to manage and operate the SQL Server database.
You can call the DescribeHostWebShell operation to query the WebShell logon information for an RDS for SQL Server instance.
You can call the DescribeDBInstanceIpHostname operation to query the IpHostnameInfos of the underlying ECS instance for an RDS for SQL Server instance.