Upgrade your Internet Experience
Microsoft.com
Welcome Sign in
SQL Server Developer Center
Click to Rate and Give Feedback
MSDN
MSDN Library
SQL Server
SQL Server 2008
Database Engine
Operations
High Availability
Database Mirroring
 Automatic Failover

  Switch on low bandwidth view
Community Content
In this section
Statistics Annotations (0)
Other versions are also available for the following:
SQL Server 2008 Books Online (June 2009)
Automatic Failover

Automatic failover is supported only in database mirroring sessions running with a witness in high-safety mode (high-safety mode with automatic failover). In high-safety mode with automatic failover, once the database is synchronized, if the principal database becomes unavailable, an automatic failover occurs. An automatic failover causes the mirror server to take over the role of principal server and bring its copy of the database online as the principal database. Requiring that the database be synchronized prevents data loss during failover, because every transaction committed on the principal database is also committed on the mirror database.

For automatic failover to improve reliability, the mirror and principal databases must reside on different computers.

Automatic failover requires the following conditions:

  • The database mirroring session must be running in high-safety mode and must possess a witness. For more information, see Synchronous Database Mirroring (High-Safety Mode).
  • The mirror database must already be synchronized. This guarantees that all of the log sent to the mirror server has been written to disk.
  • The principal server has lost communication with the rest of the database mirroring configuration, while the mirror and witness retain quorum. If all server instances lose communication, however, and the witness and the mirror server later regain communication, automatic failover does not occur.
    ms189590.note(en-us,SQL.100).gifNote:
    For more information, see Quorum: How a Witness Affects Database Availability.

  • The mirror server has detected the loss of the principal server.
    How the mirror server detects a failure of the principal server depends on whether it is a hard or soft failure. For more information, see Possible Failures During Database Mirroring.

Under the preceding conditions, automatic failover initiates the following sequence of actions:

  1. If the principal server is still running, it changes the state of the principal database to DISCONNECTED and disconnects all clients from the principal database.
  2. The witness and mirror servers register that the principal server is unavailable.
  3. If any log is waiting in the redo queue, the mirror server finishes rolling forward the mirror database.
    ms189590.note(en-us,SQL.100).gifNote:
    The amount of time required to apply the log depends on the speed of the system, the recent work load, and the amount of log in the redo queue.

  4. The former mirror database moves online as the new principal database, and recovery cleans up all uncommitted transactions by rolling them back as quickly as possible. Locks isolate those transactions.
  5. When the former principal server rejoins the session, it recognizes that its failover partner now owns the principal role. The former principal server takes on the role of mirror, making its database the mirror database. The new mirror server synchronizes the new mirror database with the principal database as quickly as possible. As soon as the new mirror server has resynchronized the databases, failover is again possible, but in the reverse direction.

The following illustration shows a single instance of automatic failover.

Automatic failover

Initially, all three servers are connected (the session has full quorum). Partner_A is the principal server and Partner_B is the mirror server. Partner_A (or the principal database on Partner_A) becomes unavailable. The witness and Partner_B both recognize that the principal is no longer available the session retains quorum. Partner_B becomes the principal server and makes its copy of the database available as the new principal database. Eventually, Partner_A reconnects to the session and discovers that Partner_B now owns the principal role. Partner_A then takes on the mirror role.

After failover, clients must reconnect to the current principal database. For more information, see Connecting Clients to a Mirrored Database.

ms189590.note(en-us,SQL.100).gifNote:
Transactions that have been prepared using the Microsoft Distributed Transaction Coordinator but are still not committed when a failover occurs, are considered aborted after the database has failed over.

To disable automatic failover, open the Database Properties Mirroring page, and change the operating mode by selecting one of the following options:

To change the operating mode

At any point in a database mirroring session, the database owner can disable automatic failover by turning off the witness.

To turn off the witness

Tags What's this?: Add a tag
Community Content   What is Community Content?
Add new content RSS  Annotations
© 2009 Microsoft Corporation. All rights reserved. Terms of Use  |  Trademarks  |  Privacy Statement
Page view tracker