functions/Copy-DbaLinkedServer.ps1

function Copy-DbaLinkedServer {
    <#
        .SYNOPSIS
            Copy-DbaLinkedServer migrates Linked Servers from one SQL Server to another. Linked Server logins and passwords are migrated as well.
 
        .DESCRIPTION
            By using password decryption techniques provided by Antti Rantasaari (NetSPI, 2014), this script migrates SQL Server Linked Servers from one server to another, while maintaining username and password.
 
            Credit: https://blog.netspi.com/decrypting-mssql-database-link-server-passwords/
            License: BSD 3-Clause http://opensource.org/licenses/BSD-3-Clause
 
        .PARAMETER Source
            Source SQL Server (2005 and above). You must have sysadmin access to both SQL Server and Windows.
 
        .PARAMETER SourceSqlCredential
            Allows you to login to servers using SQL Logins as opposed to Windows Auth/Integrated/Trusted. To use:
 
            $scred = Get-Credential, then pass $scred object to the -SourceSqlCredential parameter.
 
            Windows Authentication will be used if DestinationSqlCredential is not specified. SQL Server does not accept Windows credentials being passed as credentials.
            To connect as a different Windows user, run PowerShell as that user.
 
        .PARAMETER Destination
            Destination SQL Server (2005 and above). You must have sysadmin access to both SQL Server and Windows.
 
        .PARAMETER DestinationSqlCredential
            Allows you to login to servers using SQL Logins as opposed to Windows Auth/Integrated/Trusted. To use:
 
            $dcred = Get-Credential, then pass this $dcred to the -DestinationSqlCredential parameter.
 
            Windows Authentication will be used if DestinationSqlCredential is not specified. SQL Server does not accept Windows credentials being passed as credentials.
            To connect as a different Windows user, run PowerShell as that user.
 
        .PARAMETER LinkedServer
            The linked server(s) to process - this list is auto-populated from the server. If unspecified, all linked servers will be processed.
 
        .PARAMETER ExcludeLinkedServer
            The linked server(s) to exclude - this list is auto-populated from the server
     
        .PARAMETER UpgradeSqlClient
            Upgrade any SqlClient Linked Server to the current Version
 
        .PARAMETER WhatIf
            Shows what would happen if the command were to run. No actions are actually performed.
 
        .PARAMETER Confirm
            Prompts you for confirmation before executing any changing operations within the command.
 
        .PARAMETER Force
            By default, if a Linked Server exists on the source and destination, the Linked Server is not copied over. Specifying -force will drop and recreate the Linked Server on the Destination server.
 
        .PARAMETER Silent
            Use this switch to disable any kind of verbose messages
 
        .NOTES
            Tags: WSMan, Migration, LinkedServer
            Author: Chrissy LeMaire (@cl), netnerds.net
            Requires: sysadmin access on SQL Servers, Remote Registry & Remote Administration enabled and accessible on source server.
 
            Limitations: Hasn't been tested thoroughly. Works on Win8.1 and SQL Server 2012 & 2014 so far.
            This just copies the SQL portion. It does not copy files (ie. a local SQLite database, or Microsoft Access DB), nor does it configure ODBC entries.
 
        .LINK
            https://dbatools.io/Copy-DbaLinkedServer
 
        .EXAMPLE
            Copy-DbaLinkedServer -Source sqlserver2014a -Destination sqlcluster
 
            Description
            Copies all SQL Server Linked Servers on sqlserver2014a to sqlcluster. If Linked Server exists on destination, it will be skipped.
 
        .EXAMPLE
            Copy-DbaLinkedServer -Source sqlserver2014a -Destination sqlcluster -LinkedServer SQL2K5,SQL2k -Force
 
            Description
            Copies over two SQL Server Linked Servers (SQL2K and SQL2K2) from sqlserver to sqlcluster. If the credential already exists on the destination, it will be dropped.
    #>

    [CmdletBinding(DefaultParameterSetName = "Default", SupportsShouldProcess = $true)]
    Param (
        [parameter(Mandatory = $true)]
        [DbaInstanceParameter]$Source,
        [PSCredential]$SourceSqlCredential,
        [parameter(Mandatory = $true)]
        [DbaInstanceParameter]$Destination,
        [PSCredential]$DestinationSqlCredential,
        [object[]]$LinkedServer,
        [object[]]$ExcludeLinkedServer,
        [switch]$UpgradeSqlClient,
        [switch]$Force,
        [switch]$Silent
    )
    begin {
        $null = Test-ElevationRequirement -ComputerName $Source.ComputerName
        function Get-LinkedServerLogins {
            <#
            .SYNOPSIS
                Internal function.
 
                This function is heavily based on Antti Rantasaari's script at http://goo.gl/wpqSib
                Antti Rantasaari 2014, NetSPI
                License: BSD 3-Clause http://opensource.org/licenses/BSD-3-Clause
            #>

            param (
                $SqlInstance
            )

            $server = $SqlInstance
            $sourceName = $server.Name

            # Query Service Master Key from the database - remove padding from the key
            # key_id 102 eq service master key, thumbprint 3 means encrypted with machinekey
            $sql = "SELECT substring(crypt_property,9,len(crypt_property)-8) as smk FROM sys.key_encryptions WHERE key_id=102 and (thumbprint=0x03 or thumbprint=0x0300000001)"
            try {
                $smkbytes = $server.Query($sql).smk
            }
            catch {
                Stop-Function -Message "Can't run query." -Target $server -InnerErrorRecord $_
                return
            }

            $sourceNetBios = Resolve-NetBiosName $server
            $instance = $server.InstanceName
            $serviceInstanceId = $server.ServiceInstanceId

            # Get entropy from the registry - hopefully finds the right SQL server instance
            try {
                [byte[]]$entropy = Invoke-Command2 -Raw -Credential $Credential -ComputerName $sourceNetBios -argumentlist $serviceInstanceId {
                    $serviceInstanceId = $args[0]
                    $entropy = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$serviceInstanceId\Security\").Entropy
                    return $entropy
                }
            }
            catch {
                Stop-Function -Message "Can't access registry keys on $sourceName. Quitting." -Target $server ErrorRecord $_
                return
            }

            # Decrypt the service master key
            try {
                $serviceKey = Invoke-Command2 -Raw -Credential $Credential -ComputerName $sourceNetBios -ArgumentList $smkbytes, $Entropy {
                    Add-Type -assembly System.Security
                    Add-Type -assembly System.Core
                    $smkbytes = $args[0]; $Entropy = $args[1]
                    $serviceKey = [System.Security.Cryptography.ProtectedData]::Unprotect($smkbytes, $Entropy, 'LocalMachine')
                    return $serviceKey
                }
            }
            catch {
                Stop-Function -Message "Can't unprotect registry data on $($source.Name)). Quitting." -Target $server -InnerErrorRecord $_
                return
            }

            # Choose the encryption algorithm based on the SMK length - 3DES for 2008, AES for 2012
            # Choose IV length based on the algorithm
            if (($serviceKey.Length -ne 16) -and ($serviceKey.Length -ne 32)) {
                Write-Message -Level Verbose -Message "ServiceKey found: $serviceKey.Length"
                Stop-Function -Message "Unknown key size. Cannot continue." -Target $source
                return 
                
            }

            if ($serviceKey.Length -eq 16) {
                $decryptor = New-Object System.Security.Cryptography.TripleDESCryptoServiceProvider
                $ivlen = 8
            }
            elseif ($serviceKey.Length -eq 32) {
                $decryptor = New-Object System.Security.Cryptography.AESCryptoServiceProvider
                $ivlen = 16
            }

            <#
                Query link server password information from the Db.
                Remove header from pwdhash, extract IV (as iv) and ciphertext (as pass)
                Ignore links with blank credentials (integrated auth ?)
            #>

            if ($server.IsClustered -eq $false) {
                $connString = "Server=ADMIN:$sourceNetBios\$instance;Trusted_Connection=True"
            }
            else {
                $dacEnabled = $server.Configuration.RemoteDacConnectionsEnabled.ConfigValue

                if ($dacEnabled -eq $false) {
                    If ($Pscmdlet.ShouldProcess($server.Name, "Enabling DAC on clustered instance.")) {
                        Write-Message -Level Verbose -Message "DAC must be enabled for clusters, even when accessed from active node. Enabling."
                        $server.Configuration.RemoteDacConnectionsEnabled.ConfigValue = $true
                        $server.Configuration.Alter()
                    }
                }

                $connString = "Server=ADMIN:$sourceName;Trusted_Connection=True"
            }

            <# NOTE: This query is accessing syslnklgns table. Can only be done via the DAC connection #>
            $sql = "
                SELECT sysservers.srvname,
                    syslnklgns.Name,
                    substring(syslnklgns.pwdhash,5,$ivlen) iv,
                    substring(syslnklgns.pwdhash,$($ivlen + 5),
                    len(syslnklgns.pwdhash)-$($ivlen + 4)) pass
                FROM master.sys.syslnklgns
                    inner join master.sys.sysservers
                    on syslnklgns.srvid=sysservers.srvid
                WHERE len(pwdhash) > 0"


            # Get entropy from the registry
            try {
                $logins = Invoke-Command2 -Raw -Credential $Credential -ComputerName $sourceNetBios -ArgumentList $connString, $sql {
                    $connString = $args[0]; $sql = $args[1]
                    $conn = New-Object System.Data.SqlClient.SQLConnection($connString)
                    $conn.open()
                    $cmd = New-Object System.Data.SqlClient.SqlCommand($sql, $conn);
                    $data = $cmd.ExecuteReader()
                    $dt = New-Object "System.Data.DataTable"
                    $dt.Load($data)
                    $conn.Close()
                    $conn.Dispose()
                    return $dt
                }
            }
            catch {
                Stop-Function -Message "Can't establish local DAC connection." -Target $server -InnerErrorRecord $_
                return
            }

            if ($server.IsClustered -and $dacEnabled -eq $false) {
                If ($Pscmdlet.ShouldProcess($server.Name, "Disabling DAC on clustered instance.")) {
                    Write-Message -Level Verbose -Message "Setting DAC config back to 0."
                    $server.Configuration.RemoteDacConnectionsEnabled.ConfigValue = $false
                    $server.Configuration.Alter()
                }
            }

            $decryptedLogins = New-Object "System.Data.DataTable"
            [void]$decryptedLogins.Columns.Add("LinkedServer")
            [void]$decryptedLogins.Columns.Add("Login")
            [void]$decryptedLogins.Columns.Add("Password")


            # Go through each row in results
            foreach ($login in $logins) {
                # decrypt the password using the service master key and the extracted IV
                $decryptor.Padding = "None"
                $decrypt = $decryptor.Createdecryptor($serviceKey, $login.iv)
                $stream = New-Object System.IO.MemoryStream ( , $login.pass)
                $crypto = New-Object System.Security.Cryptography.CryptoStream $stream, $decrypt, "Write"

                $crypto.Write($login.pass, 0, $login.pass.Length)
                [byte[]]$decrypted = $stream.ToArray()

                # convert decrypted password to unicode
                $encode = New-Object System.Text.UnicodeEncoding

                # Print results - removing the weird padding (8 bytes in the front, some bytes at the end)...
                # Might cause problems but so far seems to work.. may be dependant on SQL server version...
                # If problems arise remove the next three lines..
                $i = 8; foreach ($b in $decrypted) {if ($decrypted[$i] -ne 0 -and $decrypted[$i + 1] -ne 0 -or $i -eq $decrypted.Length) { $i -= 1; break; }; $i += 1; }
                $decrypted = $decrypted[8..$i]

                [void]$decryptedLogins.Rows.Add($($login.srvname), $($login.Name), $($encode.GetString($decrypted)))
            }
            return $decryptedLogins
        }

        function Copy-DbaLinkedServers {
            param (
                [string[]]$LinkedServer,
                [bool]$force
            )

            Write-Message -Level Verbose -Message "Collecting Linked Server logins and passwords on $($sourceServer.Name)."
            $sourcelogins = Get-LinkedServerLogins $sourceServer

            $serverlist = $sourceServer.LinkedServers

            if ($LinkedServer) {
                $serverlist = $serverlist | Where-Object Name -In $LinkedServer
            }
            if ($ExcludeLinkedServer) {
                $serverList = $serverlist | Where-Object Name -NotIn $ExcludeLinkedServer
            }

            foreach ($currentLinkedServer in $serverlist) {
                $provider = $currentLinkedServer.ProviderName
                try {
                    $destServer.LinkedServers.Refresh()
                    $destServer.LinkedServers.LinkedServerLogins.Refresh()
                }
                catch { }

                $linkedServerName = $currentLinkedServer.Name

                $copyLinkedServer = [pscustomobject]@{
                    SourceServer        = $sourceServer.Name
                    DestinationServer   = $destServer.Name
                    Name                = $linkedServerName
                    Type                = $provider
                    Status              = $null
                    DateTime            = [DbaDateTime](Get-Date)
                }

                # This does a check to warn of missing OleDbProviderSettings but should only be checked on SQL on Windows
                if ($destServer.Settings.OleDbProviderSettings.Name.Length -ne 0) {
                    if (!$destServer.Settings.OleDbProviderSettings.Name -contains $provider -and !$provider.StartsWith("SQLN")) {
                        $copyLinkedServer.Status = "Skipped"
                        $copyLinkedServer

                        Write-Message -Level Warning -Message "$($destServer.Name) does not support the $provider provider. Skipping $linkedServerName."
                        continue
                    }
                }

                if ($destServer.LinkedServers[$linkedServerName] -ne $null) {
                    if (!$force) {
                        $copyLinkedServer.Status = "Skipped"
                        $copyLinkedServer

                        Write-Message -Level Warning -Message "$linkedServerName exists $($destServer.Name). Skipping."
                        continue
                    }
                    else {
                        if ($Pscmdlet.ShouldProcess($destination, "Dropping $linkedServerName")) {
                            if ($currentLinkedServer.Name -eq 'repl_distributor') {
                                Write-Message -Level Warning -Message "repl_distributor cannot be dropped. Not going to try."
                                continue
                            }

                            $destServer.LinkedServers[$linkedServerName].Drop($true)
                            $destServer.LinkedServers.refresh()
                        }
                    }
                }

                Write-Message -Level Verbose -Message "Attempting to migrate: $linkedServerName."
                If ($Pscmdlet.ShouldProcess($destination, "Migrating $linkedServerName")) {
                    try {
                        $sql = $currentLinkedServer.Script() | Out-String
                        Write-Message -Level Debug -Message $sql
                        
                        if ($UpgradeSqlClient -and $sql -match "sqlncli") {
                            $newstring = "sqlncli$($destServer.VersionMajor)"
                            Write-Message -Level Verbose -Message "Changing sqlncli to $newstring"
                            $sql = $sql -replace ("sqlncli[0-9]+", $newstring)
                        }
                        
                        $destServer.Query($sql)
                        $destServer.LinkedServers.Refresh()
                        Write-Message -Level Verbose -Message "$linkedServerName successfully copied."

                        $copyLinkedServer.Status = "Successful"
                        $copyLinkedServer
                    }
                    catch {
                        $copyLinkedServer.Status = "Failed"
                        $copyLinkedServer

                        Stop-Function -Message "Issue adding linked server $destServer." -Target $linkedServerName -InnerErrorRecord $_
                        $skiplogins = $true
                    }
                }

                if ($skiplogins -ne $true) {
                    $destlogins = $destServer.LinkedServers[$linkedServerName].LinkedServerLogins
                    $lslogins = $sourcelogins | Where-Object { $_.LinkedServer -eq $linkedServerName }

                    foreach ($login in $lslogins) {
                        if ($Pscmdlet.ShouldProcess($destination, "Migrating $($login.Login)")) {
                            $currentlogin = $destlogins | Where-Object { $_.RemoteUser -eq $login.Login }

                            $copyLinkedServer.Type = $login.Login

                            if ($currentlogin.RemoteUser.length -ne 0) {
                                try {
                                    $currentlogin.SetRemotePassword($login.Password)
                                    $currentlogin.Alter()

                                    $copyLinkedServer.Status = "Successful"
                                    $copyLinkedServer
                                }
                                catch {
                                    $copyLinkedServer.Status = "Failed"
                                    $copyLinkedServer

                                    Stop-Function -Message "Failed to copy login." -Target $login -InnerErrorRecord $_
                                }
                            }
                        }
                    }
                }
            }
        }
    }
    process {
        if (Test-FunctionInterrupt) { return }
        if ($SourceSqlCredential.username -ne $null) {
            Write-Message -Level Warning -Message "You are using a SQL Credential. Note that this script requires Windows Administrator access on the source server. Attempting with $($SourceSqlCredential.Username)."
        }

        $sourceServer = Connect-SqlInstance -SqlInstance $Source -SqlCredential $SourceSqlCredential
        $destServer = Connect-SqlInstance -SqlInstance $Destination -SqlCredential $DestinationSqlCredential

        $source = $sourceServer.Name
        $destination = $destServer.Name

        if (!(Test-SqlSa -SqlInstance $sourceServer -SqlCredential $SourceSqlCredential)) {
            Stop-Function -Message "Not a sysadmin on $source. Quitting." -Target $sourceServer
            return
        }
        if (!(Test-SqlSa -SqlInstance $destServer -SqlCredential $DestinationSqlCredential)) {
            Stop-Function -Message "Not a sysadmin on $destination. Quitting." -Target $destServer
            return
        }

        Write-Message -Level Verbose -Message "Getting NetBios name for $source."
        $sourceNetBios = Resolve-NetBiosName $sourceserver

        Write-Message -Level Verbose -Message "Checking if Remote Registry is enabled on $source."
        try {
            Invoke-Command2 -Raw -Credential $Credential -ComputerName $sourceNetBios -ScriptBlock { Get-ItemProperty -Path "HKLM:\SOFTWARE\" } -ErrorAction Stop
        }
        catch {
            Stop-Function -Message "Can't connect to registry on $source." -Target $sourceNetBios -ErrorRecord $_
            return
        }

        # Magic happens here
        Copy-DbaLinkedServers $LinkedServer -Force:$force
    }
    end {
        Test-DbaDeprecation -DeprecatedOn "1.0.0" -Silent:$false -Alias Copy-SqlLinkedServer
    }
}