Friday, 30 September 2011

Sharepoint 2010 - Change Domain Membership

Hello,

A couple of days ago I had to change the domain membership of a single-server Sharepoint 2010 farm with a separate database server. Browsing the Internet I found little information about this, and most recommendations were based on a backup/reinstall/restore procedure.

However, I thought I would give it a try with a plain domain membership change and with switching the Sharepoint 2010 service accounts. I encountered many problems and I will mention some of them here. Here's the procedure:

  • Perform full backup of Sharepoint 2010 farm from Sharepoint Central Administration
  • Create new service accounts in the destination domain
  • Make sure you know your Sharepoint 2010 farm passphrase which you entered when you initially provisioned the farm
  • Change the domain membership of the SQL database server first (in my case the SQL database engine was running under the LocalSystem account, so I had no issues with that)
  • Give the future farm account from the new domain sysadmin permissions on the SQL database engine (actually only the securityadmin and dbcreator server roles are required, so prefer those and leave sysadmin out)
  • At this point your Sharepoint is not working
  • Run stsadm -o setconfigdb with the -connect switch to reconnect the server to your Sharepoint configuration database. Supply the farm account from the new domain here (the -farmuser/-farmpassword parameters) and keep the farm passphrase at hand; note that stsadm takes these secrets as plain command-line arguments, so clear your command history afterwards.
  • After this step the Central Administration site should be working; however, your Sharepoint box is still in the old domain. In my case I had a domain trust established between the old and new domains, which is what lets a server that is still in the old domain authenticate the new-domain farm and managed accounts in this and the following steps.
  • Create the new Sharepoint managed accounts by selecting the accounts from the new domain: Central Administration > Security > General Security > Configure Managed Accounts
  • Change the service accounts to reflect the newly added managed accounts: Central Administration > Security > Change Service Accounts
  • Add your farm account to the local Administrators group on the Sharepoint server (this is needed for provisioning User Profile Synchronization; remove it again once that is done, since the farm account should not remain a local administrator)
  • Change Sharepoint box domain membership
  • At this point your Sharepoint sites should be accessible. However, in my case they were not, and I received a 404 Not Found error. I realized that after I reconnected the Sharepoint farm to the configuration database, the custom solutions these sites were using were no longer available. Thankfully, I had a full farm backup and managed to restore only the farm solutions. I redeployed the solutions from Central Administration and the sites worked!
  • At one point, after a couple of iisresets and server restarts I received "The trial period has expired" error message when I opened the Sharepoint sites. Running Sharepoint Configuration Wizard again solved this issue.
  • Looking at Central Administration > Manage services on server, I saw only a couple of services listed, while I knew there should be more. Running Install-SPService from PowerShell re-registered these services. This is an important step for Sharepoint Service Applications to work properly.
  • Almost all Service Applications were started and I could access their management pages, except the two most important ones: the User Profile Synchronization service and the Search service. No matter what I did I could not fix them or even restore them. I ended up creating and provisioning the new services from PowerShell. There isn't any user-generated data in these services, so recreating them was not a big issue.
Here are a few links that helped me solve problems with provisioning new service applications:

This one helped me to solve Sharepoint Server Search instance reporting "Service is offline" when trying to start/provision.
http://msdnrss.thecoderblogs.com/2011/06/unable-to-create-a-search-service-application-errors-were-encountered-during-the-configuration-of-the-search-application/

This is actually about multitenancy, but has some excellent code snippets that helped me provision User Profile Synchronization and Search service.
http://www.harbar.net/articles/sp2010mt5.aspx
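The reconnect and repair portion of the procedure above, collected into one PowerShell script that is run on the Sharepoint 2010 box once the SQL server has been moved and the new-domain farm account holds the securityadmin and dbcreator roles. This is an added example, not code from the original post; the server, database, account and directory names in it are assumptions, and the stsadm parameter names should be checked against `stsadm -help setconfigdb` on your build.

```powershell
# Added example, not from the original post. Assumed values are marked; replace them.
$sqlServer   = 'SQL01'                # assumed: SQL server already moved to the new domain
$configDb    = 'SharePoint_Config'    # assumed: configuration database name
$newDomain   = 'NEWDOM'               # assumed: destination domain NetBIOS name
$farmAccount = "$newDomain\spfarm"    # assumed: farm account created in the new domain
$wspDir      = 'C:\Restore\Solutions' # assumed: .wsp files recovered from the farm backup
$stsadm      = Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Server Extensions\14\BIN\stsadm.exe'

# Check which configuration database the box points at before changing anything.
$cfgKey = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\14.0\Secure\ConfigDB'
Write-Host ('Current config DB connection string: ' + (Get-ItemProperty $cfgKey).dsn)

# 1. Reconnect to the configuration database as the new-domain farm account.
#    stsadm only takes secrets as plain arguments, which leaves them in command history
#    and briefly in the process list: prompt for them rather than hard-coding, and clean up.
$farmCred   = Get-Credential $farmAccount
$passphrase = Read-Host -AsSecureString -Prompt 'Farm passphrase'
$plainPw    = $farmCred.GetNetworkCredential().Password
$bstr       = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($passphrase)
$plainPp    = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
# Parameter names as listed by "stsadm -help setconfigdb" on SP2010; verify on your build.
& $stsadm -o setconfigdb -connect -databaseserver $sqlServer -databasename $configDb `
    -farmuser $farmCred.UserName -farmpassword $plainPw -passphrase $plainPp
if ($LASTEXITCODE -ne 0) { throw "setconfigdb failed with exit code $LASTEXITCODE" }
Remove-Variable plainPw, plainPp
Clear-History

# Load the snap-in only now, so it picks up the freshly written connection string.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 2. Re-register services and features the way the Configuration Wizard would, so the
#    entries missing from "Manage services on server" reappear.
Initialize-SPResourceSecurity
Install-SPService
Install-SPFeature -AllExistingFeatures
Install-SPHelpCollection -All
Install-SPApplicationContent

# 3. Every managed account should now belong to the destination domain.
Get-SPManagedAccount | ForEach-Object {
    if ($_.UserName.Split('\')[0] -ne $newDomain) {
        Write-Warning "Managed account $($_.UserName) is still outside $newDomain"
    }
}

# 4. Put back and redeploy the farm solutions that disappeared after the reconnect.
Get-ChildItem $wspDir -Filter *.wsp | ForEach-Object {
    if (-not (Get-SPSolution -Identity $_.Name -ErrorAction SilentlyContinue)) {
        Add-SPSolution -LiteralPath $_.FullName | Out-Null
    }
}
Get-SPSolution | Where-Object { -not $_.Deployed } | ForEach-Object {
    # Deploy to the GAC only when the package carries assemblies, and to all web
    # applications only when it is web-application scoped.
    $deploy = @{ Identity = $_.Name; GACDeployment = $_.ContainsGlobalAssembly }
    if ($_.ContainsWebApplicationResource) { $deploy.AllWebApplications = $true }
    Install-SPSolution @deploy
}

# 5. Review service instances; anything you need that is still Disabled (Search,
#    User Profile Synchronization) has to be started or re-provisioned separately.
Get-SPServiceInstance | Sort-Object TypeName | Format-Table TypeName, Status -AutoSize

# 6. Least privilege: the farm account needs local Administrators only while User Profile
#    Synchronization is being provisioned. Run this once that is done.
# net localgroup Administrators $farmAccount /delete
```

Install-SPSolution only queues a deployment timer job, so check the Solution Management page in Central Administration (or `Get-SPSolution | Select Name, Deployed`) a few minutes later before testing the sites again.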

I truly hope that these steps will help someone avoid the pain I suffered :)

Regards,
Dinko

6 comments:

  1. Dinko, I've decided to follow your recipe and I'm getting the preparations done and checking if all steps are clear to me. When are you actually changing the domain membership of your server? Once you changed it, did you log on with a domain user with local administrator rights, or are there any further restrictions... I'm a bit scared!
    Martin

    ReplyDelete
  2. Hi Martin. The point at which I change the domain membership of Sharepoint box is clearly stated in the procedure - "Change Sharepoint box domain membership". After the change I could log in with domain administrator account from the new domain which is also a member of local Administrators group, but I guess any user account from the new domain that is also in the local Administrators group should be sufficient.

    With all the previous steps in place, your sites should be accessible after the domain switch.

    Having a full farm backup and perhaps testing the restore on a separate environment will encourage you to start the process knowing that you have a valid backup which you can use to rollback the environment!

    Good luck!

    ReplyDelete
  3. Thank you Dinko. I had my doubts, because you were assigning the new domain accounts before you actually changed the membership of the server to that new domain. And I wonder how you can? Did you have trusted domains?

    I took a slightly different path and was quite confident, but now I'm stuck with connecting the configuration database with stsadm. The user I'm logged on with (historically Moss_Admin, although it's 2010, with local administrator rights) is not allowed to open the config database. Login failure. The odd thing is that the error refers to logging into the "WSS_Config" database, while looking in the registry the config database is listed as "SharePoint_Config".

    Confused and sweating,
    Martin

    ReplyDelete
  4. Thanks for the procedure. However, can I still do this if my 2 domains (old and new) are on completely separate networks? (no domain trust available)

    Thanks
    Richard

    ReplyDelete
    Replies
    1. Did you ever sort this issue with the separate domains? I am in the process of doing this myself.

      Delete
  5. No matter what I did I could not fix them or even restore them.

    IT support

    ReplyDelete