Jack of all that is Microsoft, Master of None

July 24, 2008

Got Long MOSS Service Account Names?

Are you planning on creating and using some long-named MOSS service accounts?  Maybe something like TestMOSSMySiteAdmin01 or TestMOSSSSPAppPool01?  Well if you do, then take note – I’ve had two separate occasions where I have an AD account with more than 20 characters as the username, and MOSS isn’t happy about it.  I ran across this a while ago at a client site and thought it was something wrong with their environment, and let it slide… but my buddy and fellow B&R colleague Mr. Bob Fox ran into this yesterday, and was quite surprised that this happens.

So here’s the deal…

You’ve got your account, ‘TestMOSSMySiteAdmin01’ – you go and create it in Active Directory, typically by just specifying the Full Name & User Logon Name, and your screen looks something like this:

Notice a couple of things here:

  • The user logon name is exactly what I want – the full account name.
  • But the ‘User Logon Name (pre-Windows 2000)’ has been truncated by one character (character #21).

So now we hop over to our MOSS environment, as we want to bring up a new Web Application for our MySites, and use this account.  We run through the typical web app setup, and specify the full username:

But when we submit this information, we get a username/password combination error:

Even though I’ve entered everything correctly.

So after ripping my hair out, this is where the Active Directory account’s User logon name (pre-Windows 2000) comes into play.  From what I can tell, this is what MOSS is using when you input a username – so in this case, I have to truncate the name of my service account in the web application setup form:

Notice that I had to cut off the last number – to match what AD was showing.  Now, when I submit this, my web application gets created properly.  And to verify that it took the shortened name, I open up IIS, and voila – using the truncated account logon name:

And while I’m running Server 2008 with IIS7, I have confirmed this is the same on Server 2003 with IIS6.

So in the end, the moral of the blog post is that whenever you can, keep your service account names to under 20 characters.  If you can’t, beware of this issue.

-Chris
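A pre-flight check for the truncation described in this post, as an added example that is not the author's code: for each planned account name it shows the 20-character pre-Windows 2000 name it would be cut down to, and flags planned names that become identical once truncated. The function name, the CONTOSO domain and the sample names other than the two from the post are assumptions.

```powershell
# Added example (not from the original post).
# The pre-Windows 2000 logon name (sAMAccountName) of a user holds at most 20 characters.
$SamLimit = 20

function Get-SamAccountNamePlan {
    param(
        [Parameter(Mandatory)] [string[]] $Name,   # planned "User logon name" values
        [string] $Domain = 'CONTOSO'               # placeholder NetBIOS domain name (assumption)
    )

    $rows = foreach ($n in $Name) {
        $tooLong = $n.Length -gt $SamLimit
        # Longer names keep only their first 20 characters, as in the post's screenshot.
        $sam = if ($tooLong) { $n.Substring(0, $SamLimit) } else { $n }
        [pscustomobject]@{
            Planned   = $n
            Length    = $n.Length
            Truncated = $tooLong
            Sam       = $sam
            EnterAs   = "$Domain\$sam"   # the form to type when the short name is what gets resolved
            Collision = $false
        }
    }

    # Names that differ only after character 20 collapse to the same short name.
    # The comparison is case-insensitive, as account names are.
    $rows | Group-Object { $_.Sam.ToLowerInvariant() } |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object { foreach ($r in $_.Group) { $r.Collision = $true } }

    $rows
}

# Constructed sample input: the two names from the post plus two hypothetical ones.
$planned = @(
    'TestMOSSMySiteAdmin01',
    'TestMOSSMySiteAdmin02',
    'TestMOSSSSPAppPool01',
    'svcMossFarm'
)

Get-SamAccountNamePlan -Name $planned | Format-Table -AutoSize
```

Any row with Collision set means two planned accounts cannot both keep the default short name, so rename them before creating the accounts rather than discovering it in the web application form.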


June 26, 2006

SPS Infrastructure Fix & AD Domain Renames

Not too long ago, I was working on a SharePoint Portal Server project with Jason Medero, and what originally was supposed to be a basic Portal build-out turned into a whole lot more… let me provide you with some background information…

We have a client that provides SharePoint hosting services for a specific industry. The Portal sites they host are for some major, well-known companies that utilize our client’s specific Portal builds for HR & Compliance-related information. Originally, some firm came in and built out the following infrastructure:

Server 1

  • Windows Server 2003
  • Active Directory domain controller for domain “ABC”
  • SQL Server 2000 SP3 Installed
  • SharePoint Portal Server 2003 Installed
  • K2.net Server Installed

Server 2

  • Windows Server 2003
  • Active Directory domain controller for domain “XYZ”
  • SQL Server 2000 SP3 Installed
  • SharePoint Portal Server 2003 Installed
  • K2.net Server Installed

So basically they had all of their eggs in two baskets… and what a mess… talk about throwing best practices out the window!  To make matters even worse, they were not sure how stable their AD infrastructure was, but they didn’t want to recreate all of the user & group objects, especially since that would mean going out to each of the clients they were hosting SPS for and telling them all of their users’ passwords had changed.

So I proposed that they immediately purchase a new server, and we break out their environment in the following way:

Server 1

  • Windows Server 2003
  • Active Directory Domain Controller for domain “XYZ”

Server 2

  • Windows Server 2003
  • SQL Server 2003
  • K2.net Server

Server 3

  • Windows Server 2003
  • SharePoint Portal Server

But there was a caveat – we needed to maintain the old domain name of “ABC”… while we could make the second domain “XYZ” go away, we needed the new domain controller to have all of the user & group objects from both of the old domains but retain the name of the first old domain.

So what did I do… A LOT of testing in my development environment using the Active Directory Domain Rename Tools.  Once I was satisfied with my testing, here’s what I did:

  1. Back up everything and ensure that the backups are functional!
  2. Use the Active Directory Migration Tool v2.0 (ADMT) and migrate all of the users & groups from domain XYZ to domain ABC.
  3. Decommission the XYZ domain (via dcpromo).

So I then had all of the users & groups in the one domain – the domain with the name I needed.  Since I couldn’t bring up a new DC with the same domain name, I used the Rename Tools.  In a nutshell, here are the steps:

  1. Perform a domain rename on the old server.  The domain name will be changed to OLDABC.com.
  2. After the domain is renamed, bring up the new domain controller, hosting the new ABC.com domain.
  3. Create a trust between both domains.
  4. Install the ADMT.
  5. Perform the migrations from OLDABC to ABC.
  6. DCPromo the old domain controller.
  7. Clean up.

So basically, yes – you can take a domain, rename it, then immediately bring up a new domain controller with the old domain’s name.  If anyone is interested in more of the step-by-step details, let me know… I have them all documented.
