Home > MOSS, SharePoint 2007 > Problems after Changing Service Accounts

Problems after Changing Service Accounts

Recently we changed service accounts at one our of client SharePoint environment, this went through without a hitch. Just follow the MSDN article and you should be good to go.

After changing service accounts, we disabled the old service accounts in AD and The SharePoint farm was up and running fine. After 45 days we deleted the service accounts in AD, This is when the problems started. The farm became completely unstable, few of the symptoms were

  1. The SharePoint sites were extremely slow to load,
  2. Application Server Administration Service Timer Job was struck at initialized and eventually failed,
  3. Application Server Timer Job was struck at initialized and eventually failed,
  4. The event log was full of errors reading

Synchronization for Shared Services Provider ‘SSP Name’ has failed. The operation will be retried.

Reason: The specified account name is invalid.
Parameter name: account

All these errors made the farm very unstable and eventually the SharePoint farm shut down!

I rebooted the servers and the SharePoint sites came back online for few minutes, but went down again once the timer jobs failed again.

This is when I started digging deep, the diagnostic logs had the following error:

NTAccount ‘Account Name‘ could not be translated to a SID. Exception: System.Security.Principal.IdentityNotMappedException: Some or all identity references could not be translated.     at System.Security.Principal.NTAccount.Translate(IdentityReferenceCollection sourceAccounts, Type targetType, Boolean forceSuccess)     at System.Security.Principal.NTAccount.Translate(Type targetType)     at Microsoft.Office.Server.Utilities.WindowsSecurity.ValidateAccount(NTAccount account, Boolean throwIfInvalid

This account was the old service we replaced before and SharePoint was still trying to convert it into a SID. As it was not able to convert the account into valid, all the timer jobs were failing. This service account still being cached in the SharePoint Configuration cache. So the fix to the problem is to clear the SharePoint configuration Cache.

Even though your service accounts was disabled in AD, SharePoint was  able to convert it into a Valid SID. So the farm was running without any gliches but Once the service accounts were deleted in AD, SharePoint was no longer able to convert the service account into a valid SID. Hence the problems.

Clearing the SharePoint Configuration Cache fixed the problem, I will write a post on how to clear the SharePoint configuration cache soon.

This problem would happen not only when changing service accounts and deleting them at a later time but also when you upgrade the farm to a different domain. SharePoint might still have the old accounts in the cache and it will cause problems. So before deleting accounts, downtime should be planned and farm should be monitored for any anomalies.

Advertisements
  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: