The client was migrating from one domain to another. As such the servers in the their SharePoint farm would no longer sit on domainA, they would site on domain. There were many steps to this which I hope to outline in another blog post. A problem occurred when looking at service account migration.
The farm service account had been updated to “domainB\farm” using stsadm as had other service accounts.
Problem
The problem arose when we navigated to http://CentralAdmin/_admin/ManagedAccounts.aspx and http://intranetstg:1111/_admin/FarmCredentialManagement.aspx. In certain scenarios the following error would be displayed:
Item has already been added. Key in dictionary: 'domain\account' Key being added: 'domain\account'
There seemed to be multiple entries for the same account. This was confirmed by running PowerShell “Get-spmanagedaccount” to list them all. I attempted to delete the accounts using “Remove-spmanagedaccount” but the same error occurred
Solution explanation
I found a number of articles explaining ways to fix it but none of the worked for me. The idea of re-installing the farm seemed over the top. I decided to configure the farm to only use one account throughout as a temporary measure. A new account was created and all components where a previous account had been set were configured to use the temporary account. This was set via http://centraladmin/_admin/FarmCredentialManagement.aspx. (The account for each component was noted so they could be reapplied once the troublesome accoutns were removed). Occasionally the error would occur again after applying but an IIS reset seemingly resolved this. Once all the components (including farm account) were using the temporary account I could then view all the managed accounts again with PowerShell “Get-spmanagedaccount”. It was then just a matter of deleting all the managed accounts other than the temporary one with “Remove-spmanagedaccount”. It is worth noting here that after each delete an IISreset is required. SharePoint seems to get confused as to what accounts are still present and to which domain they belong to without this. Once only one account was left, new accounts were reregistered and applied to the relevant components via http://centraladmin/_admin/FarmCredentialManagement.aspx. Great.
Solution steps
- Create new temporary domain account (domain\temp)
- Set this account to be farm account with stsadm -o updatefarmcredentials -userlogin domain\temp -password temp.
- Set all other components to use this account in http://centraladmin/_admin/FarmCredentialManagement.aspx (iis resets if error reoccurs)
- List and remove accounts other that temp account with powershell ” Get-spmanagedaccount” and Remove-spmanagedaccount” (iis resets if error reoccurs – also watch for domain name changes after reset).
- Recreate managed accounts and assign to relevant components again.
- Tidy up permissions in SQL (temporary account is probably still hanging around which can be removed).
- Relax with Coffee if before 4pm otherwise potentially have a beer.
