MOSS doesn't like having the indexer role moved

We needed to expand our MOSS farm from one server to two so that we could have the search and indexing performed by a second machine, as we were putting the one poor server under significant periodic load. So, we stood up the second instance and joined it to the farm, and attempted to assign the search and indexing roles to this new instance. After doing so, when we would go to the search settings link in the SSP, we got the following message:

“The search service is currently offline. Visit the Services on Server page in SharePoint Central Administration to verify whether the service is enabled. This might also be because an indexer move is in progress.”

I searched and found wildly different solutions for fixing this. I ended up doing the following things to correct it:

1. On the new index server, I had to stop and restart the Office Search role after the initial move. I did this with stsadm via the following commands: 1) stsadm -o osearch -action stop 2) stsadm -o osearch -action start -role IndexQuery -farmserviceaccount DOMAIN\accountname -farmservicepassword PASSWORD
   
2. Access the SSP administration page (http://url-of-central-admin/_admin/managessp.aspx), and on the drop-down menu for the SSP in question, choose Edit Properties.
3. In the section titled Process Accounts with access to this SSP, add the search service account to the dialog box.
   
4. In the section titled Index Server, select the new index server for the farm.
5. Click OK to apply your changes.
6. Reboot the index server and restart full crawls of the content sources.

MOSS and Kerberos on Windows Server 2008 - a gotcha

I've been through the Kerberos mill repeated times--getting the SPNs lined up, making sure the computer and service accounts are trusted for delegation, making sure the times on the servers are within 15 minutes, etc. But I couldn't make Kerberos authentication work on my MOSS web applications on a Windows Server 2008 server.

I opened a ticket on this with Microsoft and discovered that IIS 7.0 has kernel mode authentication turned on by default. MOSS has a problem with this and it will completely break Kerberos for those web applications. To turn this off:

In Server Manager, select the web application for which you want to fix Kerberos authentication:



Select its Authentication tool:



Now choose Advanced Settings:



Finally, make sure the "Enable Kernel-mode authentication" checkbox is UNCHECKED:



Apply your changes and you should be good to go. It is not necessary to reset IIS or bounce the application pool to make it take effect. Don't forget that you still have to configure the web in MOSS Central Administration to use Kerberos (Negotiate) authentication instead of NTLM in addition to all the other normal domain-based Kerberos setup steps. Cheers.

** UPDATE 24 Mar 2009 **
Apparently the kernel mode authentication setting also breaks NTLM authentication on WS 2008, so this is not specific to making Kerberos work.