A domain controller could not be contacted for the domain that contains an account for this computer

Sorry, no blog posts for a while. I have been pretty busy getting my hands dirty on some projects and helping out with the SQL 2008 Academy here in Dublin.

I've just been upgrading the infrastructure at Prodata here to Windows 2008 and Hyper-V with a view to automating deployments of SQL to the test and customer lab, which is all virtual now. The domain controllers were all Windows 2003 and all VPC images were Virtual Server 2005. In the new setup we are using Windows 2008 domain controllers, Hyper-V on a nice Dell MD3000 and System Center.

One initial stumbling block was Windows 2008 would just not install an additional domain controller to join the 2003 domain. When running "dcpromo" it would go 3/4 through the process and then fail with the cryptic message "A domain controller could not be contacted for the domain that contains an account for this computer."

The computer account was of course in AD, and following the usual steps of joining a workgroup and then rejoining the domain did not help.

I found a message about a security failure in the security log on the domain controller: "An account failed to log on... Login Type (3)"

This led me to look in the Domain Controller Security policy and the "Access this Computer from the Network" User Rights Assignment. I added the computer account for the new domain controller, "DC2$", manually to this rights group and hey presto, it worked perfectly. Happy days ;-)

I dunno why this didn't work out of the box. I am guessing some overzealous lockdown on the Group Policy. It would be nice if "dcpromo" could have been a bit more helpful via the GUI.
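
One way to check the user right described above before running dcpromo again, as an added example that is not part of the original post: it exports the user rights on the existing domain controller with `secedit` and reports whether the new machine's account holds `SeNetworkLogonRight`, the internal name of "Access this Computer from the Network". It assumes PowerShell 2.0 or later and an elevated prompt; `DC2$` is the account name from the post and the temporary file name is arbitrary.

```powershell
# Added example: audit who holds "Access this computer from the network"
# (SeNetworkLogonRight). Run elevated on the existing domain controller.
param(
    # Assumption: the new DC's computer account, as named in the post.
    [string]$Account = 'DC2$'
)

$cfg = Join-Path $env:TEMP 'user_rights.inf'
# Export only the user rights section of this machine's security settings.
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

$line = Get-Content $cfg | Where-Object { $_ -match '^SeNetworkLogonRight\s*=' }
Remove-Item $cfg -ErrorAction SilentlyContinue
if (-not $line) { throw 'SeNetworkLogonRight is not defined in the exported policy.' }

# Entries are comma separated; SIDs carry a leading asterisk.
$holders = ($line -split '=', 2)[1].Split(',') | ForEach-Object {
    $entry = $_.Trim()
    if ($entry.StartsWith('*')) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '(unresolved)' }
        New-Object PSObject -Property @{ Sid = $sid.Value; Name = $name }
    } else {
        # Entry was stored by name rather than by SID.
        New-Object PSObject -Property @{ Sid = ''; Name = $entry }
    }
}
$holders | Format-Table Name, Sid -AutoSize

# Well-known groups that normally cover every domain computer account:
# Everyone (S-1-1-0) and Authenticated Users (S-1-5-11).
$broad    = 'S-1-1-0', 'S-1-5-11'
$viaGroup = $holders | Where-Object { $broad -contains $_.Sid }
$direct   = $holders | Where-Object { $_.Name -like "*\$Account" -or $_.Name -eq $Account }

if ($direct -or $viaGroup) {
    "OK: $Account is covered directly or via Everyone / Authenticated Users."
} else {
    "MISSING: $Account is not granted the right directly or via Everyone / " +
    "Authenticated Users. Check whether it is a member of a listed group."
}
```

If the result is MISSING and none of the listed groups contains the account, a hardened policy has removed the broad entries; restoring one of them or adding the account explicitly, as done above, clears the network logon failure.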