TFS2010 Configuration issue in a Windows 2000 domain

October 12, 2010

I encountered an error while configuring Team Foundation Server 2010 on a Windows Server 2008 R2 machine (64-bit) that was joined to a Windows 2000 domain.

The error came up while running the system check verification in the TFS2010 configuration wizard.

TF255435: This computer is a member of an Active Directory domain, but the domain controllers are not accessible.  Network problems might be preventing access to the domain. Verify that the network is operational, and then retry the readiness checks.  Other options include configuring Team Foundation Server specifying a local account in the custom wizard or joining the computer to a workgroup.  http://go.microsoft.com/fwlink/?LinkID=164053&clcid=0x409

Note that the link will just bring you to the microsoft.com site and won’t help you in solving the error.

I first stumbled on this MSDN forum article, but I wasn’t really confident that this “solution” would work in my situation. The new virtual machine was set up correctly in the domain from the start and wasn’t conflicting with some other machine(s).

Digging deeper into the configuration log file gave me this:

Exception Message: The trust relationship between this workstation and the primary domain failed.
(type SystemException)

Exception Stack Trace:    at System.Security.Principal.NTAccount.TranslateToSids(IdentityReferenceCollection sourceAccounts, Boolean& someFailed)
   at System.Security.Principal.NTAccount.Translate(IdentityReferenceCollection sourceAccounts, Type targetType, Boolean forceSuccess)
   at System.Security.Principal.NTAccount.Translate(Type targetType)
   at Microsoft.TeamFoundation.Common.UserNameUtil.GetMachineAccountName(String hostName)
   at Microsoft.TeamFoundation.Admin.VerifyDomainAccess.Verify()

Together with the fact that SIDs could not be resolved correctly on this machine when editing local groups, it was clear that there was something wrong with the AD communication.

Apparently there’s a known problem with the LookupAccountName function when it retrieves a security identifier (SID) for a domain account. It only occurs on Windows Server 2008 R2 computers joined to a Windows 2000 domain.

After applying the available hotfix (KB 976494), everything was working again and the system check in the TFS2010 configuration wizard succeeded without warnings. Problem solved!
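To reproduce the failing name-to-SID lookup outside the wizard, and to re-check it after the hotfix, the following PowerShell sketch can be run on the affected server. It is an added example, not part of the original post or of TFS. The function name `Test-MachineSidTranslation` is hypothetical, and the default `DOMAIN\HOST$` machine account format is an assumption about what the wizard looks up.

```powershell
# Added diagnostic sketch (not from the original post); run on the affected server.
function Test-MachineSidTranslation {
    param(
        # Assumption: the session is logged on with a domain account, so
        # USERDOMAIN holds the domain's NetBIOS name. Override if it does not.
        [string]$AccountName = "$env:USERDOMAIN\$env:COMPUTERNAME`$"
    )

    $result = New-Object PSObject -Property @{
        Account        = $AccountName
        Sid            = $null
        TranslateError = $null
        SecureChannel  = $null
        HotfixPresent  = $false
    }

    # Same framework call that appears in the stack trace: NTAccount.Translate
    try {
        $account = New-Object System.Security.Principal.NTAccount($AccountName)
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
        $result.Sid = $sid.Value
    } catch {
        # PowerShell wraps the .NET exception; unwrap to the original message
        $result.TranslateError = $_.Exception.GetBaseException().Message
    }

    # A healthy secure channel combined with a failed translation suggests the
    # lookup itself is at fault rather than a broken machine account.
    try {
        $result.SecureChannel = Test-ComputerSecureChannel
    } catch {
        $result.SecureChannel = "check failed: $($_.Exception.Message)"
    }

    # The hotfix named in this post
    $hotfix = Get-HotFix -Id 'KB976494' -ErrorAction SilentlyContinue
    $result.HotfixPresent = [bool]$hotfix

    $result
}

Test-MachineSidTranslation | Format-List
```

A populated `Sid` with an empty `TranslateError` means the translation that the readiness check depends on is working.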

Once again, this was a confirmation for me that installing and configuring Team Foundation Server in an enterprise environment is always a challenge because there are so many different platforms involved: Active Directory, Internet Information Server, SQL Server, Reporting Services, Analysis Services, SharePoint, …