There once was a file and print server that needed to be a domain controller. Install the DNS service, then dcpromo it.
I forgot to take note that the dcpromo process applies a security template for domain controllers to the system. So accounts used by third-party services may need to have the “allow logon as service” right assigned to them.
The easiest way to make this happen is to go into the service, try to start it, and watch it fail. Then go to the password, type it in (twice), and click OK. You should see a popup dialog box indicating that the account has been given the above-mentioned privilege.
The service in my case was Backup Exec.
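
To find every affected service after a promotion instead of waiting for each one to fail, the script below (an added example, not part of the original post) compares each service's logon account against the holders of the "Log on as a service" right (`SeServiceLogonRight`). It assumes an elevated PowerShell 3.0 or later session on the promoted server and checks direct assignments only, so an account that holds the right through group membership is reported as missing it.

```powershell
# Added example: list services whose logon account is not directly granted
# "Log on as a service" (SeServiceLogonRight). Run elevated.
$inf = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /areas USER_RIGHTS /cfg $inf | Out-Null

# The export contains a line such as: SeServiceLogonRight = *S-1-5-20,*S-1-5-21-...
$line = Select-String -Path $inf -Pattern '^SeServiceLogonRight\s*=' |
    Select-Object -First 1
$holders = @()
if ($line) {
    $holders = @(($line.Line -split '=', 2)[1] -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            $entry.TrimStart('*')            # entry is already a SID
        } else {
            # Entry was exported as an account name: resolve it to a SID
            try {
                ([System.Security.Principal.NTAccount]$entry).Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch { $entry }
        }
    })
}
Remove-Item $inf -ErrorAction SilentlyContinue

# Skip built-in and virtual service accounts; check everything else
Get-CimInstance Win32_Service |
    Where-Object {
        $_.StartName -and $_.StartName -ne 'LocalSystem' -and
        $_.StartName -notlike 'NT AUTHORITY\*' -and
        $_.StartName -notlike 'NT SERVICE\*'
    } |
    ForEach-Object {
        # ".\user" means a local account; expand it so it can be resolved
        $account = $_.StartName -replace '^\.\\', "$env:COMPUTERNAME\"
        try {
            $sid = ([System.Security.Principal.NTAccount]$account).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { $sid = $null }             # account could not be resolved
        [pscustomobject]@{
            Service  = $_.Name
            Account  = $_.StartName
            HasRight = ($null -ne $sid) -and ($holders -contains $sid)
        }
    } | Sort-Object HasRight, Service
```

Rows with `HasRight` set to `False` are the services to fix, either through the service dialog as described above or by granting the right in policy.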