I have been playing with SQL Server a lot lately, but not from the programmatic side but rather from the DBA side.  Don't get me wrong, I like the programming side a bunch more, but we had the need to to do some database maintenance and upgrades among other things.  We were running SQL Server 2000 SP4 + Reporting Services on a domain controller under much of the default installation settings.  For instance, the ReportServer service was running under the NETWORK SERVICE account.

Upon attempting to upgrade this server to SQL Server 2005 I was greeted with a message identifying that it could not be upgraded with the NETWORK SERVICE as the report service account on a domain controller.  Therefore, I had to set out to change the account associated with the Reporting Services service account.  Changing the account, however, is not as easy as simply changing the account.  If you simply change the user account, you will probably be greeted with a message akin to

The report server cannot decrypt the symmetric key used to access sensitive or encrypted data in a report server database. You must either restore a backup key or delete all encrypted content and then restart the service. Check the documentation for more information. (rsReportServerDisabled) Get Online Help
Bad Data.

In addition to the various rights and permissions needed for the new account, you need to make sure you backup your symmetric keys before changing the account.  If you changed the account already, you'll have to change it back to NT AUTHORITY\NETWORK SERVICE (see note below).  Once done, follow the steps below (as found in the support.microsoft.com website KB842421)

1. Start the Report Server Windows service and Report Server Web service
2. Backup your encryption keys via
   RSKeyMgmt -e -f filename -p strongPassword
3. Remove the reference to the encryption key (locate the InstallationID in the “%ProgramFiles%\Microsoft SQL Server\MSSQL\Reporting Services\ReportServer\RSReportServer.config“ file
   RSKeyMgmt -r InstallationIDGuid
4. Stop IIS
5. Stop the Report Server Windows service
6. Change the user account on the Report Server Windows service
7. Start IIS
8. Start the Report Server Windows service
9. Apply the encryption key previously backed up
   RSKeyMgmt -a -f filename -p strongPassword

That fixed the issue for me - what a relief!

NOTE: Changing the account back to NT AUTHORITY\NETWORK SERVICE (something I had to do) isn't as obvious as I would have liked.  Rather than performing a lookup on the user and not finding it on the domain controller, you have to know of the account's existence.  Type it in directly on the 'Log On' tab.  You won't know (or probably won't know) the password.  Simply blank out the password and the confirmation field.  The system will automatically associate the appropriate credentials for you.  This wasn't apparent, but I'm glad to have figured it out.  There have been so many times where I wanted to lookup accounts from the BUILTIN or NT AUTHORITY security groups but they simply wouldn't show up in the 'Browse' dialog on a domain controller.  Now I know and feel much better about it. :)