Article ID: 260362
This article was previously published under Q260362
Notice
This article applies to Windows 2000. Support for Windows 2000 ends on July 13, 2010. The Windows 2000 End-of-Support Solution Center (http://support.microsoft.com/win2000) is a starting point for planning your migration strategy from Windows 2000. For more information, see the Microsoft Support Lifecycle Policy.
This article contains information to simplify the installation of Active Directory on a home network by identifying common configuration issues. For more detail on any topic in this article, refer to the Windows 2000 online Help.
For more information about Active Directory Logical Structure, refer to the following Microsoft web site:
http://technet2.microsoft.com/WindowsServer/en/library/2b006080-870f-4154-a038-10a628ded8cb1033.mspx?mfr=true
This article describes the following common issues you may encounter when you install Active Directory on a home network:
(http://support.microsoft.com/kb/258717/EN-US/) Configuring Windows 2000 Professional to Work in a Peer-to-Peer Workgroup
IP Configuration
The Active Directory domain controller should point to its own IP address in the DNS server list to prevent possible DNS connectivity issues.
You need a dedicated IP address to install Active Directory. If you do not use a dedicated IP address, DNS registrations may not work and Active Directory functionality may be lost. If the computer is a multi-homed computer, the network adapter that is not connected to the Internet can host the dedicated IP address.
To configure your IP configuration, use the following steps:
Active Network Connection Required During Installation
The installation of Active Directory requires an active network connection. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/259567/EN-US/) 'Active Directory Installation Failed' Error Message When You Use Dcpromo.exe to Promote a Server
"Always On" Connection
An "always on" connection (for example, a cable modem or digital subscriber line [DSL]) is recommended to enable clients to obtain Internet access. If you do not use an "always on" connection, you must configure a demand-dial interface using Network Address Translation (NAT) for clients to access the Internet.
NOTE: For additional information, search the Windows 2000 online Help by typing the keywords NAT and Internet Connection Sharing in the Help index.
To access the Active Directory domain from a remote connection over the Internet, make a Virtual Private Networking (VPN) connection to the server. VPN connections are enabled by default with Windows 2000 Routing and Remote Access.
DNS Configuration
A DNS server that supports Active Directory DNS entries (SRV records) must be present for Active Directory to function properly. Keep the following DNS configuration issues in mind when you install Active Directory on a home network:
Root Zone Entries
External DNS queries to the Internet do not work if a root zone entry exists on the DNS server. To resolve this issue, remove the root zone entry. This entry is identified with a dot (.) in the DNS Manager forward lookup zones.
To check for the existence of the root zone entry, open the forward lookup zones in the DNS Management console. You should see the entry for the domain. If the "dot" zone exists, delete it.
DNS Forwarders
DNS forwarders are necessary to ensure that all DNS entries are correctly sent to your Internet service provider's DNS server. You can only configure DNS forwarders if no root zone entry is present. To configure forwarders on the DNS server:
(http://support.microsoft.com/kb/237675/EN-US/) Setting Up the Domain Name System for Active Directory
Client Connections
Clients should connect to the Active Directory domain controller using an internal network on a second network adapter. This prevents any issues that may arise if clients obtain an IP address from your Internet service provider (ISP). You can achieve this configuration with a second network adapter on the server connected to a hub. You can use NAT or ICS to isolate the clients on the local network. The clients should point to the domain's DNS server to ensure proper DNS connectivity. The DNS server's forwarder will then allow the clients to access DNS addresses on the Internet.
NetBIOS Over TCP/IP
A common security consideration with an active connection to the Internet is the restriction of NetBIOS connections on the network adapter that is directly connected to the Internet. If clients connect on a second network adapter, you can safely disable NetBIOS over TCP/IP on the external network adapter, which prevents attempts at unauthorized NetBIOS access by outside sources.
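The following check is an added example, not part of the original article: it parses text in the layout of `ipconfig /all` and flags the adapter settings described under IP Configuration and NetBIOS Over TCP/IP. The adapter names, addresses and sample output are constructed, and reading "dedicated IP address" as "DHCP disabled" and expecting a "Disabled" value on the NetBIOS line are assumptions of this example.

```python
import re

# Constructed sample in the layout of `ipconfig /all`; adapter names and
# addresses are made up for this example.
SAMPLE = """\
Ethernet adapter Internal:

        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.0.1
        DNS Servers . . . . . . . . . . . : 203.0.113.53
                                            203.0.113.54

Ethernet adapter External:

        DHCP Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 203.0.113.25
"""

HEADER = re.compile(r"^\S.*adapter (.+):\s*$")
FIELD = re.compile(r"^\s+([^:]+?)[ .]*:\s*(.*)$")

def parse_adapters(text):
    """Return {adapter name: {field label: [values]}}."""
    adapters, current, last = {}, None, None
    for line in text.splitlines():
        header, field = HEADER.match(line), FIELD.match(line)
        if header:
            current, last = adapters.setdefault(header.group(1), {}), None
        elif current is not None and field:
            last = current.setdefault(field.group(1), [])
            if field.group(2).strip():
                last.append(field.group(2).strip())
        elif last is not None and line.strip():
            last.append(line.strip())  # continuation, e.g. a second DNS server
    return adapters

def audit(text, internal, external):
    """Return findings for the internal and external adapter names given."""
    adapters = parse_adapters(text)
    inside, outside = adapters.get(internal, {}), adapters.get(external, {})
    findings = []
    # Assumption: a "dedicated" address means DHCP is off on the internal adapter.
    if inside.get("DHCP Enabled") != ["No"]:
        findings.append(f"{internal}: no dedicated (static) IP address")
    if not set(inside.get("IP Address", [])) & set(inside.get("DNS Servers", [])):
        findings.append(f"{internal}: DNS server list lacks the DC's own address")
    # Assumption: ipconfig prints "Disabled" for this field when NetBIOS is off.
    if outside.get("NetBIOS over Tcpip") != ["Disabled"]:
        findings.append(f"{external}: NetBIOS over TCP/IP is not disabled")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, "Internal", "External")) or "no findings")
```

On the constructed sample it reports two findings: the internal adapter lists only outside DNS servers, and the external adapter does not show NetBIOS over TCP/IP as disabled.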
For more security-related information, refer to the following Microsoft Security Web site:
High-Encryption Pack and Internet Connection Software
If your Internet connection requires the installation of an Internet connection program from your ISP, be aware that older versions of these connection programs that are not specifically designed to work with Windows 2000 may cause startup issues if you install them on a Windows 2000-based computer.
Microsoft has published a supported workaround to this issue on the following Microsoft Web site:
http://update.microsoft.com
The product update is titled "Critical Update, March 21, 2000."
For additional information, click the article numbers below to view the articles in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/244671/EN-US/) Error Message: System Cannot Log You on Because Domain <Computername> Is Not Available
(http://support.microsoft.com/kb/255669/EN-US/) Internet Explorer Administration Kit Builds Replace 128-Bit Encryption in Windows 2000