This article contains information to simplify the installation of Active Directory on a home network by identifying common configuration issues. For additional information about any of the topics in this article, refer to the Windows 2000 online Help.
For more information about Active Directory Logical Structure, refer to the following Microsoft web site:
This article describes the following common issues you may encounter when you install Active Directory on a home network:
- Internet Protocol (IP) configuration
- Active network connection during installation
- "Always on" connection
- DNS configuration
- Client connections
- NetBIOS over TCP/IP
- High-Encryption Pack and Internet connection software
An alternative to using Active Directory in a home network is the use of a peer network. For additional information about using Windows 2000 in a peer workgroup, click the article number below to view the article in the Microsoft Knowledge Base:
Configuring Windows 2000 Professional to Work in a Peer-to-Peer Workgroup
The Active Directory domain controller should point to its own IP address in the DNS server list to prevent possible DNS connectivity issues.
You need a dedicated IP address to install Active Directory. If you do not use a dedicated IP address, DNS registrations may not work and Active Directory functionality may be lost. If the computer is a multi-homed computer, the network adapter that is not connected to the Internet can host the dedicated IP address.
To configure the IP settings, use the following steps:
- Right-click My Network Places, and then click Properties.
- Right-click Local Area Connection, and then click Properties.
- Click Internet Protocol (TCP/IP), and then click Properties.
- Click Advanced, and then click the DNS tab. The DNS information should be configured as follows:
  - Configure the DNS server addresses to point to the DNS server. This should be the computer's own IP address if it is the first server or if you are not going to configure a dedicated DNS server.
  - If the Append these DNS suffixes (in order) option is selected for the resolution of unqualified names, the Active Directory DNS domain name should be listed first, at the top of the list.
  - Verify that the information in the DNS Suffix for this connection box is the same as the Active Directory domain name.
  - Make sure that the Register this connection's addresses in DNS check box is selected.
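The following script is an added example, not part of the Microsoft article: it checks the same DNS client settings the steps above set by hand, on a current Windows Server with the NetTCPIP and DnsClient modules (the Windows 2000 dialogs have no PowerShell equivalent). It assumes the adapter is still named "Local Area Connection"; adjust $Adapter to match the output of Get-NetAdapter.

```powershell
# Added example (not from the Microsoft article). Verifies that the domain controller's
# DNS client settings match the article: own address in the DNS server list, a static
# (dedicated) IP address, connection suffix equal to the AD domain, registration enabled,
# and the AD domain first in the suffix search list if one is configured.
$Adapter = 'Local Area Connection'   # assumption: adapter name from the article
$Domain  = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Name

$ipObj = Get-NetIPAddress -InterfaceAlias $Adapter -AddressFamily IPv4 | Select-Object -First 1
$ip    = $ipObj.IPAddress
$dns   = (Get-DnsClientServerAddress -InterfaceAlias $Adapter -AddressFamily IPv4).ServerAddresses
$clnt  = Get-DnsClient -InterfaceAlias $Adapter
$suffixList = (Get-DnsClientGlobalSetting).SuffixSearchList

$checks = [ordered]@{
    'Dedicated (static) IPv4 address on the adapter'       = ($ip -and $ipObj.PrefixOrigin -eq 'Manual')
    'DNS server list includes this server''s own address'  = ($dns -contains $ip)
    'Connection-specific DNS suffix equals the AD domain'  = ($clnt.ConnectionSpecificSuffix -eq $Domain)
    'Register this connection''s addresses in DNS'         = [bool]$clnt.RegisterThisConnectionsAddress
    'AD domain is first in the suffix search list (if any)' = (($suffixList.Count -eq 0) -or
                                                              ($suffixList[0] -eq $Domain))
}

# Print one OK/FAIL line per check; any FAIL corresponds to a step above that was skipped.
foreach ($c in $checks.GetEnumerator()) {
    '{0,-5} {1}' -f $(if ($c.Value) { 'OK' } else { 'FAIL' }), $c.Key
}
```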
Active Network Connection Required During Installation
The installation of Active Directory requires an active network connection. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
'Active Directory Installation Failed' Error Message When You Use Dcpromo.exe to Promote a Server
"Always On" Connection
An "always on" connection (for example, a cable modem or digital subscriber line [DSL] line) is recommended to enable clients to obtain Internet access. If you do not use an "always on" connection, you must configure a demand-dial interface using Network Address Translation (NAT) for clients to access the Internet.
NOTE: For additional information, search the Windows 2000 online Help by typing the keywords NAT and Internet Connection Sharing in the Help index.
To access the Active Directory domain from a remote connection over the Internet, make a Virtual Private Networking (VPN) connection to the server. VPN connections are enabled by default with Windows 2000 Routing and Remote Access.
A DNS server that supports Active Directory DNS entries (SRV records) must be present for Active Directory to function properly. You need to keep in mind the following DNS configuration issues when you install Active Directory on a home network:
- Root zone entries
- DNS forwarders
Root Zone Entries
External DNS queries to the Internet do not work if a root zone entry exists on the DNS server, because the server then considers itself authoritative for the root and never consults root hints or forwarders. To resolve this issue, remove the root zone entry. This entry is identified with a dot (.) in the DNS Manager forward lookup zones.
To check for the existence of the root zone entry, open the forward lookup zones in the DNS Management console. You should see the entry for the domain. If the "dot" zone exists, delete it.
DNS forwarders are necessary to ensure that all DNS queries this server cannot answer from its own zones are sent to your Internet service provider's DNS server. You can only configure DNS forwarders if no root zone entry is present. To configure forwarders on the DNS server:
- Start the DNS Management console.
- Right-click the name of the server, and then click Properties.
- On the Forwarders tab, click to select the Enable Forwarders check box.
- Type the appropriate IP addresses for the DNS servers that may be accepting forwarded requests from this DNS server. The list reads top-down in order, so place a preferred DNS server at the top of the list.
- Click OK to accept the changes.
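As an added example (not from the Microsoft article), the following script performs the root-zone and forwarder checks described above on a current Windows Server with the DnsServer module, and then verifies through this server alone that the Active Directory SRV records and an outside name resolve. The external host name is a placeholder; replace it with any public name you expect to resolve.

```powershell
# Added example (not from the Microsoft article). Run on the DNS server / domain controller.
$Domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Name

# 1. Root zone: a "." zone makes this server authoritative for the root, so forwarders
#    and root hints are never used. Report it; the removal command is shown, not executed.
$root = Get-DnsServerZone -Name '.' -ErrorAction SilentlyContinue
if ($root) {
    "FAIL  root zone '.' exists; Internet lookups will fail. Remove it with:"
    "      Remove-DnsServerZone -Name '.' -Force"
} else { "OK    no root zone present" }

# 2. Forwarders: tried top-down, so the preferred ISP server belongs first in the list.
$fwd = Get-DnsServerForwarder
if ($fwd.IPAddress.Count -gt 0) {
    "OK    forwarders (in order): $(($fwd.IPAddress | ForEach-Object { $_.ToString() }) -join ', ')"
} else {
    "FAIL  no forwarders configured; set them with Set-DnsServerForwarder -IPAddress <isp-dns-1>,<isp-dns-2>"
}

# 3. Resolve against 127.0.0.1 only, so the answer reflects this server's configuration.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server 127.0.0.1 -ErrorAction SilentlyContinue |
       Where-Object Type -eq 'SRV'
if ($srv) {
    "OK    AD SRV records present for: $($srv.NameTarget -join ', ')"
} else { "FAIL  no _ldap._tcp.dc._msdcs.$Domain SRV records; check the zone and DNS registration" }

$external = 'example.com'   # placeholder public name
$ext = Resolve-DnsName -Name $external -Type A -Server 127.0.0.1 -ErrorAction SilentlyContinue
if ($ext) { "OK    Internet name $external resolves through this server" }
else      { "FAIL  Internet lookup of $external failed; check the root zone and forwarders above" }
```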
For additional information about DNS issues, click the article number below to view the article in the Microsoft Knowledge Base:
Setting Up the Domain Name System for Active Directory
Clients should connect to the Active Directory domain controller using an internal network on a second network adapter. This prevents any issues that may arise if clients obtain an IP address from your Internet service provider (ISP). You can achieve this configuration with a second network adapter on the server connected to a hub. You can use NAT or Internet Connection Sharing (ICS) to isolate the clients on the local network. The clients should point to the domain's DNS server to ensure proper DNS connectivity. The DNS server's forwarder will then allow the clients to resolve DNS names on the Internet.
NetBIOS Over TCP/IP
A common security consideration with an active connection to the Internet is the restriction of NetBIOS connections on the network adapter that is directly connected to the Internet. If clients connect on a second network adapter, you can safely disable NetBIOS over TCP/IP on the external network adapter and block unauthorized NetBIOS access attempts from outside sources.
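The following script is an added example, not from the Microsoft article: it disables NetBIOS over TCP/IP on the Internet-facing adapter only and then lists the NetBIOS state of every IP-enabled adapter so you can confirm that only the internal, client-facing adapter still has it enabled. It uses the Win32_NetworkAdapterConfiguration class, and it assumes the external adapter is named "External" (check Get-NetAdapter for the actual name).

```powershell
# Added example (not from the Microsoft article). Requires an elevated PowerShell session.
# SetTcpipNetbios values: 0 = use the DHCP server's setting, 1 = enabled, 2 = disabled.
$External = 'External'   # assumption: name of the Internet-facing adapter

$index = (Get-NetAdapter -Name $External).InterfaceIndex
$cfg   = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter "InterfaceIndex = $index"

"Before: TcpipNetbiosOptions on '$External' = $($cfg.TcpipNetbiosOptions)"
if ($cfg.TcpipNetbiosOptions -ne 2) {
    $r = Invoke-CimMethod -InputObject $cfg -MethodName SetTcpipNetbios `
                          -Arguments @{ TcpipNetbiosOptions = 2 }
    # ReturnValue 0 = applied; 1 = applied but a reboot is required.
    "SetTcpipNetbios returned $($r.ReturnValue)"
}

# Verify across all IP-enabled adapters: only the internal adapter should read 'Enabled'
# (or 'DHCP default' if the internal network hands out the setting).
$names = @{ 0 = 'DHCP default'; 1 = 'Enabled'; 2 = 'Disabled' }
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Select-Object Description, InterfaceIndex,
        @{ n = 'NetBIOS'; e = { $names[[int]$_.TcpipNetbiosOptions] } }
```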
For more security-related information, refer to the following Microsoft Security Web site:
High-Encryption Pack and Internet Connection Software
If your Internet connection requires the installation of an Internet connection program from your ISP, be aware that older versions of these connection programs that are not specifically designed to work with Windows 2000 may cause startup issues if you install them on a Windows 2000-based computer.
Microsoft has published a supported workaround to this issue on the following Microsoft Web site:
The product update is titled "Critical Update, March 21, 2000."
For additional information, click the article numbers below to view the articles in the Microsoft Knowledge Base:
Error Message: System Cannot Log You on Because Domain <Computername> Is Not Available
Internet Explorer Administration Kit Builds Replace 128-Bit Encryption in Windows 2000