How to Configure Active Directory on a Home Network
This article was previously published under Q260362
This article applies to Windows 2000. Support for Windows 2000 ends on July 13, 2010. The Windows 2000 End-of-Support Solution Center is a starting point for planning your migration strategy from Windows 2000. For more information see the Microsoft Support Lifecycle Policy.
This article has been archived. It is offered "as is" and will no longer be updated.
This article contains information to simplify the installation of Active Directory on a home network by identifying common configuration issues. For additional information about any of the information in this article, refer to the Windows 2000 online Help.
For more information about Active Directory Logical Structure, refer to the following Microsoft web site:
http://technet2.microsoft.com/WindowsServer/en/library/2b006080-870f-4154-a038-10a628ded8cb1033.mspx?mfr=trueThis article describes the following common issues you may encounter when you install Active Directory on a home network:
- Internet Protocol (IP) configuration
- Active network connection during installation
- "Always on" connection
- DNS configuration
- Client connections
- NetBIOS over TCP/IP
- High-Encryption Pack and Internet connection software
258717 Configuring Windows 2000 Professional to Work in a Peer-to-Peer Workgroup
IP ConfigurationThe Active Directory domain controller should point to its own IP address in the DNS server list to prevent possible DNS connectivity issues.
You need a dedicated IP address to install Active Directory. If you do not use a dedicated IP address, DNS registrations may not work and Active Directory functionality may be lost. If the computer is a multi-homed computer, the network adapter that is not connected to the Internet can host the dedicated IP address.
To configure your IP configuration, use the following steps:
- Right-click My Network Places, and then click Properties.
- Right-click Local Area Connection, and then click Properties.
- Click Internet Protocol (TCP/IP), and then click Properties.
- Click Advanced, and then click the DNS tab. The DNS information should be configured as follows:
- Configure the DNS server addresses to point to the DNS server. This should be the computer's own IP address if it is the first server or if you are not going to configure a dedicated DNS server.
- If the Append these DNS suffixes (in order) option is selected for the resolution of unqualified names, the Active Directory DNS domain name should be listed first, at the top of the list.
- Verify that the information in the DNS Suffix for this connection box is the same as the Active Directory domain name.
- Make sure that the Register this connection's addresses in DNS check box is selected.
Active Network Connection Required During InstallationThe installation of Active Directory requires an active network connection. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
259567 'Active Directory Installation Failed' Error Message When You Use Dcpromo.exe to Promote a Server
"Always On" ConnectionAn "always on" connection (for example, a cable modem or digital subscriber line [DSL] line) is recommended to enable clients to obtain Internet access. If you do not use an "always on" connection, you must configure a demand-dial interface using Network Address Translation (NAT) for clients to access the Internet.
NOTE: For additional information, search the Windows 2000 online Help by typing the keywords NAT and Internet Connection Sharing in the Help index.
To access the Active Directory domain from a remote connection over the Internet, make a Virtual Private Networking (VPN) connection to the server. VPN connections are enabled by default with Windows 2000 Routing and Remote Access.
DNS ConfigurationA DNS server that supports Active Directory DNS entries (SRV records) must be present for Active Directory to function properly. You need to keep in mind the following DNS configuration issues when you install Active Directory on a home network:
- Root zone entries
- DNS forwarders
Root Zone EntriesExternal DNS queries to the Internet do not work if a root zone entry exists on the DNS server. To resolve this issue, remove the root zone entry. This entry is identified with a dot (.) in the DNS Manager forward lookup zones.
To check for the existence of the root zone entry, open the forward lookup zones in the DNS Management console. You should see the entry for the domain. If the "dot" zone exists, delete it.
DNS ForwardersDNS forwarders are necessary to ensure that all DNS entries are correctly sent to your Internet service provider's DNS server. You can only configure DNS forwarders if no root zone entry is present. To configure forwarders on the DNS server:
- Start the DNS Management console.
- Right-click the name of the server, and then click Properties.
- On the Forwarders tab, click to select the Enable Forwarders check box.
- Type the appropriate IP addresses for the DNS servers that may be accepting forwarded requests from this DNS server. The list reads top-down in order, so place a preferred DNS server at the top of the list.
- Click OK to accept the changes.
237675 Setting Up the Domain Name System for Active Directory
Client ConnectionsClients should connect to the Active Directory domain controller using an internal network on a second network adapter. This prevents any issues that may arise if clients obtain an IP address from your Internet service provider (ISP). You can achieve this configuration with a second network adapter on the server connected to a hub. You can use NAT or ICS to isolate the clients on the local network. The clients should point to the domain's DNS server to ensure proper DNS connectivity. The DNS server's forwarder will then allow the clients to access DNS addresses on the Internet.
NetBIOS Over TCP/IPA common security consideration with an active connection to the Internet is the restriction of NetBIOS connections on the network adapter that is directly connected to the Internet. If clients connect on a second network adapter, you can safely disable NetBIOS over TCP/IP on the external network adapter, and prevent any attempts of unauthorized NetBIOS access by outside sources.
For more security-related information, refer to the following Microsoft Security Web site:
High-Encryption Pack and Internet Connection SoftwareIf your Internet connection requires the installation of an Internet connection program from your ISP, be aware that older versions of these connection programs that are not specifically designed to work with Windows 2000 may cause startup issues if you install them on a Windows 2000-based computer.
Microsoft has published a supported workaround to this issue on the following Microsoft Web site:
For additional information, click the article numbers below to view the articles in the Microsoft Knowledge Base:
244671 Error Message: System Cannot Log You on Because Domain <Computername> Is Not Available
255669 Internet Explorer Administration Kit Builds Replace 128-Bit Encryption in Windows 2000
Article ID: 260362 - Last Review: 12/05/2015 19:50:10 - Revision: 7.4
Microsoft Windows 2000 Server, Microsoft Windows 2000 Advanced Server
- kbnosurvey kbarchive kbenv kbhowto KB260362