SUMMARY
This article contains information to simplify the
installation of Active Directory on a home network by identifying common
configuration issues. For additional information about any of the information
in this article, refer to the Windows 2000 online Help.
For more information about Active Directory Logical Structure, refer to the following Microsoft web site:
This article describes the following common issues you may
encounter when you install Active Directory on a home network:
- Internet Protocol (IP) configuration
- Active network connection during installation
- "Always on" connection
- DNS configuration
- Client connections
- NetBIOS over TCP/IP
- High-Encryption Pack and Internet connection software
An alternative to using Active Directory in a home network is
the use of a peer network.
For additional
information about using Windows 2000 in a peer workgroup, click the article
number below to view the article in the Microsoft Knowledge Base:
258717 Configuring Windows 2000 Professional to Work in a Peer-to-Peer Workgroup
MORE INFORMATION
IP Configuration
The Active Directory domain controller should list its own IP
address in its DNS server list to prevent possible DNS connectivity issues.
You need a dedicated (fixed) IP address to install Active Directory. If the
address is not dedicated, DNS registrations may fail and Active Directory
functionality may be lost. If the computer is multi-homed, the network adapter
that is not connected to the Internet can host the dedicated IP address.
To check the IP configuration, follow these steps:
- Right-click My Network Places, and then click Properties.
- Right-click Local Area Connection, and then click Properties.
- Click Internet Protocol (TCP/IP), and then click Properties.
- Click Advanced, and then click the DNS tab. The DNS information should be configured as follows:
  - Configure the DNS server addresses to point to the DNS server. This should be the computer's own IP address if it is the first server or if you are not going to configure a dedicated DNS server.
  - If the Append these DNS suffixes (in order) option is selected for the resolution of unqualified names, the Active Directory DNS domain name should be listed first, at the top of the list.
  - Verify that the information in the DNS Suffix for this connection box is the same as the Active Directory domain name.
  - Make sure that the Register this connection's addresses in DNS check box is selected.
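As an added example that is not part of the original article, the following PowerShell script audits a domain controller's DNS client settings against the points above and confirms that the domain's DC locator SRV record resolves from the server's own address. It assumes Windows Server 2012 or later (the DnsClient and NetTCPIP modules, which Windows 2000 does not have); the adapter alias and the domain name are placeholder parameters.

```powershell
# Audit the DNS client configuration of a domain controller (added example; the
# cmdlets used exist on Windows Server 2012 and later, not on Windows 2000).
param(
    [string]$Adapter  = 'Local Area Connection',  # alias of the internal (LAN) adapter
    [string]$AdDomain = 'home.example.test'        # placeholder Active Directory DNS name
)

$ip = Get-NetIPAddress -InterfaceAlias $Adapter -AddressFamily IPv4 |
      Where-Object { $_.PrefixOrigin -ne 'WellKnown' } | Select-Object -First 1
$dns       = (Get-DnsClientServerAddress -InterfaceAlias $Adapter -AddressFamily IPv4).ServerAddresses
$client    = Get-DnsClient -InterfaceAlias $Adapter
$globalDns = Get-DnsClientGlobalSetting
$findings  = New-Object System.Collections.Generic.List[string]

# A dedicated address is statically assigned, and the DNS server list must include it.
if ($ip.PrefixOrigin -ne 'Manual') {
    $findings.Add("Address $($ip.IPAddress) is assigned by $($ip.PrefixOrigin), not statically.")
}
if ($dns -notcontains $ip.IPAddress) {
    $findings.Add("DNS server list [$($dns -join ', ')] does not include the server's own address $($ip.IPAddress).")
}
# The AD domain name must head the suffix search list (if one is used) and be the connection suffix.
if ($globalDns.UseSuffixSearchList -and $globalDns.SuffixSearchList -and $globalDns.SuffixSearchList[0] -ne $AdDomain) {
    $findings.Add("Suffix search list starts with '$($globalDns.SuffixSearchList[0])', not '$AdDomain'.")
}
if ($client.ConnectionSpecificSuffix -ne $AdDomain) {
    $findings.Add("Connection-specific suffix is '$($client.ConnectionSpecificSuffix)', expected '$AdDomain'.")
}
if (-not $client.RegisterThisConnectionsAddress) {
    $findings.Add("'Register this connection's addresses in DNS' is disabled on '$Adapter'.")
}
# The SRV record clients use to locate a DC must resolve from the server's own DNS service.
try {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$AdDomain" -Type SRV -Server $ip.IPAddress -ErrorAction Stop
    "DC locator SRV record resolves to: $(($srv | Where-Object Type -eq 'SRV').NameTarget -join ', ')"
} catch {
    $findings.Add("SRV lookup for _ldap._tcp.dc._msdcs.$AdDomain against $($ip.IPAddress) failed: $($_.Exception.Message)")
}

if ($findings.Count -eq 0) { 'DNS client configuration matches the guidance.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

A failed SRV lookup with an otherwise correct client configuration usually means the Netlogon service has not registered the records yet, or the DNS zone is not accepting dynamic updates.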
Active Network Connection Required During Installation
The installation of Active Directory requires an active network
connection.
For additional information, click the article number below to
view the article in the Microsoft Knowledge Base:
259567 'Active Directory Installation Failed' Error Message When You Use Dcpromo.exe to Promote a Server
"Always On" Connection
An "always on" connection (for example, a cable modem or digital
subscriber line [DSL] line) is recommended to enable clients to obtain Internet
access. If you do not use an "always on" connection, you must configure a
demand-dial interface using Network Address Translation (NAT) for clients to
access the Internet.
NOTE: For additional information, search the Windows 2000 online Help
by typing the keywords NAT and Internet Connection Sharing in the Help index.
To access the
Active Directory domain from a remote connection over the Internet, make a
Virtual Private Networking (VPN) connection to the server. VPN connections are
enabled by default with Windows 2000 Routing and Remote Access.
DNS Configuration
A DNS server that supports Active Directory DNS entries (SRV
records) must be present for Active Directory to function properly. You need to
keep in mind the following DNS configuration issues when you install Active
Directory on a home network:
- Root zone entries
- DNS forwarders
Root Zone Entries
External DNS queries to the Internet do not work if a root zone
entry exists on the DNS server, because the server then considers itself
authoritative for the entire DNS namespace and never forwards or recurses to
the Internet root servers. To resolve this issue, remove the root zone entry.
This entry is identified with a dot (.) in the DNS Manager forward lookup zones.
To check for the existence of the root zone entry,
open the forward lookup zones in the DNS Management console. You should see the
entry for the domain. If the "dot" zone exists, delete it.
DNS Forwarders
DNS forwarders ensure that queries for names outside your local
zones are sent to your Internet service provider's DNS server. You can
configure DNS forwarders only if no root zone entry is present. To configure
forwarders on the DNS server:
- Start the DNS Management console.
- Right-click the name of the server, and then click Properties.
- On the Forwarders tab, click to select the Enable Forwarders check box.
- Type the appropriate IP addresses for the DNS servers that may be accepting forwarded requests from this DNS server. The list is read top-down in order, so place the preferred DNS server at the top of the list.
- Click OK to accept the changes.
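The following PowerShell script is an added example, not part of the original article, covering both the Root Zone Entries and DNS Forwarders sections: it reports whether the "." zone exists and whether forwarders are set, optionally corrects both (root zone first, since forwarders cannot be set while it exists), and then proves an external name resolves through the server. It assumes the DnsServer module of Windows Server 2012 or later; the forwarder addresses are constructed placeholders.

```powershell
# Check a DNS server for the "." root zone and for forwarders (added example; assumes the
# DnsServer PowerShell module of Windows Server 2012+, which Windows 2000 does not have).
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$DnsServer = 'localhost',
    [string[]]$IspDns  = @('192.0.2.53', '198.51.100.53'),  # constructed placeholder ISP resolvers
    [switch]$Fix                                             # remove the root zone / set forwarders
)

# 1. Root zone: a zone literally named "." makes the server authoritative for the whole
#    namespace, so it never forwards or recurses for Internet names.
$hasRoot = { Get-DnsServerZone -ComputerName $DnsServer | Where-Object { $_.ZoneName -eq '.' } }
if (& $hasRoot) {
    "FINDING: root zone '.' exists; external name resolution and forwarders are blocked."
    if ($Fix -and $PSCmdlet.ShouldProcess($DnsServer, "Remove root zone '.'")) {
        Remove-DnsServerZone -Name '.' -ComputerName $DnsServer -Force
    }
} else { "OK: no root zone '.' configured." }

# 2. Forwarders: the list is used top-down, so the preferred ISP server goes first.
$fwd = Get-DnsServerForwarder -ComputerName $DnsServer
if (-not $fwd.IPAddress) {
    "FINDING: no forwarders configured (queries rely on root hints only)."
    if ($Fix -and -not (& $hasRoot) -and
        $PSCmdlet.ShouldProcess($DnsServer, "Set forwarders $($IspDns -join ', ')")) {
        Set-DnsServerForwarder -IPAddress $IspDns -ComputerName $DnsServer
    }
} else {
    "OK: forwarders in order: $(($fwd.IPAddress | ForEach-Object { $_.IPAddressToString }) -join ', ')"
}

# 3. Prove that an external name resolves through this server.
try {
    $a = Resolve-DnsName -Name 'www.example.com' -Type A -Server $DnsServer -ErrorAction Stop
    "OK: external lookup returned $(($a | Where-Object Type -eq 'A').IPAddress -join ', ')"
} catch { "FINDING: external lookup failed: $($_.Exception.Message)" }
```

Run with -Fix -WhatIf first to see which changes would be made without applying them.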
For additional information about DNS issues,
click the article number below to view the article in the Microsoft Knowledge
Base:
237675 Setting Up the Domain Name System for Active Directory
Client Connections
Clients should connect to the Active Directory domain controller
using an internal network on a second network adapter. This prevents any issues
that may arise if clients obtain an IP address from your Internet service
provider (ISP). You can achieve this configuration with a second network
adapter on the server connected to a hub. You can use NAT or Internet Connection Sharing (ICS) to isolate the
clients on the local network. The clients should point to the domain's DNS
server to ensure proper DNS connectivity. The DNS server's forwarder will then
allow the clients to access DNS addresses on the Internet.
NetBIOS Over TCP/IP
A common security consideration with an active connection to the
Internet is restricting NetBIOS connections on the network adapter that is
directly connected to the Internet. If clients connect on a second network
adapter, their file and printer sharing traffic never needs the external
adapter, so you can safely disable NetBIOS over TCP/IP on the external network
adapter and block unsolicited NetBIOS access from outside sources.
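As an added example that is not part of the original article, this PowerShell script reports the NetBIOS over TCP/IP setting of every IP-enabled adapter and, with -Disable, turns it off on the Internet-facing adapter only. It uses the Win32_NetworkAdapterConfiguration class, so it runs on any current Windows; the external adapter's connection name is a placeholder parameter.

```powershell
# Report NetBIOS over TCP/IP per adapter and optionally disable it on the external one
# (added example; uses the Win32_NetworkAdapterConfiguration CIM class).
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$ExternalAdapter = 'External',   # placeholder: connection name of the Internet adapter
    [switch]$Disable
)

# TcpipNetbiosOptions values used by SetTcpipNetbios: 0 = setting from DHCP, 1 = enabled, 2 = disabled.
$label = @{ 0 = 'Default (via DHCP)'; 1 = 'Enabled'; 2 = 'Disabled' }

foreach ($cfg in Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE') {
    # The connection name ("Local Area Connection") lives on the associated Win32_NetworkAdapter.
    $nic  = Get-CimInstance Win32_NetworkAdapter -Filter "Index = $($cfg.Index)"
    $name = $nic.NetConnectionID
    "{0,-25} {1,-40} NetBIOS over TCP/IP: {2}" -f $name, ($cfg.IPAddress -join ','), $label[[int]$cfg.TcpipNetbiosOptions]

    if ($Disable -and $name -eq $ExternalAdapter -and $cfg.TcpipNetbiosOptions -ne 2 -and
        $PSCmdlet.ShouldProcess($name, 'Disable NetBIOS over TCP/IP')) {
        $r = Invoke-CimMethod -InputObject $cfg -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = [uint32]2 }
        switch ($r.ReturnValue) {
            0       { "Disabled NetBIOS over TCP/IP on '$name'." }
            1       { "Disabled NetBIOS over TCP/IP on '$name'; a reboot is required." }
            default { "SetTcpipNetbios on '$name' failed with code $($r.ReturnValue)." }
        }
    }
}
```

Disabling NetBT closes UDP 137/138 and TCP 139 on that adapter only; SMB direct hosting on TCP 445 is unaffected and should be blocked on the external adapter by a firewall rule.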
For more security-related information, refer to the
following Microsoft Security Web site:
High-Encryption Pack and Internet Connection Software
If your Internet connection requires the installation of an
Internet connection program from your ISP, be aware that older versions of
these connection programs that are not specifically designed to work with
Windows 2000 may cause startup issues if you install them on a Windows
2000-based computer.
Microsoft has published a supported workaround
to this issue on the following Microsoft Web site:
The product update is titled "Critical Update, March 21, 2000."
For additional
information, click the article numbers below to view the articles in the
Microsoft Knowledge Base:
244671 Error Message: System Cannot Log You on Because Domain <Computername> Is Not Available
255669 Internet Explorer Administration Kit Builds Replace 128-Bit Encryption in Windows 2000