Razorback


Setting Up a Windows 2000 Domain Controller

So, I suppose you're in a position where you've accumulated quite a ton of old computers, and you have all these CD-R discs or flash drives being passed around each of them. Managing them all can grow quite cumbersome, and at some point you've gotta ask yourself "is there a better way I can get Quake or Office loaded on that Socket 5 machine of mine?"

Why, yes, there is. In fact, MS-DOS and Windows have a long history of being able to connect computers with each other using standard RJ-45 Ethernet cables linked to a hub or switch. It can be as simple as setting up a workgroup file share which several computers can connect to in a small network, but if you really want to step things up, you may want to consider setting up a domain controller.

In Windows networking lingo, a domain is a step above a workgroup; not only does it help organize shared resources on a local area network, it offers plenty of additional functions that aim to provide more consistency across each machine which joins it. User accounts can be managed from one machine, and domain members can use the same credentials to log on anywhere in the network. This centralized logon scheme also opens up several other possibilities, including greater control over shared resource permissions, logon scripts for mapping network drives and time synchronization, and roaming profiles for replicating user configurations across machines.

But why should any of that matter to you? Aren't you just one person? All that's needed is one network share to call it a day, right? Technically, that is very much all you have to do (and make sure all your clients have the matching protocol for your server). Right click a folder, select Sharing, fill out some stuff, and just like that, every computer in your local area network can access the files you've loaded into it.

Even in a single-user environment, though, a domain controller can significantly improve your quality of life, even if it is somewhat of a chore to set up. For sure, setting up a domain controller in Windows 2000 requires significantly more effort than its predecessor, as "classic" domains were designed around older, simpler technologies like NetBIOS. You may even need to acquire some additional hardware for the job, but don't worry, this guide has you covered otherwise.

For Best Results

Cisco 8 port network switch

Wi-Fi really isn't gonna cut it. You should plan out how you're going to connect your computers using wired Ethernet networking. If you happen to have Ethernet cables running through your walls, you'll be very well off, but realistically you may be running all of your machines in just one room anyway, so don't fret if you don't have such a convenience. I used to have to run a long Ethernet cable across the house just for my switch to reach the router elsewhere.

Get an Ethernet switch that supports VLAN creation through a console or web control panel; "smart" switches often have this capability. Two normal switches ought to work too, but will add more clutter to your setup.

The domain controller should have two network interfaces if you plan to grant your target computers internet access and don't want your own DNS/DHCP servers interfering with the ones in your main router. Windows 2000 has a built-in routing service that will abstract the outer internet to your machines without letting anything outside your VLAN access it. If you prefer, you can set up a different conventional computer with two NICs as a router by installing pfSense or OpenWRT. These are good modern solutions for routing VLAN traffic that you can use instead of Windows 2000's own. If you are using a virtual machine, one NIC can connect to a bridged adapter leading to the VLAN your other computers will connect to, and the other can be set to use NAT; all you'd need from it is to bring the internet over to the clients.

If you prefer to use a modern Linux-based solution for setting up DNS, DHCP, and routing, your domain controller will only need one network interface. When you run the dcpromo wizard, you can tell it that you will manage DNS yourself if you get a warning about that. Check this guide for a quick tutorial on getting such services running using dnsmasq and iptables.

Considering you may be managing a large amount of data as you grow your network of old computers, the data should be stored on a separate hard disk. A smaller disk can be used for storing the operating system installation. If you are creating a virtual machine, set the boot drive to 2-8GB, and the data drive to 128GB.

If you have one available, use a fast dual CPU system. Like its predecessors, Windows 2000 is designed to take advantage of multiple processors running symmetrically in one computer, so you'll at least make better use of yours by having it be a domain controller. If you will be using a virtual machine, you could assign two logical CPUs to it if you've got the room for that.

Use Windows 2000 Server with Service Pack 4 slipstreamed! This version contains many useful updates to better ensure stability, and comes with some newer drivers as well - ATI Rage XL comes to mind, a very popular video chipset for servers.

Getting Started

If you will be using a VLAN to separate your network of old computers from everything else, make sure they cannot access the other devices in your house, and vice versa. You'll have to configure the VLAN on your switch or router by using a serial console or web interface. If you want Windows 2000 to handle DNS and DHCP, do not enable these in the VLAN you plan to create. If you are not familiar with VLANs, look it up; there are good explanations out there. A VLAN essentially creates logical partitions of a local area network similarly to how you would partition a hard disk.

Once you have decided on a candidate for a domain controller, connect the network interfaces to the appropriate ports - one for your isolated network or VLAN, another going outwards to the internet. Now, get your Windows 2000 Server CD and boot from it. Proceed as you normally would until you reach the licensing options; I assume you are familiar with most of the setup process otherwise.

Windows 2000 licensing modes: Per server, 2000 concurrent connections

For an internal home network, I wouldn't even bother trying to gather legitimate client access licenses; it's not gonna happen. Just set the number of concurrent connections to a high arbitrary number like 2,000. Pshahahaha...

DNS and DHCP optional components selected

You will be prompted to select some optional components for installation. The most useful ones are located in the Networking Services category. Unless you will rely on a different DNS and DHCP server, install the DNS and DHCP services here. Note that while your router is very likely to update its DNS records when a computer connects through DHCP, it may not give you manual control over those records. This can be a letdown, because an Active Directory domain expects DNS records of its own (if not an entire zone) pointing to the domain controller, not just a record for the computer's name. This is why setting up the server as part of an isolated VLAN is necessary for best results; otherwise you'd also have two DHCP servers conflicting with each other.

If you do not want to bother with setting up another DHCP server, you can get away with only installing the DNS component, but you'll have to manually set each and every one of your clients' preferred DNS servers to the static IP address you'll have to assign to the domain controller. The alternate DNS server set on your clients will then have to be the one coming from your router, which should have an embedded DNS server.

After going through some more forms like usual, Windows 2000 may find some drivers for your network adapters already. If this is the case, you may try to configure them here, but you'll have to be mindful of their MAC addresses, as one must be set up differently from the other. This will be explained later. Whatever the case, do not attempt to join a domain, as we have yet to create it.

Installing driver for network card in Device Manager

After logging on for the first time following a reboot, disable the "Configure Your Server" dialog, as it's not really going to be useful here. If you haven't already, you should install drivers for the network cards you have installed right now. Windows 2000 has support for generic USB storage devices out of the box, so loading the driver into the computer shouldn't be too difficult.

Local Area Connection Status and Properties

Once your network drivers are loaded, take note of the MAC address of each adapter; in a command prompt, type ipconfig /all | more to see detailed information for them, pressing the space bar to advance to the next page. The interface which connects to your isolated network is the one that needs to be configured. Before you do, though, it's a good idea to rename it to something contextual, like "Internal", and rename the other one "External". These names will help you tell which interface goes where.

TCP/IP properties for network interface

On the "internal" interface (the one that goes to your isolated network or VLAN), set a static IP address, and set the default gateway and preferred DNS server to that same address. You can make up some Class C (starting in 192.168) internal IP address here; 192.168.10.2 should be fine. A subnet mask will be filled in for you automatically, which should be 255.255.255.0 for all Class C IPs. That's all you'll need to set up here; the "external" interface can just use DHCP entirely.
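Telling the two adapters apart by MAC address and then confirming that the internal one carries the static configuration described above is easy to get wrong by eye. The following Python script is an added example, not code from the guide: it parses the text that ipconfig /all prints (the "Ethernet adapter Name:" header lines and the dotted "Field . . . : value" lines), builds a name-to-MAC table, and applies the rule from this section to the internal adapter (static address, with default gateway and DNS server equal to it and a 255.255.255.0 mask). The sample output, adapter descriptions and MAC addresses are constructed for the example.

```python
import re

# Constructed sample of "ipconfig /all" output from a Windows 2000 server with
# its two adapters renamed "Internal" and "External" as the guide suggests.
# It is not captured from a real machine; the MAC addresses are made up.
SAMPLE_IPCONFIG = """\
Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : hornet
        Primary DNS Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : Yes

Ethernet adapter Internal:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Example PCI Ethernet Adapter #1
        Physical Address. . . . . . . . . : 00-11-22-33-44-01
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.10.2
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.10.2
        DNS Servers . . . . . . . . . . . : 192.168.10.2

Ethernet adapter External:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Example PCI Ethernet Adapter #2
        Physical Address. . . . . . . . . : 00-11-22-33-44-02
        DHCP Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.57
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
"""

# "Ethernet adapter Internal:" (unindented) starts a new adapter section.
ADAPTER_RE = re.compile(r"^\S.*adapter (.+):\s*$")
# "        Physical Address. . . . . : 00-11-22-33-44-01" is an indented field line;
# the dots between the field name and the colon are just padding.
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z \-]*?)[ .]*:\s*(.*)$")


def parse_ipconfig(text):
    """Return {adapter name: {field name: value}} from ipconfig /all output.
    Host-level lines before the first adapter header are ignored."""
    adapters = {}
    current = None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(1)
            adapters[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            adapters[current][m.group(1).strip()] = m.group(2).strip()
    return adapters


def mac_table(adapters):
    """Map each adapter name to its MAC address, for telling the NICs apart."""
    return {name: f.get("Physical Address", "") for name, f in adapters.items()}


def find_by_mac(adapters, mac):
    """Name of the adapter carrying this MAC address (case-insensitive), or None."""
    for name, fields in adapters.items():
        if fields.get("Physical Address", "").upper() == mac.upper():
            return name
    return None


def check_internal(adapter):
    """Apply the guide's rule for the internal NIC: a static address, with the
    default gateway and preferred DNS server both equal to that address and a
    Class C mask. Returns a list of problems; empty means it is set up right."""
    problems = []
    if adapter.get("DHCP Enabled", "").lower() != "no":
        problems.append("DHCP is enabled; the internal interface needs a static address")
    ip = adapter.get("IP Address")
    if adapter.get("Default Gateway") != ip:
        problems.append("default gateway does not match the interface address")
    if adapter.get("DNS Servers") != ip:
        problems.append("preferred DNS server does not match the interface address")
    if adapter.get("Subnet Mask") != "255.255.255.0":
        problems.append("subnet mask is not 255.255.255.0")
    return problems


if __name__ == "__main__":
    adapters = parse_ipconfig(SAMPLE_IPCONFIG)
    for name, mac in mac_table(adapters).items():
        print(f"{name}: {mac}")
    print("Internal problems:", check_internal(adapters["Internal"]) or "none")
    print("External problems:", check_internal(adapters["External"]))
```

On a real server you would run ipconfig /all > ipconfig.txt on the Windows 2000 machine, carry the file over, and feed its contents to parse_ipconfig in place of the constructed sample; running the check against the external adapter, as the script does, shows what a DHCP-configured interface looks like under the same rule.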

Installing the NetBEUI protocol

If you plan to connect MS-DOS clients to the server, TCP/IP is a valid option, but the stack which comes with Microsoft Network Client 3.0 is going to take a large bite out of your system's conventional memory, which can be problematic when trying to run certain programs. This is especially the case if you are using the full redirector with it. Therefore, you may wish to install the NetBEUI protocol on the internal network interface. This protocol is very stupid and inefficient, but it works, it's lightweight, and it requires no configuration on the server. If you install this protocol, disable it on the external interface because it's useless there.

Domain Configuration

Active Directory Installation Wizard welcome dialog

Okay, now we are ready to promote this server to a domain controller. In the Run dialog from the Start menu, type dcpromo and press Enter. The Active Directory Installation Wizard will pop up. On the Domain Controller Type page, make sure Domain controller for a new domain is selected. When you name the domain, you'll have to use its full DNS name. If you are configuring this domain for an isolated network, all you have to do is type the domain's name followed by a dot (.). That trailing dot is important. After clicking Next, you may experience a long delay: the wizard is trying to resolve the DNS name, but can't. That's fine, because we will install a new DNS server through this wizard.

The domain's NetBIOS name should match the prefix of the full DNS name to avoid confusion. Windows 9x, NT 4.0 and earlier will use this for connecting with the domain, while Windows 2000 and later will use the DNS name for this task. For example, if the full DNS name was something like storm., the NetBIOS name should be STORM.

Active Directory Database and Log Locations

If you want, you can store the Active Directory database and log on separate hard disks; the wizard suggests doing so to maximize performance and recoverability. Even so, you may also prefer to store them at the default paths where Windows 2000 resides if you want to maximize performance on the server's secondary hard disk where all your shared data goes. You can do the same with the Sysvol directory, but I opted to put all three in their default paths.

Unless the DNS name was already resolved, you'll see a dialog that says the DNS server which handles the name you specified could not be contacted. As planned, we will now select Yes, install and configure DNS on this computer to have the wizard create a DNS zone for our new domain. You can review these settings in the DNS management console under Administrative Tools later to ensure they are accurate, but with the static IP address we defined before, it should already be all set before you even log on to the new domain.

Active Directory Permissions

On an isolated network such as a home VLAN, setting more compatible default permissions for users and group objects should be fine, since it could grant you more flexibility in working with earlier server operating systems. However, you may prefer to use permissions compatible only with servers running Windows 2000 and later. I just picked the first option.

Windows 2000 Server logon dialog with STORM domain listed

That's it for the baseline domain controller configuration. Now, when you log on, you should see your new domain listed when you click the rightmost button to reveal extra options. There's still those other services we have to set up, though.

Creating a DHCP Zone

Selecting the DHCP zone type

If you haven't already, install the DHCP component for Windows 2000. This will be used for dynamically assigning IP addresses to all the clients in your isolated network, if you are to have one set up. After loading the DHCP management console under Administrative Tools, right click on the server in the left side bar and select New Scope. Give this scope a name, and a description if applicable.

Defining IP address range

You'll need to define a range of IP addresses this scope can lease to clients. Going by the convention of the static IP address we assigned to the domain controller, a range from 192.168.10.10 to 192.168.10.99 should be more than enough for any home network. Make sure the subnet mask matches the one assigned to the domain controller's static IP address, which would be 255.255.255.0 in the case of Class C addresses starting in 192.168.

A lease duration of 8 days should be reasonable, but you may wish to shorten it if desired. Whatever the case, on the next step, you'll be asked to configure options for the DHCP scope; select Yes. For both the router and DNS server, you should add the static IP address of your internal network interface, as that will be used for DNS resolution and routing downstream Internet data to your clients. I wouldn't bother creating a WINS server.

You should now see the new scope listed under the server, and your clients should be ready to lease IP addresses from it.
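Before handing the scope to clients, it is worth checking that the pool, the server's static address and the scope options agree with each other; a pool that overlaps a static address produces IP conflicts, and a pool outside the server's subnet leases addresses nobody can route. The following Python function is an added example written for this guide, not part of it or of the DHCP console: it takes the values chosen in this section (the domain controller's 192.168.10.2/255.255.255.0 address and the 192.168.10.10 to 192.168.10.99 pool), confirms the pool lies within the subnet and excludes every static address, and returns the router and DNS options that the scope should hand out. The reserved-address list is an assumption for illustration.

```python
import ipaddress


def plan_scope(server_ip, subnet_mask, start, end, reserved=()):
    """Check a DHCP scope against the addressing the guide sets up.

    server_ip/subnet_mask: the static address on the domain controller's
    internal interface. start/end: the pool the scope may lease from.
    reserved: other static addresses on the network that must not be leased
    (constructed for this example). Returns a dict with the options the scope
    should hand out and a list of problems; an empty list means it is consistent.
    """
    iface = ipaddress.IPv4Interface(f"{server_ip}/{subnet_mask}")
    network = iface.network
    first = ipaddress.IPv4Address(start)
    last = ipaddress.IPv4Address(end)
    problems = []

    if first > last:
        problems.append("start address is above end address")

    # Every pool address must be a usable host address inside the subnet:
    # not outside it, and not the network or broadcast address.
    for label, addr in (("start", first), ("end", last)):
        if addr not in network:
            problems.append(f"{label} address {addr} is outside {network}")
        elif addr in (network.network_address, network.broadcast_address):
            problems.append(f"{label} address {addr} is not a usable host address")

    # A statically assigned address inside the pool would also be leased to a
    # client, producing an IP conflict; it needs an exclusion range instead.
    for addr in (iface.ip, *(ipaddress.IPv4Address(r) for r in reserved)):
        if first <= addr <= last:
            problems.append(f"static address {addr} lies inside the pool; add an exclusion")

    return {
        "network": str(network),
        "pool_size": max(int(last) - int(first) + 1, 0),
        "router": str(iface.ip),  # DHCP option 3: clients route through the DC
        "dns": str(iface.ip),     # DHCP option 6: clients resolve via the DC's DNS
        "problems": problems,
    }


if __name__ == "__main__":
    # The scope from this section of the guide.
    print(plan_scope("192.168.10.2", "255.255.255.0", "192.168.10.10", "192.168.10.99"))
    # A careless pool that swallows the DC's own address, a second static host
    # (constructed), and runs past the end of the subnet.
    print(plan_scope("192.168.10.2", "255.255.255.0", "192.168.10.1", "192.168.11.50",
                     reserved=["192.168.10.50"]))
```

The router and DNS options both come out as the internal interface's address, which is exactly what the scope wizard asks you to enter on the next page; if the problems list is not empty, fix the pool (or add exclusion ranges in the DHCP console) before activating the scope.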

Setting Up Routing

If you do not want to provide internet access to your clients, you can skip this section, but you'll be missing out on a very very cool opportunity to get them connected to my excellent and perfect website. Open the Routing and Remote Access management console in the Administrative Tools group. Right click on the server and select Configure and Enable Routing and Remote Access.

Selecting an internet connection in the Routing and Remote Access Setup Wizard

Select the Internet Connection option, and make sure you select your "external" network interface as the one to be routed. That's really all that needs to be done here; once you've got that set, your clients should be able to access the internet, all while any machines outside the VLAN will not be able to access those inside it.

Creating a New User

List of users and groups in the domain

On a Windows 2000 domain controller, users are not managed via the standard Users control panel. Instead, they are managed through a management console called Active Directory Users and Computers. That, of course, is also located in the Administrative Tools group. Once you've opened that, navigate to the Users group, and you'll see the list of all the users and groups registered to this system. Pretty much all of them are automatically generated on a fresh domain.

Under the Action menu, hover over the New submenu and select User. Give the user a name and a password. You may wish to set the password to never expire, assuming you're using an isolated network only you have access to. After creating the user, double click it in the list so some additional properties can be set. If you plan to have a logon script execute every time the user logs on, go to the Profile tab and type the name of that logon script; in my case, it will be called admlogon.bat. This script does not exist yet, but we will create it soon. Roaming profiles will not be covered in this guide.

If you want this new user to be an administrator for the domain, select the Member Of tab and add this user to the Domain Admins group. You may want to set this user's primary group to Domain Admins if you are going to work with other clients running non-Windows operating systems. By the way, Windows 2000 has a file sharing service for classic Macintosh computers in the optional components menu if you wish to use that; you'll just need to use TCP/IP over Ethernet to share resources with them.

Creating a Logon Script

Logon scripts are stored where you defined the path for the Sysvol directory when you created the domain. By default, this is C:\WINNT\SYSVOL\sysvol\storm\scripts. Navigate to this path, and make sure file extensions are being shown in Folder Options from the Tools drop down menu. Create a new text document matching the filename you defined for the user you created, which would be admlogon.bat in my case. This is just a normal batch script that can be used to run certain commands to initialize some things for a client session. We'll just create a simple script that synchronizes the client's clock to the server's and maps a few network drives to file shares we will create, but you do have more flexibility beyond that.

REM Synchronize this client's clock to the server so logon times and file
REM timestamps agree across the network
NET TIME \\HORNET /SET /Y
REM Map drive letters to the file shares on the server (Z: is reserved for
REM the logon script itself)
NET USE Y: \\HORNET\GARBAGES
NET USE X: \\HORNET\CLIENTS

Of course, you'll want to replace HORNET with the name you gave to the server (not the domain's name), and GARBAGES and CLIENTS with the names of the shares you intend to create. Do not map a network drive to Z:, as that letter is automatically and temporarily mapped to execute the logon script.

Since MS-DOS is quite limited in its batch scripting capabilities compared to Windows NT's native command prompt, you should test it on all the platforms you intend to use it with if you will be connecting MS-DOS and/or Windows 9x clients to the server.

Sharing Files

Okay, now we can get to the part where we actually share the files. This should be as straightforward as it was described at the top, but there is a little bit of extra stuff that ought to be explained here. Either before or after populating several directories with the files you intend to share with the old computers in your network, right click on a directory and select Sharing for each of them.

Permissions for games share: Domain users can only read files

Give the share a name, or go with the default one based on the directory's name. We ought to secure these shares a bit, so click on the Permissions button and remove the Everyone object. Now, add the Domain Admins and Domain Users group objects to the share. Domain Users should only have read permissions, whereas Domain Admins could have full control. Keep in mind that on an NTFS volume, share permissions are combined with the NTFS permissions on the directory itself, and the more restrictive of the two wins for a given user. Click OK on both dialogs, and the directory will be shared with the network.

Assuming you're not encountering connectivity problems from your clients to your server, you should now have a fully operational network of old computers connected to an Active Directory domain controller! Check out these other guides to get some clients connected to your new domain...

One More Thing...

Windows 2000 LAN Manager Authentication Level set to use NTLMv2 if negotiated

By default, Windows 2000 Server will only authenticate using either LM or NTLM, but it introduces support for NTLMv2 logons, which is still in use today. If you want some of your computers to establish more secure connections, you may wish to run secpol.msc and go to Local Policies > Security Options. There, you can find an option called LAN Manager Authentication Level.

Set this to Send LM & NTLM - use NTLMv2 session security if negotiated if you want all your much older machines to continue connecting, but still want added security when newer versions of Windows connect to the server. Windows 2000 and later are capable of logging onto a domain using NTLMv2 out of the box, and Windows NT 4.0 might have it as well in a later service pack. For Windows 9x, NTLMv2 logon support can be added by installing the DSCLIENT package.
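To see what each setting of this policy means for the mixed fleet this guide describes, here is an added Python model, written for this page and not taken from it or from Microsoft, of the six LAN Manager Authentication Level values (stored in the registry as the LmCompatibilityLevel DWORD under HKLM\SYSTEM\CurrentControlSet\Control\Lsa): which responses a client at each level sends, which responses a domain controller at each level accepts, and therefore which machines would stop logging on if the level were raised. The FLEET dictionary, the machine names in it and the LM-only client descriptor are constructed for illustration; the model does not track NTLMv2 session security, which is what distinguishes level 1 from level 0.

```python
# The six values of the "LAN Manager Authentication Level" policy, stored as
# LmCompatibilityLevel (REG_DWORD) under HKLM\SYSTEM\CurrentControlSet\Control\Lsa.
LEVELS = {
    0: "Send LM & NTLM responses",
    1: "Send LM & NTLM - use NTLMv2 session security if negotiated",
    2: "Send NTLM response only",
    3: "Send NTLMv2 response only",
    4: "Send NTLMv2 response only / refuse LM",
    5: "Send NTLMv2 response only / refuse LM & NTLM",
}

# A client with no LmCompatibilityLevel setting at all that only knows the LM
# response. Constructed descriptor for illustration, not a statement about any
# specific client package.
LM_ONLY_CLIENT = frozenset({"LM"})


def client_sends(level):
    """Responses a client at this level puts on the wire. (Levels 1 and up also
    negotiate NTLMv2 session security, which this model does not track.)"""
    if level in (0, 1):
        return {"LM", "NTLM"}
    if level == 2:
        return {"NTLM"}
    return {"NTLMv2"}


def server_accepts(level):
    """Responses a domain controller at this level will validate."""
    if level <= 3:
        return {"LM", "NTLM", "NTLMv2"}
    if level == 4:
        return {"NTLM", "NTLMv2"}
    return {"NTLMv2"}


def logon_outcome(client, server_level):
    """Strongest response the server can accept from this client, or None if
    the logon would be refused. client is an integer level, or a set of
    response names for a client that has no such setting."""
    sent = client_sends(client) if isinstance(client, int) else set(client)
    usable = sent & server_accepts(server_level)
    for response in ("NTLMv2", "NTLM", "LM"):
        if response in usable:
            return response
    return None


def audit(server_level, fleet):
    """fleet: {machine name: client descriptor}. Returns {name: outcome} so you
    can see which machines stop logging on before raising the server's level."""
    return {name: logon_outcome(client, server_level) for name, client in fleet.items()}


# Constructed fleet for the kind of home network in the guide; the client
# levels are chosen to illustrate the outcomes, not measured from real machines.
FLEET = {
    "dos-client": LM_ONLY_CLIENT,   # LM only (assumption for this example)
    "nt4-default": 0,               # sends LM & NTLM
    "win2000-default": 0,           # sends LM & NTLM
    "modern-client": 3,             # sends NTLMv2 only
}

if __name__ == "__main__":
    for level in sorted(LEVELS):
        print(f"level {level}: {LEVELS[level]}")
        for name, outcome in audit(level, FLEET).items():
            print(f"    {name:16} -> {outcome or 'REFUSED'}")
```

Running it shows why the guide settles on level 1: every machine in the constructed fleet still gets in, while level 4 drops the LM-only client and level 5 drops everything that cannot produce an NTLMv2 response.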