Server 2008 R2 ADS

All questions pertaining to Windows Active Directory Service can go here

Server 2008 R2 ADS

Postby butwelld » Thu Oct 29, 2009 11:18 pm

Has anyone tried ADS with Server 2008 R2?

I'm trying to set this up with my DS207+ and have got the computer object correctly registered, but am struggling to access the shares with Windows returning unknown network errors (probably caused by protocol differences in the new RPC calls).

Any thoughts welcome as this is driving me nuts!

butwelld
butwelld
I'm New!
Posts: 3
Joined: Thu Oct 29, 2009 11:09 pm

Re: Server 2008 R2 ADS

Postby Joshuaw » Fri Oct 30, 2009 3:16 am

Hello @butwelld,

Please contact online support for assistance with this. The link to do so is in my signature.

Cheers,
Joshua
**Please do not Private Message me for support questions; leave it on the forum so all members can learn. Thanks!**
Library ~ SynologyWiki ~ Synology FAQ ~ Compatibility Lists
Forum Links ~ Forum Policy ~ 3rd-party forums ~ Help us help you ~ Posting Images
Demo Links ~ DSM GUI ~ Photo Station
Downloads ~ Firmware Downloads ~ Beta Program
Support ~ Support Form ~ Submit Kernel Log ~ Synology eNews
Joshuaw
Synology Inc
Posts: 892
Joined: Mon Feb 23, 2009 11:08 pm

Re: Server 2008 R2 ADS

Postby nitrox21 » Fri Oct 30, 2009 11:39 pm

Hi butwelld, Hi Joshua

I've got the same problem. Any solution on that?
nitrox21
I'm New!
Posts: 3
Joined: Fri Oct 30, 2009 11:31 pm

Re: Server 2008 R2 ADS

Postby butwelld » Mon Nov 02, 2009 9:38 pm

Hi nitrox21,

I'm still working with support on this one. If it helps, here is what I have done to allow the domain join:

The following changes to the default domain controller policy are needed:

Local Policies\Security Options\Domain Controller: LDAP Server Signing Requirements - None
Local Policies\Security Options\Domain Controller: Refuse machine account password changes - disabled
Local Policies\Security Options\Domain Member: Digitally encrypt or sign secure channel data (always) - disabled
Local Policies\Security Options\Domain Member: Require strong (Windows 2000 or later) session key - disabled
Local Policies\Security Options\Microsoft Network Server: Digitally sign communications (always) - disabled
Local Policies\Security Options\Microsoft Network Server: Digitally sign communications (if client agrees) - enabled
Local Policies\Security Options\Network Security: LAN manager authentication level - Send LM and NTLM responses
Local Policies\Security Options\Network Security: Minimum session security for NTLM SSP based clients - NTLMv2 and encryption disabled
Local Policies\Security Options\Network Security: Minimum session security for NTLM SSP based servers - NTLMv2 and encryption disabled
Local Policies\Security Options\Network Security\Restrict NTLM: Incoming NTLM traffic - allow all
Local Policies\Security Options\Network Security\Restrict NTLM: NTLM authentication in this domain - disable
Local Policies\Security Options\System\Net Logon: Allow cryptography algorithms compatible with NT4 - enabled

To domain join:

Pre-create the computer object in the desired OU
Ensure advanced options are visible in the ADUC console
Change the security settings for the computer object - grant SELF full control
Under delegation grant delegation for all services
Join the domain as per your Server 2008 guide
butwelld
I'm New!
Posts: 3
Joined: Thu Oct 29, 2009 11:09 pm

Re: Server 2008 R2 ADS

Postby nitrox21 » Mon Nov 02, 2009 11:19 pm

Thanks for the settings, I tried those but no luck so far. The strange thing is I can join the DS409slim to the 2008 R2 domain without any problem and even without your "join to the domain" instructions (I don't have to manually create a computer account for the DS). I can also see the AD user accounts in the DS web GUI and set the user privileges. Just accessing the DS shares gives me a network error (from clients and from the domain controller itself). You already have a problem joining the DS to the domain? Strange. I have the DS409slim and you have the DS207+, but I mean, DS 2.2-0942 should be the same software on both DS.
nitrox21
I'm New!
Posts: 3
Joined: Fri Oct 30, 2009 11:31 pm

DS209+II - ADS - Windows Server 2008 R2

Postby jonesg1979 » Sun Nov 22, 2009 6:41 pm

Hi,

I have just recently purchased a DS209+II. I have successfully attached the DS209+II to my local domain - I can see domain users and groups from the UI; I have also checked connectivity to the AD via the terminal (kinit). I am using Windows 2008 R2 as the domain controller. When I try to map a drive on my machine, which is attached to the domain (Windows 7 x64), I get the following error:

net use \\nnn.nnn.nnn.nnn\domainshares
System error 233 has occurred.

No process is on the other end of the pipe.


Any help would be appreciated

Regards,
Gareth
jonesg1979
I'm New!
Posts: 1
Joined: Sun Nov 22, 2009 6:25 pm

Re: DS209+II - ADS - Windows Server 2008 R2

Postby Joshuaw » Wed Nov 25, 2009 12:06 am

Hello Gareth,

Is this limited to a single computer or can no other computers on the domain map a share? Is this limited to Windows 7 or does it apply to other versions of Windows? From Windows 7 can you map a drive using a local account on the Disk Station?
Joshuaw
Synology Inc
Posts: 892
Joined: Mon Feb 23, 2009 11:08 pm

Re: Server 2008 R2 ADS

Postby ktmdms » Wed Dec 16, 2009 6:57 am

I'm having the same problem. DS209+II joined the domain just fine, I can map drives as a local DS user, but never as a domain user. Tells me, when I try to map a drive, "No process is on the other end of the pipe". :x
ktmdms
I'm New!
Posts: 1
Joined: Wed Dec 16, 2009 6:29 am

Re: Server 2008 R2 ADS

Postby dewart » Wed Dec 16, 2009 11:49 am

I'm also getting the same error.

I've got a DS508 with the latest firmware. It worked perfectly in my lab (connecting to Win2008 Standard ADS). The only thing I had to do was enable "Allow cryptography algorithms compatible with NT4".

Unfortunately the live system is a Win2008 R2 ADS.

I originally tried duplicating the setup of my lab, and the DS happily joined the domain (automatically creating the computer object) and it even synchronizes the time with the domain time server (which is the Win2008 R2 PDC). Blissfully ignorant of any problems, I created a share applying user rights using the domain users and groups that the DS found (which all appear correctly). But as soon as I try and browse to or create mapped drives to the share, from either my DCs or my PCs (Win2008 R2 and WinXP SP3 respectively), I get the "No process is on the other end of the pipe" error.

I have tried the instructions in this thread, but I still get the same error.

Also, just like the previous poster, I can create mapped drives to the share if I use a local DS user.
dewart
I'm New!
Posts: 2
Joined: Tue Nov 24, 2009 3:11 pm

Re: Server 2008 R2 ADS

Postby interos » Thu Dec 31, 2009 6:00 am

Has anyone tried ADS with Server 2008 R2?
I'm trying to set this up with my DS207+ and have got the computer object correctly registered, but am struggling to access the shares with Windows returning unknown network errors (probably caused by protocol differences in the new RPC calls).


Having the same problems.

My DS509+ server has the following characteristics:
Server Name: nas01
IP Address: 10.100.0.30
IP Status: Manual
System Status: System is ready.
MAC address: 00:11:32:05:87:DD
Version: 2.2-0959
Model: DS509+
Serial no: 9BFDN00264


Here is what I have tried from a test domain.

Steps:
1. Create a test domain.
2. Joined the Synology DS509+ to the domain.
Win/Mac OS
Windows File Service
Enable Windows file service: yes
WINS server: none
Optimize CIFS database operations: yes
Enable Local Master Browser: yes
Enable CIFS Recycle Bin: yes
Domain/Workgroup
Domain: IMCORP
DNS Server: 10.100.0.10
Advanced domain options (Required only under specific network environment)
DC IP:
Domain NetBIOS name:
Domain FQDN (DNS name):


3. Create a GPO "Synology Domain Authentication"

Group Policy Management
Synology Domain Authentication

Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies/Security Options

Domain controller: LDAP server signing requirements None
Domain controller: Refuse machine account password changes Disabled

Domain member: Digitally sign secure channel data (when possible) Disabled
Domain member: Require strong (Windows 2000 or later) session key Disabled

Microsoft network server: Digitally sign communications (always) Disabled
Microsoft network server: Digitally sign communications (if client agrees) Enabled

Network security: LAN Manager authentication level Send LM & NTLM responses
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients Enabled
Require NTLMv2 session security Disabled
Require 128-bit encryption Disabled
 
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers Enabled
Require NTLMv2 session security Disabled
Require 128-bit encryption Disabled

Other
Policy Setting
Network security: Restrict NTLM: Incoming NTLM traffic Allow all
Network security: Restrict NTLM: NTLM authentication in this domain Disable


I couldn't find the "Allow cryptography algorithms compatible with NT4" setting in the Win2008 R2 GPO Template.

4. Disabled the local firewall on the DC and rebooted the DC.

Results:

1. From the DC, I did the following
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
C:\Users\Administrator>net use * /d
There are no entries in the list.

C:\Users\Administrator>net use \\nas01\software
System error 233 has occurred.
No process is on the other end of the pipe.


I also tried this command from a Windows 7 x64 Client within the domain and get the same message.

2. Tried to connect/map from the Synology Assistant
From the Synology Assistant, I searched the server and tried to connect without any error.
From the Synology Assistant, I tried to map a network drive and was presented with an authentication failed message (ErrorCode:233) for both the local DS admin account, a domain account and a local DS user account I created.

I also connected successfully via FTP from the DC. Not a surprise, it works great.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\Administrator>ftp
ftp> open 10.100.0.30
Connected to 10.100.0.30.
220 nas01 FTP server ready.
User (10.100.0.30:(none)): admin
331 Password required for admin.
Password:
230 User admin logged in.
ftp> ls
200 PORT command successful.
150 Opening BINARY mode data connection for 'file list'.
home
surveillance
software
NetBackup
homes
226 Transfer complete.
ftp: 94 bytes received in 0.00Seconds 94000.00Kbytes/sec.
ftp>


So far, this is a major fail. Any further suggestions?
interos
I'm New!
Posts: 1
Joined: Thu Dec 31, 2009 5:08 am
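
The policy lists in butwelld's and interos's posts above change signing and NTLM options in the domain controller policy, so it is useful to record where each one actually stands on the DC before and after testing. The following is an added example, not part of any post in this thread: a read-only PowerShell check that reads the registry value behind each setting and reports whether it matches the value given in the thread. Policy names follow butwelld's list; the function name `Get-ThreadPolicyState` and the `Thread` column are this example's own, and the two "Restrict NTLM" settings are not covered.

```powershell
# Added example, not from the thread. Read-only; run in an elevated session on the DC.
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Policy = name as written in the thread; Thread = registry value that setting produces.
# Mask (optional) picks the bits to compare in the NTLM SSP values:
# 0x80000 = require NTLMv2 session security, 0x20000000 = require 128-bit encryption.
$checks = @(
    @{ Policy = 'LDAP server signing requirements - None';          Path = "$svc\NTDS\Parameters";         Name = 'LDAPServerIntegrity';      Thread = 1 }
    @{ Policy = 'Refuse machine account password changes - disabled'; Path = "$svc\Netlogon\Parameters";   Name = 'RefusePasswordChange';     Thread = 0 }
    @{ Policy = 'Encrypt or sign secure channel (always) - disabled'; Path = "$svc\Netlogon\Parameters";   Name = 'RequireSignOrSeal';        Thread = 0 }
    @{ Policy = 'Require strong session key - disabled';            Path = "$svc\Netlogon\Parameters";     Name = 'RequireStrongKey';         Thread = 0 }
    @{ Policy = 'Allow NT4-compatible cryptography - enabled';      Path = "$svc\Netlogon\Parameters";     Name = 'AllowNT4Crypto';           Thread = 1 }
    @{ Policy = 'Server: sign communications (always) - disabled';  Path = "$svc\LanmanServer\Parameters"; Name = 'RequireSecuritySignature'; Thread = 0 }
    @{ Policy = 'Server: sign communications (if client agrees) - enabled'; Path = "$svc\LanmanServer\Parameters"; Name = 'EnableSecuritySignature'; Thread = 1 }
    @{ Policy = 'LAN Manager authentication level - Send LM and NTLM'; Path = $lsa;                        Name = 'LmCompatibilityLevel';     Thread = 0 }
    @{ Policy = 'NTLM SSP clients - NTLMv2 and encryption disabled'; Path = "$lsa\MSV1_0";                 Name = 'NTLMMinClientSec';         Thread = 0; Mask = 0x20080000 }
    @{ Policy = 'NTLM SSP servers - NTLMv2 and encryption disabled'; Path = "$lsa\MSV1_0";                 Name = 'NTLMMinServerSec';         Thread = 0; Mask = 0x20080000 }
)

function Get-ThreadPolicyState {
    foreach ($c in $checks) {
        # A missing key or value yields $null instead of an error
        $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        if ($null -eq $v) {
            $state = 'not set (OS default applies)'
        } else {
            $cmp = if ($c.Mask) { $v -band $c.Mask } else { $v }
            $state = if ($cmp -eq $c.Thread) { 'as in thread' } else { 'differs' }
        }
        New-Object PSObject -Property @{ Policy = $c.Policy; Registry = $c.Name; Value = $v; State = $state }
    }
}

Get-ThreadPolicyState | Format-Table Policy, Registry, Value, State -AutoSize
```

Saving the output before and after a test run gives a record of which values were changed and what they need to be set back to.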

Re: Server 2008 R2 ADS

Postby Opusretis » Tue Jan 26, 2010 12:45 pm

This is a bug!

You can solve it with installation of Firmware 2.3 Beta
http://www.synology.com/enu/support/beta/index.php

Regards
Opusretis
Opusretis
I'm New!
Posts: 3
Joined: Sat Jan 23, 2010 10:42 am

Re: Server 2008 R2 ADS

Postby stevewyvill » Sun Jan 31, 2010 10:21 am

Despite applying the latest firmware to my DS409+, I'm still unable to access the shares with a domain account. I can use a local account and get access no problem. I have set the correct permissions for each folder share but am still not able to authenticate to the shares with a Windows domain account (2008 R2). HELP!
stevewyvill
I'm New!
Posts: 4
Joined: Sun Jan 31, 2010 10:13 am

Re: Server 2008 R2 ADS

Postby Opusretis » Sun Jan 31, 2010 4:42 pm

Hi Stevewyvill.

Did you really load the beta firmware 2.3?
All official releases are not able to connect to a 2008 R2 Domain.
Opusretis
I'm New!
Posts: 3
Joined: Sat Jan 23, 2010 10:42 am

Re: Server 2008 R2 ADS

Postby stevewyvill » Tue Feb 02, 2010 11:55 pm

Hi Opusretis. Yes, I applied Disk Manager 2.3 successfully but I'm still unable to access the shares on the DS409+ from any Windows Server 2008 R2 Standard Active Directory Domain account. When I attempt to access a share on the NAS from a client/server I am prompted to enter Windows Security Credentials even though the domain account I am logged in with has the correct permissions to the share. If however I enter credentials of a local account on the NAS that has permissions to the share then I am granted access!!!!!! I'm hoping this issue can be resolved as it's causing me a huge headache at present!!!!!
stevewyvill
I'm New!
Posts: 4
Joined: Sun Jan 31, 2010 10:13 am

Re: Server 2008 R2 ADS

Postby danmiles » Sun Feb 14, 2010 6:00 am

Another tired user here.

Seemingly tried everything - excepting the upgrade to 2.3 beta (although will try if anyone can confirm it fixes the issue)

Cannot map from either Windows 7 (64bit) or Windows 2008 R2.

Optimistic of a resolution soon - I don't look forward to acquiring and configuring another NAS device.

Cheers,
Dan.
danmiles
I'm New!
Posts: 1
Joined: Sun Feb 14, 2010 5:55 am
