How to join the Synology DiskStation into an ADS Domain

From SynologyWiki
Ads-overview.png

Overview

This article guides the Administrator through joining the Synology DiskStation to an ADS Domain Controller. The benefit of using the DiskStation with an ADS Controller is central administration: user and group accounts are set up once, from one computer, on the ADS Controller, and every resource joined to it, such as several DiskStations, authenticates against the same ADS privileges. ADS users therefore use one credential to access any DiskStation on the network, instead of remembering a separate credential for each DiskStation.

This article assumes that the Administrator is an experienced network administrator with a firm grasp of domain, file sharing and networking principles.

Notes:

  • This article was created with Firmware DSM2.3-1118, and Windows 2008 Server
  • The DiskStation was tested to support up to 100,000 ADS Users, and 100,000 ADS Group Accounts.
  • Want to see the Webinar? Please look here.



How to join the DiskStation to the ADS Controller

Step 1: Logging in

  • Login to the Synology DiskStation Manager with administrative credentials.
Dsm22logon.png

Step 2:

  • Go to Win/Mac OS
  • Select the Domain Radio Button
  • Enter the Domain Name of the Domain Controller
    • It's recommended to use the FQDN or the NetBIOS name of the Domain Controller. Please see the Usage of Domain Names section below for further details.
  • Enter the DNS Server IP Address
    • It's recommended to use the DNS Services of the Domain Controller, as such, the IP address of the Domain Controller should be entered in this field.
  • Click Ok
ADS-join.01.png

Step 3:

  • Enter the username of an administrative account that is a member of the Domain Administrators group
  • Enter the password for that Domain Administrator
ADS-join.02.png

Step 4:

The DiskStation will then register itself with the ADS Controller and start caching the user/group accounts from the Domain Controller. This caching can take some time, thirty minutes or more for large domains.

Step 5:

After ADS User/Group accounts have been assigned within the DiskStation, ADS users can begin using the DiskStation to store and access their data. To proceed with the management of ADS privileges, see the next section.


How to manage the shares of the DiskStation with ADS Privileges

Overview: This section will cover how to manage the shares on the DiskStation with ADS User/Group Permissions.

Step 1: Is the DiskStation joined with the Domain?

  • Please make sure that the DiskStation has been successfully joined to the ADS Controller before attempting to adjust permissions for ADS User/Group Accounts.

Step 2: Logging in

  • Login to the Synology DiskStation Manager with administrative credentials.
Dsm22logon.png

Step 3:

  • After joining an ADS Domain, once the user/group accounts have been cached, they are presented in the user list on the DiskStation. To access the Domain Users, go to Privileges -> Users and select Domain Users from the drop-down list.
ADS-join.03.png

Step 4:

Here is how to set up Domain User privileges at the share level on the DiskStation:

  • Select Shared Folder
  • Select a share where to add Domain User Privileges
  • Click on Edit
  • Select the Domain Users from the drop down list, and proceed with permissions settings.
ADS-join.04.png

Step 5:

  • Domain Groups can be selected from the drop down list as well
ADS-join.05.png

Step 6:


How to access the Synology DiskStation shared folders with ADS Privileges

Overview: a quick guide on how to access the Synology DiskStation shared folders using ADS Privileges. Please be sure that:

  • The DiskStation has been joined to the ADS Controller, as outlined here.
  • The DiskStation shares have been set with the proper ADS Permissions, as outlined here.
  • Please be sure to read the How to map a network drive article for additional techniques on mapping a drive to a computer.


Step 1:

  • Begin the map drive wizard
    • Windows users may elect to use Windows Explorer to start the wizard under "Tools -> Map Network Drive", or use the Synology Assistant
    • Mac OS 10.5/10.6 may proceed to "Go -> Connect to Server" from the Finder Menu


ADS-Access-Mac-afp-01.png (Mac OS 10.6, via AFP)
ADS-Access-Mac-smb-01.png (Mac OS 10.6, via SMB)
ADS-access-win2k-01.png (Windows 2000)
ADS-access-xp-01.png (Windows XP)
ADS-access-win7-01.png (Windows 7)
ADS-access-fedora10-01.png (Fedora 10)


Note for Windows 7 clients: if the DiskStation has successfully joined the ADS Domain, but a Windows 7 client cannot access the DiskStation via its IP address or NetBIOS name, even though the following have been checked...

  • The Windows 7 client is set to the same NTP server as the DiskStation
  • The Windows 7 firewall allows File Sharing, and no other security software is interfering with file sharing services
  • Accessing the share from Windows Vista, Windows XP, Windows 2000 or another computer shows no error

...then please try setting LmCompatibilityLevel to "2" as outlined here.
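The checklist above can be audited from the Windows 7 client itself before the registry is touched. The following PowerShell script is an added example, not part of the Synology wiki article: it reports the time source, the inbound File and Printer Sharing firewall rule and the current LmCompatibilityLevel, and only changes the level when the administrator explicitly calls the setter. It assumes an elevated PowerShell session on the Windows 7 client and the English default firewall rule name.

```powershell
# Added example (not from the Synology wiki): audit the Windows 7 client
# prerequisites listed above before changing LmCompatibilityLevel.
# Assumptions: elevated PowerShell on the Windows 7 client; the firewall
# rule name below is the English default.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Meaning of the LmCompatibilityLevel values as documented by Microsoft.
$LmLevels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM, use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only (Windows 7 default)'
    4 = 'Send NTLMv2 response only, refuse LM'
    5 = 'Send NTLMv2 response only, refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    $item = Get-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: the OS default applies
    return [int]$item.LmCompatibilityLevel
}

function Test-ClientPrerequisites {
    # 1. Time source: should be the same NTP server the DiskStation uses.
    Write-Output ('Time source : ' + (w32tm /query /source))

    # 2. Firewall: the inbound File and Printer Sharing (SMB) rule must be enabled.
    $rule = netsh advfirewall firewall show rule name="File and Printer Sharing (SMB-In)"
    Write-Output ('SMB-In rule : ' + (($rule | Select-String 'Enabled') -join ' '))

    # 3. Current NTLM level.
    $level = Get-LmCompatibilityLevel
    if ($null -eq $level) {
        Write-Output 'LmCompatibilityLevel: not set (OS default, 3 on Windows 7)'
    } else {
        Write-Output ('LmCompatibilityLevel: {0} = {1}' -f $level, $LmLevels[$level])
    }
}

function Set-LmCompatibilityLevel {
    param([ValidateRange(0, 5)][int]$Level)
    # Record the previous value so the change can be reverted once the
    # DiskStation is reachable, or when the cause turns out to be elsewhere.
    $previous = Get-LmCompatibilityLevel
    Write-Warning ("Changing LmCompatibilityLevel from '{0}' to {1} ({2})" -f $previous, $Level, $LmLevels[$Level])
    Set-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -Value $Level -Type DWord
    # A reboot (or at least a log-off) is needed before the new level is used.
}

Test-ClientPrerequisites
# Only after the three checks above are clean and access still fails:
# Set-LmCompatibilityLevel -Level 2
```

Level 2 ("Send NTLM response only") is one step below the Windows 7 default of 3, so the client will fall back to NTLMv1 responses; the setter prints the previous value for that reason, so the original level can be restored once the access problem is understood.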


Step 2:

  • Enter the Windows ADS Credentials
  • Usernames can be entered as the following
    • DomainName\Username


ADS-Access-Mac-afp-02.png (Mac OS 10.6)
ADS-access-win2k-02.png (Windows 2000)
ADS-access-xp-02.png (Windows XP)
ADS-access-win7-02.png (Windows 7)
ADS-access-fedora10-02.png (Fedora 10)
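The same mapping can be done from a Windows PowerShell prompt, which makes the DomainName\Username form explicit. The following function is an added example and not part of the Synology wiki article; the NetBIOS domain name SYNOLOGY-WIN2K8 is taken from the "Usage of Domain Names" section, while the host name DiskStation, the share name "public" and the drive letter are assumptions to be replaced with your own values.

```powershell
# Added example (not from the Synology wiki): map a DiskStation share from a
# Windows client with domain credentials in the DomainName\Username form.
# Assumed names (replace them): SYNOLOGY-WIN2K8 is the NetBIOS domain name
# from the article, DiskStation is the NAS host name, "public" is the share.
function Connect-DiskStationShare {
    param(
        [string]$Drive  = 'Z:',
        [string]$Server = 'DiskStation',
        [string]$Share  = 'public',
        [string]$Domain = 'SYNOLOGY-WIN2K8',
        [string]$User   = $env:USERNAME
    )
    # The DiskStation expects DomainName\Username, not user@domain or a bare name.
    $account = "$Domain\$User"
    $unc     = "\\$Server\$Share"

    # Drop any stale mapping on that drive letter first.
    if (Test-Path -LiteralPath $Drive) { net use $Drive /delete /y | Out-Null }

    # "*" makes net use prompt for the password instead of taking it on the
    # command line, where it would be visible in the process list and history.
    net use $Drive $unc * /user:$account /persistent:yes
    if ($LASTEXITCODE -ne 0) {
        throw "Mapping $unc as $account failed (net use exit code $LASTEXITCODE)"
    }
    # Confirm the mapping really points at a readable share by listing it;
    # the number of entries is returned so a caller can check it.
    return (Get-ChildItem -LiteralPath $Drive -ErrorAction Stop | Measure-Object).Count
}

Connect-DiskStationShare
```

If the listing fails with an access error even though the password was accepted, the share's ADS permissions (previous section) rather than the credentials are the first thing to check.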


Step 3:

  • If necessary, open the newly mapped folder


ADS-access-xp-03.png (Windows XP)
ADS-access-win7-03.png (Windows 7)


Step 4:

  • The folder has been mapped successfully


ADS-Access-Mac-afp-03.png (Mac OS 10.6)
ADS-access-win2k-03.png (Windows 2000)
ADS-access-xp-04.png (Windows XP)
ADS-access-win7-04.png (Windows 7)
ADS-access-fedora10-03.png (Fedora 10)


How to access the Synology DiskStation Manager Services with ADS Privileges

Overview: a quick guide on how to access the Synology DiskStation services using ADS Privileges. These services include the File Station, the FTP service, and the DiskStation Manager user management. Please be sure that:

  • The DiskStation has been joined to the ADS Controller, as outlined here.
  • The DiskStation shares have been set with the proper ADS Permissions, as outlined here.
  • That any associated services have been enabled, as outlined here.
  • Please be sure to read the How to access the Synology DiskStation shared folders with ADS Privileges section, as this section uses a similar principle for accessing the DiskStation Manager Services.


Accessing the DiskStation Manager User Management

  • By allowing users to log into the DiskStation, they can see how much space they are using and whether a quota is placed on their account.


ADS-access-dsm01.png (Proceed with ADS credential login)
ADS-access-dsm02.png (Observe the current space usage on the account)


Accessing the File Station

  • If the File Station service has been configured on a separate port, ADS users from remote locations can still access their data using ADS Privileges for authentication.


ADS-access-fs01.png (Proceed with ADS credential login)
ADS-access-fs02.png (The File Station in use; it can be used remotely and still authenticate against ADS through the DiskStation)


Accessing the FTP Service

  • If the FTP service has been enabled, ADS users from remote locations can still access their data using ADS Privileges for authentication.


ADS-access-ftp-01.png (A sample window from an FTP client, using ADS privileges to access the DiskStation)


How to use Sub-folder Permissions

Overview: Sub-folder permissions are best used when finer permission control is needed at the sub-folder level. For example, the departments of a division, such as MRI, Ultrasound and Cardiology, can each be a sub-folder of a Radiology share. Within these sub-folders, members of the MRI group can read and write data only within the MRI sub-folder, but can only read data within the Cardiology or Ultrasound folders.

Here is an example:

  • Radiology (Top Share, all groups have RW access)
    • Cardiology (sub folder - only Cardiology Group has RW access - all other users have RO access or denied access)
    • MRI (sub folder - only MRI Group has RW access, all other users have RO access or denied access)
    • Ultrasound (sub folder - only Ultrasound Group has RW access, all other users have RO access or denied access)

Notes

  • This example shows how to adjust sub-folder permissions using ADS permissions; please make sure that the DiskStation has been joined to the ADS Controller before proceeding.
  • Sub-folder permissions can also be used with local user/group accounts of the Synology DiskStation; please look here to create local user/group accounts.

Step 1: Is the DiskStation joined with the Domain?

If using ADS Permissions, please make sure that the DiskStation has been joined to the ADS Controller.

Step 2: Logging in

  • Login to the Synology DiskStation Manager with administrative credentials.
Dsm22logon.png

Step 3:

  • Enable the File Station Service on the DiskStation
  • Go to File Sharing -> File Station
  • Enable the File Station and Click Ok
  • Enter the File Station service by clicking on the link in the upper right hand corner
EnableFileStation.png

Step 4:

  • Select a sub-folder that requires different sub-level permissions than at the root share level
  • Click on Properties
ADS-subfolder.01.png

Step 5:

  • The ADS owner of a sub-folder can be set from the owner's drop down list.
ADS-subfolder.02.png

Step 6:

  • The ADS Group of a sub-folder can be set from the user group's drop down list.
ADS-subfolder.03.png

Step 7:

  • Here, an ADS User and ADS Group have been assigned to the "subfolder1" underneath the "public" share.
ADS-subfolder.04.png

Step 8:

  • Please make sure that the permissions have been adjusted for this specific folder for these specific users.
  • Press Ok to confirm these changes.
ADS-subfolder.05.png


How to Enable ADS User Home

Overview: ADS User Home is a function where the DiskStation automatically creates a private home folder for each ADS user who signs into the DiskStation. This relieves the Administrator of manually creating private folders for each user and assigning individual permissions for each share. A private home folder can only be accessed by its owner and by the Administrator of the DiskStation.

Step 1: Is the DiskStation joined with the Domain?

  • Please make sure that the DiskStation has been successfully joined to the ADS Controller before activating the ADS User Home Service.

Step 2: Logging in

  • Login to the Synology DiskStation Manager with administrative credentials.
Dsm22logon.png

Step 3:

  • Go to Privileges -> User
  • Click on User Home
ADS-userHome.01.png

Step 4:

  • Enable User Home Service and Include Domain Users
  • Click on Ok
ADS-userHome.02.png

Step 5: How to view private data from the User Perspective

  • Have the ADS User Browse or map a drive connection to the \\DiskStation\home
  • When asked for credentials, the user enters his or her ADS credentials and then has access to the private data.
  • Please refer to the How to access the Synology DiskStation shared folders with ADS Privileges section for further information on how to access the "User Home" folder.
ADS-userHome.04.png


How to Migrate data to the Synology DiskStation Users' Home Folders

Overview: This section guides the Administrator through basic management of ADS User Home accounts and illustrates how to migrate existing user data to the DiskStation.

Step 1: Is the ADS User Home Service activated?

  • Please make sure that the ADS User Home Service has been enabled before attempting to migrate private user data to each user home folder on the DiskStation.

Migrating User Data, Method 1

  • A private home folder becomes available on the DiskStation only after the ADS user has signed into the DiskStation and accessed his or her home folder. Once the ADS user accesses the DiskStation, the DiskStation creates the home folder for that user.
  • Access the user homes folder on the DiskStation, using the administrative account of the DiskStation.
  • Browse to \\SynologyDiskStation\homes\@DomainName\FolderX\ADSUser-YYYY
    • Notes
      • FolderX is an arbitrary number generated by the Synology DiskStation
      • The YYYY within the user name is an arbitrary ID assigned by the Domain Controller, to prevent accidental viewing of old data. If "janedoe" is deleted and re-created, the second "janedoe" receives a different ID number, so the old "janedoe" folder cannot be accessed.
  • Open the existing storage system where each user has been storing their data
  • Copy or Move the data from the existing storage system to the DiskStation
ADS-userHome.03.png

Migrating User Data, Method 2

  • Have each user sign into the DiskStation and their existing storage system and copy the data from their old location to the DiskStation under their "home" folder.
  • Notes
    • Depending on how many users there are, this procedure can generate a lot of network traffic within the network
    • Using an ADS batch (logon) script to perform this copy automatically may be a better option.
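A logon script of the kind suggested in Method 2, written as an added PowerShell example that is not part of the Synology wiki article. It runs in the context of the signed-in ADS user, so the first access to \\DiskStation\home creates the home folder (the behaviour Method 1 relies on), and then copies that user's data with robocopy. The old server name OLDSERVER, its users and migration-logs shares, and the NAS host name DiskStation are assumptions to be replaced.

```powershell
# Added example (not from the Synology wiki): a per-user logon script for
# "Method 2" that copies each user's data from the old server into the
# DiskStation home folder. Assumed names (replace them): \\OLDSERVER\users is
# the old storage system, \\OLDSERVER\migration-logs a share the users can
# write logs to, DiskStation the NAS. The script runs as the ADS user, so the
# DomainName\Username identity comes from the environment.
$OldRoot = "\\OLDSERVER\users\$env:USERNAME"
$NasHome = '\\DiskStation\home'          # resolves to the caller's own home folder
$LogRoot = '\\OLDSERVER\migration-logs'
$Marker  = Join-Path $NasHome '.migrated'

function Invoke-HomeMigration {
    # Touching \home first makes the DiskStation create the home folder for
    # this ADS user (see Method 1) before any files are copied.
    if (-not (Test-Path $NasHome)) {
        throw "Cannot reach $NasHome as $env:USERDOMAIN\$env:USERNAME"
    }
    if (Test-Path $Marker) { return 'already migrated' }     # run once per user
    if (-not (Test-Path $OldRoot)) { return "no source folder at $OldRoot" }

    $log = Join-Path $LogRoot ('{0}_{1}.log' -f $env:USERNAME, (Get-Date -Format 'yyyyMMdd-HHmmss'))
    # /E copies empty sub-directories, /COPY:DAT keeps data, attributes and
    # timestamps but deliberately not the old server's ACLs, /XJ skips
    # junctions, /R:2 /W:5 keeps retries short so a logon cannot hang, and
    # /IPG:50 throttles the transfer to limit the network load noted above.
    robocopy $OldRoot $NasHome /E /COPY:DAT /XJ /R:2 /W:5 /IPG:50 /NP /LOG:$log | Out-Null

    # Robocopy exit codes below 8 mean success (possibly with files skipped).
    if ($LASTEXITCODE -lt 8) {
        Set-Content -Path $Marker -Value (Get-Date -Format o)
        return "migrated (robocopy exit $LASTEXITCODE, log: $log)"
    }
    return "FAILED (robocopy exit $LASTEXITCODE, see $log)"
}

Invoke-HomeMigration
```

The marker file in the user's home folder keeps the script idempotent across repeated logons; the copy can be re-run by deleting it. Security descriptors are intentionally not copied, since SIDs from the old server's ACLs would not map onto the DiskStation's share permissions set earlier in this article.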


Greater access control with Windows ACL Support

If finer permission access is required, where multiple users need different access rights to specific files, please refer to the How to use Windows ACL with the Synology DiskStation article.


Tips and suggestions about the DiskStation with the Domain Environment

DNS Server

It is strongly recommended to run the DNS service on the ADS Controller, and to point all DNS clients that join the ADS server (computers, including the DiskStation) at the ADS server for DNS resolution.

NTP Synchronization

Please use the same NTP server across the entire ADS network. The DiskStation, all domain clients and the ADS server should use the same NTP server and be exactly synchronized. Most common domain errors (e.g. failures when accessing shares via DNS name, access permission errors) can be resolved by properly synchronizing time. The time server can be an NTP server outside the network or the NTP service of the ADS Domain Controller; whichever server is used, it must be consistent throughout the network.
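Both recommendations, the DNS server and the time synchronization, can be verified from any Windows domain member. The script below is an added example, not part of the Synology wiki article: it checks that the domain controller is among the configured DNS servers, that the domain FQDN and the DC's SRV record resolve, and how far the client's clock is from the DC's. The FQDN SYNOLOGY-WIN2K8.COM and the DC address 192.168.0.100 are the sample values from the "Usage of Domain Names" section and should be replaced with your own.

```powershell
# Added example (not from the Synology wiki): verify the DNS and NTP
# recommendations from a Windows domain member. Assumed values (replace
# them): the FQDN and DC address are the article's sample names.
$DomainFqdn = 'SYNOLOGY-WIN2K8.COM'
$DcAddress  = '192.168.0.100'

function Test-DomainDns {
    # Every IP-enabled adapter should list the domain controller as a DNS server.
    $dnsServers = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
        ForEach-Object { $_.DNSServerSearchOrder }
    $usesDc = @($dnsServers) -contains $DcAddress
    Write-Output ('DNS servers : {0}  (DC listed: {1})' -f (@($dnsServers) -join ', '), $usesDc)

    # The domain FQDN must resolve, and the DC is located through its SRV record.
    try {
        $ips = [System.Net.Dns]::GetHostAddresses($DomainFqdn) | ForEach-Object { $_.IPAddressToString }
        Write-Output ('{0} resolves to {1}' -f $DomainFqdn, ($ips -join ', '))
    } catch {
        Write-Warning ('{0} does not resolve: {1}' -f $DomainFqdn, $_.Exception.Message)
    }
    $srv = nslookup -type=SRV "_ldap._tcp.dc._msdcs.$DomainFqdn" $DcAddress 2>$null
    Write-Output (($srv | Select-String 'svr hostname') -join "`n")
    return $usesDc
}

function Get-TimeOffsetSeconds {
    param([string]$Peer)
    # w32tm /stripchart prints one "time, +offset s" line per sample; use the last.
    $lines = w32tm /stripchart /computer:$Peer /samples:3 /dataonly
    $last  = $lines | Select-String '([+-]\d+[.,]\d+)s' | Select-Object -Last 1
    if ($null -eq $last) { return $null }
    return [double]($last.Matches[0].Groups[1].Value -replace ',', '.')
}

function Test-TimeSync {
    # Domain authentication tolerates only a small clock skew (5 minutes is the
    # Windows default), so anything beyond a minute is flagged here.
    $offset = Get-TimeOffsetSeconds -Peer $DcAddress
    if ($null -eq $offset) { Write-Warning "No time sample from $DcAddress"; return $null }
    $state = if ([math]::Abs($offset) -gt 60) { 'OUT OF SYNC' } else { 'ok' }
    Write-Output ('Offset vs {0}: {1:N3} s  {2}' -f $DcAddress, $offset, $state)
    return $offset
}

Test-DomainDns | Out-Null
Test-TimeSync  | Out-Null
```

Run it on a client that shows the DNS-name or permission errors described above; a missing DC in the DNS list or an offset of minutes points directly at one of the two recommendations.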

Refresh the DiskStation cache of ADS Users/Groups

Typically, cached permissions on the DiskStation that are older than ten minutes are refreshed when a new ADS user attempts to sign into the DiskStation. To refresh the ADS permissions manually, view the ADS Users/Groups from the Privileges menu when adjusting the permissions of a share, as outlined here.

Behavior of the DiskStation during a communication error/failure with the ADS Controller

If the DiskStation loses contact with the ADS Controller, the permission set already cached on the DiskStation remains in use until the DiskStation reboots or regains communication with the ADS Controller.

Usage of Domain Names

Use one name or IP address of the ADS Domain to join the DiskStation to the ADS Controller. Here are three examples of names which may be used to join the DiskStation to the Domain:

  • NetBIOS Name of Domain: SYNOLOGY-WIN2K8
  • FQDN of Domain: SYNOLOGY-WIN2K8.COM
  • IP Address of Domain Controller: 192.168.0.100

WINS Server

Required for joining ADS Domains in different subnets (see Q11 of the Domain FAQ): the WINS Server field must be set to the address of the WINS server in the Domain network. This field is located under File Sharing --> Win/Mac OS in the DiskStation Manager.

ADS-wins.png


ADS Domain FAQ

The ADS Domain FAQ contains further information, such as common resolutions when joining the DiskStation to the Domain Controller, how to join Windows 2008 domains, or how to join a Domain on a separate subnet. When this article was written, the ADS Domain FAQ contained the following questions. For further information about this document, please look here.


  1. How do I join Windows domain?
  2. Why can’t I join Windows domain even with KDC IP specified?
  3. What should I do when I receive the message “Invalid domain name Please check the DNS setting of the domain server and use complete domain name to join”?
  4. What should I do when I receive the message “Cannot find the domain workgroup Please enter a correct KDC IP”?
  5. What should I do when I receive the message “account expires”?
  6. What should I do when I receive the message “this account has been disabled”?
  7. What should I do when I receive the message “this account cannot logon at present”?
  8. What should I do when I receive the message “cannot logon to the workstation”?
  9. What should I do when I receive the message “Permission denied Please use domain Admins to join”?
  10. What should I do when I cannot access shared folders as a domain user even with the correct password?
  11. How do I join domain in different subnets?
  12. What should I do when I receive the error message “Failed to connect to the server The client may not to be connected with the server or the client does not pass the authentication (Error code: 1240) when using domain user map to drive by assistant”?
  13. Why can’t some domain users log in or map drive while others can?
  14. Why can’t any domain users within my domain log in or map drive?
  15. Why can’t some domain users access the Synology NAS Server after privileges are set?
  16. How do I join domain in a Windows server 2008 domain controller?


Have additional questions?

Please contact Online Support for further assistance.
