Ditching Windows Active Directory for Synology Active Directory

All questions regarding Synology's Directory Server package can go here
lozman
I'm New!
Posts: 7
Joined: Fri May 13, 2011 5:58 pm

Re: Ditching Windows Active Directory for Synology Active Directory

Postby lozman » Tue Sep 12, 2017 3:10 am

Sieberta,

Thanks for all the excellent posts regarding this. I too have been playing with the SAD service on my 1815+ and I'm a bit on the fence at the moment. I've looked after AD environments at work for a long time, and run a small one at home just for my own whimsical needs. I've set up a new domain on SAD and while it is working ok, it does seem to be a bit slow in a few areas; one you pointed out - managing the GPOs via RSAT (though I still find it a bit slow on Win10), but also random other places that just "feel" slower than they should be - logging in and out, creating profiles, running various commands like net time, opening up SMB shares, setting permissions on folders etc. Sometimes it's a little quicker than others, but overall always slower than I expect compared to real Windows, regardless of wired or wireless. Thought I'd mention this to see if you had any further comments or experience of that.

Another curiosity that I found happened was in the initial configuration. On domain creation it forced the local DNS server address setting to whatever IP address my 4th physical NIC has on the Synology. This NIC wasn't even plugged in so didn't even have a real IP but it still tried to use it anyway. I didn't like this behavior so in the end I switched my configuration by moving my main LAN cable from NIC1 over to NIC4, and adjusted IPs accordingly so that when DNS got set to the IP of NIC4 as before at least it had the real access IP of the unit and worked as expected. Did you notice any behavior similar to that?

Best,
Lozman.
sieberta
Sharp
Posts: 194
Joined: Sun Feb 22, 2015 2:59 pm

Postby sieberta » Tue Sep 12, 2017 7:14 pm

Sorry lozman, I'm not much help. I'm using a 916+ with NIC Teaming, and as such only have one IP address... so it worked as anticipated. Some things might be a bit slower, like setting up a new profile when a domain user logs into a domain PC for the first time, I can't easily A/B test to decide for certain. The speeds we're experiencing, however, I'm happy with as opposed to MSFT based licensing. My biggest concern, in a business environment, is DSM updates. With a Windows Server you can do a bare bones backup and *hopefully* be able to get back to where you were before a Windows Update. With the NAS solution, going back to an older DSM version could prove tricky and unsupported.

sieberta
sieberta
---------
Devices: DS415+ (2014), DS216+II (2016), DS916+ (2017)
Public Service Announcement: Please do not rely on RAID as "backup"... at minimum buy a cheap USB 3.0 HDD and use Hyper Backup...

Postby lozman » Tue Sep 12, 2017 10:40 pm

It's cool, no worries. I'm continuing to test.

Another thing I am trying to figure out at the moment is group policy based folder redirection. I've always struggled to make that work if the target is anything other than a real Windows box with the correct flavor of indexing available. At the very least getting the yellow banner that the indexing isn't available so may be slower than expected. I have enabled Domain-user based home folder set up and have added registry based folder assignment to that. Seems to be working well enough. A quirk I have found is, the folders I have told Windows/the registry to point to on the \\nas\home (Documents, Videos, etc) don't get created automatically on initial user login, and since it is impossible to know the real folder that will be used for each user because of the random number that gets appended (\homes\@dh-domain\username-1104 for example) it is impossible to pre-stage the folders. So my (totally inefficient) process so far has been:

1. Create the user.
2. Log in as that user to a domain machine - this creates the user folder with the random number at the end in the \homes\DH-domain folder on the NAS.
3. Log the user off.
4. Go into the NAS and create the various user sub-folders (Documents, Video, Pictures etc) manually.
5. Delete the local user profile from the machine I first logged the user onto (not strictly necessary, but it just fixes/rectifies a couple of quick access locations in explorer that fail to create properly if the folders don't exist).
6. Log back in as the user and check all is good.

I feel sure there must be a better way, but since I have only 5 users in a home setting I haven't bothered so far to keep plugging away at it.

Once you get to 6 though it does seem to all be pretty solid in function.

sieberta wrote:With a Windows Server you can do a bare bones backup and *hopefully* be able to get back to where you were before a Windows Update. With the NAS solution, going back to an older DSM version could prove tricky and unsupported.


Yeah, I can tell you for sure (and you probably already know) that this is not supported or even possible out of the box via the usual GUI, but it can be done with a little jiggery-pokery and I've done it at least once on my other one (ds1511+). Definitely not supported though, and I'm not recommending it :)
Last edited by lozman on Fri Oct 06, 2017 2:13 pm, edited 2 times in total.

Postby sieberta » Fri Oct 06, 2017 1:15 pm

Just an update for those interested in this "standing the test of time". After 5 months, I'm still happy with my decision to ditch Windows and go to Synology for my AD Server.

My fears continue to be:
The possibility of Synology abandoning this package
The possibility of a DSM or AD Server package update breaking my AD and no good roll-back options supported

These tend to not keep me up at night, but I am nervous every update.

sieberta

Postby lozman » Fri Oct 06, 2017 4:19 pm

I too have been really happy with my decision to ditch my Windows Domain Controller VM. As said in my earlier post, I did have an initial feeling that it seemed a lot slower to log on and stuff, but actually, since the dust has settled on the setup I think it might actually be quicker in general.

I dumped the usual GPO folder redirection method in favor of registry changes (still pushed out by a GPO) to set up all the user folders. I enabled the DSM user home service (you have to make sure you do check the box to make that work for Domain users too) and then just push out the registry changes pointing user's home directories to \\nas\home\Documents, etc. Works perfectly and the performance is great.

With regards to your fears about updating, I would be surprised if a DSM update would cause that issue. This setup is really just layered on top of SAMBA, so I expect the underlying infrastructure would have to get pretty broken for it to affect things that way. And, if Synology decides to pull support for the package or deprecate it, then maybe standing up an additional windows server/VM adding it to the Synology domain and then promoting it as a DC might provide an easy way to migrate back to a true Windows setup?
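
As an added example (not part of the original posts, and not the posters' or Synology's own script): a per-user logon script that automates the manual sub-folder creation from lozman's six-step process and the registry-based redirection described in the post above. It assumes the script is assigned as a GPO user logon script, that `\\nas\home` resolves to the logged-on user's own home folder, and that the folder list shown is the one wanted.

```powershell
# Added example: hypothetical logon script, run in the user's own context.
# \\nas\home is the path named in the thread; the folder list is an assumption.
$HomeShare = '\\nas\home'

# "User Shell Folders" value name -> sub-folder to create on the NAS
$Redirects = [ordered]@{
    'Personal'    = 'Documents'
    'My Pictures' = 'Pictures'
    'My Video'    = 'Videos'
    'My Music'    = 'Music'
}
$RegPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'

# If the NAS is unreachable, leave the profile untouched rather than
# pointing Explorer at a dead UNC path.
if (-not (Test-Path -LiteralPath $HomeShare)) {
    Write-Warning "$HomeShare is not reachable; skipping folder redirection."
    return
}

foreach ($entry in $Redirects.GetEnumerator()) {
    $target = Join-Path -Path $HomeShare -ChildPath $entry.Value

    # Create the sub-folder as the user, so there is no need to know the
    # numbered folder name on the NAS and the user owns what is created.
    if (-not (Test-Path -LiteralPath $target)) {
        try {
            New-Item -ItemType Directory -Path $target -ErrorAction Stop | Out-Null
        } catch {
            Write-Warning "Could not create ${target}: $($_.Exception.Message)"
            continue   # never redirect to a folder that does not exist
        }
    }

    # Write the redirection only once the target folder is known to exist.
    New-ItemProperty -Path $RegPath -Name $entry.Key -Value $target `
        -PropertyType ExpandString -Force | Out-Null
}
```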
sourceminer
I'm New!
Posts: 6
Joined: Tue Dec 17, 2013 5:45 pm

Postby sourceminer » Mon Oct 09, 2017 6:02 pm

Hey guys, thanks for the info you're compiling.
I have confirmed from Synology Support however that you cannot do site to site replication with SAD.
So if you're intending to create a branch office you cannot build a secondary AD at that location.

I have been told to create a suggestion on this site:
https://www.synology.com/en-us/form/inquiry/feature

However because SAD is not listed under packages you have to select other.
To completely ditch WAD you need a scalable SAD.
synal
I'm New!
Posts: 8
Joined: Sun Nov 26, 2017 7:31 pm

Postby synal » Mon Nov 27, 2017 11:09 pm

@sieberta Thank you for the detailed updates. Not being able to back up the AD is not good. Especially in a production environment. Have you tried using Hyper Backup to back it up?

Postby sieberta » Tue Nov 28, 2017 2:16 pm

Sorry for the confusion. You can back it up, but they aren't incremental backups, so if an issue occurs (say a corruption of some sort) and then that corruption is backed up before you catch it, then you don't have a good backup. What I did was set up 7 different weekly backups for each day of the week, so I at least have 7 backups I could restore to. If I don't find the issue within a week, I'm still screwed.

I don't know if Group Policies are part of the backup, but you can easily save those backups using GPMC...

sieberta

Postby synal » Wed Nov 29, 2017 5:27 am

Ah, that’s good to know. I’m in the process of testing and it looks like it’s possible to create a sub domain now. I was able to create internal.mydomain.net today during testing.
naver
I'm New!
Posts: 1
Joined: Thu Nov 30, 2017 5:17 pm

Postby naver » Fri Dec 01, 2017 9:46 am

We are looking into the viability of using a Synology NAS with AD to replace an ancient Windows domain controller.

I have a few questions that I hope someone who has done this already can please advise:

1. As it seems like you cannot add the Synology AD as a backup domain controller, only a primary, is there a straightforward method of transferring the ~40 accounts (including passwords) and OU structure from the old domain to the new one?

2. How easy is it to manage creating network shares and permissions, would this be done on DSM or through the Windows PC with RSAT?

3. People who have had this replacing a Windows DC for a while now, is there anything we should know in implementing this, that hasn't already been raised in this thread? Eg the issues changing passwords, setting up the time server etc.

Thanks in advance for your help! :)

Postby sieberta » Fri Dec 01, 2017 1:57 pm

1: I'm unaware of a straightforward way to do this. I set up a new domain and moved all of my machines/users to new accounts.
2: Super easy, that will all be done through DSM.
3: You probably already read it, but there may be other caveats here: https://forum.synology.com/enu/viewtopi ... 4&t=132330 plus there is the fact some things in GPMC give errors and don't load. I've generally thought that is because this is equivalent to a Windows 2012 AD... so it may be no change for you??? I haven't found anything I really needed/wanted to do in GP I couldn't do.

sieberta

Postby synal » Fri Dec 08, 2017 1:53 am

Stupid question but does someone have a link or a guide on how to redirect folders to my nas via gpo? I'm testing out domain server package and want to set it up to see how well it works.

Thank you
synology_ukman
Enlightened
Posts: 423
Joined: Fri Oct 26, 2012 4:51 pm

Postby synology_ukman » Fri Dec 08, 2017 10:19 am

I would not use the NAS for DHCP.
Really not a good idea to put all your eggs in one basket.
