Ditching Windows Active Directory for Synology Active Directory

sieberta
Knowledgeable
Posts: 304
Joined: Sun Feb 22, 2015 2:59 pm

Ditching Windows Active Directory for Synology Active Directory

Unread post by sieberta » Fri May 19, 2017 10:35 pm

Edit: While this post has some extra information and specific details coming from Windows Active Directory... I would first read this post: https://forum.synology.com/enu/viewtopi ... 4&t=132330
Intro
So I've been wanting to get rid of my Windows Server 2012 R2 Essentials Domain Controller for a long time and for a long list of reasons. Finally, I feel like I might have a workable solution in Synology Active Directory (Powered by SAMBA 4). I'll do what I can to document this transition over time... as I'm sure I'm not the only one who wants to ditch Windows Server.

Environment
First, a bit about my environment:
10 Users
12 PCs
0 Macs
0 Linux
1 Site (with two users who frequently VPN in)
1 DS916+
1 DS415+, but won't be part of the final solution...

Concerns
I have several concerns, but I'm moving forward anyway... here are a few of them...
1) I don't see a way to have multiple backups of my Active Directory in case something were to go wrong (like corruption or otherwise) and that were to get backed up...
2) Group Policy Editing seems awfully slow over the network from a Win 7 PC
3) Creating all new user accounts (and therefore permissions) and migrating all of the PCs. I didn't see any reasonable way to migrate the Active Directory Users & Computers from Windows.
4) To set up Active Directory you must be on DSM 6.1 or newer, and it automatically switches to that domain... so doing this slowly wouldn't normally be much of an option. Because of the recent Intel Atom mess, I decided to purchase a new DS916+... this gives me a playground on which to work.
5) Getting my VPN user(s) to switch domains (Server 2012 R2 Essentials had a great tool for this)
... I'm sure there are more, but these are the ones I can think of so far.

What I've done so far
1) Configured the 916+ (including shares) and set up CloudStation Client to keep the two in sync. I tried using Shared Folder Sync, but it caused permissions issues.
2) Set up my new Active Directory including users and group policies... went pretty well but editing group policies was pretty "slow" for some reason over the network.
3) Changed over a test laptop to the new domain and migrated the profile using ForensiT... went pretty well actually
4) I'm in the process of doing my own laptop right now... I found that most of my Office (and other) applications didn't know how to sign in anymore and needed credentials... no big deal. That is really a note on ForensiT rather than Synology...

What is left to do
1) I need to finish setting up my laptop, then will run in a hybrid environment for a while to ensure everything works well and that Synology Active Directory is ready for prime time.
2) Obviously I'll need to migrate everyone else's machines at some point.
3) I'll also, eventually, need to change the group policy to map the shares on the 916+ instead of the 415+... but I left it for now in my "mixed" environment.
4) I also haven't set up all the backups and services on the 916+ yet, but those don't really relate to Synology Active Directory, so you may not hear much on that.

As I progress forward, I'll try and keep making updates... like I said, I'm sure I'm not alone in wanting to ditch my Windows Active Directory... and that many of you will be interested in someone else taking the plunge before you.

sieberta
Last edited by sieberta on Fri Jun 09, 2017 4:02 pm, edited 1 time in total.
sieberta
---------
Devices: DS415+ (2014), DS216+II (2016), DS916+ (2017)
Applications: Active Directory Server, Antivirus by McAfee, Cloud Station Server, Cloud Sync, CMS, DNS Server, DHCP Server, Hyper Backup, Hyper Backup Vault, SMB/CIFS, SFTP, Snapshot Replication, Storage Analyzer, VPN Server, WebDAV Server

DMFerreira
Trainee
Posts: 17
Joined: Mon Mar 31, 2014 8:19 pm

Re: Ditching Windows Active Directory for Synology Active Directory

Unread post by DMFerreira » Sat May 20, 2017 9:40 am

Thanks a lot for sharing your experience. Please keep us updated.

I manage the network of my father's small business. Also 10 people, 10 stations and two "servers" (1 PC dedicated to accounting applications and the other PC dedicated to the business itself). Normally 3 to 5 users access remotely.

I'm not using Active Directory Server at the moment because it's an unknown world for me. Although I learn fast on technology, I'm feeling behind on Windows Server and network management. But I would like to take my father's office to the next level.

I'm using a dangerous way of remote access: Windows Remote Desktop to a patched Win7 machine to allow multiple connections. Last year we faced an attack that encrypted all our data. Fortunately my backup strategy came to the rescue and we didn't lose anything.

Long story short. I have a DS916+ at home and I'm keen to play with it to learn more about Directory Server and how to manage group policy.

Can someone recommend a good reading on the subject? Or where can I find good information with examples for someone who doesn't have an IT degree?

Thanks a lot
- Home: DS916+ 8GB [12TB SHR-1 (2xWDRed 4TB + 4TB Seagate IronWolf); 1TB - Daily Photo Backup] + 3TB USB HyperBackup Vault
- Parents Home: DS214+ [3TB (HyperBackup Vault); 3TB (Multimedia Mirror)]

lamamanx
I'm New!
Posts: 3
Joined: Sun Apr 23, 2017 4:56 am

Re: Ditching Windows Active Directory for Synology Active Directory

Unread post by lamamanx » Thu May 25, 2017 10:58 pm

Keep us posted, I am interested how it works for other people.

sieberta
Knowledgeable
Posts: 304
Joined: Sun Feb 22, 2015 2:59 pm

Re: Ditching Windows Active Directory for Synology Active Directory

Unread post by sieberta » Thu Jun 01, 2017 2:53 pm

Updates:

1) Last night I moved 7 of our machines to SAD... so far no complaints.
The remaining 4 will move Friday night. I couldn't do them all at once for lack of access to all machines. Took 25-45 minutes per machine.
2) I used WinMerge to find areas where Cloud Station ShareSync was letting me down. The only differences were those that were documented by Synology. For me, primarily "Program Files" folders, and files that start with ~... oh, and thumbs.db. I didn't care about files that start with ~ or thumbs.db, but I renamed the program files folders (they didn't need to be that) so they would sync.
3) I have set up 5 different backup tasks that back up my applications (primarily for SAD) so that I'll have multiple restore points in case something gets corrupted or an update breaks things.
4) For my one remote user who is never in the office, I ended up taking her machine off the domain. We'll see if that proves good or bad.
5) I ended up using ForensiT for the profile migration and it worked AWESOME! I used personal ed. but will be sending a donation today or purchasing a corp license... one or the other.
6) Right now, users on the SAD are accessing the files on the 916+ and users on Windows AD are accessing files on the 415+ and Share Sync is syncing. This isn't ideal, but it is only for 2 days...

I mentioned group policy editing from a Win 7 machine was slow. From my Win 10 machine it worked great. Don't know if that is because it has better hardware, or because of a hardwired ethernet connection.

One more thing that was really important in my migration. I setup Windows DNS to pull in DNS entries from the NAS for the new domain, and I setup the NAS to pull DNS entries from the Windows domain. This was centrally important in my situation.

Left to do:
1) Move remaining 4 users.
2) Turn off DHCP in Windows and turn on in Synology
3) DHCP will then configure DNS on Synology instead of Windows... right now DNS on Synology is barely being used as all clients go to Windows for DNS information (see note above about syncing those two).

Happy to answer any questions anyone has. I'm sure I've missed something in this write up. There were a few stages where I got stuck for hours on end... but I can't remember them now. One of them may have been the DNS issue.

I'll try and remember to post an update in a few weeks or a month indicating if everything is still going well. So far I'm quite happy.

sieberta

smplante
I'm New!
Posts: 1
Joined: Thu Jun 01, 2017 5:04 pm

Re: Ditching Windows Active Directory for Synology Active Directory

Unread post by smplante » Thu Jun 01, 2017 5:29 pm

Hello sieberta,

I'm also currently working on a Windows 2008 Active Directory to Synology Active Directory migration project.

Since you are probably the most experienced user of Synology Active Directory I've found on the internet (regarding the use of the Synology Active Directory Package), I have some questions for you:

Q1) Do you use Roaming Profiles on your installation?
If yes, did you notice a Microsoft Windows 10 error when a computer gets back on the network (login) after it was used outside the Active Directory LAN?

It looks like there is some issue when the "Store Profile" (on the NAS) does not match the "Computer - Users - Local Profile".
You can find this error in the Windows Log under Event ID 1521.

Now, I have already registered an issue with Synology regarding "Language changed" (from French to English) in the Users Profiles after the first Synchronisation. I'm waiting for an answer from them.

So, maybe this new issue is related?

Thanks for any information you can provide me.

Actually, the documentation on this new Synology Active Directory Package is very, very thin...

sieberta
Knowledgeable
Posts: 304
Joined: Sun Feb 22, 2015 2:59 pm

Re: Ditching Windows Active Directory for Synology Active Directory

Unread post by sieberta » Thu Jun 01, 2017 10:25 pm

smplante wrote:Hello sieberta,

I'm also currently working on a Windows 2008 Active Directory to Synology Active Directory migration project.

Since you are probably the most experienced user of Synology Active Directory I've found on the internet (regarding the use of the Synology Active Directory Package), I have some questions for you:

Q1) Do you use Roaming Profiles on your installation?
If yes, did you notice a Microsoft Windows 10 error when a computer gets back on the network (login) after it was used outside the Active Directory LAN?

It looks like there is some issue when the "Store Profile" (on the NAS) does not match the "Computer - Users - Local Profile".
You can find this error in the Windows Log under Event ID 1521.

Now, I have already registered an issue with Synology regarding "Language changed" (from French to English) in the Users Profiles after the first Synchronisation. I'm waiting for an answer from them.

So, maybe this new issue is related?

Thanks for any information you can provide me.

Actually, the documentation on this new Synology Active Directory Package is very, very thin...
I didn't use roaming profiles... so it seems I'm no help on your questions.

I will say I often searched for SAMBA 4 help when working on Active Directory matters, instead of Synology Active Directory... since that is the machine underneath the Synology Branding. That helped with understanding how to setup group policies.

Also for an update... I have now moved all users. We had two files corrupted by Cloud Station ShareSync, so we moved everyone to avoid more corruption.

sieberta

pwason
I'm New!
Posts: 4
Joined: Fri Jun 02, 2017 5:28 pm

Re: Ditching Windows Active Directory for Synology Active Directory

Unread post by pwason » Fri Jun 02, 2017 5:58 pm

I'm trying to set up something similar, but am getting nowhere fast.

-- I have an RS815RP+ with the latest DSM and ADS package installed, called "valhalla".
-- The RS and three desktops (which are all in a workgroup called "SBS-NET") are connected to a switch.
-- The switch is connected to an ASUS AC wireless router, which in turn is connected to broadband.
-- All the machines are getting their IP addresses from the router (AFAIK).
-- All the machines can ping each other on the network, and RDC works between desktops using local creds.
-- If I create a Shared Folder on the RS, I can browse it from a desktop using an account set up on the RS (i.e., the existing admin account, not an ADS account).

For example, I would like to be able to add user "jrowne" in a group called "advocates", and allow him to log into any of the desktops as a non-admin user, and from that desktop access three Shared Folders on the RS, one R/W only for "jrowne", one R/W for "advocates", and one R-O for all users.

A real ADS holds a database of users and groups created on the ADS, and given permissions on domain member computers (and on the ADS itself).
The Synology Samba-based ADS seems to also hold a database, the difference being that the users are existing users created outside of the ADS, and added to the ADS.
But, I may not be correctly understanding the way Samba works.

On a real M$ ADS (which I'm more familiar with), the domain would be "valhalla.sbs.net", but if I enter this in the ADS config dialog, I'm told it's not a valid domain name.
So I tried "sbs.net", which took. However, if I then go to one of the desktops and try to join it to the domain, it fails to do so, and I'm told that no ADS could be found on the network.
The config dialog also has a "Workgroup" field. I tried entering the existing workgroup name "SBS-NET" here, but it didn't seem to make any difference.

Any ideas? Suggestions? Clarifications?

sieberta
Knowledgeable
Posts: 304
Joined: Sun Feb 22, 2015 2:59 pm

Re: Ditching Windows Active Directory for Synology Active Directory

Unread post by sieberta » Fri Jun 02, 2017 8:22 pm

pwason wrote:I'm trying to set up something similar, but am getting nowhere fast.

-- I have an RS815RP+ with the latest DSM and ADS package installed, called "valhalla".
-- The RS and three desktops (which are all in a workgroup called "SBS-NET") are connected to a switch.
-- The switch is connected to an ASUS AC wireless router, which in turn is connected to broadband.
-- All the machines are getting their IP addresses from the router (AFAIK).
-- All the machines can ping each other on the network, and RDC works between desktops using local creds.
-- If I create a Shared Folder on the RS, I can browse it from a desktop using an account set up on the RS (i.e., the existing admin account, not an ADS account).

For example, I would like to be able to add user "jrowne" in a group called "advocates", and allow him to log into any of the desktops as a non-admin user, and from that desktop access three Shared Folders on the RS, one R/W only for "jrowne", one R/W for "advocates", and one R-O for all users.

A real ADS holds a database of users and groups created on the ADS, and given permissions on domain member computers (and on the ADS itself).
The Synology Samba-based ADS seems to also hold a database, the difference being that the users are existing users created outside of the ADS, and added to the ADS.
But, I may not be correctly understanding the way Samba works.

On a real M$ ADS (which I'm more familiar with), the domain would be "valhalla.sbs.net", but if I enter this in the ADS config dialog, I'm told it's not a valid domain name.
So I tried "sbs.net", which took. However, if I then go to one of the desktops and try to join it to the domain, it fails to do so, and I'm told that no ADS could be found on the network.
The config dialog also has a "Workgroup" field. I tried entering the existing workgroup name "SBS-NET" here, but it didn't seem to make any difference.
1) Do you own the domain sbs.net? If so, you should be able to use it as your domain. That said, I had issues using my real domain, so if I were you I would do valhalla.local as the domain name.
The reason I had issues is because the DNS server limits the configurability of your AD zone... which can be a problem if it is a real domain.
2) If your router is going to hand out IP addresses via DHCP, I think this can work. But you'll either want to tell your router to hand out the DNS address of your RS or hard code that DNS address into your PCs.
Do not set a second DNS address of your router or a public DNS server. You can google why elsewhere.
You could also tell your RS to be the DHCP server... that is what I did. If you do this, disable DHCP on your router!
3) Your users/groups will need to be setup within the Active Directory App, not the local users/groups in Control Panel. This is important.
4) You will need to join each PC to the domain. I'm sure you can google how to do this elsewhere... if you want to keep the users' profiles going, you need to use ForensiT or something else. Google it... it is free for personal use or cheap for commercial use.

Side Notes:
Your RS should've automatically joined the domain when you created it... and it also should've enabled DNS Server ability and done basic configuration of the zones on your domain. Both of these are important for proper operation. You will provide privileges through Control Panel under "Domain" right below Local Users and Groups.

sieberta

Edit: Added the note about disabling DHCP on router.

pwason
I'm New!
Posts: 4
Joined: Fri Jun 02, 2017 5:28 pm

Re: Ditching Windows Active Directory for Synology Active Directory

Unread post by pwason » Sat Jun 03, 2017 12:07 am

Thanks for the reply!

"Owning" the domain has nothing to do with it. I use a .net domain I don't own on a class-c elsewhere with no issues. AFAIK :) But maybe I'll try the .local thing.

The DHCP from the router is giving the RS an IP: 192.168.1.114. I guess I could reserve it so it wouldn't change, but right now I just want to see this ADS thing actually work. No second DNS specified. If I make the RS do DHCP, does it then give the router an "internal" IP? How exactly to do this?

Yes, I created a user in ADS, first creating a group called management (one of the principals was sitting next to me, watching), and then the user in that group. That all worked correctly.

I know about joining PCs to a domain, I've done it thousands of times. :/ When I tell the PC to join SBS.NET it says "No AD server found on the network". If I enter SBS for the domain, it doesn't give an error but afterward "computer name" tab indicates that it is part of workgroup SBS, and not a domain. There aren't really any users or profiles on the desktops yet, just a local admin account which would never be in ADS and would not be used to access domain resources.

It's obvious that this is not "true" AD behavior. All I want to know is what's different, and will I be able to do what I outlined in my initial post. If not, I'll cut bait and just set up a real ADS, but boss won't like having to spend several $$$ more for this..

The RS seemed to indicate that it had created a domain sbs.net, but also indicated that it was in the workgroup "SBS". Not sure where that came from. AFAIK the DNS stuff was done automatically, though I haven't looked at it.

Nothing is working correctly. Note: by correctly I mean "as I imagined it would, having over a decade of M$ AD management experience". The problem could be my expectations are completely wrong.

Pete

sieberta
Knowledgeable
Posts: 304
Joined: Sun Feb 22, 2015 2:59 pm

Re: Ditching Windows Active Directory for Synology Active Directory

Unread post by sieberta » Sat Jun 03, 2017 1:44 am

On phone, so this will be quick. Problem is DNS. Your computers aren't finding the Active Directory because their DNS source doesn't know about it.

Try setting one of them to static DNS to your RS and then join it to the domain. It should work. You can figure out the rest of the network architecture after this test works.
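The DNS point sieberta makes twice in this thread (point the clients only at the RS for DNS, never at the router or a public resolver as a second entry; if the join says no AD server was found, the client's DNS does not know the AD zone) can be checked on a Windows client before attempting the join. The script below is an added example, not something posted in the thread; the realm `valhalla.local` and DC address `192.168.1.114` are taken from the thread's own examples and are placeholders for your values.

```powershell
# Added example: pre-join DNS check for a Windows client against a Samba/Synology AD DC.
# The realm and DC IP below are placeholders taken from this thread; replace with your own.
param(
    [string]$Realm = 'valhalla.local',   # AD DNS domain created on the NAS (placeholder)
    [string]$DcIp  = '192.168.1.114'     # NAS / DC address (placeholder, from the thread)
)

$ok = $true

# 1) Every adapter with DNS configured should point ONLY at the DC. A second entry
#    (router or public resolver) is what the thread warns against: Windows may ask
#    that server, get no answer for the AD zone, and report "no AD server found".
$servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 }
foreach ($s in $servers) {
    foreach ($addr in $s.ServerAddresses) {
        if ($addr -ne $DcIp) {
            Write-Warning "$($s.InterfaceAlias): DNS server $addr is not the DC ($DcIp)"
            $ok = $false
        }
    }
}

# 2) Domain join and Kerberos logon locate a DC through these SRV records, which
#    the DC publishes in the realm's DNS zone. Query the DC directly so the result
#    is independent of whatever DNS the adapter currently uses.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$Realm",
    "_kerberos._tcp.$Realm"
)
foreach ($name in $srvNames) {
    try {
        $records = Resolve-DnsName -Name $name -Type SRV -Server $DcIp -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' }
        foreach ($r in $records) {
            Write-Host ("{0} -> {1}:{2} (priority {3})" -f $name, $r.NameTarget, $r.Port, $r.Priority)
        }
        if (-not $records) {
            Write-Warning "$name returned no SRV records from $DcIp"
            $ok = $false
        }
    } catch {
        Write-Warning "$name did not resolve via $DcIp : $($_.Exception.Message)"
        $ok = $false
    }
}

if ($ok) {
    Write-Host "DNS prerequisites look good; the client should locate the DC when joining $Realm."
} else {
    Write-Host "Fix the warnings above before attempting the domain join."
}
```

If the SRV queries succeed against the DC but the adapter check warns, the failure is exactly the one described in the thread: the client is asking a resolver that does not know the AD zone.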

pwason
I'm New!
Posts: 4
Joined: Fri Jun 02, 2017 5:28 pm

Re: Ditching Windows Active Directory for Synology Active Directory

Unread post by pwason » Sat Jun 03, 2017 2:02 am

OK, I'll try that. Thanks :)

sieberta
Knowledgeable
Posts: 304
Joined: Sun Feb 22, 2015 2:59 pm

Re: Ditching Windows Active Directory for Synology Active Directory

Unread post by sieberta » Sat Jun 03, 2017 2:39 am

Also, as far as I know, a public domain that you don't control could be OK... but could cause issues if someone actually wants to access that domain (the real one) from inside your network. I see no reason not to use something.local.

In response to your DHCP question from earlier: on the LAN side of the router, I have a hard coded internal IP, which is used as the default gateway on all devices. Then the NAS also has a hard coded IP.

But bad things happen if two DHCP servers are running on the same subnet at the same time.

I've had all computers on the domain for 2 days and so far so good... running just like a Windows 2008 domain, although I have one laptop dropping share connections a few times today. Not sure yet what is up there.

sieberta

sieberta
Knowledgeable
Posts: 304
Joined: Sun Feb 22, 2015 2:59 pm

Update: Two Lingering Issues

Unread post by sieberta » Mon Jun 05, 2017 5:35 pm

I have two lingering issues with this migration:

1) Windows 10 machines are losing connection to the NAS periodically (not at the same time).
I think I've identified this as bad group policy on my part, using "replace" instead of "update" or "create". I've changed the drive maps to "create" and hopefully this will resolve the issue.
2) Windows 10 machines are not getting time updates from the NAS. They say time data isn't available from <servername>.<domainname>.<local>
This hasn't resulted in any issues yet, but I'm sure it will, so I'm researching as we speak.

sieberta

sieberta
Knowledgeable
Posts: 304
Joined: Sun Feb 22, 2015 2:59 pm

Re: Ditching Windows Active Directory for Synology Active Directory

Unread post by sieberta » Mon Jun 05, 2017 5:53 pm

Ok, so when I try to do a w32tm /resync, I get an error message that "no time data was available".

I tried w32tm /stripchart /computer:<ipv4addr> and got all errors.

I disabled the NTP service via the checkbox in control panel, then tested, still got all errors. I reenabled it, and now I get a proper stripchart, but w32tm /resync still fails with the same error.

I should mention the firewall is currently disabled...

sieberta

edanto
Student
Posts: 70
Joined: Tue Oct 06, 2015 9:50 pm

Re: Ditching Windows Active Directory for Synology Active Directory

Unread post by edanto » Tue Jun 06, 2017 10:29 pm

Very interesting thread sieberta; I didn't realise how possible this approach was. Well done for getting so far with it.

I can't offer any suggestions on your w32tm or losing mapped drives problems, but I'm curious to know how you get on with them.

What are you using as a VPN client; is it the Synology client?
Watch out; the forum won't email you by default when someone replies!

Fix this: Click User Control Panel near the top-right, click the Board preferences tab, click Edit posting defaults, change "Notify me upon replies by default" from the default of No to Yes, click Submit.

To ask the admins to change this default setting, find the thread in Feature Requests & Product Improvement Suggestions forum (not allowed to include a link here).
