Synology NAS as an Active Directory Domain Controller


Unread post by MrAsker42 » Fri Oct 30, 2015 3:47 pm

Is there a way to have a Synology NAS be a backup Active Directory Domain Controller? I know the NAS can be a member of an AD, but can it also be a DC in that AD?

We have a number of smaller remote offices and we plan to have one Synology NAS per remote office. We do not want to put a complete Windows server on every site, not only for the cost issue. But we want to provide access to e.g. files from the HQ, so we will use the BitTorrent Sync client to sync files and then provide access to the files via the AD's user groups. This setup is very cost effective compared to one Windows Server per site.

However, the access to the AD from our test site over a VPN connection is very very very slow, almost to the point of making it unusable, so if we could get the remote office to have a local read-only copy of the AD, we think this would make it usable.

So, any suggestions? Any ideas?

Thank you in advance


Unread post by moch » Tue Nov 03, 2015 2:44 pm

Hi,

The tools (samba-tool) to become an AD controller are available. Just follow the Samba 4.x AD DC instructions from samba.org.

I doubt that this is supported, so you could install the Samba AD controller within Docker. I suggest using Arch Linux.

Next solution: get a Raspberry Pi 2, install Arch Linux and Samba 4.3 and use it as your DC. That is what I have done.

Use QNAP instead of Synology. Since 4.2 they support Samba AD DC directly.

In fact I would prefer a solution that officially supports Samba AD DC natively on DiskStation, but Synology marketing seems to be more interested in multimedia than in SMB companies that definitely need this feature.


Unread post by MrAsker42 » Wed Nov 04, 2015 9:54 am

Hi,

Thank you for your quick reply.

So you are saying that I might be able to, within Docker (whose existence was news to me), install *nix and then within this run samba-tool to make the NAS into an AD DC? If that works it would be a very cool solution. Have you done this yourself? If so, anything I need to be aware of before I start testing it?

Setting up a rPi is definitely an option, but we'd prefer to not ship a bunch of HW to every remote office. Our plan is to basically pre-configure a WatchGuard FW and Synology NAS at the HQ and then ship this to a new (home) office. Plugging in these two boxes and their cabling and getting it all to work is probably going to be enough of a challenge for some of the employees. :)

Unless we can figure out a nice way to physically include the rPi on or in the NAS or FW.

However, I do agree that if Synology could create an AD DC package I would prefer it. It would not have to do much, just sync to the other DCs, authenticate users, respond to ACL questions and provide LDAP support. That would be all we need. It could even be a RO DC, if that is even possible.


Unread post by moch » Wed Nov 04, 2015 1:20 pm

Hi,

Docker is not so easy. You have to work mostly from the command line. I had a Samba AD DC image running; I even succeeded in auto-starting it after sleep.

Finally I decided it is cheaper to use the rPi2. Besides the AD DC function it could fulfil other tasks that are not available on the DiskStation.

If I think that Docker is not available on all DS, what is the difference to ship 3 boxes instead of 2? Also, if you intend to update something for the rPi2 that is not remotely possible, you only have to ship an SD card.

Oh, just another idea! I think it would be possible to install a second instance of Samba on the DiskStation. Put the files in e.g. /opt/samba ... and then create a RO DC. Just listen on different network ports. A production DS should have at least 2 network ports. https://wiki.samba.org/index.php/Multip ... _Instances


Unread post by jcwild » Sat Aug 06, 2016 9:23 am

I really can't understand why there isn't more demand for Synology to act as a Domain Controller. It's already running Samba to serve out the file shares - it would be trivial for them to support the ADDC options. Perhaps they feel they would need to add a front end to this, however it wouldn't be necessary as this can be done from remote machines.


Unread post by syno.dustin » Mon Aug 08, 2016 6:52 pm

jcwild wrote:I really can't understand why there isn't more demand for Synology to act as a Domain Controller. It's already running Samba to serve out the file shares - it would be trivial for them to support the ADDC options. Perhaps they feel they would need to add a front end to this, however it wouldn't be necessary as this can be done from remote machines.
There's some demand but it seems people already have these environments setup and the NAS is just one piece. It would be trivial to add the options, sure, but it wouldn't be trivial to make sure they work consistently and make them fit into the GUI and the OS as a whole. I wonder if we'll see this in 6.1. Would be nice.
If you need technical support please use this form: https://account.synology.com/support/support_form.php
Synology does not consistently browse this forum for technical support, feature requests, or any other inquiries as it notes at the top of the page. Please use the proper channels when you need help from someone at Synology.


Unread post by jcwild » Tue Sep 27, 2016 10:50 am

I've tried installing Docker, and the image at https://hub.docker.com/r/pitkley/samba-ad-dc/. The container seems to be up and running. But what I can't figure out is how to make this accessible externally on the network. It seems Docker containers are designed to work as entities within the host machine, but not really as services outwith. I can't see how I can set this container up to be an Active Directory controller visible on the network without redirecting all ports on the container to ports on the host machine (the Synology NAS).

Has anyone got this working?


Unread post by pgreslin » Fri Nov 04, 2016 1:34 pm

Active Directory Server is officially announced in DSM 6.1 with Samba 4.4:
https://www.synology.com/en-global/beta/2017_DSM61Beta

Finally I will soon be able to get rid of my old Windows 2003 server :D
DS415+, 8GB Ram, 4 x WD40EFRX (btrfs, Raid 5)


Unread post by delianmc » Wed Nov 23, 2016 5:36 am

Using DSM 6.0.2-8451 Update 4 I tried to generate a DC using samba-tool; it was complaining about a missing folder, so I only created the requested folder "/var/packages/ADServer/target/private".

Then I renamed /etc/samba/smb.conf to /etc/samba/smb.conf.bak

I invoked samba-tool as I already used it in the past with an Ubuntu server, like this: samba-tool domain provision --interactive

Then I linked the generated Kerberos configuration file in /etc by doing this: ln -sf /var/packages/ADServer/target/private/krb5.conf /etc/krb5.conf

The whole process completed as it did on my Linux system.

I did a restart of smbd; everything is running but the Samba / AD integrated DNS isn't responding. I guess some parts of the samba daemon were disabled by Synology.


Unread post by delianmc » Fri Mar 03, 2017 7:59 am

THIS SOLUTION HAD TOO MANY ISSUES; LOOK AT THE NEXT SOLUTION A LITTLE FURTHER DOWN IN THIS THREAD INSTEAD


Ok here is my final solution.

It seems to be working enough for me at this point.

First make sure your Synology is configured with a static IP, you have the SSH enabled and you have DSM 6.1 or later installed.

Then from an SSH console do the following.

Code:

sudo mkdir -p /var/packages/ActiveDirectoryServer/target/private
In the next code section we will do the following:
  • In the first line we remove the existing Samba configuration (not the share) while keeping a backup of the old one.
  • In the second line we interactively generate the domain and domain controller configuration.
  • In the third line we link the Kerberos configuration generated by the domain configuration.

Code:

sudo mv /etc/samba/smb.conf  /etc/samba/smb.conf.bak
sudo samba-tool domain provision --interactive
sudo  ln -sf /var/packages/ActiveDirectoryServer/target/private/krb5.conf /etc/krb5.conf
Then we need to make a backup copy of the file /etc/init/smbd.conf before inserting the following lines:

Code:

	if [ "active directory domain controller" = "${SERVER_ROLE}" ] && ! pidof samba ; then
		/usr/bin/samba -D
	fi
just after the line

Code:

	SERVER_ROLE=$(synogetkeyvalue /etc/samba/smb.conf "server role")
Make sure your IP configuration is set to use itself as the DNS server.

Then we restart the service by doing

Code:

sudo stop smbd
sudo start smbd

Then your domain should be working.

Note: to add domain users you must use the SSH console with samba-tool, or Active Directory Users and Computers from a domain member computer on Windows.
The DSM web interface will not work to manage Active Directory users or groups, but you will be able to assign permissions on shared volumes to domain users or groups.

The easiest way to manage your domain is to install the RSAT (Remote Server Administration Tools) from the official Microsoft download site on a Windows Vista or later domain member computer, or from a domain member Windows 2008 or later server. samba-tool allows you to do most of the DNS or user management but it is far from intuitive, and sometimes you have to use other tools to access the Active Directory configuration, such as pdbedit, which I am not even sure are available on DSM.
Last edited by delianmc on Tue Mar 07, 2017 5:42 am, edited 1 time in total.


Unread post by delianmc » Tue Mar 07, 2017 5:33 am

Hi again,

After trial and error I discovered that the previous method has some limitations (to restart Samba you had to reboot the system or kill the samba, smbd, nmbd and winbind processes).

So here is my latest and probably last version. It is based on a combination of smbd.conf and a very stripped-down version of the pkg-ActiveDirectoryServer.conf from a NAS supporting Active Directory.

Here are some limitations. This has only been tested on DSM 6.1. Once the NAS has become a domain controller it should never change name. The IP can be changed but you have to run "samba_dnsupdate" from a console. This solution doesn't support the BIND9 DNS server provided as a package by Synology but rather the integrated DNS server from Samba. So if you use the DNS server from Synology you must bind it to a different IP or interface than the one of Samba, or simply disable it. Unlike with the Synology AD Server package there is no extra replication mechanism for the "sysvol" share that contains the Group Policies (Samba doesn't support it yet). However, the Active Directory itself (users, groups, computers and OUs) replicates properly. The ACLs on the share seem to be at odds between "File Station" and the domain member. Groups and permissions don't map properly in File Station but are OK on the share.

This was done as a personal challenge. I just wanted my NAS to have an Active Directory for my home computers. So I can't guarantee that this won't have bugs nor cause harm to your NAS. I can however guarantee I wouldn't use it on a medium or large scale domain or in a mission critical environment. Even Synology has marked their AD package as beta so...

Anyway I tried it on 3 different NAS and had some fun. I now have a working domain at home.

That being said, here is how I did it:

Log on through SSH to your NAS. Then create the script named samba-ad-dc.conf in /etc/init.
Here is the content of the script:

Code:

# Put this script in /etc/init/samba-ad-dc.conf
# Do a chmod a+rx /etc/init/samba-ad-dc.conf
# The script will automatically create the missing folder on start.
# The script will also automatically link the Kerberos configuration on start.
# Once the NAS has become an Active Directory domain controller it shouldn't
# change name.
# If the IP is changed you will need to run the samba_dnsupdate command.

description "SAMBA AD Domain Controller"

author "Derived from other scripts from the Network Infrastructure Team"

start on syno.network.ready
stop on runlevel [06]

console log
expect fork
respawn
respawn limit 5 10

pre-start script
    PKG_PRIVATE="/var/packages/ActiveDirectoryServer/target/private"
    if [ ! -d "${PKG_PRIVATE}" ]; then
        echo "Creating the folder ${PKG_PRIVATE}"
        mkdir -p "${PKG_PRIVATE}"
    fi

    # Only start when smb.conf was provisioned as a DC; otherwise stop the job cleanly.
    SERVER_ROLE=$(synogetkeyvalue /etc/samba/smb.conf "server role")
    if [ "active directory domain controller" != "${SERVER_ROLE}" ]; then
        echo "Active Directory not configured. Won't start"
        stop; exit 0
    else
        # Relink the Kerberos config generated by samba-tool domain provision.
        ln -sf "${PKG_PRIVATE}/krb5.conf" /etc/krb5.conf
    fi

    if pidof samba > /dev/null; then
        echo "samba is running"
        stop; exit 0
    fi

    if [ ! -d /run/samba ]; then
        mkdir -p /run/samba
    fi

    # Remove a stale pid file left by an unclean shutdown.
    rm -f /run/samba/samba.pid
end script

# samba daemonizes on its own (see "expect fork" above).
exec /usr/bin/samba

post-start script
    PKG_PRIVATE="/var/packages/ActiveDirectoryServer/target/private"

    # Restore the user-home setting saved on the last stop, if DSM has user homes enabled.
    if [ -f "${PKG_PRIVATE}/synoinfo.conf" ] && [ "yes" = "$(synogetkeyvalue /etc/synoinfo.conf userHomeEnable)" ]; then
        synosetkeyvalue /etc/synoinfo.conf enableduserhome "$(synogetkeyvalue "${PKG_PRIVATE}/synoinfo.conf" enableduserhome)"
    fi

    # Reset the sysvol ACLs to what the provisioning expects.
    samba-tool ntacl sysvolreset
end script

pre-stop script
    SERVER_ROLE=$(synogetkeyvalue /etc/samba/smb.conf "server role")
    if [ "active directory domain controller" != "${SERVER_ROLE}" ]; then
        echo "Active Directory not configured. Won't stop"
        stop; exit 0
    fi

    if ! pidof samba > /dev/null; then
        echo "samba is not running"
        stop; exit 0
    fi
end script

post-stop script
    PKG_PRIVATE="/var/packages/ActiveDirectoryServer/target/private"

    # Keep a copy of the live configuration next to the provisioned data.
    cp -f /etc/samba/smb.conf "${PKG_PRIVATE}/smb.conf"
    cp -f /etc/synoinfo.conf "${PKG_PRIVATE}/synoinfo.conf"

    # Drop DSM's cached domain user/group databases so they are rebuilt on the next start.
    # Written without brace expansion so it also works when /bin/sh is not bash.
    for kind in user group; do
        rm -f "/usr/syno/etc/private/.db.domain_${kind}"
        for db in /usr/syno/etc/private/.db.domain_${kind}_full.*; do
            [ -e "$db" ] || [ -L "$db" ] || continue
            target=$(realpath "$db" 2>/dev/null) && rm -f "$target"
            rm -f "$db"
        done
    done
end script

# vim: set ft=upstart:


Then change the permission on the file and run it once so it will create the missing folder for the domain provisioning

Code:

sudo chmod a+rx /etc/init/samba-ad-dc.conf
sudo start samba-ad-dc
Through the DSM web interface, configure the network interface of the NAS to use a static IP and to point to its own IP for its DNS server and for the preferred DNS under the General tab.

From an SSH console, make a backup of your SAMBA configuration while removing the original config by doing

Code:

sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.bak
Then perform the domain provisioning (create your domain) by typing the following command.

Code:

sudo samba-tool domain provision --interactive
You will be asked for the following:
Realm: [the fully qualified domain name]
Domain: [the NetBIOS domain name]
Server Role: [keep the default (dc) by pressing Enter]
DNS backend: [keep the default (SAMBA_INTERNAL) by pressing Enter]
DNS forwarder: [set your external DNS forwarder, if any]
Administrator password: [password of the built-in domain admin]

Then run the startup script again by typing

Code:

sudo stop smbd
sudo stop nmbd
sudo start samba-ad-dc

Look at the logs in /var/log/samba/ to make sure everything is fine. In log.nmbd the service may complain but it should be okay. I was too lazy to disable the standalone nmbd.

To be able to assign permissions for domain users or groups on your shares you must first go to "Control Panel" > "Domain/LDAP" and update the domain users list.

You should now be up and running!

To manage your Active Directory and DNS, install the Remote Server Administration Tools (RSAT) on a Windows workstation (can be downloaded from download.microsoft.com) or activate the features on a Windows Server.
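A post-provisioning health check, as an added example that is not part of delianmc's instructions (it applies equally to the earlier smbd.conf variant of the procedure above). It reads "server role" and "realm" from smb.conf with a portable awk stand-in for the synogetkeyvalue lookup the Upstart job relies on, then checks the SRV records a domain member resolves to find a DC against Samba's internal DNS, runs samba-tool dbcheck, and runs samba-tool ntacl sysvolcheck, the read-only counterpart of the sysvolreset the job calls. The sample realm HOME.LAN, the smb.conf in the test, and the presence of awk, host and samba-tool on the NAS are assumptions; the script is mine, not delianmc's or Samba's.

```sh
#!/bin/sh
# Added example: health check for a freshly provisioned Samba AD DC on DSM.
# Not part of the forum posts. Assumes awk, host and samba-tool are on PATH and
# that Samba's internal DNS answers on 127.0.0.1 (DSM pointed at itself for DNS).

# smbconf_get FILE KEY: print the value of KEY from the [global] section,
# case-insensitive on the key, ignoring comment lines. Portable stand-in for
# "synogetkeyvalue /etc/samba/smb.conf KEY" as used by the Upstart job.
smbconf_get() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { insec = (tolower($0) ~ /^[ \t]*\[global\][ \t]*$/); next }
        insec && index($0, "=") {
            p = index($0, "=")
            k = substr($0, 1, p - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = substr($0, p + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# dc_srv_records REALM: the SRV names a Windows client resolves to locate a DC.
# Missing records are the usual reason a join or logon fails even though samba
# is running (the "integrated DNS isn't responding" symptom earlier in the thread).
dc_srv_records() {
    realm=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    printf '%s\n' \
        "_ldap._tcp.$realm" \
        "_kerberos._tcp.$realm" \
        "_kerberos._udp.$realm" \
        "_ldap._tcp.dc._msdcs.$realm"
}

# check_dc CONF: run the live checks against the running DC; return 1 on the
# first failure so it can be used from cron or a post-start hook.
check_dc() {
    role=$(smbconf_get "$1" "server role")
    realm=$(smbconf_get "$1" realm)
    if [ "$role" != "active directory domain controller" ]; then
        echo "not provisioned as a DC (server role = '$role')" >&2
        return 1
    fi
    for rr in $(dc_srv_records "$realm"); do
        host -t SRV "$rr" 127.0.0.1 >/dev/null 2>&1 || { echo "no SRV record $rr" >&2; return 1; }
    done
    # Consistency of the AD database across all naming contexts.
    samba-tool dbcheck --cross-ncs >/dev/null || { echo "dbcheck failed" >&2; return 1; }
    # Read-only ACL check: fails when sysvol is owned by the wrong user, i.e.
    # before Group Policy silently stops applying.
    samba-tool ntacl sysvolcheck >/dev/null || {
        echo "sysvol ACLs are wrong; try: samba-tool ntacl sysvolreset" >&2
        return 1
    }
    echo "DC for $realm looks healthy"
}

# Run only when a config path is given, e.g.: sh dc-check.sh /etc/samba/smb.conf
if [ $# -gt 0 ]; then
    check_dc "$1"
fi
```

Run it from the SSH console after the "start samba-ad-dc" step; a non-zero exit names the first failing check, which is the thing to fix before touching RSAT.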


Unread post by dikkydik » Wed May 10, 2017 7:06 pm

Good evening,

First, thank you for the script (and work) Delianmc.
I did all your post described and the domain is running.

Only one issue that I am not able to resolve, after googling samba, synology, etc.:

The SysVol is not ready. This can cause the DC to not advertise itself as a DC for netlogon after dcpromo. Also trouble with FRS SysVol replication can cause Group Policy problems. Check the FRS event log on this DC.
In short, I do not have permissions to write to it, so no group policies.

I figured out that the only user that has rights is 'root'.
Google suggestions say that a: samba-tool ntacl sysvolreset
could resolve this. In my case, it doesn't work:

Code:

set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_ACCESS_DENIED.
ERROR(runtime): uncaught exception - (-1073741790, 'Access denied')
  File "/usr/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 239, in run
    lp, use_ntvfs=use_ntvfs)
  File "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", line 1636, in setsysvolacl
    service=SYSVOL_SERVICE)
  File "/usr/lib/python2.7/site-packages/samba/ntacls.py", line 114, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)

Tried a lot (mostly Windows logic, combined with googled Linux alternatives), but I'm stuck and out of thoughts.

Hope you have a pointer for me?


Unread post by ptolomeoo » Tue May 15, 2018 9:01 am

delianmc wrote:
Tue Mar 07, 2017 5:33 am
Hi again,

After trial and error I discovered that the previous method has some limitations (to restart Samba you had to reboot the system or kill the samba, smbd, nmbd and winbind processes).

So here is my latest and probably last version. It is based on a combination of smbd.conf and a very stripped-down version of the pkg-ActiveDirectoryServer.conf from a NAS supporting Active Directory.
Hello,

first of all, thank you very much for your instructions, they were very helpful and I could install the Active Directory in my DS415Play.

I followed the instructions and it works as I can now add computers to my domain, and manage users using RSAT tools from a computer (in my domain).

However, I cannot manage these newly created users.

When I enter Control Panel > Domain/LDAP > Users, I always get the "Failed to load the user data" error.

I've googled around but haven't found anything that could help me at this point and I'm stuck.

Can anybody give me a hint on what to try to do to fix this error?

Thanks in advance.
