Synology Active Directory Server Setup Guide (& Tips & Tricks)

All questions regarding Synology's Directory Server package can go here
sieberta
Knowledgeable
Posts: 304
Joined: Sun Feb 22, 2015 2:59 pm

Re: Synology Active Directory Server Setup Guide (& Tips & Tricks)

Unread post by sieberta » Fri May 18, 2018 3:15 pm

Without knowing more information, it is hard to provide direction... Googling your error message related to samba may help?

I would look hard at the DNS configuration settings on your client using IPCONFIG /ALL and possibly NSLOOKUP.

I would also ensure the user you're trying to use to join to the domain has adequate permissions.

Beyond that, lots and lots of screenshots of your client network configuration, domain join screens, and your server domain configuration would be helpful. That said, if you black out everything you might want to for security purposes, it will be the same information we really need.

sieberta
---------
Devices: DS415+ (2014), DS216+II (2016), DS916+ (2017)
Applications: Active Directory Server, Antivirus by McAfee, Cloud Station Server, Cloud Sync, CMS, DNS Server, DHCP Server, Hyper Backup, Hyper Backup Vault, SMB/CIFS, SFTP, Snapshot Replication, Storage Analyzer, VPN Server, WebDAV Server

ZidanSilverlane
I'm New!
Posts: 5
Joined: Sat May 19, 2018 3:07 am

Re: Synology Active Directory Server Setup Guide (& Tips & Tricks)

Unread post by ZidanSilverlane » Sat May 19, 2018 3:15 am

Before anything, I would like to offer my respect and enormous gratitude to Sieberta. Your guide was thorough and complete. Of course one would need to be at least just one level above a noob to understand it, but anyone that has actually landed on this post is most likely at that level.

Again, thank you; this guide is worth money.


Tim, I think I had a similar problem. Did you try changing your DNS preferences in your adapter settings? Point it to your NAS.

Now, I do have one question:

Is it normal that when I apply a policy, I run GPUPDATE /ALL, log out from the administrator account, log back in with a test account, the policies have not yet been applied? Only after a while do the policies seem to take effect. Is this normal or have I made a mistake somewhere?
All of this is being tested in a VirtualBox environment: a virtual machine is holding the RSAT, joined to the domain, I log in with administrator, apply settings, gpupdate, log out and log back in with a test account.

ZidanSilverlane
I'm New!
Posts: 5
Joined: Sat May 19, 2018 3:07 am

Re: Synology Active Directory Server Setup Guide (& Tips & Tricks)

Unread post by ZidanSilverlane » Sat May 19, 2018 3:18 am

I would like to add that while testing this system, on a VirtualBox running on a host connected to the WiFi using a WiFi USB adapter, applying policies and updating was rather problematic. It would sometimes not find the domain. I ran a wire from the router to the host PC: problem solved.

I mention this because while testing one might assume that the system is flawed and abandon the project in mind. But knowing that with an ethernet cable the problem is solved, the project can still be developed. Hope it helps anyone.

sieberta
Knowledgeable
Posts: 304
Joined: Sun Feb 22, 2015 2:59 pm

Re: Synology Active Directory Server Setup Guide (& Tips & Tricks)

Unread post by sieberta » Sat May 19, 2018 12:05 pm

ZidanSilverlane wrote:
Sat May 19, 2018 3:15 am
Before anything, I would like to offer my respect and enormous gratitude to Sieberta. Your guide was thorough and complete. Of course one would need to be at least just one level above a noob to understand it, but anyone that has actually landed on this post is most likely at that level.

Again, thank you; this guide is worth money.


Tim, I think I had a similar problem. Did you try changing your DNS preferences in your adapter settings? Point it to your NAS.

Now, I do have one question:

Is it normal that when I apply a policy, I run GPUPDATE /ALL, log out from the administrator account, log back in with a test account, the policies have not yet been applied? Only after a while do the policies seem to take effect. Is this normal or have I made a mistake somewhere?
All of this is being tested in a VirtualBox environment: a virtual machine is holding the RSAT, joined to the domain, I log in with administrator, apply settings, gpupdate, log out and log back in with a test account.

Yes and no. It is appropriate for what you're doing, but not for what you could be doing.

Don't use an administrator account to do a GPUPDATE, use the user account. There is no real reason to use an administrator account that I am aware of. Most policies you'll probably leave set up to 'run in the logged-in user's security context', which is appropriate for the actual user, not the admin.

That said, I learned that you must run the command prompt with elevated privileges when doing a GPUPDATE. It will claim it completes successfully, but some of the policies are not applied.

Lastly, I only do GPUPDATE when testing policies. I let them auto-propagate under standard deployment conditions.

Thanks for all of the kind praise. I would mention, at least as it relates to Active Directory, I really am only that one step above a noob that you indicated one needs to be to understand the guide... I've learned a lot through my deployment of SAD and others' posts here since I created that How-To post.

The power of community...


mikehansen1
I'm New!
Posts: 5
Joined: Wed Nov 05, 2014 3:45 am

Re: Synology Active Directory Server Setup Guide (& Tips & Tricks)

Unread post by mikehansen1 » Mon May 21, 2018 10:01 am

Trt681977 wrote:
Thu May 17, 2018 9:14 pm
Hi,
Great article, but I cannot get it to work. I have a DS216+II, I have followed your guide and when I try to join the domain from my Windows 10 Pro laptop, I get the following error:

"The following error occurred attempting to join the domain "TESTDOMAIN"

The network path was not found."


Any help would be appreciated.

Thanks in advance,
Tim

Normally a domain name has two parts, e.g., TESTDOMAIN.LOCAL

Once upon a time, this was an MS recommendation, but they started enforcing it some years ago.

naver
Trainee
Posts: 11
Joined: Thu Nov 30, 2017 5:17 pm

Re: Synology Active Directory Server Setup Guide (& Tips & Tricks)

Unread post by naver » Mon May 21, 2018 11:46 am

I have now done a couple of successful migrations to Synology AD and I would like to echo the above praise of sieberta, the guide has been very helpful.

I am not sure if it is a limitation of Samba or the DiskStation, but I would love it if a future update allowed the DiskStation to replicate with another DC. It would have been a lot less painful to replicate from the existing older setup in a domain trust rather than recreating the users, permissions etc. from scratch. Allowing AD replication would also make it easier if in another 10 years' time we need to take the AD off of the DiskStation.

As a workaround for this, we used robocopy to copy the existing shares to the DiskStation, and ForensIT to migrate the profiles. I also found it useful to set up a conditional DNS forwarding rule to the new domain in the existing Windows DNS server until we were ready to change over DHCP. This means you don't have to manually change the DNS on each PC being migrated over.

bamus
Trainee
Posts: 10
Joined: Mon Oct 03, 2016 9:16 am

Re: Synology Active Directory Server Setup Guide (& Tips & Tricks)

Unread post by bamus » Thu Jun 07, 2018 8:20 am

I was wondering if anyone has this issue:

I have an ADS active at one location, so no other opportunities to test. But on this network the AD console (RSAT on a W10 Pro station) is extremely slow. When I drill down in the tree pane on the left it takes up to 2 minutes to open each new node, the console goes into a "not responding" state, but eventually it all works.

It takes a while to add new Group Policies this way, but since I never saw anyone else complain about it, it must be my setup. I checked DNS settings, as I thought this would be the logical cause, but everything is set up as recommended.

Anyone have any ideas?

sieberta
Knowledgeable
Posts: 304
Joined: Sun Feb 22, 2015 2:59 pm

Re: Synology Active Directory Server Setup Guide (& Tips & Tricks)

Unread post by sieberta » Thu Jun 07, 2018 12:34 pm

I do not have this issue. How many users/computers/group policies do you have?

I have about 12 users, 20 computers, and 10 group policies...


bamus
Trainee
Posts: 10
Joined: Mon Oct 03, 2016 9:16 am

Re: Synology Active Directory Server Setup Guide (& Tips & Tricks)

Unread post by bamus » Tue Jun 12, 2018 3:42 pm

I have 19 computers, about 25 users (lots of movement, roaming profiles) and 2 group policies.
Maybe it's the W10 image I deployed (still 1703). I'll be upgrading them to 1803 soon, hopefully that fixes the slowness.

bamus
Trainee
Posts: 10
Joined: Mon Oct 03, 2016 9:16 am

Re: Synology Active Directory Server Setup Guide (& Tips & Tricks)

Unread post by bamus » Tue Jun 19, 2018 5:13 pm

At one of the locations I manage that runs Synology Active Directory Server I decided to set a second, smaller, Synology up as second DNS. I used some guides I found online as this is not my area of expertise and even though it seems to be working, I wonder if anyone can check if what I did makes sense.

On second Synology:
- install the DNS package
- if you run the Synology Firewall make sure you set the rules for the DNS package
- open the DNS Server app
- Select "Zones" and then "Create" -> "Slave Zone"
- Choose "Forward Zone" from the dropdown, enter your domain name, the IP address of your primary DNS server in the "Master DNS Server" field and click "OK"

To check if all went well:
- Select your newly created entry, click on "Edit" and choose "Resource Records"
- You should see a bunch of data pulled from the primary DNS.

In the Resolution section, configure the same settings as on your Primary DNS (Enable Resolution Services, Enable Forwarders, DNS servers of choice, Forward First).

Make changes to your DHCP server: add your second DNS server's IP.
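A way to confirm that the slave zone described above actually tracks the primary, as an added example that is not part of bamus's post or of Synology's package: it compares the zone's SOA serial and the DC locator SRV records as served by each of the two DNS servers. The domain name and both server addresses are placeholders you replace with your own.

```powershell
# Added example (not from the post): compare the AD zone as served by the
# primary DNS (the Synology running Active Directory Server) and the
# secondary DNS (the second Synology holding the slave zone).
param(
    [string]$Domain       = "testdomain.local",  # placeholder: your AD domain
    [string]$PrimaryDns   = "192.0.2.10",        # placeholder: primary DNS server
    [string]$SecondaryDns = "192.0.2.11"         # placeholder: secondary DNS server
)

function Get-ZoneSerial([string]$Zone, [string]$Server) {
    # The SOA serial increases on every zone change; a secondary that has not
    # transferred the zone (or is not allowed to) shows an older serial.
    $soa = Resolve-DnsName -Name $Zone -Type SOA -Server $Server -DnsOnly -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SOA' } | Select-Object -First 1
    return [uint32]$soa.SerialNumber
}

function Get-DcLocatorTargets([string]$Zone, [string]$Server) {
    # Domain-joined clients find the DC through this SRV record, so it must be
    # identical on every DNS server the clients are handed by DHCP.
    $name = "_ldap._tcp.dc._msdcs.$Zone"
    Resolve-DnsName -Name $name -Type SRV -Server $Server -DnsOnly -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        ForEach-Object { "$($_.NameTarget):$($_.Port)" } |
        Sort-Object -Unique
}

$primarySerial   = Get-ZoneSerial $Domain $PrimaryDns
$secondarySerial = Get-ZoneSerial $Domain $SecondaryDns
"SOA serial  primary=$primarySerial  secondary=$secondarySerial"
if ($secondarySerial -ne $primarySerial) {
    Write-Warning "Secondary is behind the primary: the zone transfer has not caught up or is not permitted."
}

$p = @(Get-DcLocatorTargets $Domain $PrimaryDns)
$s = @(Get-DcLocatorTargets $Domain $SecondaryDns)
if ($p.Count -eq 0 -or $s.Count -eq 0) {
    Write-Warning "DC locator SRV record missing on at least one server (primary=$($p.Count), secondary=$($s.Count))."
} elseif (Compare-Object -ReferenceObject $p -DifferenceObject $s) {
    Write-Warning "DC locator SRV records differ between the two servers:"
    Compare-Object -ReferenceObject $p -DifferenceObject $s | Format-Table -AutoSize
} else {
    "DC locator SRV records match on both servers: $($p -join ', ')"
}
```

Run it from any domain-joined Windows machine; both checks must pass before the secondary is handed out by DHCP, otherwise clients given the secondary first may fail to find the DC.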

JR2980
I'm New!
Posts: 2
Joined: Thu Jun 28, 2018 1:31 pm

Re: Synology Active Directory Server Setup Guide (& Tips & Tricks)

Unread post by JR2980 » Thu Jun 28, 2018 2:17 pm

***Sorry that this turned into such a long post ****

Thanks for this guide - it helped me get setup without any issues!

I was able to get the AD domain setup without any issues, and joined a single workstation to the domain in order to do some testing and configure GPO's before deploying to the rest of my users.

Everything has been going ok - GPO's setup and applying correctly, but I have a couple of questions/problems....

Instead of rebuilding the domain and going through all of that, I'd like to just move everything from my isolated test VLANs to my production network configuration. I'm a bit nervous as I know that AD is tightly integrated with DNS and I'm not sure how changing IP's on the DC will work.

I did a test last night - opened up the test VLANs to my production VLANs and allowed all traffic on all ports through the firewall. I was able to ping the DC from my other workstations without any problem, but when I moved the workstation that I've been testing with from the test VLAN to my production VLAN, I lost all communication with the DC, which is really weird since other workstations in the same VLAN were able to ping the DC without any problems. There are no firewall restrictions at all between VLAN's - all traffic is allowed.

Current working setup:
DC IP: 10.10.10.2

Workstation 2 (joined to domain)
IP: 10.10.20.10
GW: 10.10.20.1
DNS: 10.10.10.2
8.8.8.8

If I leave the DC where it is and move the workstation to another VLAN, it loses all communication, even though other workstations on that new VLAN can communicate to the DC

Not working setup:
DC IP: 10.10.10.2

Workstation 2 (joined to domain) - Not able to communicate with anything on the network
IP: 10.10.30.12
GW: 10.10.30.1
DNS: 10.10.10.2
8.8.8.8

Workstation 1 (not joined to domain) - Able to communicate
IP: 10.10.30.15
GW: 10.10.30.1
DNS: 8.8.8.8


I'm guessing that this is a DNS issue - I have a basic understanding of DNS, though definitely not an expert.

Anyone have any ideas? It obviously does work across VLAN's since the current working setup is on 2 separate VLAN's, but moving the workstation to another VLAN breaks everything even though the rules managing traffic between the VLAN's are exactly the same and other devices on that VLAN can communicate with the DC without issue.

I suspect that if I remove the workstation from the domain, move it to the new VLAN, then re-join it to the domain, that it would work correctly, though I'm not particularly fond of that as a solution. I think this is related to a DNS entry for that workstation with the current IP and changing the IP is the issue, so that would mean that anytime I want to change the IP of a workstation, I would need to remove and re-join to the domain, which is nuts (what happens if a mobile client like a laptop that uses DHCP gets a different IP than the one it had when joined to the domain???).

Next issue that I have will be changing the IP Address of the DC - I'd like to move the NAS where the DC is running to my production VLAN which would mean a new IP, but if it doesn't handle domain members changing IP's, I'm really not confident that it will handle changing its own IP very well.

Seems like there may be some issues with the way that the Active Directory service on the NAS integrates with the DNS service and that it's not updating records correctly.


What say you - the expert(s) on this? :)



*** Again - sorry this ended up being so long, and congratulations to anyone that actually manages to read through the whole thing! lol


Thanks!
JR

sieberta
Knowledgeable
Posts: 304
Joined: Sun Feb 22, 2015 2:59 pm

Re: Synology Active Directory Server Setup Guide (& Tips & Tricks)

Unread post by sieberta » Thu Jun 28, 2018 5:19 pm

1) It is my understanding that you shouldn't use an off-domain DNS server in your list, because they aren't really preferred in order, it is fastest response. So if, for some reason, 8.8.8.8 responds faster than your DC there could be issues.
2) When you say Workstation 2 is unable to communicate to anything on the network, what does this mean. Can it ping resources on the network? Can it ping out to the internet? Is it just DNS resolution that is an issue?
3) I have some serious concerns about changing the IP address of your DC. It MIGHT work, if you update all of the hard-coded locations, including in Control Panel (Domain setup, which requires unjoining/rejoining the domain, it appears to me, and I'm not sure what will happen) and DNS configuration... but I'm not confident in this at all.
4) I agree DNS updates do not work correctly. I get lots of errors on the DNS server and clients... when you've hard-coded entries, they do seem to respond correctly, but updates seem to be a problem. For me, restarting the DNS server (which requires restarting the Active Directory Server) seems to resolve issues temporarily/sort of.
5) I've never tried restoring the Active Directory configuration from Hyper Backup. But I recommend having a backup before you start playing, and I also wonder, if you back up AD, clear it from the unit, change the IP of the unit, and then restore AD, whether it might use the correct/new IP address? That is a wild guess, but an idea nonetheless.

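A client-side check for the DNS points sieberta makes in this reply (point 1: an off-domain resolver such as 8.8.8.8 beside the DC) and in the earlier one (look hard at the client's DNS settings with IPCONFIG /ALL and NSLOOKUP), as an added example that is not from the guide or from Synology: it asks every DNS server configured on the Windows client for the domain's DC locator SRV record and flags any server that cannot answer. The domain name is a placeholder.

```powershell
# Added example (not from the guide): on the domain-joined Windows client,
# query each configured DNS server for the DC locator SRV record. A public
# resolver answers NXDOMAIN for a private AD domain, and the client treats a
# negative answer as final rather than asking the next server, so such a
# resolver must not be in the list at all.
param(
    [string]$Domain = "testdomain.local"   # placeholder: your AD domain
)

$srvName = "_ldap._tcp.dc._msdcs.$Domain"

# Every IPv4 DNS server on every interface (what IPCONFIG /ALL shows), de-duplicated.
$servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    ForEach-Object { $_.ServerAddresses } |
    Sort-Object -Unique

$report = foreach ($srv in $servers) {
    try {
        $records = @(Resolve-DnsName -Name $srvName -Type SRV -Server $srv -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' })
        [pscustomobject]@{
            DnsServer      = $srv
            ResolvesDomain = ($records.Count -gt 0)
            DcTargets      = ($records.NameTarget -join ', ')
            Error          = ''
        }
    } catch {
        # Timeout, refusal or NXDOMAIN: this server cannot locate a DC for the domain.
        [pscustomobject]@{
            DnsServer      = $srv
            ResolvesDomain = $false
            DcTargets      = ''
            Error          = $_.Exception.Message
        }
    }
}

$report | Format-Table -AutoSize

$bad = @($report | Where-Object { -not $_.ResolvesDomain })
if ($bad.Count -gt 0) {
    Write-Warning ("Remove these resolvers from the client's DNS list (they cannot find a DC for ${Domain}): " +
        ($bad.DnsServer -join ', '))
} else {
    "All configured DNS servers can locate a DC for $Domain."
}
```

The DC's own DNS should be the only server on the client; give the DC's DNS Server package a forwarder for internet names instead of listing a public resolver on the client.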

JR2980
I'm New!
Posts: 2
Joined: Thu Jun 28, 2018 1:31 pm

Re: Synology Active Directory Server Setup Guide (& Tips & Tricks)

Unread post by JR2980 » Thu Jun 28, 2018 6:56 pm

Thanks for the quick response!

As I was reading, I did see the recommendation not to use an off-domain DNS server on the clients. I will be rectifying that.

Workstation 2 was completely unable to communicate with anything once I changed the IP info to put it on the new VLAN. It was really weird. Nothing worked - connection was there, but couldn't ping anything at all. I guess it could have been something unrelated to the DC and DNS since pinging an IP doesn't use DNS at all, so should have had no impact.

The more I think about it, the more I lean away from trying to change the IP of the DC - I think what I'll do is to take a backup of AD Services, and also export all of my GPO's (which is really the main thing that I don't want to lose). From there, I'll move the NAS to the VLAN where it will live permanently, re-install AD Services, and just re-import the GPO's. That's probably the safest bet.


Thanks for the info - it's nice to bounce ideas off of folks that have experience working with this. I appreciate the information.

Shadow771
Enlightened
Posts: 464
Joined: Sun Jan 28, 2018 11:48 pm
Location: the Netherlands

Re: Synology Active Directory Server Setup Guide (& Tips & Tricks)

Unread post by Shadow771 » Sun Jul 08, 2018 11:43 am

I've been googling around for a while now but I couldn't find what I was looking for. I'm also looking to set up a Synology AD environment. To explore it a bit, I first set up some virtual DSMs so I could set up and test the Synology AD environment.

Whenever setting up an AD environment, you should obviously always have at least 2 DCs. And this is where I stumbled pretty quickly.

On my second virtual DSM, I installed the 'Active Directory Server' package. But there was no way I could tell it to run as an additional domain controller... Is this truly a Synology/Samba limitation?

I don't have the finance to purchase 2 SHA capable NAS'es...
Synology DS216+II <--> Synology RT1900AC <--> <site-to-site VPN tunnel> <--> Synology RT1900AC <--> Synology DS118

sieberta
Knowledgeable
Posts: 304
Joined: Sun Feb 22, 2015 2:59 pm

Re: Synology Active Directory Server Setup Guide (& Tips & Tricks)

Unread post by sieberta » Sun Jul 08, 2018 11:24 pm

Shadow771 wrote:
Sun Jul 08, 2018 11:43 am
I've been googling around for a while now but I couldn't find what I was looking for. I'm also looking to set up a Synology AD environment. To explore it a bit, I first set up some virtual DSMs so I could set up and test the Synology AD environment.

Whenever setting up an AD environment, you should obviously always have at least 2 DCs. And this is where I stumbled pretty quickly.

On my second virtual DSM, I installed the 'Active Directory Server' package. But there was no way I could tell it to run as an additional domain controller... Is this truly a Synology/Samba limitation?

I don't have the finance to purchase 2 SHA capable NAS'es...

Yep, only one DC. It's a limitation, but probably a limitation most SMBs have with fewer than 15 domain computers/PCs anyway due to budget, even with a Windows domain. Plus, you could finance 2 SHA NAS's for less than 1 Windows Server 2016 machine...

