How do I manage Microsoft Active Directory client services on a Synology NAS?

Purpose

This article provides a brief introduction to Microsoft Active Directory Domain Services (AD DS). You will also learn how to join a Synology NAS to a domain and configure access privileges of domain users/groups to DSM resources.

Resolution

What are Active Directory Domain Services?

Microsoft Active Directory Domain Services (AD DS) is a directory service that organizes network resources within AD domains. It supports user/group management, group policies, multiple directory servers (i.e., domain controllers), Kerberos authentication, etc.

There are plenty of benefits to joining a Synology NAS to an AD domain (hereafter "domain"). For IT administrators, AD DS provides a secure and centralized platform to manage Synology NAS and other network resources. For domain users, AD DS allows them to access multiple Synology NAS using just one set of credentials.

For more information about AD DS, please refer to this article.

Join your Synology NAS to an AD domain

Join your Synology NAS to a domain

Get the login credentials of the domain admin account and follow the steps below:

  • For DSM 7
    1. Sign in to DSM using an account belonging to the administrators group.
    2. Go to Control Panel > Domain/LDAP > Domain/LDAP.
    3. Click Join.
    4. Configure the following settings and click Next:
      • Server type: Select Auto-detect or Domain.
      • Server address: Enter the name/IP address of the domain you wish to join, e.g., "SYNO.INC" or "10.17.28.174".
      • DNS server: Enter the IP address of the DNS server in your AD DS. It is recommended to use a domain controller's IP address.
    5. Configure the following settings:
      • Domain account: Enter the username of the domain administrator’s account.
      • Domain password: Enter the password of the domain administrator's account.
      • DC IP/FQDN: You can specify one or more domain controllers' (DCs) IP addresses or fully qualified domain names (FQDNs), and your Synology NAS will try to communicate with them.
    6. Click Next, and the wizard will run some checks and join your Synology NAS to the domain. When the joining process is complete, you will see the status "Connected" at the Domain/LDAP tab.
  • For DSM 6.2
    1. Sign in to DSM using an account belonging to the administrators group.
    2. Go to Control Panel > Domain/LDAP > Domain.
    3. Tick Join domain.
    4. Configure the following settings (see note 1):
      • Domain: Enter the name of the domain you wish to join, e.g., "SYNO.INC".
      • DNS Server: Enter the IP address of the DNS server in your AD DS. It is recommended to use a domain controller's IP address.
    5. Click Apply. A pop-up window will appear requesting the administrator's account and password of your AD DS for authentication. Enter your information and click Next.
    6. When the joining process is complete, you will see the status "Connected" at the Domain tab.

Check cached domain users and groups

  1. Go to Control Panel > Domain/LDAP. Check whether the domain users and groups are shown at the Domain User and Domain Group tabs respectively.
  2. Go to Control Panel > Shared Folder and select a shared folder.
  3. Click Edit > Permissions. Check if domain users and groups can be selected from the drop-down menu.

Manage access privileges to DSM resources

The following sections show you how to manage access privileges of domain users/groups to DSM resources. Before you proceed, you can refer to Help articles under the following topics, which will guide you through sharing DSM resources in detail:

Configure access permissions to shared folders

By default, domain users and groups have no access to shared folders that already existed before your Synology NAS joined the domain. To grant domain users/groups permissions to shared folders, use either of the methods below.

  • Method 1
    1. Go to Control Panel > Domain/LDAP and click the Domain User or Domain Group tabs.
    2. Select a domain user/group and click Edit > Permissions.
    3. Configure the access permissions and save the settings.
  • Method 2
    1. Go to Control Panel > Shared Folder.
    2. Select a shared folder and click Edit > Permissions.
    3. Select Domain users or Domain groups from the drop-down menu.
    4. Configure the access permissions and save the settings.

Configure access permissions to sub-folders

Permission settings at a sub-folder level allow IT administrators to have finer permission control. It is especially useful when you need to set file access permissions for a large organization. Here's a possible scenario:

Assume a sales division consists of three departments: Sales 1, Sales 2, and Sales 3. The Synology NAS admin creates the "Sales 1", "Sales 2", and "Sales 3" subfolders under the "Sales" shared folder. The admin can set access permissions for the three sub-folders separately. For instance, the Sales 1 members have read/write permissions to the "Sales 1" folder, while they may only have read-only permissions or even no access to the other folders.

To configure access permissions at a sub-folder level, please follow the steps below:

  1. Go to File Station and select a sub-folder under a shared folder, e.g., "TV show" under the shared folder "video".
  2. Right-click the sub-folder and select Properties > Permission.
  3. Click the Create button. A permission editor window will prompt you to configure the following:
    • User or group: select a domain user or group.
    • Permission: Tick the permissions you wish to assign to the domain user/group.

Access shared folders with Active Directory permissions

You can access shared folders of your Synology NAS via File Station, SMB, AFP, FTP, etc. We'll take SMB as an example in the steps below:

  1. Use a computer to connect to your Synology NAS.
  2. Double-click the shared folder you wish to access.
  3. Type the following if you are prompted to enter login credentials:
    • Username: Add your domain name and a backslash before your domain username, e.g., "syno.inc\administrator".
    • Password: Enter the password of the domain user account.

Manage home folder service

The Synology NAS admin can enable the User Home feature to have a private home folder created automatically for each domain user, accessible via various file services and packages. Only the admin and the user themselves can access these private folders.

  • To enable home folders for domain users
    1. Go to Control Panel > Domain/LDAP > Domain User, and click User Home.
    2. In the pop-up window, tick Enable home service for domain users and save the settings.
  • To access domain user's home folder (for end-users)
    1. Use a computer to connect to your Synology NAS via File Station, SMB, AFP, or FTP.
    2. Select home to access your home folder.
  • To manage domain users' home folders (for admin)
    1. Use a computer to connect to your Synology NAS via File Station, SMB, AFP, or FTP.
    2. Locate the domain users' home folders. Their paths follow this format (see notes 2 and 3):
      Folder path: \\IP address of your NAS\homes\@DH-domain's NetBIOS name\folder X\domain user-Y
      Example: \\10.17.28.174\homes\@DH-SYNO\0\administrator-500
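Because the RID suffix explained in note 3 is what keeps a re-created account out of the old account's folder, an administrator may want to list home folders whose suffix no longer matches any current account. The following Python is an added example, not Synology's code; `parse_home_path`, `find_orphaned_homes` and the "sophie" sample paths are constructed, while the administrator path is the article's own.

```python
import re

# Home folder layout shown above: \\<NAS>\homes\@DH-<NetBIOS>\<X>\<user>-<RID>
# Function names and the 'sophie' sample paths are constructed for this example.
HOME_RE = re.compile(
    r"^\\\\(?P<nas>[^\\]+)\\homes\\@DH-(?P<netbios>[^\\]+)"
    r"\\(?P<x>\d+)\\(?P<user>[^\\]+)-(?P<rid>\d+)$"
)


def parse_home_path(path):
    """Split a domain user's home folder UNC path into its parts."""
    m = HOME_RE.match(path)
    if not m:
        raise ValueError(f"not a domain home folder path: {path!r}")
    parts = m.groupdict()
    parts["x"] = int(parts["x"])      # folder X, generated by the NAS
    parts["rid"] = int(parts["rid"])  # RID assigned by the domain controller
    return parts


def find_orphaned_homes(home_paths, current_rids):
    """Report home folders that no current domain account owns.

    current_rids maps each existing domain username to the RID the
    domain assigns it today.  A folder whose username still exists but
    carries a different RID belongs to an account that was deleted and
    re-created; a folder whose username is gone belongs to a deleted
    account.  Neither is reachable by the current user of that name.
    """
    orphans = []
    for path in home_paths:
        info = parse_home_path(path)
        rid = current_rids.get(info["user"])
        if rid is None:
            orphans.append((path, "account deleted"))
        elif rid != info["rid"]:
            orphans.append((path, f"account re-created with RID {rid}"))
    return orphans


# Constructed sample: the article's administrator path plus two 'sophie' folders
SAMPLE_HOMES = [
    r"\\10.17.28.174\homes\@DH-SYNO\0\administrator-500",
    r"\\10.17.28.174\homes\@DH-SYNO\0\sophie-1105",   # old, deleted account
    r"\\10.17.28.174\homes\@DH-SYNO\0\sophie-1200",   # current account
]
CURRENT_RIDS = {"administrator": 500, "sophie": 1200}

if __name__ == "__main__":
    for path, why in find_orphaned_homes(SAMPLE_HOMES, CURRENT_RIDS):
        print(path, "->", why)
```

In practice the `current_rids` mapping would be built from the Domain User tab or a directory query, and the paths from a listing of the `homes` shared folder.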

Configure access privileges to DSM services

Adopt either of the methods below to grant domain users/groups access to services (see note 4) on your Synology NAS.

  • Method 1
    1. Go to Control Panel > Domain/LDAP and click the Domain User or Domain Group tabs.
    2. Select a domain user/group and click Edit > Applications.
    3. Configure the privileges and save the settings.
  • Method 2
    1. Go to Control Panel > Application Privileges (DSM 7) or Privileges (DSM 6.2).
    2. Select a service and click Edit > User or Group.
    3. Select Domain users or Domain groups from the drop-down menu.
    4. Configure the privileges and save the settings.

Notes:

  1. A few additional options are needed only in specific domain environments:
    • DC IP/FQDN: You can specify a domain controller's (DC) IP address or an FQDN, and your Synology NAS will try to communicate with it. If you wish to enter multiple IP addresses or FQDNs in this field, please insert a comma (,) between each one. You can also add an asterisk (*) after the last DC's IP address/FQDN so that your Synology NAS will try to communicate with other DCs if it fails to communicate with the specified ones. Please note that the asterisk should be separated from the last IP address/FQDN by a comma as well.
    • Domain NetBIOS name: Specify the NetBIOS name of the domain, e.g., "SYNO".
    • Domain FQDN (DNS name): Specify the FQDN (DNS name) of the domain, e.g., "SYNO.INC".
  2. The "X" within "folder X": It's a number generated by the Synology NAS.
  3. The "Y" within the user's home folder name "domain user-Y": The numeral suffix "Y" is a relative identifier (RID). It's assigned by the domain controller and used to prevent users from viewing private data owned by others. For example, if a domain user "sophie" is deleted and re-created, the new "sophie" will receive a different RID number and will not inherit the access permission to the old "sophie" home folder.
  4. Not all DSM services, such as the SSH service, can be accessed by domain users.
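The DC IP/FQDN syntax from note 1 (comma-separated entries, optional trailing asterisk that must itself be separated by a comma) is easy to get wrong, so a check before the value is entered saves a failed join. The following Python is an added example, not part of the article or of DSM; `parse_dc_list`, `_is_ip` and the sample "dc2.syno.inc" are constructed, and treating an empty field as "let DSM find the DCs" is an assumption.

```python
import ipaddress
import re

# Hostname label rules (RFC 1123 style); parse_dc_list is a constructed helper, not a DSM API.
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_dc_list(field):
    """Parse the DC IP/FQDN field into (dc_list, allow_other_dcs).

    Rules from note 1: entries are comma separated, and a trailing '*'
    (itself separated by a comma) lets the NAS fall back to other DCs.
    Assumption: an empty field means DSM locates DCs on its own.
    """
    if field.strip() == "":
        return [], True
    entries = [e.strip() for e in field.split(",")]
    if "" in entries:
        raise ValueError("empty entry: check for a stray or trailing comma")
    allow_other = entries[-1] == "*"
    if allow_other:
        entries = entries[:-1]
    for entry in entries:
        if "*" in entry:
            raise ValueError(f"'*' must be a separate, last entry: {entry!r}")
        if not _is_ip(entry) and not HOSTNAME_RE.match(entry):
            raise ValueError(f"not an IP address or FQDN: {entry!r}")
    if not entries:
        raise ValueError("list at least one DC before '*'")
    return entries, allow_other


if __name__ == "__main__":
    # Constructed sample: the article's DC address plus a second, made-up FQDN
    print(parse_dc_list("10.17.28.174, dc2.syno.inc, *"))
```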