"Easily manage your NAS accounts with AD"
Active Directory® is a Microsoft directory used in the Windows environment to centrally store, share, and manage information and resources on a network. It is a hierarchical data center that centrally stores information about users, user groups and computers for secure access management.
Advantages of joining QNAP NAS to Active Directory:
- Convenient Account Settings: After connecting the NAS to Active Directory, all user accounts from the AD server will be automatically imported to the NAS. AD users can use the same set of usernames and passwords to log in to the NAS. This saves server administrators the time and effort of creating user accounts individually on the NAS.
- Efficient access control: The NAS allows server administrators to configure access permissions (read-only, read/write, or deny access) to shared network folders.
To join the Turbo NAS to Active Directory using Windows Server 2008 R2, update the NAS firmware to version 3.2.0 or later.
Follow the steps below to join the Turbo NAS to Active Directory (Windows Server 2008).
Log in to the NAS as an administrator. Go to System Settings > General Settings > Time. The date and time set on the NAS must match the time on the AD server. The maximum allowed time difference is 5 minutes.
Then set the IP address of the primary DNS server to the IP address of the Active Directory server that hosts the DNS service. This must be the IP address of the DNS server used in Active Directory. If you are using an external DNS server, you will not be able to join the domain.
A. Domain NetBIOS name
a. This is your "AD Server Name"
b. This is your "Domain Name"
Note: The examples above are based on Windows Server 2008. For Windows Server 2003, check the "AD Server Name" using the figure below.
a. On Windows Server 2003, the AD server name is "node1" instead of "node1.qnap-test.com".
b. The "Domain Name" remains the same.
Go to "Permission Settings" > "Domain Security" > "Active Directory Authentication" > "Manual Setup". Enter your AD domain information.
- Set time and DNS information
- Check the AD server name and domain name
- Join Active Directory
If joining the AD domain fails, refer to "Set time and DNS information":
- Check the time difference between the NAS and the domain controller.
- Verify that the DNS server of the NAS is the same as the DNS server of the domain controller. This must be your domain's DNS server. If you are using an external DNS server, you will not be able to join the domain.
Advanced Options tab
Go to "Network Services" > "Win/Mac/NFS" > "Microsoft Networking" > "AD Domain Membership" > "Advanced Options".
Note that in most cases, you do not need to enter WINS server settings. In an Active Directory environment, pure DNS name resolution is recommended.
- Enable WINS Server: This option should only be activated if there is no WINS server on the network and some computers are on different subnets. In this case, configure all computers to use this WINS server. Note that there must be only one WINS server on the network. All clients must be configured to use the same WINS server. If you are unsure about this setting, do not enable it.
- Use a specific WINS server: This option should only be activated if there is a WINS server in the network and the NAS should be a WINS client. Enter the IP address of the WINS server. If you are unsure about this setting, do not enable it.
- Local Master Browser: This option allows the NAS to become the local master browser responsible for maintaining a list of computers on the network for its workgroup. The NAS workgroup must have the same name as the computers' workgroup (often named "workgroup"). This setting is enabled by default. If you disable it, the NAS will not maintain the list of computers, and another computer on the network will do so instead.
- Allow only NTLMv2 authentication: This option allows only NTLMv2 authentication and rejects LM and NTLM authentication. Leave this option unchecked if you are unsure of the settings. If you check this option, make sure that all computers on the network can use NTLMv2.
- Name Resolution Priority: Refers to name resolution on Windows networks. If WINS is enabled (either WINS option above), you will be able to choose the name resolution priority. When all WINS settings are disabled, "DNS Only" is the default setting. When WINS is enabled, the default setting is "WINS first, then DNS". If you don't have any problems, keep the default value.
- Login style: By default, in an Active Directory environment, domain users have usernames of the form:
(1) Windows share access: domain\username
(2) FTP: domain name + username
(3) Web File Manager: domain name + username
(4) AFP: domain name + username
For example, to use a domain user account to access a shared folder through Web File Manager when this option is not enabled, use domain name + username for authentication.
If enabled, all services will use the same username format:
(1) Windows share: domain\username
(2) FTP: domain\username
(3) Web File Manager: domain\username
(4) AFP: domain\username
For example, to use a domain user account to access a shared folder via Web File Manager when this option is enabled, you must authenticate with domain\username.
- DNS auto-registration: If enabled, the NAS will automatically register itself with the domain's DNS server when it joins Active Directory. This will create a DNS host entry for the NAS on the DNS server. If the IP address of the NAS server changes, the NAS server will automatically update the IP address using the DNS server.
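Before checking "Allow only NTLMv2 authentication", it helps to know which clients still negotiate an older NTLM variant. The following is an added example, not part of the original QNAP guide: it summarizes logon events (Security event ID 4624) exported from a domain controller as CSV and lists the clients that did not use NTLMv2. The CSV layout, host names and addresses are constructed sample data, and it assumes clients authenticate to the NAS at the same NTLM level they use against the domain controller.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: logon events (event ID 4624) exported from a domain
# controller as CSV. Column names follow the event's XML field names.
SAMPLE_EXPORT = """EventID,TargetUserName,WorkstationName,IpAddress,AuthenticationPackageName,LmPackageName
4624,alice,WIN7-PC01,192.0.2.21,NTLM,NTLM V2
4624,bob,XP-LAB03,192.0.2.57,NTLM,NTLM V1
4624,carol,WIN10-PC07,192.0.2.33,Kerberos,-
4624,scanner,MFP-2F,192.0.2.80,NTLM,NTLM V1
4624,bob,XP-LAB03,192.0.2.57,NTLM,NTLM V1
4634,alice,WIN7-PC01,192.0.2.21,,
"""

def legacy_ntlm_clients(export_text):
    """Return {(workstation, ip): {"users": set, "count": int}} for every
    client that logged on with an NTLM variant other than NTLM V2."""
    clients = defaultdict(lambda: {"users": set(), "count": 0})
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["EventID"] != "4624":
            continue  # only logon events carry the package fields
        if row["AuthenticationPackageName"].strip().upper() != "NTLM":
            continue  # Kerberos logons are not affected by the NTLMv2-only option
        if row["LmPackageName"].strip().upper() == "NTLM V2":
            continue  # this client already meets the requirement
        key = (row["WorkstationName"], row["IpAddress"])
        clients[key]["users"].add(row["TargetUserName"])
        clients[key]["count"] += 1
    return dict(clients)

def report(export_text):
    """Format one line per legacy client, busiest first."""
    found = legacy_ntlm_clients(export_text)
    ordered = sorted(found.items(), key=lambda kv: -kv[1]["count"])
    return [
        f"{ws} ({ip}): {info['count']} logon(s) by {', '.join(sorted(info['users']))}"
        for (ws, ip), info in ordered
    ]

if __name__ == "__main__":
    for line in report(SAMPLE_EXPORT):
        print(line)
```

An empty report over a representative period indicates that the clients seen in the export can already use NTLMv2.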
To check whether the NAS has been successfully joined to Active Directory, go to "Permission Settings" > "Users" or "User Groups". The list of users and groups will appear in the Domain Users and Domain Groups lists, respectively.
Refresh the list of domain users and user groups in the web interface
If you have created new users or user groups in the domain, you can click Reload. This will reload the user and user group lists from Active Directory to the NAS. This process is performed only for web interface user lists. User permission settings are synchronized with domain controllers in real time.
- After adding the NAS to Active Directory, local NAS users who have AD server access rights need to log in with "NAS_name\username"; AD users should use their own usernames to log in to the AD server (domain\username).
- Local NAS users and AD users (using domain name + username) can access the NAS via AFP, FTP, and Web File Manager with firmware 3.2.0 or later. With firmware earlier than 3.2.0, only local NAS users can access the Web File Manager.
- To log in to the NAS using Windows Explorer, use "Domain\Username" as the login name.
- To log in to AFP, FTP, and Web File Manager services, use "domain name + username" as the login name.
- Only local users and groups have access to WebDAV.
- For TS-109/209/409/509 series, if the AD server is based on Windows 2008, update the NAS firmware to version 2.1.2 or later.
- To log in to the NAS via AFP, FTP and Web File Manager services, use "Domain + Username" as the login name. To be able to use the standard Windows login format (DOMAIN\USERNAME), you must enable the "Login Style" option in the "Advanced Options" tab in "Microsoft Networking" (see above).
Notes for Windows 7
If you are using a Windows 7 computer that is not part of Active Directory to access a NAS that runs firmware older than 3.2.0 and is a member of an AD domain, change the security settings of the client computer as follows.
- In Windows 7, go to Control Panel > All Control Panel Items and select Administrative Tools.
- Select "Local Security Policy".
- Go to Local Policies > Security Options. Then select "Network security: LAN Manager authentication level".
- Select the Local Security Setting tab, then select "Send LM & NTLM - use NTLMv2 session security if negotiated" from the list. Then click OK.
After configuring the settings in Windows 7, you will be able to access your NAS from there, even if your NAS is a member of an Active Directory domain.