Synology RS422 Synology Directory Server Administrator's Guide for DSM 7.1
Synology RS422 Manual
Synology RS422 manual content summary:
- Page 1: Administrator's Guide for Synology Directory Server Based on DSM 7.1 and Synology Directory Server 4.10 1
- Page 2: 01 About Synology Directory Server Synology Directory Essentials Compatibility and Limitations Install Synology Directory Server Records View and Manage Event Logs Add Firewall Rules to Secure Directory Service Chapter 4: Manage Domain Objects 20 View Domain Objects Manage OUs Manage
- Page 3: Chapter 6: Configure Group Policies 41 Configure Default Domain Policies Use RSAT to Manage Group Policies Chapter 7: Maintain and Recover Directory Service 49 Ensure Uninterrupted Directory Service via Synology High Availability Back Up and Restore Directory Service via Hyper Backup
- Page 4: Synology Directory Server Synology Directory Server provides a centralized platform for account and resource management services powered by Samba schema. It supports structure. Synology Directory Essentials This section provides an overview of Synology Directory service to guide you through
- Page 5: Domain functional level: Equal to Windows Server 2008 R2. • Synology Directory Server must work with the DNS Server package. • Synology Directory Server is not compatible with configurations of other domain/LDAP services. • Supported domain clients: • Windows 7 and above • macOS • Linux 02 Chapter
- Page 6: Synology NAS models. • Limitations: • Supports a single domain only. • The hostname of the Synology NAS that functions as the DC cannot be changed after Synology it to enhance performance, go to Control Panel > File Services > SMB > Advanced Settings > Enable server signing, select Disable,
- Page 7: and click Install. Follow the onscreen instructions to complete the installation process. Chapter 1: Introduction Note: • Before installing Synology Directory Server, you can set up a Synology High Availability cluster to ensure an uninterrupted directory service. Knowledge Center Refer to our
- Page 8: controller (RWDC) or a read-only domain controller (RODC), depending on your deployment. Understand Deployment Methods Refer to the image below for the four deployment methods supported on Synology Directory Server. Then refer to the subsequent table for more information about the methods. 05
- Page 9: NAS. • The original domain clients can keep domain services by setting the Synology NAS as their DNS server. Join your Synology NAS to an existing domain created by Synology Directory Server. Join your Synology NAS to an existing domain created by Synology Directory Server or Windows AD. Set up your
- Page 10: name: Enter the FQDN of the Windows domain you want to migrate to Synology Directory Server. • DNS server: Enter the IP address of a DNS minor issues need to be resolved. Such issues may result in domain service abnormalities. Click Details and fix the issues according to the recommended actions
- Page 11: option will set up your Synology NAS as a RWDC. • Add a read-only domain controller: This option will set up your Synology NAS as a RODC. minor issues need to be resolved. Such issues may result in domain service abnormalities. Click Details and fix the issues according to the recommended actions.
- Page 12: DC=syno,DC=local: The DC is deployed in the domain "syno.local". PDC Emulator • The PDC Emulator role holder provides time synchronization services for Kerberos authentication, recording password updates performed by other DCs within a domain. • There is only one holder of this role for each domain
- Page 13: Roles RID Master • The Relative ID (RID) Master role holder answers RID pool requests from all DCs within a domain so that DCs can add domain objects. • There is only one holder of this role for each domain, and the holder must be a RWDC. Infrastructure Master • The role holder is responsible for
- Page 14: from the other RWDC to the current one. • Seize role: Take the role of the other RWDC by force. Seizing roles may cause synchronization problems between RWDCs. We suggest using this mode only when the original FSMO role owner is unexpectedly and permanently offline. 4. Select the role to take from
- Page 15: Chapter 3: Manage the Domain Only RWDCs can add password replication policies; RODCs can only view the policies that have been added. 1. On a RWDC, go to the Users & Computers page. 2. Click on the left of the OU to expand the domain objects, and do either of the following: • Method 1: a. Click
- Page 16: Chapter 3: Manage the Domain 3. Use the Inspector feature to make sure that the objects are in the intended allowed or denied list. Note: • If a user account is on both the allowed list and the denied list, the user account password will not be replicated (i.e., the denied list takes precedence).
- Page 17: Prepopulate Passwords Once you have added user accounts to the allowed list of a password replication policy, you can prepopulate the user account passwords for a RODC. This allows the passwords to be replicated to the RODC before the users sign in for the first time. 1. On a RWDC, go to the Users &
- Page 18: Submit. Note: • The DC that holds the FSMO roles cannot be demoted. • Domain services will be removed if the last DC in the domain is demoted. • If you sign delete the relevant data. Change the IP Address of a DC Synology Directory Server is generally set up with a static IP address. But sometimes you
- Page 19: domain names (e.g., "pc1.syno.local") into corresponding IP addresses (e.g., "192.168.1.5"). This function is essential for maintaining Synology Directory Server's domain service. A/AAAA Resource Records A and AAAA are both DNS resource records for resolution between domain names and IP addresses
- Page 20: point to the IP address of the Synology NAS where a domain is created. This ensures that Synology Directory Server delivers services successfully. However, A/AAAA resource records may the records to keep track of Synology Directory Server's connection information and troubleshoot possible issues. 17
- Page 21: to efficient management, security is always one of the greatest concerns for Synology Directory administrators. Adding firewall rules secures your directory service from unauthorized logins and allows you to control service access. 1. On a RWDC, go to Control Panel > Security > Firewall. 2. Tick the
- Page 22: Source IP section, choose Specific IP and click Select. 8. Enter an IP address or an IP range to specify the local area network where Synology Directory Server is running. Confirm the information and click OK. 9. Under the Action section, select Allow to allow access through the specified ports and
- Page 23: Server, available resources are created and stored in the form of objects, such as OUs, groups, users, and devices (e.g., computers, printers, and Synology NAS). Only RWDCs can manage domain objects; RODCs can only view domain objects. View Domain Objects Go to the Users & Computers page to view
- Page 24: Chapter 4: Manage Domain Objects Manage OUs An OU is a container object within a domain where you can add all types of domain objects, including users, groups, computers, and other OUs. OUs organize domain objects into a hierarchy, which is helpful when there are a large number of users, computers,
- Page 25: Chapter 4: Manage Domain Objects Add Objects to an OU 1. On a RWDC, go to the Users & Computers page, select an OU from the tree list, and select a method to launch the creation wizard: • Method 1: Click Add and select an object type from the drop-down menu. • Method 2: Right-click the specified OU
- Page 26: the specified OU and select an object type to add. 2. Follow the creation wizard's instructions to add an object. Refer to the sections Add an OU, Add a Group, and applications, or other services deployed in the domain. Default Groups When you establish a domain, Synology Directory Server creates the
- Page 27: and IAS Servers Members of this group are allowed to use remote access services. Read-Only Domain Controllers All RODCs are included in this group by of this group can make changes to the domain schema. Note: • Synology Directory Server aligns with the functional level of Windows Server 2008 R2.
- Page 28: Chapter 4: Manage Domain Objects domain. It can also contain user accounts, global groups, and universal groups from any domain or forest. • Global: Global groups are added for user account management. It can contain user accounts and other global groups in the same domain. In practice, we suggest
- Page 29: Chapter 4: Manage Domain Objects Add Members to Groups Follow either of the following three methods to assign users to groups. Method 1: Add users to groups during the user creation process 1. Follow the steps in Add a User. 2. In the second step of User Creation Wizard, select the groups you want
- Page 30: Administrator dns-NAS hostname Guest krbtgt Description The administrator account that has full control of Synology Directory Server. It is used for managing the domain and DCs. The DNS service account for the Synology NAS. It is named according to the hostname of the DC (e.g., "dns-MyNAS"). The
- Page 31: , Force this account to change password at next login is ticked by default. Password strength requirements depend on the password policy configured at Synology Directory Server > Domain Policy. 4. Select the groups you want the user to join and click Next. 5. Confirm the settings and click Done to
- Page 32: Chapter 4: Manage Domain Objects Import Multiple Users 1. On a RWDC, go to the Users & Computers page and click a container from the tree list you want to add users to. The container can be the container named after your domain (e.g., "SYNO.LOCAL"), the Users container, or an OU. 2. Click Add >
- Page 33: : This account will be asked to change the password upon next login to Windows or Synology NAS. • Disallow the user to change password: This user will not be able to This option is not recommended unless demands for domain client services take higher priority over password security. • Deactivate this
- Page 34: is sensitive and cannot be delegated. Enabling this option means that services running on the client devices cannot act on behalf of another directory. • Connect...to: Set a specific remote shared folder on the Synology NAS as a home directory. The remote shared folder will be automatically mounted
- Page 35: Chapter 4: Manage Domain Objects Assign a Roaming Profile for a Single User Assigning roaming profiles allows domain users to access their files when they sign in to different computers joined to the domain. Before assigning a roaming profile to a user, you must create a shared folder and join at
- Page 36: Chapter 4: Manage Domain Objects 7. Click Done to save the settings. 8. Go back to Synology Directory Server > Users & Computers > Users. 9. Do either of the following: • Select a user and click Action > Properties. • Right-click a user and select Properties. 10. Go to
- Page 37: -joined Windows PC with the specified domain user account, the Windows PC will automatically create a corresponding roaming profile in the remote shared folder on the Synology NAS (the folder name will be "username.V6"). When the user signs out from the PC, the data will be synced back to the
- Page 38: Chapter 4: Manage Domain Objects 6. Enter the path of the shared folder (or a folder under the shared folder) you want to mount as a network drive in the following format. \\IP address of NAS\(shared) folder name 7. Click OK to save the settings. 8. Sign in to the domain-joined Windows PC using this
- Page 39: Chapter 4: Manage Domain Objects Manage Computers The devices joined to a domain (e.g., workstations, servers, printers, and Synology NAS) are referred to as computers and can be deployed for user group access. Edit Computer Properties 1. On a RWDC, go to the Users & Computers page
- Page 40: of domain account and password. Join Windows PCs to a Domain PCs running Windows 7 and versions above can be joined to the domain created by Synology Directory Server. Here we use a Windows 10 PC as the example. 1. Go to Windows Start icon > Settings > Network & Internet > Status > Change adapter
- Page 41: 3. At the Networking tab, select Internet Protocol Version 4 (TCP/IPv4) and click Properties. Chapter 5: Join Devices to a Domain 4. Tick Use the following DNS server addresses, enter the IP address of the DC in the Preferred DNS server field, and click OK to save the settings. 5. Go to Windows
- Page 42: Chapter 5: Join Devices to a Domain 6. At the Computer Name tab, click Change... 7. Under Member of, click Domain and enter the name of the domain you want this computer to join. Click OK after you have confirmed the settings. 8. Enter the domain administrator's credentials in the following username
- Page 43: minor issues need to be resolved. Such issues may result in domain service abnormalities. Click Details and fix the issues according to the recommended actions. precondition check with no critical issues left, click OK to join your Synology NAS to the domain. 6. If necessary, click Edit to configure
- Page 44: The policies can be used to define restrictions on common actions, deploy services on domain-integrated devices, manage updates, and ensure a consistent working burden of domain administration. Here we'll guide you through how to use Synology Directory Server and Windows Remote Server Administration
- Page 45: using reversible encryption: Enabling this option will compromise domain security. This option is not recommended unless demands of domain client services take higher priority over password security. Account Lockout Policy • Lockout threshold: User accounts will be locked out when the number
- Page 46: you have created a shared folder and granted sufficient permissions to all domain users on the Synology NAS acting as the RWDC. Refer to Step 1 to Step 7 of Assign a Roaming Profile for a Single User for detailed instructions. 2. Sign in to a domain-joined Windows PC as a domain administrator. 43
- Page 47: Chapter 6: Configure Group Policies 3. Go to Windows Control Panel > System and Security > Administrative Tools > Group Policy Management. 4. Go to Forest: domain name > Domains > Domain name > Default Domain Policy. 5. At the Settings tab, right-click to open the context menu, and click Edit. 6. Go
- Page 48: Chapter 6: Configure Group Policies 8. Configure the settings as below: a. Switch to the Target tab. b. Select Basic - Redirect everyone's folders to the same location. c. Enter the information needed in Target folder location and Root Path. d. Click OK. 9. The roaming profiles of domain users will
- Page 49: sufficient permissions (read permissions required at minimum) to all domain users on the Synology NAS acting as the RWDC. Refer to Step 1 to Step 7 of Assign a Roaming Profile for a Single User for detailed instructions. 2. Sign in to a domain-joined Windows PC as a domain administrator. 3. Go to
- Page 50: Chapter 6: Configure Group Policies 6. In the console tree, go to User Configuration > Preferences > Windows Settings > Drive Maps. Right-click in the right-hand pane and click New > Mapped Drive. 7. Configure the following settings and click OK: • Action: Select Create from the drop-down menu. •
- Page 51: Chapter 6: Configure Group Policies 8. After the configuration, users will see the network drive mounted on this computer when they sign in via any domain user accounts. Note: • It is not necessary to enter a User name and Password under the Connect as (optional) section because Windows will mount
- Page 52: " and the other server acts as a standby "passive server". This server layout solution is designed to reduce service interruptions caused by server malfunctions. Refer to Synology High Availability's guide for details on the components and concepts of a high-availability cluster. System Requirements
- Page 53: Create high-availability cluster and follow the wizard's instructions to complete the setup (refer to the help articles for details). 4. Install Synology Directory Server and set up a domain. 5. Go to Synology High Availability > Service. 6. Tick Synology Directory Server and click Apply to save the
- Page 54: Service Back Up and Restore Directory Service via Hyper Backup Hyper Backup offers the following features and lets you back up and restore data and settings of Synology system configurations, shared folders, applications, and packages) manually or automatically. • Store backup tasks in local shared
- Page 55: . Restore a Data Backup Hyper Backup allows you to recover your directory once errors occur to Synology Directory Server. You can also migrate Synology Directory service to another Synology NAS via service restoration in Hyper Backup. 1. Launch Hyper Backup. 2. Click on the upper-left corner, and
- Page 56: Chapter 7: Maintain and Recover Directory Service synology.com Synology may make changes to specifications and product descriptions at any time, without notice. Copyright © 2022 Synology Inc. All rights reserved. ® Synology and other names of Synology Products are proprietary marks or registered
Administrator's Guide for
Synology Directory Server
Based on
DSM 7.1 and Synology Directory Server 4.10