Synology DS1522 Synology Directory Server Administrator's Guide for DSM 7.1
Synology DS1522 manual content summary:
- Synology DS1522 | Synology Directory Server Administrator's Guide for DSM 7.1 - Page 1
  Administrator's Guide for Synology Directory Server Based on DSM 7.1 and Synology Directory Server 4.10
- Synology DS1522 | Synology Directory Server Administrator's Guide for DSM 7.1 - Page 2
  About Synology Directory Server Synology Directory Essentials Compatibility and Limitations Install Synology Directory Server Knowledge Records View and Manage Event Logs Add Firewall Rules to Secure Directory Service Chapter 4: Manage Domain Objects 20 View Domain Objects Manage OUs
- Synology DS1522 | Synology Directory Server Administrator's Guide for DSM 7.1 - Page 3
  Chapter 6: Configure Group Policies 41 Configure Default Domain Policies Use RSAT to Manage Group Policies Chapter 7: Maintain and Recover Directory Service 49 Ensure Uninterrupted Directory Service via Synology High Availability Back Up and Restore Directory Service via Hyper Backup
- Synology DS1522 | Synology Directory Server Administrator's Guide for DSM 7.1 - Page 4
  Directory Essentials This section provides an overview of Synology Directory service to guide you through the knowledge required for performing administrative tasks via Synology Directory Server. Directory Service A directory is a repository containing individual users, groups, locations, and
- Synology DS1522 | Synology Directory Server Administrator's Guide for DSM 7.1 - Page 5
  , a Synology NAS, etc DSM version requirement: DSM 7.1 and above. • Domain functional level: Equal to Windows Server 2008 R2. • Synology Directory Server must work with the DNS Server package. • Synology Directory Server is not compatible with configurations of other domain/LDAP services. • Supported
- Synology DS1522 | Synology Directory Server Administrator's Guide for DSM 7.1 - Page 6
  information. Install Synology Directory Server 1. Check the following before installing Synology Directory Server on your Synology NAS: • The network connection of Synology NAS is working properly. • The volume status of your Synology NAS in Storage Manager > Storage is Healthy. • The DSM is updated
- Synology DS1522 | Synology Directory Server Administrator's Guide for DSM 7.1 - Page 7
  and click Install. Follow the onscreen instructions to complete the installation process. Chapter 1: Introduction Note: • Before installing Synology Directory Server, you can set up a Synology High Availability cluster to ensure an uninterrupted directory service. Knowledge Center Refer to our
- Synology DS1522 | Synology Directory Server Administrator's Guide for DSM 7.1 - Page 8
  Controller Chapter 2: Set Up a Domain Controller You can set up your Synology NAS as a primary domain controller (PDC) or a secondary domain controller (SDC to the image below for the four deployment methods supported on Synology Directory Server. Then refer to the subsequent table for more information
- Synology DS1522 | Synology Directory Server Administrator's Guide for DSM 7.1 - Page 9
  can keep domain services by setting the Synology NAS as their DNS server. Join your Synology NAS to an existing domain created by Synology Directory Server. Join your Synology NAS to an existing domain created by Synology Directory Server or Windows AD. Set up your Synology NAS as a RODC that
- Synology DS1522 | Synology Directory Server Administrator's Guide for DSM 7.1 - Page 10
  minor issues need to be resolved. Such issues may result in domain service abnormalities. Click Details and fix the issues according to the recommended actions (.). • Domain name cannot be the same as the server name of your Synology NAS. • The maximum length is 64 characters. Password Strength
- Synology DS1522 | Synology Directory Server Administrator's Guide for DSM 7.1 - Page 11
  Synology Directory Server. 1. Launch Synology Directory Server. 2. Select a deployment method: • Add a domain controller to an existing domain: This option will set up your Synology NAS to be resolved. Such issues may result in domain service abnormalities. Click Details and fix the issues according
- Synology DS1522 | Synology Directory Server Administrator's Guide for DSM 7.1 - Page 12
  (DN) Roles Domain Controller Primary domain controller • The server that holds the PDC Emulator role and other Flexible Single PDC Emulator • The PDC Emulator role holder provides time synchronization services for Kerberos authentication, recording password updates performed by other DCs within
- Synology DS1522 | Synology Directory Server Administrator's Guide for DSM 7.1 - Page 13
  Roles RID Master • The Relative ID (RID) Master role holder answers RID pool requests from all DCs within a domain so that DCs can add domain objects. • There is only one holder of this role for each domain, and the holder must be a RWDC. Infrastructure Master • The role holder is responsible for
- Synology DS1522 | Synology Directory Server Administrator's Guide for DSM 7.1 - Page 14
  from the other RWDC to the current one. • Seize role: Take the role of the other RWDC by force. Seizing roles may cause synchronization problems between RWDCs. We suggest using this mode only when the original FSMO role owner is unexpectedly and permanently offline. 4. Select the role to take from
- Synology DS1522 | Synology Directory Server Administrator's Guide for DSM 7.1 - Page 15
  Chapter 3: Manage the Domain Only RWDCs can add password replication policies; RODCs can only view the policies that have been added. 1. On a RWDC, go to the Users & Computers page. 2. Click on the left of the OU to expand the domain objects, and do either of the following: • Method 1: a. Click
- Synology DS1522 | Synology Directory Server Administrator's Guide for DSM 7.1 - Page 16
  Chapter 3: Manage the Domain 3. Use the Inspector feature to make sure that the objects are in the intended allowed or denied list. Note: • If a user account is on both the allowed list and the denied list, the user account password will not be replicated (i.e., the denied list takes precedence).
- Synology DS1522 | Synology Directory Server Administrator's Guide for DSM 7.1 - Page 17
  Prepopulate Passwords Once you have added user accounts to the allowed list of a password replication policy, you can prepopulate the user account passwords for a RODC. This allows the passwords to be replicated to the RODC before the users sign in for the first time. 1. On a RWDC, go to the Users &
- Synology DS1522 | Synology Directory Server Administrator's Guide for DSM 7.1 - Page 18
  be demoted. • Domain services will be removed if Synology NAS that is running Synology Directory Server. 1. Back up Synology Directory Server with Hyper Backup. 2. Change the IP address of the Synology NAS. 3. Confirm and update the resource records in DNS Server. 4. Restart Synology Directory Server
- Synology DS1522 | Synology Directory Server Administrator's Guide for DSM 7.1 - Page 19
  DNS Auto Registering When a client successfully joins the domain created by Synology Directory Server, the server will automatically register or update an A resource record (and an AAAA resource record if IPv6 is enabled) to the DNS service on DSM, mapping the hostname of the client to an IP address
- Synology DS1522 | Synology Directory Server Administrator's Guide for DSM 7.1 - Page 20
  the IP address of the Synology NAS where a domain is created. This ensures that Synology Directory Server delivers services successfully. However, A/AAAA resource records may not correctly point to the Synology NAS during the following circumstances: • The Synology NAS undergoes a change in its IP
- Synology DS1522 | Synology Directory Server Administrator's Guide for DSM 7.1 - Page 21
  ) checkbox. This may affect the database performance of your Synology Directory Server. Manage Logs • Go to the upper-right search bar for Synology Directory administrators. Adding firewall rules secures your directory service from unauthorized logins and allows you to control service access.
- Synology DS1522 | Synology Directory Server Administrator's Guide for DSM 7.1 - Page 22
  built-in applications, and click Select. 6. Select DNS Server, Synology Directory Server, and Windows file server. Click OK. 7. Under the Source IP section, choose an IP range to specify the local area network where Synology Directory Server is running. Confirm the information and click OK. 9. Under
- Synology DS1522 | Synology Directory Server Administrator's Guide for DSM 7.1 - Page 23
  Objects Chapter 4: Manage Domain Objects In a domain hosted by Synology Directory Server, available resources are created and stored in the form of objects, such as OUs, groups, users, and devices (e.g., computers, printers, and Synology NAS). Only RWDCs can manage domain objects; RODCs can only
- Synology DS1522 | Synology Directory Server Administrator's Guide for DSM 7.1 - Page 24
  Chapter 4: Manage Domain Objects Manage OUs An OU is a container object within a domain where you can add all types of domain objects, including users, groups, computers, and other OUs. OUs organize domain objects into a hierarchy, which is helpful when there are a large number of users, computers,
- Synology DS1522 | Synology Directory Server Administrator's Guide for DSM 7.1 - Page 25
  Chapter 4: Manage Domain Objects Add Objects to an OU 1. On a RWDC, go to the Users & Computers page, select an OU from the tree list, and select a method to launch the creation wizard: • Method 1: Click Add and select an object type from the drop-down menu. • Method 2: Right-click the specified OU
- Synology DS1522 | Synology Directory Server Administrator's Guide for DSM 7.1 - Page 26
  the specified OU and select an object type to add. 2. Follow the creation wizard's instructions to add an object. Refer to the sections Add an OU, Add a Group, and , or other services deployed in the domain. Default Groups When you establish a domain, Synology Directory Server creates the following
- Synology DS1522 | Synology Directory Server Administrator's Guide for DSM 7.1 - Page 27
  Members of this group are allowed to use remote access services. Read-Only Domain Controllers All RODCs are included in this group by default. Schema Admins Members of this group can make changes to the domain schema. Note: • Synology Directory Server aligns with the functional level of Windows
- Synology DS1522 | Synology Directory Server Administrator's Guide for DSM 7.1 - Page 28
  Chapter 4: Manage Domain Objects domain. It can also contain user accounts, global groups, and universal groups from any domain or forest. • Global: Global groups are added for user account management. It can contain user accounts and other global groups in the same domain. In practice, we suggest
- Synology DS1522 | Synology Directory Server Administrator's Guide for DSM 7.1 - Page 29
  Chapter 4: Manage Domain Objects Add Members to Groups Follow either of the following three methods to assign users to groups. Method 1: Add users to groups during the user creation process 1. Follow the steps in Add a User. 2. In the second step of User Creation Wizard, select the groups you want
- Synology DS1522 | Synology Directory Server Administrator's Guide for DSM 7.1 - Page 30
  hostname Guest krbtgt Description The administrator account that has full control of Synology Directory Server. It is used for managing the domain and DCs. The DNS service account for the Synology NAS. It is named according to the hostname of the DC (e.g., "dns-MyNAS"). The account for guest access
- Synology DS1522 | Synology Directory Server Administrator's Guide for DSM 7.1 - Page 31
  Force this account to change password at next login is ticked by default. Password strength requirements depend on the password policy configured at Synology Directory Server > Domain Policy. 4. Select the groups you want the user to join and click Next. 5. Confirm the settings and click Done to add
- Synology DS1522 | Synology Directory Server Administrator's Guide for DSM 7.1 - Page 32
  Chapter 4: Manage Domain Objects Import Multiple Users 1. On a RWDC, go to the Users & Computers page and click a container from the tree list you want to add users to. The container can be the container named after your domain (e.g., "SYNO.LOCAL"), the Users container, or an OU. 2. Click Add >
- Synology DS1522 | Synology Directory Server Administrator's Guide for DSM 7.1 - Page 33
  This account will be asked to change the password upon next login to Windows or Synology NAS. • Disallow the user to change password: This user will not be able to This option is not recommended unless demands for domain client services take higher priority over password security. • Deactivate this
- Synology DS1522 | Synology Directory Server Administrator's Guide for DSM 7.1 - Page 34
  is sensitive and cannot be delegated. Enabling this option means that services running on the client devices cannot act on behalf of another directory. • Connect...to: Set a specific remote shared folder on the Synology NAS as a home directory. The remote shared folder will be automatically mounted
- Synology DS1522 | Synology Directory Server Administrator's Guide for DSM 7.1 - Page 35
  Chapter 4: Manage Domain Objects Assign a Roaming Profile for a Single User Assigning roaming profiles allows domain users to access their files when they sign in to different computers joined to the domain. Before assigning a roaming profile to a user, you must create a shared folder and join at
- Synology DS1522 | Synology Directory Server Administrator's Guide for DSM 7.1 - Page 36
  Chapter 4: Manage Domain Objects 7. Click Done to save the settings. 8. Go back to Synology Directory Server > Users & Computers > Users. 9. Do either of the following: • Select a user and of the specified user. \\IP address of NAS\shared folder name\%username% 11. Click OK to save the settings.
- Synology DS1522 | Synology Directory Server Administrator's Guide for DSM 7.1 - Page 37
  Windows PC with the specified domain user account, the Windows PC will automatically create a corresponding roaming profile in the remote shared folder on the Synology NAS (the folder name will be "username.V6"). When the user signs out from the PC, the data will be synced back to the assigned
- Synology DS1522 | Synology Directory Server Administrator's Guide for DSM 7.1 - Page 38
  path of the shared folder (or a folder under the shared folder) you want to mount as a network drive in the following format. \\IP address of NAS\(shared) folder name 7. Click OK to save the settings. 8. Sign in to the domain-joined Windows PC using this domain user account. The user will
- Synology DS1522 | Synology Directory Server Administrator's Guide for DSM 7.1 - Page 39
  Chapter 4: Manage Domain Objects Manage Computers The devices joined to a domain (e.g., workstations, servers, printers, and Synology NAS) are referred to as computers and can be deployed for user group access. Edit Computer Properties 1. On a RWDC, go to the Users & Computers page and
- Synology DS1522 | Synology Directory Server Administrator's Guide for DSM 7.1 - Page 40
  account and password. Join Windows PCs to a Domain PCs running Windows 7 and versions above can be joined to the domain created by Synology Directory Server. Here we use a Windows 10 PC as the example. 1. Go to Windows Start icon > Settings > Network & Internet > Status > Change adapter options, and
- Synology DS1522 | Synology Directory Server Administrator's Guide for DSM 7.1 - Page 41
  Version 4 (TCP/IPv4) and click Properties. Chapter 5: Join Devices to a Domain 4. Tick Use the following DNS server addresses, enter the IP address of the DC in the Preferred DNS server field, and click OK to save the settings. 5. Go to Windows Start icon > Settings > System > About > System
- Synology DS1522 | Synology Directory Server Administrator's Guide for DSM 7.1 - Page 42
  Chapter 5: Join Devices to a Domain 6. At the Computer Name tab, click Change... 7. Under Member of, click Domain and enter the name of the domain you want this computer to join. Click OK after you have confirmed the settings. 8. Enter the domain administrator's credentials in the following username
- Synology DS1522 | Synology Directory Server Administrator's Guide for DSM 7.1 - Page 43
  can sign in to Synology NAS using their domain accounts and passwords. This allows the users to access files and DSM applications without remembering another set of username and password. 1. Go to DSM Control Panel > Domain/LDAP > Domain/LDAP and click Join. 2. Enter the server information and click
- Synology DS1522 | Synology Directory Server Administrator's Guide for DSM 7.1 - Page 44
  deploy services on domain-integrated devices, manage updates, and ensure a consistent working environment for users. Good management of group policies eases the burden of domain administration. Here we'll guide you through how to use Synology Directory Server and Windows Remote Server Administration
- Synology DS1522 | Synology Directory Server Administrator's Guide for DSM 7.1 - Page 45
  using reversible encryption: Enabling this option will compromise domain security. This option is not recommended unless demands of domain client services take higher priority over password security. Account Lockout Policy • Lockout threshold: User accounts will be locked out when the number
- Synology DS1522 | Synology Directory Server Administrator's Guide for DSM 7.1 - Page 46
  > Programs > Turn Windows features on or off, and tick the Remote Server Administration Tools checkbox. 4. Make sure you have joined the current PC to on the Synology NAS acting as the RWDC. Refer to Step 1 to Step 7 of Assign a Roaming Profile for a Single User for detailed instructions. 2. Sign
- Synology DS1522 | Synology Directory Server Administrator's Guide for DSM 7.1 - Page 47
  Chapter 6: Configure Group Policies 3. Go to Windows Control Panel > System and Security > Administrative Tools > Group Policy Management. 4. Go to Forest: domain name > Domains > Domain name > Default Domain Policy. 5. At the Settings tab, right-click to open the context menu, and click Edit. 6. Go
- Synology DS1522 | Synology Directory Server Administrator's Guide for DSM 7.1 - Page 48
  Chapter 6: Configure Group Policies 8. Configure the settings as below: a. Switch to the Target tab. b. Select Basic - Redirect everyone's folders to the same location. c. Enter the information needed in Target folder location and Root Path. d. Click OK. 9. The roaming profiles of domain users will
- Synology DS1522 | Synology Directory Server Administrator's Guide for DSM 7.1 - Page 49
  sufficient permissions (read permissions required at minimum) to all domain users on the Synology NAS acting as the RWDC. Refer to Step 1 to Step 7 of Assign a Roaming Profile for a Single User for detailed instructions. 2. Sign in to a domain-joined Windows PC as a domain administrator. 3. Go to
- Synology DS1522 | Synology Directory Server Administrator's Guide for DSM 7.1 - Page 50
  Chapter 6: Configure Group Policies 6. In the console tree, go to User Configuration > Preferences > Windows Settings > Drive Maps. Right-click in the right-hand pane and click New > Mapped Drive. 7. Configure the following settings and click OK: • Action: Select Create from the drop-down menu. •
- Synology DS1522 | Synology Directory Server Administrator's Guide for DSM 7.1 - Page 51
  Chapter 6: Configure Group Policies 8. After the configuration, users will see the network drive mounted on this computer when they sign in via any domain user accounts. Note: • It is not necessary to enter a User name and Password under the Connect as (optional) section because Windows will mount
- Synology DS1522 | Synology Directory Server Administrator's Guide for DSM 7.1 - Page 52
  is designed to reduce service interruptions caused by server malfunctions. Refer to Synology High Availability's guide for details on the components and concepts of a high-availability cluster. System Requirements Synology High Availability requires two identical Synology NAS with the same system
- Synology DS1522 | Synology Directory Server Administrator's Guide for DSM 7.1 - Page 53
  -availability cluster and follow the wizard's instructions to complete the setup (refer to the help articles for details). 4. Install Synology Directory Server and set up a domain. 5. Go to Synology High Availability > Service. 6. Tick Synology Directory Server and click Apply to save the settings
- Synology DS1522 | Synology Directory Server Administrator's Guide for DSM 7.1 - Page 54
  Chapter 7: Maintain and Recover Directory Service Back Up and Restore Directory Service via Hyper Backup Hyper Backup offers the following features and lets you back up and restore data and settings of Synology Directory Server. • Retain up to 65,535 versions of data while storage consumption is
- Synology DS1522 | Synology Directory Server Administrator's Guide for DSM 7.1 - Page 55
  . Restore a Data Backup Hyper Backup allows you to recover your directory once errors occur to Synology Directory Server. You can also migrate Synology Directory service to another Synology NAS via service restoration in Hyper Backup. 1. Launch Hyper Backup. 2. Click on the upper-left corner, and
- Synology DS1522 | Synology Directory Server Administrator's Guide for DSM 7.1 - Page 56
  Chapter 7: Maintain and Recover Directory Service synology.com Synology may make changes to specifications and product descriptions at any time, without notice. Copyright © 2022 Synology Inc. All rights reserved. ® Synology and other names of Synology Products are proprietary marks or registered
Administrator's Guide for
Synology Directory Server
Based on
DSM 7.1 and Synology Directory Server 4.10