QNAP Turbo NAS Software User Manual

Domain Controller


The Turbo NAS can now act as a domain controller for Windows. IT administrators can easily configure the Turbo NAS as the centerpiece of domain directory services for their organization to store user account information, manage user authentication and enforce security for a Windows domain.

 

Note: This function is only applicable to some models.

 

Domain Controller

 

Three domain controller modes are available for the Turbo NAS:

Domain Controller: Only a domain controller can create a domain and the first NAS that creates the domain must be a domain controller. In this mode, the NAS can create and authenticate users.
Additional Domain Controller: In case more than one domain controller is needed, you can choose this mode to add additional domain controllers. The NAS set as an additional domain controller will then act as a domain controller and can create and authenticate users.
Read-Only Domain Controller: To accelerate the user authentication process on specific sites, it is possible to enable a Read-Only domain controller. Users can be authenticated by this NAS, but it will not be able to create a domain user.

 

To set the NAS as a domain controller, follow the steps below:

1.Go to "Control Panel" > "Privilege Settings" > "Domain Controller" > "Domain Controller" tab.
2.Select a domain controller mode from the drop-down list.
3.Specify a domain (example: mydomain.mycompany.local).
4.Fill out the administrator password and the same password again in the "Verify Password" field.
5.Click "Apply".

 

After a domain controller is enabled, only the domain users can connect to Microsoft Networking shared folders. Please be sure to grant shared folder permissions to domain users and groups.

 

Note: The NAS can only act as either a domain controller or LDAP server. If the option "Enable Domain Controller" is grayed out, please disable the LDAP Server in "Control Panel" > "Applications" > "LDAP Server" first.

 

Users

 

You can create or delete domain user accounts or manage their membership here.

 

Creating a user

To create a domain user, follow the steps below:

1.Go to "Control Panel" > "Privilege Settings" > "Domain Controller" > "Users" tab.
2.Click "Create" > "Create a User".
3.Follow the instructions of the wizard to complete the details.

 

Creating multiple users

To create multiple domain users, follow the steps below:

1.Go to "Control Panel" > "Privilege Settings" > "Domain Controller" > "Users" tab.
2.Click "Create" > "Create Multiple Users".
3.Click "Next".
4.Enter the name prefix, e.g. test. Enter the start number for the username, e.g. 0001 and the number of users to be created, e.g. 10. The NAS creates ten users named test0001, test0002, test0003…test0010. The password entered here is the same for all the new users.
5.Select whether to create a private shared folder for each user. The shared folder will be named after the username. If a shared folder of the same name already exists, the NAS will not create the folder.
6.Specify the folder settings.
7.You can view the new users created in the last step. Click "Finish" to exit the wizard.
8.Check that the users have been created.
9.Check that the shared folders have been created for the users.

 

Batch importing users

To batch import domain users, follow the steps below:

1.Go to "Control Panel" > "Privilege Settings" > "Domain Controller" > "Users" tab.
2.Click "Create" > "Batch Import Users".
3.Select the option "Overwrite existing users" to overwrite existing domain users (or leave this option unchecked if you want to import domain users without overwriting existing ones). Click "Browse" and select a CSV file which contains the user information in the following format (account, password, description and email). For steps to create a CSV file, refer to the next section, Creating a CSV file (Excel).
4.Click "Next" to import the users and "Finish" after the users have been created.
5.The imported user accounts will be shown.

 

Note:

The password rules (if applicable) will not be applied when importing the users.
The account and password fields cannot be empty for an account.

 

Creating a CSV file (Excel)

1.Open a new file with Excel.
2.Enter a user's information in the same row in the following order:
   o Column A: Account
   o Column B: Password
   o Column C: Description
   o Column D: Email
3.Go to the next row and repeat the previous step to create another user account. Each row indicates one user's information. Save the file in CSV format.
4.Open the CSV file with Notepad and save it in UTF-8 encoding if it contains double-byte characters.
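
A pre-import check for the CSV file described in the batch import steps and notes above, as an added example (not QNAP code). Because password rules are not applied on import and the account and password fields cannot be empty, it verifies the encoding, the column layout, empty fields, duplicate accounts and a minimum password length. The function name, the 12-character minimum, the strict four-column requirement and the sample rows are assumptions made for illustration.

```python
import csv
import io

# Assumed local policy (not a QNAP setting): the import skips the NAS
# password rules, so enforce a minimum here before uploading the file.
MIN_PASSWORD_LENGTH = 12

def check_import_csv(raw: bytes, min_len: int = MIN_PASSWORD_LENGTH):
    """Return (row_number, problem) pairs for a batch-import CSV
    laid out as: account, password, description, email."""
    try:
        text = raw.decode("utf-8-sig")  # utf-8-sig also tolerates a leading BOM
    except UnicodeDecodeError as exc:
        return [(0, f"file is not valid UTF-8 (byte offset {exc.start})")]
    problems, seen = [], {}
    for row_no, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not any(cell.strip() for cell in row):
            continue  # ignore blank lines
        if len(row) != 4:  # assumption: every row carries all four columns
            problems.append((row_no, f"expected 4 columns, found {len(row)}"))
            continue
        account, password = row[0].strip(), row[1].strip()
        if not account:
            problems.append((row_no, "account is empty"))
        if not password:
            problems.append((row_no, "password is empty"))
        elif password.lower() == account.lower():
            problems.append((row_no, "password equals account name"))
        elif len(password) < min_len:
            problems.append((row_no, f"password shorter than {min_len} characters"))
        key = account.lower()  # Windows account names are case-insensitive
        if account and key in seen:
            problems.append((row_no, f"duplicate of account on row {seen[key]}"))
        seen.setdefault(key, row_no)
    return problems

# Constructed sample data, not taken from a real NAS.
SAMPLE = (
    "alice,Correct-Horse-Battery-9,Finance,alice@example.com\n"
    "bob,,Sales,bob@example.com\n"
    "carol,carol,Ops,carol@example.com\n"
    "Alice,Another-Long-Passw0rd,Dup,alice2@example.com\n"
    "dave,Long-Enough-Passw0rd\n"
).encode("utf-8")

if __name__ == "__main__":
    for row_no, problem in check_import_csv(SAMPLE):
        print(f"row {row_no}: {problem}")
```

Since the file holds plaintext passwords, delete it from the workstation and any shared folder once the import has finished.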

 

Deleting users

To delete a domain user account, follow the steps below:

1.Go to "Control Panel" > "Privilege Settings" > "Domain Controller" > "Users".
2.Select the user account(s) to be deleted.
3.Click "Delete".
4.Click "Yes".

 

User account management

Refer to the following table for available buttons under "Action" and their explanations:

Button | Name | Description
(icon) | Edit Password | Edit the password of a domain user account.
(icon) | Edit User Properties | Specify whether the domain user must change the password at the first login, account expiration date, description and email.
(icon) | Edit Group Membership | Choose which domain group(s) the domain user belongs to.
(icon) | Edit User Profile | Specify the profile path, login script, and home folder of a domain user account.

 

For user profiles:

Profile path: Specify the shared folder where the roaming profiles are stored. The path specified can be a shared folder name such as /home or /user1profile, or a UNC path such as \\nas.mydomain.local\home.
Login script: Specify the logon script to execute when a domain user logs on from a PC that is a member of the domain. Copy the script to the shared folder (sysvol) in the subfolder {your_domain}\scripts by connecting to the share \\NAS\netlogon as the domain administrator, and then you can directly specify the script filename.
Home: Specify the drive letter and a shared folder that is mapped to the drive letter when the domain user logs on to the domain with the domain username and password. The path specified can be a shared folder name such as /home or /user1profile, or a UNC path such as \\nas.mydomain.local\home.

 

Groups

 

To enhance security control, you can create domain user groups. A domain user group is a collection of domain users who share the same access rights to files and folders.

 

Creating domain user groups

To create a domain user group, follow the steps below:

1.Go to "Control Panel" > "Privilege Settings" > "Domain Controller" > "Groups" tab.
2.Click "Create a User Group".
3.Select "Yes" and "Next" to assign domain user(s) to the group or "No" to create a domain group without domain users.
4.Click "Finish".

 

Deleting domain user groups

To delete a domain user group, follow the steps below:

1.Go to "Control Panel" > "Privilege Settings" > "Domain Controller" > "Groups" tab.
2.Select user group(s) and click "Delete".

 

Note: It is advised not to delete the default existing group of the domain.

 

Editing group members

To edit domain members within a group, follow the steps below:

1.Go to "Control Panel" > "Privilege Settings" > "Domain Controller" > "Groups" tab.
2.Click the "Edit Group Membership" button under "Action".
3.Select and check domain users to join them to the group or uncheck existing domain users to remove them from the group.
4.Click "Next".

 

Computers

 

All computers that have already joined the domain will be listed here, and with permissions granted, they can access the list of domain resources (such as the domain users and groups). The computer accounts are created automatically after a computer or NAS joins the domain, and administrators can manually create or delete computer accounts.

 

Creating computer accounts

To create a domain computer account, follow the steps below:

1.Go to "Control Panel" > "Privilege Settings" > "Domain Controller" > "Computers" tab.
2.Click "Create a Computer".
3.Fill out the computer name, description and location and click "Next".
4.Choose the group(s) for the computer account and click "Next".
5.Click "Create".

 

Deleting computer accounts

To delete a domain computer account, follow the steps below:

1.Go to "Control Panel" > "Privilege Settings" > "Domain Controller" > "Groups" tab.
2.Select the computer account(s) and click "Delete".
3.Click "Delete".

 

Computer account management

Refer to the following table for available buttons under "Action" and their explanations:

Button | Name | Description
(icon) | Edit Computer Properties | Edit the description and location of the computer account.
(icon) | Edit Group Membership | Choose to add the computer account to the user group(s) or remove it from the user group(s).

 

DNS

 

The Domain Name System, or DNS, can help the domain controller locate services and devices within the domain (or vice versa) using service and resource records. Two DNS zones are created by default (the domain created when you first set up the NAS as the domain controller and the zone with a name starting with _msdcs.) System administrators can modify DNS settings, add/delete domains, and add/delete records.

 

Modifying DNS settings

To edit a DNS setting, first go to "Control Panel" > "Privilege Settings" > "Domain Controller" > "DNS" tab and log in with the administrator username and password, and the DNS settings will appear. Follow the steps below:

1.Click the setting to be modified.
2.Edit the properties of the setting (type and value), adjust the order of the value with the green up-arrow or down-arrow button, or delete the value with the red "X" button.
3.Click "Apply" to save the changes.

 

Adding domains

To add a domain, first go to "Control Panel" > "Privilege Settings" > "Domain Controller" > "DNS" tab and log in with the administrator username and password. Follow the steps below:

1.Click "Action" > "Add Domain".
2.Enter the domain name and click "Create".

 

Adding records

To add a record, first go to "Control Panel" > "Privilege Settings" > "Domain Controller" > "DNS" tab and log in with the administrator username and password. Follow the steps below:

1.Select a domain.
2.Click "Action" > "Add Record".
3.Enter the record properties and click "Create".

 

Note: Only the following types of records are supported: A, AAAA, PTR, CNAME, NS, MX, SRV, TXT.

 

Deleting domains or records

To delete a domain or record, first go to "Control Panel" > "Privilege Settings" > "Domain Controller" > "DNS" tab and log in with the administrator username and password. Follow the steps below:

1.Select a domain or record.
2.Click "Action" > "Delete".
3.Click "Yes".

 

Backup/Restore

 

The domain controller status can be backed up or restored using the backup/restore function. Only the first domain controller needs to be backed up. In an AD environment where more than one domain controller is present, there are some restrictions and limitations associated with the restore procedures. Please check the restore function carefully.

 

Backing up domain controllers

To back up the domain controller status, follow the steps below:

1.Go to "Control Panel" > "Privilege Settings" > "Domain Controller" > "Backup/Restore" tab.
2.Check "Back up Database" and set the backup frequency, starting time, destination folder and backup options (choose to overwrite existing backup file or create a new file).
3.Click "Apply".

 

Restoring domain controllers

Please note that the current settings, including users, groups and domain controller settings, will be overwritten and all changes made since the last backup will be lost. Please be especially careful when you restore domain controllers.

 

To restore the domain controller in a single domain controller environment, follow the steps below:

1.Go to "Control Panel" > "Privilege Settings" > "Domain Controller" > "Backup/Restore" tab > scroll down to the "Restore ADDC Database" section.
2.Click "Browse" and select the backup file.
3.Click "Import".

 

If the domain controller you are trying to restore is in an environment with more than one domain controller, do not restore from the backup, as this will corrupt the domain controller database. Simply add the NAS back as a domain controller, and it will synchronize with the existing domain controller. If no other domain controllers are online, restore only the first domain controller, and then join the other NAS servers back as domain controllers. To restore a domain with multiple domain controllers to a previous state, first disable the domain controller feature on all NAS servers, restore only the first domain controller, and then join the other NAS servers back as domain controllers.

 


© 2015 QNAP Systems, Inc. All Rights Reserved.