How can I connect my QNAP NAS to Microsoft Active Directory (AD)? (2023)

"They allow you to easily manage your NAS accounts using AD"

show
Active Directory® is the Microsoft directory used in the Windows environment to centrally store, share, and manage information and resources on the network. It is a hierarchical data center that centrally stores information about users, user groups, and computers for secure access management.

Advantages of connecting QNAP NAS to Active Directory:

1. Convenient account settings: By connecting the NAS to Active Directory, all user accounts from the AD server will be automatically imported to the NAS. AD users can use the same set of usernames and passwords to log in to the NAS. This saves server administrators time and effort to create user accounts one by one on the NAS.
2. Effective access control: NAS allows server administrators to configure access rights (read only, read/write or deny access) to shared network folders.

• prerequisites
• Advanced settings tab
• Authentication settings
• Update the list of domain users and user groups in the web interface
• Notes for Windows 7

prerequisites

To connect the Turbo NAS to Active Directory using Windows Server 2008 R2, you must update the NAS firmware to version 3.2.0 or later.
Follow the steps below to connect the Turbo NAS to Active Directory (Windows Server 2008).

Log in to the NAS as an administrator. Go to System Settings > General Settings > Time. The date and time set on the NAS must match the time on the AD server. The maximum allowed time difference is 5 minutes.

Next, set the IP address of the primary DNS server to the IP address of the Active Directory server that hosts the DNS service. Must be the IP address of the DNS server used for Active Directory. If you use an external DNS server, you will not be able to join the domain.

a. NetBIOS domain name

a. This is your "ad server name".
b. This is your "domain name".

Note: The above examples are based on Windows Server 2008. For Windows Server 2003, please check the "AD Server Name" by referring to the image below.

a. On Windows 2003 server, AD server name is "node1" instead of "node1.qnap-test.com"
b) "Location Name" remains the same.

Go to Privilege Settings > Domain Security > Active Directory Authentication > Manual Configuration. Enter the AD domain information.

1. Set time and DNS information
2. Check the AD server name and domain name
3. deltage i Active Directory

noting:
If joining the AD domain fails, select "Set time and DNS information":

• Check the time difference between the NAS and your domain controller.
• Check if the DNS server of your NAS is the same as the DNS of your domain controller. It should be your domain's DNS server. If you use an external DNS server, you will not be able to join the domain

Advanced settings tab

Go to "Network Services" > "Win/Mac/NFS" > "Microsoft Networks" > "AD Domain Members" > "Advanced Settings".

Victory Support:
Note that in most cases it is not necessary to enter the WINS server settings. In an Active Directory environment, pure DNS name resolution is recommended.

(1) Windows share access: domain username
(2) FTP: domain name + username
(3) Web File Manager: domain name + username
(4) Agence France-Presse: domain name + username

For example, to use a domain user account to access a shared folder through Web File Manager, if the option is not enabled, use domain + username to authenticate.
If this option is enabled, all services will use the same username format

(1) Windows share: domain username
(2) FTP: domain username
(3) Web File Manager: domain username
(4) AFP: domain username

For example, to use a domain user account to access shared folders through Web File Manager, you must authenticate with a domain username if this option is enabled.

1. Enable WINS Server: You only need to enable this option if you do not have a WINS server on your network and some of your computers are on different subnets. In this case, you must configure all computers to use this WINS server. Note that there can only be one WINS server on the network. All clients must be configured to use the same WINS server. If you are unsure about this setting, do not enable it.
2. Use Specified WINS Server: This option should only be enabled if you have a WINS server on your network and your NAS needs to be a WINS client. Enter the IP address of the WINS server
3. If you are unsure about this setting, do not enable it.
4. Local Master Browser: This option allows the NAS to become a local master browser responsible for maintaining a list of computers on the network for its workgroup. The NAS workgroup must have the same name as your computer's workgroup (often referred to as "workgroup"). This option is enabled by default. If you disable it, the NAS will not maintain the list of computers and another computer on the network will. The default setting is enabled.
5. Allow only NTLMv2 authentication: This option allows only NTLMv2 authentication and rejects LM and NTLM. Leave this option unchecked if you are unsure of the settings. If you enable this option, you must ensure that all computers on the network can use NTLMv2.
6. Name Resolution Priority: Refers to name resolution on Windows networks. If WINS is enabled (option (1) or (2)), you will be able to select the name resolution priority. When all WINS settings are disabled, the default setting is "DNS Only". When WINS is enabled, the default setting is "WINS first, then DNS". If you have no problems, keep the default value.
7. Connection method:
   By default, domain users in an Active Directory environment have usernames of the form:
8. Auto Register to DNS: If this option is enabled, the NAS will automatically register to the domain's DNS server when it joins Active Directory. This will create a DNS host entry for the NAS on the DNS server. If the NAS IP changes, the NAS will automatically update the IP with the DNS server.

Authentication settings

To check if the NAS is connected to Active Directory, go to "Privilege Settings" > "Users" or "User Groups". A list of users and groups appears under Domain Users and Domain Groups respectively.

Update the list of domain users and user groups in the web interface

If you have created new users or user groups in the domain, you can click the Reload button. This will reload the user and user group lists from Active Directory to the NAS. This process is only performed for web interface user lists. User permission settings are synchronized with domain controllers in real time.

noting:

• After adding the NAS to Active Directory, local NAS users with access rights to the AD server must log in with "NAS_name username". AD users must use their own usernames to log in to the AD server (domain username).
• Allow local NAS users and AD users (using domain name and username) to access the NAS via AFP, FTP and Web File Manager with firmware 3.2.0 and above. However, with firmware prior to 3.2.0, only local NAS users can access web files.
• To connect to the NAS through Windows Explorer, use "DomainUsername" as the login name.
• To connect to AFP, FTP and Web File Manager services, use "domain name + username" as the login name.
• WebDAV is only accessible by local users and groups.
• For TS-109/209/409/509 series, if the AD server is based on Windows 2008, the NAS firmware must be updated to version 2.1.2 or later.
• To connect to the NAS via AFP, FTP and Web file services, use "Domain + Username" as the login name. To be able to use the standard Windows logon format (DOMAINUSERNAME), enable the "Login Style" option in the "Advanced Settings" tab in "Microsoft Networks" (see above).

Notes for Windows 7

If you are using a Windows 7 computer that is not part of Active Directory to access a NAS with pre-3.2.0 firmware and is also a member of the AD domain, you need to change the client computer's security settings as follows.

1. In Windows 7, go to Control Panel > All Control Panel Items and select Administrative Tools.
2. Select "Local Security Policy".
3. Go to Local policies > Security settings. Then select Network Security: LAN Manager Authentication Level.
4. Select the Local Security Settings tab, then select Send LM and NTLMv2 - use NTLMv2 session security if negotiated from the list. Then click OK.

After configuring the settings in Windows 7, you will be able to access your NAS from it, even if your NAS is a member of an Active Directory domain.