[Music] Hi, I'm Willie with h5 Technology. Welcome to my channel. Thank you for being here, and I appreciate each and every one of you. Today we are gonna look at Active Directory on our Synology. Now, for a small office it could be very price prohibitive to have a Microsoft Windows server, and the Synology, depending on your model, can actually act as an Active Directory server. So we can save you a lot of money: it's not only going to be your storage, but it can also be your Active Directory server. So let's take a look at that real quick.

Here we are, we're at our Synology where we're doing all of our testing and videos. We're going to log in, and by the way, there has been a security update for the latest version of DSM, so make sure that your DSM is up to date. We're gonna go over to Package Center, we're gonna scroll down to Active Directory Server, and we are gonna hit install. It is gonna go out, it's gonna fetch that package and install it for us, so we'll be right back as soon as that's done.

Okay, so our Active Directory server is installed, so we'll go ahead and open this, and that's gonna open a wizard and it's gonna walk us through this. This is absolutely brilliant. So we're gonna click Next. Now we've got to put a domain name in, and it used to be back in the day that you would use a domain that was not an actual top-level domain, so you see a lot of things in dom dot ltd dot you know not or whatever. Now Microsoft, over the last, I don't even know how many years it's been, you're starting to see that the best practice is actually to use, you know, the dot-com internally. And I guess I don't know the history of when exactly that started, you know, my certification on the Microsoft products is a couple years old, but it wasn't that long ago that you could no longer get certificates, SSL certificates, issued for anything that wasn't an actual top-level domain. So there's some history there, you have to go Google search that. Anyway, so what we're gonna do is our
domain name here is going to be, we'll do h5, and then it wants to know what our workgroup's gonna be. We click that and it automatically fills it down, so your workgroup is like your NetBIOS name for your domain name. It's gonna create an administrator account, so we're gonna go ahead and give this a password. Okay, and we're gonna click Next, and it's going to confirm the settings with us that we selected: that our domain is going to be h5llc.com and the workgroup will be h5. So we'll go ahead and apply that. It's gonna go ahead and create the domain, and we're gonna take a look at everything else that it does.

Now, once this is done, you're gonna want to make sure that if you have static IP addressing on your workstations, you point your DNS to your Synology. Or if you're doing DHCP, you'll probably want to hand out the IP address of your Synology, or however your DNS is set up. You have to get clients over to the Synology so that they can get the directory information, and we'll take a look at that here in a minute. So this domain creation, it's gonna speed right along here, and we'll be right back.

Alright, so the wizard is done and it brings us to our main screen, and you can see here that it tells us our domain name is h5llc.com, our domain NetBIOS name is h5 LLC, and the number of records which may need updated, and those are resource records, and this says 0. If you do have to update them, then you do that in the DNS server, so we'll take a look at that. And then you have the option to remove the domain.

So real quick, let's bring up the DNS server. So now you can see that we've got the zones that were automatically created for Active Directory, and again, you know, it gave us some zone IDs. We could actually go in here, and I don't suggest doing it, but you could come in here and add records. Unless it tells you to add a record, I would honestly just kind of leave it alone. I wouldn't go tinker. I mean, if you want to, you know, do it, go in there,
jack with it, then burn it to the ground, that's cool. But if this is going to be in production, unless they tell you to add records or you need to add a record for something, this is gonna work, and it's gonna work really well, and you're not gonna have to mess with it. So those are the zones that were created.

Now if we double click on that, what we can do is we can bring it up, and these are all of the special records that are created that make Active Directory run in DNS, so you can see why in production we don't want to mess around with this. Now, yeah, you can add to h5. If you have a device that you need, let's say you have a Raspberry Pi that's doing whatever on the network and you need to address it by name instead of the IP, you could go ahead and come in here and add a record, just add your A record to do that, and that would be fine. But don't go no tinkering with those default records unless they tell you to, unless you're building it and you want to go in, mess with it, and then blow it up and then delete it. That's awesome. But if this is production, I really recommend leaving those records. I think I've said that about six different ways now, so I'll stop talking about that, but that is what it inserts into your DNS server.

Now back here at the Active Directory control panel. If you're familiar with Microsoft Active Directory, this should look very similar to that. Under here, any computers that are joined to the domain, they're gonna show up here, and then any domain controllers that you have will also show up here. Now if you have another server and you join it, it will likely show up under computers, because it's not a DC unless you use dcpromo and promote that to a domain controller in your domain. You can come in here, you can add new OUs, users, groups. So under users, let's add a new user, and we're gonna call it W how. Okay, so we've got our password set up here, and we can force the password to change at next logon, we can disallow
the user to change their password, we can set it so the password never expires, or we can disable the account.

Now if you have a lot of accounts in Active Directory and, let's say, you have staff turnover, my suggestion to you is to only disable the account, not delete it, because you don't know where you may have not used a group. You may have attached a user to something, and you delete the user, and now you've got some sort of a crazy problem in Active Directory, or with permissions, more likely, on a program or folders or things like that. So disable the account. What I like to do is I like to add an, you know, OU that's called disabled users or disabled accounts, and I like to put disabled accounts in that OU.

You know what, we never did finish my user, so we'll add a user, go back, and we're not gonna check anything, but you could force users to change their logon. Now any Active Directory groups that you need this user to be part of, this is where you add them. So domain admins, if you're an administrator, that's a fantastic group to be in, and you can see by default we are in the domain users group. Here's a recap of all of the settings, and we'll go ahead and apply that. It is now going to create h5 LLC W how, it's gonna set all those parameters, and we're gonna have a user. We could join a machine to the domain and then log in as that user. We can also set a share, and that's probably what we'll do: instead of joining my machine to the domain, we'll create a share, we'll put that user on there, and then we'll see how we access that.

The last thing that you're going to look at here is the domain policy. There are just a couple policies here, and they are your password policy: the maximum age, the minimum age, the minimum password length, so it has to be seven characters. And then what we do here is we do not allow people, this is enforced password history, you cannot use the last 24 passwords. And then enable password strength checks, so that's where you have to have a special character,
uppercase, lowercase, number, all that good stuff. Then the account lockout policy is the lockout threshold, how many times can you get the password wrong before it locks the account, and how long is the lockout duration, and when does that lockout counter reset. So you can actually set it so that an administrator has to go in and actually, you know, reset or enable that account. I'm gonna leave that at default for now.

You can also add new groups under users. It's like adding a user, except it is specific to the group. So we'll add an h5 group, and this is gonna be h5 employees, and we're not gonna put an email on there. Now it can either be a domain local, a global, or universal. We will go ahead and go with the default, global. If you want to know what these mean, let me know. If there's enough people interested, I can do a quick Active Directory, like a 15, 20 minute video that explains a lot of this stuff about Active Directory. I'm kind of making an assumption that if you're coming this far, you may already know some of this, but if you want to know more about Active Directory, let me know and I can do some videos on that. And then is it a security group, which we use for permissions, or is it a distribution group, which we would use to, you know, an email would come in to this single address and then be distributed out to other users. This is a security group, and we will apply that.

But real quick, let's reload our users and make sure that my W how user is down there. Perfect. So everything seems to be running good with Active Directory. So let's go into Control Panel, let's do Shared Folder, let's add a shared folder called h5. This is the h5 shared folder, and we're not gonna encrypt it, we're not gonna do any of that stuff. You could set a quota, you know, so that only so much data can be in that folder. We're gonna kind of leave it wide open. Now what's going to happen is it's gonna come up and it's gonna ask us about our permissions. So right now the account that we're logged into is W how
into the Synology, that local user already has access. Now I could restrict access to that folder for that user, but what we want to do is we want to pull up domain users or domain groups. I try to set permissions on groups. So real quick, let's go back over here to users and groups, and we will pull up my W how user. Now under my user we can go to member of, and what we can do is we can find our h5 group that we created, and we will make my user a member of the h5 employees group, and we'll go ahead and say OK. We're going to touch on those options here in just a second. So now what we're gonna do is we're gonna refresh this, and we're gonna go to the h5 group, and we are gonna say read/write for the h5 group. We're gonna go ahead and click OK on that, and so that should be good.

So what I'm gonna do is I'm going to bring up that share. It's gonna prompt me for credentials, and we're gonna put in my user and see if it works. So let's do that real quick. Alright, so in the run line I just put in \\192.168.69.6. I'm gonna click OK, it's gonna come up, and it's gonna ask me for credentials, so we're gonna do h5 LLC backslash W how, put in that password, and now you can see that I can get into the h5 share. But I should not be able to get into, like, the customer share, so access is denied. My user, I did not put, that h5 group does not have access to the customers folder. It should not have access to the backup folder, we should get the same thing there. It should not have access to the integral folder. It should only have access to the h5 folder, which it does, so our permissions are set correctly.

Alright, so we're gonna go back to my user real quick and we're gonna take a look at a few of these user options before we wrap this up. So here we have the logon hours, and we can actually come in here and tell the domain that this user can only log into the domain during certain hours. So right now you can see everything is in blue, so it's allowed. So we could set it up so that at midnight,
you know, my user is not allowed to log in at midnight. Don't know, you, I mean, there are some, you know, when you start talking about security, things can get very granular, and sometimes they have to.

Now this log on to is a fantastic feature in Active Directory, and actually before Active Directory, when we were dealing with the NT 4 days, it had this too, but you can make it so that users can only log in, you know, with certain computers, on certain machines. So that's what this is. Right now we've got all computers allowed. I can come in here, we can change the user password, we can force, here's all the password stuff. You can do smart cards, you can use DES encryption.

Then under general you can come in here and fill out more information about the users. Active Directory is a database that can be queried, so you can query Active Directory for all sorts of things. So you can build an employee directory, and if you had all this information in here, it can automatically fill that directory in. Profile: if we had a login script that automatically mapped drives or, who knows, did something automatically when we logged in, you can put that here. We can automatically map the user's home directory. If you have a roaming profile, you can enter that information here. A roaming profile allows you to have the same desktop and all the settings from computer to computer to computer. There are some caveats to setting that up, and we will eventually get into that. And of course here is the member of, this shows me the groups that I am in.

So that's it. If you don't want to spend a lot of money on Microsoft licensing, you can use your Synology. Now, you can't with the web interface do all of the types of group policy objects that you can with a Windows Server, but eventually, if there's enough interest, we will get to a point where I will show you how to be able to apply those things without an actual Windows server. So that's it for this video. If you like this video, please give me a thumbs up, please
subscribe, please comment, share, please follow me on Twitter and Instagram. If you need consulting for your networks, voice-over-IP with Grandstream, storage with Synology, security, programming, you know, web design, anything that you want to throw at us, go to h5, fill out that contact form, and somebody will get back with you. We also have a Discord channel. Charli's our admin, he's really good at what he does. You can come on in and chat. If you want to buy any of the tools and gear that you see here on the channel, we do have that Amazon affiliate shop down below. As always, I want to thank you for being here, I appreciate each and every one of you, and we'll see you in the next video.
