Domain
At Synology Directory Server > Domain, you can view your domain status and manage various types of domain controllers (DCs).
View Status
After setting up a domain and promoting your Synology NAS as a domain controller (refer to First-Time Setup Wizard for instructions), you can view the domain status information on the Domain page.
Domain information:
Go to the Domain section to view domain information.
- Domain name
- Domain NetBIOS name
Domain controller information:
Go to the Domain Controller section to view domain controller information.
- Domain controller types: A domain controller (DC) is a server that stores the directory service database. There are three types of DCs in a domain set up by Synology Directory Server:
- Primary domain controller: The server that holds the Primary Domain Controller (PDC) Emulator role. When a data synchronization conflict occurs, the PDC is the authoritative source for the resulting data updates.
- Secondary domain controller: The server that can manage the domain as a holder of Flexible Single Master Operation (FSMO) roles, but cannot hold the PDC Emulator role.
- Read-only domain controller: The server that holds a read-only copy of the domain database, replicates user account passwords according to password replication policies, and authenticates user access.
Note: A read-only domain controller (RODC) receives only replication data from read-write domain controllers (RWDCs).
- Distinguished name (DN): This DN is the object path of the domain controller in the domain database. For example, if a domain controller's DN is "CN=SYNOTEST,OU=Domain Controllers,DC=syno,DC=local", you can analyze its elements as below:
- CN=SYNOTEST: The hostname of this domain controller is "SYNOTEST".
- OU=Domain Controllers: The domain controller belongs to the organizational unit "Domain Controllers".
- DC=syno,DC=local: The domain controller is deployed in the domain "syno.local".
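The breakdown above is what a DN parser does: split the DN into relative distinguished names (RDNs) on unescaped commas, then read CN as the hostname, OU as the container path and the DC components as the DNS domain. The following Python example is added here and is not Synology code; it implements that split with RFC 4514 escape handling (a comma inside a value written as `\,` or `\2C`), so names such as "Smith, John" do not break the parse. The function names and the sample DNs are assumptions.

```python
"""Parse an LDAP distinguished name (DN) into RDNs and derive the pieces the
Domain page describes: hostname (CN), OU path and DNS domain (DC components).
Added example, not Synology Directory Server code."""
from dataclasses import dataclass

HEX_DIGITS = set("0123456789abcdefABCDEF")


def _split_unescaped(text: str, sep: str) -> list:
    """Split on `sep` except where it is preceded by a backslash escape.
    Escape pairs are kept intact so a later step can resolve them."""
    parts, current, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            current.append(text[i:i + 2])
            i += 2
            continue
        if ch == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


def _unescape(value: str) -> str:
    """Resolve RFC 4514 escapes: '\\,' -> ',' and '\\2C' -> ','.
    Hex pairs are collected as bytes so multi-byte UTF-8 escapes decode correctly."""
    out = bytearray()
    i = 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in HEX_DIGITS for c in pair):
                out.append(int(pair, 16))
                i += 3
                continue
            out.extend(value[i + 1].encode("utf-8"))
            i += 2
            continue
        out.extend(value[i].encode("utf-8"))
        i += 1
    return out.decode("utf-8")


def parse_dn(dn: str) -> list:
    """Return the DN as a list of RDNs; each RDN is a list of (type, value)
    pairs, so multi-valued RDNs ('CN=a+SN=b') are represented too."""
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        pairs = []
        for ava in _split_unescaped(rdn, "+"):
            attr, sep, value = ava.partition("=")
            if not sep:
                raise ValueError(f"malformed RDN component: {ava!r}")
            pairs.append((attr.strip().upper(), _unescape(value.strip())))
        rdns.append(pairs)
    return rdns


@dataclass
class DomainControllerDN:
    hostname: str
    ou_path: list   # outermost container first
    domain: str     # DNS domain spelled by the DC components


def describe_dc_dn(dn: str) -> DomainControllerDN:
    """Read a domain controller DN the way the Domain page explains it."""
    cn, ous, dcs = None, [], []
    for rdn in parse_dn(dn):
        for attr, value in rdn:
            if attr == "CN" and cn is None:
                cn = value
            elif attr == "OU":
                ous.append(value)
            elif attr == "DC":
                dcs.append(value)
    if cn is None or not dcs:
        raise ValueError("not a domain controller DN: CN and DC components required")
    return DomainControllerDN(hostname=cn, ou_path=list(reversed(ous)), domain=".".join(dcs))


if __name__ == "__main__":
    # The DN quoted on the Domain page.
    print(describe_dc_dn("CN=SYNOTEST,OU=Domain Controllers,DC=syno,DC=local"))
```

Splitting on the raw comma instead of honouring escapes is the usual mistake; any tool that builds LDAP filters or access rules from DN fragments should use a parser like this rather than `str.split(",")`.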
- Roles:
- PDC Emulator: The Primary Domain Controller (PDC) Emulator role holder provides time synchronization services for Kerberos authentication, recording password updates performed by other domain controllers within a domain. There is only one holder of this role for each domain.
- RID Master: The Relative ID (RID) Master role holder answers RID pool requests from all domain controllers within a domain so that domain controllers can add domain objects. There is only one holder of this role for each domain.
- Infrastructure Master: The Infrastructure Master role holder is responsible for updating cross-domain object references. There is only one holder of this role for each domain.
- Domain Naming Master: The Domain Naming Master role holder is assigned to deal with changes in the domain namespace. There is only one holder of this role for each forest.
- Schema Master: The Schema Master role holder is responsible for updating the directory schema. There is only one holder of this role for each forest.
Manage Domain Controllers
Get FSMO roles:
You can change the holder of a Flexible Single Master Operation (FSMO) role. Only RWDCs can get or change FSMO roles.
- Go to Domain > Domain Controller.
- Click ⁝ on the right side of the domain controller that is going to get an FSMO role, and select Get FSMO Role.
- Select one of the following modes to get an FSMO role from the Role-getting mode drop-down menu.
- Transfer role: Transfer a role from the other domain controller to the current one.
- Seize role: Take the role of the other domain controller by force. Seizing roles may cause synchronization problems between domain controllers. We suggest using this mode only when the original FSMO role owner is unexpectedly and permanently offline.
- Select a role to be taken from the Role drop-down menu.
- Enter the following information and click Submit to get the role from the other domain controller.
- Account: Enter the administrator account of your domain.
- Password: Enter the password of the administrator account.
Add password replication policies for an RODC:
Password replication policies allow you to determine which user accounts can be replicated to the RODC. Once a password replication policy is added and a user account is in the allowed list of the password replication policy, the user account password is replicated to the RODC.
- Go to the Users & Computers page, click the icon on the left of the OU to expand the domain objects, and select Domain Controllers.
- Double-click on the RODC and select Password Replication Policy.
- Click Add and select one or multiple user accounts from the Applied object drop-down menu.
- Select Allow or Deny according to your needs and click Add.
- Allow: Select this option to allow the RODC to replicate the selected user account passwords.
- Deny: Select this option to deny the RODC from replicating the selected user account passwords. Note: If a user account is on both the allowed list and the denied list, the user account password will not be replicated (i.e., the denied list takes precedence).
- View the added policy and click OK to finish.
Note:
- An RODC that is permitted to replicate a user account authenticates the user’s logins, without forwarding authentication requests to an RWDC (i.e., primary or secondary domain controller). However, an RODC that is denied from replicating a user account will forward the authentication request to an RWDC.
- Only RWDCs can add password replication policies; RODCs can only view the policies that have been added.
Preview the password replication policies:
The Inspector feature allows you to preview which user accounts are in the allowed list or denied list of the password replication policies.
- Go to the Users & Computers page, click the icon on the left of the OU to expand the domain objects, and select Domain Controllers.
- Double-click on the RODC and select Password Replication Policy.
- Click Inspector and select the user accounts you want to preview from the Applied object drop-down menu.
- Click Preview.
- Add, remove, or export user accounts according to your needs.
- Add objects for preview: Click Add, select user accounts from the Applied object drop-down menu, and click Preview.
- Remove objects from preview: Select a user account and click Remove.
- Export objects for preview: Click Export to export user accounts as an Excel file.
Note: Press and hold Ctrl or Shift to select multiple user accounts.
Prepopulate passwords for an RODC:
Prepopulating passwords allows a user account password to be replicated to the RODC before the user signs in for the first time. The user accounts must be in the allowed list of the password replication policy.
- Go to the Users & Computers page, click the icon on the left of the OU to expand the domain objects, and select Domain Controllers.
- Right-click on the RODC and select Policy status.
- Go to the View account type field and select an option:
- Accounts authenticated on this RODC: Display the list of user accounts whose passwords are transferred from the RODC to the RWDC for authentication. User logins are authenticated by the RWDC. The RWDC must be a Windows server.
- Accounts with passwords stored on this RODC: Display the list of user accounts whose passwords are replicated to and stored on the RODC. User logins are authenticated by this RODC.
- Click Prepopulate Passwords.
- Enter the following information and click Prepopulate Passwords.
- Account: Enter the administrator account of your domain.
- Password: Enter the password of the administrator account.
- Applied object: Select the user accounts whose passwords you want to prepopulate.
Note:
- Only RWDCs can prepopulate user account passwords for RODCs; RODCs can only view the user accounts whose passwords have been prepopulated.
Change the IP addresses of domain controllers:
Synology Directory Server is normally set up with a static IP address. But for certain reasons, you may need to change the IP address of the Synology NAS that is running Synology Directory Server.
- Back up Synology Directory Server with Hyper Backup.
- Change the IP address of the Synology NAS.
- Confirm and update the resource records in DNS Server (refer to Synology Directory Server and DNS Resource Records for details).
- Restart Synology Directory Server to update network settings:
- Go to Package Center > Installed > Synology Directory Server.
- Click the inverted triangle and select Stop.
- After Synology Directory Server is stopped, click Run to restart the package.
Demote domain controllers:
Demotion allows you to decommission domain controllers from the current domain object hierarchy yet keep them in the domain.
- Go to Domain > Domain Controller.
- Click ⁝ on the right side of the domain controller you want to demote.
- Select Demote.
- Confirm that you want to demote the domain controller and click Demote.
- Enter the following information and click Submit.
- Account: Enter the administrator account of your domain.
- Password: Enter the password of the administrator account.
Synology Directory Server and DNS Resource Records
To ensure that Synology Directory Server delivers services successfully, all A/AAAA resource records in DNS Server must correctly point to the IP address of the Synology NAS. All A/AAAA resource records are set to point to the IP address of the Synology NAS where a domain is created by default.
However, A/AAAA resource records may not properly point to the Synology NAS due to the following circumstances:
- The Synology NAS undergoes a change in its IP address after the domain has been created with Synology Directory Server.
- Synology Directory Server is restored through a backup task of the Hyper Backup package.
Follow the steps below when encountering the cases mentioned above.
Check and update resource records in DNS Server:
- Go to DNS Server > Zones.
- Select the relevant DNS zone such as domain name@Active Directory or _msdcs.domain name@Active Directory, and click Edit > Resource record.
- Check the IP addresses configured in the A/AAAA resource records. Make sure all the records point to your Synology NAS.
Note: To batch edit, press and hold Ctrl or Shift to select multiple resource records of the same type but with different names.
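Checking the records by hand is error-prone once the zone has grown, so here is an added Python example (not Synology code) that performs the same check over records exported in BIND zone-file style. The zone contents, addresses and hostnames below are constructed placeholders. The check deliberately skips client hostnames: as the DNS auto registering section explains, clients register their own addresses, so only the domain apex, the domain controller hostnames and everything in the `_msdcs` zone are required to point at the NAS. Addresses are compared through the `ipaddress` module so differently spelled IPv6 forms of the same address are not reported as stale.

```python
"""Flag A/AAAA records in the Active Directory zones that do not point at the
Synology NAS. Added example, not Synology DNS Server code; all data is constructed."""
import ipaddress
from typing import NamedTuple


class Record(NamedTuple):
    zone: str
    name: str
    rtype: str
    value: str


# Constructed sample zones. Real zone names on DSM look like
# "<domain>@Active Directory" and "_msdcs.<domain>@Active Directory".
SAMPLE_ZONES = {
    "syno.local": """
; owner                     TTL  class type value
syno.local.                 3600 IN    A    192.168.1.10
synotest.syno.local.        3600 IN    A    192.168.1.10
synotest.syno.local.        3600 IN    AAAA fd00:0:0:0:0:0:0:10
client01.syno.local.        3600 IN    A    192.168.1.55
""",
    "_msdcs.syno.local": """
gc._msdcs.syno.local.       3600 IN    A    192.168.1.9
11111111-2222-3333-4444-555555555555._msdcs.syno.local. 3600 IN CNAME synotest.syno.local.
""",
}


def parse_zone(zone: str, text: str) -> list:
    """Parse lines of the form 'owner TTL class type value'; comments are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith(";"):
            continue
        owner, _ttl, _cls, rtype, value = fields[:5]
        records.append(Record(zone, owner.lower(), rtype.upper(), value))
    return records


def stale_address_records(records, nas_addresses, dc_names) -> list:
    """Return A/AAAA records that must point at the NAS but do not."""
    expected = {ipaddress.ip_address(a) for a in nas_addresses}
    required = {n.lower().rstrip(".") + "." for n in dc_names}
    stale = []
    for r in records:
        if r.rtype not in ("A", "AAAA"):
            continue
        # Client hosts register their own address, so only the apex, the DC
        # hostnames and the _msdcs zone are required to resolve to the NAS.
        if not (r.zone.startswith("_msdcs.") or r.name in required):
            continue
        try:
            addr = ipaddress.ip_address(r.value)
        except ValueError:
            stale.append(r)          # unparsable address: also needs fixing
            continue
        if addr not in expected:
            stale.append(r)
    return stale


def check_zones(zones: dict, nas_addresses, dc_names) -> list:
    """Parse every zone and report the records that need to be corrected."""
    records = [r for zone, text in zones.items() for r in parse_zone(zone, text)]
    return stale_address_records(records, nas_addresses, dc_names)


if __name__ == "__main__":
    for r in check_zones(SAMPLE_ZONES, ["192.168.1.10", "fd00::10"],
                         ["syno.local", "synotest.syno.local"]):
        print(f"fix {r.zone}: {r.name} {r.rtype} {r.value}")
```

Run it after an IP change or a Hyper Backup restore with the NAS's current IPv4 and IPv6 addresses; every record it prints is one to edit under DNS Server > Zones > Edit > Resource record.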
What is DNS auto registering?
After a client has successfully joined the domain created by Synology Directory Server, the server automatically registers and updates an A resource record (and an AAAA resource record if IPv6 is enabled) in DNS Server on DSM, mapping the hostname of the client to its IP address.
Limitations:
- This function cannot be disabled.
- Naming rules of domain clients: Only letters (a-z, A-Z), numbers (0-9), and dashes (-) are allowed currently.
- On Windows 7, 10: Re-login or reboot will be needed if the hostname or IP address was changed.
- On DSM, SRM: Re-login or reboot will NOT be needed if the hostname or IP address was changed, and the resource record will not be updated either.