Synology Directory Server Quick Start Guide for Administrators
What is Synology Directory Server
Synology Directory Server is an efficient tool that allows your Synology NAS to become a domain controller. IT administrators can manage accounts and install specific programs or system updates on all computers in the office with just a few clicks.
Why use Synology Directory Server
- Deploy and manage multiple computers
- Manage accounts and access privileges of all members in a central location
- Deploy specific applications to any computer in the office without needing to leave the seat
- Establish group policies to manage user accounts easily
Before you start
- Install DSM 6.2.2 or above on your Synology NAS
- Ensure that your Synology NAS has a working network connection
- Assign a static IP address to your Synology NAS
- Unjoin your Synology NAS from its current Domain/LDAP
- Ensure that no domain name conflict exists in the local area network
Create your own domain
Follow the Setup Wizard to create your own domain.
- Launch Synology Directory Server.
- Click Next to continue with the setup.
- Enter the following information and click Next:
- Domain name: Enter an FQDN (Fully Qualified Domain Name) for the domain, e.g., "syno.local".
- Workgroup: The workgroup name (or the NetBIOS domain name) will be automatically filled in this field. For instance, if your domain name is "syno.local", the default workgroup name will be "syno".
- Password: Enter a password for the administrator account of your domain.
- Confirm password: Enter the password again.
- Confirm the settings and click Apply. The system will now create the domain and promote the Synology NAS to be a domain controller.
Domain Naming Limitations:
- The domain name can only contain alphabetical characters, numeric characters, minus signs, and dots (only used as the delimiter of domain name's components).
- The domain name must contain at least two components, e.g., "syno.local".
- The domain name cannot start with a hyphen (-).
- The domain name cannot end with a hyphen (-) or a period (.).
- The maximum length is 255 characters.
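The limitations above can be checked before running the Setup Wizard. The following is an added example, not Synology code; it implements only the five rules listed here and assumes that "alphabetical characters" means ASCII letters.

```python
import re

MAX_LENGTH = 255                          # maximum length stated in the guide
LABEL_RE = re.compile(r"[A-Za-z0-9-]+")   # assumption: ASCII letters and digits


def check_domain_name(name):
    """Return the naming limitations that `name` violates (empty list = OK)."""
    problems = []
    if len(name) > MAX_LENGTH:
        problems.append("longer than 255 characters")
    if name.startswith("-"):
        problems.append("starts with a hyphen")
    if name.endswith(("-", ".")):
        problems.append("ends with a hyphen or a period")

    # A trailing period is already reported above; drop it before splitting.
    body = name[:-1] if name.endswith(".") else name
    components = body.split(".")
    if any(c == "" for c in components):
        problems.append("dot used other than as a component delimiter")
    named = [c for c in components if c]
    if any(not LABEL_RE.fullmatch(c) for c in named):
        problems.append("contains a character other than letters, digits, '-' or '.'")
    if len(named) < 2:
        problems.append("fewer than two components")
    return problems


if __name__ == "__main__":
    # Constructed sample names, not taken from any real network.
    for candidate in ["syno.local", "syno", "-syno.local", "syno.local.",
                      "syno..local", "syno_corp.local", "a" * 252 + ".lan"]:
        issues = check_domain_name(candidate)
        shown = candidate if len(candidate) <= 30 else candidate[:27] + "..."
        print(f"{shown:32} {'OK' if not issues else '; '.join(issues)}")
```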
Manage organizational unit
An organizational unit (OU) is a container object within a domain to which you can add all types of domain objects, including users, groups, computers, and other OUs. OUs organize domain objects into a hierarchy, which is helpful when there are a large number of users, computers, and groups.
Add an OU
- Go to the Users & Computers page.
- Select the domain or an OU from the tree list, and click Add > Organizational unit.
- Specify a name for the new organizational unit in the field, and click OK.
- Right-click the parent container of the newly added organizational unit, and click Reload. The newly added organizational unit will then show on the tree list.
Add objects to an OU
- On the Users & Computers page, select an OU from the tree list.
- Select one of the methods below to launch the creation wizard:
- Method 1: Click the Add button above the tree list and select a type of domain object from the drop-down menu.
- Method 2: Right-click the specified OU on the tree list. Go to Add and select an object type.
- Method 3: Right-click the blank space of the specified OU and select an object type to add.
- Follow the instructions in the creation wizard to add the object.
Manage groups
Domain groups allow IT administrators to grant permissions to access devices, applications, or other services deployed in a domain.
Add groups
- Click the default Users directory in the left panel of the page to perform operations for group objects showing at the right.
- Click Add > Group.
- Configure the new group in the Group Information page.
- Click Apply to save settings.
Manage users
Users in a domain are user accounts that can access resources in the domain.
Add Users
- Click the default Users directory in the left panel of the page to perform operations for group objects showing at the right.
- Click Add > User.
- Configure the new user in the User Information page.
Note:
- Password strength requirements depend on the password policy configured in Domain Policy.
- Select the groups for the user to be a member of.
- Click Apply to save settings.
Batch import users
- Click the default Users directory in the left panel of the page to perform operations for group objects showing at the right.
- Click Add > Import Users.
- Select a file to upload. The file should contain user information in CSV format.
- Confirm the preview is correct and click OK to import.
Manage computers
Computers in the domain created by Synology Directory Server can be workstations, servers, or NAS. This type of object can be deployed in the domain for users to access.
Click the default Computers directory in the left panel of the page to perform operations for computer objects showing at the right. You can edit computer properties or delete a computer object.
Manage password and account policy
Default Domain Policy allows you to maintain account security on a domain level by setting up password and account lockout policies. You can click Domain Policy on the left panel to manage these two types of default domain policies.
Password policies
The following are the available password policies on the Domain Policy page:
- Maximum password age: Specify the time after which the passwords expire. Passwords will never expire if the option is disabled.
- Minimum password age: Specify the time frame in which users are not allowed to change their passwords after their last password change. Passwords can be changed at any time if the option is disabled.
- Minimum password length: Specify the minimal length of new passwords.
- Enforce password history: New passwords must be different from previously set passwords. Specify here the number of previous passwords to check against.
- Enable password strength check: Passwords must comply with the strength requirements. Please refer to the note below for more information.
- Store password using reversible encryption: Enabling this option will compromise domain security. This option is not recommended unless demands of domain client services take higher priority over password security.
Notes:
- To comply with the password strength requirements, your password must contain characters from at least 3 of the following categories:
- Uppercase letters of the Latin (including A-Z with diacritic marks), Greek, and Cyrillic alphabets
- Lowercase letters of the Latin (including a-z with diacritic marks), Greek, and Cyrillic alphabets
- Numeric characters (0-9)
- Special characters, including #, $, !, et cetera
- Unicase Unicode alphabets, including those in Asian languages
Account Lockout Policies
The following are the available account lockout policies on the Domain Policy page:
- Lockout threshold: User accounts will be locked out when the number of failed login attempts exceeds your specified lockout threshold.
- Reset lockout counter after: The count of failed login attempts will be reset after this specified time.
- Lockout duration: Locked-out user accounts will not be unlocked until the end of your specified lockout duration.
Set up group policies
Other types of group policies can be configured through Windows Remote Server Administration Tools (RSAT). For more information on how to install RSAT, please see this article.
Assign a home directory to users (roaming profile)
Roaming profiles allow domain users to access their files when they sign in to different computers that are joined to the domain.
For more information on how to assign a home directory to Synology Directory Server users, please see this article.
Mount a network drive
Synology Directory Server also allows you to mount a network drive for domain users. Please follow the steps below to mount a network drive for all users via RSAT:
For more information on how to mount a network drive for domain users, please see this article.
Further reading
Software specs
- Full software specs for Synology Directory Server can be found here.