Active Directory
5 minute read.
Last Modified 2021-03-17 15:49 EDT
Active Directory (AD) is a directory service that provides authentication and authorization for the users, computers and other resources in a Windows network. Because AD is the authority for those accounts, there is no need to recreate the same user accounts locally on TrueNAS.
AD can run on Windows Server 2000 or later, or on a Unix-like operating system running Samba version 4 as a domain controller. To configure a basic connection you need the name of the AD domain and the credentials of an account that is permitted to join computers to that domain.
Before configuring Active Directory, there are a few steps you can take to ensure the connection process goes smoothly.
To confirm that name resolution is working, go to the Shell and ping the AD domain controller by its DNS name rather than its IP address, since the join itself depends on DNS. When packets are sent and received without loss, basic connectivity is verified. Press Ctrl + C to stop the ping.
Also check that the domain's service records resolve: host -t srv _ldap._tcp.domainname.com should list an SRV record for each domain controller in the domain. If it returns nothing, TrueNAS is not using a DNS server that serves the AD domain, and the join will fail.
Active Directory relies on Kerberos, a time-sensitive protocol. During the domain join process, the AD domain controller with the PDC Emulator FSMO Role is added as the preferred NTP server. Change this in System > NTP Servers if your environment requires something different.
Kerberos rejects tickets when the two clocks differ by more than the allowed skew, which is five minutes in a default AD environment, so the time on TrueNAS and on the AD domain controller must stay within that window. Use an external time source when configuring a virtualized domain controller, because a virtual machine's clock can drift. If the time drifts out of sync between TrueNAS and the AD domain controller, the system generates an Alert.
There are a few options in TrueNAS to ensure both systems are set to the same time:
- Go to System > General and make sure the system Timezone matches the AD Domain Controller.
- Set the hardware clock in the system BIOS to either local time or universal time (UTC), and make sure the operating system is configured to interpret it the same way; otherwise the clock will be off by the full timezone offset.
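The name-resolution and time checks above can be scripted so they are run the same way every time before a join. The script below is an added example written for this page and is not TrueNAS project code: parse_srv reads the output of host -t srv and lists the domain controllers in the order clients would try them, check_skew applies the five-minute Kerberos tolerance to an NTP offset, and preflight runs the live checks. It assumes the host, ping and ntpdate commands are available on the TrueNAS shell (ntpdate ships in the FreeBSD base used by TrueNAS CORE; on SCALE substitute chronyc or another SNTP client), and the SRV record output embedded in it is a constructed sample, not captured from a real domain.

```shell
#!/bin/sh
# AD pre-join checks for the TrueNAS shell (added example, not TrueNAS project
# code). The parsing and skew logic are plain functions so they can be run on
# captured output; preflight() performs the live calls and assumes host, ping
# and ntpdate are available (assumption: ntpdate is in the FreeBSD base used by
# TrueNAS CORE; on SCALE substitute chronyc or another SNTP client).

MAX_SKEW=300   # default Kerberos clock-skew tolerance, in seconds

# Constructed sample of `host -t srv _ldap._tcp.example.com` output (not
# captured from a real domain), used to exercise parse_srv offline.
SAMPLE_SRV='_ldap._tcp.example.com has SRV record 0 100 389 dc1.example.com.
_ldap._tcp.example.com has SRV record 10 100 389 dc2.example.com.
_ldap._tcp.example.com has SRV record 0 50 389 dc3.example.com.'

# parse_srv: read `host -t srv` output on stdin and print "port target" for
# each domain controller, lowest priority first and highest weight first
# within a priority, with the trailing dot removed from the target name.
parse_srv() {
    awk '/has SRV record/ {
            target = $NF; sub(/\.$/, "", target)
            print $(NF-3), $(NF-2), $(NF-1), target
         }' | sort -k1,1n -k2,2nr | awk '{ print $3, $4 }'
}

# check_skew OFFSET: OFFSET is a clock offset in seconds as printed by an NTP
# query (may be negative or fractional). Prints the absolute whole-second skew
# and succeeds only if it is within MAX_SKEW.
check_skew() {
    skew=${1%.*}                       # drop the fractional part
    case $skew in -*) skew=${skew#-} ;; esac
    [ -n "$skew" ] || skew=0
    echo "$skew"
    [ "$skew" -le "$MAX_SKEW" ]
}

# preflight DOMAIN: resolve the DCs through DNS, ping each one, and compare the
# local clock against it. Any failure here will also break the AD join.
preflight() {
    domain=$1
    dcs=$(host -t srv "_ldap._tcp.$domain" | parse_srv | awk '{ print $2 }')
    if [ -z "$dcs" ]; then
        echo "no _ldap._tcp SRV records for $domain: TrueNAS is not using the AD DNS server" >&2
        return 1
    fi
    status=0
    for dc in $dcs; do
        if ping -c 3 -q "$dc" >/dev/null 2>&1; then
            echo "reachable:   $dc"
        else
            echo "unreachable: $dc" >&2; status=1
        fi
        # ntpdate -q prints a line like "server 10.0.0.5, stratum 3, offset -0.012, delay 0.02"
        off=$(ntpdate -q "$dc" 2>/dev/null | awk -F'offset ' '/offset/ { split($2, a, ","); print a[1]; exit }')
        if [ -z "$off" ]; then
            echo "no NTP answer from $dc (UDP 123 blocked, or ntpdate missing)" >&2; status=1
        elif skew=$(check_skew "$off"); then
            echo "clock skew vs $dc: ${skew}s (ok)"
        else
            echo "clock skew vs $dc: ${skew}s exceeds ${MAX_SKEW}s; Kerberos will fail" >&2; status=1
        fi
    done
    return $status
}

# Run the live checks only when a domain is given on the command line.
if [ $# -gt 0 ]; then preflight "$1"; fi
```

Run it as sh adcheck.sh domainname.com from the TrueNAS Shell; a non-zero exit means at least one of DNS, reachability or clock skew needs fixing before the join is attempted.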
To connect to Active Directory, go to Directory Services > Active Directory and enter the AD Domain Name and account credentials. Set Enable to attempt to join the AD domain immediately after saving the configuration.
Advanced options are available for fine-tuning the AD configuration, but the preconfigured defaults are generally suitable.
When the import is complete and the TrueNAS cache is enabled (enabled by default), AD users and groups become available when configuring basic dataset permissions or an Access Control List (ACL).
Joining AD also adds default Kerberos realms and generates a default AD_MACHINE_ACCOUNT keytab.
TrueNAS automatically begins authenticating to the domain with this keytab and removes the administrator credentials used for the join from the TrueNAS configuration file, so that privileged domain password is not kept at rest on the NAS.
If the cache becomes out of sync or fewer users than expected are available in the permissions editors, resync the cache using Directory Service > Active Directory > REBUILD DIRECTORY SERVICE CACHE.
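After the join it is worth confirming that the machine-account keytab described above actually works, rather than relying on the UI status alone. The script below is an added example for this page and is not TrueNAS project code: machine_principal reads klist -kt output and finds the HOST$@REALM entry, and verify_join then obtains a ticket with that keytab and asks the domain controller to validate the join. It assumes the MIT Kerberos tools klist and kinit and Samba's net command are on the TrueNAS shell, that the system keytab is at /etc/krb5.keytab, and that klist prints the MIT keytab listing format; none of those paths or formats are stated on this page, and the klist output embedded in the script is a constructed sample.

```shell
#!/bin/sh
# Post-join verification for the TrueNAS shell (added example, not TrueNAS
# project code). Assumptions: MIT Kerberos klist and kinit, Samba's net, and a
# system keytab at /etc/krb5.keytab; the keytab path and the klist output
# format are not specified by the page.

KEYTAB=${KEYTAB:-/etc/krb5.keytab}

# Constructed `klist -kt` output (MIT format, not captured from a real system)
# used to exercise machine_principal offline.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 03/17/2021 15:49:00 TRUENAS$@EXAMPLE.COM
   2 03/17/2021 15:49:00 host/truenas.example.com@EXAMPLE.COM'

# machine_principal HOST REALM: read klist -kt output on stdin and print the
# machine-account principal HOST$@REALM if the keytab holds a key for it.
# The comparison is case-insensitive because AD upper-cases the host name.
machine_principal() {
    awk -v want="$1\$@$2" '
        NF > 0 && toupper($NF) == toupper(want) { print $NF; found = 1 }
        END { exit !found }'
}

# verify_join HOST REALM: confirm the keytab has the machine account, that it
# really authenticates to the KDC, and that the DC still accepts the join.
verify_join() {
    princ=$(klist -kt "$KEYTAB" | machine_principal "$1" "$2") || {
        echo "no $1\$@$2 key in $KEYTAB: the join did not complete" >&2
        return 1
    }
    # kinit -k uses the keytab only; no password is typed or stored.
    kinit -k -t "$KEYTAB" "$princ" || return 1
    klist
    # Samba asks the DC to validate the machine account's current password.
    net ads testjoin
}

# Run the live checks only when a host name and realm are given.
if [ $# -eq 2 ]; then verify_join "$1" "$2"; fi
```

Run it as sh adverify.sh truenas EXAMPLE.COM with your own host name and realm; if kinit fails with a clock-skew or preauthentication error, go back to the time-sync checks earlier on this page before rebuilding the cache or rejoining.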
If the Windows server version is lower than 2008 R2, try creating a Computer entry in the appropriate Organizational Unit (OU) on the Windows server before joining. Enter the TrueNAS hostname in the name field of that entry. It must match the Hostname set in Network > Global Configuration and the NetBIOS alias in Directory Service > Active Directory > Advanced Options.