TrueNAS Nightly Development Documentation
This content follows experimental nightly development software. Pre-release software is intended for testing purposes only.

Configuring Active Directory

The Directory Services screen and its widgets provide the TrueNAS settings for connecting to directory services and other authentication systems deployed in your environment.

TrueNAS does not configure Active Directory domain controllers or LDAP directory servers, nor does it configure Kerberos authentication servers or ID mapping systems.

Refer to documentation for these services and systems for information on how to configure each to suit your use case.

Configuring TrueNAS Active Directory Access

Active Directory (AD) provides authentication and authorization for the users and computers in a Windows network. Joining TrueNAS to AD lets it use the domain's user and group accounts directly, so you do not need to recreate them as local TrueNAS accounts.

When joined to an AD domain, you can use domain users and groups in local ACLs on files and directories, and you can set up shares so that TrueNAS acts as a file server for the domain.

Joining an AD domain also configures PAM (Pluggable Authentication Modules) so that domain users can log in over SSH or authenticate to other local services.

AD domain controllers can run on Windows Server or, using Samba version 4, on Unix-like operating systems; TrueNAS can join either kind of domain.

Preparing to Configure AD in TrueNAS

Before configuring Active Directory (AD) in TrueNAS:

  • Know the hostname assigned to the TrueNAS system. The default is truenas; change it to the name assigned to this system before joining, because the NetBIOS name and the domain computer account are derived from it.

  • Have the credentials of a domain account that is permitted to join computers to the domain. The Domain Account Name default is Administrator; you also need that account's password. TrueNAS uses this account for the join and generates the computer account in the domain.

  • Verify name resolution. Go to Network > Global Configuration and verify that the TrueNAS DNS name servers include the address of the domain controller for the domain you plan to join on the Active Directory screen.

  • Set time synchronization (see below).

After taking these actions, you can connect to the Active Directory domain.

Setting Time Synchronization

Active Directory relies on Kerberos, which rejects authentication when clocks drift too far apart. During the domain join, TrueNAS adds the domain controller holding the PDC Emulator FSMO role as the preferred NTP server. If your environment requires a different time source, go to System > General Settings, click Add to open the NTP Servers screen, then add a new server or edit a listed one.

Keep the local system time within five (5) minutes of the AD domain controller time; this is the default Kerberos clock-skew tolerance in an AD environment, and authentication fails beyond it.

Use an external time source when the domain controller is virtualized, since a virtualized DC's clock can drift. TrueNAS generates an alert if the system time gets out of sync with the AD domain controller time.

TrueNAS has two further settings that help keep both systems synchronized. Either:

  • Go to System > General Settings, click Settings in the Localization widget, and set Timezone to the value that matches the location of the AD domain controller.

Or

  • Set the system BIOS clock to either local time or universal time (UTC).
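The checks above (hostname changed from the default, DNS serving the domain's records, clock skew under five minutes) can be run from a shell before clicking Save. The script below is an added example, not TrueNAS code or part of the original page. It assumes a POSIX shell with awk, sed, cut, dig and ldapsearch, and that the domain controller allows anonymous rootDSE reads (the AD default); example.com, dc1.example.com and the sample SRV records are constructed for the demonstration. Run it with a domain and a DC name for live checks; with no arguments it exercises the skew and SRV parsing on constructed data.

```shell
#!/bin/sh
# Pre-join checks for the prerequisites above (added example; not TrueNAS
# code). Assumes a POSIX shell with awk, sed, cut, dig and ldapsearch, and that
# anonymous rootDSE reads are allowed on the DC (the AD default).
# Live usage:   sh ad_preflight.sh example.com dc1.example.com
# No arguments: runs the checks on constructed sample data only.

MAX_SKEW=300   # Kerberos default clock-skew tolerance (5 minutes), in seconds

# Convert an LDAP generalizedTime such as 20240101120000.0Z (the format of the
# AD rootDSE attribute currentTime) to Unix epoch seconds. Pure shell
# arithmetic (days_from_civil), so it does not depend on GNU "date -d".
gentime_to_epoch() {
    t=$1
    y=$(printf '%s' "$t" | cut -c1-4)
    m=$(printf '%s' "$t" | cut -c5-6 | sed 's/^0//')
    d=$(printf '%s' "$t" | cut -c7-8 | sed 's/^0//')
    H=$(printf '%s' "$t" | cut -c9-10 | sed 's/^0//')
    M=$(printf '%s' "$t" | cut -c11-12 | sed 's/^0//')
    S=$(printf '%s' "$t" | cut -c13-14 | sed 's/^0//')
    if [ "$m" -le 2 ]; then y=$((y - 1)); mp=$((m + 9)); else mp=$((m - 3)); fi
    era=$((y / 400))
    yoe=$((y - era * 400))
    doy=$(( (153 * mp + 2) / 5 + d - 1 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    echo $(( (era * 146097 + doe - 719468) * 86400 + H * 3600 + M * 60 + S ))
}

# Absolute difference, in seconds, between the DC clock (generalizedTime) and
# a local Unix epoch.
skew_seconds() {
    s=$(( $(gentime_to_epoch "$1") - $2 ))
    if [ "$s" -lt 0 ]; then s=$((-s)); fi
    echo "$s"
}

# Exit status 0 when the skew is within MAX_SKEW, 1 otherwise.
skew_ok() {
    s=$(skew_seconds "$1" "$2")
    if [ "$s" -le "$MAX_SKEW" ]; then
        echo "OK:   clock skew ${s}s (limit ${MAX_SKEW}s)"; return 0
    fi
    echo "FAIL: clock skew ${s}s exceeds ${MAX_SKEW}s; Kerberos will reject tickets"
    return 1
}

# Turn "dig +short SRV" output ("priority weight port target.") read from
# stdin into bare DC hostnames. An empty result means the configured DNS
# server does not serve the domain's records, a common cause of join failure.
srv_targets() {
    awk 'NF == 4 { sub(/\.$/, "", $4); print $4 }'
}

# Reject the default hostname: the NetBIOS name and the domain computer
# account are derived from it.
hostname_ok() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        truenas|"") return 1 ;;
        *)          return 0 ;;
    esac
}

# Live checks against a real domain and domain controller.
preflight() {
    domain=$1; dc=$2
    hostname_ok "$(hostname)" || echo "FAIL: hostname is still the default 'truenas'"
    echo "Domain controllers advertised in DNS for $domain:"
    dig +short SRV "_ldap._tcp.dc._msdcs.$domain" | srv_targets
    # Anonymous base-scope read of the rootDSE; AD answers it without a bind.
    dc_now=$(ldapsearch -x -LLL -H "ldap://$dc" -s base -b '' currentTime \
             | awk '/^currentTime:/ { print $2 }')
    skew_ok "$dc_now" "$(date -u +%s)"
}

if [ "$#" -eq 2 ]; then
    preflight "$@"
else
    # Demonstration on constructed data: DC clock 2024-01-01T12:00:00Z.
    skew_ok 20240101120000.0Z 1704110100 || true   # local 300 s behind: OK
    skew_ok 20240101120000.0Z 1704109800 || true   # local 600 s behind: FAIL
    printf '0 100 389 dc1.example.com.\n0 100 389 dc2.example.com.\n' | srv_targets
fi
```

The SRV lookup is the same record the join itself uses to locate domain controllers, so an empty result from the TrueNAS host's configured resolver reproduces the "DNS server error" described in the join steps before you touch the UI. The skew check reads the DC's own clock over LDAP rather than trusting NTP status, which is what matters to Kerberos.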

Connecting to the Active Directory Domain

To connect TrueNAS to Active Directory:

  1. Go to Credentials > Directory Services and click Configure Active Directory to open the Active Directory configuration screen.

  2. Enter the AD domain name in Domain Name, and the credentials of the join account in Domain Account Name and Domain Account Password. The default Domain Account Name is Administrator.

  3. Enter the TrueNAS hostname in NetBIOS Name. The default is TRUENAS; the value should match Hostname on the Network > Global Configuration screen.

  4. Select Enable to attempt to join the AD domain immediately after saving the configuration. TrueNAS populates the Kerberos Realm and Kerberos Principal fields on the Advanced Options settings screen.

    TrueNAS creates the default Kerberos realm and principal, and the Computer Account OU value /computers/servers/NAS.

    If you get a DNS server error, go to Network > Global Configuration, click Settings and verify the DNS nameserver IP addresses are correctly configured with addresses that permit access to the Active Directory domain controller. Correct any network configuration settings, then reconfigure the Active Directory settings.

  5. Click Save.

TrueNAS offers advanced options for fine-tuning the AD configuration, but the preconfigured defaults are generally suitable.

I don't see any AD information! TrueNAS can take a few minutes to populate the Active Directory information after configuration. To check the AD join progress, open the Task Manager in the upper-right corner; TrueNAS displays any errors from the join process there.

When the import completes, AD users and groups are available when configuring basic dataset permissions or an ACL, provided the TrueNAS directory service cache is enabled (it is by default).

Joining AD also adds the default Kerberos realm and generates an AD_MACHINE_ACCOUNT keytab for the computer account. TrueNAS switches to this keytab automatically and removes the administrator credentials used for the join from the TrueNAS configuration file, so the join account password is not retained on the system.
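After the join, the state worth confirming is that TrueNAS authenticates as its computer account from the keytab alone and that domain accounts resolve locally. The script below is an added example, not TrueNAS code or part of the original page. It assumes the Samba and MIT Kerberos tools shipped with TrueNAS SCALE (net, wbinfo, klist, kinit, getent) and that the machine-account keytab is exported to /etc/krb5.keytab; that path, the realm EXAMPLE.COM, the host NAS01 and the sample klist output are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Post-join verification (added example; not TrueNAS code). Assumes the
# Samba and MIT Kerberos tools present on TrueNAS SCALE (net, wbinfo, klist,
# kinit, getent) and that the machine-account keytab is exported to
# /etc/krb5.keytab, which is an assumption about the local layout.
# Live usage:   sh ad_postjoin.sh EXAMPLE.COM 'EXAMPLE\someuser'
# No arguments: parses constructed klist output only.

# From "klist -k" output on stdin, print the machine-account principal
# (NAME$@REALM) for the given realm, or nothing if the keytab lacks one.
machine_principal() {
    awk -v realm="$1" '
        NF == 2 && $1 ~ /^[0-9]+$/ {       # "KVNO principal" rows only
            n = index($2, "$@")
            if (n > 0 && substr($2, n + 2) == realm) { print $2; exit }
        }'
}

# Live checks: the join, the trust secret, and a keytab-only TGT. If kinit -k
# succeeds, the system authenticates as its computer account and no longer
# needs the Domain Account credentials that were used for the join.
verify_join() {
    realm=$1; user=$2
    net ads testjoin            # prints "Join is OK" when the computer account works
    wbinfo -t                   # winbind checks the machine trust secret
    p=$(klist -k /etc/krb5.keytab | machine_principal "$realm")
    if [ -z "$p" ]; then
        echo "FAIL: no machine principal for $realm in /etc/krb5.keytab"; return 1
    fi
    echo "machine principal: $p"
    kinit -k -t /etc/krb5.keytab "$p" && klist
    # NSS (via winbind) must resolve domain accounts before they can be used
    # in ACLs or log in through PAM-backed services such as SSH.
    getent passwd "$user"
}

# Constructed sample of "klist -k" output for the offline demonstration.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/nas01.example.com@EXAMPLE.COM
   2 NAS01$@EXAMPLE.COM'

if [ "$#" -eq 2 ]; then
    verify_join "$@"
else
    printf '%s\n' "$SAMPLE_KLIST" | machine_principal EXAMPLE.COM   # NAS01$@EXAMPLE.COM
fi
```

A keytab-only kinit that succeeds is the practical proof that the join account's password is no longer needed on the box; if getent cannot resolve the domain user, the cache rebuild in the troubleshooting section below is the first thing to try.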

Troubleshooting - Resyncing the Cache

If the cache becomes out of sync, or fewer users than expected are available in the permissions editors, resync it by clicking Settings in the Active Directory window and then clicking Rebuild Directory Service Cache.

If the join itself fails, check that the name in NetBIOS Name matches the name in Hostname on the Global Configuration settings screen.

Disabling Active Directory

To disable the AD connection without deleting your configuration or leaving the AD domain, click Settings to open the Active Directory settings screen, clear the Enable checkbox, and click Save to disable the AD service.

This returns you to the main Directory Services screen, now showing the two main directory services configuration options.

Click Configure Active Directory to open the Active Directory screen with your existing configuration settings. Select Enable again, and click Save to reactivate your connection to your AD server.

Leaving Active Directory

To delete the AD configuration, TrueNAS requires you to cleanly leave the domain first. To do so, click Leave Domain on the Active Directory Advanced Settings screen. This removes the TrueNAS computer account and its associated DNS records from Active Directory.

If the AD server moves or shuts down before you use Leave Domain, TrueNAS cannot remove the AD object, and you must delete the stale computer account and DNS records in Active Directory yourself.