
Re: Migration local users to AD integration in ReadyNAS OS 6

EKroboter
Apprentice

Migration local users to AD integration in ReadyNAS OS 6

Hi everyone,

First of all, I have read pretty much every single article about this issue and haven't found a straightforward answer, which is why I'm posting this here.

I want to migrate local users in our ReadyNAS 516 to Active Directory. I have several questions but let's start with some background and technical details. Our ReadyNAS 516 is running the latest version (6.9.5), using local user accounts and groups. This is because when we started using it there were just a few of us, but in the last couple of years we've grown quite a bit and have now over 40 users.

 

Our domain environment is based on a Windows Server 2008 R2 DC, in which the AD OU structure is like this:

Domain FQDN: corp.ekroboter.com

Top level OU: EK roboter

Inside this OU, I've created several additional OUs based on the company departments (HR, Sales, Support, etc.). Inside each one I have both the corresponding users and computers. This allows me to easily set up the GPOs for each department individually, which has been working perfectly fine. This also means that if you search for objects in the top level OU, you'll get all 40 users and 40 computers as a result.

 

Since I'm using local users on the ReadyNAS, I've created them exactly as they are in AD (firstname.lastname and same password). This lets everyone access the ReadyNAS as if it was SSO, since the AD credentials match those on the ReadyNAS. There are several security groups on AD as well, which brings me to my first concern. ReadyNAS OS does not allow for spaces or accented characters in group names, so if I have Human Resources in AD, I have to use Human-Resources in ReadyNAS (same goes for Taller Mecánico in AD and Taller-Mecanico in ReadyNAS).

 

I'd like to start using Active Directory for user management but I'm presented with the following challenges:

 

  1. What would happen to the user's current home folders? Will they be reset?
  2. What will happen with Groups? Will I be able to use the same security groups that I have in AD? Will the names match?
  3. Will I have to reset permissions on all the shares? I don't mind if I have to, I apply every permission to groups and not individual users.
  4. If I sync with AD, will I only see AD users or also computers? 
  5. What will happen to the ReadyNAS admin account? Will it disappear and be replaced with the AD administrator account?

I'll appreciate any help and guidance I can get. Thank you!

Model: RN51600|ReadyNAS 516 6-Bay
Message 1 of 6
Marc_V
NETGEAR Employee Retired

Re: Migration local users to AD integration in ReadyNAS OS 6

Hi @EKroboter

In Active Directory mode, you do not use your ReadyNAS system to manage your users and groups. Instead, you manage them with your Active Directory database, and the changes are transferred to your ReadyNAS system every 12 hours.

 

Also keep the following precautions in mind when using Active Directory mode:

  • Your Active Directory server and your ReadyNAS system must have the same time set on their system clocks. NETGEAR recommends that you choose your domain controller as your Network Time Protocol (NTP) server to ensure that time settings are the same.
  • The DNS server that you use must be able to resolve the host name of the domain controller. NETGEAR recommends that you point your ReadyNAS system to the Active Directory DNS for proper DNS resolution.

 

  1. What would happen to the user's current home folders? Will they be reset?
     The local users' Home folders will not be present once the NAS has joined the AD; they might be hidden or deleted.
  2. What will happen with Groups? Will I be able to use the same security groups that I have in AD? Will the names match?
     Once you have joined the NAS to AD, all local users and groups will be disabled, so the users and groups on the AD will be used.
  3. Will I have to reset permissions on all the shares? I don't mind if I have to, I apply every permission to groups and not individual users.
     Permissions set locally will be replaced by the permissions set on the AD. Please see Setting AD Folder permissions. So we can say the permissions will be reset automatically.
  4. If I sync with AD, will I only see AD users or also computers?
     Only AD users.
  5. What will happen to the ReadyNAS admin account? Will it disappear and be replaced with the AD administrator account?
     Only the local Admin account is used for login.

     

 

Hope this helps!

 

 

Regards

Message 2 of 6
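
A pre-join check for the two precautions listed in the reply above (clock agreement with the domain controller, and DNS resolution of its host name), as an added example that is not part of the original posts or of NETGEAR's tooling. It is meant to be run from a workstation that uses the same DNS server as the NAS; the host name `dc01.corp.ekroboter.com` is hypothetical, and the 300-second limit assumes Active Directory's default Kerberos clock tolerance.

```python
import socket
import struct
import time

NTP_EPOCH_DELTA = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01
MAX_SKEW_SECONDS = 300  # assumption: AD's default 5-minute Kerberos tolerance
# Constructed sample reply: stratum-2 server whose clock reads 1700000400.5
SAMPLE_REPLY = bytes([0x24, 2, 0, 0]) + bytes(28) + struct.pack(
    "!4I", 3908989200, 2**31, 3908989200, 2**31)

def clock_offset(reply, t_sent, t_received):
    """Server clock minus local clock, in seconds, from a 48-byte SNTP reply."""
    if len(reply) < 48 or reply[0] & 0x07 != 4 or reply[1] == 0:
        raise ValueError("not a usable NTP server reply")
    rx_s, rx_f, tx_s, tx_f = struct.unpack("!4I", reply[32:48])
    t_rx = rx_s - NTP_EPOCH_DELTA + rx_f / 2**32  # server receive time
    t_tx = tx_s - NTP_EPOCH_DELTA + tx_f / 2**32  # server transmit time
    return ((t_rx - t_sent) + (t_tx - t_received)) / 2

def query_offset(server, timeout=3.0):
    """Send one SNTP client request (version 4, mode 3) and return the offset."""
    request = b"\x23" + bytes(47)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t_sent = time.time()
        sock.sendto(request, (server, 123))
        reply, _ = sock.recvfrom(512)
        t_received = time.time()
    return clock_offset(reply, t_sent, t_received)

def resolves(hostname):
    """IPv4 addresses the configured DNS server returns for the DC, or []."""
    try:
        infos = socket.getaddrinfo(hostname, 389, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def skew_ok(offset):
    return abs(offset) <= MAX_SKEW_SECONDS

if __name__ == "__main__":
    dc = "dc01.corp.ekroboter.com"  # hypothetical DC host name; use your own
    addresses = resolves(dc)
    print("DNS:", addresses or "FAILED, point the NAS at the AD DNS server")
    if addresses:
        try:
            offset = query_offset(addresses[0])
            print(f"offset {offset:+.3f}s:", "ok" if skew_ok(offset) else "TOO LARGE")
        except (OSError, ValueError) as exc:
            print("NTP query failed:", exc)
```
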
EKroboter
Apprentice

Re: Migration local users to AD integration in ReadyNAS OS 6

Thank you for the info. So a safe procedure would be:

 

  1. Make sure to backup all user home folders, in case they have anything stored there.
  2. Join the ReadyNAS to the domain and sync Users.
  3. Reset all permissions through Windows Explorer.

The ReadyNAS is already using the DC as NTP server and DNS. 

If I understood correctly, only Home shares will be lost. I won't lose all other shares and data, correct?

Should I delete all users and groups before setting up AD as a precaution? Or are they deleted as part of the procedure?

Message 3 of 6
Marc_V
NETGEAR Employee Retired

Re: Migration local users to AD integration in ReadyNAS OS 6

Hi @EKroboter

 

If your users have any files saved in their private home folders, backing up their folders would be the best thing to do.

 

Once your ReadyNAS is joined to your AD it should apply the permissions you have set on your AD.

 

Yes, only Home shares will be removed; all other shares and data will be intact and will be synced with your AD users. The local users and groups will be disabled, so you don't need to delete them.

 

Hope this helps!

 


Regards

Message 4 of 6
EKroboter
Apprentice

Re: Migration local users to AD integration in ReadyNAS OS 6

Thanks a lot for the instructions. I have successfully joined the ReadyNAS to our domain and imported user accounts correctly.

I am now setting all shares permissions through Windows Explorer, in the share Security tab. I removed everyone access and only allow access to the corresponding groups (i.e. only the members of the Sales group will have access to the Sales share).

 

I'm seeing that it is applying the permissions on every single file, which will take a long time on larger shares with thousands of files.

Message 5 of 6
EKroboter
Apprentice

Re: Migration local users to AD integration in ReadyNAS OS 6

Hi @Marc_V ,

 

So everything was running smoothly until I decided to Refresh ADS accounts to check if it added new users. Well... now everything is screwed up. An Import error occurs and all my users and groups have vanished from the list. I rebooted the DC, the ReadyNAS and it still does not work.

 

I haven't made any changes to my AD config, the admin password is correct and all the settings are exactly the same as they were when I joined the NAS to our domain.

 

This is driving me nuts. How can I submit the logs to check for errors?

Message 6 of 6