Synology NAS Domain Join: The Importance of DNS Configuration

In this article, we shall discuss the issues you could face when performing a Synology NAS Domain Join: The Importance of DNS Configuration. DNS configuration ensures that devices on a network can communicate with each other and access external resources on the internet. This enables devices to locate servers and services by their domain names, facilitating seamless connectivity. Please see DSM Security: How to Protect Synology DS923+ NAS, How to Sync Data in Cloud Drives to Synology NAS, How to configure Synology Active Insights, and Step-by-step guide on how to set up the Synology DS923+ NAS.

Note: In an AD (Active Directory Domain Environments, DNS is integral to domain join processes and authentication. Devices need to locate domain controllers and other domain services through DNS to join the domain and authenticate users securely.

Issue 1: Ports 389, 445, 88 Blocked when joining Synology to the domain

When joining a Synology NAS (Network Attached Storage) device to a domain. Specific ports are utilized for various functions and need to be opened:

1. Port 389 is the default port for LDAP (Lightweight Directory Access Protocol). LDAP is often used for directory services such as Active Directory employed in domain environments for user authentication and authorization.
2. Port 445 port is used for SMB (Server Message Block) file sharing. When joining a Synology NAS to a domain. SMB is needed for accessing shared folders and files stored on the NAS within the domain environment.
3. Port 88 port is associated with Kerberos authentication. Kerberos is an authentication protocol used in a domain environment with Active Directory and provides secure authentication between clients and servers.

Note: To resolve the associated port issues, please click proceed and create some firewall rules. But within the same network, these should not be an issue. This issue will arise when a different IP is specified in the DC IP/FQDN field. It is paramount to specifiy the IP or FQDN of the DC in this field.

This can be overlooked easily as I have read on forums. Therefore, I had to reproduce this error in order to blog on it..

Create Firewall Rule

If you have a firewall inbetween the DC and NAS. Ensure these ports are open and aalso for the NAS on the DC. You will need to specifiy a scope and lock this down to the NAS IP only. Below is an image of how the rule will look like. Please see Restrict IP Address Range on Windows PC. Also, see how to Configure SQL Server Instance to listen on a specific TCP Port.

To ensure a successful domain join for a Synology NAS. It is paramount to use the correct DNS settings that point to internal DNS servers hosting the domain’s DNS zone. This DNS servers should be authoritative for the domain and capable of resolving domain controller addresses correctly within the local network.

In summary, network connectivity and security policies should allow communication between the Synology NAS and the domain controller(s) using the required ports and protocols (such as LDAP, SMB, and Kerberos) as mentioned above. These ports facilitate the integration of the Synology NAS into the domain environment, allowing it to authenticate users against the domain controller and provide access to shared resources using protocols like SMB.

Issue 2: One or Device Already have the name exist

Up till now, depending on your environment. All these errors stems from multiple IP address in the IP?FQDN filed of the Domain Controller (DC). Using the correct DNS settings is absolutely crucial for successfully joining a Synology NAS to an Active Directory Domain.

This ensures that the NAS can properly locate and communicate with the domain controller(s) within your local network. Entering incorrect or external DNS information can lead to failed domain joins. As the NAS may attempt to communicate with servers outside of your network or domain as it in image below.

By entering the correct internal DNS server information, the Synology NAS can properly resolve domain controller addresses and establish the necessary communication channels for domain join. This ensures that the domain join process is secure, efficient, and successful. Without encountering network related or security issues as shown below.

Therefore, before attempting to join the Synology NAS to the Active Directory Domain. It is necessary to verify and configure the DNS settings on the NAS to point to the internal DNS servers hosting the domain’s DNS zone. This step helps to mitigate potential issues and ensures a smooth domain join process within your local network environment.

Here a guide on IP Address blocked on Synology NAS due to forgotten Password. See how to Setup iSCSI Target and Storage LUN on Synology DS923+ for VBR.

Solution: Resolve Domain Join Issues for Synology NAS

Please ensure you have the right DNS Server speciifed. Click on Control Panel, Domain?LADAp or on Nework. In the Server Information, please specifiy the right information as it applies to you.

In the DC IP/FQDN, please specify the DNS IP or FQDN only. If you DC has multiple IP address, please specfigy it. Else, the DC IP or FQDN is sufficient. If you enter a different IP address, this would cause the Authentication to failas discussed above and in the image below.

Specify DNS Server

Entering an external DNS name or IP address in the DC/FQDN field can cause the domain join process to fail due to several reasons:

• The domain join process relies on proper DNS resolution to locate the domain controller. External DNS names or IPs may not correctly resolve to the domain controller’s address within the local network, leading to communication issues.
• External DNS names or IPs may not be reachable from within the local network or may be subject to network security policies such as firewalls or NAT (Network Address Translation). This can prevent the Synology NAS from establishing communication with the domain controller for the domain join process as we have discussed above.
• Domain join processes involve secure communications and authentication. Using external DNS names or IPs may compromise security by attempting to communicate with untrusted or unauthorized servers posing as domain controllers.

If you have a different DNS Server in your Network, you can also specify this in the DNS Field as shown below. Only enter multiple IP addresses in the DC IP/FQDN field if the network card supports it.

Note: It is necessary to specify a different DNS Server within your network should inn case the primary DNS server is not reachable. You will not have ntwork connectivity issues. I will create a different post to test this and show how to resolve this error “Quick Connect is not enabled”.

As you can see, the tests to join the domain all passed and the device will be joined to the domain.

Overall, the right DC IP/FQDN, and DNS configuration is essential for maintaining network functionality, enabling service discovery, supporting domain operations, and enhancing security in both local and internet-connected environments.

I hope you found this article on “Synology NAS Domain Join: The Importance of DNS Configuration” very useful. Please feel free to leave a comment below.