Difference between revisions of "Joining Active Directory"

From NAS-Central Buffalo - The Linkstation Wiki
m (3 revision(s))
(Prerequisites)
 
(7 intermediate revisions by 5 users not shown)
Line 1: Line 1:
With the Terastation Pro/Terastation Pro v2 it is possible to join an active directory domain.  
+
{{Template:Articles|Terastation}}
 +
 
 +
With the Linkstation Pro/Terastation Pro/Terastation Pro v2 it is possible to join an active directory domain.  
 
Hopefully this article helps many to get it setup faster.
 
Hopefully this article helps many to get it setup faster.
 +
 +
Before you begin some points shall be respected to avoid errors afterwards.
 +
 +
# Time, Date and Timezone have to be identical on both sides with maximum 5 minutes difference,
 +
# Do not join from the servers side,
 +
# Server and TeraStation Pro, Pro II or LinkStation Pro have to be in the local network, no subnet or VPN_Tunnel allowed
 +
# the username used for joining the Active Directory has to be member of the Administrator Group and has to have a password without special characters. There is no need to use the Administrator account with its password but any account with administrative privilieges.
 +
# The Primary DNS Server IP Address inside the network settings of the Buffalo NAS has to point to the DNS/DC you want to join.
  
 
== Prerequisites ==
 
== Prerequisites ==
  
# There must be a machine account for your TeraStation on your Domain controller existing,
+
# There must be a machine account for your TeraStation on your Domain controller existing, (It must  be configured for a pre Windows 2000 computer).
 
# This machine account for the TS must be flagged as trusted for delegation,
 
# This machine account for the TS must be flagged as trusted for delegation,
 
# Inside your DNS-server there must be the (A)Host entry for the TS in the Forward-Lookup-Zone and
 
# Inside your DNS-server there must be the (A)Host entry for the TS in the Forward-Lookup-Zone and
 
# inside your Reverse-Lookup-Zone there must be the PTR-Record.
 
# inside your Reverse-Lookup-Zone there must be the PTR-Record.
 
# Make sure the time of the terastation does not differ more than 10 minutes from the AD server
 
# Make sure the time of the terastation does not differ more than 10 minutes from the AD server
 +
<br>
 +
If 2) and 4) are not given then the LinkStation Pro/TeraStation Pro/Terastation ProII is not allowed to join the ADS as BDC, Backup domain controller, which is the working scheme of the ADS client on the Stations.
 
<br><br>
 
<br><br>
If 2) and 4) are not given then the TeraStation/LinkStation Pro/ProII is not allowed to join the ADS as BDC, Backup domain controller, which is the working scheme of the ADS client on the Stations.
+
If 1-4 is given the LinkStation Pro/TeraStation Pro/Terastation ProII is able to join. Inside the Network setup you only have to enter the NetBIOS name, the full qualified Domain name and the full qualified PDC name with Domain Administrator name and password.
<br><br>
+
If 1-4 is given the TersStation/LinkStation Pro/Pro II is able to join. Inside the Network setup you only have to enter the NetBIOS name, the full qualified Domain name and the full qualified PDC name with Domain Administrator name and password.
+
 
<br><br>
 
<br><br>
 
The LDAP on the Station then is contacting the PDC (Forward-Lookup-Zone set) and is asking for a copy of existing users. If "trusted for delegation" the TS will receive the answer (Trusted flagged and Reverse-Lookup-Zone set). So, if the last settings are not existing the answer will not be given and send. Here are about 95% of all ADS-issues located.
 
The LDAP on the Station then is contacting the PDC (Forward-Lookup-Zone set) and is asking for a copy of existing users. If "trusted for delegation" the TS will receive the answer (Trusted flagged and Reverse-Lookup-Zone set). So, if the last settings are not existing the answer will not be given and send. Here are about 95% of all ADS-issues located.
 
+
<br><br>
 
Normal Windows Clients in any ADS do not need to be set up this way since the PDC, the Primary Domain Controller, is handling all stuff by its own. But TeraStation Pro / Pro II and LinkStation Pro are separate things. They both communicate using the internal LDAP to communicate with the PDC. But the PDC in general is not contacted by any clients since he is the one-and-own master. So the PDC must be configured to accept the Station as a unit in the network which is allowed to contact the PDC. This is done by flagging the machine account as "trusted for delegation". Now the PDC is answering the requests. Additional the complete DNS forward and backward communication is done by both entries in the DNS-Server running on the PDC. Please note that you also should set the primary DNS IP-Address (inside network IP-Address setup of the Stations) to this and not to the gateway/router.
 
Normal Windows Clients in any ADS do not need to be set up this way since the PDC, the Primary Domain Controller, is handling all stuff by its own. But TeraStation Pro / Pro II and LinkStation Pro are separate things. They both communicate using the internal LDAP to communicate with the PDC. But the PDC in general is not contacted by any clients since he is the one-and-own master. So the PDC must be configured to accept the Station as a unit in the network which is allowed to contact the PDC. This is done by flagging the machine account as "trusted for delegation". Now the PDC is answering the requests. Additional the complete DNS forward and backward communication is done by both entries in the DNS-Server running on the PDC. Please note that you also should set the primary DNS IP-Address (inside network IP-Address setup of the Stations) to this and not to the gateway/router.
 +
<br><br>
 +
<b>Troubleshooting:</b><br>
 +
If it still won't work please check these:
 +
<br>
 +
# please check the internal Date/Time settings, especially the '''correct Time-Zone''' (by default +9 hours). The Timestamps of TS and PDC can only be 5 minutes different, otherwise the PDC will reject the Station. There is a good description of the problem caused by the "Time Difference / LDAP Error 82" located here: [http://www.microsoft.com/technet/archive/windows2000serv/technologies/activedirectory/deploy/adguide/addeploy/addch11.mspx#EZH Troubleshooting Replication Errors, Microsoft TechNet]
 +
# the Primary '''DNS Server IP''' of the TeraStation network settings must be the IP address of the DNS Server running on the PDC.
 +
# the IP address of the '''Gateway''' shall be the real gateway/router or the domain controller.In General 1) is the well known point why the Link- or TeraStation still cannot join even if above named things are done properly.<br>
 +
# If there is a WINS server given in the ADS-settings test the joining without the WINS IP.
 +
# Check if there are some firewalls or Antivirus-Programs up and running that avoid a communication.
 +
# If problems still exist please to a "Reset-to-Default" of the Tera/LinkStation by initiate the unit once.
 +
 +
In General Point 1) is the well known point why the Link- or TeraStation still cannot join even if above named things at top of this page are done proberly.
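Review bot: the new preamble item 1 and the new troubleshooting item 1 both give a maximum time difference of 5 minutes, while the unchanged Prerequisites item 5 still says 10 minutes; state one tolerance and use it in all three places. The sentence "In General 1) is the well known point ..." is also added twice, once fused onto troubleshooting item 3 (with no space after "domain controller.") and again as the closing paragraph; keep only the closing paragraph. The added text also carries two typos, "privilieges" and "proberly", and item 6 reads "please to a" where "please do a" is meant.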

Latest revision as of 20:09, 31 December 2008


With the LinkStation Pro/TeraStation Pro/TeraStation Pro v2 it is possible to join an Active Directory domain. Hopefully this article helps many to get it set up faster.

Before you begin, observe the following points to avoid errors later.

  1. Time, date and time zone have to be identical on both sides, with a maximum difference of 5 minutes.
  2. Do not join from the server's side.
  3. The server and the TeraStation Pro, Pro II or LinkStation Pro have to be in the local network; no subnet or VPN tunnel is allowed.
  4. The username used for joining the Active Directory has to be a member of the Administrator group and has to have a password without special characters. There is no need to use the Administrator account with its password; any account with administrative privileges will do.
  5. The primary DNS server IP address in the network settings of the Buffalo NAS has to point to the DNS/DC you want to join.

Prerequisites

  1. A machine account for your TeraStation must exist on your domain controller (it must be configured for a pre-Windows 2000 computer).
  2. This machine account for the TS must be flagged as trusted for delegation.
  3. Your DNS server must have the host (A) entry for the TS in the forward lookup zone, and
  4. the PTR record in the reverse lookup zone.
  5. Make sure the time of the TeraStation does not differ by more than 10 minutes from the AD server.


If 2) and 4) are not met, the LinkStation Pro/TeraStation Pro/TeraStation Pro II is not allowed to join the ADS as a BDC (backup domain controller), which is the working scheme of the ADS client on the Stations.

If 1-4 are met, the LinkStation Pro/TeraStation Pro/TeraStation Pro II is able to join. In the network setup you only have to enter the NetBIOS name, the fully qualified domain name and the fully qualified PDC name, together with the Domain Administrator name and password.

The LDAP on the Station then contacts the PDC (forward lookup zone set) and asks for a copy of the existing users. If the machine account is "trusted for delegation", the TS will receive the answer (trusted flag and reverse lookup zone set). If these last settings are missing, the answer will not be sent. About 95% of all ADS issues are located here.

Normal Windows clients in an ADS do not need to be set up this way, since the PDC, the primary domain controller, handles everything on its own. But the TeraStation Pro / Pro II and LinkStation Pro are separate things. They use their internal LDAP to communicate with the PDC. The PDC in general is not contacted by any clients, since it is the one and only master. So the PDC must be configured to accept the Station as a unit in the network that is allowed to contact the PDC. This is done by flagging the machine account as "trusted for delegation"; the PDC then answers the requests. In addition, the complete forward and reverse DNS communication relies on both entries in the DNS server running on the PDC. Please note that you should also set the primary DNS IP address (in the network IP address setup of the Stations) to this server and not to the gateway/router.

Troubleshooting:
If it still won't work please check these:

  1. Check the internal date/time settings, especially the correct time zone (by default +9 hours). The timestamps of the TS and the PDC can differ by only 5 minutes, otherwise the PDC will reject the Station. There is a good description of the problem caused by the "Time Difference / LDAP Error 82" here: Troubleshooting Replication Errors, Microsoft TechNet (http://www.microsoft.com/technet/archive/windows2000serv/technologies/activedirectory/deploy/adguide/addeploy/addch11.mspx#EZH)
  2. The primary DNS server IP in the TeraStation network settings must be the IP address of the DNS server running on the PDC.
  3. The IP address of the gateway shall be the real gateway/router or the domain controller.
  4. If a WINS server is given in the ADS settings, test the joining without the WINS IP.
  5. Check whether any firewalls or antivirus programs are running that prevent communication.
  6. If problems still exist, please do a "Reset-to-Default" of the Tera/LinkStation by initializing the unit once.

In general, point 1) is the well-known reason why the Link- or TeraStation still cannot join even if the things named at the top of this page are done properly.
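
A preflight check for DNS prerequisites 3 and 4 and for troubleshooting point 1, as an added example that is not part of the original wiki page. The host name, the address and the DC's +1 time zone are constructed values; the clock comparison is made in UTC, which is why a NAS left at the default +9 time zone can show the right wall-clock time and still be hours off.

```python
import socket
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(minutes=5)  # tolerance stated on this page

def system_forward(name):
    """A-record lookup through the system resolver (should be the DC's DNS)."""
    try:
        return sorted(set(socket.gethostbyname_ex(name)[2]))
    except OSError:
        return []

def system_reverse(ip):
    """PTR lookup through the system resolver; None when no record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def check_dns(fqdn, forward=system_forward, reverse=system_reverse):
    """Return a list of problems with the A/PTR pair of the NAS."""
    addrs = forward(fqdn)
    if not addrs:
        return [f"no A record for {fqdn}"]
    problems = []
    for ip in addrs:
        ptr = reverse(ip)
        if ptr is None:
            problems.append(f"no PTR record for {ip}")
        elif ptr.rstrip(".").lower() != fqdn.rstrip(".").lower():
            problems.append(f"PTR for {ip} is {ptr}, expected {fqdn}")
    return problems

def utc_skew(nas_wall, nas_offset_h, dc_wall, dc_offset_h):
    """Absolute clock difference once both wall clocks are converted to UTC."""
    nas = nas_wall.replace(tzinfo=timezone(timedelta(hours=nas_offset_h)))
    dc = dc_wall.replace(tzinfo=timezone(timedelta(hours=dc_offset_h)))
    return abs(nas - dc)

# Constructed sample data: hypothetical names and addresses, not from the page.
A_RECORDS = {"ts-pro.corp.example": ["192.168.1.50"]}
PTR_RECORDS = {"192.168.1.50": "ts-pro.corp.example"}

if __name__ == "__main__":
    print(check_dns("ts-pro.corp.example",
                    lambda n: A_RECORDS.get(n, []), PTR_RECORDS.get))
    # Same wall clock on both sides, but the NAS left at the default +9 zone:
    now = datetime(2008, 12, 31, 20, 9)
    skew = utc_skew(now, 9, now, 1)
    print(skew, "OK" if skew <= MAX_SKEW else "exceeds 5 minutes")
```

Called without the `forward` and `reverse` arguments, `check_dns` queries the system resolver, so run it from a machine whose DNS server is the one on the domain controller.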