I recently set up a Synology RS819 at my company, a small business of about 40 users.
We do not have an on prem domain controller. Instead, we utilize Azure AD and login to our PCs with our Microsoft 365 accounts. Because of this, I am having some trouble understanding how to best handle mapped drives to the Synology.
I created mapped drives for the users to the folders they need access to. When I first mapped them, it required that I provide a local Synology account on initial mapping (makes sense) but I can’t get the drives to reconnect on logout\login or restart.
The drives display a red X and require me to disconnect\reconnect them, again putting in the Synology credentials. I would like to understand the proper way to do this when no DC is available for authenticating with a domain account.
Am I thinking about this correctly? Is there a better way to provide the users access to the shares? I would like to prevent them from having to enter credentials each time they wish to access the folder if possible.
All PCs involved are Windows 10 and fully patched if that helps.
Does the synology have a way to log into Azure to get the user account info? On a local AD (for Truenas) you have to give it a log in (with permissions to the global catalog) to get that data, similar to if it were joined to the domain as a member server. I haven’t worked with Azure yet, and trying hard to stay away from it.
Alternate: Could you join something like Zentyal to your Azure AD as a local directory? Again not something I’ve tried, but it is supposed to “seamlessly” work/replace AD, even if it was set to a read only controller it might help you get permissions on the synology to work.
I think there is a way to log in using Azure but only if you have a Site-Site VPN which I do not currently have. This may be the only option to make it work with the Azure AD.
I am not familiar with Zentyal but a quick google of it seems interesting. This may be a good solution for a lot of reasons? Hmm…
I know a lot of people implement these devices without a domain so I think what I am doing is a typical use case. I just don’t know how most interact with their Synology. Is it just accepted that you have to login to the mapped drives or is there some other option to handle this? Is mapped drives the wrong approach without a domain user?
#2 was the VPN that you mention, far less published on this. But I think Zentyal could still be a key player here. I saw people talking about IPsec as the VPN of choice, and Zentyal offers that as part of its services (might be a paid thing though). VPN Service with IPsec and L2TP/IPSEC — Zentyal 7.0 Documentation Once the tunnel is up, you should be able to make it a secondary DC (instructions elsewhere in the docs).
You can get “reasonable” performance from Zentyal on a tiny little Mele Quieter2 computer like this Amazon.com That said, there are newer Celeron 5xxx series out that will work faster/better but the J4125 seems to be decent on my little Zentyal install in my home lab. I need to expand my testing with it as I think about building one at work for the day that Microsoft says no more local AD. The writing is on the wall, though right now it looks like graffiti, they want everything as a service to keep the revenue rolling in (just like everyone else).
You might also be able to set something up through a Win10/11 computer, this is a possible option that I didn’t dig into. A long shot but it would be cheap if it worked. I think in the end, Microsoft assumes that you will have a local Windows Server running to handle these tasks, and if your contract has any licenses available, that’s probably what I would do.
I am going to recommend against the setting any of those clearos, Zentyal,nethserver, etc type of solutions. You are setting up technical dept, aka jerry rigging it. That’s a very home-lab approach to a business problem. Since you are using Microsoft 365 already, does OneDrive and SharePoint storage not suffice? What’s your business need to having an on-prem nas?