How do I cleanly join my Synology to AD with proper permissions?
Joining Synology DSM to AD lets you assign permissions on shares directly to AD groups, without managing local users. There are a few pitfalls around DNS, time sync and Samba compatibility.
Try this first
1. On the Synology: Control Panel, Domain/LDAP, Domain. Fill in the domain name, the AD server FQDN, and a domain account with join rights.
2. Before joining: point the Synology's DNS at the DCs, and sync its time with the DCs or with the same NTP source. Otherwise you get Kerberos errors right after the join.
3. Set share permissions via AD groups, not local users. In Shared Folder, Edit, Permissions, pick Domain Users / Domain Groups.
4. Enable ABE (access-based enumeration) on the share, so users don't see folders they can't enter. SMB versions: SMB1 off, SMB2/3 on.
5. Test as a user: access the file share as normal, and check DSM Log Center if there are issues. Common pitfall: case sensitivity on the Linux backend vs Windows clients.
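A pre-join check for step 2, as an added example that is not part of the original page: it confirms the DC's FQDN resolves and measures clock offset against the DC over SNTP, comparing it to AD's default Kerberos tolerance of 5 minutes. It assumes Python 3 on the NAS (or on a host using the same DNS servers); `dc01.corp.example` and the function names are placeholders.

```python
import socket
import struct
import time

NTP_EPOCH_DELTA = 2208988800  # seconds between 1900 (NTP epoch) and 1970 (Unix)
KERBEROS_MAX_SKEW = 300       # AD default clock-skew tolerance, in seconds

def _ntp_ts(data, pos):
    """Decode the 64-bit NTP timestamp at byte `pos` into Unix seconds."""
    sec, frac = struct.unpack("!II", data[pos:pos + 8])
    return sec - NTP_EPOCH_DELTA + frac / 2**32

def clock_offset(reply, t1, t4):
    """Server clock minus ours; t1/t4 are our send/receive times (Unix s)."""
    if len(reply) < 48:
        raise ValueError("short NTP reply")
    t2 = _ntp_ts(reply, 32)  # server receive timestamp
    t3 = _ntp_ts(reply, 40)  # server transmit timestamp
    return ((t2 - t1) + (t3 - t4)) / 2

def query_offset(server, timeout=3.0):
    """Send one SNTP client request to `server` and return its clock offset."""
    request = b"\x23" + 47 * b"\0"  # LI=0, VN=4, Mode=3 (client)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(request, (server, 123))
        reply, _ = s.recvfrom(512)
        t4 = time.time()
    return clock_offset(reply, t1, t4)

def prejoin_report(dc_fqdn, resolve=socket.getaddrinfo, measure=query_offset):
    """Return a list of problems; an empty list means DNS and time look ready."""
    try:
        resolve(dc_fqdn, 389)
    except OSError:
        return [f"DNS: cannot resolve {dc_fqdn}; point the NAS at the DCs"]
    try:
        offset = measure(dc_fqdn)
    except (OSError, ValueError):
        return [f"NTP: no usable reply from {dc_fqdn}"]
    if abs(offset) > KERBEROS_MAX_SKEW:
        return [f"time: clock is {offset:+.0f}s off the DC, limit is {KERBEROS_MAX_SKEW}s"]
    return []

if __name__ == "__main__":
    dc = "dc01.corp.example"  # placeholder: replace with your DC's FQDN
    print(prejoin_report(dc) or "DNS and time look ready for the join")
```
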
When to bring us in
For backup targets and VM storage on Synology, combine with immutable snapshots and a second Synology at another location. A NAS as a domain member increases the attack surface, so monitor login events.
See also
- One DC or two DCs for an SMB office? Two is almost always the right answer; one DC is a single point of failure for logon, DNS and GPOs.
- Should I split FSMO roles across two DCs? For a small domain all on one DC is fine; with two DCs splitting is tidier but not required.
- How do I know my AD replication is healthy? Replication errors creep in silently; they only surface when logins or GPOs misbehave.