User:Mauirixxx/Scratch
From FreeNAS using Active Directory Wiki
Revision as of 21:59, 24 April 2014 by Mauirixxx (talk | contribs) (added note about removing user from domain admins. created user named freenasAdmin)
Setup:
Host System: Dell XPS-8500 (Core i7-3770, 32GB ram, 240GB external SSD for virtual machines)
VirtualBox
pfSense (router) (4GB ram, 2 vNIC's, WAN = bridged adapter (DHCP), LAN = Internal Network - Static IP 10.10.10.1))
Windows Server 2008 (Active Directory server) (3GB ram, 1 vNIC = Internal Network, Static IP 10.10.10.3)
FreeNAS-9.1.1-RELEASE-x64 (a752d35) (8GB ram, 1 vNIC = Internal Network, Static IP 10.10.10.2)
Windows 7 Professional x64 (2GB ram, 1 vNIC = Internal Network, DHCP)
FreeNAS-9.2.1.4.1-RELEASE-x64 (fec915c) (8GB ram, 1 vNIC = Internal Network, Static IP 10.10.10.4)
FreeNAS-9.2.1.5-RELEASE-x64 (80c1d35) (8GB ram, 1 vNIC = Internal Network, Static IP 10.10.10.6)
Create Active Directory domain: example-domain.net
*****
Create FreeNAS specific user (logon name): freenas
(After thinking about this, it might be a good idea to name the user freenasAdmin or something like that. As it's for documentation, it might make it easier for people following the guide not to confuse it with the FreeNAS computer.)
created user named freenasAdmin, added to computer security tab in AD. --mauirixxx
*****
Password: HorseBattery2014
*****
Add user to group: "Domain Admins" ??
(I would not do this as there is absolutely no need for it. The account only needs Full Control permission to the FreeNAS computer object in Active Directory. You'll need to change the AD console to show advanced features to get the security tab to show so you can add an entry for the "freenas" user you create into the security permissions on the FreeNAS computer object.)
removed user from Domain Admins, may (or may not?) need to make a note about the 10-computer join-to-directory limit for non-admin users. -- mauirixxx
*****
Active Directory Server & DNS IP: 10.10.10.3
Create DNS "A" record - freenas 10.10.10.2 & create associated PTR record
Create DNS "A" record - freedom 10.10.10.4 & create associated PTR record
Install FreeNAS
Network
Global Configuration
Hostname: freenas
Domain: example-domain.net
IPv4 Default Gateway: 10.10.10.1
Nameserver 1: 10.10.10.3
"Save"
System
NTP Servers
View NTP Servers
Delete all 3 default time servers
*****
Add NTP Server: 10.10.10.3
(Make sure to set the 10.10.10.3 server as the "preferred" target.)
*****
Settings
General
Timezone: Pacific/Honolulu
Directory Service: Active Directory
"Save"
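Before turning on Directory Services it is worth confirming, from the FreeNAS shell, that the pieces configured above actually line up: the A and PTR records created on the DC, the LDAP SRV record a domain join relies on, reachability of the DC's Kerberos/LDAP/SMB ports, and a clock offset inside Kerberos's default 5-minute tolerance (the reason the page points NTP at 10.10.10.3). The script below is an added example written for this page, not part of the page or of FreeNAS; it uses the addresses and names from this page and assumes the stock FreeBSD `host`, `nc` and `ntpdate` tools present on FreeNAS 9.x. The parsing helpers can be exercised offline against captured output.

```shell
#!/bin/sh
# preflight.sh -- constructed example for this page, not FreeNAS code.
# Run from the FreeNAS shell before turning on Directory Services: a join
# fails or misbehaves when forward/reverse DNS disagree with the records
# created on the DC, or when the clock drifts past Kerberos's 5-minute limit.
DC_IP=10.10.10.3                 # AD / DNS / NTP server from the page
DOMAIN=example-domain.net
NAS_FQDN=freenas.$DOMAIN
NAS_IP=10.10.10.2
MAX_SKEW=300                     # Kerberos default clock-skew tolerance, seconds

# "freenas.example-domain.net has address 10.10.10.2"  ->  "10.10.10.2"
addr_from_host() { awk '/has address/ { print $NF; exit }'; }

# "2.10.10.10.in-addr.arpa domain name pointer freenas.example-domain.net."
#   -> "freenas.example-domain.net" (trailing dot removed)
name_from_host() { awk '/domain name pointer/ { sub(/\.$/, "", $NF); print $NF; exit }'; }

# "server 10.10.10.3, stratum 3, offset -0.004321, delay 0.02571" -> "-0.004321"
offset_from_ntpdate() { awk -F'offset ' '/offset/ { split($2, f, ","); print f[1]; exit }'; }

# Succeeds when |offset| (seconds) is inside MAX_SKEW.
skew_ok() { awk -v o="$1" -v max="$MAX_SKEW" 'BEGIN { if (o < 0) o = -o; exit !(o < max) }'; }

rc=0
want() {   # label, actual, wanted
  if [ "$2" = "$3" ]; then echo "ok   $1: $2"
  else echo "FAIL $1: got '$2', want '$3'"; rc=1; fi
}

run_checks() {
  # Ask the DC's DNS directly so a stale resolver cache cannot mask a missing record.
  want "A record for $NAS_FQDN" "$(host "$NAS_FQDN" "$DC_IP" | addr_from_host)" "$NAS_IP"
  want "PTR record for $NAS_IP"  "$(host "$NAS_IP"   "$DC_IP" | name_from_host)" "$NAS_FQDN"
  srv=$(host -t SRV "_ldap._tcp.$DOMAIN" "$DC_IP" | awk '/has SRV record/ { print $NF; exit }')
  [ -n "$srv" ] && echo "ok   LDAP SRV record: $srv" || { echo "FAIL no _ldap._tcp SRV record"; rc=1; }
  # Kerberos (88), LDAP (389) and SMB (445) must all be reachable on the DC.
  for port in 88 389 445; do
    nc -z -w 3 "$DC_IP" "$port" >/dev/null 2>&1 && echo "ok   tcp/$port reachable" \
      || { echo "FAIL tcp/$port on $DC_IP unreachable"; rc=1; }
  done
  offset=$(ntpdate -q "$DC_IP" 2>/dev/null | offset_from_ntpdate)
  skew_ok "${offset:-999999}" && echo "ok   clock offset ${offset}s" \
    || { echo "FAIL clock offset '${offset:-unknown}' exceeds ${MAX_SKEW}s"; rc=1; }
  return $rc
}

# Only run the live checks when invoked by name; sourcing the file just defines the helpers.
case "$0" in *preflight.sh) run_checks ;; esac
```

Run it as `sh preflight.sh` on the FreeNAS box; every FAIL line names the record or service to fix on the DC before attempting the join.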
Storage
Volumes
ZFS Volume Manager
"Create your volume instructions here" (for this example I named it plexdata)
/mnt/plexdata
Create ZFS Dataset
Dataset Name: downloads
Compression level: Off
Enable atime: Inherit
ZFS Deduplication: Off
v9.2.1.4.1 specific - Share type: Windows
Services
Directory Services
Active Directory
Domain Name (DNS/Realm-Name): example-domain.net
NetBIOS Name: freenas
Workgroup Name: EXAMPLE-DOMAIN
*****
Administrator Name: freenas
(Possibly update username like discussed above)
*****
Administrator Password: HorseBattery2014
Confirm Administrator Password: HorseBattery2014
Advanced Mode
Use Default Domain: checked
CIFS
*****
Authentication Model: Local User
(I don't see this setting on my system. Maybe it's only available on older builds?)
correct - this was specific to v9.1.1, will not include in official post --mauirixxx
*****
NetBIOS name: freenas
Workgroup: EXAMPLE-DOMAIN
Description: FreeNAS Test Server
DOS charset: CP437
UNIX charset: UTF-8
Log Level: Minimum
Use syslog: unchecked
Local Master: unchecked
Time Server for Domain: unchecked
Guest Account: nobody
File Mask: (leave this field blank)
Directory Mask: (leave this field blank)
EA Support: checked
Support DOS File Attributes: checked
Allow Empty Password: unchecked
Auxiliary Parameters: (leave this field blank)
Enable home directories: unchecked
Enable home directories browsing: unchecked
Home directories: (leave this field blank)
Homes auxiliary parameters: (leave this field blank)
Unix Extensions: checked
Zeroconf share discovery: checked
Hostnames lookups: checked
v9.2.1.4.1 specific: Server minimum protocol: ---------
Server maximum Protocol: SMB3
Allow execute always: checked
Control Services
Directory Services - turn off, then turn on
CIFS - turn off, then turn on
(note: In v9.2.1.4.1 both of these services were turned off; turning on "Directory Services" takes a while to start (due to joining the domain), then automatically turns on "CIFS" as well)
Sharing
Windows (CIFS) Shares
Add Windows (CIFS) Share
Name: downloads
Comment: Internet Downloads
Path: /mnt/plexdata/downloads
Browsable to Network Clients: checked
Leave everything else unchecked
v9.2.1.4.1 specific (possibly new to v9.2.x): Inherit ACL's: checked
Shell
Type the following:
/usr/local/www/freenasUI/tools/winacl.sh -o administrator -g "domain admins" -p /mnt/plexdata/downloads -r
v9.2.1.4.1 specific: The above shell command is no longer needed
Storage
Volumes
/mnt/plexdata
/mnt/plexdata/downloads
Change Permissions
Verify the following are filled in:
*****
Owner (user): administrator
Owner (group): domain admins
(These should begin with the NetBIOS domain name of the Active Directory domain, i.e. EXAMPLE-DOMAIN\Administrator)
*****
Mode:
Read: Owner, Group, Other
Write: Owner, Group
Execute: Owner, Group, Other
Type of ACL: Windows
Set permission recursively: unchecked
On Windows 7 client, in Windows Explorer type \\freenas to view the "downloads" file share, verify write ability by creating a folder.
Test complete.
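Once Directory Services and CIFS are running (the Control Services step) and the ownership under Change Permissions has been set, the same result can be checked from the FreeNAS shell rather than only from the Windows 7 client. The script below is an added example written for this page, not FreeNAS's own tooling and not the winacl.sh script; it assumes the stock `wbinfo` and `getfacl` commands present on FreeNAS 9.x and the domain, path and owner/group values used above. It confirms the machine-account trust, that winbind resolves EXAMPLE-DOMAIN\administrator, and that the NFSv4 ACL on /mnt/plexdata/downloads carries the expected owner and group while the everyone@ entry stays read and execute only (the Mode settings give Other read and execute but not write). The embedded getfacl listing is constructed so the parsers can be exercised offline with `selftest`.

```shell
#!/bin/sh
# postjoin.sh -- constructed example for this page, not FreeNAS code.
# Run from the FreeNAS shell after Directory Services and CIFS are up, to
# confirm the join and the dataset ownership the page expects.
NETBIOS_DOMAIN=EXAMPLE-DOMAIN
SHARE_PATH=/mnt/plexdata/downloads
WANT_OWNER="$NETBIOS_DOMAIN\\administrator"      # as set under Change Permissions
WANT_GROUP="$NETBIOS_DOMAIN\\domain admins"

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# "# owner: EXAMPLE-DOMAIN\administrator" -> "EXAMPLE-DOMAIN\administrator"
acl_owner() { sed -n 's/^# owner: //p' | head -n 1; }
acl_group() { sed -n 's/^# group: //p' | head -n 1; }

# Succeeds when no everyone@ allow entry carries a write-type NFSv4 bit
# (w write data, p append, d delete, D delete child, C write ACL, o write owner),
# i.e. "Other" really is read + execute only, as the Mode settings intend.
everyone_readonly() {
  awk -F: 'BEGIN { found = 0 }
           $1 ~ /everyone@/ && $4 == "allow" && $2 ~ /[wpdDCo]/ { found = 1 }
           END { exit found }'
}

# Constructed getfacl output in FreeBSD's NFSv4 format, used only for the offline self-test.
SAMPLE_ACL=$(cat <<'EOF'
# file: /mnt/plexdata/downloads
# owner: EXAMPLE-DOMAIN\administrator
# group: EXAMPLE-DOMAIN\domain admins
            owner@:rwxpDdaARWcCos:fd-----:allow
            group@:rwxpDdaARWcCos:fd-----:allow
         everyone@:r-x---a-R-c--s:fd-----:allow
EOF
)

# Read one getfacl listing on stdin and report; non-zero on any mismatch.
# Names are compared case-insensitively because winbind may display
# "administrator" as "Administrator".
verify_acl() {
  listing=$(cat)
  rc=0
  owner=$(printf '%s\n' "$listing" | acl_owner)
  group=$(printf '%s\n' "$listing" | acl_group)
  [ "$(lower "$owner")" = "$(lower "$WANT_OWNER")" ] || { echo "FAIL owner: '$owner'"; rc=1; }
  [ "$(lower "$group")" = "$(lower "$WANT_GROUP")" ] || { echo "FAIL group: '$group'"; rc=1; }
  printf '%s\n' "$listing" | everyone_readonly || { echo "FAIL everyone@ has write access"; rc=1; }
  [ "$rc" -eq 0 ] && echo "ok   $owner / $group, everyone@ read-only"
  return $rc
}

selftest() { printf '%s\n' "$SAMPLE_ACL" | verify_acl; }

run_checks() {
  # Winbind must hold a valid machine-account secret and resolve domain names;
  # otherwise ownership shows up as numeric IDs instead of DOMAIN\name.
  wbinfo -t || { echo "FAIL trust secret check failed (not joined?)"; return 1; }
  wbinfo -n "$WANT_OWNER" >/dev/null || { echo "FAIL cannot resolve $WANT_OWNER"; return 1; }
  getfacl "$SHARE_PATH" | verify_acl
}

# Only run the live checks when invoked by name; sourcing the file just defines the helpers.
case "$0" in *postjoin.sh) run_checks ;; esac
```

Run `sh postjoin.sh` on the FreeNAS box after the Windows-side folder test; a FAIL on the owner or group line usually means winbind is not resolving names (check `wbinfo -t` first), while a FAIL on everyone@ means the ACL grants more than the Mode settings on this page intend.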