To integrate a Network Attached Storage (NAS) device (e.g., Synology, QNAP, NetApp) with Active Directory (AD) authentication, you’ll typically need to enter several key details in the Active Directory authentication settings panel of the NAS.
Here’s what you usually need to enter:
🔑 Required Fields to Join Active Directory
- Domain Name (or Full Domain Name)
  - Format: `corp.example.com` or just `example.com`
  - This is your AD domain, not the NetBIOS name.
- Domain NetBIOS Name (sometimes optional, but good to provide)
  - Format: `EXAMPLE`
  - This is the short name of your AD domain (used in `EXAMPLE\username` format).
- Domain Controller (DC) Hostname or IP Address
  - e.g., `dc1.corp.example.com` or `192.168.1.10`
  - Some systems auto-discover via DNS, but manual entry can prevent issues.
- Organizational Unit (OU) (optional, but recommended if you want to scope machine accounts)
  - Format: `OU=NAS,OU=Servers,DC=corp,DC=example,DC=com`
  - This ensures the NAS joins to the correct part of the AD tree.
- Username and Password of AD Account with Join Rights
  - Format: `EXAMPLE\Administrator` or [email protected]
  - This user must have rights to add Computers to the domain.
- Workgroup Name (only required for older systems or when not joining a domain)
  - Usually matches the NetBIOS name.
🧠 Additional Required Considerations
- Time Sync: Your NAS must have correct time and match the AD DC’s time (within 5 minutes), or Kerberos auth will fail.
- DNS: Ensure the NAS uses the AD DNS server (typically your DC) and not an external one.
- Hostname: Give your NAS a static and valid hostname before joining AD.
🛠 Example Settings
Setting | Example |
---|---|
Domain Name | corp.example.com |
Domain NetBIOS Name | CORP |
Domain Controller Address | 192.168.0.10 |
Admin Username | CORP\Administrator |
Admin Password | ******** |
OU | OU=NAS,OU=Servers,DC=corp,DC=example,DC=com |
DNS Server | 192.168.0.10 (same as DC) |
If your NAS still fails to join, check the logs for:
- `KRB5KDC_ERR_PREAUTH_FAILED` (Kerberos error → time or password issue)
- `DNS_ERROR_BAD_KEY` (→ DNS misconfigured or no SRV records)
- `LDAP bind failed` (→ username/password wrong or permission issue)
For Example Domain ‘sircles.net’
Thanks, Simon — with `sircles.net` as your domain, here’s exactly what you should enter into your NAS Active Directory authentication settings to get it working:
✅ Active Directory Authentication Settings (for domain `sircles.net`)
Field | Value or Format | Notes |
---|---|---|
Domain Name / Full Domain | sircles.net | This is your AD DNS name. |
NetBIOS Domain Name | SIRCLES (you can confirm by running echo %USERDOMAIN% on a domain-joined PC) | Often just the uppercase of your domain prefix, but confirm. |
Domain Controller (DC) | e.g., dc1.sircles.net or IP 192.168.1.X | Use IP if DNS SRV records are unreliable. |
Admin Username | SIRCLES\Administrator or [email protected] | Must have permission to join machines to domain. |
Admin Password | •••••••• | Use the domain admin or a delegated user account. |
Organizational Unit (OU) | Optional: OU=Servers,DC=sircles,DC=net | If left blank, the NAS will be added to the default Computers container. |
DNS Server | 192.168.1.X (same as your AD DC) | This is critical — don’t use Google DNS or anything external. |
Time server / NTP | 192.168.1.X (or same as DC) | Clock must be in sync with AD (±5 mins for Kerberos). |
🔧 Tips for Smooth Integration
- Give the NAS a fixed IP and set the hostname to something meaningful before joining AD.
- Check DNS: `nslookup -type=SRV _ldap._tcp.dc._msdcs.sircles.net` — this should return your DC(s).
- Make sure ports are open:
  - TCP 88 (Kerberos)
  - TCP/UDP 389 (LDAP)
  - TCP 445 (SMB)
  - TCP 135 + dynamic RPC range (135 + 49152–65535 usually)
🧪 Troubleshooting Checklist
- ❌ “Incorrect credentials” – Double-check domain format: use `SIRCLES\Administrator`, not just `Administrator`
- ❌ “Cannot find domain” – Check NAS is pointing to your AD DNS
- ❌ “Clock skew/Kerberos error” – Set NTP to same server as DC
- ❌ “OU not found” – Check spelling/case in the Distinguished Name (DN) format
Let us know your NAS brand (e.g., Synology, NetApp) and I’ll give you screenshots or command line equivalents for more direct setup steps.
It says ‘specified OU does not exist in domain’
Perfect — let’s fix that “Specified OU does not exist in domain” error with precision and no fluff.
This means the Organizational Unit (OU) you entered isn’t being found exactly as typed. Active Directory is case-sensitive for distinguished names and very picky about syntax. Let’s walk through fixing it.
✅ Step-by-Step to Get the Correct OU Format
✅ Option 1: Use Active Directory Users and Computers (ADUC)
- Open ADUC on a domain-joined Windows machine.
- Navigate to the OU where you want the NAS to be added.
- Right-click the OU → Properties → Attribute Editor tab.
- Look for `distinguishedName` — copy the full value exactly. Example: `OU=NAS,OU=Servers,DC=sircles,DC=net` Or: `OU=NetworkAppliances,DC=sircles,DC=net`
✅ Option 2: Use PowerShell
On your AD server or any domain-joined workstation with RSAT tools installed:
Get-ADOrganizationalUnit -Filter * | Select-Object Name, DistinguishedName
This will list all available OUs and their correct DN format.
💡 Common Pitfalls
Mistake | Example Fix |
---|---|
Wrong case | Use OU=NAS, not ou=nas |
Typo in OU name | Confirm exact spelling/casing |
Using container, not OU | You can’t use the default CN=Computers,... container |
Escaping not needed | Don’t escape commas or special characters manually unless they’re literal |
🚀 Safe Shortcut (for testing)
If you’re not fussed about where the NAS account ends up for now, leave the OU field blank — it will default to:
CN=Computers,DC=sircles,DC=net
You can move the computer account later in ADUC.
Let me know the OU you’re trying to use, and I’ll write out the exact DN for you.
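A syntax pre-check for the OU field, as an added example (not part of the original post or any NAS vendor's tooling): it flags a DN whose DC= suffix does not spell the domain, a CN= container given where an OU is expected, and misordered or malformed components. The function names and sample DNs are constructed for illustration; it does not query AD, so a DN that passes can still be absent from the directory.

```python
import re

def split_dn(dn):
    """Split a DN on commas that are not backslash-escaped; return (TYPE, value) pairs."""
    pairs = []
    for part in re.split(r"(?<!\\),", dn):
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed component {part!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs

def check_ou_dn(domain, dn):
    """Return a list of problems with dn as a join target in AD domain `domain`."""
    try:
        pairs = split_dn(dn)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    types = [t for t, _ in pairs]
    # DC= components must form one contiguous run at the end of the DN.
    first_dc = types.index("DC") if "DC" in types else len(types)
    if any(t != "DC" for t in types[first_dc:]):
        problems.append("DC= components must come last, after every OU=")
    # The DC= values, joined with dots, must spell the AD DNS domain name.
    dc_suffix = ".".join(v for t, v in pairs if t == "DC")
    if dc_suffix.lower() != domain.lower():
        problems.append(f"DC suffix spells {dc_suffix or 'nothing'!r}, expected {domain!r}")
    path = pairs[:first_dc]
    if not path:
        problems.append("no OU= component before the DC= suffix")
    for t, v in path:
        if t == "CN":
            problems.append(f"CN={v} is a container, not an OU")
        elif t != "OU":
            problems.append(f"unexpected attribute type {t}=")
    return problems

if __name__ == "__main__":
    # Constructed sample inputs for the page's example domain.
    for candidate in ("OU=NAS,OU=Servers,DC=sircles,DC=net",
                      "CN=Computers,DC=sircles,DC=net",
                      "OU=NAS,DC=corp,DC=example,DC=com"):
        print(candidate, "->", check_ou_dn("sircles.net", candidate) or "looks well-formed")
```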