All right, we're going to dig in today with FreeNAS and Active Directory. Now, over the years, this has always been a challenge to set up Active Directory FreeNAS in some form, and they have so much made this better. I am really happy with the progress FreeNAS has made in making your Active Directory deployments really, really good. Couple caveats here, and I want to get them right off the rip. One, we don't usually run a Windows server. Actually, we don't run any Windows servers in our office. So for those of you that are asking why I'm running an evaluation version, we set up this just for this demo and doing some testing with Active Directory and some training with some of the new staff to teach them more about Active Directory. I do some Active Directory. I have other staff that is much more an expert on setting up and fixing Active Directory issues. And that is a frequent problem we run into where other technicians, we take over IT jobs and they've made a mess of Active Directory. So one important thing before you get started is make sure you have a working, properly, not filled with errors Active Directory. Because those can lead into problems of getting other devices to join. And we've had people say, hey, FreeNAS won't join. They want us to help them. We look at Active Directory. They can't get anything to join because they've just gotten so many things wrong in it, have DNS problems and things like that. So I'm not going to jump into step by step how to set up Active Directory. Matter of fact, it's actually pretty easy setup. If you get an eval of Windows Server 2016, you can follow some simple guides and best practices and pretty much next, next, and yes your way through a pretty straightforward setup. Frequently where people get their problems is they come up with their own ideas and way outside of best practices and just start changing the servers around in non-standard configurations and then break Active Directory.
So as long as your Active Directory is working fine, this process should go really smooth for you. Now the server itself is at 192.168.3.27. This is Windows Server 2016. When you have Active Directory set up, it's very dependent on DNS. So the DNS of the Active Directory has to be working properly for machines to join. This is not just a FreeNAS rule, this is in general how Active Directory works. The reason I bring that up is because you go over here and we look at the name servers. The name server for your systems that are joining a domain needs to be the same as the domain server, whichever one is the head end if you do have multiple servers. Or in the case of multiple servers, you can distribute it across DNS across multiple ones. But it's important that the Active Directory server be here. So people go, well, I use 999 or one of the other public DNS's and FreeNAS won't talk to this domain controller. That is correct. That is a frequent common mistake that causes people a whole lot of headaches where they have the username and password right but they don't have the ability to log in and get all kinds of strange errors, DNS. Now with only one name server, and that name server being the Windows Server 2016, it has no choice but to resolve the proper settings. So now we're going to go over here to the directory. Now the important thing about the way DNS, domain name system DNS, and Active Directory works is you can't just type the IP address of the server. You have to put in, and this is the name of our domain AD.evail. So you can see that right here, the domain, not the name of the server. The domain is AD.evail. So we have AD.evail. Well, how are you going to get AD.evail to resolve? I know it's small, but you kind of get the idea here. I'm able to ping AD.evail, which resolves there. So even before you put any of these Active Directory settings in, if that function doesn't work, you can't ping the domain, stop there and sort that problem out.
These are the little steps that you start in the beginning. You'll spend a lot of time. When people jump right to the end, you go, let me just put that stuff in and hit save. This is that little step that will help you. All right. So we have the DNS set. We got it set to be this address. What's the next step? Well, that's pretty easy. Go over here to users and you can just go copy the administrator. Now there's other ways you can do this. Someone's going to point out, hey, you can do this or do that. I know. If you copy the administrator and you create a copy of the administrator that you use for FreeNAS, so FreeNAS has a username that it can join the domain with and communicate back and forth with Active Directory machine with, that saves you the trouble of you change the username password. Next thing you know, you accidentally broke all the FreeNAS connections and the way it communicates with domain. So you want to make a copy of the administrator or you can create a special user and make sure it has all the right permissions. Like I said, it goes out of scope to get into some of those details, but in short, easy way, copy administrator. You can't just use the administrator as well, but you got to remember if you're changing the password, it may get out of sync because of the way the password syncs may not happen. I just always create a second NAS admin and I know that's how the NAS system talks that way. Don't have to worry about that. And this is our NAS admin. Now, important things here. So NAS ADMIN, that's the name, password never expires. So once we set this password, use a good one, leave it, don't set it to expire, make sure it can log on because it's not, that way, nothing changes and disrupts that. And that's right here, our NAS admin. Now I've already enabled this because it's really easy to do. You type the domain AD.evail, NAS admin, the password. These are the defaults, enable monitoring.
It just restarts the service if it's disconnected for some reason or some problem and hit save and there's a pause. Now please note, it does take a second on a FreeNAS box, it'll sit there maybe for about 30 seconds or so, I've seen it take up to a minute and then it joins. What it's doing when it's joining the domain and here's our FreeNAS AD, which you notice it's giving it the same name as the system has right here, FreeNASAD.local. Here is FreeNAS AD. It actually adds it automatically. Now previous ones, previous work instructions, you know, a longer time ago, you had to create this server in here, create the computer and do some DNS entries, blah, blah, blah. That is not the case anymore. This was created automatically, so FreeNASAD.AD.evail is right there and away we go, we can see the machine right here. So that did this automatically when we did the directory join. Now one of the things I do after I do a directory join, you don't have to, I just do it to make sure there's not an error on startup. Once I have it joined to the domain, I will go ahead and reboot the server and make sure it reconnects without an error. Just in case there's any problems and I haven't had any, but it's just a, maybe it's something I don't need to do, but I have done in the past to make sure that there's no errors. I do that a lot of times in servers because you leave something and before it's all sudden done, in general, if you reboot it to make sure everything's service comes up and works as expected after a reboot, it saves you that call later if there's a random power outage or something that causes a reboot that then breaks everything that you didn't troubleshoot for. Okay, that part's done. Now let's jump over to storage. Now we've got no storage set up other than the drives themselves are set up. There's not any zvols or any datasets created and we'll go over here to services. We don't even have the Samba turned on yet.
So SMB is actually, I shouldn't say turned on SMB started. There's no actual shares set up. So no entries configured. So now we can start this first get the, get this set up. So here's your Active Directory. It's connected. It's working. There's no errors. It'll give you errors. It has a, it'll tell you when it can't connect or things like that. We connected fine. So there's no issues and we're going to go ahead here and create a dataset and we'll just call it Windows shares comments. Our Windows share. This is where I've covered permissions when you're not using Windows and say choose Unix. Now we're going to enable right here. We're going to choose share type Windows because we're doing a Windows share. We're going to go ahead and add this dataset. There's our Windows shares. Now this is where you can change permissions on it and this is where things get maybe a little bit confusing for people because it's still default to your standard root wheel. And those aren't available in Active Directory. So we're going to pull down here and you see AD. But you may notice it seems to stop right here at NAS admin. So why not more people in here? Well, this is where it's a little strange because it may not display all the users in here. But if you know the user, there's a Tom Lawrence user. Let's see what's my login. Okay, I got set up as Lawrence T. I can go here. Now this is case sensitive. So you go here, it takes a second and now it's cached and loaded all the different users. So I type AD slash and this lets me scroll up and down through all the users and select them. So it does auto complete on this. So AD administrator and now here's all of our groups. And if you start filling it in slash, do I have domain users? And this is preferences of what you want your user group. You can create all kinds of different shares. I just chose administrator and domain users here. We're going to go ahead and set the permissions recursively and create this.
Now we have our Windows share created and we got the permission set. So it's owned by administrators and DNS admins have permission in there. So we can look at the permissions again. Everything looks good. All right, now let's go over to our sharing Windows, add, browse, there's our Windows shares, name. And we don't have to give it the same name, I'll just call it windows. And you don't really need unless you want guest access and all these other little functions turned on if you have some other advanced need. You can use these like only allow guest access would make it wide open. You don't necessarily want that. So we're just going to choose default permissions, call it windows, make the comment, Windows share. Okay, and now it's shared. Now we went here and said slash slash FreeNAS AD and there's our Windows share. Let's create a folder. Actually we'll call this folder Thomas and we'll go over here. We're going to go to properties, security, add, select a principal. And when I think we got my name in here is Lawrence T. There we go. Give full control to Thomas gonna make this Thomas's folder. And let's remove the everyone access. Well, I have to, it's inheriting permissions. This is, you know, if you're familiar at least with how to do this, I got to remove the inherited disable inheritance. Convert inherited permissions, remove, there we go. Replace all objects, yes. There we go. But if you notice this works like any other share on Windows. So now we've eliminated the everyone permission and have just Tom and administrators. So Tom owns this folder, administrators and domain admin users. And we can, you know, fine grain these permissions just like you can with Active Directory. This is the importance of the way FreeNAS works is you just, I set this up. So Tom has permissions, Tom has read write permissions. I can set all the permissions just like I do any other Windows share. And I'm using FreeNAS as the back end.
So we get all the advantages of FreeNAS and ZFS and everything else. But we're doing it all through Windows and your standard server permissions. And it's communicating back and forth. And that's pretty much it from there. You're done because this is set up and configured and away you go. Now all the other underlings and underpinnings of the system still work fine. So let's go here, Windows shares and let's create a snapshot of it. Mainly create snapshot and I just created a folder called tests. So we'll go ahead and delete that test. Here's the snapshot we have. Let's go ahead and see what happens when we restore it. So we just deleted the test. We're going to go ahead and roll back to snapshot. Are you sure you want to roll back to the state? Say yes and it's back. This is that advantage. And this is one of the popular reasons to use FreeNAS as a back end storage is, you know, I've done an entire video on how snapshots work. They work just as well when you're using it as a storage server for Windows. So I can go ahead and quickly revert back to states. I can set up a snapshot maybe every hour. So I have a really solid position on all my data. And this is a frequent use case code. We actually recently did a large company as a municipal with FreeNAS. And there's the reason they went with this is they have been crypto lockered before. And they know what a pain that is. So when it runs through and crypto locks everything, like, oh, no, this is a big mess. Well, it is with FreeNAS. And let's say you have hourly snapshots. And I've explained this entire snapshots more in depth. They only use a differential between snapshots. So you can actually have a lot of snapshots without using a ton of your storage because depending on your use case, a lot of times there's only incremental changes. And this allows for very fast restoration. So you get crypto lockered at 2 p.m. You figured it out. Find the infection. Stop it from spreading.
Get rid of that computer on the domain. It was causing the problem. Roll it back to your 1 p.m. You know, an hour ago, if you have hourly snapshots set up. So it can be that fast rolling things back. This is a huge advantage that FreeNAS offers not to mention the redundancy and resiliency and large scale of a ZFS pool and FreeNAS storage. But this is it for Active Directory. It's like I said, this simple to use. And when you do these restores, like this one here, in case you're wondering, the permissions and everything follow back with it. So even though I cloned and restored, no problem. FreeNAS is smart. It is able to handle that. But that's it for doing FreeNAS with Active Directory. The biggest prerequisite is making sure the DNS is set right and making sure your Active Directory is set right. Like I said, the number one problem we have in joining FreeNAS is joining it to a domain system that's broken. You've seen how fast it works here on a clean, nice setup. But your problem isn't FreeNAS when it's not joining. Many of the times, like I said, our experience has been if you're having Active Directory issues, make sure other things can join. Make sure your DNS is working properly. Make sure you have the DNS of the domain server in FreeNAS so it properly can communicate. That's it. Thanks for watching. If you liked this video, go ahead and click the thumbs up. Leave us some feedback below to let us know any details which you like and didn't like as well because we love hearing your feedback. Or if you just want to say thanks, leave a comment. If you wanted to be notified of new videos as they come out, go ahead and hit the subscribe and the bell icon that lets YouTube know that you're interested in notifications. Hopefully they send them as we've learned with YouTube. Anyways, if you want to contract us for consulting services, you go ahead and hit launchsystems.com and you can reach out to us for all the projects that we can do and help you.
We work with a lot of small businesses, IT companies, even some large companies, and you can farm different work out to us or just hire us as a consultant to help design your network. Also, if you want to help the channel in other ways, we have a Patreon. We have affiliate links. You'll find them in the description. You'll also find recommendations to other affiliate links and things you can sign up for on launchsystems.com. Once again, thanks for watching and I'll see you in the next video.