Active Directory or Entra ID is a very popular way to protect shares by requiring a username and password to mount or access them. It is a two-step process: first the NAS connects, then it syncs the users and groups locally so you can see them in the Users and Groups access page for each share. You can then assign User and Group RW or Read Only access to each share. File- and folder-level ACLs are not handled in the NX2 or ZX product and require a Mac or Windows machine to manipulate. If you are having file or folder permission problems, see NX2/ZX File and Folder Permissions.



If connecting to Azure Entra ID, it must already be configured. Then the following steps have to be performed before connecting the NAS to it:

- Configure a site-to-site VPN gateway to the Azure resources - https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways

- Redirect the domain name on an edge device (router) to Azure


After the above steps, in the GUI go to "User Management".




Joining

  1. Set DNS to the AD controller's IP; add multiple AD controller IPs separated by semicolons (System Settings -> Network)

  2. Set NTP to the AD controller's IP, and set the Time Zone appropriately (System Settings -> Setting)

  3. Join the AD realm that the IT team gives you. Your IT team can find the Active Directory (AD) realm name, which is the same as the Kerberos realm name, by opening Active Directory Domains and Trusts (Administrative Tools > Active Directory Domains and Trusts); the domain name listed there is your realm name.

    1. Ensure the admin account they use has two privileges: joining a computer object to the domain, and synchronizing users

  4. Scale Logic sets "Scan trusted domains = no", so we will NOT hop to trusted domains and sync their users

  5. Sync happens every 10 minutes to pick up new or deleted users and groups in the domain

  6. You can also force a sync to see a new user or group, or to "house clean" and remove deleted users and groups from share definitions

  7. In failover HA on the ZX, you have to join AD on both nodes. Usually you will do this BEFORE joining the nodes in HA mode



Troubleshooting


Well, AD was connected and syncing OK but now it isn't, and your users can't mount any shares...


  1. Use CTRL-ALT-T from the console and enter the ping menu. Test pinging both IPs and domain names to ensure DNS is set correctly. Use normal network troubleshooting to ensure you don't have a network issue.
  2. Check the time on the NX2/ZX and make sure it isn't off from the domain controller. A time drift of 5 minutes will disconnect it.
  3. Ensure the password hasn't changed for the account used to join and sync. Often a password policy requires passwords to change every so often. Check and retest with the new password.
  4. If it is "Connected" and green in the GUI but not Synchronized, try a manual sync.
  5. Disconnect completely and try the connection again from a clean state.
  6. Reboot the nodes and try again.
  7. Download the logs and check for specific errors in the kernel and sys logs.
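The join prerequisites above (DNS pointing at the domain controller, NTP within Kerberos tolerance, the realm name) and troubleshooting steps 1 and 2 check the same three things, so the following Python script runs those checks in one place. It is an added example, not Scale Logic code and not something that runs on the NX2/ZX itself; it is a hypothetical helper you would run from an admin workstation before a join or while troubleshooting. Assumptions: the DNS servers arrive as a semicolon-separated string (matching the GUI field), the Kerberos realm is the AD DNS domain name in upper case, the skew limit is 300 seconds (the page's 5 minutes), and the resolver is injectable so the sample run at the bottom works offline against a constructed lookup table.

```python
"""Offline pre-join and troubleshooting checks for an AD realm join.

Added example; not Scale Logic's code or the NX2/ZX GUI logic.
Assumptions: DNS servers are a semicolon-separated string (as in the
GUI), the AD realm is the domain's DNS name in upper case, and a clock
skew of 5 minutes or more drops the AD connection.
"""
import ipaddress
import socket

MAX_SKEW_SECONDS = 300  # 5 minutes: the drift the page says disconnects AD


def parse_dns_servers(text):
    """Split the GUI's semicolon-separated DNS field into validated IPs."""
    servers = []
    for part in text.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        ipaddress.ip_address(part)  # raises ValueError on a non-IP entry
        servers.append(part)
    if not servers:
        raise ValueError("at least one DNS server IP is required")
    return servers


def kerberos_realm(domain):
    """Normalize an AD DNS domain name to its Kerberos realm name."""
    name = domain.strip().rstrip(".")
    if not name or " " in name or "." not in name:
        raise ValueError(f"not a valid AD domain name: {domain!r}")
    return name.upper()


def dc_locator_name(realm):
    """DNS name whose SRV records enumerate the domain controllers."""
    return "_ldap._tcp.dc._msdcs." + realm.lower()


def clock_skew_ok(nas_epoch, dc_epoch, max_skew=MAX_SKEW_SECONDS):
    """True while the NAS and DC clocks differ by less than max_skew."""
    return abs(nas_epoch - dc_epoch) < max_skew


def preflight(domain, dns_field, nas_epoch, dc_epoch,
              resolve=socket.gethostbyname):
    """Run the checks; returns (all_ok, [(check, ok, detail), ...]).

    `resolve` is injectable so the checks can run without a network.
    """
    results = []

    try:
        servers = parse_dns_servers(dns_field)
        results.append(("dns servers", True, ", ".join(servers)))
    except ValueError as exc:
        results.append(("dns servers", False, str(exc)))

    try:
        realm = kerberos_realm(domain)
        results.append(("realm", True, realm))
        try:
            ip = resolve(realm.lower())  # the AD domain name resolves to a DC
            results.append(("dns resolution", True, f"{realm.lower()} -> {ip}"))
        except OSError as exc:  # socket.gaierror is an OSError subclass
            results.append(("dns resolution", False, str(exc)))
    except ValueError as exc:
        results.append(("realm", False, str(exc)))

    skew = abs(nas_epoch - dc_epoch)
    results.append(("clock skew", clock_skew_ok(nas_epoch, dc_epoch),
                    f"{skew}s (limit {MAX_SKEW_SECONDS}s)"))

    return all(ok for _, ok, _ in results), results


def fake_resolve(host):
    """Constructed offline resolver: one DC at 10.0.0.1 for corp.example.com."""
    table = {"corp.example.com": "10.0.0.1"}
    if host not in table:
        raise socket.gaierror(f"cannot resolve {host}")
    return table[host]


if __name__ == "__main__":
    # Constructed sample run: NAS clock 20 s ahead of the DC, two DNS entries.
    ok, report = preflight("corp.example.com", "10.0.0.1; 10.0.0.2",
                           1_700_000_020, 1_700_000_000, resolve=fake_resolve)
    for check, passed, detail in report:
        print(f"[{'OK' if passed else 'FAIL'}] {check}: {detail}")
    print("ready to join" if ok else "fix the failed checks before joining")
```

Run it with the default resolver (drop the `resolve=` argument) and real epoch values from the NAS and a DC to get a live report; a "clock skew" failure points at step 2 above, a "dns resolution" failure at step 1.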


AD is connected but orange instead of green as it should be. (Versions up29r3 and above)


  • Get a valid /inspect file in case you need to manually recreate the share-level definitions. You can do this by just downloading a new set of logs. (How to download NX2/ZX logs)
  • Save the CURRENT settings; they contain all user/group definitions. Save a copy off the system for safekeeping. Navigate to "System Settings > Settings management", click "Save current settings", then click "Options" next to the newly saved settings and choose "Download" to save it to the desktop.

  • Disconnect AD; this should take 1-5 minutes.
  • Re-join AD and select "Scan Single Domain". This should take 1-5 minutes.

  • Restore the CURRENT settings; this takes very little time.

  • Reboot the node.
  • Check the share-level definitions; they should be back after the settings restore and reboot.