Entra Domain Services (Azure DS)

Organizations can use Microsoft Entra Domain Services (formerly Azure Active Directory Domain Services) to manage users and groups by connecting TrueNAS to an Azure domain and joining the managed directory.

Recommended best practice for increased security and flexible administration is to synchronize Entra ID with an on-premises Active Directory domain. However, some organizations prefer to use cloud-only domain services. This tutorial outlines how to join TrueNAS to an Entra ID managed domain without an on-premises domain.

Integrating third-party software or services means data can go to a third-party commercial vendor not directly affiliated with iXsystems. Third-party services are configured and maintained by the end user and not supported by iXsystems. Consult third-party vendor documentation, support, and/or bug reporting procedures for any functionality issues in third-party software.

Preparing Entra Domain Services

To join TrueNAS to Entra ID domain services, you need an active Azure account with Entra ID and Entra Domain Services enabled and configured as described in Microsoft documentation.

After initial configuration of the domain:

  1. In the Entra admin center, go to the Microsoft Entra Domain Services Overview tab for your managed domain.

    Record the domain name. Click Properties under Settings and record the IP Address on virtual network addresses. Save these for later.

  2. Go to Security Settings and configure as shown.

    Setting                                       Value
    TLS 1.2 Only Mode                             Enable
    NTLM v1 Authentication                        Enable
    Password Synchronization from On-Premises     Enable
    NTLM Password Synchronization                 Enable
    Kerberos RC4 Encryption                       Disable
    Kerberos Armoring                             Enable
    LDAP Signing                                  Enable
    LDAP Channel Binding                          Enable

  3. Create a site-to-site VPN gateway.

    Entra Domain Services uses hard-coded network addresses and a bundled DNS server, so a VPN is needed to ensure proper DNS resolution. There are numerous possible solutions for this purpose. iXsystems does not suggest or support a specific third-party VPN service. For one option, see Tutorial: Create a site-to-site VPN connection in the Azure portal from Microsoft.

Configuring TrueNAS

Edit network configuration to enable TrueNAS to reach the Entra ID domain services instance and then join the domain.

  1. Configure network connections. Go to Network and click Settings on the Global Configuration widget to open the Edit Global Configuration screen.

    Enter the domain name from Entra ID domain services in Domain.

    Enter the Entra IP Address on virtual network, recorded above, as a nameserver to route connections to the Entra domain services DNS server.

  2. Confirm connectivity. Connect to a local TrueNAS shell or SSH session and enter the command ping EntraDomain, where EntraDomain is the domain name entered above. Verify that the ping succeeds.

    If the ping fails:
    1. Go to Network and click Settings in the Global Configuration window.
    2. Ensure the DNS Servers and Default Gateway settings match the connection to the Entra domain.

  3. Join the domain.

    a. Go to Credentials > Directory Services and click Configure Active Directory to open the Active Directory screen.

    b. Enter the Entra domain name in Domain Name and the administrator account credentials in Domain Account Name and Domain Account Password.

    c. Select Enable to attempt to join the domain immediately after saving the configuration.

    d. Click Save.

    TrueNAS can take a few minutes to populate directory information after configuration. To check the join progress, open the Task Manager in the upper-right corner. TrueNAS displays any errors during the join process in the Task Manager.

  4. Verify domain users and groups are available.

    Go to Datasets and select any existing non-root dataset from the dataset tree table. Click Edit on the Permissions widget to open the permissions edit screen for the dataset.

    Use the User and Group dropdown menus to ensure domain accounts are present.
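A successful ping in step 2 shows the domain name resolves, but the domain join in step 3 also needs the Entra DS nameserver to answer the SRV lookup that locates a domain controller. The following script is an added example, not part of this tutorial or of TrueNAS: it sends that SRV query (_ldap._tcp.dc._msdcs.<domain>) straight to the recorded nameserver IP and decodes the reply, so a missing or error answer points at a DNS or VPN problem before the join is attempted. The domain name and nameserver IP passed to find_domain_controllers are placeholders for the values recorded earlier.

```python
import socket
import struct
def build_srv_query(name: str, txn_id: int = 0x1234) -> bytes:
    # Standard query, recursion desired, one question: QTYPE SRV (33), QCLASS IN (1)
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 33, 1)

def read_name(msg: bytes, off: int):
    """Decode a DNS name, following compression pointers; return (name, next offset)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # pointer to an earlier copy of the remaining labels
            if not jumped:
                end, jumped = off + 2, True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(msg[off:off + length].decode())
        off += length

def parse_srv_answers(msg: bytes):
    """Return [(priority, weight, port, target)] from the answer section; [] on an error RCODE."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:  # NXDOMAIN, SERVFAIL, ...: this nameserver cannot locate the domain
        return []
    off = 12
    for _ in range(qdcount):  # skip the echoed question section
        off = read_name(msg, off)[1] + 4
    found = []
    for _ in range(ancount):
        off = read_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 33:
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            found.append((prio, weight, port, read_name(msg, off + 6)[0]))
        off += rdlen
    return found

def find_domain_controllers(domain: str, dns_ip: str, timeout: float = 3.0):
    """Ask the Entra DS nameserver (recorded virtual network IP) which DCs serve `domain`."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_srv_query(f"_ldap._tcp.dc._msdcs.{domain}"), (dns_ip, 53))
        reply, _ = sock.recvfrom(4096)
    return parse_srv_answers(reply)
```

Run it from the TrueNAS shell as find_domain_controllers("corp.example.com", "10.0.0.4") with your own recorded domain and nameserver IP; an empty list or a timeout means the join will not find a domain controller.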