Buffalo LinkStation Active Directory
We recently started deploying Buffalo Network Attached Storage (NAS) devices on our campus to various departments that are looking for additional, non-critical storage in a relatively secure environment. Since we run Active Directory on Windows Server 2008, we chose the Buffalo drives for their ability to interface with AD. The AD bind works well for user management, but I ran into a small problem with the second drive I configured, so I thought I’d share my experience.
The AD configuration screen looks like this, and can be accessed on the drive’s web interface by clicking on Network->Workgroup/Domain:
As you can see, there are several fields that need to be populated, but Buffalo’s FAQs are not very specific about what exact info needs to go in them. Here’s what worked for me:
ActiveDirectory Domain Name (NetBIOS Name) – the actual old-school domain name without the part
ActiveDirectory Domain Name (DNS/Realm Name) – the FQDN of the domain, i.e. the same thing as above but with the part
ActiveDirectory Domain controller Name – the machine name of one of your primary domain controllers, without the .domain.com part (just the machine name)
Admin user and pass – Domain admin credentials without anything like domain\username
WINS Server IP Address – the IP of your WINS server (usually your PDC)
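A pre-flight check for the five values listed above, written as an added example (not from the original post or from Buffalo). The sample domain, host, account and address are constructed, and the 15-character NetBIOS limit is a general Windows rule rather than something the post states.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def check_ad_fields(netbios, realm, dc_name, admin_user, wins_ip):
    """Return a list of problems found in the five join-screen values."""
    problems = []
    # NetBIOS domain name: the short form, no dots, at most 15 characters.
    if "." in netbios:
        problems.append("NetBIOS name: contains a dot; enter the short name only")
    elif not 1 <= len(netbios) <= 15:
        problems.append("NetBIOS name: must be 1 to 15 characters")
    # DNS/realm name: fully qualified, so at least two valid labels.
    labels = realm.split(".")
    if len(labels) < 2 or not all(LABEL.match(label) for label in labels):
        problems.append("DNS/Realm name: enter the FQDN of the domain")
    # Domain controller: machine name only, not its FQDN.
    if "." in dc_name:
        problems.append("Domain controller: enter the machine name without the domain")
    elif not LABEL.match(dc_name):
        problems.append("Domain controller: not a valid machine name")
    # Admin user: bare account name, no domain\user or user@domain form.
    if "\\" in admin_user or "@" in admin_user:
        problems.append("Admin user: remove the domain prefix or suffix")
    elif not admin_user:
        problems.append("Admin user: empty")
    # WINS server: must parse as an IPv4 address.
    try:
        ipaddress.IPv4Address(wins_ip)
    except ValueError:
        problems.append("WINS server: not a valid IPv4 address")
    return problems


if __name__ == "__main__":
    # Constructed sample values that repeat the mistakes the list warns about.
    for problem in check_ad_fields("campus.example.edu", "campus",
                                   "dc01.campus.example.edu",
                                   "CAMPUS\\nasjoin", "dc01"):
        print(problem)
```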
Buffalo NAS Active Directory Integration Group Policy Changes
I am familiar with these devices and these particular changes. These settings do compromise security somewhat. I don't know that the practical risk is much better than the already sorry state of NTLMv2 and hash-based attacks, but it does increase risk somewhat. It would be nice if Buffalo spent some money addressing the need to downgrade security to support their devices.
To your second question: Anything you might do to create different security policy for different Domain Controllers (DCs) would result in an unsupported configuration and I'd advise against trying it. It might be possi…