Basically, the MyBook “advanced” interface allows you to join the device to the domain and to specify AD users and groups for folder permissions, but WD won’t help you troubleshoot when it doesn’t work. And it doesn’t work by default with a Windows 7 or OSX machine.
So here are the two issues most people run into when they do a Google search for ‘MyBook domain’, and how to fix them.
Machine can’t be added to the domain
- In the advanced web interface on the MyBook, click ‘System’ – ‘General Setup’. Check out the time – it’s probably wrong.
- By default the MyBook gets its time from a global time server, pool.ntp.org. For whatever reason, the MyBook seems to get the correct time from the NTP server and then mangle it when applying it to itself, leaving its clock off by anywhere from 30 minutes to 4 hours.
- When you try to add the MyBook to the domain, the MyBook sends its time along with that request. The domain controller sees this incorrect time, assumes something is wrong, and won’t let the MyBook join the domain.
- Change the ‘NTP Time Server’ field from pool.ntp.org to the IP address of whatever domain controller you’re going to send the request to. At least then they’ll agree on the time, even if it’s not perfectly accurate.
- In some domains, the MyBook needs to also be able to reference itself by name, which means you need to make an A record and its corresponding Reverse Lookup record on your DNS server. You probably don’t want to have to refer to a folder share as “\\10.10.1.1\sharename” anyway when you can have something more memorable like “\\WD-MyBook\sharename”, so you might as well go ahead and make this record on your network’s DNS server (usually the domain controller) to keep you and the MyBook happy.
You should now be able to join the MyBook to the domain.
- Click ‘Network’ – ‘Workgroup’, and fill in the following fields:
- ‘Domain Name’ is the Fully Qualified Domain Name, or FQDN. If you don’t know what this is, right-click ‘My Computer’ on your machine and click ‘Properties’. In Windows 7, the FQDN is listed under ‘Computer name, domain, and workgroup settings’ next to ‘Domain:’. It’ll say something like domain.com or domain.local.
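Before retrying the join, it helps to confirm the two prerequisites above from a domain-joined Windows box. This is an added example, not part of the original post: the host name, IP addresses and the DC are placeholders, and it assumes the MyBook answers the SMB time query that `net time` sends.

```powershell
# Added example (not from the original post): check the A record, the PTR record
# and the clock skew between the MyBook and the domain controller before joining.
param(
    [string]$NasName = 'WD-MyBook',   # name of the A record you created (placeholder)
    [string]$NasIp   = '10.10.1.1',   # the MyBook's address (example IP from the post)
    [string]$DcIp    = '10.10.1.2'    # hypothetical DC; the one you set as the MyBook's NTP server
)

# 1. Forward lookup: does the A record exist and point at the MyBook?
$fwd = [System.Net.Dns]::GetHostAddresses($NasName) | ForEach-Object { $_.IPAddressToString }
if ($fwd -contains $NasIp) { "A record OK: $NasName -> $NasIp" }
else { "A record MISSING/WRONG: $NasName resolves to [$($fwd -join ', ')], expected $NasIp" }

# 2. Reverse lookup: does the PTR record point back at the same name?
try {
    $rev = [System.Net.Dns]::GetHostEntry($NasIp).HostName
    if ($rev -like "$NasName*") { "PTR record OK: $NasIp -> $rev" }
    else { "PTR record mismatch: $NasIp -> $rev (expected $NasName)" }
} catch { "PTR record MISSING: no reverse lookup for $NasIp" }

# 3. Clock skew: ask each box for its time over SMB ("net time \\server" prints
#    "Current time at \\SERVER is <date>") and compare. Kerberos refuses to
#    authenticate when the clocks differ by more than 5 minutes (the default skew).
function Get-RemoteTime([string]$Server) {
    $line = net time "\\$Server" 2>&1 | Select-String ' is (.+)$'
    if (-not $line) { throw "no time answer from \\$Server" }
    [datetime]::Parse($line.Matches[0].Groups[1].Value)
}
try {
    $skew = [math]::Abs(((Get-RemoteTime $NasIp) - (Get-RemoteTime $DcIp)).TotalMinutes)
    if ($skew -gt 5) { "CLOCK SKEW {0:N1} min: point the MyBook's NTP server at $DcIp first" -f $skew }
    else { "Clock skew {0:N1} min: OK" -f $skew }
} catch { "Could not compare clocks: $_" }
```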
- Leave NetBIOS blank. If this works, it’ll fill that in automatically. If this doesn’t work, filling that field in probably isn’t your problem.
- Domain controller IP address: this is the IP address of the domain controller that the MyBook should get its time from. It’s also hopefully the same machine that you entered the A record into.
- The last 2 fields are for the username and password of someone authorized to add computers to the domain. Just enter the username and password; you don’t need to enter the username as ‘DOMAIN\username’ or anything.
After the device is on the domain:
- Create a shared folder. (‘Storage’ – ‘Folder Shares’ – click the page icon with a “plus” on it.) Fill in the share name, be sure to leave ‘Setup access control after creating this share’ checked, and click ‘Submit’. The MyBook will take forever to think about this, just let it be – it can take 30 seconds or so.
- Now you’re asked who gets access to this new shared folder on a horribly-laid-out page.
- On the left you’ll see 2 windows: the top one has all of your domain users, and the bottom one has all of your domain groups. It only shows the first 18 characters or so before the scroll bar cuts off the names, so hopefully your domain name is short enough that you can tell who is who. (What’s up with that, WD?)
- On the right are 6 boxes. They’re labeled stupidly, so just so you know, the first 3 boxes are for full, read only or no access for AD users, and the last 3 are exactly the same thing, but for AD groups. I can’t think of how to make this interface more confusing, but it seems to function, so…whatever.
- Click ‘Submit’ and you’re done.
Windows 7 machines can’t access shares controlled by AD permissions
As it turns out, Windows XP handles passing your AD credentials to the MyBook just fine. Windows 7, not so much. Windows 7 is passing your username and password to the MyBook incorrectly, and when it breaks, it’ll ask you for a domain username and password that has permissions to access the folder. You probably have access to this folder, it’s just asking because it knows something went wrong and is assuming you don’t have access. You can type valid usernames and passwords into this window all day long and it won’t work, whether you have access or not.
Before the Windows XP holdouts in the office snicker too loudly, this is an easy-ish fix.
- The problem here is that Windows 7 is trying to talk to the MyBook’s SAMBA file service. Except someone at Microsoft decided it would be a good idea to ship Windows 7 (at least my 64-bit edition) without specifying how Windows 7 should respond to SAMBA authentication requests. SAMBA is what non-Microsoft file servers use, so…intentional? Who knows.
- Tell Windows 7 how to talk to non-Microsoft file servers by clicking ‘Start’ -> ‘run’ -> type “secpol.msc” and hit enter. Hopefully you have the permissions to do this. If not, show your IT department this section and they’ll see you’re not trying to do anything too ridiculous, just trying to make Windows 7 play nice with SAMBA. (Hey IT folks – maybe you want to include this as a GPO setting for any folks that use non-MS fileservers)
- Click ‘Local Policies’ -> ‘Security Options’ -> ‘Network security: LAN Manager authentication level’
- If you’re anything like me, the drop-down was blank. You actually can’t make this drop-down blank through this interface, so obviously something is wrong. According to Microsoft’s documentation, ‘Send NTLMv2 response only’ is supposed to be selected by default, but this won’t help you. To talk to the MyBook correctly, you need to use ‘Send LM & NTLM – use NTLMv2 session security if negotiated’. Change to this setting and click ‘OK’.
Now, when you access the share at \\MyBook\share, your computer will automatically pass the domain username and password you used to log on to your computer. If you have permissions to this folder, it’ll just open. If you don’t have access, it’ll ask for a username and password of someone in your domain that does.
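The same setting can be read and changed from an elevated PowerShell prompt, which is also the quickest way to confirm what the blank drop-down actually corresponds to. This is an added example, not part of the original post; the share path is a placeholder, and the level names are the labels secpol.msc shows for the LmCompatibilityLevel registry value.

```powershell
# Added example (not from the original post): inspect and set the
# "Network security: LAN Manager authentication level" policy. secpol.msc stores
# it as the DWORD LmCompatibilityLevel (0-5) under the Lsa key.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Levels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'   # the fix in this post
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'                                    # Windows 7 built-in default
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmLevel {
    # A missing value is what shows up as the blank drop-down in secpol.msc;
    # Windows 7 then behaves as level 3 (NTLMv2 only), which the MyBook can't handle.
    $v = (Get-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
    if ($null -eq $v) { return New-Object PSObject -Property @{ Level = $null; Label = '(not set: behaves as 3)' } }
    New-Object PSObject -Property @{ Level = [int]$v; Label = $Levels[[int]$v] }
}

function Set-LmLevel([ValidateRange(0,5)][int]$Level) {
    # Needs an elevated prompt. Level 1 makes this machine send LM and NTLMv1
    # responses to any server that asks for them, so keep it to the machines that
    # use the MyBook (GPO: Computer Configuration > Windows Settings > Security
    # Settings > Local Policies > Security Options) and go back to 3 once the NAS
    # firmware negotiates NTLMv2. Reboot to be sure the new level is in effect.
    Set-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -Value $Level -Type DWord
    "LmCompatibilityLevel set to $Level ($($Levels[$Level])); reboot, then test the share."
}

# Before: what is the machine using right now?
Get-LmLevel

# Apply the post's fix, then check that the share opens without a credential prompt.
# Set-LmLevel 1
# Test-Path '\\WD-MyBook\sharename'   # placeholder share; $true once access works
```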