
TrueNAS SMB Shares with Active Directory: Enterprise File Sharing


File shares are a cornerstone of every enterprise IT environment. Whether project folders, department drives, or personal home directories — access must be fast, secure, and centrally managed. TrueNAS with SMB and Active Directory integration delivers exactly that: enterprise-grade file sharing built on ZFS, without licensing costs for proprietary storage systems.

This article shows how to join TrueNAS to an existing Active Directory domain and configure SMB shares with granular permissions.

Why SMB with Active Directory?

SMB (Server Message Block) is the standard protocol for file sharing in Windows environments. Without Active Directory, you would need to maintain local users on the TrueNAS system — a nightmare with 50 or 500 employees. AD integration brings decisive advantages:

  • Centralized user management: Users and groups are maintained exclusively in Active Directory. No duplicate accounts, no manual synchronization.
  • Single sign-on: Employees log in to the domain once and access all shares without entering their password again.
  • Granular ACLs: Windows ACLs (Access Control Lists) enable permissions down to the file level — far more granular than POSIX permissions.
  • Audit capability: Who accessed which file and when? With AD integration, access can be logged on a per-user basis.

Prerequisites

Before TrueNAS can join the domain, three fundamental prerequisites must be met:

DNS Configuration

TrueNAS must be able to resolve the domain controller via DNS. Enter the IP address of your AD DNS server as the primary DNS server on the TrueNAS system:

Network > Global Configuration
  Nameserver 1:  10.0.1.10 (Domain Controller)
  Domain:        company.local

Verify name resolution beforehand via the shell: nslookup company.local must return the domain controller’s IP. Incorrect DNS configuration is the most common cause of failed domain joins.

Time Synchronization (NTP)

Kerberos — the authentication protocol behind Active Directory — tolerates a maximum time deviation of five minutes. Configure TrueNAS to synchronize time from the domain controller:

System > General > NTP Servers
  Server:  10.0.1.10 (Domain Controller)

Domain Controller

A functioning Active Directory domain controller running Windows Server (2016 or newer) is required. The account used for the TrueNAS domain join needs permissions to create computer objects in the target OU.

Joining TrueNAS to Active Directory

The domain join is configured under Directory Services > Active Directory:

Directory Services > Active Directory
  Domain Name:    company.local
  Domain Account: truenas-join (service account with join permissions)
  Domain Password: ********
  Enable:         checked

After clicking Save, TrueNAS joins the domain. Check the status under Directory Services: the state must show Healthy. In Active Directory, TrueNAS appears as a computer object in the default Computers OU (or your configured OU).

Important: Use a dedicated service account for the domain join — never a personal admin account. This ensures the join persists even when the admin changes their password.

Setting Up SMB Shares with ACLs

Create a Dataset

First, create a ZFS dataset for the share. The critical point: set the Share Type to SMB so TrueNAS automatically applies the correct ACL settings.

Storage > Pools > [Your Pool] > Add Dataset
  Name:        department-finance
  Share Type:  SMB
  Case Sensitivity: Insensitive (Windows-compatible)

Create the Share

Sharing > Windows Shares (SMB) > Add
  Path:         /mnt/tank/department-finance
  Name:         Finance
  Purpose:      Default Share
  Enable:       checked

Configure Permissions

After creating the share, set the ACLs on the dataset. Navigate to Storage > Pools > Dataset > Edit Permissions and switch to the ACL Manager:

Owner:         COMPANY\Domain Admins
ACL Entries:
  COMPANY\GRP-Finance        — Full Control
  COMPANY\GRP-Finance-RO     — Read & Execute
  COMPANY\Domain Admins      — Full Control

Planning Permissions Correctly: Groups Not Users

The most important rule for sustainable permission structures: assign permissions exclusively to groups, never to individual users. In practice, the AGDLP principle works best:

  • Account is a member of a Global group
  • Global group is a member of a Domain Local group
  • Domain Local group receives the Permission on the share

When an employee changes departments, you only modify the group membership in AD — not the ACLs on the storage. With 20 shares and three permission levels each, that is the difference between five minutes and an hour of administrative effort.
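To make the group-based model concrete, the following added example (not code from the article or from TrueNAS) models the AGDLP nesting and the Windows access-check order for the Finance ACL above. The domain local groups GRP-Finance, GRP-Finance-RO and Domain Admins are the principals from the ACL; the global groups GG-Finance-Staff and GG-Auditors, the user names and the simplified permission bits are assumptions. The point it demonstrates is that a department change only touches group membership, while the ACL on the dataset never changes.

```python
"""AGDLP nesting plus a Windows-style access check over a share ACL.
Added example; GG-* groups, user names and permission bits are assumptions."""
from collections import deque

# Simplified subset of the Windows file access mask.
READ, WRITE, EXECUTE, DELETE, CHANGE_PERMS = 1, 2, 4, 8, 16
READ_EXECUTE = READ | EXECUTE
FULL_CONTROL = READ | WRITE | EXECUTE | DELETE | CHANGE_PERMS

# Group nesting as maintained in AD: member -> groups it belongs to.
# Account -> Global group -> Domain Local group (AGDLP). Constructed sample data.
MEMBERSHIP = {
    "alice": {"GG-Finance-Staff"},
    "bob": {"GG-Auditors"},
    "GG-Finance-Staff": {"GRP-Finance"},
    "GG-Auditors": {"GRP-Finance-RO"},
}

# The ACL from the article, in canonical Windows order (explicit deny entries
# would come first). Each entry: (principal, mask, "allow" | "deny").
FINANCE_ACL = [
    ("GRP-Finance", FULL_CONTROL, "allow"),
    ("GRP-Finance-RO", READ_EXECUTE, "allow"),
    ("Domain Admins", FULL_CONTROL, "allow"),
]


def effective_groups(principal, membership=MEMBERSHIP):
    """Transitive closure of group membership, i.e. what ends up in the user's token."""
    seen, queue = set(), deque([principal])
    while queue:
        current = queue.popleft()
        for group in membership.get(current, ()):
            if group not in seen:
                seen.add(group)
                queue.append(group)
    return seen


def access_check(acl, user, requested, membership=MEMBERSHIP):
    """Walk ACEs in order: a matching deny on any still-requested bit denies,
    a matching allow clears bits, access is granted once nothing remains."""
    token = {user} | effective_groups(user, membership)
    remaining = requested
    for principal, mask, kind in acl:
        if principal not in token:
            continue
        if kind == "deny" and mask & remaining:
            return False
        if kind == "allow":
            remaining &= ~mask
            if remaining == 0:
                return True
    return remaining == 0


def move_user(user, old_group, new_group, membership):
    """Department change: only the global-group membership changes, the ACL does not."""
    membership[user] = (membership[user] - {old_group}) | {new_group}


if __name__ == "__main__":
    print("alice can write:", access_check(FINANCE_ACL, "alice", WRITE))
    print("bob can write:", access_check(FINANCE_ACL, "bob", WRITE))
    move_user("alice", "GG-Finance-Staff", "GG-Auditors", MEMBERSHIP)
    print("alice can write after move:", access_check(FINANCE_ACL, "alice", WRITE))
```

Running the script shows alice losing write access the moment her global-group membership changes, with FINANCE_ACL untouched; a user who is in no nested group fails the check because no entry applies to their token.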

Home Directories: Personal Drives

TrueNAS supports automatic home directories for AD users. Enable the option in the SMB share configuration:

Sharing > Windows Shares (SMB) > Add
  Path:         /mnt/tank/homes
  Name:         homes
  Purpose:      Home Directories
  Use as Home Share: checked

On first access, TrueNAS automatically creates a subdirectory with the AD username. Via Group Policy (GPO), you can map the home drive as H:\:

User Configuration > Preferences > Windows Settings > Drive Maps
  Drive:   H:
  Path:    \\truenas\homes
  Reconnect: checked

Shadow Copies with ZFS Snapshots

A major advantage of TrueNAS: ZFS snapshots are automatically exposed as Windows shadow copies. Users can restore deleted or overwritten files themselves — via right-click > Properties > Previous Versions.

Configure periodic snapshots under Tasks > Periodic Snapshot Tasks:

Dataset:      tank/department-finance
Lifetime:     2 weeks
Schedule:     Hourly (business hours), daily (overnight)
Naming:       auto-%Y-%m-%d_%H-%M

Shadow copies drastically reduce helpdesk tickets for file restores and offload individual restore requests from your backup system.
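The following added example (not code from the article or from TrueNAS) maps the snapshot naming schema above to the previous-versions entries a Windows client sees and works out which snapshots fall outside the two-week lifetime. SMB clients identify a previous version by a token of the form @GMT-YYYY.MM.DD-HH.MM.SS; the example assumes the TrueNAS clock and therefore the snapshot names are in UTC, and the snapshot names it is fed are constructed.

```python
"""Snapshot names (auto-%Y-%m-%d_%H-%M) -> SMB previous-versions tokens and
lifetime expiry. Added example; assumes snapshot names are in UTC."""
from datetime import datetime, timedelta, timezone

SNAPSHOT_PREFIX = "auto-"
SNAPSHOT_FORMAT = "%Y-%m-%d_%H-%M"            # naming schema of the periodic task
GMT_TOKEN_FORMAT = "@GMT-%Y.%m.%d-%H.%M.%S"   # token format SMB clients use for previous versions
LIFETIME = timedelta(weeks=2)                 # "Lifetime: 2 weeks" from the task


def parse_snapshot_name(name):
    """'tank/department-finance@auto-2024-03-20_09-00' -> aware UTC datetime.
    Returns None for snapshots outside the task's schema (e.g. manual ones)."""
    label = name.split("@", 1)[-1]
    if not label.startswith(SNAPSHOT_PREFIX):
        return None
    try:
        stamp = datetime.strptime(label[len(SNAPSHOT_PREFIX):], SNAPSHOT_FORMAT)
    except ValueError:
        return None
    return stamp.replace(tzinfo=timezone.utc)


def gmt_token(stamp):
    """The @GMT-... token under which a client lists this snapshot."""
    return stamp.astimezone(timezone.utc).strftime(GMT_TOKEN_FORMAT)


def previous_versions(snapshots):
    """Chronological list of (token, snapshot) visible under Previous Versions."""
    pairs = [(parse_snapshot_name(s), s) for s in snapshots]
    return [(gmt_token(t), s) for t, s in sorted(p for p in pairs if p[0] is not None)]


def expired(snapshots, now, lifetime=LIFETIME):
    """Snapshots older than lifetime at `now` (datetime or ISO 8601 string); the
    task destroys these, and their previous versions disappear with them."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    return [s for s in snapshots
            if (t := parse_snapshot_name(s)) is not None and now - t > lifetime]


if __name__ == "__main__":
    # Constructed sample snapshot list.
    sample = ["tank/department-finance@auto-2024-03-01_09-00",
              "tank/department-finance@auto-2024-03-20_09-00",
              "tank/department-finance@manual-before-upgrade"]
    for token, snap in previous_versions(sample):
        print(token, "<-", snap)
    print("expired:", expired(sample, "2024-03-21T12:00:00+00:00"))
```

Manual snapshots that do not follow the schema are skipped rather than misdated, which is the behaviour you want when a one-off snapshot taken before an upgrade sits next to the periodic ones.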

Performance Tuning

SMB Multichannel

SMB Multichannel uses multiple network connections in parallel, increasing both throughput and fault tolerance. Prerequisite: TrueNAS and the clients must have at least two network interfaces in the same subnet.

SMB Multichannel is enabled by default in TrueNAS SCALE. Verify on the client side with PowerShell:

Get-SmbMultichannelConnection -ServerName truenas

Jumbo Frames and Networking

For maximum throughput with large files:

  • MTU 9000 on all participating interfaces and switches
  • Dedicated storage VLAN for SMB traffic
  • 10 GbE or faster — with 50+ concurrent users, 1 GbE becomes a bottleneck

Common AD Join Issues

  • DNS resolution failure: TrueNAS cannot find the domain controller. Check nslookup and ensure the AD DNS server is configured as the primary DNS.
  • Time deviation too large: Kerberos rejects authentication with more than five minutes of drift. Point NTP to the domain controller and verify synchronization.
  • Wrong account or insufficient permissions: The join account needs the right to create computer objects in the target OU. A regular user account is not sufficient.
  • Reverse DNS missing: Some AD configurations require a functioning PTR record for the TrueNAS IP. Create the entry in the reverse lookup zone.
  • SMB service not starting: After the domain join, the SMB service must be active and set to auto-start under Services.
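The DNS, reverse DNS and time checks from the Prerequisites and from the list above can be scripted before the join is attempted. The following added example (not TrueNAS tooling or code from the article) resolves the _ldap._tcp.dc._msdcs SRV record that AD clients use to locate domain controllers, checks for a PTR record for the TrueNAS address, and measures the clock offset against the domain controller with a minimal SNTP query, comparing it to the five-minute Kerberos limit. It assumes BIND's nslookup is available and prints SRV answers as "service = priority weight port target"; the sample nslookup line and NTP reply in the usage section are constructed.

```python
"""Pre-join checks: DC discovery via SRV record, PTR record for our own
address, and clock offset against the DC via SNTP. Added example; assumes the
Linux nslookup output format for SRV records."""
import re
import socket
import struct
import subprocess
import sys
import time

NTP_EPOCH_OFFSET = 2208988800   # seconds between 1900-01-01 (NTP) and 1970-01-01 (Unix)
MAX_KERBEROS_SKEW = 300         # Kerberos default clock skew limit: five minutes

# "name  service = priority weight port target." as printed by nslookup -type=SRV
SRV_LINE = re.compile(r"service\s*=\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+?)\.?$", re.M)


def parse_srv_records(nslookup_output):
    """Return [(priority, weight, port, target)] parsed from nslookup output."""
    return [(int(p), int(w), int(port), host)
            for p, w, port, host in SRV_LINE.findall(nslookup_output)]


def lookup_domain_controllers(domain):
    """Resolve _ldap._tcp.dc._msdcs.<domain>; an empty list means the configured
    nameserver is not the AD DNS (the most common join failure)."""
    name = f"_ldap._tcp.dc._msdcs.{domain}"
    result = subprocess.run(["nslookup", "-type=SRV", name],
                            capture_output=True, text=True, check=False)
    return parse_srv_records(result.stdout)


def reverse_lookup(ip):
    """PTR name for ip, or None when the reverse lookup zone has no entry."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def ntp_server_timestamps(packet):
    """(receive, transmit) timestamps of a 48-byte NTP reply as Unix seconds."""
    words = struct.unpack("!12I", packet[:48])
    receive = words[8] - NTP_EPOCH_OFFSET + words[9] / 2**32
    transmit = words[10] - NTP_EPOCH_OFFSET + words[11] / 2**32
    return receive, transmit


def clock_offset(t1, t2, t3, t4):
    """Local clock offset per RFC 5905: ((t2 - t1) + (t3 - t4)) / 2."""
    return ((t2 - t1) + (t3 - t4)) / 2


def query_ntp_offset(server, timeout=3.0):
    """One SNTP exchange with the DC; a positive result means the local clock is behind."""
    request = b"\x1b" + bytes(47)   # LI=0, VN=3, Mode=3 (client), remaining fields zero
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(request, (server, 123))
        packet, _ = sock.recvfrom(48)
        t4 = time.time()
    t2, t3 = ntp_server_timestamps(packet)
    return clock_offset(t1, t2, t3, t4)


def skew_acceptable(offset, limit=MAX_KERBEROS_SKEW):
    """True when the offset is inside the window Kerberos accepts."""
    return abs(offset) < limit


if __name__ == "__main__":
    # usage: python prejoin_check.py company.local 10.0.1.10 <truenas-ip>
    domain, dc_ip, own_ip = sys.argv[1:4]
    dcs = lookup_domain_controllers(domain)
    print("domain controllers:", dcs or "NONE FOUND - check Nameserver 1")
    print("PTR for", own_ip, "->", reverse_lookup(own_ip) or "missing")
    offset = query_ntp_offset(dc_ip)
    print(f"clock offset vs DC: {offset:+.3f}s", "OK" if skew_acceptable(offset) else "TOO LARGE")
```

Run it from the TrueNAS shell before enabling the directory service: an empty domain controller list points at Nameserver 1, a missing PTR points at the reverse lookup zone, and an offset near or above 300 seconds means NTP must be fixed before Kerberos will accept the join.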

Monitoring with DATAZONE Control

File shares are business-critical — an outage means immediate productivity loss. With DATAZONE Control, we monitor the entire SMB infrastructure:

  • Share availability: SMB service status and AD connection state
  • Storage capacity: Dataset usage, snapshot consumption, pool utilization
  • Performance metrics: IOPS, throughput, latency on SMB shares
  • ZFS health: Scrub status, checksum errors, disk SMART values

Threshold-based alerts provide early warning — before a full dataset blocks access for an entire department.

Conclusion

TrueNAS with Active Directory integration delivers enterprise file sharing without enterprise pricing. SMB shares with Windows ACLs, automatic home directories, shadow copies through ZFS snapshots, and SMB Multichannel for performance — these are features typically found only in expensive proprietary systems.

The key lies in preparation: DNS and NTP must be correct, permissions belong on groups, not users, and without monitoring, a small disruption quickly becomes a major problem.


Looking to deploy TrueNAS as your central file sharing solution in an Active Directory environment? Contact us — we plan and implement your SMB infrastructure from AD integration to monitoring.
