Use Microsoft Entra Domain Services mode to integrate the system into your Microsoft Entra Domain Services managed domain. To apply share-level access permissions settings, users must be imported in the Users tab.


Before Joining

To use Microsoft Entra Domain Services, all CacheDrives must be able to access the ME-ID DS using one of the following methods:

  • A VPN or SDN connection.
  • The Morro Edge service, which can virtually and securely connect all of your sites including the cloud.



The available options are:

  • DNS Realm - The FQDN of your domain. The first part of the DNS Realm should be the NetBIOS domain name. For example, if the DNS Realm is "company.local", the NetBIOS domain name is "company".  If the first part of the DNS Realm is not the NetBIOS domain name, enter the NetBIOS domain name in the NetBIOS Domain Name field.
  • NetBIOS Domain Name - If the NetBIOS domain name differs from the first part of the FQDN, enter the NetBIOS domain name for the user account here.
  • Computer OU (optional) - If specified, computer accounts will be created in the specified OU to register Morro CacheDrives. If not specified, computer accounts will be created in the default Computers container.
  • Allow Web Access For - The users that are allowed to access the Team Portal.  The five options are All Domain Users, Users explicitly imported, Users in specified OU, Users in specified groups, and Disallow all users.  By default, all AD users can access the Team Portal using a browser or the Morro Connect app.  Access can be restricted by specific OUs, groups, or by users that are imported into the Morro Data account.
    Please note that SMB Access to shares is managed by Microsoft Entra Domain Services.
  • Domain Administrator and Password - The credentials of the ME-ID DS Domain user account used to add the CacheDrives to the domain. To join the domain service, the user needs to be assigned the Contributor role of Microsoft Entra Domain Services.
    Note: If you encounter authorization issues, try using the Domain Administrator account to isolate the problem. The user name can be specified in the format "Username" or "DOMAIN\Username".
  • SWITCH TO MICROSOFT ENTRA DOMAIN SERVICES MODE - Configures all devices to use Microsoft Entra Domain Services for authentication. It will also create a computer account for each Morro CacheDrive in the domain. If Computer OU is specified, the computer accounts will be placed in that OU. An error message will appear if any of the devices fail to join the domain after 60 seconds.



After Joining

Use the chart near the top of the page to check the current domain status for each device in the account.  



The chart shows the following information:

  • "Joined" - Shows that the CacheDrive has successfully created a computer account in the domain.
  • "Status" - Confirms that the computer account is active and the network connection to the domain is healthy. 
  • Check - Click Check to verify that the participation in the domain is valid. 
  • Domain Info - Click Domain Info to show the LDAP server IP address, KDC server IP address, and server time.
  • Join Domain - When a CacheDrive is unable to join the domain, diagnose and fix the reported errors, then click "Join Domain" to try again. 
  • Rejoin Domain  - When a joined CacheDrive has a problem and "Status" reports errors, click Rejoin Domain to join the CacheDrive to the domain again.
  • Show Errors - Show the errors associated with a failed CacheDrive join or CacheDrive join issues.  See below for common join errors. 
     
    Common Errors

    Error Message

    Description

    Realm not found, please check DNS

    The specified realm cannot be resolved. Please check the DNS configuration and make sure the Morro CacheDrive can resolve the specified realm.

    Cannot Join Domain, please check credential

    Check the specified username and password.


After successfully joining to the domain, set Share permissions based on domain accounts.  Users can access the CacheDrives with SSO (single sign-on) by using domain credentials from their PC.


Use the Rejoin button in the lower right part of the screen to repeat the AD join process.  This can sometimes solve issues with AD integration.  


SWITCH TO MORRO USERS MODE: Un-join CacheDrives from the domain and authenticate users in Morro Users mode. User and group information imported from the domain can be kept as an option.



OU Format

OUs should be entered from the top level to the bottom without RDNs and a '/' as the level delimiter.


To enter a top-level OU, simply enter the OU name, i.e. "Computers".


An example of a nested OU: If the top-level OU is "Company", and under "Company" is another OU named "Servers", enter "Company/Servers" in the field.


Leading and trailing whitespace characters are not allowed in OU names (Windows also will not allow this).


If the OU contains a '/' or '\' in the name, it must be prefixed with a '\'.  For example, if the OU name is "slash/slash\slash", then it must be entered as "slash\/slash\\slash".


Special characters may not be supported even if they are allowed in Windows.


In some cases, depending on the Windows server locale setting, browser used, and client PC OS used, '/' may be interpreted as another character (for example, we saw the currency symbol for Japanese Yen or Chinese Yuan in one instance).  We recommend avoiding the '/' character when naming OUs.



Notes

  • CacheDrives will get a user's group memberships on login.  If group memberships are modified on the domain while the user is logged in, the changes will not take effect for the user until he logs in again.