Use Azure AD Domain Services mode to integrate the system into your Azure AD Domain Services managed domain.  To apply share-level access permissions settings, users must be imported in the Users tab.


Before Joining

In order to use Azure AD Domain Services with Morro CacheDrives, all CacheDrives must be able to access the AAD DS:

  • Using VPN or SDN connection.
  • Use Morro Edge service, which can virtually and securely connect all of your sites including the cloud.



The available options are:

  • DNS Realm - The FQDN of your domain. The first part of the DNS Realm must be the NetBIOS domain name. (Example: DNS Realm is company.local, where the NetBIOS domain name is "company".)
  • NetBIOS Domain Name - If the NetBIOS domain name differs from the suffix of the FQDN, then the NetBIOS name for the user account needs to be included.
  • Computer OU (optional) - If specified, computer accounts will be created in the specified OU to register Morro CacheDrives. If not specified, computer accounts will be created in the default Computers container.
  • Allow Web Access For - The users are allowed to access the Team Portal.  The five options are All Domain Users, Users explicitly imported, Users in specified OU, Users in specified groups, and Disallow all users.  By default, all AD users can access the Team Portal using a browser or the Morro Connect app.  Access can be restricted by specific OUs, groups, or by users that are imported into the Morro Data account.
     Please note that SMB Access to shares is managed by Azure AD Domain Services.
  • Domain Administrator and Password are the credentials of the AAD DS Domain user account used to add the CacheDrives to the domain. To join the domain service, the user needs to be assigned the Contributor role of Azure AD Domain Service. Also when you encounter authorization issues, you can try with Domain Administrator to isolate the problem. User name can be specified in the format "Username", or "DOMAIN\Username".
  • SWITCH TO AZURE AD DOMAIN SERVICES MODE - Configures all devices to use Azure AD Domain Services for authentication. It will also create a computer account for each Morro CacheDrive in the domain. If Computer OU is specified, the computer accounts will be placed in that OU. Diagnostic errors will show if not all devices join the domain successfully after 60 seconds.



After Joining

Use the chart near the top of the page to check the current domain status for each device in the account.  



The chart shows if all CacheDrives joined the AD domain successfully. Users can access the CacheDrives with SSO (Single- Sign-On) by using domain credentials from their PC.

  • "Joined" - Shows that the CacheDrive has successfully created a computer account in the domain.
  • "Status" - Confirms the computer account is active and the network connection to the domain is healthy. 
  • Check - Tests if the participation in the domain is valid. 
  • Domain Info - Displays LDAP Server IP address, KDC Server IP address, and server time.
  • Join Domain - When a CacheDrive is unable to join the domain, diagnose and fix the reported errors and click "Join Domain" to try again. 
  • Rejoin Domain  - When a joined CacheDrive has a problem and "Status" reports errors, use this button to join the CacheDrive to the domain again.
  • Show Errors - Reports errors (see table below) when a CacheDrive is unable to join the domain or a joined CacheDrvie has a problem. 
     
    Common Errors

    Error Message

    Description

    Realm not found, please check DNS

    The specified realm cannot be resolved. Please check the DNS configuration and make sure Morro CacheDrive can resolve the specified realm.

    Cannot Join Domain, please check credential

    Check specified Username and Password.


After successfully joined to the domain, you probably need to set Share permission based on domain accounts.


Use the Rejoin button in the lower right part of the screen to repeat the AD join process.  This can sometimes solve issues with AD integration.  


SWITCH TO MORRO USERS MODE: Un-join CacheDrives from the domain and authenticate users in Morro Users mode. Users and groups information imported from the domain can be kept as an option.



OU Format

OUs should be entered from the top level to the bottom without RDNs and a '/' as the level delimiter.


To enter a top-level OU, simply enter the OU name, i.e. "Computers".


An example of a nested OU: If the top-level OU is "Company", and under "Company" is another OU named "Servers", enter "Company/Servers" in the field.


Leading and trailing whitespace characters are not allowed in OU names (Windows also will not allow this).


If the OU contains a '/' or '\' in the name, it must be prefixed with a '\'.  For example, if the OU name is "slash/slash\slash", then it must be entered as "slash\/slash\\slash".


Special characters may not be supported even if they are allowed in Windows.


In some cases, depending on the Windows server locale setting, browser used, and client PC OS used, '/' may be interpreted as another character (for example, we saw the currency symbol for Japanese Yen or Chinese Yuan in one instance).  We recommend avoiding the '/' character when naming OUs.



Notes

  • CacheDrives will get a user's group memberships on login.  If group memberships are modified on the domain while the user is logged in, the changes will not take effect for the particular user until he logs in again.