Unable to Sync Windows Server 2012 R2 Devices to Azure AD through AAD-Connect

Question

Unable to Sync Windows Server 2012 R2 Devices to Azure AD through AAD-Connect

Zach 116

We are trying to sync our Windows Server 2012 R2 devices to Azure AD so we can leverage MDE and use MEM to push policy.

The devices were added in scope for OUs in AAD-Connect app, and I can see the Adds happening but I don't seem them show under the Azure Active Directory Portal Devices section.

we followed documentation here: [https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-security-config-mgt?view=o365-worldwide#instructions-for-applying-computer-join-rule-in-aad-connect

this was needed for us to be able to get 2012 R2 devices to sync, but the issue still persists, and it looks like the info on metaverse object properties shows these devices as ("cloudFiltered" = true) which is what we think is causing the issue even after changing the rule and a full sync.

is there something wrong with the rule? or any further change we need to make?

Answer 1

Thameur-BOURBITA 15,811

it seems that problem comes from the value of [usercertificate] attribute in the computer object of the server Windows 2012 R2. You should check it and regenerate new one if possible. the following link can help you to generate new value on usercertificate attribute:

Hybrid Azure AD Join – Fixing error message: Server error: The user certificate is not found on the device with id:

Please don't forget to mark helpful answer as accepted*

Zach 116 Reputation points

2023-01-25T05:31:11.9066667+00:00

the link you have attached sends me to the Q&A post I made.

any chance you can re-post the link?
Thameur-BOURBITA 15,811 Reputation points

2023-01-25T07:57:15.05+00:00

Hi @Zach

Sorry for the mistake, : now the link is correct : Hybrid Azure AD Join – Fixing error message: Server error: The user certificate is not found on the device with id:

Please don't forget to mark helpful answer as accepted
Zach 116 Reputation points

2023-01-26T03:18:07.6033333+00:00

this is interesting, I tried to check the "usercertificate" under the metaverse object properties, and noticed the first sync did not have that attributed filled, then 7 hours later it appeared with a proper value and the "cloudfilted" attribute disappears and the device finally shows in Azure AD Portal and was able to get registered.

the only thing I did 3 hours after it was already in scope and a full sync had run, was onboard the device with Azure Arc PowerShell script using the MS generate script on the portal, but I don't understand how that would generate a user cert for it? have you ever seen this possibly? I couldn't really find anything online.
Thameur-BOURBITA 15,811 Reputation points

2023-01-26T10:09:10.9366667+00:00

Hi @Zach •

Glad to hear that your problem is fixed.

The userCertificate attribute value is populated by Hybrid Azure AD join process.

If you want get more details about Hybrid Azure AD join process, close this one after accepting the helpful answer and Open new thread about Hybrid Azure AD join to get more answer.

Thank you again for your feedback.

Please don't forget to mark helpful answer as accepted

Answer 2

Andy David - MVP 115.3K MVP

You see the adds in the connector? how about the export to Azure? Do see them there?

Any errors being generated in the Sync Manager

Zach 116 Reputation points

2023-01-24T22:10:23.6866667+00:00

when I do a metaverse search for that name of the device, I can only see connectors for the device being our on-premise domain, nothing from Azure AD connector.

when I check the Export the names show as there distinguishedName but with a long string of character although the Number of Adds is less in the export when compared to the import operation from our on-premise domain.

let me know your thoughts?

Answer 3

Thameur-BOURBITA 15,811

Hi

It seems that your server has been filtered by a synchronization rule in adconnect.

In the metaverse ,you can identify the rule which force the attribute "cloudFiltered" = true.

I will show how you can get the list of filter applied by this rule.

Once you identify the rule name , go to Synchronization Rules Editor

Synchronization Rule Editor Menu

Then select the rule identified in the first step then click on view :

Synchronization Rule Editor

Go to scoping filter , you will find all filter applied by this rule . Now you can identify which filter impacted your server

Filtre d’étendue des règles entrantes

Please don't forget to mark helpful answer as accepted

Zach 116

correct we can see the rule that i had cloned per MS doc regarding being able to get Windows Server 2012 R2 to be able to sync to Azure.

User's image

when we check the scoping filter it is empty.

the only change to this cloned rule was to add this portion under the transformations for "cloudFiltered"

  IsNullOrEmpty([userCertificate])
  ||
  (
    (InStr(UCase([operatingSystem]),"WINDOWS") > 0)
    &&
    (Left([operatingSystemVersion],2) = "6.")
    &&
    (Left([operatingSystemVersion],3) <> "6.3")
  )
  ||
  (
    (Left([operatingSystemVersion],3) = "6.3")
    &&
    (InStr(UCase([operatingSystem]),"WINDOWS") > 0)
    &&
    With(
      $validCerts,
      Where(
        $c,
        [userCertificate],
        IsCert($c) && CertNotAfter($c) > Now() && RegexIsMatch(CertSubject($c), "CN=[{]*" & StringFromGuid([objectGUID]) & "[}]*", "IgnoreCase")),
      Count($validCerts) = 0)
  ),
  True,
  NULL
)

this was from the MS doc: [https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-security-config-mgt?view=o365-worldwide#instructions-for-applying-computer-join-rule-in-aad-connect

any further thoughts?

Answer 4

Hello,

In most cases, this happens because an incorrect assignment into the AD group for the devices. If that has been checked correct, I can recommend to schedule a full sync to ensure that they are detected.

https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-feature-scheduler#start-the-scheduler

--If the reply is helpful, please Upvote and Accept as answer--

Unable to Sync Windows Server 2012 R2 Devices to Azure AD through AAD-Connect

3 additional answers

Activity