How do I create the CN "Device Registration Configuration" for Targeted Hybrid Azure AD Device Connection

Landon Huisenga 0 Reputation points
2023-04-19T20:23:57.5966667+00:00

I am trying to follow the documentation for Targeted hybrid Azure AD deployment: https://learn.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-control and I'm running into issues once I create the GPO to change the registry keys that enable my device to be Azure AD joined. When I go to my device and run dsregcmd /status I see that it is failing in the AD Configuration Test during the discover phase.

     Diagnostics Reference : www.microsoft.com/aadjerrors
              User Context : SYSTEM
               Client Time : 2023-04-19 20:13:30.000 UTC
      AD Connectivity Test : PASS
     AD Configuration Test : FAIL [0x80070002]
        DRS Discovery Test : SKIPPED
     DRS Connectivity Test : SKIPPED
    Token acquisition Test : SKIPPED
     Fallback to Sync-Join : ENABLED

     Previous Registration : 2023-04-19 14:15:53.000 UTC
               Error Phase : discover
          Client ErrorCode : 0x801c001d

As far as I know all of the prerequisites are met, except for one thing I noticed is different between my setup and the documentation: I don't have the CN CN=Configuration,DC=contoso,DC=com > CN=Services > CN=Device Registration Configuration created. When I open ADSI Edit on my AD server I do not see the CN for Device Registration Configuration. Could this be the reason my device is having issues connecting to Azure AD as a hybrid device? Is there a way to create this CN without enabling anything for the whole domain? I only want to connect my device to Azure AD hybrid initially so that I can do some testing. Any tips are appreciated. I reached out to Microsoft Azure support and the tech suggested local AD support would be the route to take, which we don't have support for, and any other resources I found on the web did not help me out.


3 answers

  1. Limitless Technology 44,766 Reputation points
    2023-04-20T14:29:22.5033333+00:00

    Hello, I would recommend making sure that the device can access the following URLs from the internet:

    https://enterpriseregistration.windows.net
    https://login.microsoftonline.com
    https://device.login.microsoftonline.com

    Looking at the error message which you provided, it seems it's failing in the discovery phase and is not able to find the Service Connection Point for the registration. So you need to make sure that the device is in correct line of sight with the DC to fetch all those details. Otherwise, I'd strongly recommend checking this article from MS: https://learn.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-manual, specifically checking that your SCP record exists and is accurate:

    "You can use the Get-ADRootDSE cmdlet to retrieve the configuration naming context of your forest. For a forest with the Active Directory domain name, the configuration naming context is: CN=Configuration,DC=fabrikam,DC=com

    In your forest, the SCP object for the autoregistration of domain-joined devices is located at: CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,[Your Configuration Naming Context]

    Depending on how you have deployed Azure AD Connect, the SCP object might have already been configured. You can verify the existence of the object and retrieve the discovery values by using the following Windows PowerShell script:"

        $scp = New-Object System.DirectoryServices.DirectoryEntry;
        $scp.Path = "LDAP://CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=fabrikam,DC=com";
        $scp.Keywords;

    --If the reply is helpful, please Upvote and Accept as answer--
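As an added check (this is not code from the thread, from Microsoft's documentation or from Azure AD Connect), the script below automates what the answer above describes: it resolves the configuration naming context with Get-ADRootDSE, reads the tenant values from the SCP keywords, and also reads the client-side registry override that the targeted-deployment GPO sets. The registry path HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD with TenantId/TenantName values is my assumption of the documented override location, not something quoted in the thread; the RSAT ActiveDirectory module is assumed to be installed.

```powershell
# Added diagnostic, not code from the thread or from Microsoft. Runs on a domain-joined client
# with the RSAT ActiveDirectory module and checks both places the discovery phase can take
# tenant information from: the forest SCP and the client-side targeted-deployment override.
Import-Module ActiveDirectory -ErrorAction Stop

# Well-known GUID of the SCP object quoted in the answer above.
$ScpGuid = '62a0ff2e-97b9-4513-943f-0d221bd30080'
# Assumed registry path used by the targeted (per-device) deployment instead of the forest SCP.
$OverrideKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD'

function Get-ForestScpTenant {
    # Resolve the configuration naming context the same way the article does.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $scpDn = "CN=$ScpGuid,CN=Device Registration Configuration,CN=Services,$configNC"
    $scp = $null
    try { $scp = Get-ADObject -Identity $scpDn -Properties keywords -ErrorAction Stop } catch { }
    if (-not $scp) { return $null }
    # keywords is multi-valued, e.g. 'azureADName:contoso.com' and 'azureADId:<tenant guid>'
    $tenant = @{}
    foreach ($kw in $scp.keywords) {
        $name, $value = $kw -split ':', 2
        $tenant[$name] = $value
    }
    return $tenant
}

function Get-ClientOverrideTenant {
    # Present only when the GPO from the targeted-deployment guide has applied to this device.
    $props = Get-ItemProperty -Path $OverrideKey -ErrorAction SilentlyContinue
    if (-not $props) { return $null }
    return @{ azureADName = $props.TenantName; azureADId = $props.TenantId }
}

$scpTenant    = Get-ForestScpTenant
$clientTenant = Get-ClientOverrideTenant

if ($scpTenant) {
    "Forest SCP : name={0} id={1}" -f $scpTenant['azureADName'], $scpTenant['azureADId']
} else {
    Write-Warning 'No SCP object in the configuration naming context (the situation in the question).'
}
if ($clientTenant) {
    "Client key : name={0} id={1}" -f $clientTenant['azureADName'], $clientTenant['azureADId']
} else {
    Write-Warning "No client-side override at $OverrideKey - confirm the GPO applied (gpresult /r)."
}
if ($scpTenant -and $clientTenant -and $scpTenant['azureADId'] -ne $clientTenant['azureADId']) {
    Write-Warning 'SCP and client override point at different tenants; the join will use the wrong one.'
}
```

If neither source returns a tenant, the discovery phase has nothing to work with, which is consistent with the AD Configuration Test failing in the dsregcmd output at the top of the thread.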


  2. Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
    2023-04-24T23:57:16.3466667+00:00

    Hi @Landon Huisenga,

    If you are not seeing the configuration options in the ADSI Editor, there are a few things I would recommend trying. One thing I would first suggest is to verify that the SCP is pointing to the correct tenant in the configuration. You can update the ADSI Edit setting manually or in Azure AD Connect step 7. https://docs.microsoft.com/en-us/azure/active-directory/devices/howto-hybrid-azure-ad-join#managed-domains

    Then, when you launch the ADSI Edit desktop application from the domain controller, you need to make sure that you are using an Enterprise Administrator account and have connected to the Configuration Naming Context of your domain. Note also that the device registration configuration object feature is compatible with a topology where the on-premises Active Directory is synchronized to multiple Azure AD directories.

    Based on your error message, it sounds like the join might be failing. You can verify this by running dsregcmd /status and verifying that the join status shows the expected values.

    Then you can look at the "Previous Registration" subsection in the "Diagnostic Data" section of the join status output. This section is displayed only if the device is domain-joined and unable to hybrid Azure AD-join. The "Error Phase" field denotes the phase of the join failure, and "Client ErrorCode" denotes the error code of the join operation. For more context, see the Troubleshooting guide here.

    If you try these steps and are still running into this issue, feel free to send me an email at AzCommunity@microsoft.com ("Attn: Marilee Turscak"), include your subscription ID, a link to this thread, and screenshots of your output, and we can look into this further.

    If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar issues.


  3. Landon Huisenga 20 Reputation points
    2023-05-01T18:24:57.7666667+00:00

    I never did get the targeted deployment to work; however, I did work with an Azure AD & Intune expert and they assured me that there was no drawback to configuring the SCP with Azure AD Connect for everybody, so that is the route I took. So far everything is working well, and my devices are Hybrid Azure AD Joined.

    I was reluctant at first to do it this way because the Microsoft doc for the Hybrid Azure AD join instructions does say that they recommend using a targeted deployment with a pilot group at first; however, I did not have any issues going without a pilot test group.

