Issue with Hybrid join error 0x801c001d

Dr Fox 1 Reputation point
2021-03-03T14:02:11.613+00:00

I have a problem with one device joining hybrid AD

Running dsregcmd /debug as system returns the following:

TenantInfo::Discover: Failed reading registration data from AD. Defaulting to autojoin disabled 0x80070005
DsrCmdJoinHelper::Join: TenantInfo::Discover failed with error code 0x801c001d.

Looking up this code, MS say that this means there is a problem with the infrastructure for Hybrid Join, however there are a number of other devices on my domain that have not had this issue and have connected fine.

Event Viewer shows a 307 and a 304 error, both with the error code above.

It also shows an information message with the following

Unable to retrieve the local computer's name in the specified format NameFullyQualifiedDN. Error: Access is denied.

And another information message with the following

The system cannot find the file specified.. Operation: RegOpenKeyExW. Path: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WorkplaceJoin\JoinInfo\49e3b308-5bf2-4e97-b162-332a69a10385.

I am at a bit of a loss as to what is happening on this device, and any help would be appreciated.

Microsoft Entra ID

3 answers

  1. VipulSparsh-MSFT 16,306 Reputation points Microsoft Employee
    2021-03-04T08:30:00.09+00:00

    @Dr Fox Event viewer for user device registration will show you most of the details about the process at which this is failing. If other devices are able to do a hybrid join successfully, check if there is any difference between the working ones and the non working ones.

    Does the non-working one follow a different network, and is it in a different place? Make sure that the device can access the following URLs from the internet:

    https://enterpriseregistration.windows.net
    https://login.microsoftonline.com
    https://device.login.microsoftonline.com

    Looking at the error message which you provided, it seems it's failing in the discovery phase and is not able to find the service connection point for the registration. So you need to make sure that the device is in correct line of sight with the DC to fetch all those details.

    If you need any further help, you can drop an email to azcommunity@microsoft.com with subject "Atten - Vipul". We can try to help you offline.


  2. Mathew Hunter 1 Reputation point
    2023-01-30T15:10:57.9733333+00:00

    I'd strongly recommend checking this article from MS:
    https://learn.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-manual

    specifically checking your SCP record exists and is accurate using:

    > You can use the Get-ADRootDSE cmdlet to retrieve the configuration naming context of your forest.
    >
    > For a forest with the Active Directory domain name fabrikam.com, the configuration naming context is: CN=Configuration,DC=fabrikam,DC=com
    >
    > In your forest, the SCP object for the autoregistration of domain-joined devices is located at: CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,[Your Configuration Naming Context]
    >
    > Depending on how you have deployed Azure AD Connect, the SCP object might have already been configured. You can verify the existence of the object and retrieve the discovery values by using the following Windows PowerShell script:
    >
    > ```powershell
    > # Bind to the SCP object under the forest's configuration naming context
    > $scp = New-Object System.DirectoryServices.DirectoryEntry;
    > $scp.Path = "LDAP://CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=fabrikam,DC=com";
    > # Print the discovery values stored in the keywords attribute
    > $scp.Keywords;
    > ```

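The checks suggested in the first two answers (SCP present and well-formed, registration endpoints reachable), combined into one script as an added example; it is not code from the thread or from Microsoft. It assumes the keyword names `azureADName` and `azureADId` that Microsoft documents for this SCP, uses the `[ADSI]` accelerator rather than `Get-ADRootDSE` so no RSAT module is needed, and tests direct TCP 443 only.

```powershell
# Added example, not from the thread. Run on the affected device; SYSTEM context
# matches how dsregcmd /debug was run in the question.

# Emits one string per problem found in the SCP keywords (no output = looks fine).
# Assumed keyword layout: azureADName:<domain> and azureADId:<tenant GUID>.
function Test-ScpKeywords {
    param([string[]]$Keywords)
    $name = $Keywords | Where-Object { $_ -like 'azureADName:?*' } | Select-Object -First 1
    $id   = $Keywords | Where-Object { $_ -like 'azureADId:*' }    | Select-Object -First 1
    if (-not $name) { 'azureADName keyword missing or empty' }
    if (-not $id)   { 'azureADId keyword missing' }
    else {
        $value = $id.Substring('azureADId:'.Length)
        $guid  = [guid]::Empty
        if (-not [guid]::TryParse($value, [ref]$guid)) { "azureADId is not a GUID: '$value'" }
    }
}

# 1. Locate the SCP under this forest's configuration naming context.
$configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$scp = [ADSI]"LDAP://CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,$configNc"

# An unreadable or missing SCP leaves $keywords empty.
$keywords = @()
try   { $keywords = @($scp.Keywords | Where-Object { $_ } | ForEach-Object { "$_" }) }
catch { Write-Warning "SCP read failed: $($_.Exception.Message)" }

if ($keywords.Count -eq 0) {
    Write-Warning "No SCP keywords returned from $($scp.Path)"
} else {
    $problems = @(Test-ScpKeywords -Keywords $keywords)
    if ($problems.Count -gt 0) { $problems | ForEach-Object { Write-Warning "SCP: $_" } }
    else { Write-Output "SCP OK: $($keywords -join '; ')" }
}

# 2. TCP 443 reachability of the endpoints listed in the first answer.
#    This does not exercise a proxy; a proxy-only network needs a separate check.
$endpoints = 'enterpriseregistration.windows.net',
             'login.microsoftonline.com',
             'device.login.microsoftonline.com'
foreach ($h in $endpoints) {
    $ok = Test-NetConnection -ComputerName $h -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue
    Write-Output ("{0,-40} {1}" -f $h, $(if ($ok) { 'reachable' } else { 'NOT reachable' }))
}
```
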
  3. Technically Tony 1 Reputation point
    2023-10-19T14:33:42.1466667+00:00

    Whatever this breakdown is, it broke my test environments. I have multiple machines with this error. Need a fix! They are not even supposed to be hybrid joined!

