Entra Hybrid Join - Problems with Server 2016 and userCertificate
Dear Community,
I am having some troubles with the hybrid join of a group of servers (Windows Server 2016).
The basic problem is that Windows is not creating the required self-signed certificate, and therefore the AD attribute “userCertificate” is empty.
As we know, while it is empty, the objects do not get synced to Entra ID.
(A Mobile Attempt: Azure AD Hybrid Join and the UserCertificate Attribute)
And I cannot find out why this certificate is not created.
As mentioned, it affects only some Server 2016 machines, which are our RDS Terminal Servers.
All other Windows Servers and clients are successfully synced and have a userCertificate (including other Server 2016 machines). All our servers are VMs based on VMware.
Some more words about these RDS Servers:
- They are cloned from a VMware template
- The deployment process is as follows:
  o On a Master VM we install all updates / software
    It is domain joined and has a userCertificate
  o The Master VM gets converted into a VMware template
  o New RDS Terminal Servers are created from this template
    with a configuration that resets the SID and automatically joins the domain
    They have no userCertificate
Test lab for troubleshooting
I created some new VMs to test and verify the behavior. Here is what I did:
- Installed a new Windows Server 2016 VM from DVD
- Installed all latest updates
- Converted it into a VMware template -> Srv2016_Template
  This should be my new template for Server 2016
- Created a new VM from this template: Srv2016RDSMaster
  Used a configuration to generate a new SID and automatically join the domain
  This should simulate my Master template for new Terminal Servers
  --> It has a “userCertificate” in its AD object
- Converted it into a VMware template
- Created a new VM from this template: Srv2016RDS01
  Used a configuration to generate a new SID and automatically join the domain
  --> It has no “userCertificate” in its AD object
Troubleshooting steps
Networking
- No proxy, direct Internet
- No DENY on our firewall -> Internet available
Verified that these URLs are accessible
https://enterpriseregistration.windows.net
https://login.microsoftonline.com
https://device.login.microsoftonline.com
https://autologon.microsoftazuread-sso.com
Active Directory and Infrastructure
- Service Connection Point (SCP) is set in the forest and has the tenant name and ID
  (otherwise no computer would be synced)
- GPOs are not linked to the OU in which the computers are
Local troubleshooting on the VM
- Scheduled Task for “Workplace Join” is enabled and runs
- dsregcmd /status
- Event Log: “Applications and Services Logs” -> “Microsoft” -> “Windows” -> “User Device Registration”
Two errors, each time the Workplace Join task starts:
- Sysprep
  Also tried a sysprep on the VM, rebooted, and manually joined it to AD
  --> Still no userCertificate
  Tried the same again and also deleted the AD object
  --> Still no userCertificate
- Activated TLS 1.2
  Enable TLS 1.2 on servers - Configuration Manager | Microsoft Learn
  -> no effect
- Articles I read and verified
Plan your Microsoft Entra hybrid join deployment - Microsoft Entra ID | Microsoft Learn
Configure Hybrid Azure AD Join - Everything you need to know
A Mobile Attempt: Azure AD Hybrid Join and the UserCertificate Attribute
Troubleshoot Microsoft Entra hybrid joined devices - Microsoft Entra ID | Microsoft Learn
My conclusion
I guess it has something to do with Server 2019.
Why I am saying this:
I have tested the same setup with an old, existing Server 2019 template
(created “Master VM” -> converted into template -> created VM from this template)
--> all VMs have a userCertificate in their AD objects
So I would be glad if someone has ideas about it.
Thanks,
Chris
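The checks described in the post (userCertificate present in AD, SCP set in the forest, Workplace Join task, dsregcmd /status, the User Device Registration event log) can be run in one pass. The script below is an added example and is not part of the original post; it assumes the RSAT ActiveDirectory module is installed, that it is run as an administrator on one of the affected servers, and that the OU path in $SearchBase (a placeholder) is replaced with your own.

```powershell
# Added example (not from the original post): audit which domain computers in an OU
# are missing the hybrid-join self-signed certificate in userCertificate, confirm the
# tenant SCP, and check the local registration state on the machine this runs on.
param(
    [string]$SearchBase = 'OU=RDS,OU=Servers,DC=example,DC=com'   # assumption: replace with your OU
)

Import-Module ActiveDirectory

# 1. Which computers have (or lack) a userCertificate? Decode each DER blob so the
#    subject and expiry are visible instead of just "present/absent".
function Get-HybridJoinCertStatus {
    param([string]$SearchBase)
    Get-ADComputer -Filter * -SearchBase $SearchBase -Properties userCertificate, operatingSystem |
        ForEach-Object {
            $certs = @($_.userCertificate | ForEach-Object {
                # userCertificate is multi-valued; each value is one DER-encoded certificate
                [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$_)
            })
            [pscustomobject]@{
                Name           = $_.Name
                OS             = $_.operatingSystem
                CertCount      = $certs.Count
                Subjects       = ($certs.Subject -join '; ')
                EarliestExpiry = ($certs | Sort-Object NotAfter | Select-Object -First 1).NotAfter
            }
        }
}

# 2. Is the tenant SCP present in the forest configuration partition, and which
#    tenant does it point to? The keywords attribute carries azureADName/azureADId.
function Get-HybridJoinScp {
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $container = "CN=Device Registration Configuration,CN=Services,$configNc"
    try {
        $scp = Get-ADObject -SearchBase $container -Filter 'objectClass -eq "serviceConnectionPoint"' -Properties keywords
    } catch { return $null }
    if (-not $scp) { return $null }
    [pscustomobject]@{
        TenantName = ($scp.keywords | Where-Object { $_ -like 'azureADName:*' }) -replace '^azureADName:', ''
        TenantId   = ($scp.keywords | Where-Object { $_ -like 'azureADId:*' })   -replace '^azureADId:', ''
    }
}

# 3. Local checks: Workplace Join task state and last result, the join flags that
#    dsregcmd /status prints, and the latest errors from the registration admin log.
function Get-LocalRegistrationState {
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\Workplace Join\' -TaskName 'Automatic-Device-Join' -ErrorAction SilentlyContinue
    $dsreg = @{}
    dsregcmd /status | ForEach-Object {
        # lines look like "   AzureAdJoined : NO"; keep the key/value pairs
        if ($_ -match '^\s*(\S+)\s*:\s*(.+?)\s*$') { $dsreg[$Matches[1]] = $Matches[2] }
    }
    $errors = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-User Device Registration/Admin'; Level = 2 } -MaxEvents 5 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        TaskState      = $task.State
        LastTaskResult = ($task | Get-ScheduledTaskInfo -ErrorAction SilentlyContinue).LastTaskResult
        DomainJoined   = $dsreg['DomainJoined']
        AzureAdJoined  = $dsreg['AzureAdJoined']
        TenantName     = $dsreg['TenantName']
        RecentErrors   = @($errors | ForEach-Object { "$($_.TimeCreated) [$($_.Id)] $($_.Message.Split("`n")[0])" })
    }
}

# Report
$scp = Get-HybridJoinScp
if ($scp) { "SCP found: $($scp.TenantName) / $($scp.TenantId)" } else { 'SCP not found in configuration partition' }

$status = Get-HybridJoinCertStatus -SearchBase $SearchBase
$status | Sort-Object CertCount, Name | Format-Table -AutoSize
'Missing userCertificate: ' + (($status | Where-Object CertCount -eq 0).Name -join ', ')

Get-LocalRegistrationState | Format-List
```

Run it on one of the cloned RDS servers and on the Srv2016RDSMaster VM and compare the two outputs: the computers with CertCount 0 are the ones Entra Connect will skip, and a LastTaskResult other than 0 together with the RecentErrors lines is what to quote when the Automatic-Device-Join task fails on the clone but not on the master.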