Forum Discussion

Collegious
Copper Contributor
Nov 29, 2024

Entra Hybrid Join - Problems with Server 2016 and userCertifiate

Dear Community,


I am having some troubles with the hybrid join of a group of servers (Windows Server 2016).

The basic problem is that Windows is not creating the required self-signed certificate and therefore the AD attribute “userCertificate” is empty.
As we know, while it is empty, the objects are not getting synced to Entra ID.
(A Mobile Attempt: Azure AD Hybrid Join and the UserCertificate Attribute)

And I can’t find out why this certificate is not created.

As mentioned, it affects only some Server 2016 machines, which are our RDS Terminal Servers.
All other Windows Servers and Clients are successfully synced and have a userCertificate (including other Server 2016). All our servers are VMs, based on VMware.

Some more words about these RDS Servers:

  • They are cloned from a VMware template
  • The deployment process is as follows:
    o On a Master VM we install all updates / software
      It is domain joined and has a userCertificate
    o Master VM gets converted into a VMware template
    o New RDS TS are created from this template
      With a configuration to reset SID and automatic domain join
      They have no userCertificate


Test lab for troubleshooting

I created some new VMs to test and verify the behavior. Here is what I did:

  1. Installed a new Windows Server 2016 VM from DVD
  2. Installed all latest updates
  3. Converted it into a VMware Template -> Srv2016_Template
    This should be my new template for Server 2016
  4. Created new VM from this template: Srv2016RDSMaster
    Used a configuration to generate new SID and automatic domain join
    This should simulate my Master template for new Terminal Servers

    --> It has a “userCertificate” in its AD Object
  5. Converted it into a VMware Template
  6. Created new VM from this template: Srv2016RDS01

    Used a configuration to generate new SID and automatic domain join
    --> It has no “userCertificate” in its AD Object


Troubleshooting steps

Networking

Active Directory and Infrastructure

  • Service Connection Point (SCP) is set in the forest and has the tenant name and ID 
    (otherwise no computer would be synced)
  • GPOs are not linked to the OU in which the computers are

Local troubleshooting on the VM

  • Scheduled Task for “Workplace Join” is enabled and runs
  • dsregcmd /status


  • EventLog – “Application and Service protocols” -> “Microsoft” -> “Windows” -> “User Device Registration”

    Two errors, each time the Workplace Join task starts:


  • Sysprep
    Also tried a sysprep on the VM, rebooted, manually joined it to AD
    --> Still no userCertificate

    Tried the same again and deleted also the AD object
    --> Still no userCertificate


My conclusion

I guess it has something to do with Server 2019.
Why I am saying this:
I have tested the same setup with an old, existing Server 2019 template
(created “Master VM” -> converted into template -> created VM from this template)
--> all VMs have userCertificates in their AD object


So I would be glad if someone has ideas about it.


Thanks,

Chris
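For anyone working through the same checks, here is an added PowerShell example (not code from the original post). It audits the userCertificate attribute on the computer objects of one OU, decodes the certificate where present, and pulls recent errors from the same User Device Registration log the post inspects by hand. It assumes the RSAT ActiveDirectory module is installed; the OU path is a placeholder, and the check that the certificate subject equals CN=<objectGUID> is an assumption about how the hybrid join certificate is issued.

```powershell
# Added example, not from the original post. Assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-HybridJoinCertReport {
    param([Parameter(Mandatory)][string]$SearchBase)

    Get-ADComputer -SearchBase $SearchBase -Filter * `
        -Properties userCertificate, objectGUID, operatingSystem |
        ForEach-Object {
            $row = [ordered]@{
                Name               = $_.Name
                OS                 = $_.operatingSystem
                HasCert            = ($_.userCertificate.Count -gt 0)
                Subject            = $null
                SubjectMatchesGuid = $null
                NotAfter           = $null
            }
            if ($row.HasCert) {
                # userCertificate is multi-valued; decode the first DER blob
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                    [byte[]]$_.userCertificate[0])
                $row.Subject  = $cert.Subject
                $row.NotAfter = $cert.NotAfter
                # Assumption: the hybrid join self-signed cert carries CN=<objectGUID>
                $row.SubjectMatchesGuid = ($cert.Subject -eq "CN=$($_.objectGUID)")
            }
            [pscustomobject]$row
        }
}

function Get-DeviceRegistrationErrors {
    param([int]$Days = 7)
    # Same log as Applications and Services Logs > Microsoft > Windows > User Device Registration
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-User Device Registration/Admin'
        Level     = 2                      # Error
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Usage with a placeholder OU: list the computers that have no userCertificate
Get-HybridJoinCertReport -SearchBase 'OU=RDS,DC=example,DC=local' |
    Where-Object { -not $_.HasCert } |
    Format-Table Name, OS, HasCert

# Run on the affected server itself to see what the Workplace Join task logged
Get-DeviceRegistrationErrors -Days 7 | Format-List
```

Run the first part from any domain-joined machine with RSAT; the second part must run locally on the server whose registration is failing.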
