Forum Discussion
Enrolments referencing old Intune Connector Server for something
Hope all is well.
A couple of weeks ago, we moved our Intune Connector to a new server. The new server name has already been showing in the Microsoft Intune Admin Centre as "active" and it's healthy, latest version and syncing since it was installed on the new Intune Connector server.
The old Intune server has already passed the 30 days and has been automatically removed from the Microsoft Intune Admin Centre.
Enrolments have been going very well.
Today we shut down the old Intune Connector server for decommissioning and suddenly the enrolments failed, until we powered the old Intune Connector server back up; then enrolments went ahead again successfully.
When I check the Windows Application logs I see the logs for the successful enrolments on the correct server, the new one.
My question is, does anyone perhaps have any idea what would still be referencing the old Intune Connector server, which will cause enrolment failures when we shut it down?
Thank you
9 Replies
- CRDP (Copper Contributor)
Hi Dionysis
Thank you for the response and advice.
1. Check AD Service Connection Points (SCP) for any lingering references to the old server = I checked this now and can't see any references to the old server
2. Verify DNS records / CNAMEs that may still point to the old machine = the new server has a brand new IP and its own DNS record. I have to keep the old server DNS entry, as we see now we still need it for some reason, and don't want to fiddle with it as the client is currently doing enrolments.
3. Review event logs on both servers during enrolment to confirm which connector is being called = the new server is being called
4. Reinstall or repair the Intune Connector on the new server to force refresh of all references = can't do this now as the client is enrolling devices
5. After confirming cleanup, decommission the old server again and test with a new device enrolment = can't do this now as the client is enrolling devices
- Bogdan_Guinea (Steel Contributor)
I’ve been going through your troubleshooting steps and the other reviews to understand the issue, and it looks like you’ve already checked quite a bit.
Just wanted to check—have you also looked into whether the old certificate is still issued or revoked in your Certificate Authority, and are there any proxies or firewalls doing SSL inspection that might still be using the old certificate?
Good luck!
- CRDP (Copper Contributor)
Hi Bogdan
Thank you for the advice, I have checked the Issued certificates now and I do not see any certificate referencing the old or the new Intune Connector Server, not sure if the fact that there is no certificate is a problem.
One thing I did notice yesterday is the old Intune server is in the SERVERS OU in AD where the new Intune server is not in the SERVERS OU, only the COMPUTERS OU in AD. I have informed the client about this and we plan to move the new Intune server to the SERVERS OU like the old one to see if it perhaps helps, not sure if it will. But we can only do it once they have completed their current batch of student enrolments which will probably still take another week, no changes allowed now.
- Dionysis_K (Copper Contributor)
Hello,
Thank you for sharing the details. From what you describe, it sounds like some enrolments are still being redirected to the old Intune Connector server despite it being removed from the Intune Admin Center. This can happen in a few scenarios:
- DNS / Service Connection Point (SCP) References
  - The old server’s name or service records may still exist in AD or DNS (e.g., SCP under CN=Configuration, DC=... in Active Directory). New enrolments may attempt to resolve it first before falling back.
- Certificates or Tokens
  - Devices that started enrolment before the switch might still be holding enrolment information pointing to the old connector until the process completes.
- Group Policy / MDM Auto-enrolment
  - Check if there are any Group Policy Objects or local settings that still reference the old server’s name or connector path.
- Connector Cleanup
  - While the Intune Admin Centre shows the new server as active and the old one removed, there may still be cached entries at the device level or within the Connector installation itself that need manual cleanup.
Recommended Actions
- Check AD Service Connection Points (SCP) for any lingering references to the old server.
- Verify DNS records / CNAMEs that may still point to the old machine.
- Review event logs on both servers during enrolment to confirm which connector is being called.
- Reinstall or repair the Intune Connector on the new server to force refresh of all references.
- After confirming cleanup, decommission the old server again and test with a new device enrolment.
This should help identify and eliminate dependency.
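The SCP, DNS and Group Policy checks listed above can be run as one read-only sweep. The script below is an added example, not part of any poster's reply or of Microsoft's tooling; the server name, DNS zone and DNS server are placeholders, and it assumes the RSAT ActiveDirectory, GroupPolicy and DnsServer modules are installed.

```powershell
# Added example: every name below is a placeholder, not a value from this thread.
$OldServer = 'OLD-CONNECTOR01'        # hypothetical short name of the old connector server
$DnsZone   = 'corp.example.com'       # hypothetical AD-integrated DNS zone
$DnsServer = 'dc01.corp.example.com'  # hypothetical DNS server hosting that zone

Import-Module ActiveDirectory, GroupPolicy, DnsServer

$pattern  = [regex]::Escape($OldServer)
$findings = [System.Collections.Generic.List[object]]::new()

# 1. Service Connection Points: search both the configuration and domain
#    partitions, since SCPs can live under either.
$root = Get-ADRootDSE
foreach ($base in $root.configurationNamingContext, $root.defaultNamingContext) {
    Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=serviceConnectionPoint)' `
        -Properties serviceBindingInformation, serviceDNSName, keywords |
      Where-Object {
        (@($_.serviceBindingInformation) + @($_.serviceDNSName) +
         @($_.keywords) + $_.DistinguishedName) -match $pattern
      } |
      ForEach-Object {
        $findings.Add([pscustomobject]@{ Source = 'SCP'; Item = $_.DistinguishedName })
      }
}

# 2. DNS: CNAME records in the zone whose target is the old server.
Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $DnsZone -RRType CName |
  Where-Object { $_.RecordData.HostNameAlias -match "^$pattern(\.|$)" } |
  ForEach-Object {
    $findings.Add([pscustomobject]@{
        Source = 'CNAME'; Item = "$($_.HostName) -> $($_.RecordData.HostNameAlias)" })
  }

# 3. Group Policy: any GPO whose XML report mentions the old server name.
foreach ($gpo in Get-GPO -All) {
    if ((Get-GPOReport -Guid $gpo.Id -ReportType Xml) -match $pattern) {
        $findings.Add([pscustomobject]@{ Source = 'GPO'; Item = $gpo.DisplayName })
    }
}

# An empty result means none of these three places still names the old server.
$findings | Sort-Object Source, Item | Format-Table -AutoSize
```

The script only reads from AD, DNS and Group Policy, so it can be run while enrolments are in progress.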
- rahuljindal (Bronze Contributor)
Is the configuration the same on the new server in terms of certificate type? Were the enrolments actually going through the new cert connector when it was running parallel to the old one?
- CRDP (Copper Contributor)
Hi Rahul
Thanks for your input.
I checked the certs now on old and new Intune server.
They look the same, except for the "valid from" dates, but that's expected.
When we moved over to the new Intune server the old Intune connector was uninstalled from the old server to clean it up, but yesterday when we finally shut down the old Intune Connector server the enrolments stopped working.
Old Cert on old Intune Connector server:
New Cert on new Intune Connector server:
- rahuljindal (Bronze Contributor)
Thanks CRDP. Can you also confirm if the certificates were actually enrolling through the new connector when you removed the connector from the old server?