Forum Discussion
error_missing_device when joining a domain with hybrid join config
I just inherited this setup, and I've never done a hybrid environment before. I'm just looking for the next clue in the mystery.
I created a VM. I ran dsregcmd /status and it was clean, as expected. No errors.
I joined our domain. I immediately ran dsregcmd /status again, without even rebooting.
Previous Registration : 2024-01-30 20:53:16.000 UTC
Registration Type : sync
Error Phase : join
Client ErrorCode : 0x801c03f3
Server ErrorCode : invalid_request
Server ErrorSubCode : error_missing_device
Server Operation : DeviceRenew
Server Message : The device object by the given id (f6628439-35ae-43c8-969f-7780d1b8d48f) is not found.
Https Status : 400
Request Id : c3ba163b-fcd7-4d3e-8525-9fe3b82ec5bb
This happens to all workstations and as far as I can tell, has always happened. Devices do not show up in Entra as expected. The Azure AD Connector seems to be working as users do show up in M365 and Entra.
I'd like to focus on the errors above. Why is it saying "missing device"? What device is it looking for? Itself? Why? Why would it look for itself and not just create a new record (which is what I'm expecting)?
Any insight appreciated.
8 Replies
- rahuljindal (Bronze Contributor): The error suggests that the device object has not synced in Entra ID. Do the devices have a line of sight to DC? Have you included the user certificate in attributes for syncing in Entra ID connect synchronisation settings?
- ScottCIS (Brass Contributor):
"The error suggests that the device object has not synced in Entra ID."
rahuljindal That was the case, but I still don't understand the error. What made it think it was SUPPOSED to sync to Entra ID? In other words, if the sync was never set up, why the error? Like, why doesn't my personal laptop get this error? It's not synced in Entra ID. See what I'm getting at?
- rahuljindal (Bronze Contributor): I am not sure what you mean, but the sync is really a registration with Entra ID. There are some moving elements running in the background but at a high level your on-prem device objects need to be allowed to sync with default device & user certificate attributes through the Entra ID connect sync. Then you need to decide whether to provide details of your Azure tenant to the devices using SCP or targeted deployment involving GPO. As the final step your devices need to be allowed to go over internet to connect to relevant Azure URLs to register with service and pull down user certificate. This is where the device object in Entra ID is checked for. If missing, the user certificate will not come down to the device. Once satisfied, the device needs line of sight to DC to complete the handshake and finish the hybrid join process. Hope this helps.
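The reply above lists the hybrid join prerequisites in order: a computer object (with its userCertificate) that Entra Connect is allowed to sync, tenant details delivered to the device by SCP or targeted deployment, a registration attempt reported by dsregcmd, and line of sight to a domain controller. The following read-only PowerShell check is an added example for this thread, not something any poster wrote; it walks those same four steps on the workstation so the failing step can be located before reading the dsregcmd error. It assumes the RSAT ActiveDirectory module is installed, that it runs elevated on the domain-joined machine, and it uses the documented SCP container and the CDJ\AAD registry key for targeted deployment; the output object layout is the example's own choice.

```powershell
# Added example (not from this thread): read-only hybrid join prerequisite checks.
# Assumes the ActiveDirectory (RSAT) module is present and the shell is elevated.

function Test-HybridJoinPrereqs {
    $results = @()

    # 1. Computer object and its userCertificate attribute. The OU it lives in
    #    must be inside Entra Connect's sync scope for the object to reach Entra ID.
    $computer = Get-ADComputer -Identity $env:COMPUTERNAME -Properties userCertificate
    $ouOfDevice = ($computer.DistinguishedName -split ',', 2)[1]
    $results += [pscustomobject]@{
        Check  = 'userCertificate present on computer object'
        Result = [bool]$computer.userCertificate
        Detail = "Object lives in: $ouOfDevice (confirm this OU is in the sync scope)"
    }

    # 2a. Service Connection Point in the configuration partition (forest-wide tenant pointer).
    #     The keywords hold azureADName:<tenant> and azureADId:<tenant id> when configured.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $scpDn = "CN=62a0ff2e-97b9-4ae3-b1f6-8a1f3b8b9e48,CN=Device Registration Configuration,CN=Services,$configNC"
    $scp = Get-ADObject -Identity $scpDn -Properties keywords -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{
        Check  = 'Service Connection Point (SCP)'
        Result = [bool]$scp
        Detail = if ($scp) { $scp.keywords -join '; ' } else { 'not found' }
    }

    # 2b. Client-side targeted deployment (registry values that override the SCP).
    $regPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD'
    $reg = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{
        Check  = 'Registry-targeted tenant (CDJ\AAD)'
        Result = [bool]($reg -and $reg.TenantId)
        Detail = if ($reg) { "TenantName=$($reg.TenantName) TenantId=$($reg.TenantId)" } else { 'not configured' }
    }

    # 3. dsregcmd /status, parsed from its "Name : Value" lines into a hashtable so the
    #    join state and any server sub-code (for example error_missing_device) are visible.
    $ds = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*([^:]+?)\s*:\s*(.*)$') { $ds[$Matches[1]] = $Matches[2] }
    }
    $results += [pscustomobject]@{
        Check  = 'dsregcmd /status reports AzureAdJoined'
        Result = ($ds['AzureAdJoined'] -eq 'YES')
        Detail = "DomainJoined=$($ds['DomainJoined']) AzureAdJoined=$($ds['AzureAdJoined']) ServerErrorSubCode=$($ds['Server ErrorSubCode'])"
    }

    # 4. Line of sight to a domain controller (LDAP port 389), needed to finish the join.
    $dc = Get-ADDomainController -Discover -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{
        Check  = 'Domain controller reachable'
        Result = [bool]$dc -and (Test-NetConnection -ComputerName $dc.HostName -Port 389 -InformationLevel Quiet)
        Detail = if ($dc) { $dc.HostName } else { 'no DC discovered' }
    }

    return $results
}

Test-HybridJoinPrereqs | Format-Table Check, Result, Detail -AutoSize
```

Read the table top to bottom: the first check that reports False is the step the reply says must be satisfied before the next one can work, and in the situation described in this thread (OU outside the sync scope) the userCertificate row is present but the object never reaches Entra ID, which is consistent with the service answering error_missing_device.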
- ScottCIS (Brass Contributor): So I discovered that Azure AD connect was not set to sync the OU which computers reside in. So this explains why they are not showing up in Entra. Cool. But can you explain what, then, is trying to "sync" it which results in the errors in my original post?