Forum Discussion
error_missing_device when joining a domain with hybrid join config
I just inherited this setup, and I've never done a hybrid environment before. I'm just looking for the next clue in the mystery. I created a VM. I ran dsregcmd /status and it was clean, as expect...
"The error suggests that the device object has not synced in Entra ID. "
rahuljindal That was the case, but I still don't understand the error. What made it think it was SUPPOSED to sync to Entra ID? In other words, if the sync was never set up, why the error? Like, why doesn't my personal laptop get this error? It's not synced in Entra ID. See what I'm getting at?
I am not sure what you mean, but the sync is really a registration with Entra ID. There are some moving elements running in the background but at a high level your on-prem device objects need to be allowed to sync with default device & user certificate attributes through the Entra ID connect sync. Then you need to decide whether to provide details of your Azure tenant to the devices using SCP or targeted deployment involving GPO. As the final step your devices need to be allowed to go over internet to connect to relevant Azure URLs to register with service and pull down user certificate. This is where the device object in Entra ID is checked for. If missing, the user certificate will not come down to the device. Once satisfied, the device needs line if sight to DC to complete the handshake and finish the hybrid join process. Hope this helps.
- Imagine I said I had an error that said my computer won't power on and you said "Did you power it on". So then I turned it on and it worked. Wouldn't you be curious about the initial error? That's how I feel about this sync error. Why was there a sync error if the sync had never been set up correctly?
- There was an error because you didn’t have the configuration in place all the way. It is like any other thing. If your engine oil light comes on and you fix it by putting in more engine oil then the indicator did its job. 😊
- | you didn’t have the configuration in place all the way
Right, that's what I'm trying to figure out. What part of the configuration was complete? Why was it trying to join if it wasn't in an OU with the policy?