Forum Discussion
Starting Wait for ODJ Blob
- Aug 12, 2022: The laptop has a connection to Endpoint Manager, gets the enrollment profile, and the Intune Connector is listening for Hybrid Join events. If needed, it will do an Offline Domain Join by sending the computer account blob to Endpoint Manager, which sends it to the client. There is no direct connection between the laptop and the Intune Connector needed.
Does the server which runs the Intune Connector have internet access to all the URLs mentioned in the deployment guide?
We do not have a proxy server. I did check the config file in both ODJConnector folders as per this document
https://docs.microsoft.com/en-us/troubleshoot/mem/intune/intune-connector-for-ad-not-appear
and also
https://docs.microsoft.com/en-us/mem/intune/enrollment/autopilot-hybrid-connector-proxy
There is no proxy specified in the config file, so I could not even change it to FALSE. It is still spinning, and I am not sure how long it takes for the ODJ blob file to download and set it up. Usually an hour or less than that?
ODJRequestHandlingPipelineDownload_Failure: Failed to download ODJ requests.
InstanceId:We are unable to complete your request because a server-side error occurred. Please try again. [Exception Message: "DiagnosticException: 0x0FFFFFFF. We are unable to complete your request because a server-side error occurred. Please try again."] [Exception Message: "DiagnosticException: 0x0000040F. HTTP request is unsuccessful."] [Exception Message: "odjHttp.Call failed. activityId=bf9d5706-4b99-4624-86ac-0886888328d6 parameters={"options":{"batchSize":null,"connectorBuildVersion":"6.2204.38.3","connectorName":"MMI-ICS01-CYH"}}"] [Exception Message: "Expected:OK Responded:503 (Service Unavailable)"] [Exception Message: "<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Service Unavailable</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Service Unavailable</h2>
<hr><p>HTTP Error 503. The service is unavailable.</p>
</BODY></HTML>
"],
DiagnosticCode:CBEB90D3-5A20-4109-B8C9-CF3D6B32BF71,
DiagnosticText:Unknown_Error
Do you have the Hybrid Azure AD Join profile assigned to the same group in which you assign a Domain Join Profile?
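The 503 above comes from the connector's HTTPS call to the Microsoft service, not from the client or the domain controller, so the first things worth checking on the connector server are the service state, outbound TCP 443 to the service endpoints, the proxy element in the service config, and the recent connector errors. The following PowerShell is an added example for this thread, not code from the original posts or from Microsoft. It assumes (not stated in the thread) that the connector writes to an event log named 'ODJ Connector Service', that the service config lives at the path in $ConfigPath, and that $Endpoints is only a subset of the URLs in the deployment guide; adjust those to the guide and to your install.

```powershell
# Added example: run as an administrator on the server hosting the Intune Connector for AD.
# Assumptions (not from the thread): log name, config path and endpoint list below.
$Endpoints = @(
    'login.microsoftonline.com',          # assumed subset of the deployment-guide URL list
    'enterpriseregistration.windows.net',
    'device.login.microsoftonline.com',
    'manage.microsoft.com'
)
$ConfigPath = 'C:\Program Files\Microsoft Intune\ODJConnector\ODJConnectorSvc\ODJConnectorSvc.exe.config'  # assumed path

# 1. Is the connector service installed and running? (matched by display name, since the
#    exact service name is not quoted anywhere in the thread)
Get-Service | Where-Object { $_.DisplayName -like '*ODJ*' } |
    Select-Object Name, DisplayName, Status, StartType

# 2. Direct TCP 443 reachability to each endpoint. The OP states there is no proxy, so a
#    failed TcpTestSucceeded here points at the firewall, not at connector configuration.
foreach ($ep in $Endpoints) {
    $r = Test-NetConnection -ComputerName $ep -Port 443 -WarningAction SilentlyContinue
    [pscustomobject]@{ Endpoint = $ep; Resolved = $r.RemoteAddress; Tcp443 = $r.TcpTestSucceeded }
}

# 3. Proxy view from both places the connector could pick one up: the machine-wide WinHTTP
#    setting and the <system.net><defaultProxy> element in the .NET service config.
netsh winhttp show proxy
if (Test-Path $ConfigPath) {
    [xml]$cfg = Get-Content -Path $ConfigPath
    $proxy = $cfg.configuration.'system.net'.defaultProxy
    if ($null -eq $proxy) {
        'No <defaultProxy> element in the service config: the connector uses no explicit proxy.'
    } else {
        $proxy | Format-List
    }
}

# 4. Recent connector errors (Level 2 = Error) with the HTTP status pulled out of the message,
#    so a transient "Responded:503" is easy to tell apart from a 401/403 or a DNS failure.
Get-WinEvent -FilterHashtable @{ LogName = 'ODJ Connector Service'; Level = 2; StartTime = (Get-Date).AddHours(-24) } -ErrorAction SilentlyContinue |
    Select-Object -First 10 TimeCreated, Id,
        @{ n = 'HttpStatus'; e = { if ($_.Message -match 'Responded:(\d{3})') { $Matches[1] } } },
        @{ n = 'Summary';    e = { ($_.Message -split "`n")[0] } }
```

If step 2 succeeds and step 4 still shows only 503s, the failure is on the service side (the message text itself says "server-side error occurred"), and repeating the test later, or checking the Intune service health page, is the right next move rather than changing the connector config.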
- Aug 17, 2022: That's the purpose, but your client needs to complete the domain join on the machine using the blob file. And it can only do so when in line of sight of the Domain Controllers of your domain.
- oryxway390, Aug 17, 2022: Isn't the purpose of the Intune Connector for Offline Domain Join to make sure that it can get the domain information and join the domain? Isn't that the reason why this blob is being sent to the device? I am kind of confused about this.
- Aug 17, 2022: I guess firewalling issues, but you did change a few things now for your deployment. You could try the office again? And those legacy applications... Are they client/server based? Can you create RemoteApps from them using RDS? Where is the file server data; are you moving to Teams? So many questions making Azure AD or Hybrid Azure AD join the option to choose...
- oryxway390, Aug 17, 2022: We earlier tried another laptop from our office network while inside the office; even that did not go through. So, I am going to try one more time. Well, the reason is that there are legacy applications and they want to have it Hybrid AD until we decide to move to Azure AD. How that solves it I am not sure; I have never done Hybrid AAD. I have come from an AAD environment which was totally managed by Intune.
- Aug 17, 2022: Then this is not something that is going to work out for remote users. You will have to either stage them at work or not use hybrid join.
I think I asked you that question many topics and replies ago: why do you want to hybrid join them? You can access file servers, for example, with key trust and Kerberos tickets from there on out.
- oryxway390, Aug 17, 2022: I am testing from my home, not on the office network. These are machines that are going to be shipped to users' locations, and they just take them out of the box and join.
- Aug 17, 2022: That will never work. Normal Autopilot profiles will work, of course, but not hybrid join, for the reasons in my reply above.
- Aug 17, 2022: You can only deploy Hybrid Azure AD machines if they are on a network at an office location with a direct connection to your Domain Controller; you can't deploy machines at home. There's an exception to that rule: if you have a supported VPN client which can automatically connect to your network, then it also works, but the list of VPN suppliers that are supported isn't that big.
So... Can you deploy a Windows 10/11 VM in your server network and try that, just to see if that works? (Or a desktop/laptop at the office.) Where are you testing now?
- oryxway390, Aug 17, 2022: Well, in the case of OOBE devices they are not going to be on the network or on VPN; they are going to be joining using the wireless network at the user's home.
- oryxway390, Aug 17, 2022: I think here is the problem. I see Event ID 304 and 204 in the User Device Registration event logs. Based on this, it says that the device has to be on the internal network or on a VPN. These devices are not internal or on VPN; they are on independent users' wireless networks.
So, I am wondering whether there is a rule that should be in place for these devices to communicate with the domain controller? I see all the other things happening fine, and the device is domain joined.
https://docs.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current
Step 4: Check for possible causes and resolutions
Pre-check phase
Possible reasons for failure: The device has no line of sight to the domain controller.
The device must be on the organization's internal network or on a virtual private network with a network line of sight to an on-premises Active Directory domain controller.
- Aug 17, 2022: If the server which is running the connector service is in the same network/VLAN, then there should not be an issue. What do you see in the event log of the server, in the ODJ event log?
And again... Can the machine you're deploying ping the domain controller when deploying? Is the hybrid join profile assigned to the same group (in which the computer is that you're deploying) as the domain join profile?
- oryxway390, Aug 17, 2022: I have a Wireshark capture that was running on the Intune server and am looking into it. Not sure about the FW; the network person did not see anything there, I suppose. I think it is possible that there is some issue between the Intune Connector and the Domain Controller. Any events or event IDs that I would see on the DC regarding the blob, or Intune-specific?
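The pre-check quoted from the troubleshooting guide above (line of sight to a domain controller) is something you can reproduce by hand on the Autopilot client, which separates "the connector cannot talk to the service" from "the device cannot reach a DC". The following PowerShell is an added example for this thread, not code from the original posts or from Microsoft. It assumes a placeholder AD DNS name 'corp.example.com' (replace with your domain); the SRV record name, the ports, dsregcmd /status and the 'Microsoft-Windows-User Device Registration/Admin' log with events 204 and 304 are the standard ones referenced in the thread and the linked guide.

```powershell
# Added example: run on the client from Shift+F10 during OOBE, or after first sign-in,
# to check the hybrid join pre-check yourself. 'corp.example.com' is a placeholder.
$Domain = 'corp.example.com'   # assumption: replace with the on-premises AD DNS name

# 1. Find DCs the same way the join does: an SRV lookup for _ldap._tcp.dc._msdcs.<domain>.
#    On a home wireless network with no VPN this normally returns nothing, which is exactly
#    the "no line of sight" case the guide describes.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue
$dcs = @($srv | Where-Object { $_.Type -eq 'SRV' } | Select-Object -ExpandProperty NameTarget -Unique)
if ($dcs.Count -eq 0) {
    Write-Warning "No SRV records for $Domain resolved from this network; the device has no line of sight to a DC."
}

# 2. For every DC found, test the ports the join and the first Kerberos logon need:
#    88 (Kerberos), 389 (LDAP), 445 (SMB/Netlogon). Any 'Open = False' blocks the join.
foreach ($dc in $dcs) {
    foreach ($port in 88, 389, 445) {
        $t = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ DC = $dc; Port = $port; Open = $t.TcpTestSucceeded }
    }
}

# 3. The device's own view of its join state. DomainJoined: YES with AzureAdJoined: NO means the
#    ODJ blob was applied but the Azure AD half of the hybrid join has not completed.
dsregcmd /status | Select-String -Pattern 'AzureAdJoined|DomainJoined|DomainName|AzureAdPrt'

# 4. The events the OP saw (204 and 304) live in this log; the first line of each message
#    states which phase (pre-check, discovery, registration) failed.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-User Device Registration/Admin'; Id = 204, 304 } -ErrorAction SilentlyContinue |
    Select-Object -First 5 TimeCreated, Id, @{ n = 'Text'; e = { ($_.Message -split "`n")[0] } }
```

Run steps 1 and 2 once from the office LAN and once from a home network: if the office run shows open ports and the home run resolves no DCs, the behaviour matches the replies above, and the only remote options are a VPN client that connects before logon or dropping hybrid join.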