Disabling Hybrid join for DCs Servers 2019
I am trying to unjoin Entra Hybrid join for domain controllers.
I did following but didn't helped.
1) DSREGCMD /leave
2) disabled workplace join from task scheduler
3) added deny workplace join reg key.
Forum Discussion
- Good afternoon!
When you run dsregcmd /status is it still saying that it's Azure AD Joined?
You can run the /debug option when running dsregcmd /leave to get additional insight while running it, so dsregcmd /debug /leave
Typically it has be ran twice, the first time kicks off the process to remove the NGC for the current user, and then the 2nd time finishes it off.
You'll want to make sure that any server you don't want hybrid joined is no longer being synced through Entra Connect sync, so for domain controllers you can do by unselecting the Domain Controllers OU from the Domain/OU filtering objects in Entra Connect.
If then you run dsregcmd /status it should return 'AzureADJoined : NO' at the top, which at that point it should only be domain joined. In my experience that device object will still exist in the Azure portal as a 'Hybrid Azure AD Joined' device regardless of whether the device is actually joined at that point so you have to delete the device object in the azure/entra portal if you dont want it showing up there anymore.JeremyWallace Good Morning and Thanks for sharing this.
Are there any possible impacts after deselecting the DC Server OU filtering object in Entra Connect SyncEngine?
