Azure AD Connect
112 Topics

Entra Hybrid Join - Problems with Server 2016 and userCertificate
Dear Community,

I am having some trouble with the hybrid join of a group of servers (Windows Server 2016). The basic problem is that Windows is not creating the required self-signed certificate, and therefore the AD attribute "userCertificate" is empty. As we know, while it is empty, the objects do not get synced to Entra ID (A Mobile Attempt: Azure AD Hybrid Join and the UserCertificate Attribute). And I cannot find out why this certificate is not created.

As mentioned, it affects only some Server 2016 machines, which are our RDS Terminal Servers. All other Windows Servers and clients are synced successfully and have a userCertificate (including other Server 2016). All our servers are VMs, based on VMware.

Some more words about these RDS servers: they are cloned from a VMware template. The deployment process is as follows:
  o On a Master VM we install all updates / software. It is domain joined and has a userCertificate.
  o The Master VM gets converted into a VMware template.
  o New RDS TS are created from this template, with a configuration to reset the SID and automatic domain join. They have no userCertificate.

Test lab for troubleshooting

I created some new VMs to test and verify the behavior. Here is what I did:
  - Installed a new Windows Server 2016 VM from DVD
  - Installed all latest updates
  - Converted it into a VMware template -> Srv2016_Template (this should be my new template for Server 2016)
  - Created a new VM from this template: Srv2016RDSMaster, using a configuration to generate a new SID and automatic domain join (this should simulate my Master template for new Terminal Servers)
    --> It has a "userCertificate" in its AD object
  - Converted it into a VMware template
  - Created a new VM from this template: Srv2016RDS01, using a configuration to generate a new SID and automatic domain join
    --> It has no "userCertificate" in its AD object

Troubleshooting steps

Networking
  - No proxy, direct Internet
  - No DENY on our firewall -> Internet available
  - Verified that these URLs are accessible:
    https://enterpriseregistration.windows.net
    https://login.microsoftonline.com
    https://device.login.microsoftonline.com
    https://autologon.microsoftazuread-sso.com

Active Directory and Infrastructure
  - Service Connection Point (SCP) is set in the forest and has the tenant name and ID (otherwise no computer would be synced)
  - GPOs are not linked to the OU in which the computers are

Local troubleshooting on the VM
  - Scheduled Task for "Workplace Join" is enabled and runs
  - dsregcmd /status
  - Event Log: "Applications and Services Logs" -> "Microsoft" -> "Windows" -> "User Device Registration": two errors, each time the Workplace Join task starts:

Sysprep
  - Also tried a sysprep on the VM, rebooted, manually joined it to AD --> still no userCertificate
  - Tried the same again and also deleted the AD object --> still no userCertificate

Activated TLS 1.2
  - Enable TLS 1.2 on servers - Configuration Manager | Microsoft Learn -> no effect

Articles I read and verified
  - Plan your Microsoft Entra hybrid join deployment - Microsoft Entra ID | Microsoft Learn
  - Configure Hybrid Azure AD Join - Everything you need to know
  - A Mobile Attempt: Azure AD Hybrid Join and the UserCertificate Attribute
  - Troubleshoot Microsoft Entra hybrid joined devices - Microsoft Entra ID | Microsoft Learn

My conclusion

I guess it has something to do with Server 2019. Why I am saying this: I have tested the same setup with an old, existing Server 2019 template (created "Master VM" -> converted into template -> created VM from this template) --> all VMs have userCertificates in their AD object.

So I would be glad if someone has ideas about it.

Thanks,
Chris

38 Views, 0 likes, 0 Comments

Group writeback doesn't sync back to Entra
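The post above checks the scheduled task, dsregcmd /status and the event log by hand on each clone. As an added example (not part of the post, not Microsoft documentation), the script below collects the same evidence in one pass: an AD-side inventory of computer objects in an OU that still have an empty userCertificate, and an on-device report of the Automatic-Device-Join task result, the dsregcmd join state, the device certificate in the machine store and the latest errors from the User Device Registration admin log. The OU distinguished name and the idea of matching the local certificate by its "MS-Organization-Access" issuer are assumptions for illustration; RSAT AD PowerShell is required for the AD query and the second function must run elevated on the affected server.

```powershell
# Added example: audit hybrid-join prerequisites for cloned servers.
# Placeholders: the OU DN in the usage lines. Not from the original post.

function Get-ComputersWithoutUserCertificate {
    param(
        [Parameter(Mandatory)][string]$SearchBase,   # e.g. "OU=RDS,DC=contoso,DC=local" (placeholder)
        [string]$Server                              # optional DC to query
    )
    $params = @{ SearchBase = $SearchBase; Filter = '*'; Properties = 'userCertificate', 'operatingSystem', 'whenCreated' }
    if ($Server) { $params.Server = $Server }
    Get-ADComputer @params | ForEach-Object {
        [pscustomobject]@{
            Name            = $_.Name
            OperatingSystem = $_.operatingSystem
            Created         = $_.whenCreated
            CertCount       = @($_.userCertificate).Count   # 0 = Connect Sync will not hybrid join this object
        }
    } | Where-Object CertCount -eq 0
}

function Get-LocalDeviceJoinState {
    # The task that creates the self-signed device certificate and writes it to userCertificate.
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\Workplace Join\' -TaskName 'Automatic-Device-Join'
    $info = $task | Get-ScheduledTaskInfo

    # Parse "Key : Value" lines of dsregcmd /status into a hashtable.
    $status = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') { $status[$Matches[1]] = $Matches[2] }
    }

    # Assumption: the device certificate is issued by "MS-Organization-Access" in the machine store.
    $localCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object Issuer -like '*MS-Organization-Access*'

    [pscustomobject]@{
        TaskState        = $task.State
        TaskLastRun      = $info.LastRunTime
        TaskLastResult   = ('0x{0:X8}' -f $info.LastTaskResult)   # 0x00000000 means the last run succeeded
        DomainJoined     = $status['DomainJoined']
        AzureAdJoined    = $status['AzureAdJoined']
        DeviceId         = $status['DeviceId']
        TenantName       = $status['TenantName']
        LocalDeviceCerts = @($localCerts | Select-Object -ExpandProperty Thumbprint)
        RecentJoinErrors = Get-WinEvent -FilterHashtable @{
                               LogName = 'Microsoft-Windows-User Device Registration/Admin'; Level = 2
                           } -MaxEvents 10 -ErrorAction SilentlyContinue |
                           Select-Object TimeCreated, Id, Message
    }
}

# Usage (placeholders):
# Get-ComputersWithoutUserCertificate -SearchBase 'OU=RDS,DC=contoso,DC=local' | Format-Table
# Get-LocalDeviceJoinState | Format-List
```

Running the second function on a clone that has a userCertificate and on one that does not, and diffing the two outputs (task result code, DeviceId, event IDs), narrows the problem to the template step where the two machines diverge.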
Hi all,

Can't find documentation on whether this should actually work or not. I enabled group writeback, which works fine. Now if I add a user to one of those groups in local Active Directory and sync the user to Entra, the user isn't a member of the group there. Might be just normal behavior, but it would be nice if it did sync.

47 Views, 0 likes, 2 Comments

General Question About Federation
Hello,

We have a federated domain, and to my knowledge this means that all authentication for this domain will be sent to ADFS and will not be handled directly in Azure Entra ID. Is the following statement correct?

When I register an app in Entra ID, the authentication will still be handed off to ADFS (when my user types in [email address removed for privacy reasons], I will first go to Microsoft, which will then hand it off to ADFS). Will there be any additional config required on the ADFS server for the registered application?

If I would like to bypass this federated authentication, the only way to do this is to change it to a managed domain, removing the federation, or do a staged rollout as described here: Microsoft Entra Connect: Cloud authentication via Staged Rollout - Microsoft Entra ID | Microsoft Learn

29 Views, 0 likes, 1 Comment

Double entries in userCertificate prevent Hybrid Join
Hey guys,

I have an interesting situation at a customer. They use a third-party MFA provider while being on a federation. That means new computers will never have a registered state. For users it is mandatory that their clients have completed the Hybrid Join to use M365 apps, which can be a real pain. So the Automatic-Device-Join task has to create the userCertificate on the on-premises computer object before it can be synchronized to Entra.

Here comes the issue. In some cases we see that some computers create two userCertificate entries. This situation leads to an inconsistent Hybrid Join. I already tried to remove one of the certificates, but for me it is impossible to recognize which is the right one. The only solution for me was to remove both entries under userCertificate and let the Automatic-Device-Join task create a new one. Afterwards the Hybrid Join works.

I want to understand which process or scenario might create the double userCertificate entries.

210 Views, 0 likes, 1 Comment

Entra Cloud Sync - Will Creating a New Configuration Sync Immediately With Defaults
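The post above says it is impossible to tell which of the two userCertificate values is the right one. As an added example (not part of the post, not Microsoft code), the functions below decode every value of the multi-valued attribute as an X.509 certificate, show subject, issuer, validity and thumbprint, and mark the value whose thumbprint is present in the device's own machine store, so that only the stale value is removed instead of both. The computer name is a placeholder, and selecting the local certificate by its "MS-Organization-Access" issuer is an assumption for illustration; the AD functions need RSAT AD PowerShell, and the local-store comparison either runs on the affected client or is given that client's thumbprints.

```powershell
# Added example: identify and remove the stale value when a computer object
# carries more than one userCertificate. Placeholder: the computer name. Not from the post.

function Get-AdUserCertificates {
    param([Parameter(Mandatory)][string]$ComputerName)
    $obj    = Get-ADComputer -Identity $ComputerName -Properties userCertificate
    $values = @($obj.userCertificate)            # multi-valued; each value is a DER-encoded X.509 blob
    for ($i = 0; $i -lt $values.Count; $i++) {
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$values[$i])
        [pscustomobject]@{
            Index      = $i
            Subject    = $cert.Subject           # assumption: hybrid-join certs use CN=<device id GUID>
            Issuer     = $cert.Issuer
            NotBefore  = $cert.NotBefore
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
        }
    }
}

function Compare-AdCertsWithLocalStore {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        # Thumbprints present on the device; the default reads the local store when run on the client.
        [string[]]$LocalThumbprints = (Get-ChildItem Cert:\LocalMachine\My |
                                        Where-Object Issuer -like '*MS-Organization-Access*' |
                                        Select-Object -ExpandProperty Thumbprint)
    )
    $adCerts = @(Get-AdUserCertificates -ComputerName $ComputerName)
    if ($adCerts.Count -gt 1) {
        Write-Warning "$ComputerName has $($adCerts.Count) userCertificate values; only one should match the device."
    }
    foreach ($c in $adCerts) {
        $c | Add-Member -NotePropertyName OnDevice -NotePropertyValue ($LocalThumbprints -contains $c.Thumbprint) -PassThru
    }
}

# Removes only the value(s) that are NOT on the device. Use -WhatIf to preview the change.
function Remove-StaleAdUserCertificate {
    param([Parameter(Mandatory)][string]$ComputerName, [switch]$WhatIf)
    $obj    = Get-ADComputer -Identity $ComputerName -Properties userCertificate
    $values = @($obj.userCertificate)
    $report = Compare-AdCertsWithLocalStore -ComputerName $ComputerName
    foreach ($stale in ($report | Where-Object { -not $_.OnDevice })) {
        Set-ADComputer -Identity $ComputerName -Remove @{ userCertificate = $values[$stale.Index] } -WhatIf:$WhatIf
    }
}

# Usage (placeholder computer name):
# Compare-AdCertsWithLocalStore -ComputerName 'CLIENT01' | Format-Table Index, Subject, NotBefore, Thumbprint, OnDevice
# Remove-StaleAdUserCertificate -ComputerName 'CLIENT01' -WhatIf
```

Keeping the NotBefore timestamps in the report also helps answer the post's real question: if the two values differ in creation time, that gives a window to match against task runs, imaging or re-join events on the client.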
Setting up a new Entra Cloud Sync agent for a customer who already has an established on-prem AD and Azure AD with a mess of non-synced accounts and passwords between them. So I need to do a slow roll on this thing and filter syncing by OUs in AD. I know I have to create a new configuration in the Azure portal, but what are the risks of the default config kicking in and doing a sync of all my users before I have a chance to filter it down to just the OUs I want to sync? Should I disable the on-prem agent before creating a config in the cloud? That "Create" button is giving me anxiety 😐

Thanks,
Dan

Solved | 355 Views, 0 likes, 2 Comments

JoinNotFound
I have seen a post on here with the same error, but it didn't seem to help me, so rather than hijack the thread I'd ask again. More specifically, I don't understand which attribute it's trying to match on and how to set/check that. I get this when doing a provision on demand:

"No action required. User '....' is not a newly discovered entry to be provisioned in the target application, nor one with an update that should flow to a target entry with which it was previously matched." Skip reason: JoinNotFound.

I'll go through the documents again on Microsoft Learn in case I've missed something, but if anyone has any pointers I'd be most grateful.

TIA
Andrew

260 Views, 0 likes, 0 Comments

Azure AD Connect - One forest - Two tenants - Same OUs
Hi All,

We are looking to add a second Azure AD Connect to our environment to have users synchronized to a new tenant (second tenant, different domain). According to Microsoft this is a supported approach, but is it also OK to have the same OUs as part of both syncs? We currently have situations where the same user object may belong to ContosoA and ContosoB, or would the users that belong to each tenant need to be part of their own OUs and exclusive to each?

Thanks.

737 Views, 0 likes, 7 Comments

Azure AD Connect Staging Mode server not kept in sync
I have a test environment where the Staging Mode server was not kept up to date with the active Azure AD Connect server. When I export the configs on each and compare the two, there are some major differences. Is there a way I can just import the config from the active server and place it on the staging server so they get back to the same configuration? Alternatively, can I uninstall the staging server, then re-install and import the configuration from the active server?

628 Views, 0 likes, 4 Comments

Entra Connect Sync duplicated UPN
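Before re-importing anything, it helps to know exactly which rules drifted between the active and staging servers. As an added example (not part of the post, not Microsoft tooling), the functions below use the ADSync module that ships with Microsoft Entra Connect to export each server's sync rule set and staging flag to an XML file, then diff the two files by rule identifier. The file paths are placeholders; the property names read from Get-ADSyncRule (Name, Identifier, Direction, Precedence, Disabled, Version, Connector, IsStandardRule) are those exposed by the cmdlet, and using Version as a change indicator for edited rules is an assumption for illustration.

```powershell
# Added example: export and diff sync rule sets of two Entra Connect servers.
# Run Export-ConnectRuleSet on each server, copy both XML files to one host,
# then run Compare-ConnectRuleSets. Paths are placeholders. Not from the post.

function Export-ConnectRuleSet {
    param([Parameter(Mandatory)][string]$OutFile)   # e.g. 'C:\Temp\rules-active.xml' (placeholder)
    Import-Module ADSync
    $rules = Get-ADSyncRule | ForEach-Object {
        [pscustomobject]@{
            Name       = $_.Name
            Identifier = [string]$_.Identifier        # out-of-box rules share the same GUID on every install
            Direction  = [string]$_.Direction
            Precedence = $_.Precedence
            Disabled   = $_.Disabled
            Version    = $_.Version                   # assumption: bumps when a rule is edited
            Connector  = [string]$_.Connector
            IsStandard = $_.IsStandardRule
        }
    }
    [pscustomobject]@{
        Server      = $env:COMPUTERNAME
        StagingMode = (Get-ADSyncScheduler).StagingModeEnabled
        Rules       = @($rules)
    } | Export-Clixml -Path $OutFile
}

function Compare-ConnectRuleSets {
    param(
        [Parameter(Mandatory)][string]$ActiveFile,
        [Parameter(Mandatory)][string]$StagingFile
    )
    $a = Import-Clixml -Path $ActiveFile
    $s = Import-Clixml -Path $StagingFile
    if (-not $s.StagingMode) {
        Write-Warning "$($s.Server) is NOT in staging mode: two exporting servers would both write to Entra ID."
    }
    $aById = @{}; foreach ($r in $a.Rules) { $aById[$r.Identifier] = $r }
    $sById = @{}; foreach ($r in $s.Rules) { $sById[$r.Identifier] = $r }

    foreach ($id in $aById.Keys) {
        $r = $aById[$id]
        if (-not $sById.ContainsKey($id)) {
            [pscustomobject]@{ Rule = $r.Name; Status = 'MissingOnStaging'; Active = $r.Version; Staging = $null }
            continue
        }
        $t = $sById[$id]
        foreach ($p in 'Precedence', 'Disabled', 'Version', 'Direction') {
            if ("$($r.$p)" -ne "$($t.$p)") {
                [pscustomobject]@{ Rule = $r.Name; Status = "Differs:$p"; Active = $r.$p; Staging = $t.$p }
            }
        }
    }
    foreach ($id in $sById.Keys) {
        if (-not $aById.ContainsKey($id)) {
            $t = $sById[$id]
            [pscustomobject]@{ Rule = $t.Name; Status = 'ExtraOnStaging'; Active = $null; Staging = $t.Version }
        }
    }
}

# Usage (placeholders):
# Export-ConnectRuleSet -OutFile 'C:\Temp\rules-active.xml'     # on the active server
# Export-ConnectRuleSet -OutFile 'C:\Temp\rules-staging.xml'    # on the staging server
# Compare-ConnectRuleSets -ActiveFile '.\rules-active.xml' -StagingFile '.\rules-staging.xml' | Format-Table
```

Custom rules created separately on each server get different identifiers, so they show up as MissingOnStaging or ExtraOnStaging rather than as a version difference; that is the list to reconcile by hand (or by re-creating the rule on the staging server), and the staging-mode warning is the check to run before any cut-over.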
Hi,

I had Entra Connect running for a long time without issues. Out of the blue, Connect Sync started to report "Duplicate Attribute" on 3 users' User Principal Name. The 3 users that Connect Sync believes have a conflicting value in Entra do exist in Entra, but with an smtp address which matches the UPN and is not the user's UPN. If I run the following commands on my on-prem AD, the UPN does not exist in any form of domain name:

Get-ADUser -Filter {UserPrincipalName -eq "email address removed for privacy reasons"}
Get-ADUser -Filter {UserPrincipalName -eq "e-mail@domain.local"}
Get-ADUser -Filter {UserPrincipalName -eq "email address removed for privacy reasons"}

All my users' UPNs are different from the configured on-prem ProxyAddresses, so the above error message makes no sense. Furthermore, the 3 users which sync sees as a conflict do not even have a ProxyAddresses configured.

Any ideas how to debug this further?

/Robert

690 Views, 0 likes, 8 Comments

Hybrid Join Process - Question
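The commands in the post only look for the value as a user's UPN. A duplicate-attribute error can be raised by any object that already holds the value in the tenant, including a soft-deleted user that still keeps its UPN and proxy addresses. As an added example (not part of the post, not Microsoft code), the functions below search the whole on-prem forest through the global catalog for any object carrying the value as userPrincipalName, mail or proxyAddresses, and then search the tenant's active and soft-deleted users for the same value with the Microsoft Graph PowerShell SDK. The conflicting address, the global catalog host and the Graph permission scopes are placeholders and assumptions; RSAT AD PowerShell and the Microsoft.Graph modules are required.

```powershell
# Added example: find every on-prem and tenant object that holds a conflicting
# UPN / mail / proxy address value. Placeholders: address and GC host. Not from the post.

function Find-OnPremUpnConflicts {
    param(
        [Parameter(Mandatory)][string]$Value,          # e.g. 'jdoe@contoso.com' (placeholder)
        [Parameter(Mandatory)][string]$GlobalCatalog   # e.g. 'dc01.contoso.local' (placeholder)
    )
    # proxyAddresses carries an smtp:/SMTP: prefix; mail and UPN do not. LDAP matching is case-insensitive.
    $ldap = "(|(userPrincipalName=$Value)(mail=$Value)(proxyAddresses=smtp:$Value))"
    # Port 3268 queries the global catalog, so contacts, groups and users in every domain are covered.
    Get-ADObject -LDAPFilter $ldap -Server "${GlobalCatalog}:3268" `
                 -Properties userPrincipalName, mail, proxyAddresses, objectClass |
        Select-Object objectClass, distinguishedName, userPrincipalName, mail,
                      @{ n = 'proxyAddresses'; e = { $_.proxyAddresses -join ';' } }
}

function Find-EntraUpnConflicts {
    param([Parameter(Mandatory)][string]$Value)
    # Assumption: delegated read scopes are sufficient for this lookup.
    Connect-MgGraph -Scopes 'User.Read.All', 'Directory.Read.All' -NoWelcome
    $props = 'Id', 'UserPrincipalName', 'Mail', 'ProxyAddresses', 'OnPremisesSyncEnabled', 'OnPremisesImmutableId'

    $active = @()
    $active += Get-MgUser -Filter "userPrincipalName eq '$Value'" -Property $props
    $active += Get-MgUser -Filter "mail eq '$Value'" -Property $props
    foreach ($prefix in 'smtp:', 'SMTP:') {
        $active += Get-MgUser -Filter "proxyAddresses/any(p:p eq '$prefix$Value')" -Property $props
    }

    # Soft-deleted users keep their UPN and proxy addresses for the retention period and still block the value.
    $deleted = Get-MgDirectoryDeletedItemAsUser -All -Property $props | Where-Object {
        $_.UserPrincipalName -eq $Value -or $_.Mail -eq $Value -or
        ($_.ProxyAddresses -contains "smtp:$Value") -or ($_.ProxyAddresses -contains "SMTP:$Value")
    }

    ($active | Sort-Object Id -Unique | Select-Object @{ n = 'Where'; e = { 'Active' } }, Id, UserPrincipalName, Mail,
                                                        OnPremisesSyncEnabled, OnPremisesImmutableId) +
    ($deleted | Select-Object @{ n = 'Where'; e = { 'SoftDeleted' } }, Id, UserPrincipalName, Mail,
                              @{ n = 'OnPremisesSyncEnabled'; e = { $null } }, OnPremisesImmutableId)
}

# Usage (placeholders):
# Find-OnPremUpnConflicts -Value 'jdoe@contoso.com' -GlobalCatalog 'dc01.contoso.local' | Format-Table
# Find-EntraUpnConflicts  -Value 'jdoe@contoso.com' | Format-Table
```

The OnPremisesImmutableId column is the useful one on the tenant side: a hit whose immutable ID differs from the on-prem user's objectGUID (or is empty) is an object Connect Sync does not consider the same user, which is exactly the situation that produces a duplicate-attribute report.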
Hello all,

I'm looking for information regarding the Hybrid Join process because it is not clear to me. This is what I have:
  - Entra Connect syncs what I have under the OU I have specified in its configuration.
  - I have joined a new device to on-prem AD, outside of that OU, therefore Entra Connect will not sync the device.
  - The device can reach the Microsoft endpoints (network connectivity requirements met).

What happens when Entra Connect does not sync the device but the Automatic Device Join task is triggered? Will it become hybrid joined even without Entra Connect having synced it?

I have read this: "Hybrid join is a process initiated from the device itself and Azure AD. Hybrid Join does not depend on, nor is able to be achieved from Azure AD Connect, though AAD Connect does stage the device in Azure, allowing policies to be more immediately applied and AAD Connect" Is this correct? So, when Entra Connect syncs the device, the purpose is only to, let's say, provision the device in Entra ID? If Entra Connect does not sync the device, will Hybrid Join happen no matter what?

The process is documented here: How Microsoft Entra device registration works - Microsoft Entra ID | Microsoft Learn, but I still have doubts 😞

Many thanks!

Best regards,
Ivo Duarte

484 Views, 0 likes, 6 Comments