Home Cloud M365 AutoPilot – Configuring AzureAD Hybrid Deployment

AutoPilot – Configuring AzureAD Hybrid Deployment

Reading Time: 4 minutes

In this blog post, we will cover the steps required to set up. AzureAD Hybrid Sync, in preparation for moving away from our On-Premise Active Directory Server.
Note: This post takes into account that you already have the AzureAD Sync Tool.

Open the Azure Active Directory Connect App – Select “Configure”

Select “Configure Device Options”

For Hybrid AzureAD Join to work, Your AD Schema needs to be 2012R2 or Higher. For more information, you can check out the Microsoft support documentation [Here]

In Connect to Azure AD, enter the credentials of a global administrator for your Azure AD tenant.

In Device options, select Configure Hybrid Azure AD join, and then select Next.

In Device Operating Systems, select the Windows 10 or later domain-joined devices.

In SCP configuration, for each forest where you want Azure AD Connect to configure the SCP, complete the following steps, and then select Next.

  1. Select the Forest.
  2. Select an Authentication Service.
  3. Select Add to enter the enterprise administrator credentials.

In Ready to configure, select Configure.

Hybrid Domain Join Configuration Completed!

Troubleshooting Hyrbid Join Errors

While testing the steps for the blog post I ran into an error as shown below;
For further diagnostics and support check out the docs.microsoft info: [Here]

From a look at the event viewer log files it shows.

On further investigation, the error message relates to the fact the computer is not found the AzureAD Portal. This means that we’ve missed the OU from the AzureAD Directory Sync.

Once the Computer OU has been selected, we can completed an initial sync to AzureAD.

If the sync has been successful you should see a list of computer objects which have been added.

Checking Hybrid Join Status.

From the AzureAD Portal, Under Devices you should see the devices check-in in a “pending” state

From the local machine you can use the command “dsregcmd /status” and get the following result

| Device State                                                         |

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : hypervlab

| Device Details                                                       |

                  DeviceId : 3c849a08-096e-467c-8eab-b8a3b8f200c0
                Thumbprint : 61BBC28FB669FEC1E977FB60ACCCE69DBBAFB0E5
 DeviceCertificateValidity : [ 2020-11-30 20:42:30.000 UTC -- 2030-11-30 21:12:30.000 UTC ]
            KeyContainerId : 46a23cd7-ac22-4b70-82be-beb6eb0f2a14
               KeyProvider : Microsoft Software Key Storage Provider
              TpmProtected : NO

| Tenant Details                                                       |

                TenantName : 
                  TenantId : 
                       Idp : login.windows.net
               AuthCodeUrl : https://login.microsoftonline.com/903c83ca-4b31-4b80-baf4-2adcdbed419f/oauth2/authorize
            AccessTokenUrl : https://login.microsoftonline.com/903c83ca-4b31-4b80-baf4-2adcdbed419f/oauth2/token
                    MdmUrl : 
                 MdmTouUrl : 
          MdmComplianceUrl : 
               SettingsUrl : 
            JoinSrvVersion : 1.0
                JoinSrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/device/
                 JoinSrvId : urn:ms-drs:enterpriseregistration.windows.net
             KeySrvVersion : 1.0
                 KeySrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/key/
                  KeySrvId : urn:ms-drs:enterpriseregistration.windows.net
        WebAuthNSrvVersion : 1.0
            WebAuthNSrvUrl : https://enterpriseregistration.windows.net/webauthn/903c83ca-4b31-4b80-baf4-2adcdbed419f/
             WebAuthNSrvId : urn:ms-drs:enterpriseregistration.windows.net
    DeviceManagementSrvVer : 1.0
    DeviceManagementSrvUrl : https://enterpriseregistration.windows.net/manage/903c83ca-4b31-4b80-baf4-2adcdbed419f/
     DeviceManagementSrvId : urn:ms-drs:enterpriseregistration.windows.net

| User State                                                           |

                    NgcSet : NO
           WorkplaceJoined : NO
             WamDefaultSet : NO

| SSO State                                                            |

                AzureAdPrt : NO
       AzureAdPrtAuthority : 
             EnterprisePrt : NO
    EnterprisePrtAuthority : 

| Diagnostic Data                                                      |

        AadRecoveryEnabled : NO
               KeySignTest : PASSED

| Ngc Prerequisite Check                                               |

            IsDeviceJoined : YES
             IsUserAzureAD : NO
             PolicyEnabled : NO
          PostLogonEnabled : YES
            DeviceEligible : NO
        SessionIsNotRemote : NO
            CertEnrollment : none
              PreReqResult : WillNotProvision

Finally going back to the AzureAD Device Portal we can see that the device has completed the check-in


Please enter your comment!
Please enter your name here