Automatic registration failed at join phase exit code unknown hresult error code 0x801c001d

Event ID 307 and 304 with error code 0x801c001d on Windows 11/10 device

In today’s post, we will identify the cause and then provide possible resolutions to the issue of event ID 307 and event ID 304 with error code 0x801c001d are logged after you deploy Windows 11/10 on a device.

Error code 0x801c001d – Event ID 307 and 304

When you deploy Windows on a device, the following events are logged:

Log Name: Microsoft-Windows-User Device Registration/Admin
Source: User Device Registration
Event ID: 307
Level: Error
Description:
Automatic registration failed. Failed to lookup the registration service information from Active Directory. Exit code: Unknown HResult Error code: 0x801c001d. See http://go.microsoft.com/fwlink/?LinkId=623042

Log Name: Microsoft-Windows-User Device Registration/Admin
Source: Microsoft-Windows-User Device Registration
Event ID: 304
Level: Error
Description:
Automatic registration failed at join phase. Exit code: Unknown HResult Error code: 0x801c001d. Server error: . Debug Output:rn undefined.

You’ll encounter this issue because these event IDs 307 and 304 occur when the Active Directory infrastructure is not prepared for Hybrid join. When the device tries to do Hybrid join, the registration fails, and the events are logged.

Typically, organizations with an on-premises footprint rely on imaging methods to provision devices, and they often use Configuration Manager or Group Policy (GP) to manage them.

If your environment has an on-premises AD footprint and you also want to benefit from the capabilities provided by Azure Active Directory, you can implement Hybrid Azure AD joined devices. These devices are devices that are joined to your on-premises Active Directory and registered with your Azure Active Directory.

To resolve this issue, Microsoft in a support article points out that these event IDs 307 and 304 can be safely ignored because if the AD infrastructure is in a non-Hybrid join environment, these event IDs are expected during Windows 10 deployment.

However, if you’re experiencing this issue whilst in a Hybrid join environment, refer to this Microsoft document for troubleshooting steps.

Hope this post guides you in the right direction.

Источник

Automatic registration failed at join phase exit code unknown hresult error code 0x801c001d

This forum has migrated to Microsoft Q&A. Visit Microsoft Q&A to post new questions.

Answered by:

Question

Newly imaged computers with 1607 that after I join the domain my user do not get all of the group policies.

I get this error when trying to run gpresult, INFO: The user does not have RSoP data.

The only error in the system log is the following:

Automatic registration failed at join phase. Exit code: Unknown HResult Error code: 0x801c001d. Server error: empty. Debug Output:rn joinMode: Join
drsInstance: undefined
registrationType: undefined
tenantType: undefined
tenantId: undefined
configLocation: undefined
errorPhase: discover
adalCorrelationId: undefined
adalLog: undefined
adalLog: undefined
adalResponseCode: 0x0

My domain is 2012 R2

Answers

Try removing all GPO history from the user’s profile by deleting this registry key: HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionGroup PolicyHistory

Then do a gpupdate and log off and on and see if that sorts it out.

Also, check this similar case below for assistance.

INFO: The user «Domainuser» does not have RSOP data

In addition, I search online for a long time and find out a user meet with the same system log error as you, check this link and notice Kieren’s reply, maybe his troubleshooting thread can give you prompt.

Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

Источник

Automatic registration failed at join phase exit code unknown hresult error code 0x801c001d

This forum has migrated to Microsoft Q&A. Visit Microsoft Q&A to post new questions.

Answered by:

Question

Newly imaged computers with 1607 that after I join the domain my user do not get all of the group policies.

I get this error when trying to run gpresult, INFO: The user does not have RSoP data.

The only error in the system log is the following:

Automatic registration failed at join phase. Exit code: Unknown HResult Error code: 0x801c001d. Server error: empty. Debug Output:rn joinMode: Join
drsInstance: undefined
registrationType: undefined
tenantType: undefined
tenantId: undefined
configLocation: undefined
errorPhase: discover
adalCorrelationId: undefined
adalLog: undefined
adalLog: undefined
adalResponseCode: 0x0

My domain is 2012 R2

Answers

Try removing all GPO history from the user’s profile by deleting this registry key: HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionGroup PolicyHistory

Then do a gpupdate and log off and on and see if that sorts it out.

Also, check this similar case below for assistance.

INFO: The user «Domainuser» does not have RSOP data

In addition, I search online for a long time and find out a user meet with the same system log error as you, check this link and notice Kieren’s reply, maybe his troubleshooting thread can give you prompt.

Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

Источник

Automatic registration failed at join phase exit code unknown hresult error code 0x801c001d

Вопрос

Newly imaged computers with 1607 that after I join the domain my user do not get all of the group policies.

I get this error when trying to run gpresult, INFO: The user does not have RSoP data.

The only error in the system log is the following:

Automatic registration failed at join phase. Exit code: Unknown HResult Error code: 0x801c001d. Server error: empty. Debug Output:rn joinMode: Join
drsInstance: undefined
registrationType: undefined
tenantType: undefined
tenantId: undefined
configLocation: undefined
errorPhase: discover
adalCorrelationId: undefined
adalLog: undefined
adalLog: undefined
adalResponseCode: 0x0

My domain is 2012 R2

Ответы

Try removing all GPO history from the user’s profile by deleting this registry key: HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionGroup PolicyHistory

Then do a gpupdate and log off and on and see if that sorts it out.

Also, check this similar case below for assistance.

INFO: The user «Domainuser» does not have RSOP data

In addition, I search online for a long time and find out a user meet with the same system log error as you, check this link and notice Kieren’s reply, maybe his troubleshooting thread can give you prompt.

Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

Источник

Automatic registration failed at join phase exit code unknown hresult error code 0x801c001d

This forum has migrated to Microsoft Q&A. Visit Microsoft Q&A to post new questions.

Asked by:

Question

Have a 2012 R2 domain and I just did the RS1/14393 update last night. Several users with roaming profiles are now experiencing login errors. When they login, they get a blue error message saying «Couldn’t login to your account» and gives the option to dismiss or sign out. Restarts of the server and workstations have not resolved this. I’ve deleted local cached copies of the user profile without resolution. Only thing I can find in the event logs is under Applications and Services LogsMicrosoftWindowsUser Device Registration. I’m seeing Error 304 and 307. I also deleted the server side profiles for the user and let it recreate it on next login. I noticed that there is a new v6 profile for 14393 logins.

Automatic registration failed. Failed to lookup the registration service information from Active Directory. Exit code: Unknown HResult Error code: 0x801c001d. See http://go.microsoft.com/fwlink/?LinkId=623042

Automatic registration failed at join phase. Exit code: Unknown HResult Error code: 0x801c001d. Server error: empty. Debug Output:rn joinMode: Join
drsInstance: undefined
registrationType: undefined
tenantType: undefined
tenantId: undefined
configLocation: undefined
errorPhase: discover
adalCorrelationId: undefined
adalLog: undefined
adalLog: undefined
adalResponseCode: 0x0
.

Thanks for your post.

Yes, Windows 10 Anniversary Update uses a .v6 extension to distinguish itself from other operating system versions of the profile. This allows your roaming or mandatory profile to operate on different operating systems without conflicts.

Roaming user profiles in Windows 10 Anniversary Update are incompatible with roaming user profiles in earlier versions of Windows. This behavior is by design and was implemented because of the incompatibilities between profile versions.

Deploy Roaming User Profiles

Regarding the issue, does the problematic user account have permissions on the roaming profile folder?

Please grant Everyone Full Control on the parent folder of roaming profiles.

Please make sure that the users profile folder has the ‘v6’ extension.

Please remember to mark the replies as an answers if they help and unmark them if they provide no help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

The users have full permissions on their profile folders and all authenticated users have read permissions on the parent folders. This issue is present across most (but not all) users with roaming profiles. I have begun rolling back the RS1 update as my customers cannot function like this. Can you direct me other logs I should be checking?

And I did apply the new CU updates today and they did not resolve the problem.

Please run rsop.msc and check if the user is receiving proper policies.

Besides, try to rename profile on local pc as and deleted registry in profilelist to clear any issues with any cache files.

Troubleshoot User Profiles with Events

Please remember to mark the replies as an answers if they help and unmark them if they provide no help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

Thanks for your reply.

Based on the complexity and the specific situation, we need do more researches. If we have any updates or any thoughts about this issue, we will keep you posted as soon as possible. Your kind understanding is appreciated. If you have further information during this period, you could post it on the forum, which help us understand and analyze this issue comprehensively.

Sorry for the inconvenience and thank you for your understanding and patience.

Please remember to mark the replies as an answers if they help and unmark them if they provide no help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

Sorry for the delayed response.

First, please perform the diagnostic tests with the following article:

User Profile Does Not Roam

Besides, you could try to change a roaming profiles storage location to have a test if convenient.

Please remember to mark the replies as an answers if they help and unmark them if they provide no help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

Same problem here. Any solution?

Just want to confirm the current situations.

If you resolved it using our solution, please «mark it as answer» to help other community members find the helpful reply quickly.

If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

If no, please reply and tell us the current situation in order to provide further help.

Please remember to mark the replies as an answers if they help and unmark them if they provide no help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

Having the same issue here. Freshly joined Windows 10 Pro 1607 updated laptop. Disabled folder redirection/roaming profiles with no change. Even created a new user account at the root of the domain so it has no group policies assigned with no change. Un-joined and re-joined the laptop with no change.

Windows Server 2008 R2 domain here.

The issue is: The anniversary update increments the roaming profile to .v6, and the folder is created when you try to login, but no files are written to it. Currently no article confirmed this behavior, also no fix.

Try to copy the .v5 folder to .v6 or wait for the next update release.

Thanks for your understanding.

Please remember to mark the replies as answers if they help and unmark them if they provide no help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

i’ve same error! domain is Windows 2012 and after update client to win10 1607 i receive this error on all client. But I don’t use roaming profile.

Is a Microsoft bug?

Users are getting errors 304 and 307. They are also getting a Group Policy error 1129. They are able to logon to the domain without any apparent issues. They are logging into a Server 2012 R2 server with Essentials Experience with the latest essentials connector installed. The issue only effects machines that have the Windows 10 anniversary update. All updates completed to build 14393.187

Very annoying problem trying to create folders on any company share. Since they are running with Essentials connector, their folders are being redirected to the server, which means the folder creation issue occurs even on their own desktop. Most issues are related to lack of network connectivity.

• open shared folders
• open any share
• right click — new — folder
• refresh folder
• right click — rename folder — Test 1
• system basucally freezes up — no other tasks can be performed for about 30 seconds
• pop up error 0x8007003B: An unexpected network error has occurred
• Choices are «Try Again» and «Cancel»
• click «try again» — pop up «Item not found»
• click cancel — refresh — the renamed folder appears correct
• if you try to delete that folder right away — it takes about 50 seconds for it to delete
• if you wait several minutes and try to delete it seems to get deleted as expected

The only related issues I can find on the server may be an Active directory certificate authority error 53. «The permissions on the certificate template do not allow the currect user to enroll for this type of certificate 0x80094012. Denied by policy Module.»

Источник

Skip to content

Сбой автоматической регистрации на этапе присоединения код завершения unknown hresult error

Добрый день! Уважаемые читатели и гости одного из крупнейших IT блогов в рунете по системному администрированию Pyatilistnik.org. В прошлый раз мы с вами рассмотрели вопрос, как устраняется ошибка с кодом 28 при подключении оборудования в Windows. Идем далее и сегодня я хочу вам показать новую ошибку с которой я столкнулся на RDS ферме буквально на днях, звучит она так «Не удается повторно подключиться к удаленному сеансу» или в английском варианте «Failed to reconnect to your remote session».

Описание ситуации

У меня есть RDS ферма на базе Windows Server 2019, построенная на виртуальных машинах ESXI. Я начал производить базовое обслуживание серверов, обновление VMware Tools, обновление Hardware Version и конечно же сами пакеты обновления Windows. После включения виртуальной машины и попытке подключиться к ней, чтобы проверить все ли корректно работает я получаю ошибку:

После этого если нажать кнопку «Ok» вас просто выкидывает из данного сеанса и при повторной попытке вы будите наблюдать долгую попытку прорваться.

Решение ошибки «Не удается повторно подключиться к удаленному сеансу»

Начав свое исследование я попытался подключиться через «Console» в интерфейсе vCenter, но там было два пути развития:

1. У меня вообще не нажималось сочетание клавиш CTRL+ALT+DELETE, просто не реагировала
2. Второе, это после ввода логина и пароля я получал вот такое окно, которое не пропадало, на тот момент я ожидал в среднем 2-4 минуты

Далее я попытался подключиться через Windows Admin Center к данному серверу и посмотреть логи Windows, там было несколько предупреждений и пара ошибок с ID 10016.

Данные ошибки, как оказалось не мешали входу, и тут я начал копать дальше. Меня привлекло предупреждение в самом vCenter, что данная виртуальная машина стала потреблять много CPU. Так как попасть на нее не удавалось, я решил удаленно посмотреть все процессы в системе и определить, какой именно из них выедал ресурсы.

В результате я увидел, что антивирус Касперского (Kaspersky Anti-Virus worker process) выедал весь процессор.

Источник

Идентификаторы события 307 и 304 с кодом ошибки 0x801c001d на устройстве Windows 10

В сегодняшнем посте мы определим причину, а затем предоставим возможные решения проблемы с идентификатором события 307 и идентификатором события 304 с кодом ошибки 0x801c001d, которые регистрируются после развертывания Windows 10 на устройстве.

Код ошибки 0x801c001d — события с кодами 307 и 304

При развертывании Windows на устройстве регистрируются следующие события:

Имя журнала: Microsoft-Windows-User Device Registration / Admin
Источник: Регистрация устройства пользователя
ID события: 307
Уровень: Ошибка
Описание:
Ошибка автоматической регистрации. Не удалось найти информацию о службе регистрации в Active Directory. Код выхода: Неизвестный код ошибки HResult: 0x801c001d. См. Http://go.microsoft.com/fwlink/?LinkId=623042.

Программы для Windows, мобильные приложения, игры — ВСЁ БЕСПЛАТНО, в нашем закрытом телеграмм канале — Подписывайтесь:)

Имя журнала: Microsoft-Windows-User Device Registration / Admin
Источник: Microsoft-Windows-User Device Registration
ID события: 304
Уровень: Ошибка
Описание:
Ошибка автоматической регистрации на этапе присоединения. Код выхода: Неизвестный код ошибки HResult: 0x801c001d. Ошибка сервера: . Вывод отладки: r n undefined.

Вы столкнетесь с этой проблемой, потому что эти коды событий 307 и 304 возникают, когда инфраструктура Active Directory не подготовлена ​​для Гибридное соединение. Когда устройство пытается выполнить гибридное присоединение, регистрация не выполняется, и события регистрируются.

Как правило, организации с локальным охватом полагаются на методы создания образов для подготовки устройств и часто используют Configuration Manager или групповую политику (GP) для управления ими.

Если в вашей среде есть локальный след AD, и вы также хотите воспользоваться возможностями, предоставляемыми Лазурь Active Directory, вы можете реализовать гибридные устройства, присоединенные к Azure AD. Эти устройства являются устройствами, которые подключены к вашей локальной службе Active Directory и зарегистрированы в Azure Active Directory.

Чтобы решить эту проблему, Microsoft в статье поддержки указывает, что эти идентификаторы событий 307 и 304 можно безопасно игнорировать, потому что, если инфраструктура AD находится в среде негибридного соединения, эти идентификаторы событий ожидаются во время Развертывание Windows 10.

Однако, если вы столкнулись с этой проблемой в среде гибридного присоединения, обратитесь к этому Документ Microsoft для шагов по устранению неполадок.

Надеюсь, этот пост направит вас в правильном направлении.

.

Программы для Windows, мобильные приложения, игры — ВСЁ БЕСПЛАТНО, в нашем закрытом телеграмм канале — Подписывайтесь:)

Источник

Идентификаторы события 307 и 304 с кодом ошибки 0x801c001d на устройстве Windows 10

В сегодняшнем посте мы определим причину, а затем предложим возможные решения проблемы событие ID 307 и событие ID 304 с кодом ошибки 0x801c001d регистрируются после развертывания Windows 10 на устройстве.

Код ошибки 0x801c001d — Идентификаторы события 307 и 304

При развертывании Windows на устройстве регистрируются следующие события:

Имя журнала: Microsoft-Windows-User Device Registration / Admin
Источник: Регистрация устройства пользователя
ID события: 307
Уровень: Ошибка
Описание:
Ошибка автоматической регистрации. Не удалось найти информацию о службе регистрации в Active Directory. Код выхода: Неизвестный код ошибки HResult: 0x801c001d. См. Http://go.microsoft.com/fwlink/?LinkId=623042.

Имя журнала: Microsoft-Windows-User Device Registration / Admin
Источник: Microsoft-Windows-User Device Registration
ID события: 304
Уровень: Ошибка
Описание:
Ошибка автоматической регистрации на этапе присоединения. Код выхода: Неизвестный код ошибки HResult: 0x801c001d. Ошибка сервера: . Вывод отладки: r n undefined.

Вы столкнетесь с этой проблемой, потому что эти коды событий 307 и 304 возникают, когда инфраструктура Active Directory не подготовлена ​​для Гибридное соединение. Когда устройство пытается выполнить гибридное присоединение, регистрация не выполняется, и события регистрируются.

Как правило, организации с локальным следом полагаются на методы создания образов для подготовки устройств, и они часто используют Диспетчер конфигурации или же Групповая политика (GP) управлять ими.

Если в вашей среде есть локальный след AD, и вы также хотите воспользоваться возможностями, предоставляемыми Лазурь Active Directory, вы можете реализовать гибридные присоединенные к Azure AD устройства. Эти устройства являются устройствами, которые подключены к вашей локальной службе Active Directory и зарегистрированы в Azure Active Directory.

Чтобы решить эту проблему, Microsoft в статье поддержки указывает, что эти идентификаторы событий 307 и 304 можно безопасно игнорировать, потому что, если инфраструктура AD находится в негибридное соединение среды, эти идентификаторы событий ожидаются во время Развертывание Windows 10.

Однако, если вы столкнулись с этой проблемой в среде гибридного присоединения, обратитесь к этому Документ Microsoft для шагов по устранению неполадок.

Надеюсь, этот пост направит вас в правильном направлении.

Источник

Error code 0x801c001d: Automatic registration failed, failed to look up the registration service information from Active Directory with exit code unknown HResult

Microsoft’s identity solutions span across on-premises and cloud-based capabilities. These solutions create a common user identity for authentication and authorization to all resources, regardless of location. This is referred to as a “hybrid identity”. Therefore, Hybrid identity is having a common user identity for authentication and authorization both on-premises and in the cloud. Kindly see the following guides on Pass-Through Authentication: AD Connect Tool status displays inactive, “Pass-Through Authentication sign-in issue, non-routable domain, Invalid username and password for Single Sign-On, and Azure Active Directory integration with on-Premise AD using PTA, and VM environment setup on Hyper-V for Windows Server Active Directory, Azure Active Directory Integration,

To achieve a hybrid identity with Azure AD, one of three authentication methods can be used, depending on your scenarios. The three methods are:

• Password hash synchronization (PHS)
• Pass-through authentication (PTA)
• Federation (AD FS)

When prompted with the following error as shown in the figure below “Automatic registration failed. Failed to look up the registration service information from Active Directory. Exit code: Unknown HResult Error code: 0x801c001d. See the following link.

This error occurs when the infrastructure is not prepared for Hybrid join. When the device tries to do a Hybrid join, the registration fails, and the events are logged.

• Therefore, the Automatic Device Join runs as a scheduled task whenever someone logs into a server. This can cause a lot of event errors as shown below.

Screenshot 2020 07 25 at 15.20.13

Here is my suggestion:

Basically, if the infrastructure is in a non-Hybrid join environment, these event IDs are expected during Windows 10 deployment. They can be ignored! So they are therefore ignored by me. 🙂 If you have a Hybrid environment and you wish to fix this issue, kindly visit this article “troubleshooting hybrid Azure Active Directory joined devices“.

I hope you found this blog post helpful. If you have any questions, please let me know in the comment session.

Источник

Event ID 307 and 304 with error code 0x801c001d on Windows 11/10 device

In today’s post, we will identify the cause and then provide possible resolutions to the issue of event ID 307 and event ID 304 with error code 0x801c001d are logged after you deploy Windows 11/10 on a device.

Error code 0x801c001d – Event ID 307 and 304

When you deploy Windows on a device, the following events are logged:

Log Name: Microsoft-Windows-User Device Registration/Admin
Source: User Device Registration
Event ID: 307
Level: Error
Description:
Automatic registration failed. Failed to lookup the registration service information from Active Directory. Exit code: Unknown HResult Error code: 0x801c001d. See http://go.microsoft.com/fwlink/?LinkId=623042

Log Name: Microsoft-Windows-User Device Registration/Admin
Source: Microsoft-Windows-User Device Registration
Event ID: 304
Level: Error
Description:
Automatic registration failed at join phase. Exit code: Unknown HResult Error code: 0x801c001d. Server error: . Debug Output:rn undefined.

You’ll encounter this issue because these event IDs 307 and 304 occur when the Active Directory infrastructure is not prepared for Hybrid join. When the device tries to do Hybrid join, the registration fails, and the events are logged.

Typically, organizations with an on-premises footprint rely on imaging methods to provision devices, and they often use Configuration Manager or Group Policy (GP) to manage them.

If your environment has an on-premises AD footprint and you also want to benefit from the capabilities provided by Azure Active Directory, you can implement Hybrid Azure AD joined devices. These devices are devices that are joined to your on-premises Active Directory and registered with your Azure Active Directory.

To resolve this issue, Microsoft in a support article points out that these event IDs 307 and 304 can be safely ignored because if the AD infrastructure is in a non-Hybrid join environment, these event IDs are expected during Windows 10 deployment.

However, if you’re experiencing this issue whilst in a Hybrid join environment, refer to this Microsoft document for troubleshooting steps.

Hope this post guides you in the right direction.

Источник

• #1

Добрый день, заметил в логах windows server 2019 ошибки с кодами 304 и 307, источник события User Device Registration.

Automatic registration failed at join phase.
Exit code: Unknown HResult Error code: 0x801c001d
Server error:
Tenant type: undefined
Registration type: undefined
Debug Output:
joinMode: Join
drsInstance: undefined
registrationType: undefined
tenantType: undefined
tenantId: undefined
configLocation: undefined
errorPhase: discover
adalCorrelationId: undefined
adalLog:
undefined
adalResponseCode: 0x0

и вторая ошибка

Automatic registration failed. Failed to lookup the registration service information from Active Directory. Exit code: Unknown HResult Error code: 0x801c001d.
Регистрация сервера {4991D34B-80A1-4291-83B6-3328366B9097} DCOM не выполнена за отведенное время ожидания.

Подскажите из-зи чего ошибки ?? С виду все работает

• #2

Еще подозрительные предупреждения обнаружил

Поставщик DMWmiBridgeProv1 зарегистрирован в пространстве имен rootcimv2mdmdmmap инструментария управления Windows и будет использовать учетную запись LocalSystem. Она обладает повышенными привилегиями, поэтому, если поставщик некорректно олицетворяет запросы пользователей, безопасность может оказаться под угрозой.
——
Служба «Update Orchestrator Service» завершена из-за ошибки
Возврат из операции произошел из-за превышения времени ожидания.

• #3

Руководство по Настройке гибридного присоединения к Azure Active Directory для федеративных доменов
Эти коды событий возникают, когда инфраструктура не готова к гибридному соединению. Когда устройство пытается выполнить гибридное соединение, регистрация завершается неудачно, и события регистрируются.

• #4

я понял, короче это норма. А по другой ошибке подскажете ?

So I’ve posted about this before but never figured out what was the cause.

I’m running a 2016 standard server with about 20 workstations, nothing is virtualized.

I have this random gremlin connection issue with my network, its totally random which drives me nuts.  Basically, client machines sometimes struggle to contact the server/dc, sometimes on boot there are events in the logs which suggest clients struggling to contact DC on boot and take a long time to login because of it, group policies wont deploy on boot etc. either.

Anyway, the reason im making this post today is because im trying to add a new workstation to the domain in Windows 10.  It asks me whats the domain name, i enter it and there is a 50% chance it will say it didnt find the domain, 50% chance it will say enter credentials of someone authorized to contact the domain, and when I do enter the details it says the domain doesnt exist lol.  So it just spoke to the domain controller, asked client for login details and then denied it ever talked to it in the first place… i just dont get it.  I tried it about 10 times, eventually it let me join the domain but this is the «weirdness» im experiencing.

Error i get is «The machine xxxx attempted to join the domain xxxx but failed. The error code was 1355»

I’m 90% sure this is DNS related, a setting somewhere or something wrong…

Not sure if its related but when I do this…

——

ping -a eblsvr

Pinging EBLSVR.ebldomain.local [::1] with 32 bytes of data:
Reply from ::1: time<1ms
Reply from ::1: time<1ms
Reply from ::1: time<1ms
Reply from ::1: time<1ms

Ping statistics for ::1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Not
sure why the reverse host name is displaying » ::1:» cant find reference to this
anywhere in DNS, it should display 192.168.0.5, any ideas?

Could this be the cause of my issues?

Anyway here are a list of event log errors i see a lot on random client machines, not everytime they boot just sometimes…

———
Automatic device join pre-check tasks completed. The device can NOT be joined because a domain controller could not be located. The device must be connected to a network with connectivity to an Active Directory domain controller.
———
Automatic registration failed at join phase. Exit code: Unknown HResult Error code: 0x801c001d. Server error: empty. Debug Output:rn joinMode: Join
drsInstance: undefined
registrationType: undefined
tenantType: undefined
tenantId: undefined
configLocation: undefined
errorPhase: discover
adalCorrelationId: undefined
adalLog:
undefined
adalResponseCode: 0x0
.
—————
Automatic registration failed. Failed to lookup the registration service information from Active Directory. Exit code: Unknown HResult Error code: 0x801c001d. See http://go.microsoft.com/fwlink/?LinkId=623042 Opens a new window
—————
NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: The entry is not found. (0x800706E1)
—————-
Automatic device join pre-check tasks completed. The device can NOT be joined because a domain controller could not be located. The device must be connected to a network with connectivity to an Active Directory domain controller.
———-
SCEP Certificate enrollment for EBLDOMAINMICHELLEX2$ via https://IFX-KeyId-97e5d1cd8b0497c04b4655a869c8f30efa89388d.microsoftaik.azure.net/templates/Aik/scep Opens a new window failed:

SubmitDone
Submit(Request): Bad Request
{«Message»:»No valid TPM EK/Platform cerificate provided in the TPM identity request message.»}
HTTP/1.1 400 Bad Request
Cache-Control: no-cache
Date: Wed, 05 Sep 2018 11:44:21 GMT
Pragma: no-cache
Content-Length: 95
Content-Type: application/json; charset=utf-8
Expires: -1
x-ms-request-id: cd8bc0df-afe6-42a6-b518-146a36e6a97e
Strict-Transport-Security: max-age=31536000;includeSubDomains
X-Content-Type-Options: nosniff

Method: POST(6140ms)
Stage: SubmitDone
Bad request (400). 0x80190190 (-2145844848 HTTP_E_STATUS_BAD_REQUEST)
———

The
Group Policy Client Side Extension Folder Redirection was unable to apply one
or more settings because the changes must be processed before system startup or
user logon. The system will wait for Group Policy processing to finish
completely before the next startup or logon for this user, and this may result
in slow startup and boot performance.

——— 

Folder
redirection policy application has been delayed until the next logon because
the group policy logon optimization is in effect.

———

Group
Policy was unable to add per computer connection \EBLSVRKONICA
MINOLTA Bizhub 554. Error code 0x5. This can occur if the name of the printer
connection is incorrect, or if the print spooler cannot contact the print
server.

————

The
processing of Group Policy failed. Windows could not obtain the name of a
domain controller. This could be caused by a name resolution failure. Verify
your Domain Name System (DNS) is configured and working correctly.

——-

This computer was not able to set up a secure
session with a domain controller in domain EBLDOMAIN due to the following:

There are currently no logon servers
available to service the logon request.

This may lead to authentication problems.
Make sure that this computer is connected to the network. If the problem
persists, please contact your domain administrator.

ADDITIONAL INFO

If
this computer is a domain controller for the specified domain, it sets up the
secure session to the primary domain controller emulator in the specified
domain. Otherwise, this computer sets up the secure session to any domain
controller in the specified domain.

 ——-

 Automatic registration failed at join
phase. Exit code: Unknown HResult Error code: 0x801c001d. Server error:
empty. Debug Output:rn joinMode: Join

drsInstance: undefined

registrationType: undefined

tenantType: undefined

tenantId: undefined

configLocation: undefined

errorPhase: discover

adalCorrelationId: undefined

adalLog:

undefined

adalResponseCode: 0x0

.

 ————————-

 Automatic
registration failed. Failed to lookup the registration service information from
Active Directory. Exit code: Unknown HResult Error code: 0x801c001d. See http://go.microsoft.com/fwlink/?LinkId=623042 Opens a new window

 ——————

 Windows Hello for Business provisioning will not be
launched.

Device is AAD joined ( AADJ or DJ++ ): Not Tested

User has logged on with AAD credentials: No

Windows Hello for Business policy is enabled: Not Tested

Windows Hello for Business post-logon provisioning is
enabled: Not Tested

Local computer meets Windows hello for business hardware
requirements: Not Tested

User is not connected to the machine via Remote Desktop: Yes

User certificate for on premise auth policy is enabled: Not
Tested

Machine is governed by none policy.

See https://go.microsoft.com/fwlink/?linkid=832647 Opens a new window
for more details.

 —————

 ISAgent
1.0.1.620: Unexpected error: The remote server returned an error: (404) Not
Found.

 ———————

Dont know if all these errors are related but had this problem for about 6 months now on and off.

Any help is appreciated, thanks.

Like a user in your organization, a device is a core identity you want to protect. You can use a device’s identity to protect your resources at any time and from any location. You can accomplish this goal by managing device identities in Azure AD. Use one of the following methods:

• Azure AD join
• Hybrid Azure AD join
• Azure AD registration

The differences between them will be described in the following article from Microsoft under the Concepts menu point.

Azure AD device identity documentation
https://learn.microsoft.com/en-us/azure/active-directory/devices/

Bringing your devices to Azure AD maximizes user productivity through single sign-on (SSO) across your cloud and on-premises resources. You can secure access to your cloud and on-premises resources with Conditional Access at the same time.

You can deploy a managed environment by using password hash sync (PHS) or pass-through authentication (PTA) with seamless single sign-on. These scenarios don’t require you to configure a federation server for authentication.

Source: https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-managed-domains

In this post I want to configure Hybrid Azure AD join.

Configure Hybrid Azure AD join

To configure Hybrid Azure AD join we can also use the Azure AD Connect tool.

First we need to be sure, that besides our synced users also the computer objects will be synced to Azure AD.

So click on Customize synchronization options

Be sure to check all OUs where you store your computer objects which should be used for Hybrid Azure AD join and therefore must be synced to Azure AD.

For the actual configuration of Hybrid Azure AD join we need to select Configure device options

Select Configure Hybrid Azure AD join

I will only have Windows 10 clients in my environment.

Beginning with version 1.1.819.0, Azure AD Connect includes a wizard to configure hybrid Azure AD join. The wizard significantly simplifies the configuration process. The wizard configures the service connection points (SCPs) for device registration to discover your Azure AD tenant information.

• Select the forest.
• Select the authentication service. You must select AD FS server unless your organization has exclusively Windows 10 clients and you have configured computer/device sync, or your organization uses seamless SSO.
• Select Add to enter the enterprise administrator credentials.

After the configuration you can check the SCP as follows.

Open ADSIEDIT.MSC and open the Configuration Naming Context.

Configuration -> Services -> Device Registration Configuration

Under keywords the Azure AD domain is listed to what windows 10 will connect for device registration.

To successfully complete hybrid Azure AD join of your Windows downlevel devices and to avoid certificate prompts when devices authenticate to Azure AD, you can push a policy to your domain-joined devices to add the following URLs to the local intranet zone in Internet Explorer:

• https://device.login.microsoftonline.com
• Your organization’s STS (For federated domains)
• https://autologon.microsoftazuread-sso.com (For seamless SSO)

You also must enable Allow updates to status bar via script in the user’s local intranet zone.

Group policy option – Detailed steps
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-quick-start#group-policy-option—detailed-steps

Verify the registration by using dsregcmd

dsregcmd /status

AzureAdJoined : YES
This field indicates whether the device is joined. The value will be YES if the device is either an Azure AD joined device or a hybrid Azure AD joined device. If the value is NO, the join to Azure AD has not completed yet.

WorkplaceJoined : NO
This field indicates whether the device is registered with Azure AD as a personal device (marked as Workplace Joined). This value should be NO for a domain-joined computer that is also hybrid Azure AD joined. If the value is YES, a work or school account was added prior to the completion of the hybrid Azure AD join. In this case, the account is ignored when using Windows 10 version 1607 or later.

EnterpriseJoined : NO
If the device is Joined to an on-premises Device Registration Service (DRS). A device cannot be both EnterpriseJoined and AzureAdJoined. The Device Registration Service (DRS) is a new Windows service that is included with the Active Directory Federation Service (AD FS) Role on Windows Server 2012 R2. The DRS must be installed and configured on all of the federation servers in your AD FS farm. For information on deploying DRS, see Configure a federation server with Device Registration Service.

DomainJoined : YES
This field indicates whether the device is joined to an on-premises Active Directory or not. If the value is NO, the device cannot perform a hybrid Azure AD join.EnterpriseJoined

The revealed prt token from mimikatz.

Windows Task – Automatic-Device-Join

The task Automatic-Device-Join below is by default disabled for standalone windows 10 computers and will be enabled after domain join. Also after leaving domain it will be disabled again.

After the first successful run of this task, the computer will be Hybrid Azure AD joined and the second Task Device-Sync will be enabled. Device-Sync will synchronize device attributes with Azure AD.

Task Scheduler -> Microsoft -> Windows -> Workplace Join

In Azure Active Directory under Devices, you will see the synced computers from on-premises with the Join type Hybrid Azure AD join, also every computer with Azure AD registered and Azure AD joined.

Hybrid Azure AD joined computers in state Pending as below, means that the device has been synchronized from on-premises to Azure AD, and is waiting to complete the registration from the client. Therefore the Automatic-Device-Join task on the client first needs to run to complete the registration as mentioned above.

If you are using System Center Configuration Manager (SCCM) in your network, you may also know the Client Settings Automatically register new Windows 10 domain joined devices with Azure Active.

This behavior is also the default in Windows 10, version 1709.
https://docs.microsoft.com/en-us/mem/configmgr/core/clients/deploy/deploy-clients-cmg-azure#configure-client-settings

Users must be able to join devices to Azure AD, so switch to All or Selected and add the users who should be able to join.

Regarding System Center Configuration Manger (SCCM) and co-management with Microsoft Intune, please read my following post.

Re-register a Windows 10 device for Hybrid Azure AD join

First we need to remove the existing registration to Azure AD from the device as follow.

dsregcmd /leave
dsregcmd /debug /leave
Will display debug messages in addition

Also remove the following two certificates from the computer accounts personal store.

Sign out and sign in to trigger the scheduled task that registers the device again with Azure AD or execute the task by hand as follows:

Go to Task Scheduler > Microsoft > Windows > Workplace Join

Run the Automatic-Device-Join task

For Windows 10 Version 1607 and later Hybrid Azure AD join is invoked by a scheduled task which is by default created.

The task Automatic-Device-Join is by default disabled for standalone windows 10 computers and will be enabled after domain join.

By default will be triggered at every logon and every hour for on-premises domain joined devices.

Check that the two certificates was re-created.

Check again with dsregcmd /status if the device re-registered successfully.

Handling devices with Azure AD registered state

If your Windows 10 domain joined devices are Azure AD registered to your tenant, it could lead to a dual state of Hybrid Azure AD joined and Azure AD registered device. We recommend upgrading to Windows 10 1803 (with KB4489894 applied) or above to automatically address this scenario. In pre-1803 releases, you will need to remove the Azure AD registered state manually before enabling Hybrid Azure AD join. In 1803 and above releases, the following changes have been made to avoid this dual state:

• Any existing Azure AD registered state for a user would be automatically removed after the device is Hybrid Azure AD joined and the same user logs in. For example, if User A had an Azure AD registered state on the device, the dual state for User A is cleaned up only when User A logs in to the device. If there are multiple users on the same device, the dual state is cleaned up individually when those users log in. In addition to removing the Azure AD registered state, Windows 10 will also unenroll the device from Intune or other MDM, if the enrollment happened as part of the Azure AD registration via auto-enrollment.
• Azure AD registered state on any local accounts on the device is not impacted by this change. It is only applicable to domain accounts. So Azure AD registered state on local accounts is not removed automatically even after user logon, since the user is not a domain user.
• You can prevent your domain joined device from being Azure AD registered by adding the following registry value to HKLMSOFTWAREPoliciesMicrosoftWindowsWorkplaceJoin: “BlockAADWorkplaceJoin”=dword:00000001.
• In Windows 10 1803, if you have Windows Hello for Business configured, the user needs to re-setup Windows Hello for Business after the dual state clean up.This issue has been addressed with KB4512509

Source: https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan

MS-Organization-Access and MS-Organization-P2P-Access Certificate

Both certificates will be populated by the User Device Registration Scheduled Task on the workstation.

The MS-Organization-P2P-Access certificates are issued by Azure AD to both, Azure AD joined and hybrid Azure AD joined devices. These certificates are used to enable trust between devices in the same tenant for remote desktop scenarios. One certificate is issued to the device and another is issued to the user. The device certificate is present in Local ComputerPersonalCertificates and is valid for one day. This certificate is renewed (by issuing a new certificate) if the device is still active in Azure AD. The user certificate is present in Current UserPersonalCertificates and this certificate is also valid for one day, but it is issued on-demand when a user attempts a remote desktop session to another Azure AD joined device. It is not renewed on expiry. Both these certificates are issued using the MS-Organization-P2P-Access certificate present in the Local ComputerAAD Token IssuerCertificates. This certificate is issued by Azure AD during device registration.

Source: https://docs.microsoft.com/en-us/azure/active-directory/devices/faq#what-are-the-ms-organization-p2p-access-certificates-present-on-our-windows-10-devices

The following service principal below will be automatically registered after a windows device has been successfully joined to Azure AD. (Azure AD joined and hybrid Azure AD joined devices)

Using this principal, Windows devices that are Azure AD joined will provision device certificates in their computer store with a name matching “MS-Organization-P2P-Access” that enables RDP using Azure AD credentials. Via PKI, these certificates trust the tenant root certificate that is registered on the “P2P Server” service principal in Azure AD.

Source: https://www.jasonfritts.me/tag/ms-organization-p2p-access/

Troubleshooting

The first tool to check if you encounter some issues regarding Hybrid Azure AD join is the command line tool dsregcmd.

Yo can check the status with

dsregcmd /status

Here I can saw that something went wrong and the computer wasn’t joined to Azure AD.

Therefore I checked the windows logs for the User Device Registration.

Event Viewer -> Microsoft -> Windows -> User Device Registration

Automatic registration failed at join phase.
Exit code: Unknown HResult Error code: 0x801c001d
errorPhase: discover
Source: User Device Registration
Event ID: 304
User: SYSTEM

Automatic registration failed. Failed to lookup the registration service information from Active Directory. Exit code: Unknown HResult Error code: 0x801c001d.

The reason for is, that in my lab environment, I will first need to configure Hybrid Azure AD join, which will create a Service Connection Point (SCP), which the devices needs to discover the Azure AD tenant information.

Beginning with version 1.1.819.0, Azure AD Connect includes a wizard that you can use to configure hybrid Azure AD join. The wizard significantly simplifies the configuration process. The related wizard:

• Configures the service connection points (SCPs) for device registration
• Backs up your existing Azure AD relying party trust

Links

Troubleshooting devices using the dsregcmd command
https://docs.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-device-dsregcmd

Обновлено 03.06.2021

Добрый день! Уважаемые читатели и гости одного из крупнейших IT блогов в рунете по системному администрированию Pyatilistnik.org. В прошлый раз мы с вами рассмотрели вопрос, как устраняется ошибка с кодом 28 при подключении оборудования в Windows. Идем далее и сегодня я хочу вам показать новую ошибку с которой я столкнулся на RDS ферме буквально на днях, звучит она так «Не удается повторно подключиться к удаленному сеансу» или в английском варианте «Failed to reconnect to your remote session».

Описание ситуации

У меня есть RDS ферма на базе Windows Server 2019, построенная на виртуальных машинах ESXI. Я начал производить базовое обслуживание серверов, обновление VMware Tools, обновление Hardware Version и конечно же сами пакеты обновления Windows. После включения виртуальной машины и попытке подключиться к ней, чтобы проверить все ли корректно работает я получаю ошибку:

После этого если нажать кнопку «Ok» вас просто выкидывает из данного сеанса и при повторной попытке вы будите наблюдать долгую попытку прорваться.

Решение ошибки «Не удается повторно подключиться к удаленному сеансу»

Начав свое исследование я попытался подключиться через «Console» в интерфейсе vCenter, но там было два пути развития:

1. У меня вообще не нажималось сочетание клавиш CTRL+ALT+DELETE, просто не реагировала
2. Второе, это после ввода логина и пароля я получал вот такое окно, которое не пропадало, на тот момент я ожидал в среднем 2-4 минуты

Далее я попытался подключиться через Windows Admin Center к данному серверу и посмотреть логи Windows, там было несколько предупреждений и пара ошибок с ID 10016.

Данные ошибки, как оказалось не мешали входу, и тут я начал копать дальше. Меня привлекло предупреждение в самом vCenter, что данная виртуальная машина стала потреблять много CPU. Так как попасть на нее не удавалось, я решил удаленно посмотреть все процессы в системе и определить, какой именно из них выедал ресурсы.

В результате я увидел, что антивирус Касперского (Kaspersky Anti-Virus worker process) выедал весь процессор.

Пробуем дождаться, когда антивирус, что-то до сканирует, у меня это заняло минут 10, после чего я спокойно подключился по удаленному рабочему столу. Так же если у вас Касперский управляется через сервер, то выключите его на время. Если и через 10 минут не получается войти, то я советую вам произвести принудительную перезагрузку (hard reset), возможно у вас какие-то обновления еще не до установились. Надеюсь, что вы так же найдете свою причину данной ошибки, не забывайте поделиться в комментариях своим решением. С вами был Иван Семин, автор и создатель IT портала Pyatilistnik.org.