I worked on an Azure Active Directory lab for Hybrid Azure AD Join today and ran into a problem. The lab is a new deployment, single Windows Server 2019 Domain Controller running the 2.x version of Azure AD Connect Sync. Express install was used, there are no OU or advanced filters in place. Following the directions outlined in the Microsoft documentation is straightforward. However, after enabling Hybrid Azure AD Join, the computers did not show in the Azure AD Portal under Devices.
Digging through the event log and using dsregcmd /status on the client provided the error:
Automatic registration failed at join phase.
Exit code: Unknown HResult Error code: 0x801c03f3
Server error: The device object by the given id (xxxxxx-xxxx-xxxx-xxxx-xxxxxxxx) is not found
The most common cause for this is a filter in AD Connect that excludes OUs or computers. Computer devices need to be included in any filter, or they will not synchronize to Azure AD. Azure AD Connect Sync was configured with an express installation, and no filters were in place.
I went to the AD Connect Synchronization Services Manager to review the settings. In the Active Directory Domain Services connector, under Selected Object Types, I noticed that “device” was unchecked. I checked this box and then initiated a synchronization (start-adsyncsynccycle).
Once the sync finished, the devices showed in the Azure AD Portal with the status of Pending. A reboot of the client moved the device to a registered state and allowed the device to be Hybrid Azure AD Joined.
I am curious why I had to check the device box. Azure AD Connect had a default installation with express settings. If that step was required, the agent could have handled it when Hybrid Azure AD join was configured. I could not find any information on why checking “device” was needed when “computer” was already checked.
If you found this article you may be suffering the same issue. I hope this helps!
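As an added diagnostic helper (not part of the original post), the script below parses the output of dsregcmd /status, flags the 0x801c03f3 "device object not found" failure described above, and also reports a joined device that has no PRT; the ConvertFrom-DsregStatus and Test-HybridJoinHealth function names and the embedded sample output are assumptions constructed for this example.

```powershell
# Added diagnostic helper (not from the original post). Parses dsregcmd /status
# into a hashtable and reports the Hybrid Azure AD Join state, flagging the
# 0x801c03f3 "device object not found" failure and a missing PRT.

function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # dsregcmd prints "   Key : Value" pairs; split on the first ':' only
        if ($line -match '^\s*([A-Za-z][\w ]*?)\s*:\s*(.*)$') {
            $state[$matches[1].Trim()] = $matches[2].Trim()
        }
        # The failure line has a different shape; capture the HRESULT separately
        if ($line -match 'Error code:\s*(0x[0-9A-Fa-f]+)') {
            $state['RegistrationErrorCode'] = $matches[1]
        }
    }
    return $state
}

function Test-HybridJoinHealth {
    param([hashtable]$State)
    $findings = New-Object System.Collections.Generic.List[string]
    if ($State['DomainJoined'] -ne 'YES') { $findings.Add('Device is not domain joined') }
    if ($State['AzureAdJoined'] -ne 'YES') { $findings.Add('Device is not Azure AD joined') }
    if ($State['RegistrationErrorCode'] -eq '0x801c03f3') {
        $findings.Add('0x801c03f3: device object not found in Azure AD; check that the AD Connect ' +
                      'connector includes the "device" object type and no OU filter excludes the computer')
    }
    if ($State['AzureAdJoined'] -eq 'YES' -and $State['AzureAdPrt'] -ne 'YES') {
        $findings.Add('Joined but no PRT: SSO to Azure AD resources will not work until a PRT is issued')
    }
    [pscustomobject]@{ Healthy = ($findings.Count -eq 0); Findings = $findings.ToArray() }
}

# Constructed sample reproducing the failure from the post (not real captured output)
$sample = @'
             DomainJoined : YES
            AzureAdJoined : NO
               AzureAdPrt : NO
Automatic registration failed at join phase.
Exit code: Unknown HResult Error code: 0x801c03f3
'@ -split "`r?`n"

Test-HybridJoinHealth (ConvertFrom-DsregStatus $sample)
# On a live client, replace $sample with the real output: (dsregcmd /status)
```

Run the live form on the client after the Start-ADSyncSyncCycle run and reboot; Healthy should become True and the 0x801c03f3 finding should disappear.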
4 thoughts on “Hybrid Azure AD Join: The device object by the given ID is not found”
Device is not Computer… coincidence perhaps…
Thank you – this actually helped me out; I created a new OU with a filtered list of GPOs for Intune enrolled devices, and sure enough forgot to include it on ADConnect.
Glad it helped!
Had the same thing with a WinServer 2016 that didn’t show up in AAD.
Checking “device” and syncing as you described actually did the trick for me as well, but I’m afraid this is just a workaround which didn’t really solve the problem, because when I type “dsregcmd.exe /status” on that device, I see it’s now joined to AAD, but without any PRT like my other devices.