VeeraRagavan-5624 asked:

Automatic MDM Enrollment - Windows 10 Clients - Scenario

Hello Techies,

Here is the scenario; I would like to get some help.

I have 3 different forests/domains:

Domain 1 - ABC.COM
Domain 2 - XYZ.COM
Domain 3 - 123.COM

Domain 1 - ABC.COM - We have Azure AD Connect and MECM installed, with co-management. All management is via Intune.
Domain 1 - Azure AD Connect collects the details from AD for all 3 domains (Domain 1, 2 and 3).

Now we want Domain 2 and Domain 3 to be controlled via Intune as well,
so we have done the following:

XYZ.COM - Users are assigned Azure AD P1 and Microsoft Intune licenses
XYZ.COM - Users are available in Azure AD (Azure portal)
XYZ.COM - Devices are available in Azure AD (Azure portal)
XYZ.COM - Created the GPO and assigned the MDM profile for enrollment - User Credential

Output: Event ID 76 - Auto MDM Enroll: Device Credential (0x0), Failed (Unknown Win32 Error code: 0x8018002b)

We cannot see the MDM URL, MDM TOU URL or MDM Compliance URL when running DSREGCMD /Status.

From the Intune side, we do not have any enrollment restrictions.

Also no restrictions on device type. The devices are targeted to this group.

Question:

  1. Is it really possible to manage the Domain 2 (XYZ) clients via Intune, when the tenant belongs to Domain 1 (ABC)?

Currently the device is showing as Hybrid Azure AD Joined, along with Registered and Activity time.

Any steps from your suggestions and expertise would help... The goal is that the Domain 2 and Domain 3 devices are managed via Intune.


A little more update from my side:

I mentioned the domain name as XYZ.COM, but it is more like XYZ.Local.

It is a local domain, not registered/purchased anywhere. Can you refer me to a link to register this domain?

Lately I found that these domains are not registered yet in the Azure portal.


Additional Comments:

We followed the approach and declared the Tenant ID and Tenant Name:

https://365bythijs.be/2019/11/02/troubleshooting-hybrid-azure-ad-join/

EswarKoneti-MVP answered:

Are the xyz and 123 domains routable? Check this Microsoft document for more information: https://docs.microsoft.com/en-us/troubleshoot/mem/intune/troubleshoot-windows-enrollment-errors#auto-mdm-enroll-failed

Thanks,
Eswar
www.eskonr.com


Hello Eswar,

My sincere apologies - I forgot to post this information earlier.

Yes, the XYZ and 123 domains are routable. We changed the user login name from TestUser1@ABC.COM to TestUser1@XYZ.COM.

Following that, Azure AD replication was successful...

But once again, it results in the same scenario..

With successful user and device details as Hybrid, it is still causing the same issue..


Hello Experts,

Do you suggest any troubleshooting techniques?

Hello Eswar,

Yes, we also tried to perform the routing with the login from TestUser1@XYZ.COM to TestUser1@ABC.com.

In addition, we also created registry entries on the workstation for the enrollment:

https://365bythijs.be/2019/11/02/troubleshooting-hybrid-azure-ad-join/

Still it ends up with the same error..

A little trick here: the domain ABC.COM is yet to be registered. We are using ABCon365.onmicrosoft.com as the tenant name. Currently the tenant name is only "Available" and not registered.

https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-control#configure-client-side-registry-setting-for-scp

RahulJ-3048 answered:

Syncing multiple domains/forests using a single Azure AD Connect is going to be tricky. I hope you have already checked https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-topologies to confirm your scenario is supported, even though it's syncing devices as well as users to Azure AD.

Also, the MDM enrollment GP with user authentication can be tricky sometimes - I know Anoop reported a strange issue like this (https://www.anoopcnair.com/intune-enrollment-error-unknown-win32-error/), but I don't think that is the case in your scenario.


VeeraRagavan-5624 answered:

Hello All,

I found the answer...

After verifying the domain and making the UPN routable to XYZ.COM for all users with an Azure AD P1 license and Intune, this helped to onboard the devices to Intune (Hybrid Join with GPO settings).
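A client-side check for the three symptoms in this thread (a UPN suffix that is not a verified domain, empty MdmUrl/MdmTouUrl/MdmComplianceUrl in dsregcmd /status, and Event ID 76 with 0x8018002b). This is an added example, not code from the thread or from Microsoft; it assumes a domain-joined Windows 10 client, the standard DeviceManagement-Enterprise-Diagnostics-Provider/Admin event log, and that $VerifiedDomains is filled in by hand from the tenant's verified custom domains (the values below are constructed).

```powershell
# Added diagnostic (not from the thread). Run as the logged-on domain user.
# $VerifiedDomains is a constructed list: replace it with the custom domains
# that show as "Verified" in the Azure portal for your tenant.
$VerifiedDomains = @('abc.com', 'xyz.com')

# 1. UPN suffix: auto MDM enrollment needs a verified, routable domain.
$upn    = (whoami /upn).Trim()
$suffix = ($upn -split '@')[-1].ToLower()
if ($suffix.EndsWith('.local') -or ($VerifiedDomains -notcontains $suffix)) {
    Write-Warning "UPN suffix '$suffix' is not a verified routable domain; auto MDM enrollment will keep failing until the UPN is changed."
} else {
    Write-Host "UPN suffix '$suffix' is a verified domain."
}

# 2. Parse dsregcmd /status into a hashtable ("Key : Value" lines only).
$status = @{}
dsregcmd /status | ForEach-Object {
    if ($_ -match '^\s*([^:]+?)\s*:\s*(.*)$') { $status[$Matches[1]] = $Matches[2].Trim() }
}
foreach ($key in 'AzureAdJoined', 'DomainJoined', 'TenantName') {
    Write-Host ("{0,-18} {1}" -f $key, $status[$key])
}
# The thread's symptom: these three stay empty until enrollment succeeds.
foreach ($key in 'MdmUrl', 'MdmTouUrl', 'MdmComplianceUrl') {
    if ([string]::IsNullOrEmpty($status[$key])) {
        Write-Warning "$key is empty: the device has not been given an MDM enrollment target yet."
    } else {
        Write-Host ("{0,-18} {1}" -f $key, $status[$key])
    }
}

# 3. Most recent auto-enrollment result (Event ID 76, as quoted in the question).
$evt = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    Id      = 76
} -MaxEvents 1 -ErrorAction SilentlyContinue
if ($evt) {
    Write-Host ("Last Event 76 at {0}: {1}" -f $evt.TimeCreated, $evt.Message)
    if ($evt.Message -match '0x8018002b') {
        # Same error as in the thread; its cause there was a non-routable UPN suffix.
        Write-Warning "0x8018002b seen: re-check the UPN suffix above and the domain's verification status in the Azure portal."
    }
} else {
    Write-Host "No Event ID 76 found: the auto-enrollment scheduled task has not run yet."
}
```

Run it before and after changing the UPN; once the suffix is a verified domain and the enrollment task has run, the three Mdm* URLs should be populated and the last Event 76 should report success.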
