During an Autopilot deployment using the hybrid Entra join scenario, the process failed with error 0x80070002 after the user entered their credentials and then waited for 25 minutes.
In this post we walk through the troubleshooting steps performed to identify and fix the issue.
Please read the posts on the Autopilot hybrid scenario flow here first, so that you have a clear understanding of how Autopilot with hybrid Entra join works.
The problem: Autopilot Hybrid Join ODJ Failed With Error 0x80070002
The user is trying to provision a device using the Autopilot hybrid Entra join scenario.
The user powers on the device, selects the region and keyboard, gets the branded sign-in page and enters their credentials successfully.
After the authentication with Entra completes successfully, the process gets stuck on this page.
It then fails after 25 minutes with the error 80070002 (0x80070002, ERROR_FILE_NOT_FOUND). The 25-minute wait is the time the client allows for the Offline Domain Join (ODJ) blob to arrive, which is the first hint that the failure is on the domain-join leg of the flow rather than in Entra authentication.
Troubleshooting: Autopilot Hybrid Join ODJ Failed With Error 0x80070002
For any Autopilot issue, always map the symptom to the flow in order to understand which step can be the cause of the issue.
We explained the flow for this scenario in the post Autopilot Hybrid Join Troubleshooting Series – Offline Domain Join.
Step 1: Confirm that the device is enrolled
From the diagnostics CAB file, check the event log “Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin” for event 72, which confirms that the MDM enrollment succeeded.
Step 2: The device starts waiting for the Offline Domain Join (ODJ) blob
In the same event log, check for event 111, which should be logged right after the enrollment.
After this event the device waits up to 25 minutes to receive the blob; once the blob is delivered, event 107 is logged in the same log.
Searching for event 107, it was not in the log, but event 100 was present, which indicates that the device failed to get the blob within the timeout.
The next step is to check the server-side logs to see whether the blob failed to be generated or failed to be sent to the device.
Step 3: Intune Connector for Active Directory downloads the ODJ blob request
First, check the status of the connectors in the Intune portal. There were two connectors, “ODJ1” and “ODJ2”, both with status Active and a recent sync time.
Because a request can be served by any active connector, we have to check the logs on both connectors to confirm which one received the request.
Check the connector Admin event log for event 30120, searching for the Intune device ID:
Event Viewer > Application and Services Logs > Microsoft > Intune > ODJConnectorService > Microsoft-Intune-ODJConnectorService/Admin
The request was received by connector “ODJ2”.
Step 4: Intune Connector for Active Directory requests and receives an ODJ blob from a Domain Controller
Check the connector Operational event log for event 30130, again searching for the Intune device ID:
Event Viewer > Application and Services Logs > Microsoft > Intune > ODJConnectorService > Microsoft-Intune-ODJConnectorService/Operational
The success event was not there, but event 30132 was, which indicates an error creating the computer account in the specified organizational unit, so the blob could not be generated:
We are unable to complete your request because a server-side error occurred. Please try again.”] [Exception Message: “Failed to call NetProvisionComputerAccount
The next action is to check the NetSetup log on the connector server (%windir%\debug\NetSetup.LOG), which contains the following errors:
NetpModifyComputerObjectInDs: ldap_add_s failed: 0x35 0x216d
NetpCreateComputerObjectInDs: NetpModifyComputerObjectInDs failed: 0x216d
NetpProvisionComputerAccount: LDAP creation failed: 0x216d
ldap_unbind status: 0x0
NetpJoinCreatePackagePart: status:0x216d.
NetProvisionComputerAccount: status: 0x216d
This confirms that the computer object could not be created in the OU specified in the Domain Join profile: ldap_add_s returned 0x35 (LDAP_UNWILLING_TO_PERFORM), and the join API mapped it to Win32 status 0x216d.
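The event and log checks in Steps 1 to 4 can be scripted so that the whole flow is walked in one pass and the answer to “did the blob never arrive, or was it never generated?” comes out in a single run. The following PowerShell is an added example, not code from the original post: it assumes the client .evtx has been extracted from the MDM diagnostics CAB to a placeholder path, that the Intune device ID is supplied as a placeholder GUID, that the connector servers are named ODJ1 and ODJ2 as in this post and are reachable over WinRM, and that NetSetup.LOG is in its default location on the connector.

```powershell
# Added example (not from the original post): walk the hybrid-join flow across the
# client diagnostics and every active connector server. Inputs are placeholders.
param(
    [string]$ClientEvtx = 'C:\MDMDiag\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx',
    [string]$IntuneDeviceId = '00000000-0000-0000-0000-000000000000',   # from the Intune portal
    [string[]]$Connectors = @('ODJ1', 'ODJ2')                             # connector names from the post
)

# --- Client side (Steps 1 and 2): 72 = enrolled, 111 = waiting for the ODJ blob,
#     107 = blob received, 100 = blob never arrived (logged at the 25-minute timeout).
$clientEvents = Get-WinEvent -FilterHashtable @{ Path = $ClientEvtx; Id = 72, 111, 107, 100 } -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated

$clientEvents |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize

$waiting  = $clientEvents | Where-Object Id -eq 111 | Select-Object -First 1
$received = $clientEvents | Where-Object Id -eq 107 | Select-Object -First 1
$timedOut = $clientEvents | Where-Object Id -eq 100 | Select-Object -First 1

if ($waiting -and -not $received -and $timedOut) {
    $waited = New-TimeSpan -Start $waiting.TimeCreated -End $timedOut.TimeCreated
    Write-Host ("Client waited {0:N0} minutes for the ODJ blob and timed out: the problem is server-side." -f $waited.TotalMinutes)
}

# --- Connector side (Steps 3 and 4): which connector received the request (30120, Admin log),
#     whether it produced a blob (30130) or failed (30132) in the Operational log, and the
#     final NetProvisionComputerAccount status lines from NetSetup.LOG on that server.
$connectorQuery = {
    param($DeviceId)
    $escapedId = [regex]::Escape($DeviceId)

    $admin = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Intune-ODJConnectorService/Admin'; Id = 30120 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $escapedId }
    $oper  = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Intune-ODJConnectorService/Operational'; Id = 30130, 30132 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $escapedId }

    $netsetup = Select-String -Path "$env:windir\debug\NetSetup.LOG" -Pattern 'NetProvisionComputerAccount: status' -ErrorAction SilentlyContinue |
        Select-Object -Last 3 | ForEach-Object { $_.Line.Trim() }

    [pscustomobject]@{
        Connector      = $env:COMPUTERNAME
        ReceivedReq    = [bool]$admin
        BlobCreated    = [bool]($oper | Where-Object Id -eq 30130)
        BlobFailed     = [bool]($oper | Where-Object Id -eq 30132)
        FailureMessage = ($oper | Where-Object Id -eq 30132 | Select-Object -First 1).Message
        NetSetupStatus = ($netsetup -join '; ')
    }
}

# Query every active connector: only the one that logged 30120 actually handled this device.
foreach ($server in $Connectors) {
    Invoke-Command -ComputerName $server -ScriptBlock $connectorQuery -ArgumentList $IntuneDeviceId -ErrorAction Continue
}
```

Run it from a workstation that has WinRM access to the connector servers; the connector lines need to be read with an account that can read the Intune connector event logs and %windir%\debug on those servers. A NetSetupStatus of 0x216d together with BlobFailed = True on the connector that shows ReceivedReq = True is exactly the pattern this post describes.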
Looking up error code 0x216d (decimal 8557, ERROR_DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED) leads to the following Microsoft doc:
The following error occurred when attempting to join the domain:
Your computer could not be joined to the domain. You have exceeded the maximum number of computer accounts you are allowed to create in this domain. Contact your system administrator to have this limit reset or increased.
Error 0x216d is logged in one of these conditions:
- The user account trying to join the machine to the domain has exceeded the limit of 10 machines joined to the domain.
- There is a GPO restriction to block authenticated users from joining a machine to the domain.
The cause: Autopilot Hybrid Join ODJ Failed With Error 0x80070002
The quota error is telling: when the account creating the computer object has no explicitly delegated rights on the target OU, the join falls back on the domain-wide ms-DS-MachineAccountQuota (10 by default) that Authenticated Users get, and a connector that provisions many devices exhausts that quota quickly. So the next action is to check that the delegated permissions for both connector servers' computer accounts are applied correctly on the OU.
After checking the permissions described in this Microsoft doc,
the permissions were applied for ODJ1 only, not for ODJ2, which is the connector that received the request.
The solution: Autopilot Hybrid Join ODJ Failed With Error 0x80070002
As mentioned in the post explaining the flow,
it is essential that all your active connectors have identical permissions on every OU specified in your Domain Join configuration profiles, because Intune can hand any given request to any active connector.
Configuring the correct delegated permissions for connector server ODJ2 on the OU solved the issue.
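To verify the fix, and to catch the same drift the next time a connector is added, the following PowerShell is an added example, not code from the original post: it reads the OU's ACL through the ActiveDirectory module's AD: drive, checks that each connector server's computer account holds the two delegations the Microsoft doc calls for (create and delete computer objects on the OU, full control over descendant computer objects), and prints the dsacls commands that would grant whichever is missing. The OU distinguished name and the domain are placeholders; the connector names ODJ1 and ODJ2 are taken from this post's scenario.

```powershell
# Added example (not from the original post): compare the delegated rights of every
# connector's computer account on the Domain Join profile OU. Placeholder OU/domain.
Import-Module ActiveDirectory

$OU         = 'OU=AutopilotDevices,DC=contoso,DC=com'   # OU from the Domain Join profile (assumed)
$Connectors = @('ODJ1', 'ODJ2')                           # connector server names from the post
$Domain     = (Get-ADDomain).NetBIOSName

# Schema GUID of the "computer" object class; delegated create/delete ACEs are scoped by it.
$computerClassGuid = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$createChild       = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$genericAll        = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

# ACL of the OU itself (includes ACEs inherited from parent OUs).
$acl = Get-Acl -Path "AD:\$OU"

foreach ($name in $Connectors) {
    # The connector service authenticates to AD as the connector server's computer account.
    $ident = "$Domain\$name`$"
    $aces  = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $ident -and $_.AccessControlType -eq 'Allow'
    }

    # Delegation 1: create (and delete) computer objects in this OU, "this object and all descendants".
    $canCreate = $aces | Where-Object {
        (($_.ActiveDirectoryRights -band $createChild) -eq $createChild) -and
        ($_.ObjectType -eq $computerClassGuid -or $_.ObjectType -eq [guid]::Empty)
    }
    # Delegation 2: full control over descendant computer objects (needed to finish provisioning the new account).
    $canManage = $aces | Where-Object {
        (($_.ActiveDirectoryRights -band $genericAll) -eq $genericAll) -and
        $_.InheritedObjectType -eq $computerClassGuid
    }

    [pscustomobject]@{
        Connector          = $name
        CreateComputerObjs = [bool]$canCreate
        FullOnDescendants  = [bool]$canManage
    }

    if (-not $canCreate -or -not $canManage) {
        # Remediation equivalent to the delegation wizard steps in the Microsoft doc.
        # /I:T = this object and all sub-objects; /I:S = sub-objects only.
        Write-Host "Missing delegation for $ident on $OU. Grant it with:"
        Write-Host "  dsacls `"$OU`" /I:T /G `"$($ident):CCDC;computer`""
        Write-Host "  dsacls `"$OU`" /I:S /G `"$($ident):GA;;computer`""
    }
}
```

Run it on a machine with the RSAT Active Directory tools as a user who can read the OU's security descriptor; the dsacls lines need rights to modify it, so they are printed rather than executed. The check looks for ACEs granted directly to each computer account, so a delegation that reaches a connector only through group membership would show up as missing even though it works; in that case compare group membership between the connectors too, since the requirement is that every active connector ends up with the same effective rights on every OU referenced by a Domain Join profile.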