Hybrid Domain Join
May 12, 2021 | by bgarmon
Hybrid Domain Join (Microsoft's own name for it is Hybrid Azure AD Join) means a computer has a computer object in on-premises Active Directory (AD) and a corresponding device object in Azure Active Directory (AAD), so it can be managed by Group Policy and still authenticate to Azure AD as a known device. Here is how to set up Active Directory to support this:
The 3 Steps Involved:
- Update AD Group Policy Objects (the Policy Definition templates)
- Azure AD Connect Configuration
- Enable Device Registration
Update AD Group Policy Objects
It is assumed you already have an AD domain configured and functional. This step is about making sure the Group Policy Central Store has the latest Policy Definition Files (ADMX/ADML templates) so the setting that enables Hybrid Domain Join can be configured at all.
There are some wacky things about AD that seem to defy conventional logic, and Group Policy template management is one of them. Windows 10 now ships two feature updates a year, and each one adds configuration options. When Windows 10 devices are joined to a domain, AD Group Policy Objects (GPOs) are the primary way they get configured. One would think the templates that describe those options would be updated automatically, but only the local copy on each machine (C:\Windows\PolicyDefinitions) is refreshed with the OS. If your domain uses a Central Store in SYSVOL, the Group Policy editor reads the templates from there instead, and the Central Store is only updated when an administrator updates it. Microsoft publishes several hundred definition files for each major build of Windows 10, each an *.ADMX file (with per-language *.ADML strings), bundled into an *.MSI on Microsoft's website. The advantage of this approach is that admins can choose to update all or only some of the *.ADMX files based on their own requirements. But for Hybrid Domain Join to be configurable, your Central Store needs the Windows 10 1803 or newer Policy Definition Files, which include the Device Registration setting. Here's what you need to do to update them:
- There are currently 6 versions of the Policy Definition Files, one for each major build of Windows 10. The good news is that they are backward compatible, so you only need the one that matches the highest build of Windows 10 you have deployed. The bad news is that you'll need to repeat this process every time a new build of Windows 10 is released (roughly every 6 months). Here is the link to Microsoft's website to download the 20H2 version of the files:
- Run the Administrative Templates (.admx) for Windows 10 October 2020 Update.msi. Double-click it, click Next a few times, and it's done. Well, not quite: unlike most .MSI files, which install a program, this one only extracts files to
C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2020 Update (20H2)\PolicyDefinitions, and the installer never tells you so. You now have to copy the files into SYSVOL, as described in the next step. Because the MSI does nothing but extract files, there is no need to run it on a Domain Controller; run it on an administrative workstation and copy from there, which keeps third-party installers off your DCs.
- With the files extracted, use Windows File Explorer to copy the contents of the PolicyDefinitions folder from
C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2020 Update (20H2)\PolicyDefinitions to the
SYSVOL\YOURdomain\Policies\PolicyDefinitions\ folder on your DC (the Central Store). If that folder does not exist yet, create it; its presence is what tells the Group Policy editor to use the Central Store instead of the local templates.
In my lab, my domain is named lab.aftersixcomputers.com so my SYSVOL folder that I need to copy these to is
\\lab.aftersixcomputers.com\SYSVOL\lab.aftersixcomputers.com\Policies\PolicyDefinitions. Adjust your folder path for your domain name.
The end result will look like this:
It’s worth noting that in versions of the MSI targeted at earlier releases of Windows 10, the extracted directory incorrectly added a space between the folder Policy and Definitions, making the folder that gets extracted end up with the name Policy Definitions instead of the required PolicyDefinitions. Make sure your folder does not include a space. This behavior was corrected in the 20H2 release of the MSI, but watch out for this if you are downloading older versions.
- And that's it! Well, sort of. Depending on your domain infrastructure, you'll need to wait for SYSVOL replication (DFS Replication) to carry the new files to every Domain Controller. To confirm the editor is actually using them, open any GPO in Group Policy Management Editor and select Administrative Templates under Computer Configuration > Policies: the node's description should read "Policy definitions (ADMX files) retrieved from the central store." Note that this does not change any existing GPO or what clients enforce; it only makes the new Windows 10 settings available to configure.
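The copy-and-check procedure above, scripted in PowerShell as an added example (this is not code from the original post). It assumes the 20H2 MSI has already been run on the machine it executes on, that the RSAT ActiveDirectory module is installed, and that the caller can write to SYSVOL; it also tolerates the older "Policy Definitions" (with a space) extraction folder mentioned below and copies only the language packs you list.

```powershell
# Added example: populate the Group Policy Central Store from the extracted
# 20H2 templates and verify the result. Not part of the original post.
# Assumptions: MSI already extracted on this host, RSAT ActiveDirectory module
# present, caller has write access to SYSVOL.
Import-Module ActiveDirectory

$Domain  = (Get-ADDomain).DNSRoot
$Source  = 'C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2020 Update (20H2)\PolicyDefinitions'
$Central = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
$Langs   = @('en-US')   # copy only the language packs your admins actually use

# Older MSIs extracted to "Policy Definitions" (with a space); accept either name.
if (-not (Test-Path -LiteralPath $Source)) {
    $Alt = Join-Path (Split-Path $Source -Parent) 'Policy Definitions'
    if (Test-Path -LiteralPath $Alt) { $Source = $Alt }
    else { throw "Extracted templates not found under $(Split-Path $Source -Parent)" }
}

# The Central Store folder name must be exactly "PolicyDefinitions".
if (-not (Test-Path -LiteralPath $Central)) {
    New-Item -ItemType Directory -Path $Central | Out-Null
}

# .admx files go in the root of the Central Store, .adml files in per-language folders.
Copy-Item -Path (Join-Path $Source '*.admx') -Destination $Central -Force
foreach ($lang in $Langs) {
    $dst = Join-Path $Central $lang
    if (-not (Test-Path -LiteralPath $dst)) { New-Item -ItemType Directory -Path $dst | Out-Null }
    Copy-Item -Path (Join-Path $Source "$lang\*.adml") -Destination $dst -Force
}

# Check 1: no stray "Policy Definitions" folder sitting next to the real store.
$stray = Get-ChildItem "\\$Domain\SYSVOL\$Domain\Policies" -Directory |
         Where-Object { $_.Name -ne 'PolicyDefinitions' -and $_.Name -like 'Policy*Definitions' }
if ($stray) { Write-Warning "Stray template folder(s): $($stray.Name -join ', ')" }

# Check 2: the Device Registration setting resolves from the copied templates.
# Searching the ADML strings avoids depending on the template's file name.
$hit = Get-ChildItem (Join-Path $Central 'en-US') -Filter *.adml |
       Select-String -Pattern 'Register domain joined computers as devices' -List
if ($hit) { "Device Registration template present: $($hit.Filename)" }
else      { Write-Warning 'Device Registration template not found in Central Store' }

# Check 3: a count you can compare on each DC once SYSVOL replication finishes.
'{0} ADMX files now in {1}' -f (Get-ChildItem $Central -Filter *.admx).Count, $Central
```

Run it from an administrative workstation rather than a Domain Controller; the only thing that needs to reach the DC is the file copy to SYSVOL. Re-run the count on each DC after replication to confirm every one has the same set of templates.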
Azure AD Connect
Microsoft Azure AD Connect is the tool that synchronizes user accounts, groups, computer objects and other configuration items from AD to Azure AD. The sync is primarily one-way (AD to Azure AD), with optional writeback features as the exceptions. What you may not realize is that Microsoft updates the tool regularly as Azure changes. Automatic upgrade only applies to installations that meet Microsoft's conditions (for example, Express settings), so in many environments you'll have to download a new .MSI, run it to upgrade the existing installation, and then walk through its configuration tasks again. At the time of this writing 22.214.171.124 was the latest version. If you don't know which version you have installed, on the Windows Server running the tool open Start Menu > Settings > Apps and Features and you'll see the version under the program entry. Treat that server as Tier 0: its AD connector account holds directory replication rights when password hash sync is enabled, so anyone who can log on to it can effectively read the whole directory. Patch it like a Domain Controller and restrict who can sign in.
Here’s a link to Microsoft’s Download page for the tool:
After install or upgrade, you'll need to make sure the Device Options are configured to allow Hybrid Domain Join to function. Launch the tool, choose Configure Device Options, and walk through the next several configuration screens shown below to enable Hybrid Domain Join functionality.
The next two steps of the wizard configure the Service Connection Point (SCP) and, for federated domains, the federation settings, topics I won't go into detail on here. The SCP is an object in the forest's Configuration partition that tells Windows 10 clients which Azure AD tenant to register with, so it is worth confirming it points at the tenant you expect. Microsoft provides additional documentation on this subject here:
With Azure AD Connect now configured to support Hybrid Domain Join, the next step is to configure the AD GPO for Device Registration.
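A server-side check for the SCP that the Configure Device Options wizard writes, as an added example (not code from the original post or from Azure AD Connect). It assumes the RSAT ActiveDirectory module and read access to the Configuration partition; the expected tenant name is a placeholder you replace with your own verified domain.

```powershell
# Added example: read the Azure AD device-registration Service Connection Point
# and compare it against the tenant you intended. Not part of the original post.
# Assumption: RSAT ActiveDirectory module, read access to the Configuration NC.
Import-Module ActiveDirectory

$configNC  = (Get-ADRootDSE).configurationNamingContext
$container = "CN=Device Registration Configuration,CN=Services,$configNC"

# Azure AD Connect creates one serviceConnectionPoint under this container.
$scp = Get-ADObject -SearchBase $container `
                    -LDAPFilter '(objectClass=serviceConnectionPoint)' `
                    -Properties keywords

if (-not $scp) {
    throw "No SCP found under $container - run 'Configure device options' in Azure AD Connect first"
}

# The keywords attribute carries two values:
#   azureADName:<verified domain>   azureADId:<tenant GUID>
$tenantName = ($scp.keywords | Where-Object { $_ -like 'azureADName:*' }) -replace '^azureADName:', ''
$tenantId   = ($scp.keywords | Where-Object { $_ -like 'azureADId:*' })   -replace '^azureADId:', ''

[pscustomobject]@{
    SCP        = $scp.DistinguishedName
    TenantName = $tenantName
    TenantId   = $tenantId
}

# Guard against a stale SCP left over from a lab or a previous tenant: every
# client in the forest will try to register with whatever this points at.
$expectedTenant = 'contoso.com'   # assumption: replace with your verified domain
if ($tenantName -ne $expectedTenant) {
    Write-Warning "SCP points at '$tenantName', expected '$expectedTenant'"
}
```

Because the SCP lives in the Configuration partition it is forest-wide, so a single misconfigured or stale SCP affects every domain in the forest; check it before enabling the GPO in the next section.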
Enable Device Registration
The next step is to create a new GPO that enables Device Registration. Azure AD Connect is what creates the device object in Azure AD, by synchronizing the on-premises computer object; the GPO is what makes each Windows 10 client do its part, running the automatic device registration task, which reads the SCP, contacts Azure AD's Device Registration Service and completes the join. Once both are in place, domain-joined Windows 10 devices in scope of the GPO show up in Azure AD with a join type of "Hybrid Azure AD joined".
- Open Group Policy Management Editor
- Right-click on your Domain and choose "Create a GPO in this domain, and Link it here…". Linking at the domain root puts every domain-joined computer in scope; if you want to pilot first, link it to an OU of test machines or use security filtering instead.
- Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Device Registration as seen below.
- Enable the setting “Register domain joined computers as devices” as illustrated below
- With this in place, Microsoft recommends a few other things to think about as documented here: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-hybrid-azure-ad-join-post-config-tasks
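The GPO steps above done with the GroupPolicy module, plus the client-side check you want afterwards, as an added example (not code from the original post). It assumes the RSAT GroupPolicy and ActiveDirectory modules on the admin host; the GPO name is made up for this example. Enabling "Register domain joined computers as devices" writes the registry value the first function sets, which is why this works even before the 20H2 templates are in the Central Store.

```powershell
# Added example: create/link the Device Registration GPO, then verify on a
# client. Not part of the original post.
# Assumptions: RSAT GroupPolicy + ActiveDirectory modules on the admin host;
# the GPO name below is invented for this example.

# Run on the admin host.
function New-DeviceRegistrationGpo {
    param([string]$GpoName = 'Hybrid Azure AD Join - Device Registration')   # assumed name
    Import-Module GroupPolicy, ActiveDirectory

    $domain = Get-ADDomain
    $gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $GpoName -Comment 'Enables automatic device registration with Azure AD'
    }

    # "Register domain joined computers as devices" = Enabled sets this value.
    Set-GPRegistryValue -Guid $gpo.Id `
        -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin' `
        -ValueName 'autoWorkplaceJoin' -Type DWord -Value 1 | Out-Null

    # Link at the domain root (all computers). Point -Target at an OU to pilot.
    $linked = (Get-GPInheritance -Target $domain.DistinguishedName).GpoLinks |
              Where-Object DisplayName -eq $GpoName
    if (-not $linked) {
        New-GPLink -Guid $gpo.Id -Target $domain.DistinguishedName -LinkEnabled Yes | Out-Null
    }
    Get-GPO -Guid $gpo.Id
}

# Run on a Windows 10 client after 'gpupdate /force' and a reboot or logon.
function Test-HybridJoinState {
    # Did the policy land?
    $policy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin' `
                               -ErrorAction SilentlyContinue
    $policyOn = ($policy.autoWorkplaceJoin -eq 1)

    # Parse "Key : Value" lines from dsregcmd /status into a hashtable.
    $status = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*(\S[^:]*?)\s*:\s*(.+?)\s*$') { $status[$matches[1]] = $matches[2] }
    }

    [pscustomobject]@{
        PolicyApplied = $policyOn
        DomainJoined  = $status['DomainJoined']  -eq 'YES'
        AzureAdJoined = $status['AzureAdJoined'] -eq 'YES'
        TenantName    = $status['TenantName']
        DeviceId      = $status['DeviceId']
    }
}
```

A healthy hybrid-joined client reports DomainJoined and AzureAdJoined both true and a TenantName matching the SCP. PolicyApplied true with AzureAdJoined false usually means the client has not yet been able to reach Azure AD or the computer object has not synced yet; the task retries on its own, so check Azure AD Connect's sync status before troubleshooting the client.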
Additional Documentation from Microsoft:
There are all types of ways to complicate this configuration so a few links from Microsoft are included below which cover some of these more complex setups: