Common DRS Error Codes & Possible Troubleshooting Guides


After we followed the Configure hybrid Azure Active Directory join guides to set up the hybrid AAD join device, we still might encounter issues that our devices are not able to join Azure AD.

We can always use the command dsregcmd /status to check if the device was joined to Azure AD in the Command Prompt.

For Hybrid Azure AD Joined devices, under Device State:

Both AzureAdJoined and DomainJoined value should return YES.

If we did few attempts to Hybrid Join the device but the AzureAdJoined still return NO, we can perform further troubleshooting steps. And in the beginning, let us collect logs from the Event Viewer (eventvwr.msc) > Applications and Services Logs > Microsoft > Windows > User Device RegistrationAdmin

1. Common Errors Codes Combinations and Possible Solutions

User Device Registration – Admin – EventID 304 or 305

AdalResponseCode: 0xcaa1000e
ErrorDescription: The handle is invalid.

Recommended step is to check the AD FS claim rules. It is important to have the AD FS claim rules in the described order and if you have multiple verified domains, do not forget remove any existing IssuerID rule that might have been created by Azure AD Connect or other means. Microsoft also recommends using Azure AD Connect wizard to set up device registration. Other way to configure correct claim rules for your Office 365 Relying Party is to use official AD FS claims generator.

Fallback Sync Join – EventID 304

There could be another senario that thrid party federation services were used, such as Okta, etc. Third party federation services will not support the federated Hybrid Azure AD join, after the federated Hybrid Azure AD join fail it will also return EventID 304 or 305 (Later it will be fallback to sync join, which involves Azure AD Connect and the userCertificate attribute).

Fallback to Hybrid Azure AD Sync Join

User Device Registration – Admin – EventID 305

AdalErrorCode: 0xcaa90006
ErrorDescription: It failed to get token by WS-Trust flow.

Make sure the computer is able to reach and authenticate to specified in the error text description Identity Provider endpoint.

User Device Registration – Admin – EventID 204

ErrorCode: 0x801c03f2 or 0x801c03f3
The device object by the given id (xxx) is not found.

Make sure the on-premises computer object is synchronized to Azure AD. Run the Delta Azure AD Connect Sync PowerShell Command:

Start-ADSyncSyncCycle -PolicyType Delta

User Device Registration – Admin – EventID 204 or 304

ErrorCode: 0x801c03f2
ErrorDescription: The public key user certificate is not found on the device object with id (xxx).

Make sure the userCertificate attribute is selected in the Azure AD Connect “Select Attributes” settings of the on-premises connector.

User Device Registration – Admin – EventID 304 (309, 201 and 233 coming before it) or Debug – EventID 500

ErrorCode (Admin Event 304): 0x801c0021 

Errorcode (Admin Event 201): 0x80072efe
ErrorDescription: The connection with the server was terminated abnormally.

ErrorMessage (Debug Event 500): wmain TenantInfi::Discover failed with error code 0x801c0021

Most likely the network or proxy didn’t allow the connection to Azure AD device registration endpoints or IdP to complete authentication. See the next error description for the recommended troubleshooting steps.

User Device Registration – Debug – EventID 502

ErrorCode (Admin Event 304): 0x80072ee7
ErrorDescription: The server name or address could not be resolved.
ErrorMessage: WinHttpRequest<class DiscoveryHttpRequest>::OnCallback:The callback handling failed with error code:0x80072ee7

Most likely the network or proxy didn’t allow the connection to Azure AD device registration endpoints or IdP to complete authentication. Open a new cmd window as System Account using the psexec tool:

psexec.exe -i -s cmd.exe

You can refer to this post about how to use the psexec tool: Execute Processes Remotely with PsExec Tool

Use the System Account cmd window open a broswer, and try to navigate to:<VerifiedDomain>/enrollmentserver/contract?api-version=1.2 

Replace <VerifiedDomain> with your own verified domain

You should see the list of device registration service endpoints like this.

If there is a failure, you might want to configure the correct Winhttp proxy settings, and test in the same browser window opened as System Account.

User Device Registration – Admin – 0x80004005

wmain: Unable to retrieve access token 0x80004005

Check the AD FS claim rules.

User Device Registration – Admin – 0xCAA90022

ErrorCode: 0xCAA90022
ErrorDescription: Could not discover endpoint for Integrate Windows Authentication.

Check your ADFS settings. It should support Integrate Windows Authentication for WS-Trust 1.3. In case your IdP is not AD FS consult your IdP documentation.

User Device Registration – Admin – 0xCAA9002b

ErrorCode: 0xCAA9002b
ErrorDescription: ADAL – ADALUseWindowsAuthenticationTenant failed, unable to perform integrated auth.

Check your STS settings. It should support Integrate Windows Authentication for WS-Trust 1.3. In case your IdP is not AD FS consult your IdP documentation.

User Device Registration – Admin – 0x801c001d

ErrorCode: 0x801c001d
ErrorDescription: Failed to lookup the registration service information from Active Directory.

Check the Service Connection Point settings in on-premises Active Directory.

User Device Registration – Admin – 0x801c0012 or Debug – 0x801c03e9

ErrorCode: 0x801c0012
ErrorDescription: The discovery operation callback failed with exit code: Unknown HResult Error code 0x801c0012. The server returned HTTP status: 400. 

ErrorCode: 0x801c03e9

The on-premises proxy requiring authentication. Capture network trace while reproducing registration attempt to get more details.

2. Use the Dsregcmd Command with /debug flag to Troubleshoot

dsregcmd /status /debug

We can also use the psexec tool to open a System Account command prompt window to run this command to check if there were errors: