It is simple and straightforward to connect or join your device to on-premise Active Directory. The device must be able to reach a domain controller so that its computer object can be created, and you need the right permissions, such as Domain Admin, to join the device to the domain.
However, if your device is already connected to Azure Active Directory, you may receive an error message that prevents you from joining your device to on-premise Active Directory. The error message looks like this:
The following error occurred attempting to join the domain <domain name>:
This device is joined to Azure AD. To join an Active Directory domain, you must first go to settings and choose to disconnect your device from your work or school.
An event related to this error is also logged in Event Viewer. The Event ID is 4097 and the error code is 2700. The exact error message is: "The machine <devicename> attempted to join the domain <domain name> but failed. The error code was 2700".
You may see this error message on Windows client operating systems, e.g. Windows 10 or Windows 11, as well as on Windows Server operating systems, e.g. Windows Server 2016, Windows Server 2019 or Windows Server 2022.
Your device may have been silently joined to Azure AD by group policy, so when you try to connect the device to on-premise Active Directory you receive these errors.
To fix the issue, you will need to disconnect the device from the Azure AD organization first and then connect it to on-premise Active Directory. Let's check the steps:
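To confirm that this is the failure you are hitting before changing anything, the following added PowerShell function (not part of the original post) pulls the Event ID 4097 entries from the System log and extracts the domain name and error code from the message text quoted above. The message pattern it matches is the one shown in this post.

```powershell
# Added example: list failed domain-join attempts (System log, Event ID 4097)
# and flag those with error code 2700, the "device is joined to Azure AD" case.
function Get-DomainJoinFailure {
    param(
        # Only events newer than this are returned; default is the last 7 days.
        [datetime]$Since = (Get-Date).AddDays(-7),
        # Error code of interest; 2700 is the one described in this post.
        [int]$ErrorCode = 2700
    )

    $filter = @{ LogName = 'System'; Id = 4097; StartTime = $Since }

    # Get-WinEvent reports an error when nothing matches; treat that as "no failures".
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Message: "The machine <device> attempted to join the domain <domain> but failed.
            #           The error code was <code>"
            if ($_.Message -match 'join the domain (?<Domain>\S+) but failed\. The error code was (?<Code>\d+)') {
                [pscustomobject]@{
                    Time          = $_.TimeCreated
                    Computer      = $_.MachineName
                    Domain        = $Matches.Domain
                    ErrorCode     = [int]$Matches.Code
                    AzureAdJoined = ([int]$Matches.Code -eq $ErrorCode)
                }
            }
        }
}

# Show the recent failures; AzureAdJoined = True means the fix in this post applies.
Get-DomainJoinFailure | Format-Table -AutoSize
```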
Disconnect Windows device from Azure AD
As I was joining a Windows 10 device to Azure AD, I will provide the screenshots and steps from a Windows 10 computer. However, if you are using any other Windows OS, e.g. Windows Server 2019, the steps remain the same.
- Click on Start > Settings > Accounts.
- Click on Access work or school.
- Click on the connected organization and then click on Disconnect.
If you are unable to find your organization under Access work or school, which can be the case on a Windows Server OS, you can use the command line to disconnect the server from Azure AD instead. First verify the server's Azure AD join status with the dsregcmd /status command, then use the dsregcmd /leave command to disconnect the server from Azure AD.
Once you click on the Disconnect button, you will receive a pop-up message: "Are you sure you want to remove this account? This will remove your access to resources such as email, apps and network, and all content associated with it. Your organization might also remove some data stored on this device."
Click on Yes to proceed further.
Click on the Disconnect button to disconnect your device from Azure AD.
After you click on the Disconnect button, it asks you to enter the details of an alternative account.
Please make sure you create a local administrator account, or another alternative account, so that you can log back in to the device after it has been disconnected from Azure AD. I have created a local user account named jatin and added it to the local Administrators group.
Type the local account as .\<account name> and provide its password. Click on OK to proceed.
Click on Restart now to restart the device.
After the device restarts, it asks for the password of the local user account that I created earlier. Type the password and sign in to the device.
Connect device to on-premise Active Directory
Now that our device is disconnected from Azure AD, we can proceed with joining it to on-premise Active Directory. If you want to verify the status of the device's Azure AD connection first, you can use the command dsregcmd /status.
Now, to connect the device to on-premise Active Directory, please follow the steps below:
- Press Windows key + R to open Run box.
- Type sysdm.cpl and press Enter.
- Click on the Change button on the Computer Name tab.
- In the Domain field, type the FQDN of the on-premise Active Directory domain.
- Click on OK to proceed.
As you can see, this time it completed successfully. You will have to restart your device after joining it to the domain. Once the device restarts, you can log in on the device using domain credentials.
Can I disconnect my device from Azure AD using the command line?
Yes, you can disconnect your Windows device from Azure AD using the command prompt. Use the dsregcmd /leave command, which has the same effect as going to Settings > Accounts > Access work or school and clicking on Disconnect on your Azure AD device connection.
How to check the status of Azure AD join on my Windows device?
Open a command prompt and type the dsregcmd /status command to check the status of your device's connection to Azure AD. Look for the AzureAdJoined value under Device State. If it says No, your device is not connected to Azure AD.
Where to find Azure AD join information in the Windows registry?
When a device is joined to Azure AD, its join information is stored in the Windows registry. Follow the steps below to locate it:
- Press Windows key + R to open a Run box.
- Type regedit and press Enter.
- Navigate to HKLM\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\JoinInfo\{Guid}
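The two checks described in the FAQ answers above (the AzureAdJoined value from dsregcmd /status and the CloudDomainJoin\JoinInfo registry key) can be combined into one pre-join report. The following PowerShell function is an added example, not code from the original post; it assumes an elevated prompt on Windows 10/11 or Windows Server 2016 and later, where dsregcmd.exe is available, and the optional -Leave switch runs the same dsregcmd /leave command the post describes.

```powershell
# Added example: report whether this device is still Azure AD joined, i.e. the
# state that produces error 2700 when you try to join an on-premise domain.
function Get-AzureAdJoinState {
    [CmdletBinding()]
    param(
        # -Leave runs "dsregcmd /leave" if the device is Azure AD joined.
        # Create a local administrator account first, exactly as the post advises.
        [switch]$Leave
    )

    # dsregcmd /status prints lines such as "AzureAdJoined : YES" under "Device State".
    function Read-DeviceState {
        $state = @{ AzureAdJoined = $false; DomainJoined = $false }
        foreach ($line in (& dsregcmd.exe /status)) {
            if ($line -match '^\s*(AzureAdJoined|DomainJoined)\s*:\s*(\S+)') {
                $state[$Matches[1]] = ($Matches[2] -eq 'YES')
            }
        }
        return $state
    }

    $state = Read-DeviceState

    if ($state.AzureAdJoined -and $Leave) {
        # Same effect as Settings > Accounts > Access work or school > Disconnect.
        & dsregcmd.exe /leave | Out-Null
        $state = Read-DeviceState   # re-read so the report reflects the new state
    }

    # Join details live under the registry key from the post; each subkey is a GUID.
    $joinInfoKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\JoinInfo'
    $joinGuids = @(Get-ChildItem -Path $joinInfoKey -ErrorAction SilentlyContinue |
                   Select-Object -ExpandProperty PSChildName)

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        AzureAdJoined  = $state.AzureAdJoined
        DomainJoined   = $state.DomainJoined
        JoinInfoGuids  = $joinGuids
        # Only attempt the sysdm.cpl domain join when both indicators are clear.
        ReadyForAdJoin = (-not $state.AzureAdJoined) -and ($joinGuids.Count -eq 0)
    }
}

Get-AzureAdJoinState | Format-List
```

Run Get-AzureAdJoinState -Leave to disconnect, then restart the device before joining the domain, as described earlier.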
Conclusion
In this blog post we have seen how to fix the issue of joining your Windows device to on-premise Active Directory when it is already joined to Azure AD: how to disconnect your device from Azure AD and how to verify its status from the command line. Hopefully this resolves your issue. If you are still having issues connecting to on-premise Active Directory, check the System event log, which provides details about the particular error.