Error Joining device to Active Directory. Event ID 4097

Connecting or joining a device to an on-premises Active Directory domain is simple: the device must be able to reach a domain controller so that its computer object can be created, and the account you use must have the right permissions (for example, membership in Domain Admins) to join the device to the domain.

However, if your device is already joined to Entra ID, you may receive an error message that prevents you from joining it to the on-premises Active Directory domain. The error message looks like this:

The following error occurred attempting to join the domain <domain name>:
This device is joined to Azure AD. To join an Active Directory domain, you must first go to settings and choose to disconnect your device from your work or school.
Event ID 4097

An event related to this error is also logged in Event Viewer: the Event ID is 4097 and the error code is 2700. The exact error message is: The machine <devicename> attempted to join the domain <domain name> but failed. The error code was 2700.

Event ID 4097

These error messages and issues can occur on various Windows operating systems, including Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, and Windows Server 2022.

Your device might have been joined to Entra ID silently, for example through Group Policy. As a result, you see these errors when you try to join the device to the on-premises Active Directory domain.

To resolve this, you must first disconnect the device from the Entra ID organization and then join it to the on-premises Active Directory domain. Let’s go through the steps:

1. Disconnect the Windows device from Entra ID

To disconnect a Windows device from Entra ID, follow the below steps:

  • Click on Start > Settings > Accounts.
  • Click on Access work or school.
  • Click on the connected organization and then click on Disconnect.

If you can’t locate your organization under Access work or school, which might be the case on a Windows Server OS, you can disconnect the server from Entra ID using the command line.

To do this, first confirm the server’s Entra ID join status with the dsregcmd /status command, and then disconnect the server with dsregcmd /leave.

Note: After clicking the Disconnect button, a pop-up message will appear with the following warning: Are you sure you want to remove this account? This action will revoke your access to resources like email, apps, networks, and any associated content. Your organization may also delete certain data stored on this device.

  • Click on Yes to proceed.
  • Click on the Disconnect button to disconnect your device from Entra ID.
  • Once you click the Disconnect button, you will be prompted to provide the details of an alternative account.
  • Make sure to create a local administrator account or another alternative account to regain access to your device after it has been disconnected from Entra ID. I’ve created a local user account named ‘jatin’ and added it to the local Administrators group.
  • Type the local account as .\<account name> and provide its password. Click on OK to proceed.
  • Click on Restart now to restart the device.
  • After the device is restarted, it will prompt you for the password of the local user account you created earlier. Enter the password to sign in to the device.

2. Connect the device to the on-premises Active Directory

Now that the device is disconnected from Entra ID, we can join it to the on-premises Active Directory domain. If you wish to confirm the device’s Entra ID join status first, run dsregcmd /status.

dsregcmd /status

To join the device to the on-premises Active Directory domain, follow the steps below:

  1. Press the Windows key + R to open the Run box.
  2. Type sysdm.cpl and press Enter.
  3. Click the Change button on the Computer Name tab.
  4. Enter the Fully Qualified Domain Name (FQDN) of your on-premises Active Directory domain in the Domain field.
  5. Click OK to proceed.

As the screenshot below shows, this time the join completed successfully. After joining the device to the domain, you need to restart it. Once the device restarts, you can log in with your domain credentials.

Connect to on-premises Active Directory

Disconnecting a Device from Entra ID Using a Command

You can disconnect your Windows device from Entra ID from the command prompt: the dsregcmd /leave command has the same effect as going to Settings > Accounts > Access work or school and clicking Disconnect.

Check Entra ID Join Status on Your Windows Device

Open a command prompt and run dsregcmd /status to check the device’s Entra ID join status. Look for the AzureAdJoined value under Device State. If it shows No, your device is not joined to Entra ID.

Locate Entra ID Join Information in the Registry

When a device is joined to Entra ID, its information is stored in the Windows Registry. Follow the steps below to locate the Entra ID join information in the registry.

  • Press the Windows key + R to open a Run box.
  • Type regedit and press Enter.
  • Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\JoinInfo\{GUID}, where {GUID} is the subkey created for the device’s Entra ID registration.

Conclusion

In this blog post, we have explored how to address issues related to joining a Windows device to an on-premises Active Directory domain. We’ve also covered disconnecting the device from Entra ID and verifying its status from the command line.

These steps should help resolve your issue. However, if you still experience difficulties joining the on-premises Active Directory domain, consult the System event log, which provides specific details about any related errors.
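The checks described above (the AzureAdJoined value from dsregcmd /status, the CloudDomainJoin\JoinInfo registry key, and Event ID 4097 in the System log) can be run together from one script. The following is an added example, not code from the original post; it assumes an elevated PowerShell session, the English "Key : Value" layout of dsregcmd /status, and the English wording of the 4097 event message quoted earlier.

```powershell
# Added example (not from the original post): diagnose the Event ID 4097 /
# error 2700 join failure before retrying the domain join.
# Assumes an elevated PowerShell session and the English "Key : Value"
# output layout of dsregcmd /status.

function Get-DsregState {
    # Turn every "Name : Value" line of dsregcmd /status into a hashtable entry.
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*([A-Za-z][^:]*?)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Get-CloudJoinInfo {
    # Entra ID join details live under one GUID-named subkey per registration.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\JoinInfo'
    if (-not (Test-Path $base)) { return @() }
    Get-ChildItem -Path $base | ForEach-Object {
        Get-ItemProperty -Path $_.PSPath | Select-Object -Property * -ExcludeProperty PS*
    }
}

function Get-JoinFailureEvents {
    # Event ID 4097 in the System log records failed domain-join attempts;
    # pull the numeric error code out of the message text for easier triage.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 4097 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $code = if ($_.Message -match 'error code was (\d+)') { [int]$Matches[1] } else { $null }
            [pscustomobject]@{ Time = $_.TimeCreated; ErrorCode = $code; Message = $_.Message }
        }
}

$state = Get-DsregState
"AzureAdJoined : $($state['AzureAdJoined'])"
"DomainJoined  : $($state['DomainJoined'])"

if ($state['AzureAdJoined'] -eq 'YES') {
    Write-Warning 'Device is still Entra ID joined: the AD join will fail with error 2700.'
    Write-Warning 'Disconnect it first (Settings > Accounts > Access work or school, or dsregcmd /leave).'
    Get-CloudJoinInfo | Format-List
}

# Error code 2700 on a 4097 event is the signature of the failure covered above.
Get-JoinFailureEvents | Where-Object { $_.ErrorCode -eq 2700 } | Format-Table Time, ErrorCode -AutoSize
```

Run the script again after disconnecting and restarting: AzureAdJoined should read NO and the JoinInfo subkey should be gone before you retry the domain join.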
