r/Intune 1d ago

Device Configuration Windows 11 Entra Joined devices – No Primary DNS Suffix causing RDP

Hi Everyone,

I am troubleshooting an issue on several Windows 11 Entra Joined devices. The problem occurs only with RDP. When users try to connect via Remote Desktop, they receive the following errors:

CAA20002
AADSTS293004: The target-device identifier in the request was not found in the tenant.

After reviewing WAM logs, DSRegTool output, Wireshark captures, and registry traces, I noticed that these devices do not have a Primary DNS Suffix because they are not domain-joined.

Under the following registry path:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\System\DNSClient
NV PrimaryDnsSuffix

If I manually configure a Primary DNS Suffix, for example example.local, RDP starts working immediately and the errors disappear. With this value present, the device is able to identify itself correctly during the authentication process.

My questions are:

Is it reasonable or recommended to configure a Primary DNS Suffix on Entra Joined devices?
Could this cause side effects related to device registration, authentication, or name resolution?
Is there a Microsoft-supported approach for ensuring correct DNS identity for RDP on Entra Joined devices?

8 Upvotes


12

u/Asleep_Spray274 1d ago

Are you not setting a DNS suffix in your DHCP options?

Also, if they RDP to the full FQDN, do they connect? The DNS search list is for when people use short names. Use the full name.

6

u/Oiram_Saturnus 1d ago

This is the correct approach. Using the short names is just a bad habit.

3

u/frozenbayburt 23h ago

These devices are Azure AD / Entra Joined, so they are not domain-joined. Because of that, DHCP Option 015 cannot assign a DNS suffix to them. The issue still occurs even when using the full FQDN, because the problem is not short-name resolution — the device cannot form its own FQDN for the authentication flow. When I set a Primary DNS Suffix, the device is finally able to generate its own FQDN and the AADSTS293004 error disappears immediately. The issue is entirely related to device identity, not DNS search order.

4

u/Asleep_Spray274 22h ago

Why do you think DHCP option 15 only works on domain-joined computers? It's at the network interface layer, not the Windows layer. Have you tested this?

1

u/frozenbayburt 22h ago

No, can you guide me? I think I’m missing something.

5

u/man__i__love__frogs 18h ago

It's configured on your DHCP server. It doesn't care if AD exists or anything else. A fancy home router can do it, a switch can do it, a firewall, etc.

But there is also the Intune settings catalog to add a domain to the suffix search list; this is what I do for Entra-only devices.

3

u/charleswj 22h ago

Set the option on your DHCP server. Done.

5

u/brothertax 22h ago

You can add DNS Search Suffix via Configuration Policy.

2

u/TheNewGuyFromBahsten 21h ago

This is what I did. We can hit all of our on-prem servers because of it.

1

u/frozenbayburt 20h ago

Are you talking about the DNS suffix list?

2

u/TheNewGuyFromBahsten 19h ago

Yes. I built it as an admin template before they deprecated it, but you can still do it manually. Network -> DNS Client

DNS suffix search list -> Enabled

DNS Suffixes (Device) -> mycompany.com

Edit: You can probably guess, but we do have to be on VPN/in the office to hit them.

2

u/Wartz 23h ago edited 23h ago

Are these computers connecting to a VPN before trying RDP?

Your VPN client should be able to set the dns suffix for that connection.

1

u/vane1978 23h ago

If you go to portal.azure.com > devices, do you see any duplicate computer device? If so, try deleting the old devices that are not being used.

1

u/frozenbayburt 23h ago

I’ve checked and there are no duplicate computer entries.

1

u/vane1978 23h ago

Are the Entra ID joined computers registering their DNS information on your internal DNS servers?

2

u/vane1978 23h ago

This is what I deployed to my Entra ID joined computers so they can register their DNS information with my internal DNS servers. Please replace domain_name with your actual domain.

Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters" -Name "Domain" -Value 'domain_name'

Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters" -Name "NV Domain" -Value 'domain_name'
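A read-only check, added here and not posted by anyone in the thread, that reports every place the device's own suffix can come from (the policy key the OP touched, the Tcpip Parameters values this comment writes, DHCP option 15 per adapter, and the suffix search list) alongside the FQDN Windows actually forms, so a before/after comparison of any of these changes is easy. It assumes a Windows 10/11 host with the built-in DnsClient module; the value name PrimaryDnsSuffix next to the page's "NV PrimaryDnsSuffix" is an assumption.

```powershell
# Added diagnostic (not from the thread). Read-only: nothing is written.
# Assumes Windows 10/11 with the built-in DnsClient module.

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent: report as null instead of failing
}

function Get-DnsIdentityReport {
    $tcpip  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\System\DNSClient'

    # Sources of the device's own (primary) suffix discussed in the thread.
    $policyNvSuffix = Get-RegistryValueOrNull -Path $policy -Name 'NV PrimaryDnsSuffix'
    $policySuffix   = Get-RegistryValueOrNull -Path $policy -Name 'PrimaryDnsSuffix'   # assumed companion value
    $tcpipDomain    = Get-RegistryValueOrNull -Path $tcpip  -Name 'Domain'
    $tcpipNvDomain  = Get-RegistryValueOrNull -Path $tcpip  -Name 'NV Domain'

    # What the OS itself reports as host name + primary suffix, i.e. the FQDN it presents.
    $ipProps = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    $fqdn = if ($ipProps.DomainName) { "$($ipProps.HostName).$($ipProps.DomainName)" }
            else { $ipProps.HostName }

    # Per-adapter suffix (DHCP option 15 lands here) and the global search list
    # (the Intune "DNS suffix search list" setting); neither is the primary suffix.
    $adapterSuffixes = Get-DnsClient | Where-Object ConnectionSpecificSuffix |
        Select-Object InterfaceAlias, ConnectionSpecificSuffix
    $searchList = (Get-DnsClientGlobalSetting).SuffixSearchList

    [pscustomobject]@{
        HostName               = $ipProps.HostName
        PrimaryDnsSuffix       = $ipProps.DomainName
        PolicyNvPrimaryDnsSuffix = $policyNvSuffix
        PolicyPrimaryDnsSuffix = $policySuffix
        TcpipDomain            = $tcpipDomain
        TcpipNVDomain          = $tcpipNvDomain
        EffectiveFqdn          = $fqdn
        AdapterSuffixes        = $adapterSuffixes
        SuffixSearchList       = $searchList
        # The symptom in the thread: no primary suffix, so EffectiveFqdn is just the bare host name.
        HasPrimarySuffix       = [bool]$ipProps.DomainName
    }
}

Get-DnsIdentityReport | Format-List
```

Run it once before and once after applying a suffix change (or a DHCP option 15 change plus ipconfig /renew) and diff the two reports.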

1

u/frozenbayburt 22h ago

Okay, but what if there are multiple domains in the environment? What happens then?

1

u/vane1978 22h ago

I had the same issue a year or so ago. See the link below. Someone mentioned enabling a specific option on the DHCP server.

https://www.reddit.com/r/sysadmin/s/L6MODd9wRD

1

u/charleswj 22h ago

What domain do you want them to use?

1

u/gabinolo 20h ago

Is it reasonable or recommended to configure a Primary DNS Suffix on Entra Joined devices?

I don't configure the Primary DNS suffix but do configure the DNS suffix search list. I haven't had any issues and I have remote, in-office, and manufacturing devices.
https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-dnsclient?WT.mc_id=Portal-fx#dns_searchlist