I'm facing a strange issue while migrating machines from Active Directory (AD) to Entra cloud join (not hybrid join). Here's the situation: The Entra-joined machines are meant to connect to our corporate network. The DHCP server assigns DNS settings that point to our local AD domain controllers. We're still in the process of migrating, so we haven't removed the domain controllers yet. These Entra machines don't need to access on-premises resources, but since they are on the same subnet and VLAN as the AD devices, they receive the same DNS configuration.
The problem arises when users connect to the corporate network; they receive repeated notifications asking for their credentials, which only stop when we change the DNS settings on their machines. This suggests that the machines are trying to detect a domain network and may be attempting a hybrid join. It's worth noting that these devices were completely wiped before joining Entra, so there shouldn't be any old domain profiles causing this issue. As a relatively new network admin here with enough experience in AD DNS management, I'm seeking insights from anyone who has encountered this before. I've handled endpoint migrations from AD to Entra several times, but I've never faced this particular problem before.
4 Answers
On a side note, I'm curious about how well Entra-only machines have handled mapped drives in an AD environment in the past. Have you found them reliable when trying to use AD account credentials?
It sounds like those machines are still trying to connect to some internal resource, like a file share or a mapped drive. It's probably a misconfiguration that's causing them to look for something they shouldn't be accessing.
Your initial diagnosis might not be on point. Something on those machines is attempting to access a domain-authenticated resource, like a printer or file share that requires AD authentication. The Entra and AD environments are separate in terms of security, so they shouldn't interact unless explicitly configured to do so. Also, note that DNS isn't a push service; it's only reactive to queries.
Check your DHCP settings. Is it configured to provide an internal domain name? If it is, that could make Windows think the network is different and untrusted. That could lead to those prompts for credentials.
Not necessarily. It's not just about that—sometimes systems can act up due to access attempts to unconnected resources.

Exactly, that's definitely what it sounds like! There might be settings or policies in play that need adjusting.
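To act on the two diagnoses above (something on the box reaching a domain-authenticated resource, and a DHCP-supplied AD DNS suffix letting it find the domain), here is an added triage script for an affected Entra-joined client. It is not from this thread; it assumes an English-locale Windows 10/11 machine with auditing of explicit-credential logons (Security event 4648) enabled, run elevated while the machine sits on the corporate VLAN.

```powershell
# Added diagnostic script, not part of the original thread. Run elevated on an
# affected Entra-joined client while it is on the corporate network.
# Assumption: English-locale event messages (the regexes below parse them).
$report = [ordered]@{}

# 1. Join state: an Entra-only device should show AzureAdJoined YES, DomainJoined NO.
$ds = dsregcmd /status
foreach ($field in 'AzureAdJoined', 'DomainJoined') {
    $m = $ds | Select-String "$field\s*:\s*(\S+)" | Select-Object -First 1
    $report[$field] = if ($m) { $m.Matches[0].Groups[1].Value } else { 'unknown' }
}

# 2. What DHCP handed out: DC addresses plus the AD suffix (DHCP option 15)
#    are what let a non-domain client resolve the domain at all.
$report.DnsServers  = (Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object ServerAddresses |
    Select-Object -ExpandProperty ServerAddresses -Unique) -join ', '
$report.DnsSuffixes = (Get-DnsClient | Where-Object ConnectionSpecificSuffix |
    Select-Object -ExpandProperty ConnectionSpecificSuffix -Unique) -join ', '

# 3. NLA result: DomainAuthenticated means the client found and trusted a DC.
$report.NetworkCategory = (Get-NetConnectionProfile |
    Select-Object -ExpandProperty NetworkCategory) -join ', '

# 4. Things that reach for domain resources: mapped drives, saved credentials,
#    and scheduled tasks running under a DOMAIN\user principal.
$report.MappedDrives = (Get-SmbMapping -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty RemotePath) -join ', '
$report.StoredCreds  = (cmdkey /list | Select-String 'Target:') -join '; '
$report.DomainTasks  = (Get-ScheduledTask | Where-Object {
        $_.Principal.UserId -match '\\' -and
        $_.Principal.UserId -notmatch '^(NT AUTHORITY|BUILTIN|AzureAD)\\' } |
    Select-Object -ExpandProperty TaskName) -join ', '

# 5. Security 4648 is logged when a user answers a credential prompt with
#    explicit credentials; it names the target server and the process asking.
$report.ExplicitCredLogons = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4648; StartTime = (Get-Date).AddDays(-1) } `
        -MaxEvents 25 -ErrorAction SilentlyContinue | ForEach-Object {
    $srv  = [regex]::Match($_.Message, 'Target Server Name:\s*(\S+)').Groups[1].Value
    $proc = [regex]::Match($_.Message, 'Process Name:\s*(\S+)').Groups[1].Value
    '{0:u} {1} via {2}' -f $_.TimeCreated, $srv, $proc
}

[pscustomobject]$report | Format-List
```

If DnsSuffixes shows the AD domain and DomainTasks or MappedDrives is non-empty, you have both halves of the explanation: the suffix lets the client locate the domain, and the listed item is what keeps asking for credentials.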