Some Notes on the Machines

In one swell foop, sync your AD to other domain controllers and Azure. Paste this into administrative Powershell, on the domain controller which does your Azure sync:

repadmin /syncall /AdeP
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Initial

And here is the same command set, suitable for a batch file to be run as administrator:

repadmin /syncall /AdeP
@"%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command ^
"Import-Module ADSync; Start-ADSyncSyncCycle -PolicyType Initial"

And one more, also a batch file, transmitting only to Azure, without the LAN-LAN AD sync. Needed when the synchronizer is not run on a domain controller:

@"%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command ^
"Import-Module ADSync; Start-ADSyncSyncCycle -PolicyType Initial"

This is at the 365 level, not the Exchange level. To connect:

Connect-MgGraph -Scope User.Read.All 

(or User.ReadWrite.All)

To get user info:

Get-MgUser -UserID username@domain.com

To change immutable ID to “a”:

Update-MgUser -UserID username@domain.com -OnPremisesImmutableId "a"

One cannot change ImmutableID to $null, but it can be changed, so an AD/AZ ‘hard match’ is probably still possible. Have not verified yet.

The Exchange Online direct connection from Powershell, does remain, and is freshly updated.

A customer had several of these errors being reported in Azure AD Connect. They were all users which had been converted to cloud-only. Several solutions are on Microsoft and related sites, none worked except this on the domain controller which has AAC:

1. Open administrative Powershell
2. To stop synchronization: set-adsyncscheduler -synccycleenabled $false
3. In the AAC Synchronization Service Manager, click Connectors
4. Right-click on the AD connector, click delete, choose “Deleted connector space only”, click OK
5. Do the same for the Azure connector
6. To restart synchronization: set-adsyncscheduler -synccycleenabled $true
7. In services.msc, restart “Microsoft Azure AD Sync”
8. Reinitialize sync: Start-ADSyncSyncCycle -PolicyType Initial

Here is the command:

repadmin /syncall /AeD

This is a great article:

https://www.rebeladmin.com/2015/04/step-by-step-guide-for-upgrading-sysvol-replication-to-dfsr-distributed-file-system-replication/

Try this:

netdom query fsmo

Always nice for recoverability in case of.

GUI on Server 2012:

https://blogs.technet.microsoft.com/canitpro/2014/04/30/step-by-step-enabling-active-directory-recycle-bin-in-windows-server-2012-r2/

Powershell:

Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target domain.local

This command, run from one domain controller, replicates to all of the others set up for this:

repadmin /syncall /AdeP

This is excellent, GUI:

https://www.microsoft.com/en-us/download/details.aspx?id=30005

Here’s how to set it for all users in xyz.local:

Get-ADUser -Filter * -SearchBase "OU=Main,DC=xyz,DC=local" | Set-ADUser –scriptPath

and how to clear it for all users in xyz.local:

Get-ADUser -Filter * -SearchBase "OU=Main,DC=xyz,DC=local" | Set-ADUser -Clear scriptPath