Category: Active Directory

Connect to Microsoft 365 (starting 2023; Microsoft Graph)
article #1535, updated 80 days ago

This is at the 365 level, not the Exchange level. To connect: 

Connect-MgGraph -Scope User.Read.All

(or User.ReadWrite.All)

To get user info: 

Get-MgUser -UserID username@domain.com

To change immutable ID to “a”: 

Update-MgUser -UserID username@domain.com -OnPremisesImmutableId "a"

One cannot change ImmutableID to $null, but it can be changed, so an AD/AZ ‘hard match’ is probably still possible. Have not verified yet.

The Exchange Online direct connection from Powershell, does remain, and is freshly updated.

Categories:      

==============

DeletingCloudOnlyObjectNotAllowed in Azure/AD Synchronization (Connect)
article #1534, updated 124 days ago

A customer had several of these errors being reported in Azure AD Connect. They were all users which had been converted to cloud-only. Several solutions are on Microsoft and related sites, none worked except this on the domain controller which has AAC:

  1. Open administrative Powershell
  2. To stop synchronization: set-adsyncscheduler -synccycleenabled $false
  3. In the AAC Synchronization Service Manager, click Connectors
  4. Right-click on the AD connector, click delete, choose “Deleted connector space only”, click OK
  5. Do the same for the Azure connector
  6. To restart synchronization: set-adsyncscheduler -synccycleenabled $true
  7. In services.msc, restart “Microsoft Azure AD Sync”
  8. Reinitialize sync: Start-ADSyncSyncCycle -PolicyType Initial

Categories:      

==============

Initiate Windows domain controllers' replication
article #1524, updated 165 days ago

Here is the command:

repadmin /syncall /AeD

Categories:      

==============

Migrate a Windows Domain from NtFrs to DFSR
article #1437, updated 802 days ago

This is a great article:

https://www.rebeladmin.com/2015/04/step-by-step-guide-for-upgrading-sysvol-replication-to-dfsr-distributed-file-system-replication/

Categories:      

==============

Find which servers hold FSMO roles
article #1411, updated 955 days ago

Try this:

netdom query fsmo

Categories:      

==============

Enable Active Directory Recycle Bin
article #1069, updated 1124 days ago

Always nice for recoverability in case of.

GUI on Server 2012:

https://blogs.technet.microsoft.com/canitpro/2014/04/30/step-by-step-enabling-active-directory-recycle-bin-in-windows-server-2012-r2/

Powershell:

Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target domain.local

Categories:      

==============

Sync AD to DCs and Azure
article #1346, updated 1300 days ago

In one swell foop, sync your AD to other domain controllers and Azure. Paste this into administrative Powershell, on the domain controller which does your Azure sync:

repadmin /syncall /AdeP
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Initial

And here is the same command set, suitable for a batch file to be run as administrator:

repadmin /syncall /AdeP
@"%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command ^
"Import-Module ADSync; Start-ADSyncSyncCycle -PolicyType Initial"

Categories:      

==============

Replicate/Sync AD to other domain controllers
article #1335, updated 1417 days ago

This command, run from one domain controller, replicates to all of the others set up for this:

repadmin /syncall /AdeP

Categories:      

==============

The Active Directory Replication Status Tool
article #1296, updated 1587 days ago

This is excellent, GUI:

https://www.microsoft.com/en-us/download/details.aspx?id=30005

Categories:      

==============

Set and clear logon script path for all users in Windows domain
article #1250, updated 1784 days ago

Here’s how to set it for all users in xyz.local:

Get-ADUser -Filter * -SearchBase "OU=Main,DC=xyz,DC=local" | Set-ADUser –scriptPath

and how to clear it for all users in xyz.local:

Get-ADUser -Filter * -SearchBase "OU=Main,DC=xyz,DC=local" | Set-ADUser -Clear scriptPath

Categories: