Some Notes on the Machines

In one swell foop, sync your AD to other domain controllers and Azure. Paste this into administrative Powershell, on the domain controller which does your Azure sync:

repadmin /syncall /AdeP
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Initial

And here is the same command set, suitable for a batch file to be run as administrator:

repadmin /syncall /AdeP
@"%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command ^
"Import-Module ADSync; Start-ADSyncSyncCycle -PolicyType Initial"

This command, run from one domain controller, replicates to all of the others set up for this:

repadmin /syncall /AdeP

This is excellent, GUI:

https://www.microsoft.com/en-us/download/details.aspx?id=30005

Here’s how to set it for all users in xyz.local:

Get-ADUser -Filter * -SearchBase "OU=Main,DC=xyz,DC=local" | Set-ADUser –scriptPath

and how to clear it for all users in xyz.local:

Get-ADUser -Filter * -SearchBase "OU=Main,DC=xyz,DC=local" | Set-ADUser -Clear scriptPath

Always nice for recoverability in case of.

GUI on Server 2012:

https://blogs.technet.microsoft.com/canitpro/2014/04/30/step-by-step-enabling-active-directory-recycle-bin-in-windows-server-2012-r2/

Other:

https://technet.microsoft.com/en-us/library/dd379481(v=ws.10).aspx

This works well:

import-module activedirectory
get-aduser -filter * | set-aduser -scriptpath filename_in_netlogon.vbs

Run the following within Active Directory Module for Windows PowerShell:

Get-ADobject -LDAPFilter "objectClass=organizationalUnit" -SearchBase "DC=domainname,DC=local" | Set-adobject -ProtectedFromAccidentalDeletion $true

Here’s a great set of steps for these:

http://blog.jocha.se/tech/azure-ad-sync-event-error-6126-and-6127

The short of it is:

1. Bring up the Syncronization Service Manager (“Synchronization Service” in Windows search),
2. Click on Connectors,
3. Click on “Active Directory Domain Services”,
4. Click Run in the right pane, choose Full Synchronization, click OK, and wait for completion to be reported (it’s fairly obvious),
5. Click Run in the right pane, choose Full Import, click OK, and wait for completion to be reported,
6. Click Windows Azure Active Directory,
7. and do the same two Runs as for the other line item.

Some articles:

https://msdn.microsoft.com/en-us/library/windows/desktop/ff384840(v=vs.85).aspx).aspx

https://blogs.technet.microsoft.com/filecab/2014/06/25/the-end-is-nigh-for-frs/

If one has one’s LAN Active Directory synchronized with EOL/Azure, one cannot add secondary email addresses in the EOL console. In this situation:

1. Open ADSIedit from the domain controller
2. Open up the OU containing the user
3. Open the Properties of the user
4. Open the Properties for the item “proxyAddresses”.
5. The primary (the “reply”) email address for the user needs to be specified thus, with caps in the prefix:
   SMTP:user@domain.xyz
6. Secondary email addresses for the user need to be specified thus, with lowercase prefix:
   smtp:alias@domain.xyz
7. Then run the sync or wait for the automatic run, and it’s done!

Also, as a bonus, after the above is done once, user objects in Active Directory Users and Computers get a new tab, “Attributes”, from which the above can be done for other users.