Showing posts with label Active Directory.

Friday, July 7, 2017

Adding Additional OUs to AAD Connect Sync Filter

Hello again internet. I had a quick post I wanted to write up on changing or adding new OUs to your AAD Connect sync filter.

First let's start off with a little background information. After you install AAD Connect, by default it runs what is called a 'Delta' sync every 30 minutes. This sync only syncs changes made to objects since the last sync.

The inverse of this is an 'Initial' sync, which runs a full sync against all objects regardless of whether they have been changed or not. This feature is useful for 2 reasons.

1. Running an Initial sync is like giving AAD Connect the old "turn it off and back on" treatment. Doing this can actually alleviate certain sync errors. I don't actually believe this is an intended use or feature of the Initial sync, but what works in the field isn't always what works on paper.

2. Running an Initial sync will pick up any changes to your object filtering, such as adding or changing what OUs you are syncing. A regular Delta will not do this. 

------------------------------------------------------------------------------

Now that we have that out of the way, let's get into how to actually change what OUs you are syncing. The easiest and best way to do this is through the 'Synchronization Service' GUI. If you ever messed with AAD Connect's predecessor, DirSync, then this will look familiar.



Once you are greeted with the console above, you want to go to the Connector button across the top ribbon. When you arrive at this page, right click the connector with your local domain name and choose Properties.




Once inside the properties, you want to drop down to Configure Directory Partitions and then choose the Containers button.





You will then be greeted with a login prompt. Enter admin credentials with the proper permissions, which could vary depending on whether you used express or custom setup. Once inside you will see a GUI with your AD layout. A simple check of the box, just like what you did during setup, can remove or add any OU.

Once you have done this, you will want to run an Initial sync. You can kick these off from the GUI, but it's messy. I recommend using PowerShell. You can use the command

Start-ADSyncSyncCycle -PolicyType Initial




Yes, that is the word "sync" in there twice. You can also use this command with the -PolicyType Delta switch for those times you want to manually kick off a regular sync.

Once you run this Initial sync all the objects in your new OUs should start syncing!
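As an added example (not from the original post), here is the same Initial sync kicked off from PowerShell with a couple of sanity checks around it: it refuses to start while a cycle is already running, and it polls the connectors until the run has finished. It assumes it is run on the AAD Connect server itself, where the ADSync module is installed.

```powershell
# Added example, not part of the original post. Assumes this runs on the
# AAD Connect server with the ADSync module available.
Import-Module ADSync

# Refuse to start while a cycle is already running; overlapping requests
# just error out, and the running cycle would not pick up the new OUs anyway.
$scheduler = Get-ADSyncScheduler
if ($scheduler.SyncCycleInProgress) {
    throw "A sync cycle is already in progress; wait for it to finish and retry."
}
if (-not $scheduler.SyncCycleEnabled) {
    Write-Warning "The scheduler is disabled: this manual cycle will run, but the 30 minute Delta syncs will not."
}

# Initial = full sync of every object (picks up OU filter changes).
# Delta   = only objects changed since the last sync.
$policy = 'Initial'
Start-ADSyncSyncCycle -PolicyType $policy

# Get-ADSyncConnectorRunStatus only returns connectors that are currently
# running, so an empty result means the cycle is done.
do {
    Start-Sleep -Seconds 15
    $running = Get-ADSyncConnectorRunStatus
    foreach ($r in $running) {
        Write-Host ("{0}: {1}" -f $r.ConnectorName, $r.RunState)
    }
} while ($running)

Write-Host "$policy sync cycle finished."
```

Set `$policy` to `'Delta'` for the ordinary manual sync mentioned above; the checks and the polling loop work the same way for both.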

If anyone stumbles upon this hope it helps you out some.

Friday, August 5, 2016

Sites and Microsoft Exchange Active Directory Topology Service

Ran into a weird issue today. The services on my lab's Exchange server stopped working. When you try to restart them, they error out with the following.





Now, checking the dependencies shows that most Microsoft Exchange services rely on the Microsoft Exchange Active Directory Topology service. "No problem," I think, so I go to start that service and then I get this error.





After searching for a while and not finding a solution that fixed my issue, I began to retrace my steps of what I did in my environment between when Exchange was working and when it went down. One of the things I was doing was deploying an empty test site on my DC.





Now I don't know why an empty test site that was not linked to anything broke my service, but it did. Once I deleted this test site and the test link, I was able to start the Microsoft Exchange Active Directory Topology Service.




Who knew ¯\_(ツ)_/¯.



Wednesday, May 25, 2016

Forest vs Domain Functional Level

This is another small issue that I spent more time on than I needed to.

Noticing a trend yet?

What might not be apparent to some is that the domain functional level and the forest functional level are changed in two separate yet similar locations. I ran into this when trying to install a 2012 R2 DC into a 2003 environment.

To change the domain functional level, you need to do it from AD Domains and Trusts under the domain named object.



To make a change to the actual forest functional level, you need to go up one level in the tree.


One small click for man, one giant difference for your environment... or something like that, I'm not an astronaut.