Synchronization problem after demotion old Domain Controller

Hello there.
We made some changes in our Active Directory. Replaced one of Domain Controller to new, with adding and demote.
Earlier, AD Connector was mapped to this old DC. Before demotion we replaced it to new ad host in config, and upload root certificate of domain.

But now sync works only from LDAP to AD. Any changes from AD doesn’t goes to UCS.
In /var/log/univention/connector.log with 3 level verbosity we see only messages like:
08.02.2022 23:18:00.381 LDAP (INFO ): Search AD with filter: (uSNCreated>=3844888)
08.02.2022 23:18:00.382 LDAP (INFO ): Search AD with filter: (uSNChanged>=3844888)
08.02.2022 23:18:05.419 LDAP (INFO ): Search AD with filter: (uSNCreated>=3844888)
And other rejected messages from ucs->ad

At connector-status.log :
try to sync 0 changes from AD

I cant see ucs machine account in active directory, and suppose it was configured to synchronization bidirectional mode.
5 hrs of trying was doomed. Can somebody help me?

Solved: