Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr

Author: ecfan

.openpublishing.redirection.json

@@ -3639,7 +3639,7 @@
     },
    {
       "source_path": "articles/key-vault/about-keys-secrets-and-certificates.md",
-      "redirect_url": "/azure/key-vault/index.yml",
+      "redirect_url": "/azure/key-vault",
       "redirect_document_id": false
     },
    {
@@ -7856,6 +7856,11 @@
       "redirect_url": "/azure/automation/source-control-integration",
       "redirect_document_id": false
     },
+    {
+      "source_path": "articles/automation/oms-solution-updatemgmt-sccmintegration.md",
+      "redirect_url": "/azure/automation/updatemgmt-mecmintegration",
+      "redirect_document_id": false
+    },
     {
       "source_path": "articles/automation/automation-change-tracking.md",
       "redirect_url": "/azure/automation/change-tracking",
@@ -50418,7 +50423,7 @@
     },
     {
       "source_path": "articles/hdinsight/spark/azure-synapse-analytics-job-definition.md",
-      "redirect_url": "../../synapse-analytics/spark/apache-spark-job-definitions.md",
+      "redirect_url": "/azure/synapse-analytics/spark/apache-spark-job-definitions",
       "redirect_document_id": true
     },
     {
@@ -51119,6 +51124,11 @@
       "source_path": "articles/azure-monitor/insights/key-vault-insights-overview.md",
       "redirect_url": "/azure/azure-monitor/overview",
       "redirect_document_id": false
+    },
+	{
+      "source_path": "articles/azure-monitor/app/metrics-explorer.md",
+      "redirect_url": "/azure/azure-monitor/platform/metrics-charts",
+      "redirect_document_id": false
     },
     {
       "source_path": "articles/security/fundamentals/database-best-practices.md",
@@ -51134,6 +51144,11 @@
       "source_path": "articles/healthcare-apis/configure-local-rbac.md",
       "redirect_url": "/azure/healthcare-apis/azure-api-for-fhir-additional-settings",
       "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/media-services/previous/media-services-configure-tricaster-live-encoder.md",
+      "redirect_url": "/azure/media-services",
+      "redirect_document_id": false
     }
   ]
 }

articles/active-directory-domain-services/administration-concepts.md

@@ -45,7 +45,7 @@ For more information on the differences in how password policies are applied dep
 
 To authenticate users on the managed domain, Azure AD DS needs password hashes in a format that's suitable for NT LAN Manager (NTLM) and Kerberos authentication. Azure AD doesn't generate or store password hashes in the format that's required for NTLM or Kerberos authentication until you enable Azure AD DS for your tenant. For security reasons, Azure AD also doesn't store any password credentials in clear-text form. Therefore, Azure AD can't automatically generate these NTLM or Kerberos password hashes based on users' existing credentials.
 
-For cloud-only user accounts, users must change their passwords before they can use Azure AD DS. This password change process causes the password hashes for Kerberos and NTLM authentication to be generated and stored in Azure AD.
+For cloud-only user accounts, users must change their passwords before they can use Azure AD DS. This password change process causes the password hashes for Kerberos and NTLM authentication to be generated and stored in Azure AD. The account isn't synchronized from Azure AD to Azure AD DS until the password is changed.
 
 For users synchronized from an on-premises AD DS environment using Azure AD Connect, [enable synchronization of password hashes][hybrid-phs].
 

articles/active-directory-domain-services/join-ubuntu-linux-vm.md

@@ -151,6 +151,12 @@ Successfully enrolled machine in realm
 
 If your VM can't successfully complete the domain-join process, make sure that the VM's network security group allows outbound Kerberos traffic on TCP + UDP port 464 to the virtual network subnet for your Azure AD DS managed domain.
 
+If you received the error *Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)*, open the file */etc/krb5.conf* and add the following code in `[libdefaults]` section and try again:
+
+```console
+rdns=false
+```
+
 ## Update the SSSD configuration
 
 One of the packages installed in a previous step was for System Security Services Daemon (SSSD). When a user tries to sign in to a VM using domain credentials, SSSD relays the request to an authentication provider. In this scenario, SSSD uses Azure AD DS to authenticate the request.

articles/active-directory-domain-services/manage-dns.md

@@ -1,6 +1,6 @@
 ---
 title: Manage DNS for Azure AD Domain Services | Microsoft Docs
-description: Learn how to install the DNS Server Tools to manage DNS for an Azure Active Directory Domain Services managed domain.
+description: Learn how to install the DNS Server Tools to manage DNS and create conditional forwarders for an Azure Active Directory Domain Services managed domain.
 author: iainfoulds
 manager: daveba
 
@@ -9,21 +9,19 @@ ms.service: active-directory
 ms.subservice: domain-services
 ms.workload: identity
 ms.topic: how-to
-ms.date: 10/31/2019
+ms.date: 04/16/2020
 ms.author: iainfou
 
 ---
-# Administer DNS in an Azure AD Domain Services managed domain
+# Administer DNS and create conditional forwarders in an Azure AD Domain Services managed domain
 
 In Azure Active Directory Domain Services (Azure AD DS), a key component is DNS (Domain Name Resolution). Azure AD DS includes a DNS server that provides name resolution for the managed domain. This DNS server includes built-in DNS records and updates for the key components that allow the service to run.
 
 As you run your own applications and services, you may need to create DNS records for machines that aren't joined to the domain, configure virtual IP addresses for load balancers, or set up external DNS forwarders. Users who belong to the *AAD DC Administrators* group are granted DNS administration privileges on the Azure AD DS managed domain and can create and edit custom DNS records.
 
-In a hybrid environment, DNS zones and records configured in an on-premises AD DS environment aren't synchronized to Azure AD DS. To define and use your own DNS entries, create records in the Azure AD DS DNS server or use conditional forwarders that point to existing DNS servers in your environment.
+In a hybrid environment, DNS zones and records configured in other DNS namespaces, such as an on-premises AD DS environment, aren't synchronized to Azure AD DS. To resolve named resources in other DNS namespaces, create and use conditional forwarders that point to existing DNS servers in your environment.
 
-This article shows you how to install the DNS Server tools then use the DNS console to manage records in Azure AD DS.
-
-[!INCLUDE [active-directory-ds-prerequisites.md](../../includes/active-directory-ds-prerequisites.md)]
+This article shows you how to install the DNS Server tools then use the DNS console to manage records and create conditional forwarders in Azure AD DS.
 
 ## Before you begin
 
@@ -35,6 +33,8 @@ To complete this article, you need the following resources and privileges:
     * If needed, [create an Azure Active Directory tenant][create-azure-ad-tenant] or [associate an Azure subscription with your account][associate-azure-ad-tenant].
 * An Azure Active Directory Domain Services managed domain enabled and configured in your Azure AD tenant.
     * If needed, complete the tutorial to [create and configure an Azure Active Directory Domain Services instance][create-azure-ad-ds-instance].
+* Connectivity from your Azure AD DS virtual network to where your other DNS namespaces are hosted.
+    * This connectivity can be provided with an [Azure ExpressRoute][expressroute] or [Azure VPN Gateway][vpn-gateway] connection.
 * A Windows Server management VM that is joined to the Azure AD DS managed domain.
     * If needed, complete the tutorial to [create a Windows Server VM and join it to a managed domain][create-join-windows-vm].
 * A user account that's a member of the *Azure AD DC administrators* group in your Azure AD tenant.
@@ -52,7 +52,7 @@ To create and modify DNS records in Azure AD DS, you need to install the DNS Ser
 1. On the **Server Roles** page, click **Next**.
 1. On the **Features** page, expand the **Remote Server Administration Tools** node, then expand the **Role Administration Tools** node. Select **DNS Server Tools** feature from the list of role administration tools.
 
-    ![Choose to install the DNS Server Tools from the list of available role administration tools](./media/active-directory-domain-services-admin-guide/install-rsat-server-manager-add-roles-dns-tools.png)
+    ![Choose to install the DNS Server Tools from the list of available role administration tools](./media/manage-dns/install-dns-tools.png)
 
 1. On the **Confirmation** page, select **Install**. It may take a minute or two to install the Group Policy Management tools.
 1. When feature installation is complete, select **Close** to exit the **Add Roles and Features** wizard.
@@ -67,15 +67,40 @@ With the DNS Server tools installed, you can administer DNS records on the Azure
 1. From the Start screen, select **Administrative Tools**. A list of available management tools is shown, including **DNS** installed in the previous section. Select **DNS** to launch the DNS Management console.
 1. In the **Connect to DNS Server** dialog, select **The following computer**, then enter the DNS domain name of the managed domain, such as *aaddscontoso.com*:
 
-    ![Connect to the Azure AD DS managed domain in the DNS console](./media/active-directory-domain-services-admin-guide/dns-console-connect-to-domain.png)
+    ![Connect to the Azure AD DS managed domain in the DNS console](./media/manage-dns/connect-dns-server.png)
 
 1. The DNS Console connects to the specified Azure AD DS managed domain. Expand the **Forward Lookup Zones** or **Reverse Lookup Zones** to create your required DNS entries or edit existing records as needed.
 
-    ![DNS Console - administer domain](./media/active-directory-domain-services-admin-guide/dns-console-managed-domain.png)
+    ![DNS Console - administer domain](./media/manage-dns/dns-manager.png)
 
 > [!WARNING]
 > When you manage records using the DNS Server tools, make sure that you don't delete or modify the built-in DNS records that are used by Azure AD DS. Built-in DNS records include domain DNS records, name server records, and other records used for DC location. If you modify these records, domain services are disrupted on the virtual network.
 
+## Create conditional forwarders
+
+An Azure AD DS DNS zone should only contain the zone and records for the managed domain itself. Don't create additional zones in Azure AD DS to resolve named resources in other DNS namespaces. Instead, use conditional forwarders in the Azure AD DS managed domain to tell the DNS server where to go in order to resolve addresses for those resources.
+
+A conditional forwarder is a configuration option in a DNS server that lets you define a DNS domain, such as *contoso.com*, to forward queries to. Instead of the local DNS server trying to resolve queries for records in that domain, DNS queries are forwarded to the configured DNS for that domain. This configuration makes sure that the correct DNS records are returned, as you don't create a local a DNS zone with duplicate records in the Azure AD DS managed domain to reflect those resources.
+
+To create a conditional forwarder in your Azure AD DS managed domain, complete the following steps:
+
+1. Select your Azure AD DS DNS zone, such as *aaddscontoso.com*.vb
+1. Select **Conditional Forwarders**, then right-select and choose **New Conditional Forwarder...**
+1. Enter your other **DNS Domain**, such as *contoso.com*, then enter the IP addresses of the DNS servers for that namespace, as shown in the following example:
+
+    ![Add and configure a conditional forwarder for the DNS server](./media/manage-dns/create-conditional-forwarder.png)
+
+1. Check the box for **Store this conditional forwarder in Active Directory, and replicate it as follows**, then select the option for *All DNS servers in this domain*, as shown in the following example:
+
+    ![DNS Console - administer domain](./media/manage-dns/store-in-domain.png)
+
+    > [!IMPORTANT]
+    > If the conditional forwarder is stored in the *forest* instead of the *domain*, the conditional forwarder fails.
+
+1. To create the conditional forwarder, select **OK**.
+
+Name resolution of the resources in other namespaces from VMs connected to the Azure AD DS managed domain should now resolve correctly. Queries for the DNS domain configured in the conditional forwarder are passed to the relevant DNS servers.
+
 ## Next steps
 
 For more information about managing DNS, see the [DNS tools article on Technet](https://technet.microsoft.com/library/cc753579.aspx).
@@ -84,6 +109,8 @@ For more information about managing DNS, see the [DNS tools article on Technet](
 [create-azure-ad-tenant]: ../active-directory/fundamentals/sign-up-organization.md
 [associate-azure-ad-tenant]: ../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md
 [create-azure-ad-ds-instance]: tutorial-create-instance.md
+[expressroute]: ../expressroute/expressroute-introduction.md
+[vpn-gateway]: ../vpn-gateway/vpn-gateway-about-vpngateways.md
 [create-join-windows-vm]: join-windows-vm.md
 [tutorial-create-management-vm]: tutorial-create-management-vm.md
 [connect-windows-server-vm]: join-windows-vm.md#connect-to-the-windows-server-vm

articles/active-directory-domain-services/media/manage-dns/connect-dns-server.png

@@ -105,11 +105,12 @@ The following network security group rules are required for Azure AD DS to provi
 | 443         | TCP      | AzureActiveDirectoryDomainServices | Any         | Allow  | Yes      | Synchronization with your Azure AD tenant. |
 | 3389        | TCP      | CorpNetSaw                         | Any         | Allow  | Yes      | Management of your domain. |
 | 5986        | TCP      | AzureActiveDirectoryDomainServices | Any         | Allow  | Yes      | Management of your domain. |
-| 636         | TCP      | Any                                | Any         | Allow  | No       | Only enabled when you configure secure LDAP (LDAPS). |
 
 > [!WARNING]
 > Don't manually edit these network resources and configurations. When you associate a misconfigured network security group or a user defined route table with the subnet in which Azure AD DS is deployed, you may disrupt Microsoft's ability to service and manage the domain. Synchronization between your Azure AD tenant and your Azure AD DS managed domain is also disrupted.
 >
+> If you use secure LDAP, you can add the required TCP port 636 rule to allow external traffic if needed. Adding this rule doesn't place your network security group rules in an unsupported state. For more information, see [Lock down secure LDAP access over the internet](tutorial-configure-ldaps.md#lock-down-secure-ldap-access-over-the-internet)
+>
 > Default rules for *AllowVnetInBound*, *AllowAzureLoadBalancerInBound*, *DenyAllInBound*, *AllowVnetOutBound*, *AllowInternetOutBound*, and *DenyAllOutBound* also exist for the network security group. Don't edit or delete these default rules.
 >
 > The Azure SLA doesn't apply to deployments where an improperly configured network security group and/or user defined route tables have been applied that blocks Azure AD DS from updating and managing your domain.