
Commit 1f4d345

2 parents d174c57 + 416f09f commit 1f4d345

File tree

590 files changed

+7143
-4406
lines changed


.openpublishing.redirection.json

Lines changed: 17 additions & 2 deletions
@@ -3639,7 +3639,7 @@
36393639
},
36403640
{
36413641
"source_path": "articles/key-vault/about-keys-secrets-and-certificates.md",
3642-
"redirect_url": "/azure/key-vault/index.yml",
3642+
"redirect_url": "/azure/key-vault",
36433643
"redirect_document_id": false
36443644
},
36453645
{
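Review bot: the new `redirect_url` of `/azure/key-vault` is the right shape for this file, since every other entry here uses a site-relative URL rather than a repo file name; the old value `/azure/key-vault/index.yml` leaked a source file extension into a published URL. Worth a quick check that `/azure/key-vault` is itself a published page (the hub index) and not another redirect, so readers landing from the retired keys/secrets/certificates article don't chain through two hops.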
@@ -7856,6 +7856,11 @@
78567856
"redirect_url": "/azure/automation/source-control-integration",
78577857
"redirect_document_id": false
78587858
},
7859+
{
7860+
"source_path": "articles/automation/oms-solution-updatemgmt-sccmintegration.md",
7861+
"redirect_url": "/azure/automation/updatemgmt-mecmintegration",
7862+
"redirect_document_id": false
7863+
},
78597864
{
78607865
"source_path": "articles/automation/automation-change-tracking.md",
78617866
"redirect_url": "/azure/automation/change-tracking",
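Review bot: the redirect target `/azure/automation/updatemgmt-mecmintegration` does not appear anywhere else in this commit's visible diff, so confirm the renamed article (`updatemgmt-mecmintegration.md`) is added in the same commit; a redirect entry whose target lands after the source is removed produces a 404 for the old URL until the target publishes. Otherwise the new block is well-formed JSON and `redirect_document_id: false` matches the neighbouring entries for renamed pages.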
@@ -50418,7 +50423,7 @@
5041850423
},
5041950424
{
5042050425
"source_path": "articles/hdinsight/spark/azure-synapse-analytics-job-definition.md",
50421-
"redirect_url": "../../synapse-analytics/spark/apache-spark-job-definitions.md",
50426+
"redirect_url": "/azure/synapse-analytics/spark/apache-spark-job-definitions",
5042250427
"redirect_document_id": true
5042350428
},
5042450429
{
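Review bot: this is a real bug fix, not cosmetic: the old value `../../synapse-analytics/spark/apache-spark-job-definitions.md` is a repo-relative file path, which the redirection engine does not resolve, so the redirect was silently broken. The replacement `/azure/synapse-analytics/spark/apache-spark-job-definitions` follows the file's convention. Because this entry keeps `"redirect_document_id": true`, the Synapse target must exist as a single published document for the document-id mapping to succeed; worth verifying against the other `true` entries in the file.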
@@ -51119,6 +51124,11 @@
5111951124
"source_path": "articles/azure-monitor/insights/key-vault-insights-overview.md",
5112051125
"redirect_url": "/azure/azure-monitor/overview",
5112151126
"redirect_document_id": false
51127+
},
51128+
{
51129+
"source_path": "articles/azure-monitor/app/metrics-explorer.md",
51130+
"redirect_url": "/azure/azure-monitor/platform/metrics-charts",
51131+
"redirect_document_id": false
5112251132
},
5112351133
{
5112451134
"source_path": "articles/security/fundamentals/database-best-practices.md",
@@ -51134,6 +51144,11 @@
5113451144
"source_path": "articles/healthcare-apis/configure-local-rbac.md",
5113551145
"redirect_url": "/azure/healthcare-apis/azure-api-for-fhir-additional-settings",
5113651146
"redirect_document_id": false
51147+
},
51148+
{
51149+
"source_path": "articles/media-services/previous/media-services-configure-tricaster-live-encoder.md",
51150+
"redirect_url": "/azure/media-services",
51151+
"redirect_document_id": false
5113751152
}
5113851153
]
5113951154
}
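Review bot: redirecting `media-services-configure-tricaster-live-encoder.md` to the bare `/azure/media-services` hub drops the reader onto a landing page with no trace of the encoder topic; if a successor page or a deprecation notice exists, redirecting there would serve the reader better. `redirect_document_id: false` is correct for a redirect to a hub. The closing `}` and `]` context lines confirm the new object is inserted before the array terminator, so the JSON stays valid.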

articles/active-directory-domain-services/administration-concepts.md

Lines changed: 1 addition & 1 deletion
@@ -45,7 +45,7 @@ For more information on the differences in how password policies are applied dep
4545

4646
To authenticate users on the managed domain, Azure AD DS needs password hashes in a format that's suitable for NT LAN Manager (NTLM) and Kerberos authentication. Azure AD doesn't generate or store password hashes in the format that's required for NTLM or Kerberos authentication until you enable Azure AD DS for your tenant. For security reasons, Azure AD also doesn't store any password credentials in clear-text form. Therefore, Azure AD can't automatically generate these NTLM or Kerberos password hashes based on users' existing credentials.
4747

48-
For cloud-only user accounts, users must change their passwords before they can use Azure AD DS. This password change process causes the password hashes for Kerberos and NTLM authentication to be generated and stored in Azure AD.
48+
For cloud-only user accounts, users must change their passwords before they can use Azure AD DS. This password change process causes the password hashes for Kerberos and NTLM authentication to be generated and stored in Azure AD. The account isn't synchronized from Azure AD to Azure AD DS until the password is changed.
4949

5050
For users synchronized from an on-premises AD DS environment using Azure AD Connect, [enable synchronization of password hashes][hybrid-phs].
5151

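Review bot: the added sentence "The account isn't synchronized from Azure AD to Azure AD DS until the password is changed." restates the condition already given in the first sentence of the same paragraph ("users must change their passwords before they can use Azure AD DS"); consider folding the two into one sentence so the paragraph states the consequence once, e.g. that until the password is changed the account neither has NTLM/Kerberos hashes nor appears in the managed domain. The extra detail itself is valuable for anyone troubleshooting why a cloud-only user is missing from Azure AD DS.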
articles/active-directory-domain-services/join-ubuntu-linux-vm.md

Lines changed: 6 additions & 0 deletions
@@ -151,6 +151,12 @@ Successfully enrolled machine in realm
151151

152152
If your VM can't successfully complete the domain-join process, make sure that the VM's network security group allows outbound Kerberos traffic on TCP + UDP port 464 to the virtual network subnet for your Azure AD DS managed domain.
153153

154+
If you received the error *Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)*, open the file */etc/krb5.conf* and add the following code in `[libdefaults]` section and try again:
155+
156+
```console
157+
rdns=false
158+
```
159+
154160
## Update the SSSD configuration
155161

156162
One of the packages installed in a previous step was for System Security Services Daemon (SSSD). When a user tries to sign in to a VM using domain credentials, SSSD relays the request to an authentication provider. In this scenario, SSSD uses Azure AD DS to authenticate the request.
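Review bot: the new troubleshooting paragraph tells the reader to set `rdns=false` without saying what it does, and the fence is tagged `console` although the content is a `krb5.conf` setting rather than a terminal session; tag it `ini` (or leave it untagged) and add one sentence of explanation. With `rdns` enabled, the Kerberos client canonicalizes the server's hostname through a reverse (PTR) lookup before requesting the service ticket; if the PTR record is missing or returns a different name, the client asks the KDC for a service principal that does not exist, which is exactly the "Server not found in Kerberos database" error quoted here. Setting `rdns=false` makes the client use the hostname it was given, which is also the safer default because it stops a spoofed reverse-DNS answer from steering the client to a different principal. Minor grammar in the lead sentence: "add the following code in `[libdefaults]` section" should read "add the following setting to the `[libdefaults]` section".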

articles/active-directory-domain-services/manage-dns.md

Lines changed: 37 additions & 10 deletions
@@ -1,6 +1,6 @@
11
---
22
title: Manage DNS for Azure AD Domain Services | Microsoft Docs
3-
description: Learn how to install the DNS Server Tools to manage DNS for an Azure Active Directory Domain Services managed domain.
3+
description: Learn how to install the DNS Server Tools to manage DNS and create conditional forwarders for an Azure Active Directory Domain Services managed domain.
44
author: iainfoulds
55
manager: daveba
66

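Review bot: the `description` now covers conditional forwarders but the `title` on the unchanged context line still reads "Manage DNS for Azure AD Domain Services | Microsoft Docs"; since the H1 is renamed later in this diff to include conditional forwarders, the front-matter title should be updated in the same way so search results and the page heading match.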
@@ -9,21 +9,19 @@ ms.service: active-directory
99
ms.subservice: domain-services
1010
ms.workload: identity
1111
ms.topic: how-to
12-
ms.date: 10/31/2019
12+
ms.date: 04/16/2020
1313
ms.author: iainfou
1414

1515
---
16-
# Administer DNS in an Azure AD Domain Services managed domain
16+
# Administer DNS and create conditional forwarders in an Azure AD Domain Services managed domain
1717

1818
In Azure Active Directory Domain Services (Azure AD DS), a key component is DNS (Domain Name Resolution). Azure AD DS includes a DNS server that provides name resolution for the managed domain. This DNS server includes built-in DNS records and updates for the key components that allow the service to run.
1919

2020
As you run your own applications and services, you may need to create DNS records for machines that aren't joined to the domain, configure virtual IP addresses for load balancers, or set up external DNS forwarders. Users who belong to the *AAD DC Administrators* group are granted DNS administration privileges on the Azure AD DS managed domain and can create and edit custom DNS records.
2121

22-
In a hybrid environment, DNS zones and records configured in an on-premises AD DS environment aren't synchronized to Azure AD DS. To define and use your own DNS entries, create records in the Azure AD DS DNS server or use conditional forwarders that point to existing DNS servers in your environment.
22+
In a hybrid environment, DNS zones and records configured in other DNS namespaces, such as an on-premises AD DS environment, aren't synchronized to Azure AD DS. To resolve named resources in other DNS namespaces, create and use conditional forwarders that point to existing DNS servers in your environment.
2323

24-
This article shows you how to install the DNS Server tools then use the DNS console to manage records in Azure AD DS.
25-
26-
[!INCLUDE [active-directory-ds-prerequisites.md](../../includes/active-directory-ds-prerequisites.md)]
24+
This article shows you how to install the DNS Server tools then use the DNS console to manage records and create conditional forwarders in Azure AD DS.
2725

2826
## Before you begin
2927

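Review bot: this hunk silently drops the shared include `[!INCLUDE [active-directory-ds-prerequisites.md](../../includes/active-directory-ds-prerequisites.md)]` without a replacement; confirm that everything the include rendered is now covered by the "Before you begin" list, otherwise readers lose prerequisite guidance with no visible change to the article. Two smaller points on lines visible here: the context line expands DNS as "Domain Name Resolution", which should be "Domain Name System"; and the rewritten paragraph on hybrid environments drops the earlier option of creating records directly in the Azure AD DS DNS server, which is still described later in the article, so the wording "create and use conditional forwarders" reads as if forwarders were the only supported approach.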
@@ -35,6 +33,8 @@ To complete this article, you need the following resources and privileges:
3533
* If needed, [create an Azure Active Directory tenant][create-azure-ad-tenant] or [associate an Azure subscription with your account][associate-azure-ad-tenant].
3634
* An Azure Active Directory Domain Services managed domain enabled and configured in your Azure AD tenant.
3735
* If needed, complete the tutorial to [create and configure an Azure Active Directory Domain Services instance][create-azure-ad-ds-instance].
36+
* Connectivity from your Azure AD DS virtual network to where your other DNS namespaces are hosted.
37+
* This connectivity can be provided with an [Azure ExpressRoute][expressroute] or [Azure VPN Gateway][vpn-gateway] connection.
3838
* A Windows Server management VM that is joined to the Azure AD DS managed domain.
3939
* If needed, complete the tutorial to [create a Windows Server VM and join it to a managed domain][create-join-windows-vm].
4040
* A user account that's a member of the *Azure AD DC administrators* group in your Azure AD tenant.
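Review bot: the new connectivity bullet covers the network path (ExpressRoute or VPN Gateway) but not the other half of what a conditional forwarder needs: the DNS servers in the other namespace must accept queries on TCP and UDP port 53 from the Azure AD DS subnet, which typically means a firewall or NSG change on the on-premises side. Adding a sub-bullet for that will save readers a round of troubleshooting when forwarding is configured correctly but the queries are dropped.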
@@ -52,7 +52,7 @@ To create and modify DNS records in Azure AD DS, you need to install the DNS Ser
5252
1. On the **Server Roles** page, click **Next**.
5353
1. On the **Features** page, expand the **Remote Server Administration Tools** node, then expand the **Role Administration Tools** node. Select **DNS Server Tools** feature from the list of role administration tools.
5454

55-
![Choose to install the DNS Server Tools from the list of available role administration tools](./media/active-directory-domain-services-admin-guide/install-rsat-server-manager-add-roles-dns-tools.png)
55+
![Choose to install the DNS Server Tools from the list of available role administration tools](./media/manage-dns/install-dns-tools.png)
5656

5757
1. On the **Confirmation** page, select **Install**. It may take a minute or two to install the Group Policy Management tools.
5858
1. When feature installation is complete, select **Close** to exit the **Add Roles and Features** wizard.
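Review bot: the image path moves from `./media/active-directory-domain-services-admin-guide/` to `./media/manage-dns/`; verify the old file is not referenced from other articles before it is deleted, and that the new file is included in the commit (the diff shows image loads but not their paths). On the unchanged context line 57, "It may take a minute or two to install the Group Policy Management tools" is a copy-paste leftover; this procedure installs the DNS Server Tools.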
@@ -67,15 +67,40 @@ With the DNS Server tools installed, you can administer DNS records on the Azure
6767
1. From the Start screen, select **Administrative Tools**. A list of available management tools is shown, including **DNS** installed in the previous section. Select **DNS** to launch the DNS Management console.
6868
1. In the **Connect to DNS Server** dialog, select **The following computer**, then enter the DNS domain name of the managed domain, such as *aaddscontoso.com*:
6969

70-
![Connect to the Azure AD DS managed domain in the DNS console](./media/active-directory-domain-services-admin-guide/dns-console-connect-to-domain.png)
70+
![Connect to the Azure AD DS managed domain in the DNS console](./media/manage-dns/connect-dns-server.png)
7171

7272
1. The DNS Console connects to the specified Azure AD DS managed domain. Expand the **Forward Lookup Zones** or **Reverse Lookup Zones** to create your required DNS entries or edit existing records as needed.
7373

74-
![DNS Console - administer domain](./media/active-directory-domain-services-admin-guide/dns-console-managed-domain.png)
74+
![DNS Console - administer domain](./media/manage-dns/dns-manager.png)
7575

7676
> [!WARNING]
7777
> When you manage records using the DNS Server tools, make sure that you don't delete or modify the built-in DNS records that are used by Azure AD DS. Built-in DNS records include domain DNS records, name server records, and other records used for DC location. If you modify these records, domain services are disrupted on the virtual network.
7878
79+
## Create conditional forwarders
80+
81+
An Azure AD DS DNS zone should only contain the zone and records for the managed domain itself. Don't create additional zones in Azure AD DS to resolve named resources in other DNS namespaces. Instead, use conditional forwarders in the Azure AD DS managed domain to tell the DNS server where to go in order to resolve addresses for those resources.
82+
83+
A conditional forwarder is a configuration option in a DNS server that lets you define a DNS domain, such as *contoso.com*, to forward queries to. Instead of the local DNS server trying to resolve queries for records in that domain, DNS queries are forwarded to the configured DNS for that domain. This configuration makes sure that the correct DNS records are returned, as you don't create a local a DNS zone with duplicate records in the Azure AD DS managed domain to reflect those resources.
84+
85+
To create a conditional forwarder in your Azure AD DS managed domain, complete the following steps:
86+
87+
1. Select your Azure AD DS DNS zone, such as *aaddscontoso.com*.vb
88+
1. Select **Conditional Forwarders**, then right-select and choose **New Conditional Forwarder...**
89+
1. Enter your other **DNS Domain**, such as *contoso.com*, then enter the IP addresses of the DNS servers for that namespace, as shown in the following example:
90+
91+
![Add and configure a conditional forwarder for the DNS server](./media/manage-dns/create-conditional-forwarder.png)
92+
93+
1. Check the box for **Store this conditional forwarder in Active Directory, and replicate it as follows**, then select the option for *All DNS servers in this domain*, as shown in the following example:
94+
95+
![DNS Console - administer domain](./media/manage-dns/store-in-domain.png)
96+
97+
> [!IMPORTANT]
98+
> If the conditional forwarder is stored in the *forest* instead of the *domain*, the conditional forwarder fails.
99+
100+
1. To create the conditional forwarder, select **OK**.
101+
102+
Name resolution of the resources in other namespaces from VMs connected to the Azure AD DS managed domain should now resolve correctly. Queries for the DNS domain configured in the conditional forwarder are passed to the relevant DNS servers.
103+
79104
## Next steps
80105

81106
For more information about managing DNS, see the [DNS tools article on Technet](https://technet.microsoft.com/library/cc753579.aspx).
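Review bot: step 1 of the new procedure has a stray `.vb` after `*aaddscontoso.com*`, and step 2's "right-select" should be "right-click" to match the rest of the Azure AD DS docs. Further fixes in the same section: "you don't create a local a DNS zone" has a doubled article; the second screenshot reuses the alt text "DNS Console - administer domain" from the earlier DNS Manager image and should describe the replication-scope dialog instead; and the closing sentence "Name resolution ... should now resolve correctly" says "resolve" twice. The `[!IMPORTANT]` note tells the reader that a forest-scoped forwarder "fails" but not why; one clause explaining that the managed domain does not expose forest-level replication to administrators would turn a bare warning into something the reader can reason about. Finally, the guidance that the Azure AD DS zone "should only contain the zone and records for the managed domain itself" is a good hardening point; it would be stronger if it also said that forwarders only ever target DNS servers you control, since an incorrectly scoped forwarder sends every query for that domain, including names of internal hosts, to whatever address is configured.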
@@ -84,6 +109,8 @@ For more information about managing DNS, see the [DNS tools article on Technet](
84109
[create-azure-ad-tenant]: ../active-directory/fundamentals/sign-up-organization.md
85110
[associate-azure-ad-tenant]: ../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md
86111
[create-azure-ad-ds-instance]: tutorial-create-instance.md
112+
[expressroute]: ../expressroute/expressroute-introduction.md
113+
[vpn-gateway]: ../vpn-gateway/vpn-gateway-about-vpngateways.md
87114
[create-join-windows-vm]: join-windows-vm.md
88115
[tutorial-create-management-vm]: tutorial-create-management-vm.md
89116
[connect-windows-server-vm]: join-windows-vm.md#connect-to-the-windows-server-vm

articles/active-directory-domain-services/network-considerations.md

Lines changed: 2 additions & 1 deletion
@@ -105,11 +105,12 @@ The following network security group rules are required for Azure AD DS to provi
105105
| 443 | TCP | AzureActiveDirectoryDomainServices | Any | Allow | Yes | Synchronization with your Azure AD tenant. |
106106
| 3389 | TCP | CorpNetSaw | Any | Allow | Yes | Management of your domain. |
107107
| 5986 | TCP | AzureActiveDirectoryDomainServices | Any | Allow | Yes | Management of your domain. |
108-
| 636 | TCP | Any | Any | Allow | No | Only enabled when you configure secure LDAP (LDAPS). |
109108

110109
> [!WARNING]
111110
> Don't manually edit these network resources and configurations. When you associate a misconfigured network security group or a user defined route table with the subnet in which Azure AD DS is deployed, you may disrupt Microsoft's ability to service and manage the domain. Synchronization between your Azure AD tenant and your Azure AD DS managed domain is also disrupted.
112111
>
112+
> If you use secure LDAP, you can add the required TCP port 636 rule to allow external traffic if needed. Adding this rule doesn't place your network security group rules in an unsupported state. For more information, see [Lock down secure LDAP access over the internet](tutorial-configure-ldaps.md#lock-down-secure-ldap-access-over-the-internet)
113+
>
113114
> Default rules for *AllowVnetInBound*, *AllowAzureLoadBalancerInBound*, *DenyAllInBound*, *AllowVnetOutBound*, *AllowInternetOutBound*, and *DenyAllOutBound* also exist for the network security group. Don't edit or delete these default rules.
114115
>
115116
> The Azure SLA doesn't apply to deployments where an improperly configured network security group and/or user defined route tables have been applied that blocks Azure AD DS from updating and managing your domain.
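Review bot: removing the `636 | TCP | Any | Any | Allow` row from the required-rules table is the right call, since an "Any" source on LDAPS was never something every deployment needed, but the replacement note should not simply say "add the required TCP port 636 rule to allow external traffic"; it should tell the reader to scope the source address to the specific IP ranges that need LDAPS, which is exactly what the linked "Lock down secure LDAP access over the internet" section covers. As written, a reader who recreates the deleted row verbatim re-exposes LDAPS to the whole internet while staying, per the note, in a "supported" state. The added sentence also lacks a terminating period after the link.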
