Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into lboutboundrulesposh

Author: asudbring

articles/active-directory-domain-services/TOC.yml

@@ -95,22 +95,22 @@
       items:
         - name: Common errors
           href: troubleshoot.md
-        - name: Common alerts
+        - name: Mismatched tenant errors
+          href: mismatched-tenant-error.md
+        - name: Suspended domains
+          href: suspension.md
+        - name: Secure LDAP
+          href: tshoot-ldaps.md
+        - name: Known issues
           items:
             - name: Common alerts
               href: troubleshoot-alerts.md
-            - name: Fix a broken network configuration
+            - name: Network alerts
               href: alert-nsg.md
-            - name: Restore missing service principals
+            - name: Service principal alerts
               href: alert-service-principal.md
             - name: Secure LDAP alerts
               href: alert-ldaps.md
-        - name: Mismatched tenant errors
-          href: mismatched-tenant-error.md
-        - name: Suspended domains
-          href: suspension.md
-        - name: Secure LDAP
-          href: tshoot-ldaps.md
 - name: Resources
   items:
     - name: FAQs

articles/active-directory-domain-services/alert-ldaps.md

@@ -1,64 +1,62 @@
 ---
-title: 'Azure Active Directory Domain Services: Troubleshoot secure LDAP | Microsoft Docs'
-description: Troubleshooting Secure LDAP for Azure AD Domain Services
+title: Resolve secure LDAP alerts in Azure AD Domain Services | Microsoft Docs
+description: Learn how to troubleshoot and resolve common alerts with secure LDAP for Azure Active Directory Domain Services.
 services: active-directory-ds
-documentationcenter: ''
 author: iainfoulds
-manager:
-editor:
+manager: daveba
 
 ms.assetid: 81208c0b-8d41-4f65-be15-42119b1b5957
 ms.service: active-directory
 ms.subservice: domain-services
 ms.workload: identity
-ms.tgt_pltfrm: na
-ms.devlang: na
-ms.topic: conceptual
-ms.date: 05/22/2019
+ms.topic: troubleshooting
+ms.date: 09/18/2019
 ms.author: iainfou
 
 ---
-# Azure AD Domain Services - Troubleshooting Secure LDAP configuration
+# Known issues: Secure LDAP alerts in Azure Active Directory Domain Services
 
-This article provides resolutions for common issues when [configuring secure LDAP](tutorial-configure-ldaps.md) for Azure AD Domain Services.
+Applications and services that use lightweight directory access protocol (LDAP) to communicate with Azure Active Directory Domain Services (Azure AD DS) can be [configured to use secure LDAP](tutorial-configure-ldaps.md). An appropriate certificate and required network ports must be open for secure LDAP to work correctly.
 
-## AADDS101: Secure LDAP Network Security Group configuration
+This article helps you understand and resolve common alerts with secure LDAP access in Azure AD DS.
 
-**Alert message:**
+## AADDS101: Secure LDAP network security group configuration
+
+### Alert message
 
 *Secure LDAP over the internet is enabled for the managed domain. However, access to port 636 is not locked down using a network security group. This may expose user accounts on the managed domain to password brute-force attacks.*
 
-### Secure LDAP port
+### Resolution
+
+When you enable secure LDAP, it's recommended to create additional rules that restrict inbound LDAPS access to specific IP addresses. These rules protect the Azure AD DS managed domain from brute force attacks. To update the network security group to restrict TCP port 636 access for secure LDAP, complete the following steps:
 
-When secure LDAP is enabled, we recommend creating additional rules to allow inbound LDAPS access only from certain IP addresses. These rules protect your domain from brute force attacks that could pose a security threat. Port 636 allows access to your managed domain. Here is how to update your NSG to allow access for Secure LDAP:
+1. In the Azure portal, search for and select **Network security groups**.
+1. Choose the network security group associated with your managed domain, such as *AADDS-contoso.com-NSG*, then select **Inbound security rules**
+1. **+ Add** a rule for TCP port 636. If needed, select **Advanced** in the window to create a rule.
+1. For the **Source**, choose *IP Addresses* from the drop-down menu. Enter the source IP addresses that you want to grant access for secure LDAP traffic.
+1. Choose *Any* as the **Destination**, then enter *636* for **Destination port ranges**.
+1. Set the **Protocol** as *TCP* and the **Action** to *Allow*.
+1. Specify the priority for the rule, then enter a name such as *RestrictLDAPS*.
+1. When ready, select **Add** to create the rule.
 
-1. Navigate to the [Network Security Groups tab](https://portal.azure.com/#blade/HubsExtension/Resources/resourceType/Microsoft.Network%2FNetworkSecurityGroups) in the Azure portal
-2. Choose the NSG associated with your domain from the table.
-3. Click on **Inbound security rules**
-4. Create the port 636 rule
-   1. Click **Add** on the top navigation bar.
-   2. Choose **IP Addresses** for the source.
-   3. Specify the Source port ranges for this rule.
-   4. Input "636" for Destination port ranges.
-   5. Protocol is **TCP**.
-   6. Give the rule an appropriate name, description, and priority. This rule's priority should be higher than your "Deny all" rule's priority, if you have one.
-   7. Click **OK**.
-5. Verify that your rule has been created.
-6. Check your domain's health in two hours to ensure that you have completed the steps correctly.
+The Azure AD DS managed domain's health automatically updates itself within two hours and removes the alert.
 
 > [!TIP]
-> Port 636 is not the only rule needed for Azure AD Domain Services to run smoothly. To learn more, visit the [Networking guidelines](network-considerations.md) or [Troubleshoot NSG configuration](alert-nsg.md) articles.
->
+> TCP port 636 isn't the only rule needed for Azure AD DS to run smoothly. To learn more, see the [Azure AD DS Network security groups and required ports](network-considerations.md#network-security-groups-and-required-ports).
 
 ## AADDS502: Secure LDAP certificate expiring
 
-**Alert message:**
+### Alert message
 
 *The secure LDAP certificate for the managed domain will expire on [date]].*
 
-**Resolution:**
+### Resolution
+
+Create a replacement secure LDAP certificate by following the steps to [create a certificate for secure LDAP](tutorial-configure-ldaps.md#create-a-certificate-for-secure-ldap). Apply the replacement certificate to Azure AD DS, and distribute the certificate to any clients that connect using secure LDAP.
+
+## Next steps
 
-Create a new secure LDAP certificate by following the steps outlined in the [Configure secure LDAP](tutorial-configure-ldaps.md) article.
+If you still have issues, [open an Azure support request][azure-support] for additional troubleshooting assistance.
 
-## Contact us
-Contact the Azure Active Directory Domain Services product team to [share feedback or for support](contact-us.md).
+<!-- INTERNAL LINKS -->
+[azure-support]: ../active-directory/fundamentals/active-directory-troubleshooting-support-howto.md

articles/active-directory-domain-services/alert-nsg.md

@@ -1,57 +1,86 @@
 ---
-title: 'Azure Active Directory Domain Services: Troubleshoot network security groups | Microsoft Docs'
-description: Troubleshooting network security group configuration for Azure AD Domain Services
+title: Resolve network security group alerts in Azure AD DS | Microsoft Docs
+description: Learn how to troubleshoot and resolve network security group configuration alerts for Azure Active Directory Domain Services
 services: active-directory-ds
-documentationcenter: ''
 author: iainfoulds
-manager:
-editor:
+manager: daveba
 
 ms.assetid: 95f970a7-5867-4108-a87e-471fa0910b8c
 ms.service: active-directory
 ms.subservice: domain-services
 ms.workload: identity
-ms.tgt_pltfrm: na
-ms.devlang: na
-ms.topic: article
-ms.date: 05/22/2019
+ms.topic: troubleshooting
+ms.date: 09/19/2019
 ms.author: iainfou
 
 ---
-# Troubleshoot invalid networking configuration for your managed domain
-This article helps you troubleshoot and resolve network-related configuration errors that result in the following alert message:
+# Known issues: Network configuration alerts in Azure Active Directory Domain Services
+
+To let applications and services correctly communicate with Azure Active Directory Domain Services (Azure AD DS), specific network ports must be open to allow traffic to flow. In Azure, you control the flow of traffic using network security groups. The health status of an Azure AD DS managed domain shows an alert if the required network security group rules aren't in place.
+
+This article helps you understand and resolve common alerts for network security group configuration issues.
 
 ## Alert AADDS104: Network error
-**Alert message:**
- *Microsoft is unable to reach the domain controllers for this managed domain. This may happen if a network security group (NSG) configured on your virtual network blocks access to the managed domain. Another possible reason is if there is a user-defined route that blocks incoming traffic from the internet.*
 
-Invalid NSG configurations are the most common cause of network errors for Azure AD Domain Services. The Network Security Group (NSG) configured for your virtual network must allow access to [specific ports](network-considerations.md#network-security-groups-and-required-ports). If these ports are blocked, Microsoft cannot monitor or update your managed domain. Additionally, synchronization between your Azure AD directory and your managed domain is impacted. While creating your NSG, keep these ports open to avoid interruption in service.
+### Alert message
+
+*Microsoft is unable to reach the domain controllers for this managed domain. This may happen if a network security group (NSG) configured on your virtual network blocks access to the managed domain. Another possible reason is if there is a user-defined route that blocks incoming traffic from the internet.*
+
+Invalid network security group rules are the most common cause of network errors for Azure AD DS. The network security group for the virtual network must allow access to specific ports and protocols. If these ports are blocked, the Azure platform can't monitor or update the managed domain. The synchronization between the Azure AD directory and Azure AD DS managed domain is also impacted. Make sure you keep the default ports open to avoid interruption in service.
 
-### Checking your NSG for compliance
+## Default security rules
 
-1. Navigate to the [Network security groups](https://portal.azure.com/#blade/HubsExtension/Resources/resourceType/Microsoft.Network%2FNetworkSecurityGroups) page in the Azure portal
-2. From the table, choose the NSG associated with the subnet in which your managed domain is enabled.
-3. Under **Settings** in the left-hand panel, click **Inbound security rules**
-4. Review the rules in place and identify which rules are blocking access to [these ports](network-considerations.md#network-security-groups-and-required-ports)
-5. Edit the NSG to ensure compliance by either deleting the rule, adding a rule, or creating a new NSG entirely. Steps to [add a rule](#add-a-rule-to-a-network-security-group-using-the-azure-portal) or create a new, compliant NSG are below
+The following default inbound and outbound security rules are applied to the network security group for an Azure AD DS managed domain. These rules keep Azure AD DS secure and allow the Azure platform to monitor, manage, and update the managed domain. You may also have an additional rule that allows inbound traffic if you [configure secure LDAP][configure-ldaps].
 
-## Sample NSG
-The following table depicts a sample NSG that would keep your managed domain secure while allowing Microsoft to monitor, manage, and update information.
+### Inbound security rules
 
-![sample NSG](./media/active-directory-domain-services-alerts/default-nsg.png)
+| Priority | Name | Port | Protocol | Source | Destination | Action |
+|----------|------|------|----------|--------|-------------|--------|
+| 101      | AllowSyncWithAzureAD | 443 | TCP | AzureActiveDirectoryDomainServices | Any | Allow |
+| 201      | AllowRD | 3389 | TCP | CorpNetSaw | Any | Allow |
+| 301      | AllowPSRemoting | 5986| TCP | AzureActiveDirectoryDomainServices | Any | Allow |
+| 65000    | AllVnetInBound | Any | Any | VirtualNetwork | VirtualNetwork | Allow |
+| 65001    | AllowAzureLoadBalancerInBound | Any | Any | AzureLoadBalancer | Any | Allow |
+| 65500    | DenyAllInBound | Any | Any | Any | Any | Deny |
+
+### Outbound security rules
+
+| Priority | Name | Port | Protocol | Source | Destination | Action |
+|----------|------|------|----------|--------|-------------|--------|
+| 65000    | AllVnetOutBound | Any | Any | VirtualNetwork | VirtualNetwork | Allow |
+| 65001    | AllowAzureLoadBalancerOutBound | Any | Any |  Any | Internet | Allow |
+| 65500    | DenyAllOutBound | Any | Any | Any | Any | Deny |
 
 >[!NOTE]
-> Azure AD Domain Services requires unrestricted outbound access from the virtual network. We recommend not to create any additional NSG rule that restricts outbound access for the virtual network.
+> Azure AD DS needs unrestricted outbound access from the virtual network. We don't recommend that you create any additional rules that restrict outbound access for the virtual network.
+
+## Verify and edit existing security rules
+
+To verify the existing security rules and make sure the default ports are open, complete the following steps:
+
+1. In the Azure portal, search for and select **Network security groups**.
+1. Choose the network security group associated with your managed domain, such as *AADDS-contoso.com-NSG*.
+1. On the **Overview** page, the existing inbound and outbound security rules are shown.
+
+    Review the inbound and outbound rules and compare to the list of required rules in the previous section. If needed, select and then delete any custom rules that block required traffic. If any of the required rules are missing, add a rule in the next section.
+
+    After you add or delete rules to allow the required traffic, the Azure AD DS managed domain's health automatically updates itself within two hours and removes the alert.
+
+### Add a security rule
+
+To add a missing security rule, complete the following steps:
+
+1. In the Azure portal, search for and select **Network security groups**.
+1. Choose the network security group associated with your managed domain, such as *AADDS-contoso.com-NSG*.
+1. Under **Settings** in the left-hand panel, click *Inbound security rules* or *Outbound security rules* depending on which rule you need to add.
+1. Select **Add**, then create the required rule based on the port, protocol, direction, etc. When ready, select **OK**.
 
-## Add a rule to a Network Security Group using the Azure portal
-If you do not want to use PowerShell, you can manually add single rules to NSGs using the Azure portal. To create rules in your Network security group, complete the following steps:
+It takes a few moments for the security rule to be added and show in the list.
 
-1. Navigate to the [Network security groups](https://portal.azure.com/#blade/HubsExtension/Resources/resourceType/Microsoft.Network%2FNetworkSecurityGroups) page in the Azure portal.
-2. From the table, choose the NSG associated with the subnet in which your managed domain is enabled.
-3. Under **Settings** in the left-hand panel, click either **Inbound security rules** or **Outbound security rules**.
-4. Create the rule by clicking **Add** and filling in the information. Click **OK**.
-5. Verify your rule has been created by locating it in the rules table.
+## Next steps
 
+If you still have issues, [open an Azure support request][azure-support] for additional troubleshooting assistance.
 
-## Need help?
-Contact the Azure Active Directory Domain Services product team to [share feedback or for support](contact-us.md).
+<!-- INTERNAL LINKS -->
+[azure-support]: ../active-directory/fundamentals/active-directory-troubleshooting-support-howto.md
+[configure-ldaps]: tutorial-configure-ldaps.md