Merge pull request #224612 from b-hchen/live-update-ANF-24416-SRE-AD-doc-updates

prmerger-automator[bot] · web-flow · commit 33e53d464fef · 2023-01-26T18:36:06.000Z
ANF JIRA 24416: SRE requested AD doc updates
diff --git a/articles/azure-netapp-files/configure-ldap-over-tls.md b/articles/azure-netapp-files/configure-ldap-over-tls.md
@@ -12,7 +12,7 @@ ms.service: azure-netapp-files
 ms.workload: storage
 ms.tgt_pltfrm: na
 ms.topic: how-to
-ms.date: 03/15/2022
+ms.date: 01/25/2023
 ms.author: anfdocs
 ---
 # Configure ADDS LDAP over TLS for Azure NetApp Files
@@ -21,7 +21,8 @@ You can use LDAP over TLS to secure communication between an Azure NetApp Files
 
 ## Considerations
 
-* LDAP over TLS must not be enabled if you are using Azure Active Directory Domain Services (AADDS). AADDS uses LDAPS (port 636) to secure LDAP traffic instead of LDAP over TLS (port 389).  
+* DNS PTR records must exist for each AD DS domain controller assigned to the **AD Site Name** specified in the Azure NetApp Files Active Directory connection.  
+* PTR records must exist for all domain controllers in the site for ADDS LDAP over TLS to function properly.
 
 ## Generate and export root CA certificate 
 
diff --git a/articles/azure-netapp-files/create-active-directory-connections.md b/articles/azure-netapp-files/create-active-directory-connections.md
@@ -12,7 +12,7 @@ ms.service: azure-netapp-files
 ms.workload: storage
 ms.tgt_pltfrm: na
 ms.topic: how-to
-ms.date: 11/28/2022
+ms.date: 01/25/2023
 ms.author: anfdocs
 ---
 # Create and manage Active Directory connections for Azure NetApp Files
@@ -137,6 +137,9 @@ Several features of Azure NetApp Files require that you have an Active Directory
         
         Azure NetApp Files supports LDAP Channel Binding if both LDAP Signing and LDAP over TLS settings options are enabled in the Active Directory Connection. For more information, see [ADV190023 | Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023).  
 
+        >[!NOTE]
+        >DNS PTR records for the AD DS machine account(s) must be created in the AD DS **Organizational Unit** specified in the Azure NetApp Files AD connection for LDAP Signing to work.
+
         ![Screenshot of the LDAP signing checkbox.](../media/azure-netapp-files/active-directory-ldap-signing.png) 
 
     * **Allow local NFS users with LDAP**
diff --git a/articles/azure-netapp-files/understand-guidelines-active-directory-domain-service-site.md b/articles/azure-netapp-files/understand-guidelines-active-directory-domain-service-site.md
@@ -12,7 +12,7 @@ ms.service: azure-netapp-files
 ms.workload: storage
 ms.tgt_pltfrm: na
 ms.topic: conceptual
-ms.date: 01/06/2022
+ms.date: 01/25/2023
 ms.author: anfdocs
 ---
 # Understand guidelines for Active Directory Domain Services site design and planning for Azure NetApp Files
@@ -55,7 +55,6 @@ The required network ports are as follows:
 | NetBIOS name | 138 | UDP |
 | SAM/LSA | 445 | TCP |
 | SAM/LSA | 445 | UDP |
-| w32time | 123 | UDP |
 
 *DNS running on AD DS domain controller
 
@@ -70,9 +69,9 @@ Ensure that you meet the following requirements about the DNS configurations:
     * Ensure that DNS servers have network connectivity to the Azure NetApp Files delegated subnet hosting the Azure NetApp Files volumes.
     * Ensure that network ports UDP 53 and TCP 53 are not blocked by firewalls or NSGs.
 * Ensure that [the SRV records registered by the AD DS Net Logon service](https://social.technet.microsoft.com/wiki/contents/articles/7608.srv-records-registered-by-net-logon.aspx) have been created on the DNS servers.
-* Ensure that the PTR records for the SRV records registered by the AD DS Net Logon service have been created on the DNS servers.
+* Ensure that the PTR records for the AD DS domain controllers used by Azure NetApp Files have been created on the DNS servers.
 * Azure NetApp Files supports standard and secure dynamic DNS updates. If you require secure dynamic DNS updates, ensure that secure updates are configured on the DNS servers.
-* If dynamic DNS updates are not used, you need to manually create A record and PTR records for Azure NetApp Files SMB volumes.
+* If dynamic DNS updates are not used, you need to manually create an A record and a PTR record for the AD DS machine account(s) created in the AD DS **Organizational Unit** (specified in the Azure NetApp Files AD connection) to support Azure NetApp FIles LDAP Signing, LDAP over TLS, SMB, dual-protocol, or Kerberos NFSv4.1 volumes.
 * For complex or large AD DS topologies, [DNS Policies or DNS subnet prioritization may be required to support LDAP enabled NFS volumes](#ad-ds-ldap-discover).  
 
 ### Time source requirements 
