MicrosoftDocs
diff --git a/‎articles/active-directory/authentication/how-to-mfa-number-match.md
Lines changed: 2 additions & 1 deletion b/‎articles/active-directory/authentication/how-to-mfa-number-match.md
Lines changed: 2 additions & 1 deletion
diff --git a/‎articles/active-directory/cloud-sync/how-to-install.md
Lines changed: 23 additions & 24 deletions b/‎articles/active-directory/cloud-sync/how-to-install.md
Lines changed: 23 additions & 24 deletions
diff --git a/‎articles/active-directory/cloud-sync/tutorial-existing-forest.md
Lines changed: 45 additions & 35 deletions b/‎articles/active-directory/cloud-sync/tutorial-existing-forest.md
Lines changed: 45 additions & 35 deletions
@@ -4,7 +4,7 @@ description: Learn how to use number matching in MFA notifications
 ms.service: active-directory
 ms.subservice: authentication
 ms.topic: conceptual
-ms.date: 01/06/2023
+ms.date: 01/13/2023
 ms.author: justinha
 author: mjsantani
 ms.collection: M365-identity-device-management
@@ -64,6 +64,7 @@ AD FS adapter will require number matching on supported versions of Windows Serv
 |---------|--------|
 | Windows Server 2022 | [November 9, 2021—KB5007205 (OS Build 20348.350)](https://support.microsoft.com/topic/november-9-2021-kb5007205-os-build-20348-350-af102e6f-cc7c-4cd4-8dc2-8b08d73d2b31) |
 | Windows Server 2019 | [November 9, 2021—KB5007206 (OS Build 17763.2300)](https://support.microsoft.com/topic/november-9-2021-kb5007206-os-build-17763-2300-c63b76fa-a9b4-4685-b17c-7d866bb50e48) |
+| Windows Server 2016 | [October 12, 2021—KB5006669 (OS Build 14393.4704)](https://support.microsoft.com/topic/october-12-2021-kb5006669-os-build-14393-4704-bcc95546-0768-49ae-bec9-240cc59df384) |
 
 ### NPS extension
 
 
@@ -17,67 +17,66 @@ ms.collection: M365-identity-device-management
 
 This article walks you through the installation process for the Azure Active Directory (Azure AD) Connect provisioning agent and how to initially configure it in the Azure portal.
 
->[!IMPORTANT]
->The following installation instructions assume that all the [prerequisites](how-to-prerequisites.md) were met.
+> [!IMPORTANT]
+> The following installation instructions assume that you've met all the [prerequisites](how-to-prerequisites.md).
 
 >[!NOTE]
->This article deals with installing the provisioning agent by using the wizard. For information on installing the Azure AD Connect provisioning agent by using a command-line interface (CLI), see [Install the Azure AD Connect provisioning agent by using a CLI and PowerShell](how-to-install-pshell.md).
+>This article deals with installing the provisioning agent by using the wizard. For information about installing the Azure AD Connect provisioning agent by using a CLI, see [Install the Azure AD Connect provisioning agent by using a CLI and PowerShell](how-to-install-pshell.md).
 
-For more information and an example, see the following video.
+For more information and an example, view the following video:
 
 > [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RWK5mR]
 
 ## Group Managed Service Accounts
-A Group Managed Service Account (gMSA) is a managed domain account that provides automatic password management, simplified service principal name (SPN) management, and the ability to delegate the management to other administrators. It also extends this functionality over multiple servers. Azure AD Connect cloud sync supports and recommends the use of a Group Managed Service Account for running the agent. For more information on a Group Managed Service Account, see [Group Managed Service Accounts](how-to-prerequisites.md#group-managed-service-accounts).
+A group Managed Service Account (gMSA) is a managed domain account that provides automatic password management, simplified service principal name (SPN) management, and the ability to delegate the management to other administrators. A gMSA also extends this functionality over multiple servers. Azure AD Connect cloud sync supports and recommends the use of a gMSA for running the agent. For more information, see [Group Managed Service Accounts](how-to-prerequisites.md#group-managed-service-accounts).
 
 
-### Upgrade an existing agent to use the gMSA
-To upgrade an existing agent to use the Group Managed Service Account created during installation, update the agent service to the latest version by running AADConnectProvisioningAgent.msi. Now run through the installation wizard again and provide the credentials to create the account when prompted.
+### Update an existing agent to use the gMSA
+To update an existing agent to use the Group Managed Service Account created during installation, upgrade the agent service to the latest version by running *AADConnectProvisioningAgent.msi*. Now run through the installation wizard again and provide the credentials to create the account when you're prompted to do so.
 
 ## Install the agent
 
 [!INCLUDE [active-directory-cloud-sync-how-to-install](../../../includes/active-directory-cloud-sync-how-to-install.md)]
 
-## Verify agent installation
+## Verify the agent installation
 
 [!INCLUDE [active-directory-cloud-sync-how-to-verify-installation](../../../includes/active-directory-cloud-sync-how-to-verify-installation.md)]
 
 >[!IMPORTANT]
->The agent has been installed, but it must be configured and enabled before it will start synchronizing users. To configure a new agent, see [Create a new configuration for Azure AD Connect cloud sync](how-to-configure.md).
+> After you've installed the agent, you must configure and enable it before it will start synchronizing users. To configure a new agent, see [Create a new configuration for Azure AD Connect cloud sync](how-to-configure.md).
 
 ## Enable password writeback in Azure AD Connect cloud sync 
 
-To use password writeback and enable the self-service password reset (SSPR) service to detect the cloud sync agent, you need to use the `Set-AADCloudSyncPasswordWritebackConfiguration` cmdlet and tenant’s global administrator credentials: 
+To use *password writeback* and enable the self-service password reset (SSPR) service to detect the cloud sync agent, use the `Set-AADCloudSyncPasswordWritebackConfiguration` cmdlet and the tenant’s global administrator credentials: 
 
   ```   
    Import-Module "C:\\Program Files\\Microsoft Azure AD Connect Provisioning Agent\\Microsoft.CloudSync.Powershell.dll" 
    Set-AADCloudSyncPasswordWritebackConfiguration -Enable $true -Credential $(Get-Credential)
   ```
 
-For more information on using password writeback with Azure AD Connect cloud sync, see [Tutorial: Enable cloud sync self-service password reset writeback to an on-premises environment (preview)](../../active-directory/authentication/tutorial-enable-cloud-sync-sspr-writeback.md).
+For more information about using password writeback with Azure AD Connect cloud sync, see [Tutorial: Enable cloud sync self-service password reset writeback to an on-premises environment (preview)](../../active-directory/authentication/tutorial-enable-cloud-sync-sspr-writeback.md).
 
-## Installing against US government cloud
+## Install an agent in the US government cloud
 
-By default, the Azure Active Directory (Azure AD) Connect provisioning agent installs against the default Azure cloud environment.  If you're installing the agent for use in the US government, follow these steps:
+By default, the Azure AD Connect provisioning agent is installed in the default Azure environment. If you're installing the agent for US government use, make this change in step 7 of the preceding installation procedure:
 
-- In step #7 above, instead of select **Open file**, go to start run and navigate to the **AADConnectProvisioningAgentSetup.exe** file.  In the run box, after the executable, enter **ENVIRONMENTNAME=AzureUSGovernment** and select **Ok**.
+- Instead of selecting **Open file**, select **Start** > **Run**, and then go to the *AADConnectProvisioningAgentSetup.exe* file.  In the **Run** box, after the executable, enter **ENVIRONMENTNAME=AzureUSGovernment**, and then select **OK**.
 
-    [![Screenshot showing US government cloud install.](media/how-to-install/new-install-12.png)](media/how-to-install/new-install-12.png#lightbox)
+    [![Screenshot that shows how to install an agent in the US government cloud.](media/how-to-install/new-install-12.png)](media/how-to-install/new-install-12.png#lightbox)
 
 ## Password hash synchronization and FIPS with cloud sync
 
-If your server has been locked down according to Federal Information Processing Standard (FIPS), then MD5 is disabled.
-
+If your server has been locked down according to the Federal Information Processing Standard (FIPS), MD5 (message-digest algorithm 5) is disabled.
 
-To enable MD5 for password hash synchronization, perform the following steps:
+To enable MD5 for password hash synchronization, do the following:
 
 1. Go to %programfiles%\Microsoft Azure AD Connect Provisioning Agent.
-2. Open AADConnectProvisioningAgent.exe.config.
-3. Go to the configuration/runtime node at the top of the file.
-4. Add the following node: `<enforceFIPSPolicy enabled="false"/>`
-5. Save your changes.
+1. Open *AADConnectProvisioningAgent.exe.config*.
+1. Go to the configuration/runtime node at the top of the file.
+1. Add the `<enforceFIPSPolicy enabled="false"/>` node.
+1. Save your changes.
 
-For reference, this snippet is what it should look like:
+For reference, your code should look like the following snippet:
 
 ```xml
 <configuration>
@@ -87,7 +86,7 @@ For reference, this snippet is what it should look like:
 </configuration>
 ```
 
-For information about security and FIPS, see [Azure AD password hash sync, encryption, and FIPS compliance](https://blogs.technet.microsoft.com/enterprisemobility/2014/06/28/aad-password-sync-encryption-and-fips-compliance/).
+For more information about security and FIPS, see [Azure AD password hash sync, encryption, and FIPS compliance](https://blogs.technet.microsoft.com/enterprisemobility/2014/06/28/aad-password-sync-encryption-and-fips-compliance/).
 
 
 ## Next steps 
 
@@ -1,5 +1,5 @@
 ---
-title: Tutorial - Integrate an existing forest and a new forest with a single Azure AD tenant using Azure AD Connect cloud sync.
+title: Tutorial - Integrate an existing forest and a new forest with a single Azure AD tenant by using Azure AD Connect cloud sync
 description: Learn how to add cloud sync to an existing hybrid identity environment.
 services: active-directory
 author: billmath
@@ -13,43 +13,53 @@ ms.author: billmath
 ms.collection: M365-identity-device-management
 ---
 
-# Integrate an existing forest and a new forest with a single Azure AD tenant
+# Tutorial: Integrate an existing forest and a new forest with a single Azure AD tenant
 
 This tutorial walks you through adding cloud sync to an existing hybrid identity environment. 
 
 ![Diagram that shows the Azure AD Connect cloud sync flow.](media/tutorial-existing-forest/existing-forest-new-forest-2.png)
 
 You can use the environment you create in this tutorial for testing or for getting more familiar with how a hybrid identity works. 
 
-In this scenario, there's an existing forest synced using Azure AD Connect sync to an Azure AD tenant. And you have a new forest that you want to sync to the same Azure AD tenant. You'll set up cloud sync for the new forest. 
+In this scenario, you sync an existing forest with an Azure AD tenant by using Azure Active Directory (Azure AD) Connect. You want to sync a new forest with the same Azure AD tenant. You'll set up cloud sync for the new forest. 
 
 ## Prerequisites
-### In the Azure Active Directory admin center
 
-1. Create a cloud-only global administrator account on your Azure AD tenant. This way, you can manage the configuration of your tenant should your on-premises services fail or become unavailable. Learn about [adding a cloud-only global administrator account](../fundamentals/add-users-azure-active-directory.md). Completing this step is critical to ensure that you don't get locked out of your tenant.
-2. Add one or more [custom domain names](../fundamentals/add-custom-domain.md) to your Azure AD tenant. Your users can sign in with one of these domain names.
+Before you begin, set up your environments.
+
+### In the Azure AD admin center
+
+1. Create a cloud-only global administrator account on your Azure AD tenant. 
+
+   This way, you can manage the configuration of your tenant if your on-premises services fail or become unavailable. [Learn how to add a cloud-only global administrator account](../fundamentals/add-users-azure-active-directory.md). Complete this step to ensure that you don't get locked out of your tenant.
+
+1. Add one or more [custom domain names](../fundamentals/add-custom-domain.md) to your Azure AD tenant. Your users can sign in with one of these domain names.
 
 ### In your on-premises environment
 
-1. Identify a domain-joined host server running Windows Server 2012 R2 or greater with minimum of 4-GB RAM and .NET 4.7.1+ runtime 
+1. Identify a domain-joined host server that's running Windows Server 2012 R2 or later, with at least 4 GB of RAM and .NET 4.7.1+ runtime. 
+
+1. If there's a firewall between your servers and Azure AD, configure the following items:
 
-2. If there's a firewall between your servers and Azure AD, configure the following items:
    - Ensure that agents can make *outbound* requests to Azure AD over the following ports:
 
      | Port number | How it's used |
      | --- | --- |
-     | **80** | Downloads the certificate revocation lists (CRLs) while validating the TLS/SSL certificate |
-     | **443** | Handles all outbound communication with the service |
-     | **8080** (optional) | Agents report their status every 10 minutes over port 8080, if port 443 is unavailable. This status is displayed on the Azure AD portal. |
+     | **80** | Downloads the certificate revocation lists (CRLs) while it validates the TLS/SSL certificate. |
+     | **443** | Handles all outbound communication with the service. |
+     | **8080** (optional) | Agents report their status every 10 minutes over port 8080, if port 443 is unavailable. This status is displayed in the Azure AD portal. |
      
      If your firewall enforces rules according to the originating users, open these ports for traffic from Windows services that run as a network service.
-   - If your firewall or proxy allows you to specify safe suffixes, then add  connections to **\*.msappproxy.net** and **\*.servicebus.windows.net**. If not, allow access to the [Azure datacenter IP ranges](https://www.microsoft.com/download/details.aspx?id=41653), which are updated weekly.
+
+   - If your firewall or proxy allows you to specify safe suffixes, add connections to **\*.msappproxy.net** and **\*.servicebus.windows.net**. If it doesn't, allow access to the [Azure datacenter IP ranges](https://www.microsoft.com/download/details.aspx?id=41653), which are updated weekly.
+
    - Your agents need access to **login.windows.net** and **login.microsoftonline.com** for initial registration. Open your firewall for those URLs as well.
-   - For certificate validation, unblock the following URLs: **mscrl.microsoft.com:80**, **crl.microsoft.com:80**, **ocsp.msocsp.com:80**, and **www\.microsoft.com:80**. Since these URLs are used for certificate validation with other Microsoft products, you may already have these URLs unblocked.
+
+   - For certificate validation, unblock the following URLs: **mscrl.microsoft.com:80**, **crl.microsoft.com:80**, **ocsp.msocsp.com:80**, and **www\.microsoft.com:80**. Because these URLs are used to validate certificates for other Microsoft products, you might already have these URLs unblocked.
 
 ## Install the Azure AD Connect provisioning agent
 
-If you're using the  [Basic AD and Azure environment](tutorial-basic-ad-azure.md) tutorial, it would be DC1. To install the agent, follow these steps: 
+If you're using the [Basic Active Directory and Azure environment](tutorial-basic-ad-azure.md) tutorial, the agent is DC1. To install the agent, do the following: 
 
 [!INCLUDE [active-directory-cloud-sync-how-to-install](../../../includes/active-directory-cloud-sync-how-to-install.md)]
 
@@ -59,43 +69,43 @@ If you're using the  [Basic AD and Azure environment](tutorial-basic-ad-azure.md
 [!INCLUDE [active-directory-cloud-sync-how-to-verify-installation](../../../includes/active-directory-cloud-sync-how-to-verify-installation.md)]
 
 ## Configure Azure AD Connect cloud sync
- Use the following steps to configure provisioning
+
+To configure the cloud sync setup, do the following:
 
 1.  Sign in to the Azure AD portal.
-2.  Select **Azure Active Directory**
-3.  Select **Azure AD Connect**
-4.  Select **Manage cloud sync**
+1.  Select **Azure Active Directory**.
+1.  Select **Azure AD Connect**.
+1.  Select **Manage cloud sync**.
 
-    ![Screenshot showing "Manage cloud sync" link.](media/how-to-configure/manage-1.png)
+    ![Screenshot that highlights the "Manage cloud sync" link.](media/how-to-configure/manage-1.png)
 
-5.  Select **New Configuration**
+1.  Select **New Configuration**.
 
-    ![Screenshot of Azure AD Connect cloud sync screen with "New configuration" link highlighted.](media/tutorial-single-forest/configure-1.png)
+    ![Screenshot of the Azure AD Connect cloud sync page, with the "New configuration" link highlighted.](media/tutorial-single-forest/configure-1.png)
 
-7.  On the configuration screen, enter a **Notification email**, move the selector to **Enable** and select **Save**.
+1.  On the **Configuration** page, enter a **Notification email**, move the selector to **Enable**, and then select **Save**.
 
-    ![Screenshot of Configure screen with Notification email filled in and Enable selected.](media/how-to-configure/configure-2.png)
+    ![Screenshot of the "Edit provisioning configuration" page.](media/how-to-configure/configure-2.png)
 
 1.  The configuration status should now be **Healthy**.
 
-    ![Screenshot of Azure AD Connect cloud sync screen showing Healthy status.](media/how-to-configure/manage-4.png)
-
-## Verify users are created and synchronization is occurring
+    ![Screenshot of Azure AD Connect cloud sync page, showing a "Healthy" status.](media/how-to-configure/manage-4.png)
 
-You'll now verify that the users that you had in our on-premises directory have been synchronized and now exist in our Azure AD tenant.  This process may take a few hours to complete.  To verify users are synchronized, do the following:
+## Verify that users are created and synchronization is occurring
 
+You'll now verify that the users in your on-premises Active Directory have been synchronized and exist in your Azure AD tenant. This process might take a few hours to complete. To verify that the users are synchronized, do the following:
 
-1. Browse to the [Azure portal](https://portal.azure.com) and sign in with an account that has an Azure subscription.
-2. On the left, select **Azure Active Directory**
-3. Under **Manage**, select **Users**.
-4. Verify that you see the new users in our tenant
+1. Sign in to the [Azure portal](https://portal.azure.com) with an account that has an Azure subscription.
+1. On the left pane, select **Azure Active Directory**.
+1. Under **Manage**, select **Users**.
+1. Verify that the new users are displayed in your tenant.
 
-## Test signing in with one of our users
+## Test signing in with one of your users
 
-1. Browse to [https://myapps.microsoft.com](https://myapps.microsoft.com)
-2. Sign in with a user account that was created in our new tenant.  You'll need to sign in using the following format: ([email protected]). Use the same password that the user uses to sign in on-premises.
+1. Go to the [Microsoft My Apps](https://myapps.microsoft.com) page.
+1. Sign in with a user account that was created in your new tenant.  You'll need to sign in by using the following format: *[email protected]*. Use the same password that the user uses to sign in on-premises.
 
-   ![Screenshot that shows the my apps portal with a signed in users.](media/tutorial-single-forest/verify-1.png)
+   ![Screenshot that shows the My Apps portal with signed-in users.](media/tutorial-single-forest/verify-1.png)
 
 You have now successfully set up a hybrid identity environment that you can use to test and familiarize yourself with what Azure has to offer.