Merge pull request #101340 from iainfoulds/azureadds-skus

[AzureADDS] Move to multiple product SKUs

Author: TedA-M

articles/active-directory-domain-services/TOC.yml

@@ -79,6 +79,8 @@
           href: delete-aadds.md
         - name: Migrate from a Classic deployment (preview)
           href: migrate-from-classic-vnet.md
+        - name: Change SKU
+          href: change-sku.md
     - name: Secure Azure AD DS
       items:
         - name: Secure your managed domain

articles/active-directory-domain-services/administration-concepts.md

@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.subservice: domain-services
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 10/08/2019
+ms.date: 01/31/2020
 ms.author: iainfou
 
 ---
@@ -31,7 +31,7 @@ User accounts can be created in Azure AD DS in multiple ways. Most user accounts
 * The user account can be synchronized in from Azure AD. This includes cloud-only user accounts created directly in Azure AD, and hybrid user accounts synchronized from an on-premises AD DS environment using Azure AD Connect.
     * The majority of user accounts in Azure AD DS are created through the synchronization process from Azure AD.
 * The user account can be manually created in an Azure AD DS managed domain, and doesn't exist in Azure AD.
-    * If you need to create service accounts for applications that only run in Azure AD DS, you can manually create them in the managed domain. As synchronization is one-way from Azure AD, user accounts created in Azure AD DS aren't synchronized back to Azure AD.
+    * If you need to create service accounts for applications that only run in Azure AD DS, you can manually create them in the managed domain. As synchronization is one way from Azure AD, user accounts created in Azure AD DS aren't synchronized back to Azure AD.
 
 ## Password policy
 
@@ -71,6 +71,36 @@ In an Azure AD DS *resource* forest, users authenticate over a one-way forest *t
 
 For more information about forest types in Azure AD DS, see [What are resource forests?][concepts-forest] and [How do forest trusts work in Azure AD DS?][concepts-trust]
 
+## Azure AD DS SKUs
+
+In Azure AD DS, the available performance and features are based on the SKU. You select a SKU when you create the managed domain, and you can switch SKUs as your business requirements change after the managed domain has been deployed. The following table outlines the available SKUs and the differences between them:
+
+| SKU name   | Maximum object count | Backup frequency | Maximum number of outbound forest trusts |
+|------------|----------------------|------------------|----|
+| Standard   | Unlimited            | Every 7 days     | 0  |
+| Enterprise | Unlimited            | Every 3 days     | 5  |
+| Premium    | Unlimited            | Daily            | 10 |
+
+Before these Azure AD DS SKUs, a billing model based on the number of objects (user and computer accounts) in the Azure AD DS managed domain was used. There is no longer variable pricing based on the number of objects in the managed domain.
+
+For more information, see the [Azure AD DS pricing page][pricing].
+
+### Managed domain performance
+
+Domain performance varies based on how authentication is implemented for an application. Additional compute resources may help improve query response time and reduce time spent in sync operations. As the SKU level increases, the compute resources available to the managed domain is increased. Monitor the performance of your applications and plan for the required resources.
+
+If your business or application demands change and you need additional compute power for your Azure AD DS managed domain, you can switch to a different SKU.
+
+### Backup frequency
+
+The backup frequency determines how often a snapshot of the managed domain is taken. Backups are an automated process managed by the Azure platform. In the event of an issue with your managed domain, Azure support can assist you in restoring from backup. As synchronization only occurs one way *from* Azure AD, any issues in an Azure AD DS managed domain won't impact Azure AD or on-premises AD DS environments and functionality.
+
+As the SKU level increases, the frequency of those backup snapshots increases. Review your business requirements and recovery point objective (RPO) to determine the required backup frequency for your managed domain. If your business or application requirements change and you need more frequent backups, you can switch to a different SKU.
+
+### Outbound forests
+
+The previous section detailed one-way outbound forest trusts from an Azure AD DS managed domain to an on-premises AD DS environment (currently in preview). The SKU determines the maximum number of forest trusts you can create for an Azure AD DS managed domain. Review your business and application requirements to determine how many trusts you actually need, and pick the appropriate Azure AD DS SKU. Again, if your business requirements change and you need to create additional forest trusts, you can switch to a different SKU.
+
 ## Next steps
 
 To get started, [create an Azure AD DS managed domain][create-instance].
@@ -84,3 +114,6 @@ To get started, [create an Azure AD DS managed domain][create-instance].
 [tutorial-create-instance-advanced]: tutorial-create-instance-advanced.md
 [concepts-forest]: concepts-resource-forest.md
 [concepts-trust]: concepts-forest-trust.md
+
+<!-- EXTERNAL LINKS -->
+[pricing]: https://azure.microsoft.com/pricing/details/active-directory-ds/

articles/active-directory-domain-services/change-sku.md

@@ -0,0 +1,72 @@
+---
+title: Change the SKU for an Azure AD Domain Services | Microsoft Docs
+description: Learn how to the SKU tier for an Azure AD Domain Services managed domain if your business requirements change
+services: active-directory-ds
+author: iainfoulds
+manager: daveba
+
+ms.service: active-directory
+ms.subservice: domain-services
+ms.workload: identity
+ms.topic: conceptual
+ms.date: 01/31/2020
+ms.author: iainfou
+
+#Customer intent: As an identity administrator, I want to change the SKU for my Azure AD Domain Services managed domain to use different features as my business requirements change.
+---
+
+# Change the SKU for an existing Azure AD Domain Services managed domain
+
+In Azure Active Directory Domain Services (Azure AD DS), the available performance and features are based on the SKU type. These feature differences include the backup frequency or maximum number of one-way outbound forest trusts (currently in preview). You select a SKU when you create the managed domain, and you can switch SKUs as your business needs change after the managed domain has been deployed. Changes in business requirements could include the need for more frequent backups or to create additional forest trusts. For more information on the limits and pricing of the different SKUs, see [Azure AD DS SKU concepts][concepts-sku] and [Azure AD DS pricing][pricing] pages.
+
+This article shows you how to change the SKU for an existing Azure AD DS managed domain using the Azure portal.
+
+## Before you begin
+
+To complete this article, you need the following resources and privileges:
+
+* An active Azure subscription.
+    * If you don’t have an Azure subscription, [create an account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
+* An Azure Active Directory tenant associated with your subscription, either synchronized with an on-premises directory or a cloud-only directory.
+    * If needed, [create an Azure Active Directory tenant][create-azure-ad-tenant] or [associate an Azure subscription with your account][associate-azure-ad-tenant].
+* An Azure Active Directory Domain Services managed domain enabled and configured in your Azure AD tenant.
+    * If needed, complete the tutorial to [create and configure an Azure Active Directory Domain Services instance][create-azure-ad-ds-instance].
+
+## SKU change limitations
+
+There are some limitations for the SKU change operation if you use a resource forest (currently in preview) and have created one-way outbound forest trusts from Azure AD DS to an on-premises AD DS environment. The *Premium* and *Enterprise* SKUs define a limit on the number of trusts you can create. You can't change to a SKU with a lower maximum limit than you currently have configured.
+
+For example, if you have created two forest trusts on the *Premium* SKU, you can't change down to the *Standard* SKU. The *Standard* SKU doesn't support forest trusts. Or, if you have created seven trusts on the *Premium* SKU, you can't change down to the *Enterprise* SKU. The *Enterprise* SKU supports a maximum of five trusts.
+
+For more information on these limits, see [Azure AD DS SKU features and limits][concepts-sku].
+
+## Select a new SKU
+
+To change the SKU for an Azure AD DS managed domain using the Azure portal, complete the following steps:
+
+1. At the top of the Azure portal, search for and select **Azure AD Domain Services**. Choose your managed domain from the list, such as *aadds.contoso.com*.
+1. In the menu on the left-hand side of the Azure AD DS page, select **Settings > SKU**.
+
+    ![Select the SKU menu option for your Azure AD DS managed domain in the Azure portal](media/change-sku/overview-change-sku.png)
+
+1. From the drop-down menu, select the SKU you wish for your Azure AD DS managed domain. If you have a resource forest, you can't select *Standard* SKU as forest trusts are only available on the *Enterprise* SKU or higher.
+
+    Choose the SKU you want from the drop-down menu, then select **Save**.
+
+    ![Choose the required SKU from the drop-down menu in the Azure portal](media/change-sku/change-sku-selection.png)
+
+It can take a minute or two to change the SKU type.
+
+## Next steps
+
+If you have a resource forest and want to create additional trusts after the SKU change, see [Create an outbound forest trust to an on-premises domain in Azure AD DS (preview)][create-trust].
+
+<!-- INTERNAL LINKS -->
+[create-azure-ad-tenant]: ../active-directory/fundamentals/sign-up-organization.md
+[associate-azure-ad-tenant]: ../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md
+[create-azure-ad-ds-instance]: tutorial-create-instance.md
+[concepts-sku]: administration-concepts.md#azure-ad-ds-skus
+[create-trust]: tutorial-create-forest-trust.md
+
+<!-- EXTERNAL LINKS -->
+[pricing]: https://azure.microsoft.com/pricing/details/active-directory-ds/

articles/active-directory-domain-services/media/change-sku/change-sku-selection.png

@@ -43,7 +43,7 @@ To complete this tutorial, you need the following resources and privileges:
     * If needed, [create and configure an Azure Active Directory Domain Services instance][create-azure-ad-ds-instance-advanced].
 
     > [!IMPORTANT]
-    > Make sure that you create an Azure AD DS managed domain using a *resource* forest. The default option creates a *user* forest. Only resource forests can create trusts to on-prem AD DS environments.
+    > Make sure that you create an Azure AD DS managed domain using a *resource* forest. The default option creates a *user* forest. Only resource forests can create trusts to on-prem AD DS environments. You also need to use a minimum of *Enterprise* SKU for your managed domain. If needed, [change the SKU for an Azure AD DS managed domain][howto-change-sku].
 
 ## Sign in to the Azure portal
 
@@ -218,3 +218,4 @@ For more conceptual information about forest types in Azure AD DS, see [What are
 [create-azure-ad-tenant]: ../active-directory/fundamentals/sign-up-organization.md
 [associate-azure-ad-tenant]: ../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md
 [create-azure-ad-ds-instance-advanced]: tutorial-create-instance-advanced.md
+[howto-change-sku]: change-sku.md

articles/active-directory-domain-services/media/change-sku/overview-change-sku.png

@@ -92,6 +92,9 @@ Complete the fields in the *Basics* window of the Azure portal to create an Azur
 
     There's nothing for you to configure for Azure AD DS to be distributed across zones. The Azure platform automatically handles the zone distribution of resources. For more information and to see region availability, see [What are Availability Zones in Azure?][availability-zones]
 
+1. The **SKU** determines the performance, backup frequency, and maximum number of forest trusts you can create. You can change the SKU after the managed domain has been created if your business demands or requirements change. For more information, see [Azure AD DS SKU concepts][concepts-sku].
+
+    For this tutorial, select the *Standard* SKU.
 1. A *forest* is a logical construct used by Active Directory Domain Services to group one or more domains. By default, an Azure AD DS managed domain is created as a *User* forest. This type of forest synchronizes all objects from Azure AD, including any user accounts created in an on-premises AD DS environment. A *Resource* forest only synchronizes users and groups created directly in Azure AD. Resource forests are currently in preview. For more information on *Resource* forests, including why you may use one and how to create forest trusts with on-premises AD DS domains, see [Azure AD DS resource forests overview][resource-forests].
 
     For this tutorial, choose to create a *User* forest.
@@ -246,5 +249,6 @@ To see this managed domain in action, create and join a virtual machine to the d
 [password-hash-sync-process]: ../active-directory/hybrid/how-to-connect-password-hash-synchronization.md#password-hash-sync-process-for-azure-ad-domain-services
 [resource-forests]: concepts-resource-forest.md
 [availability-zones]: ../availability-zones/az-overview.md
+[concepts-sku]: administration-concepts.md#azure-ad-ds-skus
 
 <!-- EXTERNAL LINKS -->

articles/active-directory-domain-services/media/tutorial-create-instance-advanced/basics-window.png

@@ -8,7 +8,7 @@ ms.service: active-directory
 ms.subservice: domain-services
 ms.workload: identity
 ms.topic: tutorial
-ms.date: 11/19/2019
+ms.date: 01/15/2020
 ms.author: iainfou
 
 #Customer intent: As an identity administrator, I want to create an Azure Active Directory Domain Services instance so that I can synchronize identity information with my Azure Active Directory tenant and provide Domain Services connectivity to virtual machines and applications in Azure.
@@ -91,6 +91,9 @@ Complete the fields in the *Basics* window of the Azure portal to create an Azur
 
     There's nothing for you to configure for Azure AD DS to be distributed across zones. The Azure platform automatically handles the zone distribution of resources. For more information and to see region availability, see [What are Availability Zones in Azure?][availability-zones]
 
+1. The **SKU** determines the performance, backup frequency, and maximum number of forest trusts you can create. You can change the SKU after the managed domain has been created if your business demands or requirements change. For more information, see [Azure AD DS SKU concepts][concepts-sku].
+
+    For this tutorial, select the *Standard* SKU.
 1. A *forest* is a logical construct used by Active Directory Domain Services to group one or more domains. By default, an Azure AD DS managed domain is created as a *User* forest. This type of forest synchronizes all objects from Azure AD, including any user accounts created in an on-premises AD DS environment. A *Resource* forest only synchronizes users and groups created directly in Azure AD. Resource forests are currently in preview. For more information on *Resource* forests, including why you may use one and how to create forest trusts with on-premises AD DS domains, see [Azure AD DS resource forests overview][resource-forests].
 
     For this tutorial, choose to create a *User* forest.
@@ -198,6 +201,7 @@ Before you domain-join VMs and deploy applications that use the Azure AD DS mana
 [skus]: overview.md
 [resource-forests]: concepts-resource-forest.md
 [availability-zones]: ../availability-zones/az-overview.md
+[concepts-sku]: administration-concepts.md#azure-ad-ds-skus
 
 <!-- EXTERNAL LINKS -->
 [naming-prefix]: /windows-server/identity/ad-ds/plan/selecting-the-forest-root-domain#selecting-a-prefix