Resolved conflict

Author: rolyon

.openpublishing.publish.config.json

@@ -377,6 +377,11 @@
       "url": "https://github.com/microsoft/immersive-reader-sdk",
       "branch": "master",
       "branch_mapping": {}
+    },
+    {
+      "path_to_root": "azure-cosmosdb-java-v2",
+      "url": "https://github.com/Azure/azure-cosmosdb-java",
+      "branch": "master"
     }
   ],
   "branch_target_mapping": {

.openpublishing.redirection.json

@@ -8,7 +8,7 @@ manager: celestedg
 ms.service: active-directory
 ms.workload: identity
 ms.topic: reference
-ms.date: 09/10/2018
+ms.date: 10/28/2019
 ms.author: marsma
 ms.subservice: B2C
 ---
@@ -27,6 +27,8 @@ The following diagram shows the relationship between the elements:
 
 The **Predicate** element defines a basic validation to check the value of a claim type and returns `true` or `false`. The validation is done by using a specified **Method** element and a set of **Parameter** elements relevant to the method. For example, a predicate can check whether the length of a string claim value is within the range of minimum and maximum parameters specified, or whether a string claim value contains a character set. The **UserHelpText** element provides an error message for users if the check fails. The value of **UserHelpText** element can be localized using [language customization](localization.md).
 
+The **Predicates** element must appear directly following the **ClaimsSchema** element within the [BuildingBlocks](buildingblocks.md) element.
+
 The **Predicates** element contains the following element:
 
 | Element | Occurrences | Description |
@@ -108,6 +110,8 @@ The following example shows a `IsDateRange` method with the parameters `Minimum`
 
 While the predicates define the validation to check against a claim type, the **PredicateValidations** group a set of predicates to form a user input validation that can be applied to a claim type. Each **PredicateValidation** element contains a set of **PredicateGroup** elements that contain a set of **PredicateReference** elements that points to a **Predicate**. To pass the validation, the value of the claim should pass all of the tests of any predicate under all of the **PredicateGroup** with their set of **PredicateReference** elements.
 
+The **PredicateValidations** element must appear directly following the **Predicates** element within the [BuildingBlocks](buildingblocks.md) element.
+
 ```XML
 <PredicateValidations>
   <PredicateValidation Id="">
@@ -190,7 +194,7 @@ With **Predicates** and **PredicateValidationsInput** you can control the comple
 - **Lowercase** using the `IncludesCharacters` method, validates that the password contains a lowercase letter.
 - **Uppercase** using the `IncludesCharacters` method, validates that the password contains an uppercase letter.
 - **Number** using the `IncludesCharacters` method, validates that the password contains a digit.
-- **Symbol** using the `IncludesCharacters` method, validates that the password contains one of following symbols `@#$%^&*\-_+=[]{}|\:',?/~"();!`
+- **Symbol** using the `IncludesCharacters` method, validates that the password contains one of several symbol characters.
 - **PIN** using the `MatchesRegex` method, validates that the password contains numbers only.
 - **AllowedAADCharacters** using the `MatchesRegex` method, validates that the password only invalid character was provided.
 - **DisallowedWhitespace** using the `MatchesRegex` method, validates that the password doesn't begin or end with a whitespace character.
@@ -229,7 +233,7 @@ With **Predicates** and **PredicateValidationsInput** you can control the comple
   <Predicate Id="Symbol" Method="IncludesCharacters">
     <UserHelpText>a symbol</UserHelpText>
     <Parameters>
-      <Parameter Id="CharacterSet">@#$%^&amp;*\-_+=[]{}|\:',?/`~"();!</Parameter>
+      <Parameter Id="CharacterSet">@#$%^&amp;*\-_+=[]{}|\\:',.?/`~"();!</Parameter>
     </Parameters>
   </Predicate>
 

articles/active-directory-b2c/predicates.md

@@ -94,7 +94,7 @@ On an Azure AD-joined or registered device, user authentication happens using mo
 | Representation in the directory | Device objects in the Azure AD directory            | Computer objects in the Azure AD DS managed domain                        |
 | Authentication                  | OAuth / OpenID Connect based protocols              | Kerberos and NTLM protocols                                               |
 | Management                      | Mobile Device Management (MDM) software like Intune | Group Policy                                                              |
-| Networking                      | Works over the internet                             | Requires machines to be on the same virtual network as the managed domain |
+| Networking                      | Works over the internet                             | Must be connected to, or peered with, the virtual network where the managed domain is deployed |
 | Great for...                    | End-user mobile or desktop devices                  | Server VMs deployed in Azure                                              |
 
 ## Next steps
@@ -107,4 +107,4 @@ To get started with using Azure AD DS, [create an Azure AD DS managed domain usi
 [custom-ou]: create-ou.md
 [manage-gpos]: manage-group-policy.md
 [tutorial-ldaps]: tutorial-configure-ldaps.md
-[tutorial-create]: tutorial-create-instance.md
+[tutorial-create]: tutorial-create-instance.md

articles/active-directory-domain-services/compare-identity-solutions.md

@@ -43,7 +43,7 @@ Classic virtual networks aren't supported for new deployments. Existing managed
 Yes. Azure AD Domain Services can be enabled in an Azure Resource Manager virtual network. Classic Azure virtual networks are no longer supported for when you create a new managed domain.
 
 ### Can I migrate my existing managed domain from a Classic virtual network to a Resource Manager virtual network?
-Yes, this feature is in preview. For more information, see [Migrate Azure AD Domain Services from the Classic virtual network model to Resource Manager (preview)][migrate-from-classic-vnet.md]
+Yes, this feature is in preview. For more information, see [Migrate Azure AD Domain Services from the Classic virtual network model to Resource Manager (preview)](migrate-from-classic-vnet.md).
 
 ### Can I enable Azure AD Domain Services in an Azure CSP (Cloud Solution Provider) subscription?
 Yes. For more information, see [how to enable Azure AD Domain Services in Azure CSP subscriptions](csp.md).

articles/active-directory-domain-services/faqs.md

@@ -10,7 +10,7 @@ ms.service: active-directory
 ms.subservice: domain-services
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 08/09/2019
+ms.date: 10/23/2019
 ms.author: iainfou
 
 ---
@@ -87,8 +87,8 @@ An Azure AD DS managed domain creates some networking resources during deploymen
 | Azure resource                          | Description |
 |:----------------------------------------|:---|
 | Network interface card                  | Azure AD DS hosts the managed domain on two domain controllers (DCs) that run on Windows Server as Azure VMs. Each VM has a virtual network interface that connects to your virtual network subnet. |
-| Dynamic basic public IP address         | Azure AD DS communicates with the synchronization and management service using a basic SKU public IP address. For more information about public IP addresses, see [IP address types and allocation methods in Azure](../virtual-network/virtual-network-ip-addresses-overview-arm.md). |
-| Azure basic load balancer               | Azure AD DS uses a basic SKU load balancer for network address translation (NAT) and load balancing (when used with secure LDAP). For more information about Azure load balancers, see [What is Azure Load Balancer?](../load-balancer/load-balancer-overview.md) |
+| Dynamic standard public IP address         | Azure AD DS communicates with the synchronization and management service using a standard SKU public IP address. For more information about public IP addresses, see [IP address types and allocation methods in Azure](../virtual-network/virtual-network-ip-addresses-overview-arm.md). |
+| Azure standard load balancer               | Azure AD DS uses a standard SKU load balancer for network address translation (NAT) and load balancing (when used with secure LDAP). For more information about Azure load balancers, see [What is Azure Load Balancer?](../load-balancer/load-balancer-overview.md) |
 | Network address translation (NAT) rules | Azure AD DS creates and uses three NAT rules on the load balancer - one rule for secure HTTP traffic, and two rules for secure PowerShell remoting. |
 | Load balancer rules                     | When an Azure AD DS managed domain is configured for secure LDAP on TCP port 636, three rules are created and used on a load balancer to distribute the traffic. |
 

articles/active-directory-domain-services/network-considerations.md

@@ -126,6 +126,12 @@ $Vnet= New-AzVirtualNetwork `
 
 Now let's create an Azure AD DS managed domain. Set your Azure subscription ID, and then provide a name for the managed domain, such as *contoso.com*. You can get your subscription ID using the [Get-AzSubscription][Get-AzSubscription] cmdlet.
 
+If you choose a region that supports Availability Zones, the Azure AD DS resources are distributed across zones for additional redundancy.
+
+Availability Zones are unique physical locations within an Azure region. Each zone is made up of one or more datacenters equipped with independent power, cooling, and networking. To ensure resiliency, there’s a minimum of three separate zones in all enabled regions.
+
+There's nothing for you to configure for Azure AD DS to be distributed across zones. The Azure platform automatically handles the zone distribution of resources. For more information and to see region availability, see [What are Availability Zones in Azure?][availability-zones].
+
 ```powershell
 $AzureSubscriptionId = "YOUR_AZURE_SUBSCRIPTION_ID"
 $ManagedDomainName = "contoso.com"
@@ -144,6 +150,8 @@ When the Azure portal shows that the Azure AD DS managed domain has finished pro
 
 * Update DNS settings for the virtual network so virtual machines can find the managed domain for domain join or authentication.
     * To configure DNS, select your Azure AD DS managed domain in the portal. On the **Overview** window, you are prompted to automatically configure these DNS settings.
+* If you created an Azure AD DS managed domain in a region that supports Availability Zones, create a network security group to restrict traffic in the virtual network for the Azure AD DS managed domain. An Azure standard load balancer is created that requires these rules to be place. This network security group secures Azure AD DS and is required for the managed domain to work correctly.
+    * To create the network security group and required rules, select your Azure AD DS managed domain in the portal. On the **Overview** window, you are prompted to automatically create and configure the network security group.
 * [Enable password synchronization to Azure AD Domain Services](tutorial-create-instance.md#enable-user-accounts-for-azure-ad-ds) so end users can sign in to the managed domain using their corporate credentials.
 
 ## Complete PowerShell script
@@ -229,6 +237,8 @@ When the Azure portal shows that the Azure AD DS managed domain has finished pro
 
 * Update DNS settings for the virtual network so virtual machines can find the managed domain for domain join or authentication.
     * To configure DNS, select your Azure AD DS managed domain in the portal. On the **Overview** window, you are prompted to automatically configure these DNS settings.
+* If you created an Azure AD DS managed domain in a region that supports Availability Zones, create a network security group to restrict traffic in the virtual network for the Azure AD DS managed domain. An Azure standard load balancer is created that requires these rules to be place. This network security group secures Azure AD DS and is required for the managed domain to work correctly.
+    * To create the network security group and required rules, select your Azure AD DS managed domain in the portal. On the **Overview** window, you are prompted to automatically create and configure the network security group.
 * [Enable password synchronization to Azure AD Domain Services](tutorial-create-instance.md#enable-user-accounts-for-azure-ad-ds) so end users can sign in to the managed domain using their corporate credentials.
 
 ## Next steps
@@ -254,3 +264,4 @@ To see the Azure AD DS managed domain in action, you can [domain-join a Windows
 [New-AzVirtualNetwork]: /powershell/module/Az.Network/New-AzVirtualNetwork
 [Get-AzSubscription]: /powershell/module/Az.Accounts/Get-AzSubscription
 [cloud-shell]: /azure/cloud-shell/cloud-shell-windows-users
+[availability-zones]: ../availability-zones/az-overview.md

articles/active-directory-domain-services/powershell-create-instance.md

@@ -151,7 +151,7 @@ To see this managed domain in action, create and join a virtual machine to the d
 > [!div class="nextstepaction"]
 > [Join a Windows Server virtual machine to your managed domain](join-windows-vm.md)
 
-<!-- INTERNAL LINKS -->
+<!-- INTERNAL LINKS --> 
 [create-azure-ad-tenant]: ../active-directory/fundamentals/sign-up-organization.md
 [associate-azure-ad-tenant]: ../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md
 [create-azure-ad-ds-instance]: tutorial-create-instance.md

articles/active-directory-domain-services/tutorial-configure-networking.md

@@ -8,7 +8,7 @@ ms.service: active-directory
 ms.subservice: domain-services
 ms.workload: identity
 ms.topic: tutorial
-ms.date: 10/18/2019
+ms.date: 10/23/2019
 ms.author: iainfou
 
 #Customer intent: As an identity administrator, I want to create an Azure Active Directory Domain Services instance and define advanced configuration options so that I can synchronize identity information with my Azure Active Directory tenant and provide Domain Services connectivity to virtual machines and applications in Azure.
@@ -86,7 +86,11 @@ The following DNS name restrictions also apply:
 Complete the fields in the *Basics* window of the Azure portal to create an Azure AD DS instance:
 
 1. Enter a **DNS domain name** for your managed domain, taking into consideration the previous points.
-1. Choose the Azure **Location** in which the managed domain should be created.
+1. Choose the Azure **Location** in which the managed domain should be created. If you choose a region that supports Availability Zones, the Azure AD DS resources are distributed across zones for additional redundancy.
+
+    Availability Zones are unique physical locations within an Azure region. Each zone is made up of one or more datacenters equipped with independent power, cooling, and networking. To ensure resiliency, there’s a minimum of three separate zones in all enabled regions.
+
+    There's nothing for you to configure for Azure AD DS to be distributed across zones. The Azure platform automatically handles the zone distribution of resources. For more information and to see region availability, see [What are Availability Zones in Azure?][availability-zones]
 
     ![Configure basic settings for an Azure AD Domain Services instance](./media/tutorial-create-instance-advanced/basics-window.png)
 
@@ -165,7 +169,7 @@ On the **Summary** page of the wizard, review the configuration settings for the
 
     ![Domain Services status once successfully provisioned](./media/tutorial-create-instance-advanced/successfully-provisioned.png)
 
-During the provisioning process, Azure AD DS creates two Enterprise Applications named *Domain Controller Services* and *AzureActiveDirectoryDomainControllerServices* in your directory. These Enterprise Applications are needed to service your managed domain. It's imperative that these applications are not deleted at any time.
+The managed domain is associated with your Azure AD tenant. During the provisioning process, Azure AD DS creates two Enterprise Applications named *Domain Controller Services* and *AzureActiveDirectoryDomainControllerServices* in the Azure AD tenant. These Enterprise Applications are needed to service your managed domain. Don't delete these applications.
 
 ## Update DNS settings for the Azure virtual network
 
@@ -236,6 +240,7 @@ To see this managed domain in action, create and join a virtual machine to the d
 [on-prem-sync]: tutorial-configure-password-hash-sync.md
 [configure-sspr]: ../active-directory/authentication/quickstart-sspr.md
 [password-hash-sync-process]: ../active-directory/hybrid/how-to-connect-password-hash-synchronization.md#password-hash-sync-process-for-azure-ad-domain-services
+[availability-zones]: ../availability-zones/az-overview.md
 
 <!-- EXTERNAL LINKS -->
 [naming-prefix]: /windows-server/identity/ad-ds/plan/selecting-the-forest-root-domain#selecting-a-prefix

articles/active-directory-domain-services/tutorial-create-instance-advanced.md

@@ -8,7 +8,7 @@ ms.service: active-directory
 ms.subservice: domain-services
 ms.workload: identity
 ms.topic: tutorial
-ms.date: 10/18/2019
+ms.date: 10/23/2019
 ms.author: iainfou
 
 #Customer intent: As an identity administrator, I want to create an Azure Active Directory Domain Services instance so that I can synchronize identity information with my Azure Active Directory tenant and provide Domain Services connectivity to virtual machines and applications in Azure.
@@ -85,7 +85,11 @@ The following DNS name restrictions also apply:
 Complete the fields in the *Basics* window of the Azure portal to create an Azure AD DS instance:
 
 1. Enter a **DNS domain name** for your managed domain, taking into consideration the previous points.
-1. Choose the Azure **Location** in which the managed domain should be created.
+1. Choose the Azure **Location** in which the managed domain should be created. If you choose a region that supports Availability Zones, the Azure AD DS resources are distributed across zones for additional redundancy.
+
+    Availability Zones are unique physical locations within an Azure region. Each zone is made up of one or more datacenters equipped with independent power, cooling, and networking. To ensure resiliency, there’s a minimum of three separate zones in all enabled regions.
+
+    There's nothing for you to configure for Azure AD DS to be distributed across zones. The Azure platform automatically handles the zone distribution of resources. For more information and to see region availability, see [What are Availability Zones in Azure?][availability-zones]
 
     ![Configure basic settings for an Azure AD Domain Services instance](./media/tutorial-create-instance/basics-window.png)
 
@@ -115,7 +119,7 @@ On the **Summary** page of the wizard, review the configuration settings for the
 
     ![Domain Services status once successfully provisioned](./media/tutorial-create-instance/successfully-provisioned.png)
 
-We provision Azure AD Domain Services on the Azure Active Directory tenant and the Azure AD Domain Services resource for the service is created within the associated Azure subscription. During the provisioning process, Azure AD DS creates two Enterprise Applications named *Domain Controller Services* and *AzureActiveDirectoryDomainControllerServices* in your Azure Active directory instance where you have enabled the Azure AD domain services. These Enterprise Applications are needed to service your managed domain.  It's imperative that these applications are not deleted at any time.
+The managed domain is associated with your Azure AD tenant. During the provisioning process, Azure AD DS creates two Enterprise Applications named *Domain Controller Services* and *AzureActiveDirectoryDomainControllerServices* in the Azure AD tenant. These Enterprise Applications are needed to service your managed domain. Don't delete these applications.
 
 ## Update DNS settings for the Azure virtual network
 
@@ -186,6 +190,7 @@ Before you domain-join VMs and deploy applications that use the Azure AD DS mana
 [on-prem-sync]: tutorial-configure-password-hash-sync.md
 [configure-sspr]: ../active-directory/authentication/quickstart-sspr.md
 [password-hash-sync-process]: ../active-directory/hybrid/how-to-connect-password-hash-synchronization.md#password-hash-sync-process-for-azure-ad-domain-services
+[availability-zones]: ../availability-zones/az-overview.md
 
 <!-- EXTERNAL LINKS -->
 [naming-prefix]: /windows-server/identity/ad-ds/plan/selecting-the-forest-root-domain#selecting-a-prefix