Merge pull request #111769 from MicrosoftDocs/master

Merge Master to Live, 4 AM

Author: PMEds28

articles/active-directory-domain-services/manage-dns.md

@@ -1,6 +1,6 @@
 ---
 title: Manage DNS for Azure AD Domain Services | Microsoft Docs
-description: Learn how to install the DNS Server Tools to manage DNS for an Azure Active Directory Domain Services managed domain.
+description: Learn how to install the DNS Server Tools to manage DNS and create conditional forwarders for an Azure Active Directory Domain Services managed domain.
 author: iainfoulds
 manager: daveba
 
@@ -9,21 +9,19 @@ ms.service: active-directory
 ms.subservice: domain-services
 ms.workload: identity
 ms.topic: how-to
-ms.date: 10/31/2019
+ms.date: 04/16/2020
 ms.author: iainfou
 
 ---
-# Administer DNS in an Azure AD Domain Services managed domain
+# Administer DNS and create conditional forwarders in an Azure AD Domain Services managed domain
 
 In Azure Active Directory Domain Services (Azure AD DS), a key component is DNS (Domain Name Resolution). Azure AD DS includes a DNS server that provides name resolution for the managed domain. This DNS server includes built-in DNS records and updates for the key components that allow the service to run.
 
 As you run your own applications and services, you may need to create DNS records for machines that aren't joined to the domain, configure virtual IP addresses for load balancers, or set up external DNS forwarders. Users who belong to the *AAD DC Administrators* group are granted DNS administration privileges on the Azure AD DS managed domain and can create and edit custom DNS records.
 
-In a hybrid environment, DNS zones and records configured in an on-premises AD DS environment aren't synchronized to Azure AD DS. To define and use your own DNS entries, create records in the Azure AD DS DNS server or use conditional forwarders that point to existing DNS servers in your environment.
+In a hybrid environment, DNS zones and records configured in other DNS namespaces, such as an on-premises AD DS environment, aren't synchronized to Azure AD DS. To resolve named resources in other DNS namespaces, create and use conditional forwarders that point to existing DNS servers in your environment.
 
-This article shows you how to install the DNS Server tools then use the DNS console to manage records in Azure AD DS.
-
-[!INCLUDE [active-directory-ds-prerequisites.md](../../includes/active-directory-ds-prerequisites.md)]
+This article shows you how to install the DNS Server tools then use the DNS console to manage records and create conditional forwarders in Azure AD DS.
 
 ## Before you begin
 
@@ -35,6 +33,8 @@ To complete this article, you need the following resources and privileges:
     * If needed, [create an Azure Active Directory tenant][create-azure-ad-tenant] or [associate an Azure subscription with your account][associate-azure-ad-tenant].
 * An Azure Active Directory Domain Services managed domain enabled and configured in your Azure AD tenant.
     * If needed, complete the tutorial to [create and configure an Azure Active Directory Domain Services instance][create-azure-ad-ds-instance].
+* Connectivity from your Azure AD DS virtual network to where your other DNS namespaces are hosted.
+    * This connectivity can be provided with an [Azure ExpressRoute][expressroute] or [Azure VPN Gateway][vpn-gateway] connection.
 * A Windows Server management VM that is joined to the Azure AD DS managed domain.
     * If needed, complete the tutorial to [create a Windows Server VM and join it to a managed domain][create-join-windows-vm].
 * A user account that's a member of the *Azure AD DC administrators* group in your Azure AD tenant.
@@ -52,7 +52,7 @@ To create and modify DNS records in Azure AD DS, you need to install the DNS Ser
 1. On the **Server Roles** page, click **Next**.
 1. On the **Features** page, expand the **Remote Server Administration Tools** node, then expand the **Role Administration Tools** node. Select **DNS Server Tools** feature from the list of role administration tools.
 
-    ![Choose to install the DNS Server Tools from the list of available role administration tools](./media/active-directory-domain-services-admin-guide/install-rsat-server-manager-add-roles-dns-tools.png)
+    ![Choose to install the DNS Server Tools from the list of available role administration tools](./media/manage-dns/install-dns-tools.png)
 
 1. On the **Confirmation** page, select **Install**. It may take a minute or two to install the Group Policy Management tools.
 1. When feature installation is complete, select **Close** to exit the **Add Roles and Features** wizard.
@@ -67,15 +67,40 @@ With the DNS Server tools installed, you can administer DNS records on the Azure
 1. From the Start screen, select **Administrative Tools**. A list of available management tools is shown, including **DNS** installed in the previous section. Select **DNS** to launch the DNS Management console.
 1. In the **Connect to DNS Server** dialog, select **The following computer**, then enter the DNS domain name of the managed domain, such as *aaddscontoso.com*:
 
-    ![Connect to the Azure AD DS managed domain in the DNS console](./media/active-directory-domain-services-admin-guide/dns-console-connect-to-domain.png)
+    ![Connect to the Azure AD DS managed domain in the DNS console](./media/manage-dns/connect-dns-server.png)
 
 1. The DNS Console connects to the specified Azure AD DS managed domain. Expand the **Forward Lookup Zones** or **Reverse Lookup Zones** to create your required DNS entries or edit existing records as needed.
 
-    ![DNS Console - administer domain](./media/active-directory-domain-services-admin-guide/dns-console-managed-domain.png)
+    ![DNS Console - administer domain](./media/manage-dns/dns-manager.png)
 
 > [!WARNING]
 > When you manage records using the DNS Server tools, make sure that you don't delete or modify the built-in DNS records that are used by Azure AD DS. Built-in DNS records include domain DNS records, name server records, and other records used for DC location. If you modify these records, domain services are disrupted on the virtual network.
 
+## Create conditional forwarders
+
+An Azure AD DS DNS zone should only contain the zone and records for the managed domain itself. Don't create additional zones in Azure AD DS to resolve named resources in other DNS namespaces. Instead, use conditional forwarders in the Azure AD DS managed domain to tell the DNS server where to go in order to resolve addresses for those resources.
+
+A conditional forwarder is a configuration option in a DNS server that lets you define a DNS domain, such as *contoso.com*, to forward queries to. Instead of the local DNS server trying to resolve queries for records in that domain, DNS queries are forwarded to the configured DNS for that domain. This configuration makes sure that the correct DNS records are returned, as you don't create a local a DNS zone with duplicate records in the Azure AD DS managed domain to reflect those resources.
+
+To create a conditional forwarder in your Azure AD DS managed domain, complete the following steps:
+
+1. Select your Azure AD DS DNS zone, such as *aaddscontoso.com*.vb
+1. Select **Conditional Forwarders**, then right-select and choose **New Conditional Forwarder...**
+1. Enter your other **DNS Domain**, such as *contoso.com*, then enter the IP addresses of the DNS servers for that namespace, as shown in the following example:
+
+    ![Add and configure a conditional forwarder for the DNS server](./media/manage-dns/create-conditional-forwarder.png)
+
+1. Check the box for **Store this conditional forwarder in Active Directory, and replicate it as follows**, then select the option for *All DNS servers in this domain*, as shown in the following example:
+
+    ![DNS Console - administer domain](./media/manage-dns/store-in-domain.png)
+
+    > [!IMPORTANT]
+    > If the conditional forwarder is stored in the *forest* instead of the *domain*, the conditional forwarder fails.
+
+1. To create the conditional forwarder, select **OK**.
+
+Name resolution of the resources in other namespaces from VMs connected to the Azure AD DS managed domain should now resolve correctly. Queries for the DNS domain configured in the conditional forwarder are passed to the relevant DNS servers.
+
 ## Next steps
 
 For more information about managing DNS, see the [DNS tools article on Technet](https://technet.microsoft.com/library/cc753579.aspx).
@@ -84,6 +109,8 @@ For more information about managing DNS, see the [DNS tools article on Technet](
 [create-azure-ad-tenant]: ../active-directory/fundamentals/sign-up-organization.md
 [associate-azure-ad-tenant]: ../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md
 [create-azure-ad-ds-instance]: tutorial-create-instance.md
+[expressroute]: ../expressroute/expressroute-introduction.md
+[vpn-gateway]: ../vpn-gateway/vpn-gateway-about-vpngateways.md
 [create-join-windows-vm]: join-windows-vm.md
 [tutorial-create-management-vm]: tutorial-create-management-vm.md
 [connect-windows-server-vm]: join-windows-vm.md#connect-to-the-windows-server-vm

articles/active-directory-domain-services/media/manage-dns/connect-dns-server.png

@@ -7,7 +7,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: B2B
 ms.topic: tutorial
-ms.date: 2/11/2020
+ms.date: 04/13/2020
 
 ms.author: mimart
 author: msmimart
@@ -19,25 +19,16 @@ ms.reviewer: mal
 ms.collection: M365-identity-device-management
 ---
 
-# Tutorial: Bulk invite Azure AD B2B collaboration users (preview)
-
-|     |
-| --- |
-| This article describes a public preview feature of Azure Active Directory. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).|
-|     |
-
-> [!NOTE]
-> As of 12/22/2019, the Bulk invite users (Preview) feature has been temporarily disabled.
-> There is currently no known date for when this feature will be re-enabled in the Azure portal. To invite guest users in bulk using PowerShell, see the [B2B bulk invite tutorial](bulk-invite-powershell.md) or the [B2B code and PowerShell samples](code-samples.md).
+# Tutorial: Bulk invite Azure AD B2B collaboration users
 
 If you use Azure Active Directory (Azure AD) B2B collaboration to work with external partners, you can invite multiple guest users to your organization at the same time. In this tutorial, you learn how to use the Azure portal to send bulk invitations to external users. Specifically, you do the following:
 
 > [!div class="checklist"]
-> * Use **Bulk invite users (Preview)** to prepare a comma-separated value (.csv) file with the user information and invitation preferences
+> * Use **Bulk invite users** to prepare a comma-separated value (.csv) file with the user information and invitation preferences
 > * Upload the .csv file to Azure AD
 > * Verify the users were added to the directory
 
-If you don’t have Azure Active Directory, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin. 
+If you don’t have Azure Active Directory, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.
 
 ## Prerequisites
 
@@ -48,7 +39,7 @@ You need two or more test email accounts that you can send the invitations to. T
 1. Sign in to the Azure portal with an account that is a User administrator in the organization.
 2. In the navigation pane, select **Azure Active Directory**.
 3. Under **Manage**, select **Users** > **Bulk invite**.
-4. On the **Bulk invite users (Preview)** page, select **Download** to get a valid .csv file with invitation properties.
+4. On the **Bulk invite users** page, select **Download** to get a valid .csv file with invitation properties.
 
     ![Bulk invite download button](media/tutorial-bulk-invite/bulk-invite-button.png)
 
@@ -64,10 +55,10 @@ You need two or more test email accounts that you can send the invitations to. T
    > Don't use commas in the **Customized invitation message** because they'll prevent the message from being parsed successfully.
 
 6. Save the file.
-7. On the **Bulk invite users (Preview)** page, under **Upload your csv file**, browse to the file. When you select the file, validation of the .csv file starts. 
+7. On the **Bulk invite users** page, under **Upload your csv file**, browse to the file. When you select the file, validation of the .csv file starts. 
 8. When the file contents are validated, you’ll see **File uploaded successfully**. If there are errors, you must fix them before you can submit the job.
 9. When your file passes validation, select **Submit** to start the Azure bulk operation that adds the invitations. 
-10. To view the job status, select **Click here to view the status of each operation**. Or, you can select **Bulk operation results (Preview)** in the **Activity** section. For details about each line item within the the bulk operation, select the values under the **# Success**, **# Failure**, or **Total Requests** columns. If failures occurred, the reasons for failure will be listed.
+10. To view the job status, select **Click here to view the status of each operation**. Or, you can select **Bulk operation results** in the **Activity** section. For details about each line item within the the bulk operation, select the values under the **# Success**, **# Failure**, or **Total Requests** columns. If failures occurred, the reasons for failure will be listed.
 
     ![Example of bulk operation results](media/tutorial-bulk-invite/bulk-operation-results.png)
 

articles/active-directory-domain-services/media/manage-dns/create-conditional-forwarder.png

@@ -76,7 +76,7 @@ Widening the rollout to larger groups of users should be carried out by increasi
 | -| -|
 | [ADFS to Password Hash Sync](../hybrid/plan-migrate-adfs-password-hash-sync.md)| With Password Hash Synchronization, hashes of user passwords are synchronized from on-premises Active Directory to Azure AD, letting Azure AD authenticate users with no interaction with the on-premises Active Directory |
 | [ADFS to Pass Through Authentication](../hybrid/plan-migrate-adfs-pass-through-authentication.md)| Azure AD Pass-through Authentication helps your users sign in to both on-premises and cloud-based applications using the same passwords. This feature provides users with a better experience - one less password to remember - and reduces IT helpdesk costs because users are less likely to forget how to sign in. When people sign in using Azure AD, this feature validates users' passwords directly against your on-premises Active Directory. |
-| [Azure AD Application Proxy](https://docs.microsoft.com/azure/active-directory/manage-apps/application-proxy-deployment-plan.md) |Employees today want to be productive at any place, at any time, and from any device. They need to access SaaS apps in the cloud and corporate apps on-premises. Azure AD Application proxy enables this robust access without costly and complex virtual private networks (VPNs) or demilitarized zones (DMZs). |
+| [Azure AD Application Proxy](https://docs.microsoft.com/azure/active-directory/manage-apps/application-proxy-deployment-plan) |Employees today want to be productive at any place, at any time, and from any device. They need to access SaaS apps in the cloud and corporate apps on-premises. Azure AD Application proxy enables this robust access without costly and complex virtual private networks (VPNs) or demilitarized zones (DMZs). |
 | [Seamless SSO](../hybrid/how-to-connect-sso-quick-start.md)| Azure Active Directory Seamless Single Sign-On (Azure AD Seamless SSO) automatically signs users in when they are on their corporate devices connected to your corporate network. With this feature, users won't need to type in their passwords to sign in to Azure AD and usually won't need to enter their usernames. This feature provides authorized users with easy access to your cloud-based applications without needing any additional on-premises components. |
 
 ## Deploy user provisioning