adding Thomas' updates

Author: mattbriggs

articles/azure-stack/azure-stack-extension-host-prepare.md

@@ -5,7 +5,7 @@ services: azure-stack
 keywords: 
 author: mattbriggs
 ms.author: mabrigg
-ms.date: 08/28/2018
+ms.date: 08/29/2018
 ms.topic: article
 ms.service: azure-stack
 ms.reviewer: thoroet
@@ -24,8 +24,8 @@ The table shows the new namespaces and the associated certificates:
 
 | Deployment Folder | Required certificate subject and subject alternative names (SAN) | Scope (per region) | SubDomain namespace |
 |-----------------------|------------------------------------------------------------------|-----------------------|------------------------------|
-| Admin extension host | *.adminhosting.<region>.<fqdn> (Wildcard SSL Certificates) | Admin extension host | adminhosting.<region>.<fqdn> |
-| Public extension host | *.hosting.<region>.<fqdn> (Wildcard SSL Certificates) | Public extension host | hosting.<region>.<fqdn> |
+| Admin extension host | *.adminhosting.\<region>.\<fqdn> (Wildcard SSL Certificates) | Admin extension host | adminhosting.\<region>.\<fqdn> |
+| Public extension host | *.hosting.\<region>.\<fqdn> (Wildcard SSL Certificates) | Public extension host | hosting.\<region>.\<fqdn> |
 
 The detailed certificate requirements can be found in the [Azure Stack public key infrastructure certificate requirements](azure-stack-pki-certs.md) article.
 
@@ -38,7 +38,7 @@ The Azure Stack Readiness Checker Tool provides the ability to create a certific
 
 ## Validate new certificates
 
-1. Open PowerShell with elevated permission on the hardware lifecycle host or the Privileged Access Workstation.
+1. Open PowerShell with elevated permission on the hardware lifecycle host or the Azure Stack management workstation.
 2. Run the following cmdlet to install the Azure Stack Readiness Checker tool.
     ```PowerShell  
     Install-Module -Name Microsoft.AzureStack.ReadinessChecker
@@ -48,22 +48,26 @@ The Azure Stack Readiness Checker Tool provides the ability to create a certific
     ```PowerShell  
     New-Item C:\Certificates -ItemType Directory
 
-    $directories = 'ACSBlob','ACSQueue','ACSTable','ADFS','Admin Portal','ARM Admin','ARM Public','Graph','KeyVault','KeyVaultInternal','Public Portal', 'Admin extension host', 'Public extension host'
+    $directories = 'ACSBlob','ACSQueue','ACSTable','Admin Portal','ARM Admin','ARM Public','KeyVault','KeyVaultInternal','Public Portal', 'Admin extension host', 'Public extension host'
 
     $destination = 'c:\certificates'
 
     $directories | % { New-Item -Path (Join-Path $destination $PSITEM) -ItemType Directory -Force}
     ```
 
-4. Place your certificate(s) in the appropriate directories.
-5. Run the following cmdlets to start the certificate check:
+    > [!Note]  
+    > If you deploy with Azure Active Directory Federated Services (AD FS) the following directories must be added to **$directories** in the script: `ADFS`, `Graph`.
+
+4. Run the following cmdlets to start the certificate check:
 
     ```PowerShell  
     $pfxPassword = Read-Host -Prompt "Enter PFX Password" -AsSecureString 
 
     Start-AzsReadinessChecker -CertificatePath c:\certificates -pfxPassword $pfxPassword -RegionName east -FQDN azurestack.contoso.com -IdentitySystem AAD -ExtensionHostFeature $true
     ```
 
+5. Place your certificate(s) in the appropriate directories.
+
 6. Check the output and all certificates pass all tests.
 
 
@@ -74,35 +78,36 @@ Use a computer that can connect to the Azure Stack privileged endpoint for the n
 1. Use a computer that can connect to the Azure Stack privileged endpoint for the next steps. Make sure you access to the new certificate files from that computer.
 2. Open PowerShell ISE to execute the next script blocks
 3. Import the certificate for hosting endpoint. Adjust the script to match your environment.
-4. Import the certificate for hosting endpoint. Adjust the script to match your environment.
+
     ```PowerShell  
-    [Byte[]] $HostingCertContent = [Byte[]](Get-Content <File path of hosting certificate> -Encoding Byte)
+    $CertPassword = ConvertTo-SecureString "***" -AsPlainText -Force
+
+    $CloudAdminCred = Get-Credential -UserName <Privileged endpoint credentials> -Message "Enter the cloud domain credentials to access the privileged endpoint."
+
+    [Byte[]] $AdminHostingCertContent = [Byte[]](Get-Content c:\certificate\myadminhostingcertificate.pfx -Encoding Byte)
 
     Invoke-Command -ComputeName <PrivilegedEndpoint computer name> `
     -Credential $CloudAdminCred `
     -ConfigurationName "PrivilegedEndpoint" `
-    -ArgumentList @($HostingCertContent, $CertPassword) `
+    -ArgumentList @($AdminHostingCertContent, $CertPassword) `
     -ScriptBlock {
-            param($HostingCertContent, $CertPassword)
-            Import-UserHostingServiceCert $HostingCertContent $certPassword
+            param($AdminHostingCertContent, $CertPassword)
+            Import-AdminHostingServiceCert $AdminHostingCertContent $certPassword
     }
     ```
+
 5. Import the certificate for the Admin hosting endpoint.
 
     ```PowerShell  
-    $CertPassword = ConvertTo-SecurString "***" -AsPlainText -Force
-
-    $CloudAdminCred = Get-Credential -UserName <Privileged endpoint credentials> -Message "Enter the cloud domain credentials to access the privileged endpoint."
-
-    [Byte[]] $AdminHostingCertContent = [Byte[]](Get-Content <File path of Admin hosting certificate> -Encoding Byte)
+    [Byte[]] $HostingCertContent = [Byte[]](Get-Content c:\certificate\myadminhostingcertificate.pfx  -Encoding Byte)
 
     Invoke-Command -ComputeName <PrivilegedEndpoint computer name> `
     -Credential $CloudAdminCred `
     -ConfigurationName "PrivilegedEndpoint" `
-    -ArgumentList @($AdminHostingCertContent, $CertPassword) `
+    -ArgumentList @($HostingCertContent, $CertPassword) `
     -ScriptBlock {
-            param($AdminHostingCertContent, $CertPassword)
-            Import-AdminHostingServiceCert $AdminHostingCertContent $certPassword
+            param($HostingCertContent, $CertPassword)
+            Import-UserHostingServiceCert $HostingCertContent $certPassword
     }
     ```
 

articles/azure-stack/azure-stack-get-pki-certs.md

@@ -13,7 +13,7 @@ ms.workload: na
 pms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: article
-ms.date: 05/18/2018
+ms.date: 08/29/2018
 ms.author: mabrigg
 ms.reviewer: ppacent
 ---

articles/azure-stack/azure-stack-integrate-endpoints.md

@@ -6,14 +6,15 @@ author: jeffgilb
 manager: femila
 ms.service: azure-stack
 ms.topic: article
-ms.date: 08/02/2018
+ms.date: 08/29/2018
 
 ms.author: jeffgilb
 ms.reviewer: wamota
 keywords:
 ---
 
 # Azure Stack datacenter integration - Publish endpoints
+
 Azure Stack sets up virtual IP addresses (VIPs) for its infrastructure roles. These VIPs are allocated from the public IP address pool. Each VIP is secured with an access control list (ACL) in the software-defined network layer. ACLs are also used across the physical switches (TORs and BMC) to further harden the solution. A DNS entry is created for each endpoint in the external DNS zone that specified at deployment time.
 
 

articles/azure-stack/azure-stack-pki-certs.md

@@ -13,7 +13,7 @@ ms.workload: na
 pms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: article
-ms.date: 06/07/2018
+ms.date: 08/29/2018
 ms.author: mabrigg
 ms.reviewer: ppacent
 
@@ -73,6 +73,8 @@ For your deployment, the [region] and [externalfqdn] values must match the regio
 | ACSQueue | *.queue.&lt;region>.&lt;fqdn><br>(Wildcard SSL Certificate) | Queue Storage | queue.&lt;region>.&lt;fqdn> |
 | KeyVault | *.vault.&lt;region>.&lt;fqdn><br>(Wildcard SSL Certificate) | Key Vault | vault.&lt;region>.&lt;fqdn> |
 | KeyVaultInternal | *.adminvault.&lt;region>.&lt;fqdn><br>(Wildcard SSL Certificate) |  Internal Keyvault |  adminvault.&lt;region>.&lt;fqdn> |
+| Admin Extension Host | *.adminhosting.\<region>.\<fqdn> (Wildcard SSL Certificates) | Admin Extension Host | adminhosting.\<region>.\<fqdn> |
+| Public Extension Host | *.hosting.\<region>.\<fqdn> (Wildcard SSL Certificates) | Public Extension Host | hosting.\<region>.\<fqdn> |
 
 If you deploy Azure Stack using the Azure AD deployment mode, you only need to request the certificates listed in previous table. However, if you deploy Azure Stack using the AD FS deployment mode, you must also request the certificates described in the following table:
 

articles/azure-stack/azure-stack-validate-pki-certs.md

@@ -12,7 +12,7 @@ ms.workload: na
 pms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: article
-ms.date: 05/24/2018
+ms.date: 08/29/2018
 ms.author: mabrigg
 ms.reviewer: ppacent
 ---
@@ -71,7 +71,7 @@ Use these steps to prepare and to validate the Azure Stack PKI certificates for
     ````PowerShell  
     New-Item C:\Certificates -ItemType Directory
     
-    $directories = 'ACSBlob','ACSQueue','ACSTable','ADFS','Admin Portal','ARM Admin','ARM Public','Graph','KeyVault','KeyVaultInternal','Public Portal', ,'Admin Extension Host','Public Extension Host'
+    $directories = 'ACSBlob','ACSQueue','ACSTable','ADFS','Admin Portal','ARM Admin','ARM Public','Graph','KeyVault','KeyVaultInternal','Public Portal','Admin Extension Host','Public Extension Host'
     
     $destination = 'c:\certificates'
     

articles/azure-stack/user/azure-stack-metrics-azure-data.md

@@ -27,7 +27,7 @@ For an introduction, overview, and how to get started with Azure Monitor, see th
 
 ![Azure Stack Monitor blade](./media/azure-stack-metrics-azure-data/azs-monitor.png)
 
-Azure Monitor is the platform service that provides a single source for monitoring Azure resources. With Azure Monitor, you can visualize, query, route, archive, and otherwise take action on the metrics and logs coming from resources in Azure. You can work with this data by using the Azure Stack admin portal, Monitor PowerShell Cmdlets, Cross-Platform CLI, or Azure Monitor REST APIs. For the specific connectivity supported by Azure Stack, see [How to consume monitoring data from Azure Stack](azure-stack-metrics-supported.md)
+Azure Monitor is the platform service that provides a single source for monitoring Azure resources. With Azure Monitor, you can visualize, query, route, archive, and otherwise take action on the metrics and logs coming from resources in Azure. You can work with this data by using the Azure Stack admin portal, Monitor PowerShell Cmdlets, Cross-Platform CLI, or Azure Monitor REST APIs. For the specific connectivity supported by Azure Stack, see [How to consume monitoring data from Azure Stack](azure-stack-metrics-monitor.md)
 
 > [!Note]  
 Metrics and diagnostic logs are not available for the Azure Stack Development Kit.