Merge branch 'master' of https://github.com/Microsoft/azure-docs-pr

Author: [email protected]

.openpublishing.publish.config.json

@@ -112,6 +112,11 @@
         "path_to_root": "samples-mediaservices-encoderstandard",
         "url": "https://github.com/Azure-Samples/media-services-dotnet-on-demand-encoding-with-media-encoder-standard",
         "branch":"master"
+    },
+    {
+        "path_to_root": "samples-durable-functions",
+        "url": "https://github.com/Azure/azure-functions-durable-extension",
+        "branch":"netcore20"
     }
 	]
 }

.openpublishing.redirection.json

@@ -6225,6 +6225,16 @@
             "redirect_url": "/azure/cognitive-services/video-indexer/video-indexer-get-started",
             "redirect_document_id": false
         },
+        {
+          "source_path": "articles/iot-suite/iot-solution-build-system.md",
+          "redirect_url": "https://github.com/Azure-Samples/MyDriving/blob/master/docs/iot-solution-build-system.md",
+          "redirect_document_id": false
+        },
+        {
+          "source_path": "articles/iot-suite/iot-solution-get-started.md",
+          "redirect_url": "https://github.com/Azure-Samples/MyDriving/blob/master/docs/iot-solution-get-started.md",
+          "redirect_document_id": false
+        },
         {
             "source_path": "articles/iot-hub/iot-hub-gateway-kit-c-sim-troubleshooting.md",
             "redirect_url": "/azure/iot-hub/iot-hub-gateway-kit-c-troubleshooting",
@@ -11285,6 +11295,16 @@
             "redirect_url": "/azure/container-service/kubernetes/container-service-tutorial-kubernetes-scale",
             "redirect_document_id": false
         },
+        {
+            "source_path": "articles/container-service/kubernetes/container-service-security.md",
+            "redirect_url": "/azure/container-service/kubernetes/container-service-intro-kubernetes",
+            "redirect_document_id": false
+        },
+        {
+            "source_path": "articles/container-service/kubernetes/container-service-kubernetes-load-balancing.md",
+            "redirect_url": "/azure/container-service/kubernetes/container-service-intro-kubernetes",
+            "redirect_document_id": false
+        },
         {
             "source_path": "articles/cosmos-db/request-units-per-minute.md",
             "redirect_url": "/azure/cosmos-db/request-units",
@@ -12892,7 +12912,7 @@
         },
         {
             "source_path": "articles/billing/billing-usage-rate-card-partner-solution-cloudyn.md", 
-             "redirect_url": "/azure/cost-management/overview.md", 
+             "redirect_url": "/azure/cost-management/overview", 
              "redirect_document_id": false 
         },
         {

articles/active-directory-domain-services/TOC.md

@@ -16,8 +16,9 @@
 # How to
 ## Join a managed domain
 ### [Join a Windows Server VM](active-directory-ds-admin-guide-join-windows-vm-portal.md)
-### [Join a Windows Server VM using Azure PowerShell](active-directory-ds-admin-guide-join-windows-vm-classic-powershell.md)
-### [Join a Linux VM](active-directory-ds-admin-guide-join-rhel-linux-vm.md)
+### [Join a Windows Server VM using PowerShell](active-directory-ds-admin-guide-join-windows-vm-classic-powershell.md)
+### [RedHat Enterprise Linux](active-directory-ds-admin-guide-join-rhel-linux-vm.md)
+### [Ubuntu Server](active-directory-ds-join-ubuntu-linux-vm.md)
 ## Administer a managed domain
 ### [Administer a managed domain](active-directory-ds-admin-guide-administer-domain.md)
 ### [Administer DNS on a managed domain](active-directory-ds-admin-guide-administer-dns.md)

articles/active-directory-domain-services/active-directory-ds-join-ubuntu-linux-vm.md

@@ -0,0 +1,224 @@
+---
+title: 'Azure Active Directory Domain Services: Join an Ubuntu VM to a managed domain | Microsoft Docs'
+description: Join an Ubuntu Linux virtual machine to Azure AD Domain Services
+services: active-directory-ds
+documentationcenter: ''
+author: mahesh-unnikrishnan
+manager: mahesh-unnikrishnan
+editor: curtand
+
+ms.assetid: 804438c4-51a1-497d-8ccc-5be775980203
+ms.service: active-directory-ds
+ms.workload: identity
+ms.tgt_pltfrm: na
+ms.devlang: na
+ms.topic: article
+ms.date: 10/03/2017
+ms.author: maheshu
+
+---
+# Join an Ubuntu virtual machine in Azure to a managed domain
+This article shows you how to join an Ubuntu Linux virtual machine to an Azure AD Domain Services managed domain.
+
+
+## Before you begin
+To perform the tasks listed in this article, you need:  
+1. A valid **Azure subscription**.
+2. An **Azure AD directory** - either synchronized with an on-premises directory or a cloud-only directory.
+3. **Azure AD Domain Services** must be enabled for the Azure AD directory. If you haven't done so, follow all the tasks outlined in the [Getting Started guide](active-directory-ds-getting-started.md).
+4. Ensure that you have configured the IP addresses of the managed domain as the DNS servers for the virtual network. For more information, see [how to update DNS settings for the Azure virtual network](active-directory-ds-getting-started-dns.md)
+5. Complete the steps required to [synchronize passwords to your Azure AD Domain Services managed domain](active-directory-ds-getting-started-password-sync.md).
+
+
+## Provision an Ubuntu Linux virtual machine
+Provision an Ubuntu Linux virtual machine in Azure, using any of the following methods:
+* [Azure portal](../virtual-machines/linux/quick-create-portal.md)
+* [Azure CLI](../virtual-machines/linux/quick-create-cli.md)
+* [Azure PowerShell](../virtual-machines/linux/quick-create-powershell.md)
+
+> [!IMPORTANT]
+> * Deploy the virtual machine into the **same virtual network in which you have enabled Azure AD Domain Services**.
+> * Pick a **different subnet** than the one in which you have enabled Azure AD Domain Services.
+>
+
+
+## Connect remotely to the Ubuntu Linux virtual machine
+The Ubuntu virtual machine has been provisioned in Azure. The next task is to connect remotely to the virtual machine using the local administrator account created while provisioning the VM.
+
+Follow the instructions in the article [How to log on to a virtual machine running Linux](../virtual-machines/linux/mac-create-ssh-keys.md?toc=%2fazure%2fvirtual-machines%2flinux%2ftoc.json).
+
+
+## Configure the hosts file on the Linux virtual machine
+In your SSH terminal, edit the /etc/hosts file and update your machine’s IP address and hostname.
+
+```
+sudo vi /etc/hosts
+```
+
+In the hosts file, enter the following value:
+
+```
+127.0.0.1 contoso-ubuntu.contoso100.com contoso-ubuntu
+```
+Here, 'contoso100.com' is the DNS domain name of your managed domain. 'contoso-ubuntu' is the hostname of the Ubuntu virtual machine you are joining to the managed domain.
+
+
+## Install required packages on the Linux virtual machine
+Next, install packages required for domain join on the virtual machine. Perform the following steps:
+
+1.  In your SSH terminal, type the following command to download the package lists from the repositories. This command updates the package lists to get information on the newest versions of packages and their dependencies.
+
+    ```
+    sudo apt-get update
+    ```
+
+2. Type the following command to install the required packages.
+    ```
+      sudo apt-get install krb5-user samba sssd sssd-tools libnss-sss libpam-sss ntp ntpdate realmd adcli
+    ```
+
+3. During the Kerberos installation, you see a pink screen. The installation of the 'krb5-user' package prompts for the realm name (in ALL UPPERCASE). The installation writes the [realm] and [domain_realm] sections in /etc/krb5.conf.
+
+    > [!TIP]
+    > If the name of your managed domain is contoso100.com, enter CONTOSO100.COM as the realm. Remember, the realm name must be specified in UPPERCASE.
+    >
+    >
+
+
+## Configure the NTP (Network Time Protocol) settings on the Linux virtual machine
+The date and time of your Ubuntu VM must synchronize with the managed domain. Add your managed domain's NTP hostname in the /etc/ntp.conf file.
+
+```
+sudo vi /etc/ntp.conf
+```
+
+In the ntp.conf file, enter the following value and save the file:
+
+```
+server contoso100.com
+```
+Here, 'contoso100.com' is the DNS domain name of your managed domain.
+
+Now sync the Ubuntu VM's date and time with NTP server and then start the NTP service:
+
+```
+sudo systemctl stop ntp
+sudo ntpdate contoso100.com
+sudo systemctl start ntp
+```
+
+
+## Join the Linux virtual machine to the managed domain
+Now that the required packages are installed on the Linux virtual machine, the next task is to join the virtual machine to the managed domain.
+
+1. Discover the AAD Domain Services managed domain. In your SSH terminal, type the following command:
+
+    ```
+    sudo realm discover CONTOSO100.COM
+    ```
+
+      > [!NOTE] 
+      > **Troubleshooting:**
+      > If *realm discover* is unable to find your managed domain:
+        * Ensure that the domain is reachable from the virtual machine (try ping).
+        * Check that the virtual machine has indeed been deployed to the same virtual network in which the managed domain is available.
+        * Check to see if you have updated the DNS server settings for the virtual network to point to the domain controllers of the managed domain.
+      >
+
+2. Initialize Kerberos. In your SSH terminal, type the following command: 
+
+    > [!TIP] 
+    > * Ensure that you specify a user who belongs to the 'AAD DC Administrators' group. 
+    > * Specify the domain name in capital letters, else kinit fails.
+    >
+
+    ```
+    kinit [email protected]
+    ```
+
+3. Join the machine to the domain. In your SSH terminal, type the following command: 
+
+    > [!TIP] 
+    > Use the same user account you specified in the preceding step ('kinit').
+    >
+
+    ```
+    sudo realm join --verbose CONTOSO100.COM -U '[email protected]' --install=/
+    ```
+
+You should get a message ("Successfully enrolled machine in realm") when the machine is successfully joined to the managed domain.
+
+
+## Update the SSSD configuration and restart the service
+1. In your SSH terminal, type the following command. Open the sssd.conf file and make the following change
+    ```
+    sudo vi /etc/sssd/sssd.conf
+    ```
+
+2. Comment out the line **use_fully_qualified_names = True** and save the file.
+    ```
+    # use_fully_qualified_names = True
+    ```
+
+3. Restart the SSSD service.
+    ```
+    sudo service sssd restart
+    ```
+
+
+## Configure automatic home directory creation
+To enable automatic creation of the home directory after logging in users, type the following commands in your PuTTY terminal:
+```
+sudo vi /etc/pam.d/common-session
+```
+    
+Add the following line in this file below the line 'session optional pam_sss.so' and save it:
+```
+session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
+```
+
+
+## Verify domain join
+Verify whether the machine has been successfully joined to the managed domain. Connect to the domain joined Ubuntu VM using a different SSH connection. Use a domain user account and then check to see if the user account is resolved correctly.
+
+1. In your SSH terminal, type the following command to connect to the domain joined Ubuntu virtual machine using SSH. Use a domain account that belongs to the managed domain (for example, '[email protected]' in this case.)
+    ```
+    ssh -l [email protected] contoso-ubuntu.contoso100.com
+    ```
+
+2. In your SSH terminal, type the following command to see if the home directory was initialized correctly.
+    ```
+    pwd
+    ```
+
+3. In your SSH terminal, type the following command to see if the group memberships are being resolved correctly.
+    ```
+    id
+    ```
+
+
+## Grant the 'AAD DC Administrators' group sudo privileges
+You can grant members of the 'AAD DC Administrators' group administrative privileges on the Ubuntu VM. The sudo file is located at /etc/sudoers. The members of AD groups added in sudoers can perform sudo.
+
+1. In your SSH terminal, ensure you are logged in with superuser privileges. You can use the local administrator account you specified while creating the VM. Execute the following command:
+    ```
+    sudo vi /etc/sudoers
+    ```
+
+2. Add the following entry to the /etc/sudoers file and save it:
+    ```
+    # Add 'AAD DC Administrators' group members as admins.
+    %AAD\ DC\ Administrators ALL=(ALL) NOPASSWD:ALL
+    ```
+
+3. You can now log in as a member of the 'AAD DC Administrators' group and should have administrative privileges on the VM.
+
+
+## Troubleshooting domain join
+Refer to the [Troubleshooting domain join](active-directory-ds-admin-guide-join-windows-vm-portal.md#troubleshooting-domain-join) article.
+
+
+## Related Content
+* [Azure AD Domain Services - Getting Started guide](active-directory-ds-getting-started.md)
+* [Join a Windows Server virtual machine to an Azure AD Domain Services managed domain](active-directory-ds-admin-guide-join-windows-vm.md)
+* [How to log on to a virtual machine running Linux](../virtual-machines/linux/mac-create-ssh-keys.md?toc=%2fazure%2fvirtual-machines%2flinux%2ftoc.json).

articles/active-directory/active-directory-accessmanagement-groups-with-advanced-rules.md

@@ -13,7 +13,7 @@ ms.workload: identity
 ms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: article
-ms.date: 09/29/2017
+ms.date: 10/02/2017
 ms.author: curtand
 ms.reviewer: kairaz.contractor
 ms.custom: oldportal
@@ -271,26 +271,26 @@ You can create a group containing all direct reports of a manager. When the mana
 ## Using attributes to create rules for device objects
 You can also create a rule that selects device objects for membership in a group. The following device attributes can be used:
 
-| Properties              | Allowed values                  | Usage                                                       |
-|-------------------------|---------------------------------|-------------------------------------------------------------|
-| accountEnabled          | true false                      | (device.accountEnabled -eq true)                            |
-| displayName             | any string value                | (device.displayName -eq "Rob Iphone”)                       |
-| deviceOSType            | any string value                | (device.deviceOSType -eq "iPad") -or (device.deviceOSType -eq "iPhone")   |
-| deviceOSVersion         | any string value                | (device.OSVersion -eq "9.1")                                |
-| deviceCategory          | a valid device category name    | (device.deviceCategory -eq "BYOD")                          |
-| deviceManufacturer      | any string value                | (device.deviceManufacturer -eq "Microsoft")                 |
-| deviceModel             | any string value                | (device.deviceModel -eq "IPhone 7+")                        |
-| deviceOwnership         | Personal, Company               | (device.deviceOwnership -eq "Company")                      |
-| domainName              | any string value                | (device.domainName -eq "contoso.com")                       |
-| enrollmentProfileName   | any string value                | (device.enrollmentProfileName -eq "")                       |
-| isRooted                | true false                      | (device.deviceOSType -eq true)                              |
-| managementType          | any string value                | (device.managementType -eq "")                              |
-| organizationalUnit      | any string value                | (device.organizationalUnit -eq "")                          |
-| deviceId                | a valid deviceId                | (device.deviceId -eq "d4fe7726-5966-431c-b3b8-cddc8fdb717d") |
-| objectId                | a valid AAD objectId            | (device.objectId -eq "76ad43c9-32c5-45e8-a272-7b58b58f596d") |
+| Properties              | Allowed values                     | Usage                                                       |
+|-------------------------|------------------------------------|-------------------------------------------------------------|
+| accountEnabled          | true false                         | (device.accountEnabled -eq true)                            |
+| displayName             | any string value                   | (device.displayName -eq "Rob Iphone”)                       |
+| deviceOSType            | any string value                   | (device.deviceOSType -eq "Android")                         |
+| deviceOSVersion         | any string value                   | (device.OSVersion -eq "9.1")                                |
+| deviceCategory          | a valid device category name       | (device.deviceCategory -eq "BYOD")                          |
+| deviceManufacturer      | any string value                   | (device.deviceManufacturer -eq "Samsung")                   |
+| deviceModel             | any string value                   | (device.deviceModel -eq "iPad Air”)                         |
+| deviceOwnership         | Personal, Company                  | (device.deviceOwnership -eq "Company")                      |
+| domainName              | any string value                   | (device.domainName -eq "contoso.com")                       |
+| enrollmentProfileName   | Apple Device Enrollment Profile name    | (device.enrollmentProfileName -eq "DEP iPhones")       |
+| isRooted                | true false                         | (device.isRooted -eq true)                              |
+| managementType          | “MDM” for mobile devices, “PC” for computers managed through the Intune PC agent    | (device.managementType -eq "MDM")                  |
+| organizationalUnit      | any string value matching the name of the OU set by on-premises Active Directory | (device.organizationalUnit -eq "US PCs")      |
+| deviceId                | a valid Intune deviceId                | (device.deviceId -eq "d4fe7726-5966-431c-b3b8-cddc8fdb717d") |
+| objectId                | a valid Azure AD objectId            | (device.objectId -eq "76ad43c9-32c5-45e8-a272-7b58b58f596d") |
 
 > [!NOTE]
-> These device rules cannot be created using the "simple rule" dropdown in the Azure classic portal.
+> Device rules cannot be created using the "simple rule" dropdown in the Azure classic portal.
 >
 >
 

articles/active-directory/connect/active-directory-aadconnect-existing-tenant.md

@@ -48,7 +48,7 @@ If you matched your objects with a soft-match, then the **sourceAnchor** is adde
 For a new installation of Connect, there is no practical difference between a soft- and a hard-match. The difference is in a disaster recovery situation. If you have lost your server with Azure AD Connect, you can reinstall a new instance without losing any data. An object with a sourceAnchor is sent to Connect during initial install. The match can then be evaluated by the client (Azure AD Connect), which is a lot faster than doing the same in Azure AD. A hard match is evaluated both by Connect and by Azure AD. A soft match is only evaluated by Azure AD.
 
 ### Other objects than users
-Users usually have both userPrincipalName and proxyAddresses, making the match easy. But other objects, such as security groups, do not have those. In this case, you can only match on a hard match using the sourceAnchor. The sourceAnchor is always the Base64 converted **objectGUID** on-premises, so you must update the value in Azure AD when you need two objects to match. The sourceAnchor/immutableID can only be updated with PowerShell and not through the portals.
+For mail-enabled groups and contacts, you can soft-match based on proxyAddresses. Hard-match is not applicable since you can only update the sourceAnchor/immutableID (using PowerShell) on Users only. For groups that aren't mail-enabled, there is currently no support for soft-match or hard-match.
 
 ## Create a new on-premises Active Directory from data in Azure AD
 Some customers start with a cloud-only solution with Azure AD and they do not have an on-premises AD. Later they want to consume on-premises resources and want to build an on-premises AD based on Azure AD data. Azure AD Connect cannot help you for this scenario. It does not create users on-premises and it does not have any ability to set the password on-premises to the same as in Azure AD.