
Commit 68f33cd

[AzureADDS] Edits and revisions
1 parent 5a7c35d commit 68f33cd

1 file changed: 18 additions, 12 deletions


articles/active-directory-domain-services/tutorial-configure-password-hash-sync.md

Lines changed: 18 additions & 12 deletions
@@ -17,7 +17,7 @@ ms.author: iainfou
1717

1818
For hybrid environments, an Azure Active Directory (Azure AD) tenant can be configured to synchronize with an on-premises Active Directory Domain Services (AD DS) environment using Azure AD Connect. By default, Azure AD Connect doesn't synchronize legacy NTLM and Kerberos credential hashes to Azure AD.
1919

20-
To use Azure Active Directory Domain Services (Azure AD DS) with accounts synchronized from an on-premises AD DS environment, you need to configure Azure AD Connect to synchronize the password hashes required for NTLM and Kerberos authentication. You don't need to perform these steps if you use cloud-only accounts and don't have an on-premises AD DS environment.
20+
To use Azure Active Directory Domain Services (Azure AD DS) with accounts synchronized from an on-premises AD DS environment, you need to configure Azure AD Connect to synchronize the password hashes required for NTLM and Kerberos authentication. You don't need to perform these steps if you use cloud-only accounts with no on-premises AD DS environment.
2121

2222
In this tutorial, you learn:
2323

@@ -38,43 +38,49 @@ To complete this tutorial, you need the following resources:
3838
* If needed, [enable Azure AD Connect for password hash synchronization][enable-azure-ad-connect].
3939
* An Azure Active Directory Domain Services managed domain enabled and configured in your Azure AD tenant.
4040
* If needed, [create and configure an Azure Active Directory Domain Services instance][create-azure-ad-ds-instance].
41-
* A user account that's a member of the *Azure AD DC administrators* group in your Azure AD tenant.
4241

4342
## Password hash synchronization using Azure AD Connect
4443

4544
Azure AD Connect is used to synchronize objects like user accounts and groups from an on-premises AD DS environment into an Azure AD tenant. As part of the process, password hash synchronization enables accounts to use the same password in the on-prem AD DS environment and Azure AD.
4645

4746
To authenticate users on the managed domain, Azure AD DS needs password hashes in a format that's suitable for NT LAN Manager (NTLM) and Kerberos authentication. Azure AD doesn't generate or store password hashes in the format that's required for NTLM or Kerberos authentication until you enable Azure AD DS for your tenant. For security reasons, Azure AD also doesn't store any password credentials in clear-text form. Therefore, Azure AD can't automatically generate these NTLM or Kerberos password hashes based on users' existing credentials.
4847

49-
As prerequisite to configuring Azure AD Connect to generate the required NTLM or Kerberos password hashes for Azure AD DS, you need to first [enable Azure AD Connect for password hash synchronization][enable-azure-ad-connect]. Make sure that you [download and install the latest available release of Azure AD Connect][azure-ad-connect-download].
50-
51-
If you have an existing instance of Azure AD Connect, update to the latest version to make sure you can generate the legacy password hashes for NTLM and Kerberos. This functionality isn't available in early releases of Azure AD Connect or with the legacy DirSync tool. Azure AD Connect version *1.1.614.0* or later is required.
48+
Azure AD Connect can be configured to generate the required NTLM or Kerberos password hashes for Azure AD DS. Make sure that you have completed the steps to [enable Azure AD Connect for password hash synchronization][enable-azure-ad-connect]. If you had an existing instance of Azure AD Connect, [download and update to the latest version][azure-ad-connect-download] to make sure you can generate the legacy password hashes for NTLM and Kerberos. This functionality isn't available in early releases of Azure AD Connect or with the legacy DirSync tool. Azure AD Connect version *1.1.614.0* or later is required.
5249

5350
## Enable synchronization of password hashes
5451

55-
With Azure AD Connect installed and configured to synchronize with Azure AD, now configure the legacy password hash sync for NTLM and Kerberos.
52+
With Azure AD Connect installed and configured to synchronize with Azure AD, now configure the legacy password hash sync for NTLM and Kerberos. A PowerShell script is used to configure the required settings and then start a full password synchronization to Azure AD. When that Azure AD Connect password hash synchronization process is complete, users can sign in to applications through Azure AD DS that use legacy NTLM or Kerberos password hashes.
5653

57-
1. On the computer with Azure AD Connect installed, from the Start menu, open the Azure AD Connect > Synchronization Service.
54+
1. On the computer with Azure AD Connect installed, from the Start menu, open the **Azure AD Connect > Synchronization Service**.
5855
1. Select the **Connectors** tab. The connection information used to establish the synchronization between the on-premises AD DS environment and Azure AD are listed.
5956

60-
The **Type** indicates either *Windows Azure Active Directory (Microsoft)* for the Azure AD connector or *Active Directory Domain Services* for the on-premises connector. Make a note of the connector names to use in PowerShell script in the next step.
61-
62-
In the following example screenshot, the Azure AD connector is named *contoso.onmicrosoft.com - AAD* and the on-premises connector is named *onprem.contoso.com*
57+
The **Type** indicates either *Windows Azure Active Directory (Microsoft)* for the Azure AD connector or *Active Directory Domain Services* for the on-premises AD DS connector. Make a note of the connector names to use in the PowerShell script in the next step.
6358

6459
![List the connector names in Sync Service Manager](media/tutorial-configure-password-hash-sync/service-sync-manager.png)
6560

66-
1. Copy and paste the following PowerShell script to the computer with Azure AD Connect installed. Update the `$azureadConnector` and `$adConnector` variables with the connector names from the previous step. Run this script on each AD forest to synchronize on-premises account NTLM and Kerberos password hashes to Azure AD. The script also initiates a full synchronization of Azure AD Connect to Azure AD:
61+
In this example screenshot, the following connectors are used:
62+
63+
* The Azure AD connector is named *contoso.onmicrosoft.com - AAD*
64+
* The on-premises AD DS connector is named *onprem.contoso.com*
65+
66+
1. Copy and paste the following PowerShell script to the computer with Azure AD Connect installed. Update the `$azureadConnector` and `$adConnector` variables with the connector names from the previous step.
67+
68+
Run this script on each AD forest to synchronize on-premises account NTLM and Kerberos password hashes to Azure AD. The script also initiates a full synchronization of Azure AD Connect to Azure AD:
6769

6870
```powershell
71+
# Define the Azure AD Connect connector names and import the required PowerShell module
6972
$azureadConnector = "<CASE SENSITIVE AZURE AD CONNECTOR NAME>"
7073
$adConnector = "<CASE SENSITIVE AD DS CONNECTOR NAME>"
71-
Import-Module adsync
74+
Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1"
75+
7276
$c = Get-ADSyncConnector -Name $adConnector
7377
$p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter "Microsoft.Synchronize.ForceFullPasswordSync", String, ConnectorGlobal, $null, $null, $null
7478
$p.Value = 1
7579
$c.GlobalParameters.Remove($p.Name)
7680
$c.GlobalParameters.Add($p)
7781
$c = Add-ADSyncConnector -Connector $c
82+
83+
# Disable and re-enable Azure AD Connect to force a full password synchronization
7884
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $azureadConnector -Enable $false
7985
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $azureadConnector -Enable $true
8086
```
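Review bot: The replacement import at 74+ (`Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1"`) drops `Import-Module adsync`, yet every cmdlet the script then calls (`Get-ADSyncConnector`, `Add-ADSyncConnector`, `Set-ADSyncAADPasswordSyncConfiguration`) carries the ADSync prefix of the module the removed line loaded, not AdSyncConfig.psm1, so the script now either depends on PowerShell module auto-loading on the server or fails with those cmdlets not recognized; keep `Import-Module ADSync`, and only add the AdSyncConfig import beside it if a cmdlet from that file is actually used (the hard-coded path also assumes the default install directory, which the text should state). Two smaller points: the prerequisite bullet deleted at 41- leaves the list with no statement of which account is required to run these steps on the Azure AD Connect server, so it is better replaced with the correct requirement than dropped, and the new comment at 83+ says "Disable and re-enable Azure AD Connect" while the two `Set-ADSyncAADPasswordSyncConfiguration` calls below it only toggle password hash synchronization for the given source and target connectors.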
