MicrosoftDocs
diff --git a/‎articles/active-directory/cloud-sync/how-to-install.md
Lines changed: 18 additions & 60 deletions b/‎articles/active-directory/cloud-sync/how-to-install.md
Lines changed: 18 additions & 60 deletions
diff --git a/‎articles/active-directory/cloud-sync/tutorial-existing-forest.md
Lines changed: 28 additions & 57 deletions b/‎articles/active-directory/cloud-sync/tutorial-existing-forest.md
Lines changed: 28 additions & 57 deletions
@@ -7,13 +7,14 @@ manager: amycolannino
 ms.service: active-directory
 ms.workload: identity
 ms.topic: how-to
-ms.date: 03/01/2022
+ms.date: 11/11/2022
 ms.subservice: hybrid
 ms.author: billmath
 ms.collection: M365-identity-device-management
 ---
 
 # Install the Azure AD Connect provisioning agent
+
 This article walks you through the installation process for the Azure Active Directory (Azure AD) Connect provisioning agent and how to initially configure it in the Azure portal.
 
 >[!IMPORTANT]
@@ -35,58 +36,11 @@ To upgrade an existing agent to use the group Managed Service Account created du
 
 ## Install the agent
 
-To install the agent:
-
- 1. Sign in to the server you'll use with enterprise admin permissions.
- 2. Sign in to the Azure portal, and then go to **Azure Active Directory**.
- 3. On the menu on the left, select **Azure AD Connect**.
- 4. Select **Manage cloud sync**.
-     [![Screenshot that shows manage cloud sync](media/how-to-install/new-install-1.png)](media/how-to-install/new-install-1.png#lightbox)</br>
- 5. At the top, click **Download agent**.
-    [![Screenshot that the download agent](media/how-to-install/new-install-2.png)](media/how-to-install/new-install-2.png#lightbox)</br>
- 7. On the right, click **Accept terms and download**.
-   [![Screenshot that accept and download](media/how-to-install/new-install-3.png)](media/how-to-install/new-install-3.png#lightbox)</br>
- 9. Once the agent has completed downloading, click **Open file**.  This will start the installation.
-    [![Screenshot that shows open file](media/how-to-install/new-install-4.png)](media/how-to-install/new-install-4.png#lightbox)</br>
- 10. On the **Microsoft Azure AD Connect Provisioning Agent Package** screen, accept the licensing terms, and select **Install**.
-  [![Screenshot that shows install](media/how-to-install/new-install-5.png)](media/how-to-install/new-install-5.png#lightbox)</br>
- 11. After this operation finishes, the configuration wizard starts. Click **Next**.
- [![Screenshot that shows wizard](media/how-to-install/new-install-6.png)](media/how-to-install/new-install-6.png#lightbox)</br>
- 13. Sign in with your Azure AD global administrator account.
- 14. On the **Configure Service Account** screen, select either **Create gMSA**, or **Use custom gMSA**. If you allow the agent to create the account, it will be named **provAgentgMSA$**. If you specify **Use custom gMSA**, you're prompted to provide this account.
- [![Screenshot that shows create service account](media/how-to-install/new-install-7.png)](media/how-to-install/new-install-7.png#lightbox)</br>
- 15. Enter the domain administrator credentials to create the group Managed Service account that will be used to run the agent service. Select **Next**.
-  ![Screenshot that shows the Create gMSA option.](media/how-to-install/install-12.png)</br>
- 16. On the **Connect Active Directory** screen, click **Next**.  Your current domain has been added automatically.  If you wish to add additional domains, enter them and select **Add Directory**. Then sign in with an administrator account from that domain.
- [![Screenshot that shows connecting to AD](media/how-to-install/new-install-8.png)](media/how-to-install/new-install-8.png#lightbox)</br>
- 17. Optionally, you can manage the preference of domain controllers the agent will use.  To do this, click **Add Directory** and select the **Select domain controller priority** checkbox and then order the list of domain controllers. Select **OK**.  Click **Next**.
-    [![Screenshot that shows adding domain controller priority](media/how-to-install/new-install-10.png)](media/how-to-install/new-install-10.png#lightbox)</br>
- 18. On the **Agent installation** screen, confirm settings and the account that will be created and select **Confirm**.
-  [![Screenshot that shows install confirmation](media/how-to-install/new-install-11.png)](media/how-to-install/new-install-11.png#lightbox)</br>
- 20. After this operation finishes, you should see **Your agent installation is complete.** Select **Exit**.
- 21. If you still see the initial **Microsoft Azure AD Connect Provisioning Agent Package** screen, select **Close**.
+[!INCLUDE [active-directory-cloud-sync-how-to-install](../../../includes/active-directory-cloud-sync-how-to-install.md)]
 
 ## Verify agent installation
-Agent verification occurs in the Azure portal and on the local server that's running the agent.
-
-### Azure portal agent verification
-To verify the agent is being seen by Azure:
-
- 1. Sign in to the Azure portal.
- 2. On the left, select **Azure Active Directory** > **Azure AD Connect**. In the center, select **Manage cloud sync**.
-    ![Screenshot that shows the Azure portal.](media/how-to-install/install-6.png)</br>
- 3. On the **Azure AD Connect cloud sync** screen, select **Review all agents**.
-    ![Screenshot that shows the Review all agents option.](media/how-to-install/install-7.png)</br>
- 4.  On the **On-premises provisioning agents** screen, you see the agents you installed. Verify that the agent in question is there and is marked *active*.
-    ![Screenshot that shows On-premises provisioning agents screen.](media/how-to-install/verify-1.png)</br>
 
-### On the local server
-To verify that the agent is running:
-
-1. Sign in to the server with an administrator account.
-2. Open **Services** by going to it or by selecting **Start** > **Run** > **Services.msc**.
-3. Under **Services**, make sure **Microsoft Azure AD Connect Agent Updater** and **Microsoft Azure AD Connect Provisioning Agent** are present.  Also, ensure the status is *Running*.
- ![Screenshot that shows the Services screen.](media/how-to-install/troubleshoot-1.png)
+[!INCLUDE [active-directory-cloud-sync-how-to-verify-installation](../../../includes/active-directory-cloud-sync-how-to-verify-installation.md)]
 
 >[!IMPORTANT]
 >The agent has been installed, but it must be configured and enabled before it will start synchronizing users. To configure a new agent, see [Create a new configuration for Azure AD Connect cloud sync](how-to-configure.md).
@@ -103,15 +57,19 @@ To use password writeback and enable the self-service password reset (SSPR) serv
 For more information on using password writeback with Azure AD Connect cloud sync, see [Tutorial: Enable cloud sync self-service password reset writeback to an on-premises environment (preview)](../../active-directory/authentication/tutorial-enable-cloud-sync-sspr-writeback.md).
 
 ## Installing against US govt cloud
-By default, the Azure Active Directory (Azure AD) Connect provisioning agent installs against the default Azure cloud environment.  If you are installing the agent for use in the US government cloud do the following:
 
-- In step #7 above, instead of click **Open file**, go to start run and navigate to the **AADConnectProvisioningAgentSetup.exe** file.  In the run box, after the executable, enter **ENVIRONMENTNAME=AzureUSGovernment** and click **Ok**.
- [![Screenshot showing US govt cloud install](media/how-to-install/new-install-12.png)](media/how-to-install/new-install-12.png#lightbox)</br>
+By default, the Azure Active Directory (Azure AD) Connect provisioning agent installs against the default Azure cloud environment.  If you're installing the agent for use in the US government, follow these steps:
+
+- In step #7 above, instead of select **Open file**, go to start run and navigate to the **AADConnectProvisioningAgentSetup.exe** file.  In the run box, after the executable, enter **ENVIRONMENTNAME=AzureUSGovernment** and select **Ok**.
+
+    [![Screenshot showing US govt cloud install](media/how-to-install/new-install-12.png)](media/how-to-install/new-install-12.png#lightbox)
 
 ## Password hash synchronization and FIPS with cloud sync
+
 If your server has been locked down according to Federal Information Processing Standard (FIPS), then MD5 is disabled.
 
-**To enable MD5 for password hash synchronization, perform the following steps:**
+
+To enable MD5 for password hash synchronization, perform the following steps:
 
 1. Go to %programfiles%\Microsoft Azure AD Connect Provisioning Agent.
 2. Open AADConnectProvisioningAgent.exe.config.
@@ -121,12 +79,12 @@ If your server has been locked down according to Federal Information Processing
 
 For reference, this snippet is what it should look like:
 
-```
-    <configuration>
-        <runtime>
-            <enforceFIPSPolicy enabled="false"/>
-        </runtime>
-    </configuration>
+```xml
+<configuration>
+   <runtime>
+      <enforceFIPSPolicy enabled="false"/>
+   </runtime>
+</configuration>
 ```
 
 For information about security and FIPS, see [Azure AD password hash sync, encryption, and FIPS compliance](https://blogs.technet.microsoft.com/enterprisemobility/2014/06/28/aad-password-sync-encryption-and-fips-compliance/).
 
@@ -17,11 +17,11 @@ ms.collection: M365-identity-device-management
 
 This tutorial walks you through adding cloud sync to an existing hybrid identity environment. 
 
-![Create](media/tutorial-existing-forest/existing-forest-new-forest-2.png)
+![Diagram that shows the Azure AD Connect cloud sync flow.](media/tutorial-existing-forest/existing-forest-new-forest-2.png)
 
 You can use the environment you create in this tutorial for testing or for getting more familiar with how a hybrid identity works. 
 
-In this scenario, there is an existing forest synced using Azure AD Connect sync to an Azure AD tenant. And you have a new forest that you want to sync to the same Azure AD tenant. You will setup cloud sync for the new forest. 
+In this scenario, there's an existing forest synced using Azure AD Connect sync to an Azure AD tenant. And you have a new forest that you want to sync to the same Azure AD tenant. You'll set up cloud sync for the new forest. 
 
 ## Prerequisites
 ### In the Azure Active Directory admin center
@@ -31,9 +31,9 @@ In this scenario, there is an existing forest synced using Azure AD Connect sync
 
 ### In your on-premises environment
 
-1. Identify a domain-joined host server running Windows Server 2012 R2 or greater with minimum of 4 GB RAM and .NET 4.7.1+ runtime 
+1. Identify a domain-joined host server running Windows Server 2012 R2 or greater with minimum of 4-GB RAM and .NET 4.7.1+ runtime 
 
-2. If there is a firewall between your servers and Azure AD, configure the following items:
+2. If there's a firewall between your servers and Azure AD, configure the following items:
    - Ensure that agents can make *outbound* requests to Azure AD over the following ports:
 
      | Port number | How it's used |
@@ -45,86 +45,57 @@ In this scenario, there is an existing forest synced using Azure AD Connect sync
      If your firewall enforces rules according to the originating users, open these ports for traffic from Windows services that run as a network service.
    - If your firewall or proxy allows you to specify safe suffixes, then add  connections to **\*.msappproxy.net** and **\*.servicebus.windows.net**. If not, allow access to the [Azure datacenter IP ranges](https://www.microsoft.com/download/details.aspx?id=41653), which are updated weekly.
    - Your agents need access to **login.windows.net** and **login.microsoftonline.com** for initial registration. Open your firewall for those URLs as well.
-   - For certificate validation, unblock the following URLs: **mscrl.microsoft.com:80**, **crl.microsoft.com:80**, **ocsp.msocsp.com:80**, and **www\.microsoft.com:80**. Since these URLs are used for certificate validation with other Microsoft products you may already have these URLs unblocked.
+   - For certificate validation, unblock the following URLs: **mscrl.microsoft.com:80**, **crl.microsoft.com:80**, **ocsp.msocsp.com:80**, and **www\.microsoft.com:80**. Since these URLs are used for certificate validation with other Microsoft products, you may already have these URLs unblocked.
 
 ## Install the Azure AD Connect provisioning agent
-1. Sign in to the domain joined server.  If you are using the  [Basic AD and Azure environment](tutorial-basic-ad-azure.md) tutorial, it would be DC1.
-2. Sign in to the Azure portal using cloud-only global admin credentials.
-3. On the left, select **Azure Active Directory**, click **Azure AD Connect** and in the center select **Manage cloud sync**.</br>
-![Azure portal](media/how-to-install/install-6.png)</br>
-4. Click on "Download agent"
-5. Run the Azure AD Connect provisioning agent
-6. On the splash screen, **Accept** the licensing terms and click **Install**.</br>
-![Screenshot that shows the "Microsoft Azure AD Connect Provisioning Agent Package" splash screen.](media/how-to-install/install-1.png)</br>
 
-7. Once this operation completes, the configuration wizard will launch.  Sign in with your Azure AD global administrator account.  Note that if you have IE enhanced security enabled this will block the sign-in.  If this is the case, close the installation, disable IE enhanced security in Server Manager, and click the **AAD Connect Provisioning Agent Wizard** to restart the installation.
-8. On the **Connect Active Directory** screen, click **Add directory** and then sign in with your Active Directory domain administrator account. The domain administrator account should not have password change requirements. In case the password expires or changes, you will need to re-configure the agent with the new credentials. This operation will add your on-premises directory.  Click **Next**.</br>
-![Screenshot that shows the "Connect Active Directory" screen.](media/how-to-install/install-3a.png)</br>
+If you're using the  [Basic AD and Azure environment](tutorial-basic-ad-azure.md) tutorial, it would be DC1. To install the agent, follow these steps: 
 
-9. On the **Configuration complete** screen, click **Confirm**.  This operation will register and restart the agent.</br>
-![Screenshot that shows the "Configuration complete" screen.](media/how-to-install/install-4a.png)</br>
+[!INCLUDE [active-directory-cloud-sync-how-to-install](../../../includes/active-directory-cloud-sync-how-to-install.md)]
 
-   > [!NOTE]
-   > The group managed service account (for example, CONTOSO\provAgentgMSA$) is created in the same Active Directory domain where the host server has joined.
 
-10. Once this operation completes you should see a notice: **Your agent configuration was successfully verified.**  You can click **Exit**.</br>
-![Welcome screen](media/how-to-install/install-5.png)</br>
-11. If you still see the initial splash screen, click **Close**.
+## Verify agent installation
 
+[!INCLUDE [active-directory-cloud-sync-how-to-verify-installation](../../../includes/active-directory-cloud-sync-how-to-verify-installation.md)]
 
-## Verify agent installation
-Agent verification occurs in the Azure portal and on the local server that is running the agent.
+## Configure Azure AD Connect cloud sync
+ Use the following steps to configure provisioning
 
-### Azure portal agent verification
-To verify the agent is being seen by Azure follow these steps:
+1.  Sign in to the Azure AD portal.
+2.  Select **Azure Active Directory**
+3.  Select **Azure AD Connect**
+4.  Select **Manage cloud sync**
 
-1. Sign in to the Azure portal.
-2. On the left, select **Azure Active Directory**, click **Azure AD Connect** and in the center select **Manage cloud sync**.</br>
-![Azure portal](media/how-to-install/install-6.png)</br>
+    ![Screenshot showing "Manage cloud sync" link.](media/how-to-configure/manage-1.png)
 
-3.  On the **Azure AD Connect cloud sync** screen click **Review all agents**.
-![Azure AD Provisioning](media/how-to-install/install-7.png)</br>
- 
-4. On the **On-premises provisioning agents screen** you will see the agents you have installed.  Verify that the agent in question is there and is marked **active**.
-![Provisioning agents](media/how-to-install/verify-1.png)</br>
+5.  Select **New Configuration**
 
-### On the local server
-To verify that the agent is running follow these steps:
+    ![Screenshot of Azure AD Connect cloud sync screen with "New configuration" link highlighted.](media/tutorial-single-forest/configure-1.png)
 
-1.  Log on to the server with an administrator account
-2.  Open **Services** by either navigating to it or by going to Start/Run/Services.msc.
-3.  Under **Services**, make sure **Microsoft Azure AD Connect Agent Updater** and **Microsoft Azure AD Connect Provisioning Agent** are present and the status is **Running**.
-![Services](media/how-to-install/troubleshoot-1.png)
+7.  On the configuration screen, enter a **Notification email**, move the selector to **Enable** and select **Save**.
 
-## Configure Azure AD Connect cloud sync
- Use the following steps to configure provisioning
+    ![Screenshot of Configure screen with Notification email filled in and Enable selected.](media/how-to-configure/configure-2.png)
 
-1.  Sign in to the Azure AD portal.
-2.  Click **Azure Active Directory**
-3.  Click **Azure AD Connect**
-4.  Select **Manage cloud sync**
-![Screenshot showing "Manage cloud sync" link.](media/how-to-configure/manage-1.png)
-5.  Click **New Configuration**
-![Screenshot of Azure AD Connect cloud sync screen with "New configuration" link highlighted.](media/tutorial-single-forest/configure-1.png)
-7.  On the configuration screen, enter a **Notification email**, move the selector to **Enable** and click **Save**.
-![Screenshot of Configure screen with Notification email filled in and Enable selected.](media/how-to-configure/configure-2.png)
 1.  The configuration status should now be **Healthy**.
-![Screenshot of Azure AD Connect cloud sync screen showing Healthy status.](media/how-to-configure/manage-4.png)
+
+    ![Screenshot of Azure AD Connect cloud sync screen showing Healthy status.](media/how-to-configure/manage-4.png)
 
 ## Verify users are created and synchronization is occurring
-You will now verify that the users that you had in our on-premises directory have been synchronized and now exist in our Azure AD tenant.  Be aware that this may take a few hours to complete.  To verify users are synchronized do the following.
+
+You'll now verify that the users that you had in our on-premises directory have been synchronized and now exist in our Azure AD tenant.  This process may take a few hours to complete.  To verify users are synchronized, do the following:
 
 
 1. Browse to the [Azure portal](https://portal.azure.com) and sign in with an account that has an Azure subscription.
 2. On the left, select **Azure Active Directory**
 3. Under **Manage**, select **Users**.
-4. Verify that you see the new users in our tenant</br>
+4. Verify that you see the new users in our tenant
 
 ## Test signing in with one of our users
 
 1. Browse to [https://myapps.microsoft.com](https://myapps.microsoft.com)
-2. Sign in with a user account that was created in our new tenant.  You will need to sign in using the following format: ([email protected]). Use the same password that the user uses to sign in on-premises.</br>
-   ![Verify](media/tutorial-single-forest/verify-1.png)</br>
+2. Sign in with a user account that was created in our new tenant.  You'll need to sign in using the following format: ([email protected]). Use the same password that the user uses to sign in on-premises.
+
+   ![Screenshot that shows the my apps portal with a signed in users.](media/tutorial-single-forest/verify-1.png)
 
 You have now successfully set up a hybrid identity environment that you can use to test and familiarize yourself with what Azure has to offer.