Merge pull request #96536 from MicrosoftDocs/master

11/19 PM Publish

Author: huypub

.openpublishing.redirection.json

@@ -12374,17 +12374,17 @@
     },
     {
       "source_path": "articles/cosmos-db/logging.md",
-      "redirect_url": "/azure/cosmos-db/monitor-cosmos-db.md",
+      "redirect_url": "/azure/cosmos-db/monitor-cosmos-db",
       "redirect_document_id": false
     },
     {
       "source_path": "articles/cosmos-db/cosmos-db-azure-monitor-metrics.md",
-      "redirect_url": "/azure/cosmos-db/monitor-cosmos-db.md",
+      "redirect_url": "/azure/cosmos-db/monitor-cosmos-db",
       "redirect_document_id": false
     },
     {
       "source_path": "articles/cosmos-db/monitor-accounts.md",
-      "redirect_url": "/azure/cosmos-db/monitor-cosmos-db.md",
+      "redirect_url": "/azure/cosmos-db/monitor-cosmos-db",
       "redirect_document_id": false
     },
     {

articles/active-directory-b2c/active-directory-b2c-ui-customization-custom.md

@@ -202,4 +202,4 @@ In the Modify your sign-up or sign-in custom policy section, you configured the
 
 ## Next steps
 
-For more information about UI elements that can be customized, see [reference guide for UI customization for built-in policies](active-directory-b2c-reference-ui-customization.md).
+For more information about UI elements that can be customized, see [reference guide for UI customization for user flows](active-directory-b2c-reference-ui-customization.md).

articles/active-directory-domain-services/TOC.yml

@@ -23,6 +23,8 @@
       href: tutorial-configure-password-hash-sync.md
     - name: Create an advanced managed domain
       href: tutorial-create-instance-advanced.md
+    - name: Create a forest trust (preview)
+      href: tutorial-create-forest-trust.md
 - name: Samples
   items:
     - name: Create a managed domain using Azure PowerShell
@@ -33,6 +35,12 @@
       href: administration-concepts.md
     - name: Common deployment scenarios
       href: scenarios.md
+    - name: Forests and trusts
+      items:
+        - name: Resource forests
+          href: concepts-resource-forest.md
+        - name: Forest trusts
+          href: concepts-forest-trust.md
     - name: How Azure AD DS synchronization works
       href: synchronization.md
     - name: How password hash synchronization works

articles/active-directory-domain-services/administration-concepts.md

@@ -56,6 +56,18 @@ For users synchronized from an on-premises AD DS environment using Azure AD Conn
 
 Once appropriately configured, the usable password hashes are stored in the Azure AD DS managed domain. If you delete the Azure AD DS managed domain, any password hashes stored at that point are also deleted. Synchronized credential information in Azure AD can't be reused if you later create an Azure AD DS managed domain - you must reconfigure the password hash synchronization to store the password hashes again. Previously domain-joined VMs or users won't be able to immediately authenticate - Azure AD needs to generate and store the password hashes in the new Azure AD DS managed domain. For more information, see [Password hash sync process for Azure AD DS and Azure AD Connect][azure-ad-password-sync].
 
+## Forests and trusts
+
+A *forest* is a logical construct used by Active Directory Domain Services (AD DS) to group one or more *domains*. The domains then store objects for user or groups, and provide authentication services.
+
+In Azure AD DS, the forest only contains one domain. On-premises AD DS forests often contain many domains. In large organizations, especially after mergers and acquisitions, you may end up with multiple on-premises forests that each then contain multiple domains.
+
+By default, an Azure AD DS managed domain is created as a *user* forest. This type of forest synchronizes all objects from Azure AD, including any user accounts created in an on-premises AD DS environment. User accounts can directly authenticate against the Azure AD DS managed domain, such as to sign in to a domain-joined VM. A user forest works when the password hashes can be synchronized and users aren't using exclusive sign-in methods like smart card authentication.
+
+In an Azure AD DS *resource* forest, users authenticate over a one-way forest *trust* from their on-premises AD DS. With this approach, the user objects and password hashes aren't synchronized to Azure AD DS. The user objects and credentials only exist in the on-premises AD DS. This approach lets enterprises host resources and application platforms in Azure that depend on classic authentication such LDAPS, Kerberos, or NTLM, but any authentication issues or concerns are removed. Azure AD DS resource forests are currently in preview.
+
+For more information about forest types in Azure AD DS, see [What are resource forests?][concepts-forest] and [How do forest trusts work in Azure AD DS?][concepts-trust]
+
 ## Next steps
 
 To get started, [create an Azure AD DS managed domain][create-instance].
@@ -66,3 +78,6 @@ To get started, [create an Azure AD DS managed domain][create-instance].
 [secure-domain]: secure-your-domain.md
 [azure-ad-password-sync]: ../active-directory/hybrid/how-to-connect-password-hash-synchronization.md#password-hash-sync-process-for-azure-ad-domain-services
 [create-instance]: tutorial-create-instance.md
+[tutorial-create-instance-advanced]: tutorial-create-instance-advanced.md
+[concepts-forest]: concepts-resource-forest.md
+[concepts-trust]: concepts-forest-trust.md