Commit ed843b7

[AzureADDS] Edits and revisions
1 parent 90946a0 commit ed843b7

1 file changed

+22
-22
lines changed

articles/active-directory-domain-services/troubleshoot.md

Lines changed: 22 additions & 22 deletions
@@ -1,6 +1,6 @@
11
---
22
title: Azure Active Directory Domain Services troubleshooting | Microsoft Docs'
3-
description: Learn how to troubleshooting common errors when you create or manage Azure Active Directory Domain Services
3+
description: Learn how to troubleshoot common errors when you create or manage Azure Active Directory Domain Services
44
services: active-directory-ds
55
author: iainfoulds
66
manager: daveba
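Review bot: the front-matter `title` on line 2 (unchanged context in this hunk) ends with a stray single quote after `Microsoft Docs`, so the rendered page title carries a literal apostrophe; since this commit already touches the front matter to fix "troubleshooting" to "troubleshoot" in the description, drop the trailing `'` here as well: `title: Azure Active Directory Domain Services troubleshooting | Microsoft Docs`.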
@@ -33,38 +33,38 @@ If you have problems enabling Azure AD DS, review the following common errors an
3333

3434
### Domain Name conflict
3535

36-
**Error message:**
36+
**Error message**
3737

3838
*The name contoso.com is already in use on this network. Specify a name that is not in use.*
3939

40-
**Resolution:**
40+
**Resolution**
4141

42-
Check that you don't have an existing AD DS environment with the same domain name on the virtual network. For example, you may have an AD DS domain that runs on Azure VMs named *contoso.com*. When you try to enable an Azure AD DS managed domain with the same domain name of *contoso.com* on the virtual network, the requested operation fails.
42+
Check that you don't have an existing AD DS environment with the same domain name on the virtual network. For example, you may have an AD DS domain named *contoso.com* that runs on Azure VMs. When you try to enable an Azure AD DS managed domain with the same domain name of *contoso.com* on the virtual network, the requested operation fails.
4343

44-
This failure is due to name conflicts for the domain name on the virtual network. A DNS lookup checks if an existing AD DS environment responds on the requested domain name. To resolve this failure, use a different name to set up your Azure AD DS managed domain, or de-provision the existing AD DS domain and then enable Azure AD DS.
44+
This failure is due to name conflicts for the domain name on the virtual network. A DNS lookup checks if an existing AD DS environment responds on the requested domain name. To resolve this failure, use a different name to set up your Azure AD DS managed domain, or de-provision the existing AD DS domain and then try again to enable Azure AD DS.
4545

4646
### Inadequate permissions
4747

48-
**Error message:**
48+
**Error message**
4949

5050
*Domain Services could not be enabled in this Azure AD tenant. The service does not have adequate permissions to the application called 'Azure AD Domain Services Sync'. Delete the application called 'Azure AD Domain Services Sync' and then try to enable Domain Services for your Azure AD tenant.*
5151

52-
**Resolution:**
52+
**Resolution**
5353

5454
Check if there's an application named *Azure AD Domain Services Sync* in your Azure AD directory. If this application exists, delete it and then try again to enable Azure AD DS. To check for an existing application and delete it if needed, complete the following steps:
5555

5656
1. In the Azure portal, select **Azure Active Directory** from the left-hand navigation menu.
57-
1. Select **Enterprise applications**. Choose *All applications* from the **Application Type* drop-down menu, then select **Apply**.
57+
1. Select **Enterprise applications**. Choose *All applications* from the **Application Type** drop-down menu, then select **Apply**.
5858
1. In the search box, enter *Azure AD Domain Services Sync*. If the application exists, select it and choose **Delete**.
5959
1. Once you've deleted the application, try to enable Azure AD DS again.
6060

6161
### Invalid configuration
6262

63-
**Error message:**
63+
**Error message**
6464

6565
*Domain Services could not be enabled in this Azure AD tenant. The Domain Services application in your Azure AD tenant does not have the required permissions to enable Domain Services. Delete the application with the application identifier d87dcbc6-a371-462e-88e3-28ad15ec4e64 and then try to enable Domain Services for your Azure AD tenant.*
6666

67-
**Resolution:**
67+
**Resolution**
6868

6969
Check if you have an existing application named *AzureActiveDirectoryDomainControllerServices* with an application identifier of *d87dcbc6-a371-462e-88e3-28ad15ec4e64* in your Azure AD directory. If this application exists, delete it and then try again to enable Azure AD DS.
7070

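Review bot: dropping the colon from `**Error message:**` and `**Resolution:**` (lines 36, 40, 48, 52, 63, 67) is fine as a style change, but it has to be applied to every section of the file, not only the ones this hunk covers, or the labels end up mixed across sections. The `**Application Type*` to `**Application Type**` fix on line 57 is correct; the unbalanced `*` broke the bold markup and leaked an asterisk into the rendered step. One consistency point while this section is open: the "Invalid configuration" resolution on line 69 names the application *AzureActiveDirectoryDomainControllerServices* and its identifier but, unlike the "Inadequate permissions" section above it, gives no portal steps to locate and delete it; either add the same numbered steps or point the reader explicitly at the PowerShell check that the next hunk header (`if ($sp -ne $null)`) shows is already in this section.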
@@ -104,18 +104,18 @@ if ($sp -ne $null)
104104

105105
### Microsoft Graph disabled
106106

107-
**Error message:**
107+
**Error message**
108108

109-
Domain Services could not be enabled in this Azure AD tenant. The Microsoft Azure AD application is disabled in your Azure AD tenant. Enable the application with the application identifier 00000002-0000-0000-c000-000000000000 and then try to enable Domain Services for your Azure AD tenant.
109+
*Domain Services could not be enabled in this Azure AD tenant. The Microsoft Azure AD application is disabled in your Azure AD tenant. Enable the application with the application identifier 00000002-0000-0000-c000-000000000000 and then try to enable Domain Services for your Azure AD tenant.*
110110

111-
**Resolution:**
111+
**Resolution**
112112

113-
Check you've disabled an application with the identifier *00000002-0000-0000-c000-000000000000*. This application is the Microsoft Azure AD application and provides Graph API access to your Azure AD tenant. To synchronize your Azure AD tenant, this application must be enabled.
113+
Check if you've disabled an application with the identifier *00000002-0000-0000-c000-000000000000*. This application is the Microsoft Azure AD application and provides Graph API access to your Azure AD tenant. To synchronize your Azure AD tenant, this application must be enabled.
114114

115115
To check the status of this application and enable it if needed, complete the following steps:
116116

117117
1. In the Azure portal, select **Azure Active Directory** from the left-hand navigation menu.
118-
1. Select **Enterprise applications**. Choose *All applications* from the **Application Type* drop-down menu, then select **Apply**.
118+
1. Select **Enterprise applications**. Choose *All applications* from the **Application Type** drop-down menu, then select **Apply**.
119119
1. In the search box, enter *00000002-0000-0000-c000-00000000000*. Select the application, then choose **Properties**.
120120
1. If **Enabled for users to sign-in** is set to *No*, set the value to *Yes*, then select **Save**.
121121
1. Once you've enabled the application, try to enable Azure AD DS again.
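Review bot: the search string in step 3 (line 119, unchanged context) is `00000002-0000-0000-c000-00000000000`, whose last group has only 11 digits, while the error text on line 109 and the resolution on line 113 give the identifier as `00000002-0000-0000-c000-000000000000` (12 digits). A reader who pastes the step-3 value into the portal search box gets no match, so correct it to the 12-digit form in this commit while the section is being edited.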
@@ -124,12 +124,12 @@ To check the status of this application and enable it if needed, complete the fo
124124

125125
If one or more users in your Azure AD tenant can't sign in to the Azure AD DS managed domain, complete the following troubleshooting steps:
126126

127-
* **Credentials format** - Try using the UPN format to specify credentials, such as `[email protected]`. The UPN format is the recommended way to specify credentials in Azure AD DS. Make sure that this UPN is configured correctly in Azure AD.
127+
* **Credentials format** - Try using the UPN format to specify credentials, such as `[email protected]`. The UPN format is the recommended way to specify credentials in Azure AD DS. Make sure this UPN is configured correctly in Azure AD.
128128

129129
The *SAMAccountName* for your account, such as *CONTOSO\driley* may be autogenerated if there are multiple users with the same UPN prefix in your tenant or if your UPN prefix is overly long. Therefore, the *SAMAccountName* format for your account may be different from what you expect or use in your on-premises domain.
130130

131131
* **Password synchronization** - Make sure that you've enabled password synchronization for [cloud-only users][cloud-only-passwords] or for [hybrid environments using Azure AD Connect][hybrid-phs].
132-
* **Hybrid synchronized accounts:** If the affected user accounts are synchronized from an on-premises directory, verify the following:
132+
* **Hybrid synchronized accounts:** If the affected user accounts are synchronized from an on-premises directory, verify the following areas:
133133

134134
* You've deployed or updated to the [latest recommended release of Azure AD Connect](https://www.microsoft.com/download/details.aspx?id=47594).
135135
* You've configured Azure AD Connect to [perform a full synchronization][hybrid-phs].
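Review bot: the rewording on line 132 to "verify the following areas:" does not read well, because the nested bullets that follow are checks ("You've deployed...", "You've configured..."), not areas; "verify the following:" or "check each of the following:" is cleaner. The same line also puts the colon inside the bold label (`**Hybrid synchronized accounts:**`) where the neighbouring bullets on lines 127 and 131 use the `**Label** -` form; pick one form for the whole list.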
@@ -144,24 +144,24 @@ If one or more users in your Azure AD tenant can't sign in to the Azure AD DS ma
144144
* **Cloud-only accounts**: If the affected user account is a cloud-only user account, make sure that the [user has changed their password after you enabled Azure AD DS][cloud-only-passwords]. This password reset causes the required credential hashes for Azure AD Domain Services to be generated.
145145

146146
* **Verify the user account is active**: By default, five invalid password attempts within 2 minutes on the managed domain cause a user account to be locked out for 30 minutes. The user can't sign in while the account is locked out. After 30 minutes, the user account is automatically unlocked.
147-
* Invalid password attempts on the Azure AD DS managed domain don't lock out the user account in Azure AD. The user account is locked out only within the managed domain. Check the user account status in the Active Directory Administrative Console (ADAC) using the [management VM][management-vm], not in Azure AD.
147+
* Invalid password attempts on the Azure AD DS managed domain don't lock out the user account in Azure AD. The user account is locked out only within the managed domain. Check the user account status in the *Active Directory Administrative Console (ADAC)* using the [management VM][management-vm], not in Azure AD.
148148
* You can also [configure fine grained password policies][password-policy] to change the default lockout threshold and duration.
149149

150150
* **External accounts** - Check that the affected user account isn't an external account in the Azure AD tenant. Examples of external accounts include Microsoft accounts like `[email protected]` or user accounts from an external Azure AD directory. Azure AD DS doesn't store credentials for external user accounts so they can't sign in to the managed domain.
151151

152152
## There are one or more alerts on your managed domain
153153

154-
If there are active alerts on the Azure AD DS managed domain, it may indicate there are issues that prevent the authentication process from working correctly.
154+
If there are active alerts on the Azure AD DS managed domain, it may prevent the authentication process from working correctly.
155155

156156
To see if there are any active alerts, [check the health status of an Azure AD DS managed domain][check-health]. If any alerts are shown, [troubleshoot and resolve them][troubleshoot-alerts].
157157

158158
## Users removed from your Azure AD tenant are not removed from your managed domain
159159

160-
Azure AD protects you from accidental deletion of user objects. When you delete a user account from your Azure AD tenant, the corresponding user object is moved to the recycle bin. When this delete operation is synchronized to your Azure AD DS managed domain, it causes the corresponding user account to be marked disabled. This feature helps you recover or undelete the user account later.
160+
Azure AD protects against accidental deletion of user objects. When you delete a user account from an Azure AD tenant, the corresponding user object is moved to the recycle bin. When this delete operation is synchronized to your Azure AD DS managed domain, the corresponding user account is marked as disabled. This feature helps you recover, or undelete, the user account.
161161

162-
The user account remains in the disabled state in your Azure AD DS managed domain, even if you re-create a user account with the same UPN in your Azure AD directory. To remove the user account from your Azure AD DS managed domain, you need to forcibly delete it from your Azure AD tenant.
162+
The user account remains in the disabled state in the Azure AD DS managed domain, even if you re-create a user account with the same UPN in the Azure AD directory. To remove the user account from the Azure AD DS managed domain, you need to forcibly delete it from the Azure AD tenant.
163163

164-
To remove the user account fully from your managed domain, delete the user permanently from your Azure AD tenant. Use the [Remove-MsolUser][Remove-MsolUser] PowerShell cmdlet with the `-RemoveFromRecycleBin` parameter.
164+
To fully remove a user account from an Azure AD DS managed domain, delete the user permanently from your Azure AD tenant using the [Remove-MsolUser][Remove-MsolUser] PowerShell cmdlet with the `-RemoveFromRecycleBin` parameter.
165165

166166
## Next steps
167167

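Review bot: the rewrite on line 154 makes the sentence less accurate: alerts do not prevent authentication, the underlying issue that raised them does, and "it may prevent" now has no clear antecedent (alerts is plural). The previous wording, "it may indicate there are issues that prevent the authentication process from working correctly", was right; keep it, or use "active alerts indicate issues that may prevent authentication from working correctly". Two smaller points: line 146 mixes "five" and "2" for the lockout numbers, and since line 164 now tells the reader to delete the user permanently with `-RemoveFromRecycleBin`, a short sentence that this bypasses the recycle-bin protection described on line 160 and cannot be undone would help the reader choose deliberately.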