
Commit f5ef363

Task 29294035
1 parent 4427706 commit f5ef363

1 file changed

+13
-15
lines changed

articles/azure-netapp-files/understand-guidelines-active-directory-domain-service-site.md

Lines changed: 13 additions & 15 deletions
@@ -29,7 +29,7 @@ Azure NetApp Files supports identity-based authentication over SMB through the f
2929

3030
### <a name="network-requirements"></a>Network requirements
3131

32-
For predictable Active Directory Domain Services operations with Azure NetApp Files volumes, reliable and low-latency network connectivity (equal to or less than 10 ms RTT) to AD DS domain controllers is highly recommended. Poor network connectivity or high network latency between Azure NetApp Files and AD DS domain controllers can cause client access interruptions or client timeouts.
32+
For predictable Active Directory Domain Services operations with Azure NetApp Files volumes, reliable and low-latency network connectivity (equal to or less than 10 milliseconds [ms] roundtrip time [RTT]) to AD DS domain controllers is highly recommended. Poor network connectivity or high network latency between Azure NetApp Files and AD DS domain controllers can cause client access interruptions or client timeouts.
3333

3434
>[!NOTE]
3535
>The 10ms recommendation adheres to guidance in [Creating a Site Design: Deciding which locations will become sites](/windows-server/identity/ad-ds/plan/creating-a-site-design#deciding-which-locations-will-become-sites).
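Review bot: the unit spelling is now inconsistent within this hunk: line 32 expands the threshold to "10 milliseconds [ms] roundtrip time [RTT]", while the note on line 35 two lines below still says "10ms" with no space. Use "10 ms" in the note so the figure matches the form introduced at first use. "Roundtrip" is also normally written "round-trip time" when spelling out RTT; worth aligning with the style guide while the line is being touched.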
@@ -42,7 +42,7 @@ Ensure that you meet the following requirements about network topology and confi
4242
* Network Security Groups (NSGs) and AD DS domain controller firewalls must have appropriately configured rules to support Azure NetApp Files connectivity to AD DS and DNS.
4343
* For optimal experience, ensure the network latency is equal to or less than 10ms RTT between Azure NetApp Files and AD DS domain controllers. Any RTT higher than 10ms can lead to degraded application or user experience in latency-sensitive applications/environments. In case RTT is too high for desirable user experience, consider deploying replica domain controllers in your Azure NetApp Files environment. Also see [Active Directory Domain Services considerations](#active-directory-domain-services-considerations).
4444

45-
For more information on Microsoft Active Directory requirements for network latency over a WAN, see
45+
For more information on Microsoft Active Directory requirements for network latency over a wide-area network, see
4646
[Creating a Site Design](/windows-server/identity/ad-ds/plan/creating-a-site-design).
4747

4848
The required network ports are as follows:
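Review bot: the unchanged context line 43 writes "10ms RTT" twice without a space between number and unit; since this commit is normalising the latency wording, change both to "10 ms RTT" in the same pass so the section reads consistently. The expansion of WAN to "wide-area network" on line 45 is fine, but note that the acronym was only used once in the file, so the parenthetical form "wide-area network (WAN)" isn't needed.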
@@ -55,7 +55,7 @@ The required network ports are as follows:
5555
| NetBIOS Datagram Service | 138 | UDP |
5656
| NetBIOS | 139 | UDP |
5757
| LDAP** | 389 | TCP, UDP |
58-
| SAM/LSA/SMB | 445 | TCP, UDP |
58+
| Security Account Manager (SAM)/Local Security Authority (LSA)/SMB | 445 | TCP, UDP |
5959
| Kerberos (kpasswd) | 464 | TCP, UDP |
6060
| Active Directory Global Catalog | 3268 | TCP |
6161
| Active Directory Secure Global Catalog | 3269 | TCP |
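Review bot: the expansion on line 58 is applied unevenly: SAM and LSA are spelled out inside the table cell but SMB in the same cell is not, and the cell now becomes by far the longest entry in the Service column. Either expand all three, or keep the cell as `SAM/LSA/SMB` and spell the acronyms out in the prose that introduces the table (the `LDAP**` entry already uses a footnote for extra detail, so that convention exists). Since this is the port list that NSG and firewall rules are built from, keeping the service names short and scannable matters more than acronym expansion here.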
@@ -134,9 +134,9 @@ Azure NetApp Files uses the **AD Site Name** configured in the [Active Directory
134134

135135
#### AD DS domain controller discovery
136136

137-
Azure NetApp Files initiates domain controller discovery every four hours. Azure NetApp Files queries the site-specific DNS service (SRV) resource record to determine which domain controllers are in the AD DS site specified in the **AD Site Name** field of the Azure NetApp Files AD connection. Azure NetApp Files domain controller server discovery checks the status of the services hosted on the domain controllers (such as Kerberos, LDAP, Net Logon, and LSA) and selects the optimal domain controller for authentication requests.
137+
Azure NetApp Files initiates domain controller discovery every four hours. Azure NetApp Files queries the site-specific DNS service resource (SRV) record to determine which domain controllers are in the AD DS site specified in the **AD Site Name** field of the Azure NetApp Files AD connection. Azure NetApp Files domain controller server discovery checks the status of the services hosted on the domain controllers (such as Kerberos, LDAP, Net Logon, and LSA) and selects the optimal domain controller for authentication requests.
138138

139-
The DNS service (SRV) resource records for the AD DS site specified in the AD Site name field of the Azure NetApp Files AD connection must contain the list of IP addresses for the AD DS domain controllers that will be used by Azure NetApp Files. You can check the validity of the DNS (SRV) resource record by using the `nslookup` utility.
139+
The DNS SRV records for the AD DS site specified in the AD Site name field of the Azure NetApp Files AD connection must contain the list of IP addresses for the AD DS domain controllers that will be used by Azure NetApp Files. You can check the validity of the DNS SRV record by using the `nslookup` utility.
140140

141141
> [!NOTE]
142142
> If you make changes to the domain controllers in the AD DS site that is used by Azure NetApp Files, wait at least four hours between deploying new AD DS domain controllers and retiring existing AD DS domain controllers. This wait time enables Azure NetApp Files to discover the new AD DS domain controllers.
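Review bot: the rewording on line 137, "DNS service resource (SRV) record", places the acronym after the wrong word; SRV abbreviates "service" (the service locator record type), so the original "DNS service (SRV) resource record" was the accurate form. Line 139 in the same hunk now uses "DNS SRV records", so the two paragraphs end up with different terms for the same thing; pick one ("DNS SRV record" is the shorter and clearer) and use it in both. Since both lines tell the reader to validate the record with `nslookup` but never show the query, consider adding the site-specific record name the reader must look up, for example `nslookup -type=SRV _ldap._tcp.<AD Site Name>._sites.dc._msdcs.<domain name>`, with the placeholders matching the AD connection fields.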
@@ -145,7 +145,7 @@ Ensure that stale DNS records associated with the retired AD DS domain controlle
145145

146146
#### <a name="ad-ds-ldap-discover"></a> AD DS LDAP server discovery
147147

148-
A separate discovery process for AD DS LDAP servers occurs when LDAP is enabled for an Azure NetApp Files NFS volume. When the LDAP client is created on Azure NetApp Files, Azure NetApp Files queries the AD DS domain service (SRV) resource record for a list of all AD DS LDAP servers in the domain and not the AD DS LDAP servers assigned to the AD DS site specified in the AD connection.
148+
A separate discovery process for AD DS LDAP servers occurs when LDAP is enabled for an Azure NetApp Files NFS volume. When the LDAP client is created on Azure NetApp Files, Azure NetApp Files queries the AD DS SRV record for a list of all AD DS LDAP servers in the domain and not the AD DS LDAP servers assigned to the AD DS site specified in the AD connection.
149149

150150
In large or complex AD DS topologies, you might need to implement [DNS Policies](/windows-server/networking/dns/deploy/dns-policies-overview) or [DNS subnet prioritization](/previous-versions/windows/it-pro/windows-2000-server/cc961422(v=technet.10)?redirectedfrom=MSDN) to ensure that the AD DS LDAP servers assigned to the AD DS site specified in the AD connection are returned.
151151

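Review bot: the edit on line 148 drops the word "domain" from "AD DS domain service (SRV) resource record", but that word carried the point of the sentence: the LDAP client queries the domain-wide SRV record, which is why it receives all LDAP servers in the domain rather than only the site-assigned ones. Suggest "queries the domain-wide DNS SRV record (not the site-specific record) for a list of all AD DS LDAP servers in the domain" so the contrast with the site-scoped discovery in the previous section stays explicit; the DNS policy guidance on line 150 only makes sense once that distinction is clear.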
@@ -165,7 +165,7 @@ Azure NetApp Files uses the AD DS Site to discover the domain controllers and su
165165

166166
If Azure NetApp Files is not able to reach any domain controllers assigned to the AD DS site, the domain controller discovery process will query the AD DS domain for a list of all domain controllers. The list of domain controllers returned from this query is an unordered list. As a result, Azure NetApp Files may try to use domain controllers that are not reachable or well-connected, which can cause volume creation failures, problems with client queries, authentication failures, and failures to modify Azure NetApp Files AD connections.
167167

168-
You must update the AD DS Site configuration whenever new domain controllers are deployed into a subnet assigned to the AD DS site that is used by the Azure NetApp Files AD Connection. Ensure that the DNS SRV records for the site reflect any changes to the domain controllers assigned to the AD DS Site used by Azure NetApp Files. You can check the validity of the DNS (SRV) resource record by using the `nslookup` utility.
168+
You must update the AD DS Site configuration whenever new domain controllers are deployed into a subnet assigned to the AD DS site that is used by the Azure NetApp Files AD Connection. Ensure that the DNS SRV records for the site reflect any changes to the domain controllers assigned to the AD DS Site used by Azure NetApp Files. You can check the validity of the DNS SRV resource record by using the `nslookup` utility.
169169

170170
> [!NOTE]
171171
> Azure NetApp Files doesn't support the use of AD DS Read-only Domain Controllers (RODC). To prevent Azure NetApp Files from using an RODC, do not configure the **AD Site Name** field of the AD connections with an RODC. Writeable domain controllers are supported and are required for authentication with Azure NetApp Files volumes. For more information, see [Active Directory Replication Concepts](/windows-server/identity/ad-ds/get-started/replication/active-directory-replication-concepts).
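Review bot: line 168 now contains two forms of the same term in adjacent sentences, "DNS SRV records" and "DNS SRV resource record"; use one form (matching whichever is chosen for lines 137 and 139) so the file does not alternate between them. The operational point of the line, that stale or missing SRV entries for the site lead to the unordered domain-wide fallback described on line 166, is unchanged, which is good.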
@@ -175,7 +175,7 @@ You must update the AD DS Site configuration whenever new domain controllers are
175175
An AD DS site topology is a logical representation of the network where Azure NetApp Files is deployed. In this section, the sample configuration scenario for AD DS site topology intends to show a _basic_ AD DS site design for Azure NetApp Files. It is not the only way to design network or AD site topology for Azure NetApp Files.
176176

177177
> [!IMPORTANT]
178-
> For scenarios that involve complex AD DS or complex network topologies, you should have a Microsoft Azure CSA review the Azure NetApp Files networking and AD Site design.
178+
> For scenarios that involve complex AD DS or complex network topologies, you should have a Microsoft Azure cloud solutions architect CSA review the Azure NetApp Files networking and AD Site design.
179179
180180
The following diagram shows a sample network topology:
181181
sample-network-topology.png
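Review bot: line 178 spells out the acronym but leaves it dangling: "cloud solutions architect CSA" should be "cloud solutions architect (CSA)". Since CSA does not appear again in the file, the parenthetical can also simply be dropped and the sentence left as "a Microsoft Azure cloud solutions architect review".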
@@ -187,19 +187,17 @@ The Azure virtual network has four subnets: Gateway Subnet, Azure Bastion Subnet
187187

188188
Azure NetApp Files can only use one AD DS site to determine which domain controllers will be used for authentication, LDAP queries, and Kerberos. In the sample scenario, two subnet objects are created and assigned to a site called `ANF` using the Active Directory Sites and Services utility. One subnet object is mapped to the AD DS subnet, 10.0.0.0/24, and the other subnet object is mapped to the ANF delegated subnet, 10.0.2.0/24.
189189

190-
In the Active Directory Sites and Services tool, verify that the AD DS domain controllers deployed into the AD DS subnet are assigned to the `ANF` site:
190+
In the Active Directory Sites and Services tool, verify that the AD DS domain controllers deployed into the AD DS subnet are assigned to the `ANF` site.
191191

192-
:::image type="content" source="./media/understand-guidelines-active-directory-domain-service-site/active-directory-servers.png" alt-text="Screenshot of the Active Directory Sites and Services window with a red box drawing attention to the ANF > Servers directory." lightbox="./media/understand-guidelines-active-directory-domain-service-site/active-directory-servers.png":::
192+
:::image type="content" source="./media/understand-guidelines-active-directory-domain-service-site/active-directory-servers.png" alt-text="Screenshot of the Active Directory Sites and Services window with a red box drawing attention to the newly created site." lightbox="./media/understand-guidelines-active-directory-domain-service-site/active-directory-servers.png":::
193193

194-
To create the subnet object that maps to the AD DS subnet in the Azure virtual network, right-click the **Subnets** container in the **Active Directory Sites and Services** utility and select **New Subnet...**.
195-
196-
In the **New Object - Subnet** dialog, the 10.0.0.0/24 IP address range for the AD DS Subnet is entered in the **Prefix** field. Select `ANF` as the site object for the subnet. Select **OK** to create the subnet object and assign it to the `ANF` site.
194+
If they aren't assigned, create the subnet object that maps to the AD DS subnet in the Azure virtual network. Right-click the **Subnets** container in the **Active Directory Sites and Services** utility and select **New Subnet...**. In the **New Object - Subnet** dialog, the 10.0.0.0/24 IP address range for the AD DS Subnet is entered in the **Prefix** field. Select `ANF` as the site object for the subnet. Select **OK** to create the subnet object and assign it to the `ANF` site.
197195

198-
:::image type="content" source="./media/understand-guidelines-active-directory-domain-service-site/new-object-subnet-menu.png" alt-text="Screenshot of the New Object – Subnet menu." lightbox="./media/understand-guidelines-active-directory-domain-service-site/new-object-subnet-menu.png":::
196+
:::image type="content" source="./media/understand-guidelines-active-directory-domain-service-site/new-object-subnet-menu.png" alt-text="Screenshot of the New Object – Subnet window." lightbox="./media/understand-guidelines-active-directory-domain-service-site/new-object-subnet-menu.png":::
199197

200198
To verify that the new subnet object is assigned to the correct site, right-click the 10.0.0.0/24 subnet object and select **Properties**. The **Site** field should show the `ANF` site object:
201199

202-
:::image type="content" source="./media/understand-guidelines-active-directory-domain-service-site/properties-menu.png" alt-text="Screenshot of the properties menu with a red box surrounding the site field that reads 'ANF'." lightbox="./media/understand-guidelines-active-directory-domain-service-site/properties-menu.png":::
200+
:::image type="content" source="./media/understand-guidelines-active-directory-domain-service-site/properties-menu.png" alt-text="Screenshot of the subnet properties window with a red box surrounding the site field that reads 'ANF' with its associated network prefix." lightbox="./media/understand-guidelines-active-directory-domain-service-site/properties-menu.png":::
203201

204202
To create the subnet object that maps to the Azure NetApp Files delegated subnet in the Azure virtual network, right-click the **Subnets** container in the **Active Directory Sites and Services** utility and select **New Subnet...**.
205203

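Review bot: the new sentence on line 194, "If they aren't assigned, create the subnet object...", has an ambiguous antecedent because a screenshot now sits between it and the domain controllers it refers to; suggest "If the domain controllers aren't listed under the `ANF` site, create the subnet object...". The merged paragraph also mixes passive and imperative voice ("the 10.0.0.0/24 IP address range ... is entered in the **Prefix** field. Select `ANF`..."); rewrite the first part as an instruction, "enter the AD DS subnet range, 10.0.0.0/24, in the **Prefix** field", to match the surrounding steps. The alt-text changes on lines 192, 196 and 200 are fine, though dropping "ANF > Servers" from line 192 loses the hint about which tree node the red box highlights.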