Fixed last minute doc issues discovered in testing

haraldfianbakken · haraldfianbakken · commit 77bd8e88db72 · 2025-08-07T16:47:15.000-07:00
diff --git a/azure-local/manage/disconnected-operations-deploy.md b/azure-local/manage/disconnected-operations-deploy.md
@@ -239,6 +239,8 @@ To prepare the first machine for the disconnected operations appliance, follow t
 
     ```powershell  
     Import-Module "$applianceConfigBasePath\OperationsModule\Azure.Local.DisconnectedOperations.psd1" -Force
+    Import-Module "$applianceConfigBasePath\OperationsModule\ExternalIdentityConfigurationModule.psm1" -Force
+
     $mgmntCertFolderPath = "$certspath\ManagementEndpointCerts"  
     $ingressCertFolderPath = "$certspath\IngressEndpointsCerts"  
     ```
@@ -289,8 +291,9 @@ Populate the required parameters based on your deployment planning. Modify the e
 1. Populate the identity configuration object.
 
     ```powershell  
-    $oidcCertChain = Get-CertificateChainFromEndpoint -endpoint 'https://adfs.azurestack.local'
-    $ldapsCertChain = Get-CertificateChainFromEndpoint -endpoint 'https://dc01.azurestack.local'
+    $oidcCertChain = Get-CertificateChainFromEndpoint -requestUri 'https://adfs.azurestack.local/adfs'
+    # Omit ldapsCertChain in this preview release
+#    $ldapsCertChain = Get-CertificateChainFromEndpoint -requestUri 'https://dc01.azurestack.local'
     $ldapPassword = 'RETRACTED'|ConvertTo-SecureString -AsPlainText -Force
 
     $identityParams = @{  
@@ -300,7 +303,6 @@ Populate the required parameters based on your deployment planning. Modify the e
         LdapServer = "adfs.azurestack.local"  
         LdapCredential = New-Object PSCredential -ArgumentList @("ldap", $ldapPassword)  
         SyncGroupIdentifier = "7d67fcd5-c2f4-4948-916c-b77ea7c2712f"  
-        LdapsCertChainInfo=$ldapsCertChainInfo  
         OidcCertChainInfo=$oidcCertChainInfo
     }  
     $identityConfiguration = New-ApplianceExternalIdentityConfiguration @identityParams  
@@ -350,7 +352,7 @@ $installAzureLocalParams = @{
     IdentityConfiguration = $identityConfiguration  
     CertificatesConfiguration = $CertificatesConfiguration  
     TimeoutSec = 7200  
-    DisableCheckSum = $false  
+    DisableCheckSum = $true  
     AutoScaleVMToHostHW = $false  
 }  
 
@@ -361,10 +363,12 @@ Install-Appliance @installAzureLocalParams -disconnectMachineDeploy -Verbose
 
 > [!NOTE]
 > Install the appliance on the first machine (seed node) to ensure Azure Local deploys correctly. The setup takes a few hours and must finish successfully before you move on. Once it’s complete, you have a local control plane running in your datacenter.
-
-If the installation fails because of incorrect network, identity, or observability settings, update the configuration object and run the `Install-appliance` command again.
-
-You can also specify the -clean switch to start installation from scratch. This switch resets any existing installation state and starts from the beginning
+>
+> If the installation fails because of incorrect network, identity, or observability settings, update the configuration object and run the `Install-appliance` command again.
+>
+> You can also specify the -clean switch to start installation from scratch. This switch resets any existing installation state and starts from the beginning
+>
+> DisableChecksum = $true will skip validating the signature of the Appliance. Use this when deploying an air-gapped environment in this release. If checksum validation is enabled - the node needs to be able to reach and validate the Microsoft cert signing certificates used for signing this build.  
 
 1. Modify the configuration object.
 
@@ -656,7 +660,9 @@ To use the management endpoint for troubleshooting and reconfiguration, you need
 From a client with network access to the management endpoint, import the **OperationsModule** and set the context (modify the script to match your configuration):
 
 ```powershell  
-Import-Module "C:\azurelocal\OperationsModule\Azure.Local.DisconnectedOperations.psd1" -Force  
+Import-Module "$applianceConfigBasePath\OperationsModule\Azure.Local.DisconnectedOperations.psd1" -Force
+Import-Module "$applianceConfigBasePath\OperationsModule\ExternalIdentityConfigurationModule.psm1" -Force
+
 $password = ConvertTo-SecureString 'RETRACTED' -AsPlainText -Force  
 $context = Set-DisconnectedOperationsClientContext -ManagementEndpointClientCertificatePath "${env:localappdata}\AzureLocalOpModuleDev\certs\ManagementEndpoint\ManagementEndpointClientAuth.pfx" -ManagementEndpointClientCertificatePassword $password -ManagementEndpointIpAddress "169.254.53.25"  
 ```  
diff --git a/azure-local/manage/disconnected-operations-known-issues.md b/azure-local/manage/disconnected-operations-known-issues.md
@@ -20,6 +20,11 @@ These release notes update continuously, and we add critical issues that need a
 
 ## Known issues in the preview release
 
+### Air-gapped deployment when local DNS forwards and resolves external domain requests
+There is a known issue if you try to deploy an air-gapped enviroment - in the rare condition you would have a local DNS server that is able to resolve public (Microsoft.com) endpoints. 
+
+Mitigation: Disable DNS forwarding for microsoft.com and azure.com zones. The appliance should not be able to resolve these DNS endpoint and will fail if it receives an IP address. 
+
 ### Azure Local deployment with Azure Keyvault
 
 Role-Based Access Control (RBAC) permissions on a newly created Azure Key Vault can take up to 20 minutes to propagate. If you create the Azure Key Vault in the local portal and try to finish the cloud deployment, you might run into permission issues when validating the cluster before deployment.
diff --git a/azure-local/manage/disconnected-operations-pki.md b/azure-local/manage/disconnected-operations-pki.md
@@ -314,8 +314,12 @@ You have a helper method in the **OperationsModule** that can help you populate
 Here's an example on how to populate the required parameters:
 
 ```powershell
-$oidcCertChain = Get-CertificateChainFromEndpoint -endpoint 'https://adfs.azurestack.local'
-$ldapsCertChain = Get-CertificateChainFromEndpoint -endpoint 'https://dc01.azurestack.local'
+Import-Module "$applianceConfigBasePath\OperationsModule\Azure.Local.DisconnectedOperations.psd1" -Force
+Import-Module "$applianceConfigBasePath\OperationsModule\ExternalIdentityConfigurationModule.psm1" -Force
+
+$oidcCertChain = Get-CertificateChainFromEndpoint -requestUri 'https://adfs.azurestack.local/adfs'
+# Omit LDAPSCertChain in this preview releases
+# $ldapsCertChain = Get-CertificateChainFromEndpoint -requestUri 'https://dc01.azurestack.local'
 ```
 
 Here's an example of the output from Get-CertificateChainFromEndpoint
