Sync release-ash-2501 with main

sethmanheim · web-flow · commit 8bc18d5cfdcb · 2025-02-05T11:45:16.000-08:00
diff --git a/adaptive-cloud/breadcrumb/adaptive-cloud/toc.yml b/adaptive-cloud/breadcrumb/adaptive-cloud/toc.yml
diff --git a/adaptive-cloud/breadcrumb/toc.yml b/adaptive-cloud/breadcrumb/toc.yml
@@ -1,11 +1,7 @@
-- name: Docs
-  tocHref: /
-  topicHref: /
+- name: Adaptive Cloud documentation
+  tocHref: /azure/adaptive-cloud/
+  topicHref: /azure/adaptive-cloud/index
   items:
-  - name: Hybrid and multicloud
-    tocHref: /hybrid/
-    topicHref: /hybrid/
-    items:
-    - name: App solutions
-      tocHref: /hybrid/app-solutions/
-      topicHref: /hybrid/app-solutions/index
+  - name: Azure hybrid and multicloud patterns and solutions documentation
+    tocHref: /azure/adaptive-cloud/app-solutions/
+    topicHref: /azure/adaptive-cloud/app-solutions/index
diff --git a/adaptive-cloud/docfx.json b/adaptive-cloud/docfx.json
@@ -41,7 +41,7 @@
     "externalReference": [],
     "globalMetadata": {
       "uhfHeaderId": "Azure",
-      "breadcrumb_path": "~/breadcrumb/adaptive-cloud/toc.yml",
+      "breadcrumb_path": "/azure/adaptive-cloud/breadcrumb/toc.json",
       "feedback_system": "Standard",
       "manager":"femila",
       "ms.service": "azure-stack",
diff --git a/azure-local/deploy/deployment-prep-active-directory.md b/azure-local/deploy/deployment-prep-active-directory.md
@@ -3,7 +3,7 @@ title: Prepare Active Directory for Azure Local, version 23H2 deployment
 description: Learn how to prepare Active Directory before you deploy Azure Local, version 23H2.
 author: alkohli
 ms.topic: how-to
-ms.date: 11/25/2024
+ms.date: 02/05/2025
 ms.author: alkohli
 ms.reviewer: alkohli
 ms.service: azure-local
@@ -24,17 +24,15 @@ Active Directory requirements for Azure Local include:
 
 > [!NOTE]
 > - You can use your existing process to meet the above requirements. The script used in this article is optional and is provided to simplify the preparation.
-> - When group policy inheritance is blocked at the OU level, enforced GPO's aren't blocked. Ensure that any applicable GPO, which are enforced, are also blocked using other methods, for example, using [WMI Filters](https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/fun-with-wmi-filters-in-group-policy/ba-p/395648).
+> - When group policy inheritance is blocked at the OU level, GPOs with enforced option enabled aren't blocked. If applicable, ensure that these GPOs are blocked using other methods, for example using a [Windows Management Instrumentation (WMI) Filter](https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/fun-with-wmi-filters-in-group-policy/ba-p/395648). Apply the WMI filter to any enforced GPOs, to exclude machine computer accounts for your Azure Local instances from applying the GPOs. Once the filter is applied, enforced GPOs won't apply, based on the logic defined in the WMI filter.
 
 To manually assign the required permissions for Active Directory, create an OU, and block GPO inheritance, see
 [Custom Active Directory configuration for your Azure Local, version 23H2](../plan/configure-custom-settings-active-directory.md).
 
 ## Prerequisites
 
-Before you begin, make sure you've done the following:
-
-- Satisfy the [prerequisites](./deployment-prerequisites.md) for new deployments of Azure Local.
-- [Download and install the version 2402 module from the PowerShell Gallery](https://www.powershellgallery.com/packages/AsHciADArtifactsPreCreationTool/10.2402). Run the following command from the folder where the module is located:
+- Complete the [prerequisites](./deployment-prerequisites.md) for new deployments of Azure Local.
+- Install version 2402 of the ['AsHciADArtifactsPreCreationTool'](https://www.powershellgallery.com/packages/AsHciADArtifactsPreCreationTool/10.2402) module. Run the following command to install the module from PowerShell Gallery:
 
     ```powershell
     Install-Module AsHciADArtifactsPreCreationTool -Repository PSGallery -Force
@@ -43,7 +41,7 @@ Before you begin, make sure you've done the following:
     > [!NOTE]
     > Make sure to uninstall any previous versions of the module before installing the new version.
 
-- You have obtained permissions to create an OU. If you don't have permissions, contact your Active Directory administrator.
+- You require permissions to create an OU. If you don't have permissions, contact your Active Directory administrator.
 
 - If you have a firewall between your Azure Local system and Active Directory, ensure that the proper firewall rules are configured. For specific guidance, see [Firewall requirements for Active Directory Web Services and Active Directory Gateway Management Service](../concepts/firewall-requirements.md). See also [How to configure a firewall for Active Directory domains and trusts](/troubleshoot/windows-server/active-directory/config-firewall-for-ad-domains-and-trusts#windows-server-2008-and-later-versions).
 
@@ -53,13 +51,12 @@ The `New-HciAdObjectsPreCreation` cmdlet of the AsHciADArtifactsPreCreationTool
 
 |Parameter|Description|
 |--|--|
-|`-AzureStackLCMUserCredential`|A new user object that is created with the appropriate permissions for deployment. This account is the same as the user account used by the Azure Stack HCI deployment.<br> Make sure that only the username is provided. The name should not include the domain name, for example, `contoso\username`.<br>The password must conform to the length and complexity requirements. Use a password that is at least 12 characters long. The password must also contain three out of the four requirements: a lowercase character, an uppercase character, a numeral, and  a special character.<br>For more information, see [password complexity requirements](/azure/active-directory-b2c/password-complexity?pivots=b2c-user-flow).<br> The name cannot be exactly the same as the local admin user. <br> The name can use *admin* as the username.|
-|`-AsHciOUName`|A new Organizational Unit (OU) to store all the objects for the Azure Stack HCI deployment. Existing group policies and inheritance are blocked in this OU to ensure there's no conflict of settings. The OU must be specified as the distinguished name (DN). For more information, see the format of [Distinguished Names](/previous-versions/windows/desktop/ldap/distinguished-names).|
-
+|`-AzureStackLCMUserCredential`|A new user object that is created with the appropriate permissions for deployment. This account is the same as the user account used by the Azure Local deployment.<br> Make sure that only the username is provided. The name shouldn't include the domain name, for example, `contoso\username`.<br>The password must conform to the length and complexity requirements. Use a password that is at least 12 characters long. The password must also contain three out of the four requirements: a lowercase character, an uppercase character, a numeral, and  a special character.<br>For more information, see [password complexity requirements](/azure/active-directory-b2c/password-complexity?pivots=b2c-user-flow).<br> The name can't be exactly the same as the local admin user. <br> The name can use *admin* as the username.|
+|`-AsHciOUName`|A new Organizational Unit (OU) to store all the objects for the Azure Local deployment. Existing group policies and inheritance are blocked in this OU to ensure there's no conflict of settings. The OU must be specified as the distinguished name (DN). For more information, see the format of [Distinguished Names](/previous-versions/windows/desktop/ldap/distinguished-names).|
 
 > [!NOTE]
 > - The `-AsHciOUName` path doesn't support the following special characters anywhere within the path: `&,",',<,>`.
-> - Moving the computer objects to a different OU after the deployment is complete is also not supported.
+> - After the deployment is complete, moving the computer objects to a different OU isn't supported.
 
 ## Prepare Active Directory
 
@@ -75,30 +72,43 @@ To create a dedicated OU, follow these steps:
     New-HciAdObjectsPreCreation -AzureStackLCMUserCredential (Get-Credential) -AsHciOUName "<OU name or distinguished name including the domain components>"
 
 1. When prompted, provide the username and password for the deployment.
-    
-    1. Make sure that only the username is provided. The name should not include the domain name, for example, `contoso\username`. **Username must be between 1 to 64 characters and only contain letters, numbers, hyphens, and underscores and may not start with a hyphen or number.**
-    1. Make sure that the password meets complexity and length requirements. **Use a password that is at least 12 characters long and contains: a lowercase character, an uppercase character, a numeral, and  a special character.** 
 
+    1. Make sure that only the username is provided. The name shouldn't include the domain name, for example, `contoso\username`. **Username must be between 1 to 64 characters and only contain letters, numbers, hyphens, and underscores and may not start with a hyphen or number.**
+    1. Make sure that the password meets complexity and length requirements. **Use a password that is at least 12 characters long and contains: a lowercase character, an uppercase character, a numeral, and  a special character.**
 
-    Here is a sample output from a successful completion of the script:
+    Here's a sample output from a successful completion of the script:
 
-    ```
+    ```powershell
     PS C:\work> $password = ConvertTo-SecureString '<password>' -AsPlainText -Force
     PS C:\work> $user = "ms309deployuser"
     PS C:\work> $credential = New-Object System.Management.Automation.PSCredential ($user, $password)
     PS C:\work> New-HciAdObjectsPreCreation -AzureStackLCMUserCredential $credential -AsHciOUName "OU=ms309,DC=PLab8,DC=nttest,DC=microsoft,DC=com"    
     PS C:\work>
     ```
 
-1. Verify that the OU is created.  If using a Windows Server client, go to **Server Manager > Tools > Active Directory Users and Computers**.
+1. Verify that the OU is created. If using a Windows Server client, go to **Server Manager > Tools > Active Directory Users and Computers**.
 
-1. An OU with the specified name should be created and within that OU, you'll see the deployment user.
+1. An OU with the specified name is created. This OU contains the new LCM deployment user account.
 
     :::image type="content" source="media/deployment-prep-active-directory/active-directory-11.png" alt-text="Screenshot of Active Directory Computers and Users window." lightbox="media/deployment-prep-active-directory/active-directory-11.png":::
 
-
 > [!NOTE]
-> If you are repairing a single machine, do not delete the existing OU. If the machine volumes are encrypted, deleting the OU removes the BitLocker recovery keys.
+> If you're repairing a single machine, don't delete the existing OU. If the machine volumes are encrypted, deleting the OU removes the BitLocker recovery keys.
+
+## Considerations for large scale deployments
+
+The Lifecycle Manager (LCM) user account is utilized during Azure Local instance deployments that use Active Directory (AD), or for any add-node/repair operations for existing instances. The LCM user account is responsible for performing domain join actions, which necessitates the LCM user identity having delegated permissions to add computer accounts to the target Organizational Unit (OU) in the on-premises domain. During the deployment of Azure Local, the LCM user account is added to the local administrators' group of the physical machines.
+
+To mitigate the risk of a compromised LCM user account credential, we advise that for each Azure Local instance, you have a dedicated LCM user account with a unique password.
+
+We recommend that you follow these best practices for OU creation:
+
+- For each Azure Local instance, create an individual OU within Active Directory. This approach helps manage computer account, CNO, LCM user account, and physical machine computer accounts within the scope of a single OU for each instance.
+- When deploying multiple instances at-scale, for easier management:
+  - Create an OU under a single parent OU for each instance.
+  - Disable GPO inheritance at the parent OU level.
+
+The preceding recommendations are automated, when you use the `New-HciAdObjectsPreCreation` cmdlet to [Prepare Active Directory](#active-directory-preparation-module).
 
 ## Next steps
 
diff --git a/azure-local/manage/gpu-manage-via-partitioning.md b/azure-local/manage/gpu-manage-via-partitioning.md
@@ -5,16 +5,14 @@ author: alkohli
 ms.author: alkohli
 ms.topic: how-to
 ms.service: azure-local
-ms.date: 10/21/2024
+ms.date: 02/04/2024
 ---
 
 # Manage GPUs using partitioning (preview)
 
 [!INCLUDE [hci-applies-to-23h2](../includes/hci-applies-to-23h2.md)]
 
-This article describes how to manage GPU-P with Arc virtual machines (VMs) for Azure Local. For using GPU-P management on AKS enabled by Azure Arc, see [Use GPUs for compute-intensive workloads](/azure/aks/hybrid/deploy-gpu-node-pool#create-a-new-workload-cluster-with-a-gpu-enabled-node-pool).
-
-GPU Partitioning (GPU-P) allows you to share a graphical processing unit (GPU) with multiple workloads by splitting the GPU into dedicated fractional partitions.
+This article describes how to manage GPU-P with Arc virtual machines (VMs) for Azure Local. GPU Partitioning (GPU-P) allows you to share a graphical processing unit (GPU) with multiple workloads by splitting the GPU into dedicated fractional partitions.
 
 > [!IMPORTANT]
 > This feature is currently in PREVIEW. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
@@ -103,4 +101,4 @@ For more information on the GPU attach command, see [az stack-hci-vm gpu](/cli/a
 
 ## Next steps
 
-- [Manage GPUs using Discrete Device Assignment](./gpu-manage-via-device.md)
+- [Manage GPUs using Discrete Device Assignment](./gpu-manage-via-device.md)
