MicrosoftDocs · v-alje · Mar 1, 2018 · Dec 18, 2017 · Feb 17, 2018 · Feb 20, 2018
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
@@ -1718,6 +1718,11 @@
             "redirect_url": "/azure/automation",
             "redirect_document_id": false
         },
+        {
+            "source_path": "articles/automation/automation-vm-change-tracking.md",
+            "redirect_url": "/azure/automation/automation-change-tracking",
+            "redirect_document_id": false
+        },
         {
             "source_path": "articles/automation/automation-azure-vm-alert-integration.md",
             "redirect_url": "/azure/automation/automation-create-alert-triggered-runbook",
@@ -4818,6 +4823,11 @@
             "redirect_url": "/azure/log-analytics/log-analytics-data-security",
             "redirect_document_id": false
         },
+        {
+            "source_path": "articles/log-analytics/log-analytics-change-tracking.md",
+            "redirect_url": "/azure/automation/automation-change-tracking",
+            "redirect_document_id": false
+        },
         {
             "source_path": "articles/log-analytics/log-analytics-configuration-assessment.md",
             "redirect_url": "/azure/log-analytics/log-analytics-add-solutions",

diff --git a/...s/active-directory-b2c/active-directory-b2c-reference-language-customization.md b/...s/active-directory-b2c/active-directory-b2c-reference-language-customization.md
diff --git a/articles/active-directory-domain-services/TOC.md b/articles/active-directory-domain-services/TOC.md
@@ -22,6 +22,7 @@
 ## [Check a managed domain's health](active-directory-ds-check-health.md)
 ## [Use Azure AD Domain Services in Azure CSP subscriptions](active-directory-ds-csp.md)
 ## [Enable Azure AD Domain Services using PowerShell](active-directory-ds-enable-using-powershell.md)
+## [Check your domain's health](active-directory-ds-check-health.md)
 ## Join a managed domain
 ### [Windows Server VM](active-directory-ds-admin-guide-join-windows-vm-portal.md)
 ### [Windows Server VM from template](active-directory-ds-join-windows-vm-template.md)
@@ -32,7 +33,6 @@
 ## Administer a managed domain
 ### [Administer a managed domain](active-directory-ds-admin-guide-administer-domain.md)
 ### [Administer DNS on a managed domain](active-directory-ds-admin-guide-administer-dns.md)
-
 ### Configure secure LDAP for a managed domain
 #### [Task 1: obtain a certificate for secure LDAP](active-directory-ds-admin-guide-configure-secure-ldap.md)
 #### [Task 2: export the secure LDAP certificate](active-directory-ds-admin-guide-configure-secure-ldap-export-pfx.md)

diff --git a/...les/active-directory-domain-services/active-directory-ds-troubleshoot-alerts.md b/...les/active-directory-domain-services/active-directory-ds-troubleshoot-alerts.md
@@ -13,7 +13,7 @@ ms.workload: identity
 ms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: article
-ms.date: 02/05/2018
+ms.date: 02/28/2018
 ms.author: ergreenl
 
 ---
@@ -31,6 +31,13 @@ Pick the troubleshooting steps that correspond to or alert ID or message you enc
 | AADDS102 | *A Service Principal required for Azure AD Domain Services to function properly has been deleted from your Azure AD directory. This configuration impacts Microsoft's ability to monitor, manage, patch, and synchronize your managed domain.* | [Missing Service Principal](active-directory-ds-troubleshoot-service-principals.md) |
 | AADDS103 | *The IP address range for the virtual network in which you have enabled Azure AD Domain Services is in a public IP range. Azure AD Domain Services must be enabled in a virtual network with a private IP address range. This configuration impacts Microsoft's ability to monitor, manage, patch and synchronize your managed domain.* | [Address is in a public IP range](#aadds103-address-is-in-a-public-ip-range) |
 | AADDS104 | *Microsoft is unable to reach the domain controllers for this managed domain. This may happen if a network security group (NSG) configured on your virtual network blocks access to the managed domain. Another possible reason is if there is a user defined route that blocks incoming traffic from the internet.* | [Network Error](active-directory-ds-troubleshoot-nsg.md) |
+| AADDS500 | *The managed domain was last synchronized with Azure AD on {0}. Users may be unable to sign-in on the managed domain or group memberships may not be in sync with Azure AD.* | [Synchronization hasn't happened in a while](#aadds500-synchronization-has-not-completed-in-a-while) |
+| AADDS501 | *The managed domain was last backed up on XX.* | [A backup hasn't been taken in a while](#aadds501-a-backup-has-not-been-taken-in-a-while) |
+| AADDS502 | *The secure LDAP certificate for the managed domain will expire on XX.* | [Expiring secure LDAP certificate](active-directory-ds-troubleshoot-ldaps.md#aadds502-secure-ldap-certificate-expiring) |
+| AADDS503 | *The managed domain is suspended because the Azure subscription associated with the domain is not active.* | [Suspension due to disabled subscription](#aadds503-suspension-due-to-disabled-subscription) |
+| AADDS504 | *The managed domain is suspended due to an invalid configuration. The service has been unable to manage, patch, or update the domain controllers for your managed domain for a long time.* | [Suspension due to an invalid configuration](#aadds504-suspension-due-to-an-invalid-configuration) |
+
+
 
 ## AADDS100: Missing directory
 **Alert message:**
@@ -72,7 +79,7 @@ To restore your service, follow these steps:
 
 Before you begin, read the **private IP v4 address space** section in [this article](https://en.wikipedia.org/wiki/Private_network#Private_IPv4_address_spaces).
 
-Inside the virtual network, machines may make requests to Azure resources that are in the same IP address range as those configured for the subnet. However, since the virtual network is configured for this range, those requests will be routed within the virtual network and will not reach the intended web resources. This can lead to unpredictable errors with Azure AD Domain Services.
+Inside the virtual network, machines may make requests to Azure resources that are in the same IP address range as those configured for the subnet. However, since the virtual network is configured for this range, those requests will be routed within the virtual network and will not reach the intended web resources. This configuration can lead to unpredictable errors with Azure AD Domain Services.
 
 **If you own the IP address range in the internet that is configured in your virtual network, this alert can be ignored. However, Azure AD Domain Services cannot commit to the [SLA](https://azure.microsoft.com/support/legal/sla/active-directory-ds/v1_0/)] with this configuration since it can lead to unpredictable errors.**
 
@@ -90,6 +97,47 @@ Inside the virtual network, machines may make requests to Azure resources that a
 4. To domain-join your virtual machines to your new domain, follow [this guide](active-directory-ds-admin-guide-join-windows-vm-portal.md).
 8. To ensure the alert is resolved, check your domain's health in two hours.
 
+## AADDS500: Synchronization has not completed in a while
+
+**Alert message:**
+
+*The managed domain was last synchronized with Azure AD on {0}. Users may be unable to sign-in on the managed domain or group memberships may not be in sync with Azure AD.*
+
+**Remediation:**
+
+[Check your domain's health](active-directory-ds-check-health.md) for any alerts that might indicate problems in your configuration of your managed domain. Sometimes, problems with your configuration can block Microsoft's ability to synchronize your managed domain. If you are able to resolve any alerts, wait two hours and check back to see if the synchronization has completed.
+
+
+## AADDS501: A backup has not been taken in a while
+
+**Alert message:**
+
+*The managed domain was last backed up on XX.*
+
+**Remediation:**
+
+[Check your domain's health](active-directory-ds-check-health.md) for any alerts that might indicate problems in your configuration of your managed domain. Sometimes, problems with your configuration can block Microsoft's ability to synchronize your managed domain. If you are able to resolve any alerts, wait two hours and check back to see if the synchronization has completed.
+
+
+## AADDS503: Suspension due to disabled subscription
+
+**Alert message:**
+
+*The managed domain is suspended because the Azure subscription associated with the domain is not active.*
+
+**Remediation:**
+
+To restore your service, [renew your Azure subscription](https://docs.microsoft.com/en-us/azure/billing/billing-subscription-become-disable) associated with your managed domain.
+
+## AADDS504: Suspension due to an invalid configuration
+
+**Alert message:**
+
+*The managed domain is suspended due to an invalid configuration. The service has been unable to manage, patch, or update the domain controllers for your managed domain for a long time.*
+
+**Remediation:**
+
+[Check your domain's health](active-directory-ds-check-health.md) for any alerts that might indicate problems in your configuration of your managed domain. If you can resolve any of these alerts, do so. After, contact support to re-enable your subscription.
 
 ## Contact us
 Contact the Azure Active Directory Domain Services product team to [share feedback or for support](active-directory-ds-contact-us.md).
diff --git a/...cles/active-directory-domain-services/active-directory-ds-troubleshoot-ldaps.md b/...cles/active-directory-domain-services/active-directory-ds-troubleshoot-ldaps.md
@@ -13,7 +13,7 @@ ms.workload: identity
 ms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: article
-ms.date: 02/02/2018
+ms.date: 02/21/2018
 ms.author: ergreenl
 
 ---
@@ -49,5 +49,15 @@ When secure LDAP is enabled, we recommend creating additional rules to allow inb
 > Port 636 is not the only rule needed for Azure AD Domain Services to run smoothly. To learn more, visit the [Networking guidelines](active-directory-ds-networking.md) or [Troubleshoot NSG configuration](active-directory-ds-troubleshoot-nsg.md) articles.
 >
 
+## AADDS502: Secure LDAP certificate expiring
+
+**Alert message:**
+
+*The secure LDAP certificate for the managed domain will expire on XX.*
+
+**Remediation:**
+
+Create a new secure LDAP certificate by following the steps outlined in the [Configure secure LDAP](active-directory-ds-admin-guide-configure-secure-ldap.md) article.
+
 ## Contact us
 Contact the Azure Active Directory Domain Services product team to [share feedback or for support](active-directory-ds-contact-us.md).
diff --git a/articles/active-directory-domain-services/active-directory-ds-troubleshoot-nsg.md b/articles/active-directory-domain-services/active-directory-ds-troubleshoot-nsg.md
@@ -13,7 +13,7 @@ ms.workload: identity
 ms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: article
-ms.date: 02/12/2018
+ms.date: 03/01/2018
 ms.author: ergreenl
 
 ---
@@ -55,7 +55,7 @@ Follow the instructions to [install the Azure PowerShell module and connect to y
 > We recommend using the latest version of the Azure PowerShell module. If you already have an older version of the Azure PowerShell module installed, update to the latest version.
 >
 
-Use the following steps to create a new NSG using PowerShell. 
+Use the following steps to create a new NSG using PowerShell.
 1. Log in to your Azure subscription.
 
   ```PowerShell
@@ -67,33 +67,34 @@ Use the following steps to create a new NSG using PowerShell.
 
   ```PowerShell
   # Allow inbound HTTPS traffic to enable synchronization to your managed domain.
-  $SyncRule = New-AzureRmNetworkSecurityRuleConfig -Name AllowSyncWithAzureAD `
-  -Description "Allow synchronization with Azure AD" `
+  $SyncRule = New-AzureRmNetworkSecurityRuleConfig -Name AllowSyncWithAzureAD -Description "Allow synchronization with Azure AD" `
   -Access Allow -Protocol Tcp -Direction Inbound -Priority 101 `
   -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix * `
   -DestinationPortRange 443
 
   # Allow management of your domain over port 5986 (PowerShell Remoting)
-  $PSRemotingRule = New-AzureRmNetworkSecurityRuleConfig -Name AllowPSRemoting `
-  -Description "Allow management of domain through port 5986" `
+  $PSRemotingRule = New-AzureRmNetworkSecurityRuleConfig -Name AllowPSRemoting -Description "Allow management of domain through port 5986" `
   -Access Allow -Protocol Tcp -Direction Inbound -Priority 102 `
-  -SourceAddressPrefix 52.180.183.8, 23.101.0.70, 52.225.184.198, 52.179.126.223, `
-  13.74.249.156, 52.187.117.83, 52.161.13.95, 104.40.156.18, 104.40.87.209, `
-  52.180.179.108, 52.175.18.134, 52.138.68.41, 104.41.159.212, 52.169.218.0, `
-  52.187.120.237, 52.161.110.169, 52.174.189.149, 13.64.151.161 `
-  -SourcePortRange * -DestinationAddressPrefix * `
+  -SourceAddressPrefix 52.180.183.8, 23.101.0.70, 52.225.184.198, 52.179.126.223, 13.74.249.156, 52.187.117.83, 52.161.13.95, 104.40.156.18, 104.40.87.209, 52.180.179.108, 52.175.18.134, 52.138.68.41, 104.41.159.212, 52.169.218.0, 52.187.120.237, 52.161.110.169, 52.174.189.149, 13.64.151.161 -SourcePortRange * -DestinationAddressPrefix * `
   -DestinationPortRange 5986
 
+  #The following two rules are optional and needed only in certain situations.
+
   # Allow management of your domain over port 3389 (remote desktop).
-  $RemoteDesktopRule = New-AzureRmNetworkSecurityRuleConfig -Name AllowRD `
-  -Description "Allow management of domain through port 3389" `
+  $RemoteDesktopRule = New-AzureRmNetworkSecurityRuleConfig -Name AllowRD -Description "Allow management of domain through port 3389" `
   -Access Allow -Protocol Tcp -Direction Inbound -Priority 103 `
-  -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix * `
+  -SourceAddressPrefix 207.68.190.32/27, 13.106.78.32/27, 10.254.32.0/20, 10.97.136.0/22, 13.106.174.32/27, 13.106.4.96/27 -SourcePortRange * -DestinationAddressPrefix * `
   -DestinationPortRange 3389
 
-  # Create the NSG with the 3 rules above
-  $Nsg = New-AzureRmNetworkSecurityGroup -ResourceGroupName $ResourceGroup -Location $Location `
-  -Name "AAD-DomainServices-NSG" -SecurityRules $SyncRule,$PSRemotingRule,$RemoteDesktopRule
+  # Secure LDAP rule, it is recommended to change the source address prefix to include only the IP addresses
+  $SecureLDAPRule = New-AzureRmNetworkSecurityRuleConfig -Name SecureLDAP -Description "Allow access through secure LDAP port" `
+  -Access Allow -Protocol Tcp -Direction Inbound -Priority 104 `
+  -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix * `
+  -DestinationPortRange 636
+
+  # Create the NSG with the rules above (if you need the remote desktop rule and secure ldap rule, add it below)
+  $nsg = New-AzureRmNetworkSecurityGroup -ResourceGroupName $resourceGroup -Location westus `
+  -Name "AADDomainServices-NSG" -SecurityRules $SyncRule, $PSRemotingRule
   ```
 
 3. Lastly, associate the NSG with the vnet and subnet of choice.
@@ -124,33 +125,34 @@ $SubnetName = "exampleSubnet"
 Login-AzureRmAccount
 
 # Allow inbound HTTPS traffic to enable synchronization to your managed domain.
-$SyncRule = New-AzureRmNetworkSecurityRuleConfig -Name AllowSyncWithAzureAD `
--Description "Allow synchronization with Azure AD" `
+$SyncRule = New-AzureRmNetworkSecurityRuleConfig -Name AllowSyncWithAzureAD -Description "Allow synchronization with Azure AD" `
 -Access Allow -Protocol Tcp -Direction Inbound -Priority 101 `
 -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix * `
 -DestinationPortRange 443
 
 # Allow management of your domain over port 5986 (PowerShell Remoting)
-$PSRemotingRule = New-AzureRmNetworkSecurityRuleConfig -Name AllowPSRemoting `
--Description "Allow management of domain through port 5986" `
+$PSRemotingRule = New-AzureRmNetworkSecurityRuleConfig -Name AllowPSRemoting -Description "Allow management of domain through port 5986" `
 -Access Allow -Protocol Tcp -Direction Inbound -Priority 102 `
--SourceAddressPrefix 52.180.183.8, 23.101.0.70, 52.225.184.198, 52.179.126.223, `
-13.74.249.156, 52.187.117.83, 52.161.13.95, 104.40.156.18, 104.40.87.209, `
-52.180.179.108, 52.175.18.134, 52.138.68.41, 104.41.159.212, 52.169.218.0, `
-52.187.120.237, 52.161.110.169, 52.174.189.149, 13.64.151.161 `
--SourcePortRange * -DestinationAddressPrefix * `
+-SourceAddressPrefix 52.180.183.8, 23.101.0.70, 52.225.184.198, 52.179.126.223, 13.74.249.156, 52.187.117.83, 52.161.13.95, 104.40.156.18, 104.40.87.209, 52.180.179.108, 52.175.18.134, 52.138.68.41, 104.41.159.212, 52.169.218.0, 52.187.120.237, 52.161.110.169, 52.174.189.149, 13.64.151.161 -SourcePortRange * -DestinationAddressPrefix * `
 -DestinationPortRange 5986
 
+#The following two rules are optional and needed only in certain situations.
+
 # Allow management of your domain over port 3389 (remote desktop).
-$RemoteDesktopRule = New-AzureRmNetworkSecurityRuleConfig -Name AllowRD `
--Description "Allow management of domain through port 3389" `
+$RemoteDesktopRule = New-AzureRmNetworkSecurityRuleConfig -Name AllowRD -Description "Allow management of domain through port 3389" `
 -Access Allow -Protocol Tcp -Direction Inbound -Priority 103 `
--SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix * `
+-SourceAddressPrefix 207.68.190.32/27, 13.106.78.32/27, 10.254.32.0/20, 10.97.136.0/22, 13.106.174.32/27, 13.106.4.96/27 -SourcePortRange * -DestinationAddressPrefix * `
 -DestinationPortRange 3389
 
-# Create the NSG with the 3 rules above
-$Nsg = New-AzureRmNetworkSecurityGroup -ResourceGroupName $ResourceGroup -Location $Location `
--Name "AAD-DomainServices-NSG" -SecurityRules $SyncRule,$PSRemotingRule,$RemoteDesktopRule
+# Secure LDAP rule, it is recommended to change the source address prefix to include only the IP addresses
+$SecureLDAPRule = New-AzureRmNetworkSecurityRuleConfig -Name SecureLDAP -Description "Allow access through secure LDAP port" `
+-Access Allow -Protocol Tcp -Direction Inbound -Priority 104 `
+-SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix * `
+-DestinationPortRange 636
+
+# Create the NSG with the rules above (if you need the remote desktop rule and secure ldap rule, add it below)
+$nsg = New-AzureRmNetworkSecurityGroup -ResourceGroupName $resourceGroup -Location westus `
+-Name "AADDomainServices-NSG" -SecurityRules $SyncRule, $PSRemotingRule
 
 # Find vnet and subnet
 $Vnet = Get-AzureRmVirtualNetwork -ResourceGroupName $ResourceGroup -Name $VnetName
@@ -161,9 +163,6 @@ $Subnet.NetworkSecurityGroup = $Nsg
 Set-AzureRmVirtualNetwork -VirtualNetwork $Vnet
 ```
 
-> [!NOTE]
-> This default NSG does not lock down access to the port used for Secure LDAP. To lock down Secure LDAP access over the internet, see [this article](active-directory-ds-troubleshoot-ldaps.md).
->
 
 ## Need help?
 Contact the Azure Active Directory Domain Services product team to [share feedback or for support](active-directory-ds-contact-us.md).
diff --git a/...y-domain-services/media/active-directory-domain-services-alerts/default-nsg.PNG b/...y-domain-services/media/active-directory-domain-services-alerts/default-nsg.PNG
diff --git a/articles/active-directory/TOC.yml b/articles/active-directory/TOC.yml
@@ -51,15 +51,23 @@
       - name: Using Azure Resource Manager template
         href: msi-qs-configure-template-windows-vm.md  
       - name: Using Azure SDK
-        href: msi-qs-configure-sdk-windows-vm.md          
-    - name: Grant a VM MSI access to Resource Manager
+        href: msi-qs-configure-sdk-windows-vm.md
+    - name: Configure MSI for Azure VMSS
+      items:
+      - name: Using the Azure Portal
+        href: msi-qs-configure-portal-windows-vmss.md
+      - name: Using Azure CLI
+        href: msi-qs-configure-cli-windows-vmss.md
+      - name: Using Azure Resource Manager template
+        href: msi-qs-configure-template-windows-vmss.md
+    - name: Grant a VM or VMSS MSI access to Resource Manager
       items:
       - name: Using Azure portal
         href: msi-howto-assign-access-portal.md
       - name: Using PowerShell
         href: msi-howto-assign-access-powershell.md
       - name: Using Azure CLI
-        href: msi-howto-assign-access-cli.md 
+        href: msi-howto-assign-access-cli.md
     - name: How to use a VM MSI
       items:
       - name: Acquire an access token

diff --git a/...-howto-assign-access-vmss-portal/assign-access-control-vmss-iam-blade-after.png b/...-howto-assign-access-vmss-portal/assign-access-control-vmss-iam-blade-after.png
diff --git a/...howto-assign-access-vmss-portal/assign-access-control-vmss-iam-blade-before.png b/...howto-assign-access-vmss-portal/assign-access-control-vmss-iam-blade-before.png
diff --git a/...onfigure-portal-windows-vmss/create-windows-vmss-portal-configuration-blade.png b/...onfigure-portal-windows-vmss/create-windows-vmss-portal-configuration-blade.png
diff --git a/...nfigure-portal-windows-vmss/disable-windows-vmss-portal-configuration-blade.png b/...nfigure-portal-windows-vmss/disable-windows-vmss-portal-configuration-blade.png
diff --git a/...dia/msi-qs-configure-template-windows-vmss/msi-arm-template-file-after-vmss.png b/...dia/msi-qs-configure-template-windows-vmss/msi-arm-template-file-after-vmss.png
diff --git a/...ia/msi-qs-configure-template-windows-vmss/msi-arm-template-file-before-vmss.png b/...ia/msi-qs-configure-template-windows-vmss/msi-arm-template-file-before-vmss.png