Commit

fix conflict
mumian committed Dec 1, 2015
2 parents ae589d7 + c8b1ffa commit 1a268e1
Showing 2,615 changed files with 45,250 additions and 14,676 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@
ms.tgt_pltfrm="mobile-android"
ms.devlang="java"
ms.topic="article"
ms.date="09/22/2015"
ms.date="11/19/2015"
ms.author="brandwe"/>

# Azure AD B2C Preview: Calling a Web API from an Android application
Expand Down Expand Up @@ -132,9 +132,9 @@ repositories {
}
dependencies {
compile fileTree(dir: 'libs', include: ['*.jar'])
compile('com.microsoft.aad:adal:2.0-alpha') {
compile('com.microsoft.aad:adal:2.0.1-alpha') {
exclude group: 'com.android.support'
} // Recent version is 2.0-alpha
} // Recent version is 2.0.1-alpha
}
```
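Review bot: The trailing comment `// Recent version is 2.0.1-alpha` restates the coordinate one line above and has already gone stale once (it said 2.0-alpha), so it will drift again; drop it or point readers to where the current release is published instead. Keeping `exclude group: 'com.android.support'` is fine, but pinning an alpha artifact in reader-facing docs deserves a sentence on moving off it once a stable build ships.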

Expand All @@ -146,7 +146,7 @@ If you are using the m2e plugin in Eclipse, you can specify the dependency in yo
<dependency>
<groupId>com.microsoft.aad</groupId>
<artifactId>adal</artifactId>
<version>2.0-alpha</version>
<version>2.0.1-alpha</version>
<type>aar</type>
</dependency>
```
Original file line number Diff line number Diff line change
Expand Up @@ -261,14 +261,16 @@ Create a `server.js` file in our favorite editor and add the following informati
/**
* Module dependencies.
*/
var fs = require('fs');
var path = require('path');
var util = require('util');
var assert = require('assert-plus');
var mongoose = require('mongoose/');
var bunyan = require('bunyan');
var restify = require('restify');
var config = require('./config');
var passport = require('passport');
var OIDCBearerStrategy = require('passport-azure-ad').BearerStategy;
var OIDCBearerStrategy = require('passport-azure-ad').BearerStrategy;
```

Save the file. We will return to it shortly.
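Review bot: The `BearerStategy` to `BearerStrategy` fix is the change that matters: `require('passport-azure-ad').BearerStategy` evaluates to `undefined`, so the later `new OIDCBearerStrategy(...)` throws a TypeError at startup and the old snippet could never have protected the API. The newly added `fs` and `path` requires are not used anywhere in this hunk; if the rest of server.js does not use them either, drop them rather than ship unused imports. Also `require('mongoose/')` should be `require('mongoose')`; the trailing slash happens to resolve but is nonstandard.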
Expand All @@ -289,7 +291,7 @@ Create a `config.js` file in our favorite editor and add the following informati
exports.creds = {
mongoose_auth_local: 'mongodb://localhost/tasklist', // Your mongo auth uri goes here
audience: '<your audience URI>',
identityMetadata: 'https://login.microsoftonline.com/common/.well-known/openid-configuration' // For using Microsoft you should never need to change this.
identityMetadata: 'https://login.microsoftonline.com/common/.well-known/openid-configuration', // For using Microsoft you should never need to change this.
tenantName:'<tenant name>',
policyName:'b2c_1_<sign in policy name>',
};
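Review bot: The comma added after the `identityMetadata` line fixes what became a JavaScript syntax error once `tenantName` followed it, so the previous snippet could not have loaded at all. Two follow-ups on the new lines: `audience: '<your audience URI>'` is the value the bearer strategy compares against the token's `aud` claim, so the prose should say it must be the API's own identifier rather than the client app's, otherwise tokens issued for other apps in the tenant would be accepted; and the `policyName` placeholder `b2c_1_<sign in policy name>` mixes a literal prefix with bracketed text, so spell out that only the bracketed part is replaced.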
Expand Down Expand Up @@ -712,7 +714,7 @@ Date: Tue, 14 Jul 2015 05:43:38 GMT

Then, we can add a task this way:

`$ curl -isS -X POST http://127.0.0.1:8888/tasks/brandon/Hello`
`$ curl -isS -X POST http://127.0.0.1:8080/tasks/brandon/Hello`

The response should be:
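Review bot: Only this POST example moves from port 8888 to 8080; the earlier request whose response headers end just above it and the port the server actually listens on must agree, so check the remaining `127.0.0.1:8888` occurrences and the `listen` call in the same file rather than fixing a single line.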

Expand Down Expand Up @@ -850,7 +852,7 @@ next();
});
```

## 18: Run your server application again and ensure it rejects you
## 20: Run your server application again and ensure it rejects you

Let's use `curl` again to see if we now have OAuth2 protection against our endpoints. We will do this before runnning any of our client SDKs against this endpoint. The headers returned should be enough to tell us we are down the right path.
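Review bot: Renumbering the heading from 18 to 20 implies two steps were inserted earlier; confirm every later `## N:` heading in the file was renumbered in this same change, since the diff shows only this one. In the unchanged context line, `runnning` should be `running`, and the heading would be clearer as `ensure it rejects unauthenticated requests` rather than `rejects you`.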

Original file line number Diff line number Diff line change
Expand Up @@ -100,14 +100,13 @@ In order for the iOS Task app to communicate with Azure AD B2C, there are a few
<key>authority</key>
<string>https://login.microsoftonline.com/<your tenant name>.onmicrosoft.com/</string>
<key>clientId</key>
<string><Enter the Application Id assinged to your app by the Azure portal, e.g.580e250c-8f26-49d0-bee8-1c078add1609></string>
<string><Enter the Application Id assigned to your app by the Azure portal, e.g.580e250c-8f26-49d0-bee8-1c078add1609></string>
<key>scopes</key>
<array>
<string><Enter the Application Id assinged to your app by the Azure portal, e.g.580e250c-8f26-49d0-bee8-1c078add1609></string>
<string><Enter the Application Id assigned to your app by the Azure portal, e.g.580e250c-8f26-49d0-bee8-1c078add1609></string>
</array>
<key>additionalScopes</key>
<array>
<string></string>
</array>
<key>redirectUri</key>
<string>urn:ietf:wg:oauth:2.0:oob</string>
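Review bot: Removing the empty `<string></string>` from `additionalScopes` is right; an empty element would otherwise be sent as a blank scope value. On the corrected placeholders, the angle-bracketed text inside `<string>` is not valid plist content if pasted as-is, and `scopes` is set to the same Application Id as `clientId` (the app requesting a token for itself), which deserves a sentence of explanation next to the example id `580e250c-8f26-49d0-bee8-1c078add1609` so readers do not mistake it for a value they should keep.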
Expand Down Expand Up @@ -254,9 +253,7 @@ completionBlock:(void (^) (ADProfileInfo* userInfo, NSError* error)) completionB
[self readApplicationSettings];
}
NSDictionary* params = [self convertPolicyToDictionary:policy];
[self getClaimsWithPolicyClearingCache:NO policy:policy params:params parent:parent completionHandler:^(ADProfileInfo* userInfo, NSError* error) {
[self getClaimsWithPolicyClearingCache:NO policy:policy params:nil parent:parent completionHandler:^(ADProfileInfo* userInfo, NSError* error) {
if (userInfo == nil)
{
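Review bot: Changing `params:params` to `params:nil` leaves `NSDictionary* params = [self convertPolicyToDictionary:policy]` on the line above as dead code, and the policy is no longer carried through the `params` argument. If the `policy:` argument alone is now sufficient, delete the unused `params` variable and the `convertPolicyToDictionary:` call in the same hunk; otherwise explain where the policy selection is now sent.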
Expand All @@ -277,42 +274,8 @@ completionBlock:(void (^) (ADProfileInfo* userInfo, NSError* error)) completionB
You see that the the method is pretty simple. It takes as an input the `samplesPolicyData` object we created a few moments ago, the parent ViewController, and then a callback. The call back is interesting and we'll walk through it.

1. You'll see that the `completionBlock` has ADProfileInfo as a type that will get returned with a `userInfo` object. ADProfileInfo is the type that holds all the response from the server, in particular claims.

2. You'll see that we `readApplicationSettings`. This reads the data that we've provided in the `settings.plist`
3. You'll see that we have a method `convertPolicyToDictionary:policy` which takes our policy and formats it as a URL to send to the server. We'll write this helper method next.
4. Finally, we have a rather large `getClaimsWithPolicyClearingCache` method. This is the actual call to ADAL for iOS we need to write. We'll do that later.


Next, we'll write that `convertPolicyToDictionary` method below the code we've just written:

```
// Here we have some converstion helpers that allow us to parse passed items in to dictionaries for URLEncoding later.
+(NSDictionary*) convertTaskToDictionary:(samplesTaskItem*)task
{
NSMutableDictionary* dictionary = [[NSMutableDictionary alloc]init];
if (task.itemName){
[dictionary setValue:task.itemName forKey:@"task"];
}
return dictionary;
}
+(NSDictionary*) convertPolicyToDictionary:(samplesPolicyData*)policy
{
NSMutableDictionary* dictionary = [[NSMutableDictionary alloc]init];
if (policy.policyID){
[dictionary setValue:policy.policyID forKey:@"p"];
}
return dictionary;
}
```
This rather simple code simply appends a p to our policy such that the look of the query should be ?p=<policy>.
3. Finally, we have a rather large `getClaimsWithPolicyClearingCache` method. This is the actual call to ADAL for iOS we need to write. We'll do that later.

Now let's write our large method `getClaimsWithPolicyClearingCache`. This is large enough to merit it's own section
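Review bot: After this hunk the numbered walkthrough reads item 1 and then `3. Finally, ...`, so the items for `readApplicationSettings` and `convertPolicyToDictionary` were removed without resetting the numbering; the code shown above still calls `[self readApplicationSettings]`, so keep that item and renumber the final one to 2. Removing the `convertPolicyToDictionary`/`convertTaskToDictionary` helper block is consistent with the earlier `params:nil` change, but verify no later section still refers to it. Context-line nits: `the the method` and `it's own section` (should be `its`).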

Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
description="Custom settings description of Azure AD Connect connected directories."
services="active-directory"
documentationCenter=""
authors="billmath"
authors="andkjell"
manager="stevenpo"
editor="curtand"/>

Expand All @@ -14,7 +14,7 @@
ms.devlang="na"
ms.topic="article"
ms.date="10/13/2015"
ms.author="billmath"/>
ms.author="billmath;andkjell"/>



Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
description="Custom settings description of why we require a global admin account."
services="active-directory"
documentationCenter=""
authors="billmath"
authors="andkjell"
manager="stevenpo"
editor="curtand"/>

Expand All @@ -14,7 +14,7 @@
ms.devlang="na"
ms.topic="article"
ms.date="10/13/2015"
ms.author="billmath"/>
ms.author="billmath;andkjell"/>

# Why we require an Azure AD global administrator account for setting up Azure AD Connect

39 changes: 36 additions & 3 deletions articles/active-directory/active-directory-aadconnect-faq.md
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@
ms.tgt_pltfrm="na"
ms.devlang="na"
ms.topic="article"
ms.date="11/10/2015"
ms.date="11/16/2015"
ms.author="billmath"/>

# Azure Active Directory Connect FAQ
Expand All @@ -27,9 +27,9 @@ Installation will not work in this case. The Global Admin installing Azure AD Co

It is only supported to install Azure AD Connect using the installation wizard. An unattended and silent installation is not supported.

## Express installation
**Q: I have a forest where one domain cannot be contacted. How do I install Azure AD Connect?**

## Custom installation
We have heard this feedback and will support this in a future release.

## Network
**Q: I have a firewall, network device, or something else that limits the maximum time connections can stay open on my network. How long should my client side timeout threshold be when using Azure AD Connect?**
Expand All @@ -40,6 +40,39 @@ All networking software, physical devices, or anything else that limits the maxi

Use the guidance that is outlined in the article here to resolve to [here](active-directory-aadconnect-o365-certs.md) renew the certificate.

**Q: Are SLDs (Single Label Domains) supported?**

No, Azure AD Connect does not support on-premises forests/domains using SLDs.

**Q: Are "dotted" NetBios named supported?**

No, Azure AD Connect does not support on-premises forests/domains where the NetBios name contains a period "." in the name.

## Environment

**Q: Is it supported to rename the server after Azure AD Connect has been installed?**

No. Changing the server name will cause the sync engine to not be able to connect to the SQL database and the service will not be able to start.

## Identity data

**Q: The UPN (userPrincipalName) attribute in Azure AD does not match the on-prem UPN - why?**

See these articles:

- [User names in Office 365, Azure, or Intune don't match the on-premises UPN or alternate login ID](https://support.microsoft.com/en-us/kb/2523192)
- [Changes aren't synced by the Azure Active Directory Sync tool after you change the UPN of a user account to use a different federated domain](https://support.microsoft.com/en-us/kb/2669550)

## Custom configuration

**Q: Where are the PowerShell cmdlets for Azure AD Connect documented?**

With the exception of the cmdlets documented on this site, other PowerShell cmdlets found in Azure AD Connect are not supported for customer use.

**Q: Can I use "Server export/server import" found in service manager to move configuration between servers?**

No. This option will not retrieve all configuration settings and should not be used. You should instead use the wizard to create the base configuration on the second server and use the sync rule editor to generate PowerShell scripts to move any custom rule between servers.

## Troubleshooting

**Q: How can I get help with Azure AD Connect?**
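Review bot: In the new NetBIOS question, `"dotted" NetBios named` should read `NetBIOS names`, and the answer's `contains a period "." in the name` repeats itself. The unchanged context line `Use the guidance that is outlined in the article here to resolve to [here](active-directory-aadconnect-o365-certs.md) renew the certificate.` is garbled and sits directly above the new entries; it is worth rewriting in the same change. The server export/import answer is the useful one for administrators: it names the supported path (wizard plus sync rule editor scripts), so consider linking the sync rule editor article there.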
Original file line number Diff line number Diff line change
Expand Up @@ -13,8 +13,8 @@
ms.tgt_pltfrm="na"
ms.devlang="na"
ms.topic="article"
ms.date="09/15/2015"
ms.author="billmath"/>
ms.date="11/12/2015"
ms.author="billmath;andkjell"/>

# Enabling device writeback in Azure AD Connect

Expand All @@ -24,62 +24,52 @@ Enable conditional access based on devices to ADFS (2012 R2 or higher) protected

This provides additional security and assurance that access to applications is granted only to trusted devices. For more information on conditional access, see [Managing Risk with Conditional Access](active-directory-conditional-access.md) and [Setting up On-premises Conditional Access using Azure Active Directory Device Registration](https://msdn.microsoft.com/library/azure/dn788908.aspx).

>[AZURE.Note] A subscription to Office 365 or Azure AD Premium is required when using devices registered in Azure Active Directory Device Registration service conditional access policies. This includes policies enforced by Active Directory Federation Services (AD FS) to on-premises resources.
>[AZURE.NOTE] A subscription to Azure AD Premium is required for device writeback.
## Part 1: Prepare Azure AD Connect

## Part 1: Install Azure AD Connect
1. Install Azure AD Connect using Custom or Express settings. The recommendation is to start with having all users and groups successfully synchronized before you enable device writeback.

## Part 2: Prepare Active Directory
Use the following steps to prepare for using device writeback.

1. From the machine where Azure AD Connect is installed, launch PowerShell in elevated mode.

2. If the Active Directory PowerShell module is NOT installed. Install it using the following command:

Install-WindowsFeature –Name AD-DOMAIN-Services –IncludeManagementTools
`Install-WindowsFeature –Name AD-DOMAIN-Services –IncludeManagementTools`

3. With enterprise admin credentials, run the following commands and then exit PowerShell.

Import-Module ‘C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncAdPrep.psm1’

Initialize-ADSyncDeviceWriteback –DomainName <name> -AdConnectorAccount <account>

Description:



- If not existent, it creates and configures new containers and objects under CN=Device Registration Configuration,CN=Services,CN=Configureation,<forest-dn>.
`Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1'`

`Initialize-ADSyncDeviceWriteback {Optional:–DomainName [name] Optional:-AdConnectorAccount [account]}`


- If not existent, it creates and configures new containers and objects under CN=RegisteredDevices,<domain-dn>. Device objects will be created in this container.

![Powershell](./media/active-directory-aadconnect-get-started-custom-device-writeback/powershell.png)

Description:

- If not existent, it creates and configures new containers and objects under CN=Device Registration Configuration,CN=Services,CN=Configuration,[forest-dn].
- If not existent, it creates and configures new containers and objects under CN=RegisteredDevices,[domain-dn]. Device objects will be created in this container.
- Sets necessary permissions on the Azure AD Connector account, to manage devices on your Active Directory.



- Only needs to run on one forest, even if Azure AD Connect is being installed on multiple forests.

Parameters:


- DomainName: Active Directory Domain where device objects will be created. Note: All devices for a given Active Directory forest will be created in a single domain.
- AdConnectorAccount: Active Directory account that will be used by Azure AD Connect to manage objects in the directory. This is the account used by Azure AD Connect sync to connect to AD. If you installed using express settings, it is the account prefixed with MSOL_.


- AdConnectorAccount: Active Directory account that will be used by Azure AD Connect to manage objects in the directory.

## Part 2: Enable device writeback
## Part 3: Enable device writeback in Azure AD Connect
Use the following procedure to enable device writeback in Azure AD Connect.

1. Run AAD Connect Wizard. If this is the first time using the wizard, perform a custom install by selecting Customize from the Express Settings screen
![Custom Install](./media/active-directory-aadconnect-get-started-custom-device-writeback/devicewriteback1.png)
2. If this is not the first time, select customize synchronization options from the Additional Tasks page and click Next.
1. Run the installation wizard again. Select **customize synchronization options** from the Additional Tasks page and click **Next**.
![Custom Install](./media/active-directory-aadconnect-get-started-custom-device-writeback/devicewriteback2.png)
3. In the Optional Features page, device writeback will no longer be grayed out. Please note that if the Azure AD Connect prep steps are not completed device writeback will be grayed out in the Optional features page. Check the box for device writeback and click next.
2. In the Optional Features page, device writeback will no longer be grayed out. Please note that if the Azure AD Connect prep steps are not completed device writeback will be grayed out in the Optional features page. Check the box for device writeback and click **next**. If the checkbox is still disabled, see the [troubleshooting section](#the-writeback-checkbox-is-still-disabled).
![Device Writeback](./media/active-directory-aadconnect-get-started-custom-device-writeback/devicewriteback3.png)
4. On the writeback page, you will see the supplied domain as the default Device writeback forest.
3. On the writeback page, you will see the supplied domain as the default Device writeback forest.
![Custom Install](./media/active-directory-aadconnect-get-started-custom-device-writeback/devicewriteback4.png)
5. Complete the installation of the Wizard with no additional configuration changes. If needed, refer to [Custom installation of Azure AD Connect.](active-directory-aadconnect-get-started-custom.md)

4. Complete the installation of the Wizard with no additional configuration changes. If needed, refer to [Custom installation of Azure AD Connect.](active-directory-aadconnect-get-started-custom.md)


## Enable conditional access
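Review bot: The module path correction from `AdSyncAdPrep.psm1` to `AdSyncPrep.psm1` is the substantive fix in this hunk and should be called out, since anyone copying the old line got a module-not-found error. The new `Initialize-ADSyncDeviceWriteback {Optional:–DomainName [name] Optional:-AdConnectorAccount [account]}` is not PowerShell syntax; use the conventional `[-DomainName <name>] [-AdConnectorAccount <account>]` form, and note that this line mixes an en dash (`–DomainName`) with a hyphen (`-AdConnectorAccount`), as does `Install-WindowsFeature –Name AD-DOMAIN-Services –IncludeManagementTools`; normalise to ASCII hyphens so copy-pasted commands are consistent. The step still says to run `with enterprise admin credentials`; because the script creates containers under `CN=Services,CN=Configuration,[forest-dn]` and grants the connector account rights on them, a sentence explaining that Enterprise Admin is needed only for this one-time preparation, not for ongoing sync, would help readers keep privileges minimal.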
Expand All @@ -95,6 +85,46 @@ Device writeback should now be working properly. Be aware that it can take up to

![Custom Install](./media/active-directory-aadconnect-get-started-custom-device-writeback/devicewriteback6.png)

## Troubleshooting

### The writeback checkbox is still disabled
If the checkbox for device writeback is not enabled even though you have followed the steps above, the following steps will guide you through what the installation wizard is verifying before the box is enabled.

First things first:

- Make sure at least one forest has Windows Server 2012R2. The device object type must be present.
- If the installation wizard is already running, then any changes will not be detected. In this case, complete the installation wizard and run it again.
- Make sure the account you provide in the initialization script is actually the correct user used by the Active Directory Connector. To verify this, follow these steps:
- From the start menu, open **Synchronization Service**.
- Open the **Connectors** tab.
- Find the Connector with type Active Directory Domain Services and select it.
- Under **Actions**, select **Properties**.
- Go to **Connect to Active Directory Forest**. Verify that the domain and user name specified on this screen match the account provided to the script.
![Connector account](./media/active-directory-aadconnect-get-started-custom-device-writeback/connectoraccount.png)

Verify configuration in Active Directory:
- Verify that the Device Registration Service is located in the location below (CN=DeviceRegistrationService,CN=Device Registration Services,CN=Device Registration Configuration,CN=Services,CN=Configuration) under configuration naming context.

![Troubleshoot1](./media/active-directory-aadconnect-get-started-custom-device-writeback/troubleshoot1.png)

- Verify there is only one configuration object by searching the configuration namespace. If there is more than one, delete the duplicate.

![Troubleshoot2](./media/active-directory-aadconnect-get-started-custom-device-writeback/troubleshoot2.png)

- On the Device Registration Service object, make sure the attribute msDS-DeviceLocation is present and has a value. Lookup this location and make sure it is present with the objectType msDS-DeviceContainer.

![Troubleshoot3](./media/active-directory-aadconnect-get-started-custom-device-writeback/troubleshoot3.png)

![Troubleshoot4](./media/active-directory-aadconnect-get-started-custom-device-writeback/troubleshoot4.png)

- Verify the account used by the Active Directory Connector has required permissions on the Registered Devices container found by the previous step. This is the expected permissions on this container:

![Troubleshoot5](./media/active-directory-aadconnect-get-started-custom-device-writeback/troubleshoot5.png)

- Verify the Active Directory account has permissions on the CN=Device Registration Configuration,CN=Services,CN=Configuration object.

![Troubleshoot6](./media/active-directory-aadconnect-get-started-custom-device-writeback/troubleshoot6.png)

## Additional Information
- [Managing Risk With Conditional Access](active-directory-conditional-access.md)
- [Setting up On-premises Conditional Access using Azure Active Directory Device Registration](https://msdn.microsoft.com/library/azure/dn788908.aspx)
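Review bot: In the new troubleshooting section, `Windows Server 2012R2` should read `2012 R2`, `Lookup this location` should be `Look up`, and `This is the expected permissions` should be `These are`. The step `If there is more than one, delete the duplicate` gives no way to tell which object under the configuration naming context is the duplicate; say how to identify it and advise exporting it before deletion, since this is a forest-wide configuration object. The troubleshoot5 screenshot is the only record of the expected ACL on the RegisteredDevices container; listing those rights in text would make them checkable and help keep the connector account at the minimum needed.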