Merge pull request #8425 from MicrosoftDocs/main

Auto push to live 2025-03-11 02:00:02

Author: Deland-Han

support/azure/virtual-machines/linux/serial-console-linux.md

@@ -12,7 +12,7 @@ ms.collection: linux
 ms.topic: article
 ms.tgt_pltfrm: vm-linux
 ms.workload: infrastructure-services
-ms.date: 02/10/2025
+ms.date: 03/11/2025
 ms.author: mbifeld
 ---
 
@@ -131,7 +131,7 @@ Serial Console uses the storage account configured for boot diagnostics in its c
    | UAE | UAE Central, UAE North | 20.38.141.5, 20.45.95.64, 20.45.95.65, 20.45.95.66, 20.203.93.198, 20.233.132.205, 40.120.87.50, 40.120.87.51 |
    | United Kingdom | UK South, UK West | 20.58.68.62, 20.58.68.63, 20.90.32.180, 20.90.132.144, 20.90.132.145, 51.104.30.169, 172.187.0.26, 172.187.65.53 |
    | United States | US Central, US East, US East 2, US East 2 EUAP, US North, US South, US West, US West 2, US West 3 | 4.149.249.197, 4.150.239.210, 20.14.127.175, 20.40.200.175, 20.45.242.18, 20.45.242.19, 20.45.242.20, 20.47.232.186, 20.51.21.252, 20.69.5.160, 20.69.5.161, 20.69.5.162, 20.83.222.100, 20.83.222.101, 20.83.222.102, 20.98.146.84, 20.98.146.85, 20.98.194.64, 20.98.194.65, 20.98.194.66, 20.168.188.34, 20.241.116.153, 52.159.214.194, 57.152.124.244, 68.220.123.194, 74.249.127.175, 74.249.142.218, 157.55.93.0, 168.61.232.59, 172.183.234.204, 172.191.219.35 |
-   | USGov | All US Government Cloud regions | 20.140.104.48, 20.140.105.3, 20.140.144.58, 20.140.144.59, 20.140.147.168, 20.140.53.121, 20.141.10.130, 20.141.10.131, 20.141.13.121, 20.141.15.104, 52.127.55.131, 52.235.252.252, 52.235.252.253, 52.243.247.124, 52.245.155.139, 52.245.156.185, 62.10.196.24, 62.10.196.25, 62.10.84.240, 62.11.6.64, 62.11.6.65 |
+   | USGov | All US Government Cloud regions | 20.140.104.48, 20.140.105.3, 20.140.144.58, 20.140.144.59, 20.140.147.168, 20.140.53.121, 20.141.10.130, 20.141.10.131, 20.141.13.121, 20.141.15.104, 52.127.55.131, 52.235.252.252, 52.235.252.253, 52.243.247.124, 52.245.155.139, 52.245.156.185, 62.10.84.240 |
 
    > [!IMPORTANT]
    > - The IPs that need to be permitted are specific to the region where the VM is located. For example, a virtual machine deployed in the North Europe region needs to add the following IP exclusions to the storage account firewall for the Europe geography: 52.146.139.220 and 20.105.209.72. View the table above to find the correct IPs for your region and geography.

support/azure/virtual-machines/windows/serial-console-windows.md

@@ -11,7 +11,7 @@ ms.collection: windows
 ms.topic: article
 ms.tgt_pltfrm: vm-windows
 ms.workload: infrastructure-services
-ms.date: 01/10/2025
+ms.date: 03/11/2025
 ms.author: mbifeld
 ms.custom: sap:VM Admin - Windows (Guest OS)
 ---
@@ -185,7 +185,7 @@ Serial Console uses the storage account configured for boot diagnostics in its c
    | UAE | UAE Central, UAE North | 20.38.141.5, 20.45.95.64, 20.45.95.65, 20.45.95.66, 20.203.93.198, 20.233.132.205, 40.120.87.50, 40.120.87.51 |
    | United Kingdom | UK South, UK West | 20.58.68.62, 20.58.68.63, 20.90.32.180, 20.90.132.144, 20.90.132.145, 51.104.30.169, 172.187.0.26, 172.187.65.53 |
    | United States | US Central, US East, US East 2, US East 2 EUAP, US North, US South, US West, US West 2, US West 3 | 4.149.249.197, 4.150.239.210, 20.14.127.175, 20.40.200.175, 20.45.242.18, 20.45.242.19, 20.45.242.20, 20.47.232.186, 20.51.21.252, 20.69.5.160, 20.69.5.161, 20.69.5.162, 20.83.222.100, 20.83.222.101, 20.83.222.102, 20.98.146.84, 20.98.146.85, 20.98.194.64, 20.98.194.65, 20.98.194.66, 20.168.188.34, 20.241.116.153, 52.159.214.194, 57.152.124.244, 68.220.123.194, 74.249.127.175, 74.249.142.218, 157.55.93.0, 168.61.232.59, 172.183.234.204, 172.191.219.35 |
-   | USGov | All US Government Cloud regions | 20.140.104.48, 20.140.105.3, 20.140.144.58, 20.140.144.59, 20.140.147.168, 20.140.53.121, 20.141.10.130, 20.141.10.131, 20.141.13.121, 20.141.15.104, 52.127.55.131, 52.235.252.252, 52.235.252.253, 52.243.247.124, 52.245.155.139, 52.245.156.185, 62.10.196.24, 62.10.196.25, 62.10.84.240, 62.11.6.64, 62.11.6.65 |
+   | USGov | All US Government Cloud regions | 20.140.104.48, 20.140.105.3, 20.140.144.58, 20.140.144.59, 20.140.147.168, 20.140.53.121, 20.141.10.130, 20.141.10.131, 20.141.13.121, 20.141.15.104, 52.127.55.131, 52.235.252.252, 52.235.252.253, 52.243.247.124, 52.245.155.139, 52.245.156.185, 62.10.84.240 |
 
    > [!IMPORTANT]
    > - The IPs that need to be permitted are specific to the region where the VM is located. For example, a virtual machine deployed in the North Europe region needs to add the following IP exclusions to the storage account firewall for the Europe geography: 52.146.139.220 and 20.105.209.72. View the table above to find the correct IPs for your region and geography.

support/entra/entra-id/app-integration/error-code-aadsts50173-grant-expired-revoked.md

@@ -45,10 +45,10 @@ On the application that experiences the issues, try to locate an option to reaut
 
 If the application is using [Microsoft Authentication Library (MSAL)](/entra/identity-platform/msal-overview), follow [this guidance to handle errors and exceptions in MSAL](/entra/msal/dotnet/advanced/exceptions/msal-error-handling).
 
-If the application isn't using [Microsoft Authentication Library (MSAL)](/entra/identity-platform/msal-overview), follow this guidance to [handle errors and exceptions in MSAL](/entra/msal/dotnet/advanced/exceptions/msal-error-handling), and try to implement a similar approach on the application. The goal is to request that the user reauthenticate and obtain a fresh token.
+If the application isn't using MSAL, follow this guidance to [handle errors and exceptions in MSAL](/entra/msal/dotnet/advanced/exceptions/msal-error-handling), and try to implement a similar approach on the application. The goal is to request that the user reauthenticate and obtain a fresh token.
 
 ## More information
 
 For a full list of authentication and authorization error codes, see [Microsoft Entra authentication and authorization error codes](/entra/identity-platform/reference-error-codes). 
 
-To investigate individual errors, go to [https://login.microsoftonline.com/error](https://login.microsoftonline.com/error).
+To investigate individual errors, go to [https://login.microsoftonline.com/error](https://login.microsoftonline.com/error).

support/sql/database-engine/availability-groups/troubleshooting-recovery-queuing-in-alwayson-availability-group.md

@@ -1,12 +1,12 @@
 ---
-title: Troubleshooting recovery queueing in an Always On availability group
+title: Troubleshooting recovery (redo) queueing in an Always On availability group
 description: This article helps you to troubleshoot problems that are related to recovery queueing in an Always On availability group. 
-ms.date: 02/10/2023
+ms.date: 03/11/2025
 ms.custom: sap:Always On Availability Groups (AG)
-ms.reviewer: ramakoni, v-jayaramanp
+ms.reviewer: ramakoni, v-jayaramanp, jopilov
 ---
 
-# Troubleshooting recovery queueing in an Always On availability group
+# Troubleshooting recovery (redo) queueing in an Always On availability group
 
 This article provides resolutions to problems related to recovery queueing.
 
@@ -28,7 +28,7 @@ For more information, see the [Data latency on secondary replica](/sql/database-
 
 ### Failover time is longer or RTO is exceeded
 
-Recovery Time Objective (RTO) is the maximum database downtime that an organization can handle. RTO also describes how quickly the organization can regain access to the database after an outage. If substantial recovery queueing is present on a secondary replica when a failover occurs, recovery may take longer. After recovery, the database will transition to the primary role and represent the state of the database that existed before the failover. A longer recovery time can delay how quickly production resumes after a failover.
+Recovery Time Objective (RTO) is the maximum database downtime that an organization can handle. RTO also describes how quickly the organization can regain access to the database after an outage. If substantial recovery queueing is present on a secondary replica when a failover occurs, recovery might take longer than the RTO. After recovery, the database will transition to the primary role and represent the state of the database that existed before the failover. A longer recovery time can delay how quickly production resumes after a failover.
 
 ### Various diagnostic features report availability group recovery queueing
 

support/sql/database-engine/connect/sql-server-faces-connectivity-issue-ssispack-fail.md

@@ -1,20 +1,20 @@
 ---
-title: Error 0x80004005 occurs when SSIS packages fail to run
+title: Error 0x80004005 When an SSIS Package Fails to Run as a SQL Agent Job
 description: This article helps you resolve the 0x80004005 error that might arise when you try to run SSIS packages by using the SQL Server Agent.
-ms.date: 04/18/2024
+ms.date: 03/11/2025
 author: prmadhes-msft
 ms.author: prmadhes
 ms.reviewer: jopilov, haiyingyu, v-jayaramanp
 ms.custom: sap:Database Connectivity and Authentication
 ---
 
-# Connectivity error 0x80004005 occurs from SQL Sever Agent SSIS failures
+# Connectivity error 0x80004005 occurs when you run an SSIS package as a SQL Agent job
 
-This article provides a resolution to a connectivity issue in which SQL Server Integration Services (SSIS) packages that use an SQL Agent fail to run.
+This article provides a solution to a connectivity issue in which SQL Server Integration Services (SSIS) packages that use SQL Server Agent fail to run.
 
 ## Symptoms
 
-When you try to run SSIS packages that use an SQL agent, the packages don't run, and you receive the following error messages:
+When you try to run an SSIS package as a SQL Server Agent job, the package doesn't run, and you receive the following error messages:
 
 > An OLE DB record is available. Source "Microsoft OLE DB Driver for SQL Server" Hresult. 0x80004005 Description "Protocol error in TDS stream".
 

support/sql/database-engine/development/iterate-through-result-set.md

@@ -1,22 +1,22 @@
 ---
-title: Iterate through a result set by using Transact-SQL
-description: This article describes various methods that you can use to iterate through a result set by using Transact-SQL in SQL Server.
-ms.date: 07/26/2024
+title: Iterate through a SQL Server result set in T-SQL without a cursor
+description: This article describes methods to iterate through a SQL Server result set in Transact-SQL without a cursor.
+ms.date: 03/11/2025
 ms.custom: sap:Database or Client application Development
 ms.reviewer: jopilov
 ms.topic: how-to
 ---
 
-# Iterate through a result set by using Transact-SQL in SQL Server
+# Iterate through a SQL Server result set in T-SQL without using a cursor 
 
-This article describes various methods that you can use to iterate through a result set by using Transact-SQL in SQL Server.
+This article describes methods that you can use to iterate through a result set by using Transact-SQL in SQL Server.
 
 _Original product version:_   SQL Server  
 _Original KB number:_   111401
 
 ## Summary
 
-This article describes various methods that you can use to simulate a cursor-like `FETCH`-`NEXT` logic in a stored procedure, trigger, or Transact-SQL batch.
+This article describes methods that you can use to simulate a cursor-like `FETCH`-`NEXT` logic in a stored procedure, trigger, or Transact-SQL batch.
 
 ## Use Transact-SQL Statements to Iterate Through a Result Set
 

support/sql/releases/linux/release-history-2017.md

@@ -71,7 +71,7 @@ The following table lists the release history for [!INCLUDE [sql-server-2017](..
 
 ## <a id="AzureConnectFeaturePack"></a> Azure Connect Pack (March 2025)
 
-This is the Azure Connect Pack for [!INCLUDE [sql-server-2017](../../includes/versions/sql-server-2017.md)]. The [!INCLUDE [sql-server-database-engine](../../includes/versions/sql-server-database-engine.md)] version for this release is 14.0.3490.10. For information about the fixes and improvements in this release, see the [Support article](https://learn.microsoft.com/troubleshoot/sql/releases/sqlserver-2017/azureconnect).
+This is the Azure Connect Pack for [!INCLUDE [sql-server-2017](../../includes/versions/sql-server-2017.md)]. The [!INCLUDE [sql-server-database-engine](../../includes/versions/sql-server-database-engine.md)] version for this release is 14.0.3490.10. For information about the fixes and improvements in this release, see the [Support article](../sqlserver-2017/azureconnect.md).
 
 > [!IMPORTANT]  
 > This is the Azure Connect Pack, which includes CU 31 for [!INCLUDE [sql-server-2017](../../includes/versions/sql-server-2017.md)].

support/windows-server/active-directory/accounts-lastlogontimestamp-future-time.md

@@ -0,0 +1,111 @@
+---
+title: Accounts Have the LastLogonTimestamp Value Set to Future
+description: Helps resolve an issue in which user or computer accounts have the lastLogonTimestamp value set to a future time.
+ms.date: 03/11/2025
+manager: dcscontentpm
+audience: itpro
+ms.topic: troubleshooting
+ms.reviewer: kaushika, herbertm, v-lianna
+ms.custom:
+- sap:active directory\user,computer,group,and object management
+- pcy:WinComm Directory Services
+---
+# User or computer accounts have the lastLogonTimestamp value set to a future time
+
+This article helps resolve an issue in which user or computer accounts have the lastLogonTimestamp value set to a future time.
+
+You have an Active Directory (AD) domain and use AD queries to look for unused accounts. You query attributes like `pwdLastSet` and `lastLogonTimestamp` to determine which accounts are no longer used.
+
+Although using `lastLogonTimestamp` has its limitations due to Kerberos S4U updating the attribute, you notice that some actively used accounts have the `lastLogonTimestamp` value set to a future time.
+
+## Incorrect time on the local DC
+
+A domain controller (DC) might run with its system time set in the future. In this situation, if a user authenticates with the DC, the DC compares its local time with the time stored in the user account. Then, the DC updates the `lastLogonTimestamp` value as its current time is much more recent.
+
+The time on the DC might be incorrect due to a time synchronization issue with the virtual machine (VM) host, the Network Time Protocol (NTP) infrastructure, or [Secure Time Seeding (STS)](https://techcommunity.microsoft.com/blog/askds/secure-time-seeding-on-dcs-a-note-from-the-field/4238810). The DC might also revert to the correct time quickly, so you might not catch the problem in your reporting.
+
+As NTP prevents large time offsets between DCs from being distributed across the domain, incorrect timestamps might be kept local to a single DC. However, domain members follow their local DC's time, even when the DC detects a time skew during Kerberos requests. This is why Kerberos transactions still work in this situation.
+
+## Use the fixupObjectState attribute with LDIFDE to repair the object
+
+For previous versions of Windows, the approaches to resolve the issue are to:
+
+- Wait until the actual time surpasses the `lastLogonTimestamp` value of the user.
+- Ignore the `lastLogonTimestamp` value and use other metrics to identify orphaned accounts.
+- Delete the affected accounts and create new ones.
+
+In Windows Server 2025, there's a new facility to repair broken objects as specified in [[MS-ADTS]: fixupObjectState](/openspecs/windows_protocols/ms-adts/37294765-9e7d-41a1-aded-2d6f744eee8c).
+
+> [!NOTE]
+> There's functionality to correct missing `sAMAccountType` and `objectCategory` attributes. For more information, see [Can't edit or delete an AD object and receive the error "attribute is owned by the Security Accounts Manager (SAM)" or "The specified account does not exist"](cannot-edit-delete-ad-object-error-sam.md).
+
+### Step 1: Identify the object name and globally unique identifier (GUID)
+
+For example:
+
+- Distinguished name (DN): `cn=brokenuser,ou=bad-users,dc=contoso,dc=com`
+- GUID: `cf2b4aca-0e67-47d9-98aa-30a5fe30dc36`
+
+### Step 2: Prepare an LDIFDE import file using the DN string or GUID-based syntax
+
+- Use the DN string:
+
+    ```output
+    DN:
+    Changetype:modify
+    add: fixupObjectState
+    fixupObjectState: cn=brokenuser,ou=bad-users,dc=contoso,dc=com:LastLogonTimestamp
+    -
+    ```
+
+    > [!NOTE]
+    > The line with only a hyphen (`-`) and the empty line are required for a well-formed LDIFDE import file.
+
+- Use the GUID-based syntax:
+
+    If your object name contains special characters, use Unicode for the LDIFDE import file, or use the GUID-based syntax.
+
+    An object name can also be expressed as `<guid=cf2b4aca-0e67-47d9-98aa-30a5fe30dc36>` in the GUID-based syntax.
+
+    So, the expression of `fixupObjectState: cn=brokenuser,ou=bad-users,dc=contoso,dc=com:LastLogonTimestamp` becomes `fixupObjectState: <guid=cf2b4aca-0e67-47d9-98aa-30a5fe30dc36>:LastLogonTimestamp`.
+
+    To use this syntax with the LDIFDE import file, you need to encode the text after the first colon in Base64 format because of the  greater-than (>) and less-than (<) signs:
+
+    ```output
+    fixupObjectState:: PGd1aWQ9Y2YyYjRhY2EtMGU2Ny00N2Q5LTk4YWEtMzBhNWZlMzBkYzM2PjpMYXN0TG9nb25UaW1lc3RhbXA=
+    ```
+
+    > [!NOTE]
+    > The double colon shows the attribute value is in Base64 format. You can use the [Base64 encoder](https://www.bing.com/search?q=site%3Amicrosoft.com%20base64%20encoder&qs=n&form=QBRE&sp=-1&lq=0&pq=site%3Amicrosoft.com%20base64%20encoder&sc=0-33&sk=&cvid=CE994D44ADFC432CA2D3784CEBB3D934&ghsh=0&ghacc=0&ghpl=) to encode the string directly on the web.
+
+    After using the Base64 format, the import file becomes:
+
+    ```output
+    DN:
+    Changetype:modify
+    add: fixupObjectState
+    fixupObjectState:: PGd1aWQ9Y2YyYjRhY2EtMGU2Ny00N2Q5LTk4YWEtMzBhNWZlMzBkYzM2PjpMYXN0TG9nb25UaW1lc3RhbXA=
+    -
+    ```
+
+### Step 3: Repair the object using LDIFDE
+
+Sign in as an Enterprise Administrator, and import the LDIFDE import file (for example, **repair-user.txt**) with the following command:
+
+```console
+ldifde /i /f repair-user.txt
+Connecting to "<DC name>"
+Logging in as current user using SSPI
+Importing directory from file " repair-user.txt"
+Loading entries...
+1 entry modified successfully.
+```
+
+Then, the object has the `lastLogonTimestamp` attribute value set to the current time.
+
+## References
+
+For more information about the usage of the `lastLogonTimestamp` attribute, see:
+
+- ["The LastLogonTimeStamp Attribute" - "What it was designed for and how it works"](/archive/blogs/askds/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works)
+- [How LastLogonTimeStamp is Updated with Kerberos S4u2Self](https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/how-lastlogontimestamp-is-updated-with-kerberos-s4u2self/257135)