Merge pull request #6707 from MicrosoftDocs/FromPublicRepo

Confirm merge from FromPublicRepo to master to sync with https://github.com/MicrosoftDocs/sql-docs (branch live)

Author: huypub

docs/linux/sql-server-linux-active-directory-authentication.md

@@ -200,6 +200,9 @@ For more information, see the Red Hat documentation for [Discovering and Joining
    kvno MSSQLSvc/**<fully qualified domain name of host machine>**:**<tcp port>**
    ```
 
+   > [!NOTE]
+   > SPNs can take several minutes to propagate through your domain, especially if the domain is large. If you receive the error, "kvno: Server not found in Kerberos database while getting credentials for MSSQLSvc/\*\*\<fully qualified domain name of host machine\>\*\*:\*\*\<tcp port\>\*\*\@CONTOSO.COM", please wait a few minutes and try again.
+
 2. Create a keytab file with **[ktutil](https://web.mit.edu/kerberos/krb5-1.12/doc/admin/admin_commands/ktutil.html)** for the AD user you created in the previous step. When prompted, enter the password for that AD account.
 
    ```bash
@@ -217,20 +220,56 @@ For more information, see the Red Hat documentation for [Discovering and Joining
    > [!NOTE]
    > The ktutil tool does not validate the password, so make sure you enter it correctly.
 
-3. Anyone with access to this `keytab` file can impersonate [!INCLUDE[ssNoVersion](../includes/ssnoversion-md.md)] on the domain, so make sure you restrict access to the file such that only the `mssql` account has read access:
+3. Add the machine account to your keytab with **[ktutil](https://web.mit.edu/kerberos/krb5-1.12/doc/admin/admin_commands/ktutil.html)**. The machine account (also called a UPN) is present in `/etc/krb5.keytab` in the form "\<hostname\>$\@\<realm.com\>" (e.g. sqlhost$\@CONTOSO.COM). We will copy these entries from `/etc/krb5.keytab` to `mssql.keytab`.
+
+   ```bash
+   sudo ktutil
+
+   # Read all entries from /etc/krb5.keytab
+   ktutil: rkt /etc/krb5.keytab
+
+   # List all entries
+   ktutil: list
+
+   # Delete all entries by their slot number which are not the UPN one at a
+   # time.
+   # Warning: when an entry is deleted (e.g. slot 1), all values slide up by
+   # one to take its place (e.g. the entry in slot 2 moves to slot 1 when slot
+   # 1's entry is deleted)
+   ktutil: delent <slot num>
+   ktutil: delent <slot num>
+   ...
+
+   # List all entries to ensure only UPN entries are left
+   ktutil: list
+
+   # When only UPN entries are left, append these values to mssql.keytab
+   ktutil: wkt /var/opt/mssql/secrets/mssql.keytab
+
+   quit
+   ```
+
+4. Anyone with access to this `keytab` file can impersonate [!INCLUDE[ssNoVersion](../includes/ssnoversion-md.md)] on the domain, so make sure you restrict access to the file such that only the `mssql` account has read access:
 
    ```bash
    sudo chown mssql:mssql /var/opt/mssql/secrets/mssql.keytab
    sudo chmod 400 /var/opt/mssql/secrets/mssql.keytab
    ```
 
-4. Configure [!INCLUDE[ssNoVersion](../includes/ssnoversion-md.md)] to use this `keytab` file for Kerberos authentication:
+5. Configure [!INCLUDE[ssNoVersion](../includes/ssnoversion-md.md)] to use this `keytab` file for Kerberos authentication:
 
    ```bash
    sudo /opt/mssql/bin/mssql-conf set network.kerberoskeytabfile /var/opt/mssql/secrets/mssql.keytab
    sudo systemctl restart mssql-server
    ```
 
+6. Optional: Disable UDP connections to the domain controller to improve performance. In many cases, UDP connections will always fail when connecting to a domain controller, so you can set config options in `/etc/krb5.conf`  to skip UDP calls. Edit `/etc/krb5.conf` and set the following options:
+
+   ```/etc/krb5.conf
+   [libdefaults]
+   udp_preference_limit=0
+   ```
+
 ## <a id="createsqllogins"></a> Create AD-based logins in Transact-SQL
 
 1. Connect to [!INCLUDE[ssNoVersion](../includes/ssnoversion-md.md)] and create a new, AD-based login:
@@ -274,7 +313,7 @@ The specific connection string parameter for clients to use AD Authentication de
   * JDBC: [Using Kerberos Integrated Authentication to Connect SQL Server](https://docs.microsoft.com/sql/connect/jdbc/using-kerberos-integrated-authentication-to-connect-to-sql-server)
   * ODBC: [Using Integrated Authentication](https://docs.microsoft.com/sql/connect/odbc/linux/using-integrated-authentication)
   * ADO.NET: [Connection String Syntax](https://msdn.microsoft.com/library/system.data.sqlclient.sqlauthenticationmethod(v=vs.110).aspx)
-  
+ 
 ## Next steps
 
 In this tutorial, we walked through how to set up Active Directory authentication with SQL Server on Linux. You learned how to:

docs/relational-databases/security/encryption/encrypt-a-column-of-data.md

@@ -58,7 +58,7 @@ PASSWORD = '<some strong password>';
 ```  
 Always backup your database master key. For more information on database master keys, see [CREATE MASTER KEY &#40;Transact-SQL&#41;](../../../t-sql/statements/create-master-key-transact-sql.md).
 
-#### To encrypt a column of data using a simple symmetric encryption  
+#### To encrypt a column of data using symmetric encryption that includes an authenticator  
 
 1.  In **Object Explorer**, connect to an instance of [!INCLUDE[ssDE](../../../includes/ssde-md.md)].  
 
@@ -117,7 +117,7 @@ Always backup your database master key. For more information on database master
     GO  
     ```  
   
-#### To encrypt a column of data using symmetric encryption that includes an authenticator  
+#### To encrypt a column of data using a simple symmetric encryption  
   
 1.  In **Object Explorer**, connect to an instance of [!INCLUDE[ssDE](../../../includes/ssde-md.md)].  
   

docs/relational-databases/triggers/ddl-triggers.md

@@ -1,4 +1,4 @@
----
+---
 title: "DDL Triggers | Microsoft Docs"
 ms.custom: ""
 ms.date: "03/14/2017"
@@ -32,10 +32,10 @@ monikerRange: "= azuresqldb-current || >= sql-server-2016 || = sqlallproducts-al
 >  Test your DDL triggers to determine their responses to system stored procedures that are run. For example, the CREATE TYPE statement and the **sp_addtype** stored procedure will both fire a DDL trigger that is created on a CREATE_TYPE event.  
   
 ## Types of DDL Triggers  
- Transact-SQL DDL Trigger  
+ ### Transact-SQL DDL Trigger  
  A special type of [!INCLUDE[tsql](../../includes/tsql-md.md)] stored procedure that executes one more more [!INCLUDE[tsql](../../includes/tsql-md.md)] statements in response to a server-scoped or database-scoped event. For example, a DDL Trigger may fire if a statement such as ALTER SERVER CONFIGURATION is executed or if a table is deleted by using DROP TABLE.  
 
- CLR DDL Trigger  
+ ### CLR DDL Trigger  
  Instead of executing a [!INCLUDE[tsql](../../includes/tsql-md.md)] stored procedure, a CLR trigger executes one or more methods written in managed code that are members of an assembly created in the .NET Framework and uploaded in [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)].  
 
  DDL triggers fire only after the DDL statements that trigger them are run. DDL triggers cannot be used as INSTEAD OF triggers. DDL triggers do not fire in response to events that affect local or global temporary tables and stored procedures.  

docs/t-sql/statements/set-implicit-transactions-transact-sql.md

@@ -55,7 +55,7 @@ SET IMPLICIT_TRANSACTIONS { ON | OFF }
 
  When OFF, each of the preceding T-SQL statements is bounded by an unseen BEGIN TRANSACTION and an unseen COMMIT TRANSACTION statement. When OFF, we say the transaction mode is *autocommit*. If your T-SQL code visibly issues a BEGIN TRANSACTION, we say the transaction mode is *explicit*.  
 
- There are several clarifying point to understand:  
+ There are several clarifying points to understand:  
 
 -   When the transaction mode is implicit, no unseen BEGIN TRANSACTION is issued if @@trancount > 0 already. However, any explicit BEGIN TRANSACTION statements still increment @@TRANCOUNT.