Closed aravish closed 5 years ago
@aravish Thank you for your feedback! Could you link the URL of the documentation you were following? That way, we can pass your feedback to the appropriate content author.
PowerShell script to be updated with below
```powershell
$lifetime = Get-Date
# Wildcard subject plus both SAN entries: the wildcard and the bare domain
New-SelfSignedCertificate -Subject *.contoso100.com -NotAfter $lifetime.AddDays(365) -KeyUsage DigitalSignature, KeyEncipherment `
  -Type SSLServerAuthentication -DnsName "*.contoso100.com","contoso100.com"
```
@MarileeTurscak-MSFT please assign to me.
We reported this issue to the HDI team. They informed us this problem is resolved. Wildcard certificates always begin with an asterisk (*).
It is worth mentioning that even if you do generate a self-signed certificate using the command above, you can still face the very same error if the vnet you are deploying to is not configured with the IP addresses of DNS servers for AADDS. I ran into this even though I had vnet peering with AADDS vnet configured.
The self-signed cert needs to be generated by the command below for the HDI cluster to provision correctly.
```powershell
$lifetime = Get-Date
New-SelfSignedCertificate -Subject *.contoso100.com -NotAfter $lifetime.AddDays(365) -KeyUsage DigitalSignature, KeyEncipherment -Type SSLServerAuthentication -DnsName "*.contoso100.com","contoso100.com"
```
Errors encountered if not done via the above command:
```
,"ErrorCode":"DomainNotFoundInActiveDirectory","ErrorMessage":"Domain contoso100.com not found in the Active Directory."
com.microsoft.util.RetryException: com.microsoft.DomainOperationNonRetryableException: An SSL exception occurred while trying to communicate with the Active Directory. Make sure the certificate associated with the Active Directory is valid.
Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching contoso100.com found.
```
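Added example, not part of the issue or of the HDInsight documentation: a simplified model of matching a host name against a certificate's subject alternative DNS names, showing why the `-DnsName` list in the thread carries both the wildcard and the bare domain. `Test-SanMatch` and the host name `ldaps.contoso100.com` are hypothetical, and the SAN lists are constructed sample input.

```powershell
# Simplified model of DNS-name matching against SAN entries (an assumption
# for illustration, not the Java or HDInsight implementation).
function Test-SanMatch {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][string[]]$SanDnsNames
    )
    $hostLabels = $HostName.TrimEnd('.').ToLowerInvariant().Split('.')
    foreach ($san in $SanDnsNames) {
        $sanLabels = $san.TrimEnd('.').ToLowerInvariant().Split('.')
        # A wildcard stands for exactly one left-most label, so the
        # number of labels must agree before comparing them.
        if ($sanLabels.Count -ne $hostLabels.Count) { continue }
        $match = $true
        for ($i = 0; $i -lt $sanLabels.Count; $i++) {
            $isWildcard = ($i -eq 0 -and $sanLabels[$i] -eq '*')
            if (-not $isWildcard -and $sanLabels[$i] -ne $hostLabels[$i]) {
                $match = $false
                break
            }
        }
        if ($match) { return $true }
    }
    return $false
}

# Constructed SAN lists: wildcard only, the list from the thread,
# and the list as it reads when the asterisk is dropped.
$cases = [ordered]@{
    'wildcard only'      = @('*.contoso100.com')
    'wildcard plus apex' = @('*.contoso100.com', 'contoso100.com')
    'asterisk dropped'   = @('.contoso100.com', 'contoso100.com')
}

foreach ($name in $cases.Keys) {
    foreach ($h in 'contoso100.com', 'ldaps.contoso100.com') {
        [pscustomobject]@{
            Case    = $name
            Host    = $h
            Matches = Test-SanMatch -HostName $h -SanDnsNames $cases[$name]
        }
    }
}
```

Only the "wildcard plus apex" list matches both names: the wildcard alone does not cover the bare domain, and an entry without the asterisk covers no subdomain.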