diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,12 @@
 # Change Log
 
+## [v3.5.0](https://github.com/sensu/sensu-puppet/tree/v3.5.0) (2019-07-21)
+[Full Changelog](https://github.com/sensu/sensu-puppet/compare/v3.4.1...v3.5.0)
+
+**Merged pull requests:**
+
+- AD Auth updates [\#1124](https://github.com/sensu/sensu-puppet/pull/1124) ([treydock](https://github.com/treydock))
+
 ## [v3.4.1](https://github.com/sensu/sensu-puppet/tree/v3.4.1) (2019-07-19)
 [Full Changelog](https://github.com/sensu/sensu-puppet/compare/v3.4.0...v3.4.1)
 
@@ -18,7 +25,6 @@
 - Add ability to run acceptance tests against Sensu-Go CI builds [\#1115](https://github.com/sensu/sensu-puppet/pull/1115) ([treydock](https://github.com/treydock))
 - Support listing sensuctl resources using chunk-size [\#1114](https://github.com/sensu/sensu-puppet/pull/1114) ([treydock](https://github.com/treydock))
 - Regenerate backend test cert to include additional SANs [\#1113](https://github.com/sensu/sensu-puppet/pull/1113) ([treydock](https://github.com/treydock))
-- Support Sensu Go 5.6 [\#1105](https://github.com/sensu/sensu-puppet/pull/1105) ([treydock](https://github.com/treydock))
 
 ## [v3.3.0](https://github.com/sensu/sensu-puppet/tree/v3.3.0) (2019-05-18)
 [Full Changelog](https://github.com/sensu/sensu-puppet/compare/v3.2.0...v3.3.0)
@@ -33,6 +39,10 @@
 ## [v3.2.0](https://github.com/sensu/sensu-puppet/tree/v3.2.0) (2019-05-06)
 [Full Changelog](https://github.com/sensu/sensu-puppet/compare/v3.1.0...v3.2.0)
 
+**Merged pull requests:**
+
+- Support Sensu Go 5.6 [\#1105](https://github.com/sensu/sensu-puppet/pull/1105) ([treydock](https://github.com/treydock))
+
 ## [v3.1.0](https://github.com/sensu/sensu-puppet/tree/v3.1.0) (2019-04-19)
 [Full Changelog](https://github.com/sensu/sensu-puppet/compare/v3.0.0...v3.1.0)
 

diff --git a/REFERENCE.md b/REFERENCE.md
@@ -759,13 +759,18 @@ Default value: present
 
 ##### `servers`
 
-AD servers
-Defaults:
-* insecure: false
-* security: tls
-* trusted_ca_file: ""
-* client_cert_file: ""
-* client_key_file: ""
+AD servers as Array of Hashes
+
+Keys:
+* host: required
+* port: required
+* insecure: default is `false`
+* security: default is `tls`
+* trusted_ca_file: default is `""`
+* client_cert_file: default is `""`
+* client_key_file: default is `""`
+* default_upn_domain: default is `""`
+* include_nested_groups: Boolean
 
 ##### `server_binding`
 
@@ -774,18 +779,20 @@ AD server bindings
 ##### `server_group_search`
 
 Search configuration for groups.
-Defaults:
-* attribute: member
-* name_attribute: cn
-* object_class: group
+Keys:
+* base_dn: required
+* attribute: default is `member`
+* name_attribute: default is `cn`
+* object_class: default is `group`
 
 ##### `server_user_search`
 
 Search configuration for users.
-Defaults:
-* attribute: sAMAccountName
-* name_attribute: displayName
-* object_class: person
+Keys:
+* base_dn: required
+* attribute: default is `sAMAccountName`
+* name_attribute: default is `displayName`
+* object_class: default is `person`
 
 ##### `groups_prefix`
 
@@ -1881,13 +1888,16 @@ Default value: present
 
 ##### `servers`
 
-LDAP servers
-Defaults:
-* insecure: false
-* security: tls
-* trusted_ca_file: ""
-* client_cert_file: ""
-* client_key_file: ""
+LDAP servers as Array of Hashes
+
+Keys:
+* host: required
+* port: required
+* insecure: default is `false`
+* security: default is `tls`
+* trusted_ca_file: default is `""`
+* client_cert_file: default is `""`
+* client_key_file: default is `""`
 
 ##### `server_binding`
 
@@ -1896,18 +1906,20 @@ LDAP server bindings
 ##### `server_group_search`
 
 Search configuration for groups.
-Defaults:
-* attribute: member
-* name_attribute: cn
-* object_class: groupOfNames
+Keys:
+* base_dn: required
+* attribute: default is `member`
+* name_attribute: default is `cn`
+* object_class: default is `groupOfNames`
 
 ##### `server_user_search`
 
 Search configuration for users.
-Defaults:
-* attribute: uid
-* name_attribute: cn
-* object_class: person
+Keys:
+* base_dn: required
+* attribute: default is `uid`
+* name_attribute: default is `cn`
+* object_class: default is `person`
 
 ##### `groups_prefix`
 

diff --git a/lib/puppet/provider/sensu_ad_auth/sensuctl.rb b/lib/puppet/provider/sensu_ad_auth/sensuctl.rb
@@ -33,6 +33,8 @@ def self.instances
         s['trusted_ca_file'] = server['trusted_ca_file']
         s['client_cert_file'] = server['client_cert_file']
         s['client_key_file'] = server['client_key_file']
+        s['default_upn_domain'] = server['default_upn_domain']
+        s['include_nested_groups'] = server['include_nested_groups']
         binding[s['host']] = server['binding']
         group_search[s['host']] = server['group_search']
         user_search[s['host']] = server['user_search']

diff --git a/lib/puppet/type/sensu_ad_auth.rb b/lib/puppet/type/sensu_ad_auth.rb
@@ -58,13 +58,18 @@
 
   newproperty(:servers, :array_matching => :all, :parent => PuppetX::Sensu::ArrayOfHashesProperty) do
     desc <<-EOS
-    AD servers
-    Defaults:
-    * insecure: false
-    * security: tls
-    * trusted_ca_file: ""
-    * client_cert_file: ""
-    * client_key_file: ""
+    AD servers as Array of Hashes
+
+    Keys:
+    * host: required
+    * port: required
+    * insecure: default is `false`
+    * security: default is `tls`
+    * trusted_ca_file: default is `""`
+    * client_cert_file: default is `""`
+    * client_key_file: default is `""`
+    * default_upn_domain: default is `""`
+    * include_nested_groups: Boolean
     EOS
     validate do |server|
       if ! server.is_a?(Hash)
@@ -86,7 +91,12 @@
       if server.key?('security') && ! ['tls','starttls','insecure'].include?(server['security'].to_s)
         raise ArgumentError, "server security must be tls, starttls or insecure, not #{server['security']}"
       end
-      valid_keys = ['host','port','insecure','security','trusted_ca_file','client_cert_file','client_key_file']
+      if server.key?('include_nested_groups') && ! [TrueClass,FalseClass].include?(server['include_nested_groups'].class)
+        raise ArgumentError, "server include_nested_groups must be a Boolean"
+      end
+      valid_keys = ['host','port','insecure','security',
+        'trusted_ca_file','client_cert_file','client_key_file',
+        'default_upn_domain', 'include_nested_groups']
       server.keys.each do |key|
         if ! valid_keys.include?(key)
           raise ArgumentError, "#{key} is not a valid key for server"
@@ -100,11 +110,14 @@
       if ! server.key?('security')
         server['security'] = 'tls'
       end
-      ['trusted_ca_file','client_cert_file','client_key_file'].each do |k|
+      ['trusted_ca_file','client_cert_file','client_key_file','default_upn_domain'].each do |k|
         if ! server.key?(k)
           server[k] = ''
         end
       end
+      if ! server.key?('include_nested_groups')
+        server['include_nested_groups'] = nil
+      end
       server
     end
   end
@@ -146,10 +159,11 @@ def should_to_s(newvalue)
   newproperty(:server_group_search, :parent => PuppetX::Sensu::HashProperty) do
     desc <<-EOS
     Search configuration for groups.
-    Defaults:
-    * attribute: member
-    * name_attribute: cn
-    * object_class: group
+    Keys:
+    * base_dn: required
+    * attribute: default is `member`
+    * name_attribute: default is `cn`
+    * object_class: default is `group`
     EOS
     validate do |server_group_search|
       super(server_group_search)
@@ -190,10 +204,11 @@ def should_to_s(newvalue)
   newproperty(:server_user_search, :parent => PuppetX::Sensu::HashProperty) do
     desc <<-EOS
     Search configuration for users.
-    Defaults:
-    * attribute: sAMAccountName
-    * name_attribute: displayName
-    * object_class: person
+    Keys:
+    * base_dn: required
+    * attribute: default is `sAMAccountName`
+    * name_attribute: default is `displayName`
+    * object_class: default is `person`
     EOS
     validate do |server_user_search|
       super(server_user_search)

diff --git a/lib/puppet/type/sensu_ldap_auth.rb b/lib/puppet/type/sensu_ldap_auth.rb
@@ -58,13 +58,16 @@
 
   newproperty(:servers, :array_matching => :all, :parent => PuppetX::Sensu::ArrayOfHashesProperty) do
     desc <<-EOS
-    LDAP servers
-    Defaults:
-    * insecure: false
-    * security: tls
-    * trusted_ca_file: ""
-    * client_cert_file: ""
-    * client_key_file: ""
+    LDAP servers as Array of Hashes
+
+    Keys:
+    * host: required
+    * port: required
+    * insecure: default is `false`
+    * security: default is `tls`
+    * trusted_ca_file: default is `""`
+    * client_cert_file: default is `""`
+    * client_key_file: default is `""`
     EOS
     validate do |server|
       if ! server.is_a?(Hash)
@@ -146,10 +149,11 @@ def should_to_s(newvalue)
   newproperty(:server_group_search, :parent => PuppetX::Sensu::HashProperty) do
     desc <<-EOS
     Search configuration for groups.
-    Defaults:
-    * attribute: member
-    * name_attribute: cn
-    * object_class: groupOfNames
+    Keys:
+    * base_dn: required
+    * attribute: default is `member`
+    * name_attribute: default is `cn`
+    * object_class: default is `groupOfNames`
     EOS
     validate do |server_group_search|
       super(server_group_search)
@@ -190,10 +194,11 @@ def should_to_s(newvalue)
   newproperty(:server_user_search, :parent => PuppetX::Sensu::HashProperty) do
     desc <<-EOS
     Search configuration for users.
-    Defaults:
-    * attribute: uid
-    * name_attribute: cn
-    * object_class: person
+    Keys:
+    * base_dn: required
+    * attribute: default is `uid`
+    * name_attribute: default is `cn`
+    * object_class: default is `person`
     EOS
     validate do |server_user_search|
       super(server_user_search)

diff --git a/metadata.json b/metadata.json
@@ -1,6 +1,6 @@
 {
   "name": "sensu-sensu",
-  "version": "3.4.1",
+  "version": "3.5.0",
   "author": "sensu",
   "summary": "A module to install the Sensu monitoring framework",
   "license": "MIT",

diff --git a/spec/acceptance/sensu_ad_auth_spec.rb b/spec/acceptance/sensu_ad_auth_spec.rb
@@ -61,6 +61,8 @@ class { '::sensu::backend':
         expect(data['servers'][0]['port']).to eq(389)
         expect(data['servers'][0]['insecure']).to eq(false)
         expect(data['servers'][0]['security']).to eq('tls')
+        expect(data['servers'][0]['default_upn_domain']).to eq('')
+        expect(data['servers'][0]['include_nested_groups']).to be_nil
         expect(data['servers'][0]['binding']).to eq({'user_dn' => 'cn=binder,dc=acme,dc=org', 'password' => 'P@ssw0rd!'})
         expect(data['servers'][0]['group_search']).to eq({'base_dn' => 'dc=acme,dc=org','attribute' => 'member','name_attribute' => 'cn','object_class' => 'group'})
         expect(data['servers'][0]['user_search']).to eq({'base_dn' => 'dc=acme,dc=org','attribute' => 'sAMAccountName','name_attribute' => 'displayName','object_class' => 'person'})
@@ -80,6 +82,8 @@ class { '::sensu::backend':
           {
             'host' => 'localhost',
             'port' => 636,
+            'default_upn_domain' => 'example.com',
+            'include_nested_groups' => true,
           },
         ],
         server_binding      => {
@@ -122,6 +126,8 @@ class { '::sensu::backend':
         expect(data['servers'][0]['port']).to eq(636)
         expect(data['servers'][0]['insecure']).to eq(false)
         expect(data['servers'][0]['security']).to eq('tls')
+        expect(data['servers'][0]['default_upn_domain']).to eq('example.com')
+        expect(data['servers'][0]['include_nested_groups']).to eq(true)
         expect(data['servers'][0]['binding']).to eq({'user_dn' => 'cn=test,dc=acme,dc=org', 'password' => 'password'})
         expect(data['servers'][0]['group_search']).to eq({'base_dn' => 'dc=acme,dc=org','attribute' => 'member','name_attribute' => 'cn','object_class' => 'group'})
         expect(data['servers'][0]['user_search']).to eq({'base_dn' => 'dc=acme,dc=org','attribute' => 'sAMAccountName','name_attribute' => 'displayName','object_class' => 'person'})

diff --git a/spec/fixtures/unit/provider/sensu_ad_auth/sensuctl/list.json b/spec/fixtures/unit/provider/sensu_ad_auth/sensuctl/list.json
@@ -24,7 +24,8 @@
           "attribute": "sAMAccountName",
           "name_attribute": "displayName",
           "object_class": "person"
-        }
+        },
+        "default_upn_domain": ""
       }
     ],
     "groups_prefix": "",
@@ -58,7 +59,8 @@
           "attribute": "sAMAccountName",
           "name_attribute": "displayName",
           "object_class": "person"
-        }
+        },
+        "default_upn_domain": ""
       }
     ],
     "groups_prefix": "",

diff --git a/spec/unit/provider/sensu_ad_auth/sensuctl_spec.rb b/spec/unit/provider/sensu_ad_auth/sensuctl_spec.rb
@@ -42,6 +42,8 @@
           'trusted_ca_file' => '',
           'client_cert_file' => '',
           'client_key_file' => '',
+          'default_upn_domain' => '',
+          'include_nested_groups' => nil,
           'binding' => {'user_dn' => 'cn=foo', 'password' => 'foo'},
           'group_search' => {'base_dn' => 'ou=Groups','attribute' => 'member','name_attribute' => 'cn','object_class' => 'group'},
           'user_search' => {'base_dn' => 'ou=People','attribute' => 'sAMAccountName','name_attribute' => 'displayName','object_class' => 'person'},
@@ -65,6 +67,8 @@
           'trusted_ca_file' => '',
           'client_cert_file' => '',
           'client_key_file' => '',
+          'default_upn_domain' => '',
+          'include_nested_groups' => nil,
           'group_search' => {'base_dn' => 'ou=Groups','attribute' => 'member','name_attribute' => 'cn','object_class' => 'group'},
           'user_search' => {'base_dn' => 'ou=People','attribute' => 'sAMAccountName','name_attribute' => 'displayName','object_class' => 'person'},
         }]
@@ -96,6 +100,8 @@
           'trusted_ca_file' => '',
           'client_cert_file' => '',
           'client_key_file' => '',
+          'default_upn_domain' => '',
+          'include_nested_groups' => nil,
           'binding' => {'user_dn' => 'cn=foo', 'password' => 'bar'},
           'group_search' => {'base_dn' => 'ou=Groups','attribute' => 'member','name_attribute' => 'cn','object_class' => 'group'},
           'user_search' => {'base_dn' => 'ou=People','attribute' => 'sAMAccountName','name_attribute' => 'displayName','object_class' => 'person'},

diff --git a/spec/unit/sensu_ad_auth_spec.rb b/spec/unit/sensu_ad_auth_spec.rb
@@ -175,6 +175,8 @@
         'trusted_ca_file' => '',
         'client_cert_file' => '',
         'client_key_file' => '',
+        'default_upn_domain' => '',
+        'include_nested_groups' => nil,
       }]
       expect(auth[:servers]).to eq(expected)
     end
@@ -202,6 +204,10 @@
       config[:servers] = [{'host' => 'test', 'port' => 389, 'security' => 'foo'}]
       expect { auth }.to raise_error(Puppet::Error, /server security must be tls, starttls or insecure/)
     end
+    it 'should require boolean for include_nested_groups' do
+      config[:servers] = [{'host' => 'test', 'port' => 389, 'include_nested_groups' => 'true'}]
+      expect { auth }.to raise_error(Puppet::Error, /server include_nested_groups must be a Boolean/)
+    end
   end
 
   describe 'server_binding' do