Exam AZ-500 topic 2 question 16 discussion

Wrong: https://docs.microsoft.com/en-us/azure/hdinsight/domain-joined/apache-domain-joined-architecture

You have hybrid enviroment so AD DS is alredy in place, you would need site to site vpn so the answer is no.

To support the answer: Yes, deploying Azure Active Directory Domain Services (Azure AD DS) to the Azure subscription can be a solution to allow users to authenticate to the HDInsight cluster using their on-premises Active Directory credentials. Here's why: 1. Azure AD DS provides a managed domain service that is compatible with traditional Active Directory Domain Services 2. It enables one-way synchronization from Azure AD to the managed domain, allowing access to a central set of users, groups, and credentials 3. For hybrid environments with on-premises AD, Azure AD Connect can be used to synchronize identity information with Azure AD, which then synchronizes with Azure AD DS 4. This setup allows users to log in to services and applications connected to the managed domain using their existing credentials Set up different domain controllers Answer = A

Answer: No According to the Microsoft documentation you referenced, connecting an Azure HDInsight cluster directly to an on-premises Active Directory (AD) domain is not supported. Therefore, the correct answer to the question "You need to configure the environment to support the planned authentication." is No. Deploying Azure Active Directory Domain Services (Azure AD DS) does not directly meet the goal of allowing users to authenticate to the HDInsight cluster using their on-premises AD credentials.

Yes, deploying Azure Active Directory Domain Services (Azure AD DS) to the Azure subscription meets the goal of allowing users to authenticate to the Azure HDInsight cluster using their on-premises Active Directory credentials in a hybrid Azure AD configuration. Azure AD DS provides managed domain services such as domain join, group policy, LDAP, and Kerberos/NTLM authentication that are fully compatible with Windows Server Active Directory. By integrating Azure AD DS with your Azure HDInsight cluster on a virtual network, you can leverage these domain services to enable seamless authentication using on-premises Active Directory credentials. This setup allows users to access the HDInsight cluster with their existing credentials, facilitating a smoother and more secure integration between on-premises and cloud resources. This approach is particularly effective in hybrid environments where organizations wish to extend their on-premises identity infrastructure to Azure services, ensuring that authentication and access control are centrally managed.

Currently, HDInsight only supports Microsoft Entra Domain Services as the primary domain controller that the cluster uses for Kerberos communication. But other complex Active Directory configurations are possible, as long as such configuration leads to enabling Microsoft Entra Domain Services for access to HDInsight.

A VPN is required. By Using AD DS, this will convert the AAD Synced (or now Entra ID) synced entities into a one-way sync to AAD DS. But this isn't using the local on-prem account. This is using the Microsoft Hybrid Section of the account. (i.e. AD DS maybe contoso.local, but Entra ID will be contoso.com. AD DS will be Contoso.com (or whatever domain you select when you set it up). It's asking to use the on-prem account (contoso.local), not a converted Microsoft account.

I suspect the Answer is B, but the question is worded incorrect. The answer suggests the HDInsight is on-Prem rather than the original question reporting it's in cloud.

Answer: A Explanation: Azure Active Directory Domain Services Azure AD DS provides a managed domain that's fully compatible with Windows Server Active Directory. Microsoft takes care of managing, patching, and monitoring the domain in a highly available (HA) setup. You can deploy your cluster without worrying about maintaining domain controllers. Users, groups, and passwords are synchronized from Azure AD. The one-way sync from your Azure AD instance to Azure AD DS enables users to sign in to the cluster by using the same corporate credentials.

Yes is answer, deploying Azure Active Directory Domain Services (Azure AD DS) to the Azure subscription can meet the goal of allowing users to authenticate to the Azure HDInsight cluster using their on-premises Active Directory credentials. Azure AD DS provides the capability to extend your on-premises Active Directory to Azure, allowing seamless authentication for resources hosted in Azure, including HDInsight clusters

Correct answer is A - YES. You don't need a VPN with OnPrem to connect to HDInsights. It would be relevant if you need connection between HDInsights and onPrem servers and/or want to remove/restric public traffic. HDIsights can be accessed from internet no matters of the authentication method. https://learn.microsoft.com/en-us/azure/hdinsight/hdinsight-virtual-network-architecture Now you want to connects HDI with on-prem AD DS identities. The only supported way is to use Azure AD DS (An Azure Service, different from your onprem AD DS). Azure AD DS needs AD connect with PHS from On-Prem AD DS to Azure AD. You are in Hybrid config so already setup AD Connects. Azure AD DS is deplpoyed in a VNEt and needs to be Perred with HDInsights VNet. That's it. https://learn.microsoft.com/en-us/azure/hdinsight/domain-joined/apache-domain-joined-create-configure-enterprise-security-cluster

https://learn.microsoft.com/en-us/azure/hdinsight/domain-joined/apache-domain-joined-architecture If PHS is confirmed to be configured and Azure ADDS can be reached it will do the work. So I would go for NO on these basis and not that it needs to be connected via VPN.

https://learn.microsoft.com/en-us/azure/hdinsight/domain-joined/apache-domain-joined-configure-using-azure-adds

Yes, deploying Azure Active Directory Domain Services (Azure AD DS) to the Azure subscription would meet the goal of allowing users to authenticate to the Azure HDInsight cluster using their on-premises Active Directory credentials. Azure AD DS provides managed domain services that can be used to join HDInsight clusters to an Azure AD DS-managed domain. This allows users to authenticate using their on-premises AD credentials seamlessly. Therefore, the solution meets the goal.

A: YES

A. Yes

answer should be No, it must use VPN source:https://learn.microsoft.com/en-us/azure/hdinsight/connect-on-premises-network