Exam AZ-303 topic 3 question 20 discussion

You need to recommend a solution for the hybrid scenario that minimizes the amount of maintenance required. So Join the Azure VMs on On Prem AD connected via VPN

Shouldn't the answer in box 1 be "join the VMs to AD DS" ?

https://4sysops.com/archives/join-an-azure-vm-to-an-on-prem-active-directory/

I could definately see connecting directely over the VPN working and you could argue that it will reduce maintenace. However, framing the question from a Microsoft best practice exam question, I can't see MS suggesting connecting your Azure VM's directly over a single non-resilitant VPN WAN link and Im pretty sure they would expect a local DC and AD Site in Azure to handle Authentication etc if the VPN was down. So while 1&1 would work I think MS would be looking for 2&1.

Question appeared On AZ-303 exam on 08/12/2021 - 49 questions, 4Q - Fabrikan case study

On exam today 22/11/21 Score 839

A and A --- Minimum maintenance

Was on the exam 30/08 passed with 871. Answered 1 and 1

https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/identity/ The Azure AD directory is not an extension of an on-premises directory. Rather, it's a copy that contains the same objects and identities. Changes made to these items on-premises are copied to Azure AD, but changes made in Azure AD are not replicated back to the on-premises domain. Join to existing on-premises domain Minimise maintenance so connection is VPN then

The right way to do it would be another DC in Azure - so you can join the domain with less latency - however more headache to setup, create a new site blah blah. Simply creating a S2S VPN and then just joining them to the domain would also work and be the least maintenance A and A (or 1 and 1 which ever you prefer)

I had this question in the exam that i took on July 14th 2021

https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/identity/ 3, 1

https://docs.microsoft.com/en-us/azure/active-directory-domain-services/scenarios#secure-administration-of-azure-virtual-machines

"hybrid scenario that minimizes the amount of maintenance" Why on earth would you create a new domain controller!?!

This document gives this explanation: i think B and A are correct Azure provides two solutions for implementing directory and identity services in Azure: Use Azure AD to create an Active Directory domain in the cloud and connect it to your on-premises Active Directory domain. Azure AD Connect integrates your on-premises directories with Azure AD. Extend your existing on-premises Active Directory infrastructure to Azure, by deploying a VM in Azure that runs AD DS as a Domain Controller. This architecture is more common when the on-premises network and the Azure virtual network (VNet) are connected by a VPN or ExpressRoute connection. Several variations of this architecture are possible: Create a domain in Azure and join it to your on-premises AD forest. Create a separate forest in Azure that is trusted by domains in your on-premises forest. Replicate an Active Directory Federation Services (AD FS) deployment to Azure.

For minimal maintenance you would just use the on-premise domain and that requires a VPN. A and A are correct. The work to do this requires the set up of DNS solution in Auzre and configuring your VMs correctly but this isn't on going work i.e. it's not maintenance.

For minimal maintenance you would just use the on-premise domain and that requires a VPN. A and A are correct. The work to do this requires the set up of DNS solution in Auzre and configuring your VMs correctly but this isn't on going work i.e. it's not maintenance.