Question 238 of 500
Managing operations in a cloud solution environment · Medium · Multiple Choice · Objective-mapped

Quick Answer

The answer is to create a two-way trust between the Managed Microsoft AD domain and the on-premises AD domain. This is correct because a two-way trust enables seamless Kerberos authentication flow, allowing on-premises users to authenticate to Compute Engine Windows instances using their existing credentials without duplicating identities or requiring additional user setup. On the Google Professional Cloud Security Engineer exam, this scenario tests your understanding of identity federation and secure domain integration, often appearing as a distractor against options like one-way trusts or manual user provisioning. A common trap is choosing a one-way trust, which only allows authentication in one direction and fails to meet the scalability requirement. Memory tip: think “two-way trust = two-way traffic for credentials,” ensuring on-premises users can reach cloud resources and cloud resources can validate them back.

PCSE Practice Question: Managing operations in a cloud solution environment

This PCSE practice question tests your understanding of managing operations in a cloud solution environment. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A company is migrating its on-premises Microsoft Active Directory to Google Cloud using Managed Microsoft AD (Microsoft AD). They need to ensure that users can authenticate to Compute Engine Windows instances using their on-premises credentials without additional user setup. What is the most secure and scalable approach?

Correct answer & explanation

Create a two-way trust between the Managed Microsoft AD domain and the on-premises AD domain.

Option B is correct because establishing a two-way trust between Managed Microsoft AD and the on-premises AD domain allows users to authenticate to Compute Engine Windows instances using their existing on-premises credentials without any additional user setup. This trust enables Kerberos authentication to flow seamlessly across the two domains, ensuring that on-premises users can access cloud resources securely and scalably without duplicating identities or credentials.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Configure the Windows instances to join the on-premises AD domain directly via VPN.

    Why it's wrong here

    Domain join alone does not manage authentication; users would still need to authenticate to on-premises DCs.

  • Create a two-way trust between the Managed Microsoft AD domain and the on-premises AD domain.

    Why this is correct

    A trust enables on-premises users to authenticate to resources in the cloud domain without duplicating identities.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Synchronize on-premises users to Managed Microsoft AD using Google Cloud Directory Sync (GCDS).

    Why it's wrong here

    GCDS syncs to Google Cloud Directory, not Managed Microsoft AD.

  • Store on-premises user credentials in Cloud KMS and use a custom authentication script.

    Why it's wrong here

    This approach is insecure and not scalable.

Common exam traps

Common exam trap: answer the scenario, not the keyword

Google Cloud often tests the misconception that directory synchronization (like GCDS) is sufficient for authentication, but candidates must understand that synchronization alone does not enable single sign-on or credential validation—only a trust or federation (e.g., via Active Directory Federation Services) allows users to authenticate with their existing on-premises passwords.

Detailed technical explanation

How to think about this question

A two-way trust between Managed Microsoft AD and on-premises AD uses Kerberos v5 authentication, where the Managed Microsoft AD domain acts as a resource domain and the on-premises domain as the account domain. Under the hood, the trust establishes a secure channel using a shared inter-domain key, enabling transitive authentication; this means users from the on-premises domain can authenticate to Windows instances in the Managed Microsoft AD domain without any password synchronization, and group memberships are resolved via the global catalog. In a real-world scenario, this approach supports hybrid identity scenarios where on-premises users need access to cloud-based Windows VMs, and it scales automatically as Managed Microsoft AD handles domain controller replication and failover within Google Cloud.
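An added example, not part of the original page: a check over the JSON returned by `gcloud active-directory domains describe DOMAIN --format=json` that confirms the trust described above is present, connected and configured in the intended direction. The sample data, the domain names and the `audit_trust` helper are constructed for illustration, and the field names assume the Managed Microsoft AD API's Trust resource.

```python
import json

# Constructed sample shaped like the output of
# `gcloud active-directory domains describe DOMAIN --format=json`.
# Project, domain names and IP address are placeholders.
SAMPLE = json.loads("""
{
  "name": "projects/example-project/locations/global/domains/cloud.example.com",
  "trusts": [
    {
      "targetDomainName": "corp.example.com",
      "trustType": "FOREST",
      "trustDirection": "OUTBOUND",
      "selectiveAuthentication": false,
      "targetDnsIpAddresses": ["10.0.0.10"],
      "state": "CONNECTED"
    }
  ]
}
""")


def audit_trust(domain, onprem_domain, expected_direction="BIDIRECTIONAL"):
    """Return a list of findings for the trust to onprem_domain (empty = clean)."""
    trusts = [t for t in domain.get("trusts", [])
              if t.get("targetDomainName", "").lower() == onprem_domain.lower()]
    if not trusts:
        return [f"no trust to {onprem_domain} is configured"]
    findings = []
    for t in trusts:
        direction = t.get("trustDirection", "unset")
        if direction != expected_direction:
            findings.append(f"direction is {direction}, expected {expected_direction}")
        state = t.get("state", "unset")
        if state != "CONNECTED":
            findings.append(f"state is {state}, not CONNECTED")
        # With forest-wide authentication, any account in the trusted forest can
        # authenticate to any resource in the trusting domain; only ACLs limit it.
        if not t.get("selectiveAuthentication", False):
            findings.append("selective authentication is off (forest-wide access)")
    return findings


if __name__ == "__main__":
    for finding in audit_trust(SAMPLE, "corp.example.com"):
        print("FINDING:", finding)
```

The `expected_direction` default follows the answer this page selects; pass a different value to check another design.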

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A company's IT admin needs to give a contractor read-only access to production logs without sharing account credentials. Using role-based access control (RBAC) and temporary scoped permissions — not a permanent shared password — is the correct pattern. Questions like this test whether you can apply least-privilege access across cloud identity services.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

FAQ

Questions learners often ask

What does this PCSE question test?

This question tests managing operations in a cloud solution environment. Key concept: read the scenario before looking for a memorised answer.

What is the correct answer to this question?

The correct answer is: Create a two-way trust between the Managed Microsoft AD domain and the on-premises AD domain. — Option B is correct because establishing a two-way trust between Managed Microsoft AD and the on-premises AD domain allows users to authenticate to Compute Engine Windows instances using their existing on-premises credentials without any additional user setup. This trust enables Kerberos authentication to flow seamlessly across the two domains, ensuring that on-premises users can access cloud resources securely and scalably without duplicating identities or credentials.

What should I do if I get this PCSE question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.

Last reviewed: Jun 30, 2026

This PCSE practice question is part of Courseiva's free Google Cloud certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the PCSE exam.