HGS Requirements


All replies

  • Hello,

    If you look at this step you will have the information

    https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-configure-dns-forwarding-and-trust

    Based on the command netdom trust it seems that HGS domain should trust the fabric domain

    Best Regards,

    Thursday, July 12, 2018 16:50
  • Hello Dokoh,

    First of all, when I read some documentation describing some feature/technology I expect to see the full explanation, not the one that makes me start looking for another piece of documentation somewhere on the technet.

    Regarding the article you mentioned: I've already read it and also concluded that the HGS domain should trust the Fabric domain. Moreover, I've deployed guarded fabric in my own test network in that way and it works perfectly. And that is why I'm asking that question - because in all MS 70-744 exam questions Fabric domain(s) trust(s) HGS domain(s), not vice versa!!! Should I conclude that the people who were making the exam questions didn't read the article you posted above?

    Regards,
    Michael


    • Edited by MF47 Friday, July 13, 2018 07:21
    Friday, July 13, 2018 07:03
  • Hello Michael,

    Your question is a semantic question, and that's why I looked at the implementation plan, to be sure that I was understanding your question well.

    Looking around on MVP blogs like the one below and comparing it to the schema in the article below, it really seems that the HGS domain should trust the Fabric domain and not the reverse, because they need to prove their identities to the HGS, which doesn't have the information regarding the identities in the HGS domain.

    https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-deployment-overview

    https://blogs.msmvps.com/acefekay/2016/11/02/active-directory-trusts/

    The article below expresses the same and it is from Microsoft: "In this example, two external trust relationships exist between domains in the Windows Server 2003 forest and the Windows 2000 forest. The direction of the one-way external trust arrow indicates that the sales.corp.worldwideimporters.com domain trusts the rome.europe.corp.tailspintoys.com domain, which means that users in the rome.europe.corp.tailspintoys.com domain can access resources in the sales.corp.worldwideimporters.com domain."

    https://technet.microsoft.com/pt-pt/library/cc773178(v=ws.10).aspx

    So maybe it's the MVP blog, docs or technet which are wrong and the MS 70-744 which is right.

    Best Regards,

    Friday, July 13, 2018 15:50
  • Hello Dokoh,

    "Your question is a semantic question" - totally disagree: it's not a semantic question but the key point of the AD implementation of guarded fabric. The lack of understanding in such an important area of HGS technology may lead to incorrect deployments. The MVP blogs you mentioned cannot be wrong simply because the AD-based HGS service works fine when deployed according to them, so when I see questions on the MS exam like "Fabric domain trusts HGS domain" I have just one feeling: the exam makers do not understand what they are asking the examinees... shame on MS!

    Thank you for your help, Dokoh.

    Regards,
    Michael

    Tuesday, July 17, 2018 07:52
  • Hello Michael,

    No problem. When I was saying "semantic question", it's because when they say "you will need to configure an Active Directory trust between the fabric domain and the HGS domain" you don't really know the direction of the trust, and it's always annoying.

    That's why, when I see this type of explanation, I will always try to have a schema or the command used in order to be sure of the direction.

    Anyway, as far as I understand, I don't think it's logical to have the trust in the other direction.

    Best Regards,

    • Marked as answer by MF47 Wednesday, July 18, 2018 10:06
    Tuesday, July 17, 2018 09:12
  • "Anyway, as far as I understand, I don't think it's logical to have the trust in the other direction" - now I'd say "Neither do I", but when I was reading the HGS documentation for the first time I thought that the Fabric domain should trust the HGS domain because it must trust HGS attestation data...

    Regards,
    Michael


    • Edited by MF47 Tuesday, July 17, 2018 12:37
    Tuesday, July 17, 2018 12:37
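
The trust direction the thread settles on, as an added example that is not part of any post above and not Microsoft's own code: a PowerShell check that turns the `Direction` value of a trust record read on the HGS domain into explicit trusting/trusted pairs. The domain names `hgs.example` and `fabric.example` and both function names are assumptions, and the sample records are constructed.

```powershell
# Added example. hgs.example / fabric.example are constructed placeholder names.
# Direction is read from the domain that holds the trust object (the local side):
#   Outbound      = local domain trusts the target domain
#   Inbound       = target domain trusts the local domain
#   BiDirectional = both
function Resolve-TrustDirection {
    param(
        [Parameter(Mandatory)][string]$LocalDomain,
        [Parameter(Mandatory)][string]$Target,
        [Parameter(Mandatory)][ValidateSet('Inbound','Outbound','BiDirectional')][string]$Direction
    )
    $edges = @()
    if ($Direction -in 'Outbound','BiDirectional') {
        $edges += [pscustomobject]@{ Trusting = $LocalDomain; Trusted = $Target }
    }
    if ($Direction -in 'Inbound','BiDirectional') {
        $edges += [pscustomobject]@{ Trusting = $Target; Trusted = $LocalDomain }
    }
    $edges
}

# Compare a trust record read on the HGS domain with the layout the thread
# concludes is correct: HGS domain trusts fabric domain, and not the reverse.
function Test-HgsTrustDirection {
    param($Trust, [string]$HgsDomain, [string]$FabricDomain)
    $edges = @(Resolve-TrustDirection -LocalDomain $HgsDomain -Target $Trust.Target -Direction $Trust.Direction)
    $hgsTrustsFabric = @($edges | Where-Object { $_.Trusting -eq $HgsDomain -and $_.Trusted -eq $FabricDomain }).Count -gt 0
    $fabricTrustsHgs = @($edges | Where-Object { $_.Trusting -eq $FabricDomain -and $_.Trusted -eq $HgsDomain }).Count -gt 0
    [pscustomobject]@{
        Direction       = $Trust.Direction
        HgsTrustsFabric = $hgsTrustsFabric
        FabricTrustsHgs = $fabricTrustsHgs
        AsExpected      = $hgsTrustsFabric -and -not $fabricTrustsHgs
    }
}

# Constructed sample records, shaped like the Target/Direction fields of Get-ADTrust output.
$samples = @(
    [pscustomobject]@{ Target = 'fabric.example'; Direction = 'Outbound' }
    [pscustomobject]@{ Target = 'fabric.example'; Direction = 'Inbound' }
    [pscustomobject]@{ Target = 'fabric.example'; Direction = 'BiDirectional' }
)
$samples | ForEach-Object {
    Test-HgsTrustDirection -Trust $_ -HgsDomain 'hgs.example' -FabricDomain 'fabric.example'
} | Format-Table -AutoSize

# Live use on the HGS domain (requires the ActiveDirectory module):
# Get-ADTrust -Filter "Target -eq 'fabric.example'" |
#   ForEach-Object { Test-HgsTrustDirection -Trust $_ -HgsDomain 'hgs.example' -FabricDomain 'fabric.example' }
```

Only the `Outbound` record reports `AsExpected = True`; an `Inbound` or `BiDirectional` result means the fabric domain trusts the HGS domain, the direction the posters conclude is wrong.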