
Answer-first summary for fast verification
Answer: Use Google Cloud Directory Sync to synchronize Active Directory usernames with cloud identities and configure SAML SSO.
The question requires integrating Google Cloud resources with an on-premises Active Directory domain controller while retaining it as the primary identity management source. Option B is the correct answer because Google Cloud Directory Sync (GCDS) synchronizes user accounts and groups from on-premises AD to Cloud Identity, enabling users to access GCP resources with their existing identities. Configuring SAML SSO allows authentication to be delegated to the on-premises AD, ensuring passwords remain on-premises. This approach aligns with Google's recommended practice for federating GCP with Active Directory.
Option A is incorrect as the Admin Directory API is not designed for AD authentication. Option C is suboptimal because Cloud IAP alone does not synchronize identities and may not support direct AD integration without additional components like ADFS. Option D is incorrect as it involves creating a replica AD domain controller in GCP, which contradicts the requirement to retain the on-premises AD as the primary source.
The community discussion strongly supports B, with 89% consensus, citing official documentation and reasoning that GCDS with SAML SSO meets the requirement effectively.
Author: LeetQuiz Editorial Team
Your company wants to begin using Google Cloud resources while continuing to use their on-premises Active Directory domain controller for identity management. What should you do?
A. Use the Admin Directory API to authenticate against the Active Directory domain controller.
B. Use Google Cloud Directory Sync to synchronize Active Directory usernames with cloud identities and configure SAML SSO.
C. Use Cloud Identity-Aware Proxy configured to use the on-premises Active Directory domain controller as an identity provider.
D. Use Compute Engine to create an Active Directory (AD) domain controller that is a replica of the on-premises AD domain controller using Google Cloud Directory Sync.