Google Cloud: Managed Microsoft Active Directory

Allan Alfonso
Google Cloud - Community
5 min read · Apr 12, 2022

Managed Microsoft Active Directory (MS AD) is a fully managed Active Directory service on Google Cloud Platform (GCP). Like many managed offerings, MS AD removes the overhead of patching, backing up and monitoring the domain controllers yourself. Setup needs only a few inputs: a domain name, a region, the authorized VPC networks, and a reserved IP range for the controllers.

Benefits:

  • Locality. Active Directory runs close to your Microsoft workloads in GCP.
  • Secure. Managed AD is not exposed to the Internet. All communication is over private IP from the VPC networks you explicitly authorize.
  • Geo-diversity. Domain controllers can be deployed in several regions.

The base topology mirrors GCP's fault-tolerant Microsoft Active Directory reference architecture. Two domain controllers are always deployed in separate zones within a region for high availability. Additional controllers can be deployed in other regions for multi-region availability; each domain can span up to four regions.

Minimum GCP fault-tolerant Microsoft Active Directory Architecture

When an MS AD instance is created, a DNS peering zone (a private Cloud DNS zone whose records are visible only inside your authorized networks) is created for the domain, and DNS peering is established between the authorized VPC and the VPC that Google runs the controllers in. The controllers are assigned private IP addresses from the reserved IP range you specify. Those addresses are not exposed to you, so you connect using the domain's fully qualified domain name rather than an IP address.

VPC and DNS Peering between Managed Active Directory and Project

Deployment

Google provides a codelab you can experiment with. Below is a summary and variation of that process. These steps assume a VPC and subnets for your workloads already exist.

  1. Enable DNS and Managed Identities APIs.
gcloud services enable dns.googleapis.com
gcloud services enable managedidentities.googleapis.com

2. Create the domain controllers. Specify the region where the controllers will be deployed and the authorized VPC (networks) that may reach MS AD. The reserved IP range is a private /24 (RFC 1918) address space that you choose. Because the domain controllers live in a Google-managed VPC that is connected to yours with VPC Peering, the range must not overlap any subnet in the authorized VPC or in any network peered to it, otherwise the peering will not establish. Check the subnet ranges of every authorized and peered VPC before picking the range. One suggestion is 192.168.255.0/24, a valid range that is not commonly used.

export PROJECT_ID=$(gcloud config get-value project)
export DOMAIN_NAME="ad.local"
export IP_RANGE="192.168.255.0/24"   # must not overlap any authorized or peered subnet
export REGION="us-central1"
export VPC="vpc-1"
# The authorized network is given as a full resource path, not just the VPC name
gcloud active-directory domains create $DOMAIN_NAME \
--reserved-ip-range=$IP_RANGE \
--region=$REGION \
--authorized-networks=projects/$PROJECT_ID/global/networks/$VPC

Verify the deployment status. The deployment can take up to 60 minutes to finish.

gcloud active-directory domains describe $DOMAIN_NAME

3. The delegated administrator account for the MS AD domain is "setupadmin". Set its password. If you set the password from the GCP console it is shown only once, so record it; otherwise you will have to reset it again. Treat this credential like a domain admin credential: store it in a secrets manager, not in shell history or a shared document.

#Set MS AD password using the gcloud command
gcloud active-directory domains reset-managed-identities-admin-password $DOMAIN_NAME
Set MS AD Password using GCP console

4. To manage your MS AD, create a Windows VM on a supported Windows version to act as an administrative VM. Since MS AD cannot be reached directly, this VM is the client you manage the domain from. Also create a firewall rule to allow RDP. Do not open TCP/3389 to the whole Internet: restrict the rule to your administrative source range (or to IAP TCP forwarding's range, 35.235.240.0/20, if you tunnel RDP through IAP) and to a network tag carried only by the admin VM. Finally, set the Windows VM password. The VM can take 10 minutes before it is ready.

export ZONE="us-central1-a"
export VPC="vpc-1"
export SUBNET="subnet-1"
export VM_NAME="admin-vm"
export ADMIN_CIDR="203.0.113.10/32"   # example value: replace with your admin IP, or 35.235.240.0/20 for IAP
#Create Windows VM (image family always resolves to the current patched image)
gcloud compute instances create $VM_NAME \
--zone=$ZONE \
--machine-type=n1-standard-2 \
--subnet=$SUBNET \
--network-tier=PREMIUM \
--tags=rdp-admin \
--scopes=https://www.googleapis.com/auth/cloud-platform \
--image-family=windows-2016 \
--image-project=windows-cloud \
--boot-disk-size=50GB \
--boot-disk-type=pd-standard
#Create FW rule to allow RDP only from the admin range and only to tagged VMs
gcloud compute firewall-rules create allow-rdp --network=$VPC --allow=tcp:3389 \
--source-ranges=$ADMIN_CIDR --target-tags=rdp-admin
#Set Windows VM password
gcloud compute reset-windows-password --user=user1 --zone=$ZONE $VM_NAME

5. Connect to the administrative Windows VM using RDP. In our example the admin VM is Windows Server 2016 running Server Manager. You can follow this guide to install RSAT on Windows Server 2016: Install Remote Server Administration Tools (RSAT). RSAT installation differs on other Windows versions.

TIP: If you don't want to install through the Windows GUI, the following cmdlet in an elevated Windows PowerShell session installs RSAT on Windows Server 2016.

Install-WindowsFeature -Name "RSAT-AD-Tools" -IncludeAllSubFeature -IncludeManagementTools -Confirm

Once complete, you should see the Active Directory tools under the Tools menu.

Active Directory Tools installed in Windows Server Manager

6. Join the administrative VM to the domain using the delegated administrator account "setupadmin" and the MS AD password you set. Reboot the VM to complete the join. Log in again with the delegated administrator account and use the AD tools you installed to connect to and manage MS AD. Google Compute Engine (GCE) VMs use Cloud DNS by default, and DNS peering is already established between the authorized VPC and the MS AD VPC, so VMs discover the domain controllers without any client-side DNS configuration, which is a nice operational benefit.
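The join described above, as an added example that is not part of the original article: it runs in an elevated PowerShell session on the admin VM, first checks that the domain's locator records resolve through the DNS peering and that a controller answers on LDAP, and only then joins. The domain name "ad.local" comes from the article; everything else is an assumption of this example.

```powershell
# Added example, not from the article. Run on the admin VM as a local administrator.
$Domain = "ad.local"   # domain created in step 2

# 1. Preflight: the DC locator SRV record must resolve via Cloud DNS peering.
#    If this fails, the VPC is not in --authorized-networks or the peering zone
#    is missing; it is not a credential problem.
$records = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
$srv = $records | Where-Object Type -eq 'SRV'
$srv | Select-Object NameTarget, Port, Priority | Format-Table -AutoSize

# 2. Confirm a controller is reachable on LDAP (TCP/389) from this subnet.
$dc = ($srv | Select-Object -First 1).NameTarget
if (-not (Test-NetConnection -ComputerName $dc -Port 389 -InformationLevel Quiet)) {
    throw "Cannot reach $dc on TCP/389; check VPC peering and firewall rules"
}

# 3. Join with the delegated admin. Get-Credential prompts for the password so it
#    never appears on the command line or in PSReadLine history.
$cred = Get-Credential -UserName "$Domain\setupadmin" -Message "Managed AD delegated admin"
Add-Computer -DomainName $Domain -Credential $cred -Restart -Force
```

After the reboot, sign in as `ad.local\setupadmin`; the RSAT consoles will bind to the domain automatically because the joined machine locates controllers through the same SRV records the preflight checked.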

Managed Microsoft AD provides two Organizational Units (OUs): Cloud and Cloud Service Objects. Cloud is created in your Managed Microsoft AD domain to hold all of your AD objects. You have full administrative access to the Cloud OU but can update only some attributes of objects under Cloud Service Objects, which Google uses for the service itself. Create users, groups, computers and further sub-OUs under the Cloud OU.
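An added example of day-one administration under that delegation model, not code from the article: run as setupadmin on the joined admin VM after RSAT is installed. It lists the two provided OUs, creates a sub-OU, group and user under Cloud, and then deliberately tries to create an object under Cloud Service Objects to confirm the write is refused. The OU, group and user names are made up for the example.

```powershell
# Added example, not from the article. Requires RSAT-AD-PowerShell (installed in step 5).
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName        # e.g. DC=ad,DC=local
$cloudOU  = "OU=Cloud,$domainDN"
$svcOU    = "OU=Cloud Service Objects,$domainDN"

# The two OUs the service provides at the domain root.
Get-ADOrganizationalUnit -SearchBase $domainDN -SearchScope OneLevel -Filter * |
    Select-Object Name, DistinguishedName | Format-Table -AutoSize

# Everything you own goes under Cloud (or a sub-OU of it). Names below are hypothetical.
New-ADOrganizationalUnit -Name "Servers" -Path $cloudOU -ProtectedFromAccidentalDeletion $true
New-ADGroup -Name "sql-admins" -GroupScope Global -GroupCategory Security -Path $cloudOU

# Prompt for the service account password instead of embedding it in the script.
$pw = Read-Host -AsSecureString -Prompt "Initial password for svc-sql"
New-ADUser -Name "svc-sql" -SamAccountName "svc-sql" -Path $cloudOU `
    -AccountPassword $pw -Enabled $true
Add-ADGroupMember -Identity "sql-admins" -Members "svc-sql"

# Delegation check: creating objects under Cloud Service Objects is expected to fail.
try {
    New-ADOrganizationalUnit -Name "should-fail" -Path $svcOU -ErrorAction Stop
    Write-Warning "Unexpected: a write under Cloud Service Objects succeeded"
} catch {
    Write-Host "Expected: write under Cloud Service Objects denied ($($_.Exception.Message))"
}
```

Keeping the try/catch is useful as a smoke test after any change to the domain, since a successful write there would mean the delegation boundary you are relying on is not what you think it is.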

Once MS AD is deployed, there are further design options to consider, such as a hybrid deployment with a trust to an on-premises forest. Additional material is listed below.

Further Watching

Google Cloud Managed Microsoft Active Directory