Configure Microsoft Active Directory Domain Controllers on Google Cloud

Configuring the Network Environment

Before you create virtual machine instances, you need to create the VPC network and configure it to host a Microsoft Active Directory environment.

Microsoft Active Directory environment

Create the VPC network:

You create your VPC network with subnets in two different regions.

  1. In the Cloud Console, go to the VPC networks page.
  2. Click Create VPC network.
  3. For Name, enter example.
  4. For Subnet creation mode, choose Custom.
  5. In the New subnet section, specify the following configuration parameters for the first subnet in us-central1:
    1. For Name, enter example.
    2. For Region, select us-central1.
    3. For IP address range, enter 10.0.0.0/16.
    4. Under Private Google access, select On.
    5. Click Done.
  6. To add another subnet in us-east4, click Add subnet and specify the following configuration parameters:
    1. For Name, enter example.
    2. For Region, select us-east4.
    3. For IP address range, enter 10.1.0.0/16.
    4. Under Private Google access, select On.
    5. Click Done.
  7. Click Create.

Create the domain controller firewall rule:

  1. In the Cloud Console, go to the Firewall rules page.
  2. Click Create firewall rule.
  3. For Name, enter example.allow-dc.
    This name must be unique for the project.
  4. For Network, choose example to specify the network where the firewall rule will be implemented.
  5. For Priority, leave the default value, 1000.
    The lower the number, the higher the priority.
  6. For Direction of traffic, choose ingress.
  7. For Action on match, choose allow.
  8. For Targets, choose Specified Target tags, and in the Target tags field, enter dc for the tag to which the rule should apply.
  9. For Source filter, choose IP ranges and enter the following CIDR blocks into the Source IP ranges field to define the source for incoming traffic: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16.
  10. For Protocols and ports, choose Specified protocols and ports to define the protocols and ports to which the rule applies:
    1. Select tcp, and enter the following comma-delimited list of ports: 88,135,389,445,464,636,3268,3269,49152-65535.
    2. Select udp, and enter the following comma-delimited list of ports: 88,123,389,464.
    3. Select Other protocols and include icmp.
  11. Click Create.

Create the DNS firewall rule:

  1. Click Create firewall rule.
  2. For Name, enter example.allow-dns.
    This name must be unique for the project.
  3. For Network, choose example to specify the network where the firewall rule will be implemented.
  4. For Priority, leave the default value, 1000.
    The lower the number, the higher the priority.
  5. For Direction of traffic, choose ingress.
  6. For Action on match, choose allow.
  7. For Targets, choose Specified Target tags, and in the Target tags field, enter dns for the tags to which the rule should apply.
  8. For Source filter, choose IP ranges and enter the following CIDR blocks into the Source IP ranges field to define the source for incoming traffic: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 35.199.192.0/19.
  9. For Protocols and ports, choose Specified protocols and ports to define the protocols and ports to which the rule applies:
    1. Select tcp, and enter the following port: 53.
    2. Select udp, and enter the following port: 53.
  10. Click Create.

Create the Remote Desktop firewall rule:

  1. Click Create firewall rule.
  2. For Name, enter example.allow-rdp.
    This name must be unique for the project.
  3. For Network, choose example to specify the network where the firewall rule will be implemented.
  4. For Priority, leave the default value, 1000.
    The lower the number, the higher the priority.
  5. For Direction of traffic, choose ingress.
  6. For Action on match, choose allow.
  7. For Targets, choose Specified Target tags, and in the Target tags field, enter rdp for the tags to which the rule should apply.
  8. For Source filter, choose IP ranges and enter the following CIDR block into the Source IP ranges field to define the source for incoming traffic: 35.235.240.0/20.
  9. For Protocols and ports, choose Specified protocols and ports, select tcp, and then enter the port 3389.
  10. Click Create.

Create the Cloud DNS private forwarding zone:

  1. In the Cloud Console, go to the Cloud DNS page.
  2. Click Create zone.
  3. For Zone type, choose private.
  4. For Zone name, enter example-org.
  5. For DNS name, enter example.org.
  6. Select Forward queries to another server to configure forwarding destinations.
  7. For Destination DNS servers, enter the following addresses: 10.0.0.2, 10.1.0.2.
  8. Under Network, choose example to specify the network to which the forwarding zone applies.
  9. Click Create.
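The network, subnets, firewall rules and forwarding zone above as one PowerShell script that calls the gcloud CLI. This is an added example, not part of the original page; it assumes gcloud is installed and authenticated, that you replace the project id placeholder, and it uses hyphenated rule names (example-allow-dc and so on) because Compute Engine resource names cannot contain dots.

```powershell
# Added example: gcloud equivalents of the console steps above.
# Assumes gcloud is installed and authenticated; replace the project id placeholder.
$ProjectId = "PROJECT_ID_PLACEHOLDER"
$Net = "example"
$Rfc1918 = "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"

# VPC with one custom subnet per region; Private Google Access stays on because the
# instances created later get no external IP.
gcloud compute networks create $Net --project $ProjectId --subnet-mode custom
gcloud compute networks subnets create $Net --project $ProjectId --network $Net `
    --region us-central1 --range 10.0.0.0/16 --enable-private-ip-google-access
gcloud compute networks subnets create $Net --project $ProjectId --network $Net `
    --region us-east4 --range 10.1.0.0/16 --enable-private-ip-google-access

# Domain controller ports, reachable only from RFC 1918 space and only on instances
# tagged "dc". Resource names cannot contain dots, so "example.allow-dc" is written
# here as "example-allow-dc".
gcloud compute firewall-rules create example-allow-dc --project $ProjectId --network $Net `
    --direction INGRESS --action ALLOW --priority 1000 --target-tags dc `
    --source-ranges $Rfc1918 `
    --rules "tcp:88,tcp:135,tcp:389,tcp:445,tcp:464,tcp:636,tcp:3268,tcp:3269,tcp:49152-65535,udp:88,udp:123,udp:389,udp:464,icmp"

# DNS: RFC 1918 plus 35.199.192.0/19, the range Cloud DNS forwarding queries come from.
gcloud compute firewall-rules create example-allow-dns --project $ProjectId --network $Net `
    --direction INGRESS --action ALLOW --priority 1000 --target-tags dns `
    --source-ranges "$Rfc1918,35.199.192.0/19" --rules "tcp:53,udp:53"

# RDP: only from 35.235.240.0/20, the IAP TCP forwarding range. Nothing else reaches 3389.
gcloud compute firewall-rules create example-allow-rdp --project $ProjectId --network $Net `
    --direction INGRESS --action ALLOW --priority 1000 --target-tags rdp `
    --source-ranges 35.235.240.0/20 --rules tcp:3389

# Private forwarding zone so VMs in the network resolve example.org via the DCs.
gcloud dns managed-zones create example-org --project $ProjectId --dns-name "example.org." `
    --description "Forward example.org to the domain controllers" --visibility private `
    --networks $Net --forwarding-targets 10.0.0.2,10.1.0.2

# Review: every rule should show only the narrow source ranges above and a target tag.
# A rule with 0.0.0.0/0 or no target tag here means a step was mistyped.
gcloud compute firewall-rules list --project $ProjectId --filter "network:$Net" `
    --format "table(name,direction,sourceRanges.list(),targetTags.list())"
```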

Launching the Domain Controller Instances:

Launch the initial domain controller instance in us-central1:

  1. In the Cloud Console, go to the VM instances page.
  2. Click Create instance and specify dc-1 as the name for your instance.
  3. For Region, select us-central1.
  4. Take note of the Zone value. You need it later.
  5. For Machine type, select 2 vCPUs for the n1-standard-2 machine type.
  6. Under Boot disk, click Change to select your boot disk image, and then do the following:
    1. In the Boot disk dialog, select Windows Server 2019 Datacenter under OS images.
    2. For Boot disk type, select Standard persistent disk.
    3. For Size (GB), specify 50.
    4. Click Select to finalize your boot disk choices.
  7. Expand the Management, security, disks, networking, sole tenancy menu.
  8. Click Networking, and then do the following:
    1. For Network tags, enter the following tags to apply relevant firewall rules to your instance: dc, dns, rdp.
    2. For Networking interfaces, click the edit icon to edit the default interface.
    3. For Network, select the example VPC network.
    4. For Primary Internal IP, select Reserve Static IP address.
    5. In the Reserve a static internal IP address dialog, for Name, enter dc-1.
    6. For Static IP address, select Let me choose.
    7. For Custom IP address, enter 10.0.0.2.
    8. Click Reserve.
    9. For External IP, select None to prevent assignment of an external IP address.
    10. Click Done.
  9. Click Create.

Launch the second domain controller instance in us-east4:

  1. In the VM instances page, click Create instance and specify dc-2 as the name for your instance.
  2. For Region, select us-east4.
  3. Take note of the Zone selected here. You need it later.
  4. For Machine type, select 2 vCPUs for the n1-standard-2 machine type.
  5. Under Boot disk, click Change to select your boot disk image, and then do the following:
    1. In the Boot disk dialog, under OS images, select Windows Server 2019 Datacenter.
    2. For Boot disk type, select Standard persistent disk.
    3. For Size (GB), specify 50.
    4. Click Select to finalize your boot disk choices.
  6. Expand the Management, security, disks, networking, sole tenancy menu.
  7. Click Networking, and then do the following:
    1. For Network tags, enter the following tags to apply relevant firewall rules to your instance: dc, dns, rdp.
    2. For Networking interfaces, click the edit icon to edit the default interface.
    3. For Network, select the example VPC network.
    4. For Primary Internal IP, select Reserve Static IP address.
    5. In the Reserve a static internal IP address dialog, for Name, enter dc-2.
    6. For Static IP address, select Let me choose.
    7. For Custom IP address, enter 10.1.0.2.
    8. Click Reserve.
    9. For External IP, select None to prevent assignment of an external IP address.
    10. Click Done.
  8. Click Create.

Connecting to an instance using IAP for TCP Forwarding

Establish the RDP connection to dc-1:

  1. Using your Remote Desktop client of choice, connect to dc-1 by specifying localhost or 127.0.0.1 for the remote address and 53389 as the remote port.
  2. When you're prompted, enter the username and password you created in the previous procedure.
  3. When you later disconnect from the instance, you must press Control+C to cancel the gcloud beta compute start-iap-tunnel command and close the tunnel.

Promoting the Initial Domain Controller:

After connecting to dc-1, you work in your RDP window to enable the local administrator account, install Active Directory Domain Services, and configure the instance as a domain controller in a new Active Directory forest.

Enable the local administrator user

  1. In dc-1, open Server Manager, and then select the menu item Tools > Computer Management.
  2. In the left-hand navigation pane, under Computer Management (Local) > System Tools, expand Local Users and Groups, and then select the Users folder.
  3. Right-click Administrator, and then select Set Password.
  4. In the Set Password for Administrator dialog, click Proceed.
  5. Enter and confirm a strong password, and then click OK twice.
  6. Right-click Administrator, and then select Properties.
  7. On the General tab, clear Account is disabled.
  8. Click OK.
  9. Close Computer Management.

Install Active Directory Domain Services:

  1. In dc-1, open Server Manager, and select the menu item Manage > Add Roles and Features.
  2. In the Before You Begin page, click Next.
  3. In the Installation Type page, click Next.
  4. In the Server Selection page, click Next.
  5. In the Server Roles page, under Roles, select Active Directory Domain Services.
  6. In the Add Roles and Features Wizard popup, click Add Features.
  7. Click Next.
  8. In the Features page, click Next.
  9. In the AD DS page, click Next.
  10. In the Confirmation page, click Install.
  11. After installation completes, click Close.

Configure dc-1 as a domain controller:

  1. Click the Notifications flag icon at the top of the Server Manager window.
  2. In the Post-deployment Configuration notification, click Promote this server to a domain controller.
  3. In the Active Directory Domain Services Configuration Wizard, under Select the deployment operation, choose Add a new forest.
  4. For Root domain name, enter example.org.
  5. Click Next.
  6. In the Domain Controller Options page, enter and confirm a strong password for the Directory Services Restore Mode (DSRM) password.
  7. Click Next.
  8. In the DNS Options page, click Next.
  9. In the Additional Options page, click Next.
  10. In the Paths page, click Next.
  11. In the Review Options page, click Next.
  12. In the Prerequisites Check page, after the checks are completed, click Install.

Because the instance automatically restarts after installation, you are disconnected from your RDP session.

Configuring Active Directory sites and replication:

In this section, you reconnect to dc-1 to configure Active Directory sites and replication, this time using domain administrator credentials.

Configure Active Directory sites:

  1. Connect to dc-1 as before by using the local forwarding port, but this time use domain administrator credentials:
    1. For Username, enter example\administrator.
    2. For Password, enter the password you previously assigned to the local administrator account on dc-1.
  2. In Server Manager, select the menu item Tools > Active Directory Sites and Services.
  3. In the left-hand navigation pane, under Active Directory Sites and Services, right-click Sites, and then select New Site.
  4. For Name, enter GCP-us-central1.
  5. Under Select a site link object for this site, select DEFAULTIPSITELINK.
  6. Click OK twice.
  7. Repeat steps 3-6 to create a similar site named GCP-us-east4.

Configure site links for Active Directory replication:

  1. In the left-hand navigation pane, under Active Directory Sites and Services > Sites, expand Inter-Site Transports.
  2. Right-click IP, and then choose New Site Link.
  3. For Name, specify GCP-us-central1-us-east4.
  4. Under Sites not in this site link, highlight both GCP-us-central1 and GCP-us-east4.
  5. Click Add to move the sites into Sites in this site link.
  6. Click OK.
  7. In the left-hand navigation pane, under Active Directory Sites and Services > Sites > Inter-Site Transports, select IP.
  8. Right-click the new site link GCP-us-central1-us-east4, and then choose Properties.
  9. For Cost, enter 250.
  10. For Replicate Every, enter 15 minutes.
  11. Click OK.

Configure subnets for Active Directory sites

  1. In the left-hand navigation pane, under Active Directory Sites and Services > Sites, right-click Subnets, and then select New subnet.
  2. For Prefix, enter 10.0.0.0/16.
  3. Under Site Name, select GCP-us-central1.
  4. Click OK.
  5. Repeat steps 1-4 to create a similar subnet for 10.1.0.0/16 and site GCP-us-east4.

Add dc-1 to the appropriate site (GCP-us-central1)

  1. In the left-hand navigation pane, under Active Directory Sites and Services > Sites, expand Default-First-Site-Name > Servers, and expand GCP-us-central1.
  2. Drag dc-1 from Default-First-Site-Name > Servers to GCP-us-central1 > Servers.
  3. In the Active Directory Domain Services confirmation dialog, click Yes.
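The sites, site link, subnets and server move from the four procedures above as one ActiveDirectory-module script, with checks at the end. This is an added example, not part of the original page; it assumes it runs in an elevated PowerShell on dc-1 as example\administrator with the AD DS management tools installed.

```powershell
# Added example: scripted equivalent of the Active Directory Sites and Services steps above.
# Assumes: run on dc-1, elevated, as example\administrator; ActiveDirectory module present.
Import-Module ActiveDirectory

# Region site -> subnet, in the order the text creates them.
$Sites = [ordered]@{ "GCP-us-central1" = "10.0.0.0/16"; "GCP-us-east4" = "10.1.0.0/16" }

# One site per region. The console wizard also puts each new site in DEFAULTIPSITELINK;
# New-ADReplicationSite does not require a link, the dedicated link below provides it.
foreach ($site in $Sites.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
    }
}

# Dedicated IP site link between the two regions: cost 250, replicate every 15 minutes.
New-ADReplicationSiteLink -Name "GCP-us-central1-us-east4" `
    -SitesIncluded ([string[]]$Sites.Keys) `
    -InterSiteTransportProtocol IP -Cost 250 -ReplicationFrequencyInMinutes 15

# Subnet-to-site mapping. Without this, clients and DCs fall back to Default-First-Site-Name
# and a client in 10.1.0.0/16 may authenticate against dc-1 across regions.
foreach ($site in $Sites.Keys) {
    New-ADReplicationSubnet -Name $Sites[$site] -Site $site
}

# Move dc-1 out of Default-First-Site-Name into its regional site.
Move-ADDirectoryServer -Identity "dc-1" -Site "GCP-us-central1"

# Verify: dc-1's site, the link parameters, and that every subnet is assigned to a site.
Get-ADDomainController -Identity "dc-1" | Select-Object Name, Site
Get-ADReplicationSiteLink -Identity "GCP-us-central1-us-east4" |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
```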

Promoting Additional Domain Controllers:

Configure dc-2 as a domain controller:

  1. Click the Notifications flag icon at the top of the Server Manager window.
  2. In the Post-deployment Configuration notification, click Promote this server to a domain controller.
  3. In the Active Directory Domain Services Configuration Wizard, under Select the deployment operation, choose Add a domain controller to an existing domain.
  4. For Domain, enter example.org.
  5. Under Supply the credentials to perform this operation, click Change.
  6. In the Windows Security dialog, specify your domain administrator credentials:
    1. For Username, enter example\administrator.
    2. For Password, enter the password you previously assigned to the local administrator account on dc-1.
  7. Click OK to close the dialog.
  8. Click Next.
  9. In the Domain Controller Options page, under Site name, verify that GCP-us-east4 is selected.
  10. Enter and confirm a strong password for the Directory Services Restore Mode (DSRM) password.
  11. You can use the same DSRM password that you specified for dc-1. In any case, remember this password. It can be useful if you need to repair or recover your domain.
  12. Click Next.
  13. In the DNS Options page, click Next.
  14. You might see the warning "A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found." You can disregard this warning because the forwarding zone in the preceding Cloud DNS configuration serves the same purpose as the delegation mentioned in the warning.
  15. In the Additional Options page, click Next.
  16. In the Paths page, click Next.
  17. In the Review Options page, click Next.
  18. In the Prerequisites Check page, after the checks are completed, click Install.
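The two promotion wizards, the dc-1 forest promotion (including enabling the local administrator) earlier and the dc-2 promotion just above, as one script selected by a $Role parameter. This is an added example, not part of the original page; it assumes an elevated PowerShell on the server being promoted and a NetBIOS domain name of EXAMPLE, which is what the example\administrator logon in the text implies.

```powershell
# Added example: scripted equivalent of the Server Manager promotion wizards above.
# Assumes: run elevated on the server named by $Role; NetBIOS domain name EXAMPLE.
param([ValidateSet("dc-1", "dc-2")][string]$Role = "dc-1")

$Domain = "example.org"
# The text allows the same DSRM password on both DCs; prompt for it rather than hardcoding.
$DsrmPassword = Read-Host -Prompt "DSRM password" -AsSecureString

if ($Role -eq "dc-1") {
    # Enable the built-in local Administrator with a strong password. After the forest is
    # created this account becomes example\administrator, which is why the later steps
    # reuse the same password for the domain administrator.
    $LocalPassword = Read-Host -Prompt "Local Administrator password" -AsSecureString
    Set-LocalUser -Name Administrator -Password $LocalPassword
    Enable-LocalUser -Name Administrator
}

# Same as Add Roles and Features > Active Directory Domain Services.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

if ($Role -eq "dc-1") {
    # New forest. The server reboots when this finishes, which drops the RDP session.
    Install-ADDSForest -DomainName $Domain -DomainNetbiosName "EXAMPLE" `
        -InstallDns -SafeModeAdministratorPassword $DsrmPassword -Force
} else {
    # Additional DC placed directly in its regional site. The "delegation cannot be created"
    # DNS warning also appears here and is expected: Cloud DNS forwards the zone instead.
    $Cred = Get-Credential -UserName "example\administrator" -Message "Domain administrator"
    Install-ADDSDomainController -DomainName $Domain -Credential $Cred -SiteName "GCP-us-east4" `
        -InstallDns -SafeModeAdministratorPassword $DsrmPassword -Force
}
```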

Testing the Active Directory Configuration:

Test the domain controller configuration by launching a new test instance into the environment and joining it to the domain.

Launch the test instance us-central1

  1. In the Cloud Console, go to the VM instances page.
  2. Click Create instance and specify test-1 as the name for your instance.
  3. For Region, select us-central1.
  4. Take note of the Zone value. You need it later.
  5. For Machine type, select 2 vCPUs for the n1-standard-2 machine type.
  6. Under Boot disk, click Change to select your boot disk image, and then do the following:
    1. In the Boot disk dialog, under OS images, select Windows Server 2019 Datacenter.
    2. For Boot disk type, select Standard persistent disk.
    3. For Size (GB), specify 50.
    4. Click Select to finalize your boot disk choices.
  7. Expand the Management, security, disks, networking, sole tenancy menu.
  8. Click the Networking section header, and then do the following:
    1. For Network tags, enter rdp to apply the Remote Desktop firewall rule to your instance.
    2. Under Networking interfaces, click the edit icon to edit the default interface.
    3. Under Network, select the example VPC network.
    4. For External IP, select None to prevent assignment of an external IP address.
    5. Click Done.
  9. Click Create.

Connect to the Test Instance:

In this section, you get credentials for a local user on test-1 and then connect to the test instance server.

Connect to the test instance server test-1

  1. At your local command prompt, start a tunnel using IAP and the gcloud CLI:

    gcloud beta compute start-iap-tunnel test-1 3389 \
      --zone=zone \
      --project=project-id

    As the gcloud CLI initializes the tunnel for TCP forwarding, you see output similar to the following:

    Testing if tunnel connection works.
    Listening on port [17148].

  2. Use your preferred Remote Desktop client to connect to localhost (127.0.0.1) on the port shown in the output of the previous command. It might differ from the example port 17148.
  3. When prompted for credentials, enter the username and password for the local user from the previous procedure.

Join the Test Instance to the Domain:

  1. In the Remote Desktop window, join the instance to the example.org domain. Click Local Server in the left-hand navigation pane of the Server Manager window.
  2. Under Properties for test-1, click the WORKGROUP link.
  3. On the Computer Name tab of the System Properties dialog, click Change.
  4. In the Member of section, select Domain, and then enter example.org.
  5. Click OK.
  6. When prompted for credentials, specify example\administrator along with the previously chosen domain administrator password, and click OK.
  7. Click OK, OK, Close, and finally Restart Now. When the instance comes back up, it is a member of the example.org domain.
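The domain join above as a script, with checks before the join that the forwarding zone and the dc firewall rule are working, and a second run after the restart that shows which domain controller and site test-1 ended up using. This is an added example, not part of the original page; it assumes an elevated PowerShell on test-1, dc-1 at 10.0.0.2 as in the text, and the -AfterRestart switch is a name chosen here.

```powershell
# Added example: scripted equivalent of the domain-join steps above, plus validation.
# Assumes: run elevated on test-1; dc-1 is 10.0.0.2; -AfterRestart is this script's own switch.
param([switch]$AfterRestart)

$Domain = "example.org"

if ($AfterRestart) {
    # Second run, after the reboot. The machine secure channel must be healthy, and
    # nltest's "Dc Site Name" should read GCP-us-central1: test-1 sits in 10.0.0.0/16,
    # the subnet mapped to dc-1's site, so the site configuration is doing its job.
    Test-ComputerSecureChannel -Verbose
    nltest "/dsgetdc:$Domain" /force
    return
}

# Pre-join checks. Both lookups travel through the Cloud DNS forwarding zone to dc-1/dc-2;
# an empty result means the zone, the dns firewall rule, or the DCs' DNS role is wrong.
Resolve-DnsName -Name $Domain -Type A | Select-Object Name, IPAddress
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV |
    Select-Object NameTarget, Port

# The dc firewall rule must admit test-1 (10.0.0.0/16 is inside 10.0.0.0/8) on the ports a
# join needs. A TcpTestSucceeded of False here points at the firewall rule, not at AD.
foreach ($port in 88, 389, 445) {
    Test-NetConnection -ComputerName "10.0.0.2" -Port $port |
        Select-Object ComputerName, RemotePort, TcpTestSucceeded
}

# Join and reboot, the same effect as the Restart Now click at the end of the steps above.
$Cred = Get-Credential -UserName "example\administrator" -Message "Domain administrator"
Add-Computer -DomainName $Domain -Credential $Cred -Force -Restart
```

Run the script once to join, then again with -AfterRestart once the instance is back.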