Managed Active Directory is a highly available Microsoft Active Directory domain as a service, hosted on Google Cloud.
In this tutorial you will setup a new managed Active Directory, create a new Windows VM and join it into the new domain. You will see how to setup networking, security and manage your domain using the same management tools you are familiar with.
By using a kiosk at Google I/O, a test project has been created and can be accessed by using going to: https://console.cloud.google.com/.
These temporary accounts have existing projects that are set up with billing so that there are no costs associated for you with running this codelab.
Note that all these accounts will be disabled soon after the codelab is over.
Use these credentials to log into the machine or to open a new Google Cloud Console window https://console.cloud.google.com/. Accept the new account Terms of Service and any updates to Terms of Service.
When presented with this console landing page, please select the only project available. Alternatively, from the console home page, click on "Select a Project" :
While Google Cloud can be operated remotely from your laptop, in this codelab you use Google Cloud Shell, a command line environment running in Google Cloud.
From the GCP Console click the Cloud Shell icon on the top right toolbar:
Then click "Start Cloud Shell":
It should only take a few moments to provision and connect to the environment:
This virtual machine is loaded with all the development tools you'll need. It offers a persistent 5GB home directory, and runs on the Google Cloud, greatly enhancing network performance and authentication. Much, if not all, of your work in this lab can be done with simply a browser or your Google Chromebook.
Once connected to Cloud Shell, you should see that you are already authenticated and that the project is already set to your PROJECT_ID.
Run the following command in Cloud Shell to confirm that you are authenticated:
gcloud auth list
Credentialed accounts: - <myaccount>@<mydomain>.com (active)
gcloud config list project
[core] project = <PROJECT_ID>
If it is not, you can set it with this command:
gcloud config set project <PROJECT_ID>
Updated property [core/project].
Initialized GCP Project will be used to host the VPC Network between all your domain-joined Windows VMs and Managed Active Directory.
We will set a few variables for easier scripting later on.
Currently the following regions are supported:
If running on Linux, type:
$ PROJECT_ID="YOUR_PROJECT_ID" $ VPC="adtutorialvpc" $ FIREWALL_VPC_RULE="adtutorialvpcrule" $ REGION="us-west1" $ ZONE="us-west1-a" $ DOMAIN_NAME="ad.tutorial" $ VM_NAME="tutorial1"
If running on Windows, type in Powershell terminal:
PS> $PROJECT_ID=YOUR_PROJECT_ID PS> $VPC=adtutorialvpc PS> $FIREWALL_VPC_RULE=adtutorialvpcrule PS> $REGION=us-west1 PS> $ZONE=us-west1-a PS> $DOMAIN_NAME=ad.tutorial PS> $VM_NAME=tutorial1
Set current project id, so all subsequent operations will happen in the context of right cloud project:
$ gcloud config set project $PROJECT_ID
In order to enable Managed Active Directory, we need to enable two APIs: DNS and Managed Identities.
Enable DNS API:
$ gcloud services enable dns.googleapis.com
Enable Managed Identities API:
$ gcloud services enable managedidentities.googleapis.com
In order to establish connectivity between the managed active directory domain controller and Windows VMs, we need to create a virtual private cloud network.
Create VPC network
$ gcloud compute networks create $VPC --subnet-mode=auto --bgp-routing-mode=global
Create a firewall rule to allow connectivity between Windows VMs and domain controllers
$ gcloud compute firewall-rules create $FIREWALL_VPC_RULE --network $VPC --allow tcp,udp,icmp --source-ranges=0.0.0.0/0
We setup the VPC that connects managed AD with resources in our project (VMs). Now it's time to setup a managed domain controller.
Create a Managed Active Directory
(This operation is expected to take about an hour)
$ gcloud active-directory domains create $DOMAIN_NAME --reserved-ip-range=10.0.1.0/24 --region=$REGION --authorized-networks=projects/$PROJECT_ID/global/networks/$VPC
While the deployment is happening or at any time, you can verify domain's provisioning status.
There are 3 supported states:
AD Domain creation has been initiated, in progress.
AD Domain creation completed, domain ready for use.
AD Domain still available, but is undergoing updates, (upgrading Domain Controllers, adding regions etc.)
Verify deployment status:
$ gcloud active-directory domains describe $DOMAIN_NAME
You should expect this command to report READY state when domain creation is completed.
Create a new Windows VM on Google Compute Engine
$ gcloud beta compute instances create $VM_NAME --zone=$ZONE --machine-type=n1-standard-2 --subnet=$VPC --network-tier=PREMIUM --scopes=https://www.googleapis.com/auth/cloud-platform --image=windows-server-2016-dc-v20181009 --image-project=windows-cloud --boot-disk-size=50GB --boot-disk-type=pd-standard
Create a firewall rule to allow remote desktop connectivity to your Windows VMs:
$ gcloud compute firewall-rules create allow-rdp --allow tcp:3389
Before connecting to the VM and adding it to the domain, we need to determine two users and their credentials:
Determine managed domain admin user name:
$ gcloud active-directory domains describe $DOMAIN_NAME
This operation will output the administrator username. By default it's called miadmin.
Reset managed domain admin's password:
$ gcloud active-directory domains reset-managed-identities-admin-password $DOMAIN_NAME
You have to confirm (Y/N) the operation as it will reveal the password in the clear text. In the terminal.
Save the user and password - we will use it later on.
Generate Windows local user and password
Windows local user and password are required to remotely connect to the VM that you created. You can generate them using gcloud.
$ gcloud compute reset-windows-password --user=usr1 $VM_NAME
This will create a local user called "usr1" and generate its password
Connect to the Windows instance using Chrome RDP
Open a new browser window at: https://console.cloud.google.com/compute/instancesDetail/zones/your-zone/instances/your-vm-name?project=your-project-name
Open ChromeRDP by clicking on RDP:
Enter local user and password. This will connect you to the Windows VM you created.
On a VM, open elevated command prompt with Powershell:
In elevated Powershell, type:
$ add-computer –domainname your-domain -Credential your-domain\miadmin -restart –force
You will be asked to provide managed administrator password and then the VM will join your managed domain and restart. Wait 2 minutes before moving to the next step.
At this point your VM is domain-joined but you don't have permissions to connect to it using managed domain admin user. You need to add managed domain admin user as local administrator of that VM.
Connect to the VM again using local admin user (same instructions as above).
If so, follow warning instructions. This happened because we joined the VM to the domain.
Try to reconnect again using local admin user and open elevated Powershell Command Prompt.
Add Managed Domain Admin user to be a local admin on a VM
$ net localgroup administrators /add your-domain-name\miadmin
Now you can disconnect from the VM.
Once a VM is domain-joined, you can use familiar Active Directory tools for managing users, groups, computers and group policy.
Connect to the VM (same method as described above) using credentials of the managed domain admin. Open elevated Powershell Command Prompt:
$ Install-WindowsFeature -Name "RSAT-AD-Tools" -IncludeAllSubFeature -IncludeManagementTools -Confirm
It will ask for confirmation and then install Active Directory Management Tools.
After the installation is complete, you can use dsa.msc (Active Directory Users and Computers) and other familiar Active Directory tools to manage the domain under "Customer OU"
Congratulations, you've successfully created a new Managed Active Directory on Google Cloud Platform.
You can delete Windows VMs and VPC network.