Managed Active Directory is a highly available Microsoft Active Directory domain as a service, hosted on Google Cloud.

In this tutorial you will setup a new managed Active Directory, create a new Windows VM and join it into the new domain. You will see how to setup networking, security and manage your domain using the same management tools you are familiar with.

What you'll learn

What you'll need:

How will you use this tutorial?

Read it through only Read it and complete the exercises

How would rate your experience with Google Cloud Platform?

Novice Intermediate Proficient

Codelab-at-a-conference setup

By using a kiosk at Google I/O, a test project has been created and can be accessed by using going to:

These temporary accounts have existing projects that are set up with billing so that there are no costs associated for you with running this codelab.

Note that all these accounts will be disabled soon after the codelab is over.

Use these credentials to log into the machine or to open a new Google Cloud Console window Accept the new account Terms of Service and any updates to Terms of Service.

When presented with this console landing page, please select the only project available. Alternatively, from the console home page, click on "Select a Project" :

Start Cloud Shell

While Google Cloud can be operated remotely from your laptop, in this codelab you use Google Cloud Shell, a command line environment running in Google Cloud.

Activate Google Cloud Shell

From the GCP Console click the Cloud Shell icon on the top right toolbar:

Then click "Start Cloud Shell":

It should only take a few moments to provision and connect to the environment:

This virtual machine is loaded with all the development tools you'll need. It offers a persistent 5GB home directory, and runs on the Google Cloud, greatly enhancing network performance and authentication. Much, if not all, of your work in this lab can be done with simply a browser or your Google Chromebook.

Once connected to Cloud Shell, you should see that you are already authenticated and that the project is already set to your PROJECT_ID.

Run the following command in Cloud Shell to confirm that you are authenticated:

gcloud auth list

Command output

Credentialed accounts:
 - <myaccount>@<mydomain>.com (active)
gcloud config list project

Command output

project = <PROJECT_ID>

If it is not, you can set it with this command:

gcloud config set project <PROJECT_ID>

Command output

Updated property [core/project].

Initialized GCP Project will be used to host the VPC Network between all your domain-joined Windows VMs and Managed Active Directory.

We will set a few variables for easier scripting later on.

Currently the following regions are supported:

  1. "us-west1"
  2. "us-west2"
  3. "us-central1"
  4. "us-east1"
  5. "us-east4"
  6. "europe-north1"
  7. "europe-west1"
  8. "europe-west4"
  9. "asia-east1"
  10. "asia-southeast1"

Set variables

If running on Linux, type:

$ VPC="adtutorialvpc"
$ FIREWALL_VPC_RULE="adtutorialvpcrule"
$ REGION="us-west1"
$ ZONE="us-west1-a"
$ DOMAIN_NAME="ad.tutorial"
$ VM_NAME="tutorial1"

If running on Windows, type in Powershell terminal:

PS> $VPC=adtutorialvpc
PS> $FIREWALL_VPC_RULE=adtutorialvpcrule
PS> $REGION=us-west1
PS> $ZONE=us-west1-a
PS> $DOMAIN_NAME=ad.tutorial
PS> $VM_NAME=tutorial1

Set current project id, so all subsequent operations will happen in the context of right cloud project:

$ gcloud config set project $PROJECT_ID

Enable Cloud APIs

In order to enable Managed Active Directory, we need to enable two APIs: DNS and Managed Identities.

Enable DNS API:

$ gcloud services enable

Enable Managed Identities API:

$ gcloud services enable

In order to establish connectivity between the managed active directory domain controller and Windows VMs, we need to create a virtual private cloud network.

Create VPC network

$ gcloud compute networks create $VPC --subnet-mode=auto --bgp-routing-mode=global

Create a firewall rule to allow connectivity between Windows VMs and domain controllers

$ gcloud compute firewall-rules create $FIREWALL_VPC_RULE --network $VPC --allow tcp,udp,icmp --source-ranges=

We setup the VPC that connects managed AD with resources in our project (VMs). Now it's time to setup a managed domain controller.

Create a Managed Active Directory

(This operation is expected to take about an hour)

$ gcloud active-directory domains create $DOMAIN_NAME --reserved-ip-range= --region=$REGION --authorized-networks=projects/$PROJECT_ID/global/networks/$VPC

While the deployment is happening or at any time, you can verify domain's provisioning status.

There are 3 supported states:


AD Domain creation has been initiated, in progress.


AD Domain creation completed, domain ready for use.


AD Domain still available, but is undergoing updates, (upgrading Domain Controllers, adding regions etc.)

Verify deployment status:

$ gcloud active-directory domains describe $DOMAIN_NAME

You should expect this command to report READY state when domain creation is completed.

Create a new Windows VM on Google Compute Engine

$ gcloud beta compute instances create $VM_NAME --zone=$ZONE --machine-type=n1-standard-2 --subnet=$VPC --network-tier=PREMIUM --scopes= --image=windows-server-2016-dc-v20181009 --image-project=windows-cloud --boot-disk-size=50GB --boot-disk-type=pd-standard

Create a firewall rule to allow remote desktop connectivity to your Windows VMs:

$ gcloud compute firewall-rules create allow-rdp --allow tcp:3389

Before connecting to the VM and adding it to the domain, we need to determine two users and their credentials:

Determine managed domain admin user name:

$ gcloud active-directory domains describe $DOMAIN_NAME

This operation will output the administrator username. By default it's called miadmin.

Reset managed domain admin's password:

$ gcloud active-directory domains reset-managed-identities-admin-password $DOMAIN_NAME

You have to confirm (Y/N) the operation as it will reveal the password in the clear text. In the terminal.

Save the user and password - we will use it later on.

Generate Windows local user and password

Windows local user and password are required to remotely connect to the VM that you created. You can generate them using gcloud.

$ gcloud compute reset-windows-password --user=usr1 $VM_NAME

This will create a local user called "usr1" and generate its password

Connect to the Windows instance using Chrome RDP

Open a new browser window at:

Open ChromeRDP by clicking on RDP:

Enter local user and password. This will connect you to the Windows VM you created.

On a VM, open elevated command prompt with Powershell:

In elevated Powershell, type:

$ add-computer –domainname your-domain -Credential your-domain\miadmin -restart –force

You will be asked to provide managed administrator password and then the VM will join your managed domain and restart. Wait 2 minutes before moving to the next step.

At this point your VM is domain-joined but you don't have permissions to connect to it using managed domain admin user. You need to add managed domain admin user as local administrator of that VM.

Connect to the VM again using local admin user (same instructions as above).

If so, follow warning instructions. This happened because we joined the VM to the domain.

Try to reconnect again using local admin user and open elevated Powershell Command Prompt.

Add Managed Domain Admin user to be a local admin on a VM

$ net localgroup administrators /add your-domain-name\miadmin

Now you can disconnect from the VM.

Once a VM is domain-joined, you can use familiar Active Directory tools for managing users, groups, computers and group policy.

Connect to the VM (same method as described above) using credentials of the managed domain admin. Open elevated Powershell Command Prompt:

$ Install-WindowsFeature -Name "RSAT-AD-Tools" -IncludeAllSubFeature -IncludeManagementTools -Confirm

It will ask for confirmation and then install Active Directory Management Tools.

After the installation is complete, you can use dsa.msc (Active Directory Users and Computers) and other familiar Active Directory tools to manage the domain under "Customer OU"

Congratulations, you've successfully created a new Managed Active Directory on Google Cloud Platform.

Next Steps


You can delete Windows VMs and VPC network.

Delete Windows VMs

Delete VPC networks