Deploying a fault-tolerant Microsoft Active Directory environment

This tutorial is the first part of a series that helps you deploy a highly available Windows architecture on Google Cloud with Microsoft Active Directory, SQL Server, and Internet Information Services (IIS). In this tutorial, you set up a redundant pair of Windows domain controllers with Active Directory using a new Virtual Private Cloud (VPC) network and multiple subnets.

The series consists of these tutorials:

Deploying a fault-tolerant Microsoft Active Directory environment (this document)
Deploying a multi-subnet SQL Server
Deploying load-balanced IIS web servers

Each tutorial builds on the infrastructure that you create in the preceding one.

You can also use this tutorial to learn to set up an Active Directory configuration for use in other architectures. This guide does not cover replicating a remote Active Directory environment to the new Google Cloud- based Active Directory environment, although this is possible with Cloud VPN and additional Active Directory configuration.

Architecture

Fault-tolerant Active Directory architecture on Google Cloud.

Objectives

Create a custom mode VPC network with two subnets spanning two zones.
Create Windows Server virtual instances and enable Active Directory Domain Services.
Configure a new domain with Active Directory.
Join the new Windows Server instances to the new domain.
Configure firewall rules to allow traffic to the virtual machines.
Test the configuration.

Costs

This tutorial uses billable components of Google Cloud, including:

The Pricing Calculator estimates the cost of this environment at around $4 per day.

Before you begin

In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

Note: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.

Go to project selector
Make sure that billing is enabled for your Cloud project. Learn how to check if billing is enabled on a project.
Enable the Compute Engine API.
Enable the API

Initializing common variables

You must define several environment variables that control where elements of the infrastructure are deployed.

Go to Cloud Shell.

Open Cloud Shell
In Cloud Shell, create the following environment variables to set values that you need later in the tutorial.

The commands set the region to us-east-1. You can use a different region, but remember the region that you use so you can use the same region in the subsequent tutorials.
```
export region=us-east1
export zone_1=${region}-b
export zone_2=${region}-c
export vpc_name=webappnet
export project_id=your-project-id
```
Replace your-project-id with the ID of the Google Cloud project that you're using.
Run the following commands to set the default region and project ID so you don't have to specify these values in every subsequent command:
```
gcloud config set compute/region ${region}
gcloud config set project ${project_id}
```

Creating the network infrastructure

After you've defined the infrastructure variables, it's time to create the network and subnets that Active Directory will use.

In Cloud Shell, run the following command to create the VPC network:

gcloud compute networks create ${vpc_name}  \
    --description "VPC network to deploy Active Directory" \
    --subnet-mode custom

You see the following warning, which you can ignore, because you create these firewall rules in later steps.

Instances on this network will not be reachable until firewall rules
are created.

Add two subnets to the VPC network:

gcloud compute networks subnets create private-ad-zone-1 \
    --network ${vpc_name} \
    --range 10.1.0.0/24

gcloud compute networks subnets create private-ad-zone-2 \
    --network ${vpc_name} \
    --range 10.2.0.0/24

Create an internal firewall rule to allow traffic between subnets:
```
gcloud compute firewall-rules create allow-internal-ports-private-ad \
    --network ${vpc_name} \
    --allow tcp:1-65535,udp:1-65535,icmp \
    --source-ranges  10.1.0.0/24,10.2.0.0/24
```
Note: In a production environment, it's a best practice to secure all the ports that your systems are not actively using. It's also a best practice to secure access to your machines using a bastion host.

Create a firewall rule to allow an RDP connection on port 3389 from any location:

gcloud compute firewall-rules create allow-rdp \
    --network ${vpc_name} \
    --allow tcp:3389 \
    --source-ranges 0.0.0.0/0

Creating the first domain controller

Next you create a domain controller that has the following properties:

Name: ad-dc1
IP Address: 10.1.0.100

Create a Compute Engine instance of Windows Server 2016 to use as the first domain controller:

gcloud compute instances create ad-dc1 --machine-type n1-standard-2 \
    --boot-disk-type pd-ssd \
    --boot-disk-size 50GB \
    --image-family windows-2016 --image-project windows-cloud \
    --network ${vpc_name} \
    --zone ${zone_1} --subnet private-ad-zone-1 \
    --private-network-ip=10.1.0.100

Wait approximately one minute, and then create a password for the Windows instance ad-dc1:
```
gcloud compute reset-windows-password ad-dc1 --zone ${zone_1} --quiet
```
The username is your Google account username. Note the username and password for future use.

Note: If the instance is not ready to accept the request, you see the following error message. If so, retry the command in a few minutes.

ERROR: (gcloud.compute.reset-windows-password) The instance may not be ready for use. This can occur if the instance was recently created or if the instance is not running Windows. Please wait a few minutes and try again.
Use RDP to connect to the domain controller instance with the credentials you created in the previous step.
Open a PowerShell terminal as Administrator. (Click Start, type PowerShell, and then press Shift+Ctrl+Enter.)
Set the Windows credentials for the Administrator account:
```
net user Administrator *
```
Note: To paste commands into a PowerShell terminal, press Alt+Space+P.

You're prompted to create a password. Use a strong password, and store the password in safe location for future use.

The Administrator account will become a domain admin account after you've created the Active Directory forest with it.
Enable the account:
```
net user Administrator /active:yes
```

Install Active Directory Domain Services, including Management Tools:

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

Set the following variables:

$DomainName = "example-gcp.com"
$DomainMode = "7"
$ForestMode = "7"
$DatabasePath = "C:\Windows\NTDS"
$SysvolPath = "C:\Windows\SYSVOL"
$LogPath = "C:\Logs"

Install the new Active Directory forest configuration in Windows Server 2016 mode:

Install-ADDSForest -CreateDnsDelegation:$false `
    -DatabasePath $DatabasePath `
    -LogPath $LogPath `
    -SysvolPath $SysvolPath `
    -DomainName $DomainName `
    -DomainMode $DomainMode `
    -ForestMode $ForestMode `
    -InstallDNS:$true `
    -NoRebootOnCompletion:$true `
    -Force:$true

When you're prompted, enter a Safe Mode Administrator password. Store the password in a safe location for future use.

Dismiss the following warnings. Each warning will appear two times, once during prerequisites verification and a second time during the installation process.

WARNING: Windows Server 2016 domain controllers have a default for the
security setting named Allow cryptography algorithms compatible with
Windows NT 4.0 that prevents weaker cryptography algorithms when
establishing security channel sessions.

For more information about this setting, see Knowledge Base article 942564
(http://go.microsoft.com/fwlink/?LinkId=104751).

WARNING: This computer has at least one physical network adapter that does
not have static IP address(es) assigned to its IP Properties. If both IPv4
and IPv6 are enabled for a network adapter, both IPv4 and IPv6 static IP
addresses should be assigned to both IPv4 and IPv6 Properties of the
physical network adapter. Such static IP address(es) assignment should be
done to all the physical network adapters for reliable Domain Name
System (DNS) operation.

WARNING: A delegation for this DNS server cannot be created because the
authoritative parent zone cannot be found or it does not run Windows DNS
server. If you are integrating with an existing DNS infrastructure, you
should manually create a delegation to this DNS server in the parent zone
to ensure reliable name resolution from outside the domain "example-gcp.com".
Otherwise, no action is required.

Restart the virtual machine:
```
Restart-Computer
```
Use RDP to connect to domain controller ad-dc1 with the Administrator credentials you defined during the Active Directory forest installation. Remember to add the domain name as a prefix, as in EXAMPLE-GCP\Administrator.

Note: If you are using the Chrome RDP client, you might see the following warning about the certificate. Follow the instructions to connect.

WARNING Someone could be trying to intercept your communication. To connect anyway select Chrome RDP Options, select the Certificates tab, select the <Your IP address>:3389 certificate listing and press the Delete Certificate button.
Open a PowerShell terminal as Administrator.

Set the following variables:

$DNSPrimary = "10.2.0.100"
$DNSSecondary = "127.0.0.1"
$LocalStaticIp = "10.1.0.100"
$DefaultGateway = "10.1.0.1"

Set the IP address and default gateway:
```
netsh interface ip set address name=Ethernet static `
    $LocalStaticIp 255.255.255.0 $DefaultGateway 1
```
Note: RDP might lose connectivity for a few seconds or require you to reconnect.
Configure the primary DNS server:
```
netsh interface ip set dns Ethernet static $DNSPrimary
```
DNS server ad-dc2 will be available only after the second domain controller is deployed, so you can ignore the following error message:
```
The configured DNS server is incorrect or does not exist.
```
Note: You configure the DNS servers after the Active Directory forest installation. Installing the forest overwrites the post-installation values with the IP addresses of the domain controllers ac-dc1 and ad-dc2. You set up the ac-dc2 domain controller later in this tutorial.
Configure the secondary DNS server:
```
netsh interface ip add dns Ethernet $DNSSecondary index=2
```
The DNS server entry for this domain controller, ad-dc1, should be second in the list in order to prevent Active Directory from frequently losing connection with the other controller. Use the second domain controller, ad-dc2, as the primary DNS server. You create the ad-dc2 domain controller in the next section. If you don't follow this pattern, the following errors appear under Server Manager > Active Directory Domain Services:
```
The DFS Replication service failed to update configuration in Active
Directory Domain Services. The service will retry this operation
periodically.
```
You might see errors on the ad-dc1 server before both servers are fully configured. You can ignore these errors.

Creating the second domain controller

Next you create a second domain controller in a different zone to provide fault tolerance. The second domain controller has the following properties:

Name: ad-dc2
IP Address: 10.2.0.100

If your Cloud Shell window has expired, open a new Cloud Shell instance and reset the variables you set earlier. To do that, edit the following script to specify the project ID and region that you used earlier.
```
region=us-east1
zone_2=${region}-c
zone_1=${region}-b
vpc_name=webappnet
project_id=your-project-id

gcloud config set compute/region ${region}
gcloud config set project ${project_id}
```
Replace your-project-id with the ID of the Cloud project that you're using.
Copy the script into your Cloud Shell window and run it.

Use Cloud Shell to create the second domain controller instance:

gcloud compute instances create ad-dc2 --machine-type n1-standard-2 \
    --boot-disk-size 50GB \
    --boot-disk-type pd-ssd \
    --image-family windows-2016 --image-project windows-cloud \
    --can-ip-forward \
    --network ${vpc_name} \
    --zone ${zone_2} \
    --subnet private-ad-zone-2 \
    --private-network-ip=10.2.0.100

Wait approximately one minute, and then create a password for the Windows instance ad-dc2:
```
gcloud compute reset-windows-password ad-dc2 --zone ${zone_2} --quiet
```
The username is your Google account username. Note the username and password for future use.
Use RDP to connect to the domain controller instance with the credentials you created in the previous step.
Open a PowerShell terminal as Administrator.

Install Active Directory Domain Services, including Management Tools:

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

Set the following variables:

$DomainName = "example-gcp.com"
$DomainPrefix = "EXAMPLE-GCP"
$DNSPrimary = "10.1.0.100"
$DNSSecondary = "127.0.0.1"
$LocalStaticIp = "10.2.0.100"
$DefaultGateway = "10.2.0.1"
$DatabasePath = "C:\Windows\NTDS"
$SysvolPath = "C:\Windows\SYSVOL"
$LogPath = "C:\Logs"

Configure the primary DNS server:

netsh interface ip set dns Ethernet static $DNSPrimary

Configure the second server so that it acts as its own secondary DNS server:
```
netsh interface ip add dns Ethernet $DNSSecondary index=2
```
The ad-dc2 DNS server will be available only after ad-dc2 is joined to the domain as a domain controller. Because the server hasn't been joined yet, you see the following message, but you can ignore it:
```
The configured DNS server is incorrect or does not exist.
```
Set the IP address and default gateway:
```
netsh interface ip set address name=Ethernet static `
    $LocalStaticIp 255.255.255.0 $DefaultGateway 1
```
Note: RDP might lose connectivity for a few seconds or require you to reconnect.

Run the following PowerShell script, which will let you know when the first domain controller becomes operational. Wait until you see the Domain controller is reachable message.

$DomainIsReady=$False
For ($i=0; $i -le 30; $i++) {
    nltest /dsgetdc:$DomainName
    if($LASTEXITCODE -ne 0) {
        Write-Host "Domain not ready, wait 1 more minute, then retry"
        Start-Sleep -s 60
    }
    else {
        $DomainIsReady=$True
        Write-Host "Domain controller is reachable"
        break
    }
}
if($DomainIsReady -eq $False) {
    Write-Host "Domain not ready. Check if it was deployed ok"
}

Add the virtual machine to the forest as a second domain controller:

Install-ADDSDomainController `
    -Credential (Get-Credential "$DomainPrefix\Administrator") `
    -CreateDnsDelegation:$false `
    -DatabasePath $DatabasePath `
    -DomainName $DomainName `
    -InstallDns:$true `
    -LogPath $LogPath `
    -SysvolPath $SysvolPath `
    -NoGlobalCatalog:$false `
    -SiteName 'Default-First-Site-Name' `
    -NoRebootOnCompletion:$true `
    -Force:$true

When you're prompted to provide a password for the Administrator account, use the Administrator credentials you defined during Active Directory forest installation. Add the domain name as a prefix, as in EXAMPLE-GCP\Administrator.
When you're prompted to enter a Safe Mode Administrator password, use the same password you used for the first domain controller.

Ignore the following warnings. Each warning appears twice: once during prerequisites verification, and a second time during the installation process.

WARNING: Windows Server 2016 domain controllers have a default for the
security setting named "Allow cryptography algorithms compatible with
Windows NT 4.0" that prevents weaker cryptography algorithms when
establishing security channel sessions.

For more information about this setting, see Knowledge Base article
942564 (http://go.microsoft.com/fwlink/?LinkId=104751).

WARNING: A delegation for this DNS server cannot be created because the
authoritative parent zone cannot be found or it does not run Windows DNS
server. If you are integrating with an existing DNS infrastructure, you
should manually create a delegation to this DNS server in the parent zone
to ensure reliable name resolution from outside the domain
"example-gcp.com". Otherwise, no action is required.

Restart the virtual machine:
```
Restart-Computer
```

Testing the installation

Wait 5 to 10 minutes to make sure that both domain controllers are operational and are replicating information.
Using RDP, connect to the first domain controller instance using the Administrator credentials you defined during the first domain controller installation. Add the domain name as a prefix, as in EXAMPLE-GCP\Administrator.
Open a PowerShell terminal as Administrator.
Test that replication is working:
```
repadmin /replsum
```
Note: For more information, read about replication and topology management in Active Directory.

The output should resemble the following, with no errors or failures.

If the domain controller is not available, you see a message like the following:
```
Beginning data collection for replication summary, this may take awhile:

  ....
Source DSA          largest delta    fails/total %%   error

Destination DSA     largest delta    fails/total %%   error
```
If you see this message, wait a couple of minutes and then retry the command.

Clean up

If you want to continue to the next tutorial in this series (Deploying a multi-subnet SQL Server), keep the resources that you created in this tutorial. However, if you don't intend to use the Active Directory environment that you created in this tutorial, go ahead and clean up the resources you created on Google Cloud so you won't be billed for them. The following sections describe how to delete or turn off these resources.

Deleting the project

The easiest way to eliminate billing is to delete the project that you created for the tutorial.

To delete the project:

In the console, go to the Manage resources page.
Go to Manage resources
In the project list, select the project that you want to delete, and then click Delete.
In the dialog, type the project ID, and then click Shut down to delete the project.

Deleting instances

To delete a Compute Engine instance:

In the console, go to the VM instances page.
Go to VM instances
Select the checkbox for the instance that you want to delete.
To delete the instance, click More actions, click Delete, and then follow the instructions.

Deleting VPC networks

To delete the VPC network, subnets, and firewall rules:

In the console, go to the VPC networks page.

Go to VPC networks page
Select the VPC network you created.
Click the Delete button at the top of the page.

What's next

Continue to the next tutorials in this series:
- Deploying a multi-subnet SQL Server
- Deploying load-balanced IIS web servers
Learn more about patterns for using Active Directory in a hybrid environment.
Review best practices for managing identity and access.
Explore reference architectures, diagrams, tutorials, and best practices about Google Cloud. Take a look at our Cloud Architecture Center.