This tutorial is the first part of a series that helps you deploy a highly available Windows architecture on Google Cloud with Microsoft Active Directory, SQL Server, and Internet Information Services (IIS). In this tutorial, you set up a redundant pair of Windows domain controllers with Active Directory using a new Virtual Private Cloud (VPC) network and multiple subnets.
The series consists of these tutorials:
- Deploying a fault-tolerant Microsoft Active Directory environment (this document)
- Deploying a multi-subnet SQL Server
- Deploying load-balanced IIS web servers
Each tutorial builds on the infrastructure that you create in the preceding one.
You can also use this tutorial to learn to set up an Active Directory configuration for use in other architectures. This guide does not cover replicating a remote Active Directory environment to the new Google Cloud- based Active Directory environment, although this is possible with Cloud VPN and additional Active Directory configuration.
Architecture
Objectives
- Create a custom mode VPC network with two subnets spanning two zones.
- Create Windows Server virtual instances and enable Active Directory Domain Services.
- Configure a new domain with Active Directory.
- Join the new Windows Server instances to the new domain.
- Configure firewall rules to allow traffic to the virtual machines.
- Test the configuration.
Costs
This tutorial uses billable components of Google Cloud, including:
The Pricing Calculator estimates the cost of this environment at around $4 per day.
Before you begin
- In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
- Make sure that billing is enabled for your Cloud project. Learn how to check if billing is enabled on a project.
- Enable the Compute Engine API.
Initializing common variables
You must define several environment variables that control where elements of the infrastructure are deployed.
Go to Cloud Shell.
In Cloud Shell, create the following environment variables to set values that you need later in the tutorial.
The commands set the region to us-east1. You can use a different region, but remember the region that you use so you can use the same region in the subsequent tutorials.
export region=us-east1
export zone_1=${region}-b
export zone_2=${region}-c
export vpc_name=webappnet
export project_id=your-project-id
Replace your-project-id with the ID of the Google Cloud project that you're using.
Run the following commands to set the default region and project ID so you don't have to specify these values in every subsequent command:
gcloud config set compute/region ${region}
gcloud config set project ${project_id}
Creating the network infrastructure
After you've defined the infrastructure variables, it's time to create the network and subnets that Active Directory will use.
In Cloud Shell, run the following command to create the VPC network:
gcloud compute networks create ${vpc_name} \
    --description "VPC network to deploy Active Directory" \
    --subnet-mode custom
You see the following warning, which you can ignore, because you create these firewall rules in later steps.
Instances on this network will not be reachable until firewall rules are created.
Add two subnets to the VPC network:
gcloud compute networks subnets create private-ad-zone-1 \
    --network ${vpc_name} \
    --range 10.1.0.0/24
gcloud compute networks subnets create private-ad-zone-2 \
    --network ${vpc_name} \
    --range 10.2.0.0/24
Create an internal firewall rule to allow traffic between subnets:
gcloud compute firewall-rules create allow-internal-ports-private-ad \
    --network ${vpc_name} \
    --allow tcp:1-65535,udp:1-65535,icmp \
    --source-ranges 10.1.0.0/24,10.2.0.0/24
Create a firewall rule to allow an RDP connection on port 3389 from any location:
gcloud compute firewall-rules create allow-rdp \
    --network ${vpc_name} \
    --allow tcp:3389 \
    --source-ranges 0.0.0.0/0
The 0.0.0.0/0 source range exposes port 3389 to the whole internet; if you always connect from a known address range, you can use that range for --source-ranges instead.
Creating the first domain controller
Next you create a domain controller that has the following properties:
- Name: ad-dc1
- IP Address: 10.1.0.100
Create a Compute Engine instance of Windows Server 2016 to use as the first domain controller:
gcloud compute instances create ad-dc1 --machine-type n1-standard-2 \
    --boot-disk-type pd-ssd \
    --boot-disk-size 50GB \
    --image-family windows-2016 --image-project windows-cloud \
    --network ${vpc_name} \
    --zone ${zone_1} --subnet private-ad-zone-1 \
    --private-network-ip=10.1.0.100
Wait approximately one minute, and then create a password for the Windows instance ad-dc1:
gcloud compute reset-windows-password ad-dc1 --zone ${zone_1} --quiet
The username is your Google account username. Note the username and password for future use.
Use RDP to connect to the domain controller instance with the credentials you created in the previous step.
Open a PowerShell terminal as Administrator. (Click Start, type PowerShell, and then press Shift+Ctrl+Enter.)
Set the Windows credentials for the Administrator account:
net user Administrator *
You're prompted to create a password. Use a strong password, and store the password in a safe location for future use.
The Administrator account will become a domain admin account after you've created the Active Directory forest with it.
Enable the account:
net user Administrator /active:yes
Install Active Directory Domain Services, including Management Tools:
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Set the following variables:
$DomainName = "example-gcp.com"
$DomainMode = "7"
$ForestMode = "7"
$DatabasePath = "C:\Windows\NTDS"
$SysvolPath = "C:\Windows\SYSVOL"
$LogPath = "C:\Logs"
Install the new Active Directory forest configuration in Windows Server 2016 mode:
Install-ADDSForest -CreateDnsDelegation:$false `
    -DatabasePath $DatabasePath `
    -LogPath $LogPath `
    -SysvolPath $SysvolPath `
    -DomainName $DomainName `
    -DomainMode $DomainMode `
    -ForestMode $ForestMode `
    -InstallDNS:$true `
    -NoRebootOnCompletion:$true `
    -Force:$true
When you're prompted, enter a Safe Mode Administrator password. Store the password in a safe location for future use.
Dismiss the following warnings. Each warning will appear two times, once during prerequisites verification and a second time during the installation process.
WARNING: Windows Server 2016 domain controllers have a default for the security setting named Allow cryptography algorithms compatible with Windows NT 4.0 that prevents weaker cryptography algorithms when establishing security channel sessions.
For more information about this setting, see Knowledge Base article 942564 (http://go.microsoft.com/fwlink/?LinkId=104751).
WARNING: This computer has at least one physical network adapter that does not have static IP address(es) assigned to its IP Properties. If both IPv4 and IPv6 are enabled for a network adapter, both IPv4 and IPv6 static IP addresses should be assigned to both IPv4 and IPv6 Properties of the physical network adapter. Such static IP address(es) assignment should be done to all the physical network adapters for reliable Domain Name System (DNS) operation.
WARNING: A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it does not run Windows DNS server. If you are integrating with an existing DNS infrastructure, you should manually create a delegation to this DNS server in the parent zone to ensure reliable name resolution from outside the domain "example-gcp.com". Otherwise, no action is required.
Restart the virtual machine:
Restart-Computer
Use RDP to connect to domain controller ad-dc1 with the Administrator credentials you defined during the Active Directory forest installation. Remember to add the domain name as a prefix, as in EXAMPLE-GCP\Administrator.
Open a PowerShell terminal as Administrator.
Set the following variables:
$DNSPrimary = "10.2.0.100"
$DNSSecondary = "127.0.0.1"
$LocalStaticIp = "10.1.0.100"
$DefaultGateway = "10.1.0.1"
Set the IP address and default gateway:
netsh interface ip set address name=Ethernet static `
    $LocalStaticIp 255.255.255.0 $DefaultGateway 1
Configure the primary DNS server:
netsh interface ip set dns Ethernet static $DNSPrimary
DNS server ad-dc2 will be available only after the second domain controller is deployed, so you can ignore the following error message:
The configured DNS server is incorrect or does not exist.
Configure the secondary DNS server:
netsh interface ip add dns Ethernet $DNSSecondary index=2
The DNS server entry for this domain controller, ad-dc1, should be second in the list in order to prevent Active Directory from frequently losing connection with the other controller. Use the second domain controller, ad-dc2, as the primary DNS server. You create the ad-dc2 domain controller in the next section. If you don't follow this pattern, the following errors appear under Server Manager > Active Directory Domain Services:
The DFS Replication service failed to update configuration in Active Directory Domain Services. The service will retry this operation periodically.
You might see errors on the ad-dc1 server before both servers are fully configured. You can ignore these errors.
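The following PowerShell function is an added example, not part of the original tutorial: run on a domain controller, it checks that the IPv4 DNS client list follows the order prescribed above (the peer controller first, 127.0.0.1 second), optionally repairs it, and reports which of the two servers currently answers for the domain. It assumes the adapter is named Ethernet, as in the netsh commands above.

```powershell
# Added example (not part of the original tutorial): check the DNS client order
# on this domain controller: peer controller first, loopback second.
# Assumption: the adapter is named "Ethernet", as in the tutorial's netsh commands.
function Test-DcDnsClientOrder {
    param(
        [Parameter(Mandatory)] [string] $PeerDcIp,   # 10.2.0.100 on ad-dc1, 10.1.0.100 on ad-dc2
        [string] $DomainName = 'example-gcp.com',
        [string] $InterfaceAlias = 'Ethernet',
        [switch] $Repair                              # rewrite the list if the order is wrong
    )
    $expected = @($PeerDcIp, '127.0.0.1')
    $actual = @((Get-DnsClientServerAddress -InterfaceAlias $InterfaceAlias `
                    -AddressFamily IPv4).ServerAddresses)

    # Compare-Object with -SyncWindow 0 is position-sensitive, so it also catches
    # a list that has the right servers in the wrong order.
    $orderOk = ($actual.Count -eq $expected.Count) -and
               (@(Compare-Object $expected $actual -SyncWindow 0).Count -eq 0)
    if ($orderOk) {
        Write-Host "DNS client order on $InterfaceAlias is correct: $($actual -join ', ')"
    } else {
        Write-Warning "DNS client order is '$($actual -join ', ')'; expected '$($expected -join ', ')'"
        if ($Repair) {
            Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $expected
            Write-Host "Rewrote DNS client list to $($expected -join ', ')"
            $orderOk = $true
        }
    }

    # Ask each listed server for the domain's A record. The peer does not answer
    # until the other controller is deployed, which is the error the tutorial says to ignore.
    foreach ($server in $expected) {
        $answer = Resolve-DnsName -Name $DomainName -Type A -Server $server `
                      -ErrorAction SilentlyContinue
        if ($answer) { Write-Host "$server answers for $DomainName" }
        else         { Write-Warning "$server does not answer for $DomainName yet" }
    }
    return $orderOk
}

# On ad-dc1 the peer is ad-dc2; on ad-dc2 pass -PeerDcIp 10.1.0.100 instead.
Test-DcDnsClientOrder -PeerDcIp 10.2.0.100
```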
Creating the second domain controller
Next you create a second domain controller in a different zone to provide fault tolerance. The second domain controller has the following properties:
- Name: ad-dc2
- IP Address: 10.2.0.100
If your Cloud Shell window has expired, open a new Cloud Shell instance and reset the variables you set earlier. To do that, edit the following script to specify the project ID and region that you used earlier.
region=us-east1
zone_2=${region}-c
zone_1=${region}-b
vpc_name=webappnet
project_id=your-project-id
gcloud config set compute/region ${region}
gcloud config set project ${project_id}
Replace your-project-id with the ID of the Cloud project that you're using.
Copy the script into your Cloud Shell window and run it.
Use Cloud Shell to create the second domain controller instance:
gcloud compute instances create ad-dc2 --machine-type n1-standard-2 \
    --boot-disk-size 50GB \
    --boot-disk-type pd-ssd \
    --image-family windows-2016 --image-project windows-cloud \
    --can-ip-forward \
    --network ${vpc_name} \
    --zone ${zone_2} \
    --subnet private-ad-zone-2 \
    --private-network-ip=10.2.0.100
Wait approximately one minute, and then create a password for the Windows instance ad-dc2:
gcloud compute reset-windows-password ad-dc2 --zone ${zone_2} --quiet
The username is your Google account username. Note the username and password for future use.
Use RDP to connect to the domain controller instance with the credentials you created in the previous step.
Open a PowerShell terminal as Administrator.
Install Active Directory Domain Services, including Management Tools:
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Set the following variables:
$DomainName = "example-gcp.com"
$DomainPrefix = "EXAMPLE-GCP"
$DNSPrimary = "10.1.0.100"
$DNSSecondary = "127.0.0.1"
$LocalStaticIp = "10.2.0.100"
$DefaultGateway = "10.2.0.1"
$DatabasePath = "C:\Windows\NTDS"
$SysvolPath = "C:\Windows\SYSVOL"
$LogPath = "C:\Logs"
Configure the primary DNS server:
netsh interface ip set dns Ethernet static $DNSPrimary
Configure the second server so that it acts as its own secondary DNS server:
netsh interface ip add dns Ethernet $DNSSecondary index=2
The ad-dc2 DNS server will be available only after ad-dc2 is joined to the domain as a domain controller. Because the server hasn't been joined yet, you see the following message, but you can ignore it:
The configured DNS server is incorrect or does not exist.
Set the IP address and default gateway:
netsh interface ip set address name=Ethernet static `
    $LocalStaticIp 255.255.255.0 $DefaultGateway 1
Run the following PowerShell script, which will let you know when the first domain controller becomes operational. Wait until you see the Domain controller is reachable message.
$DomainIsReady=$False
For ($i=0; $i -le 30; $i++) {
    nltest /dsgetdc:$DomainName
    if($LASTEXITCODE -ne 0) {
        Write-Host "Domain not ready, wait 1 more minute, then retry"
        Start-Sleep -s 60
    } else {
        $DomainIsReady=$True
        Write-Host "Domain controller is reachable"
        break
    }
}
if($DomainIsReady -eq $False) {
    Write-Host "Domain not ready. Check if it was deployed ok"
}
Add the virtual machine to the forest as a second domain controller:
Install-ADDSDomainController `
    -Credential (Get-Credential "$DomainPrefix\Administrator") `
    -CreateDnsDelegation:$false `
    -DatabasePath $DatabasePath `
    -DomainName $DomainName `
    -InstallDns:$true `
    -LogPath $LogPath `
    -SysvolPath $SysvolPath `
    -NoGlobalCatalog:$false `
    -SiteName 'Default-First-Site-Name' `
    -NoRebootOnCompletion:$true `
    -Force:$true
When you're prompted to provide a password for the Administrator account, use the Administrator credentials you defined during Active Directory forest installation. Add the domain name as a prefix, as in EXAMPLE-GCP\Administrator.
When you're prompted to enter a Safe Mode Administrator password, use the same password you used for the first domain controller.
Ignore the following warnings. Each warning appears twice: once during prerequisites verification, and a second time during the installation process.
WARNING: Windows Server 2016 domain controllers have a default for the security setting named "Allow cryptography algorithms compatible with Windows NT 4.0" that prevents weaker cryptography algorithms when establishing security channel sessions.
For more information about this setting, see Knowledge Base article 942564 (http://go.microsoft.com/fwlink/?LinkId=104751).
WARNING: A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it does not run Windows DNS server. If you are integrating with an existing DNS infrastructure, you should manually create a delegation to this DNS server in the parent zone to ensure reliable name resolution from outside the domain "example-gcp.com". Otherwise, no action is required.
Restart the virtual machine:
Restart-Computer
Testing the installation
Wait 5 to 10 minutes to make sure that both domain controllers are operational and are replicating information.
Using RDP, connect to the first domain controller instance using the Administrator credentials you defined during the first domain controller installation. Add the domain name as a prefix, as in EXAMPLE-GCP\Administrator.
Open a PowerShell terminal as Administrator.
Test that replication is working:
repadmin /replsum
The output should resemble the following, with no errors or failures.
If the domain controller is not available, you see a message like the following:
Beginning data collection for replication summary, this may take awhile:
  .... Source DSA largest delta fails/total %% error
  Destination DSA largest delta fails/total %% error
If you see this message, wait a couple of minutes and then retry the command.
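Beyond repadmin /replsum, the following PowerShell health check is an added example, not part of the original tutorial: run on either controller as a domain admin, it confirms that both domain controllers are registered, that each one answers the DC locator SRV query (which the SQL Server and IIS hosts in the later tutorials will depend on), that no inbound replication failures are recorded, and that the last successful replication from each partner is recent. It assumes the ActiveDirectory module installed with the management tools above and the default domain name example-gcp.com.

```powershell
# Added example (not part of the original tutorial): health check for the
# two-controller forest built in this tutorial. Requires the ActiveDirectory
# module (installed with the management tools) and domain admin rights.
Import-Module ActiveDirectory

function Test-AdForestHealth {
    param([string] $DomainName = 'example-gcp.com')
    $healthy = $true

    # 1. Both controllers must be registered as DCs for the domain.
    $dcs = @(Get-ADDomainController -Filter * -Server $DomainName)
    Write-Host "Domain controllers: $($dcs.HostName -join ', ')"
    if ($dcs.Count -lt 2) {
        Write-Warning "Expected two domain controllers, found $($dcs.Count)"
        $healthy = $false
    }

    foreach ($dc in $dcs) {
        # 2. Each DC must serve the DC locator SRV record from its own DNS service.
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV `
                   -Server $dc.IPv4Address -ErrorAction SilentlyContinue
        if (-not $srv) {
            Write-Warning "$($dc.HostName) does not answer the _ldap._tcp.dc._msdcs SRV query"
            $healthy = $false
        }

        # 3. No inbound replication failures recorded on this DC.
        $failures = Get-ADReplicationFailure -Target $dc.HostName -ErrorAction SilentlyContinue
        foreach ($f in $failures) {
            Write-Warning "$($dc.HostName): $($f.FailureCount) failure(s) from $($f.Partner): $($f.LastError)"
            $healthy = $false
        }

        # 4. The last successful inbound replication from each partner is recent.
        Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server |
            ForEach-Object {
                $age = (Get-Date) - $_.LastReplicationSuccess
                Write-Host ("{0} <- {1}: last success {2:N0} min ago" -f
                    $dc.HostName, $_.Partner, $age.TotalMinutes)
                if ($age.TotalMinutes -gt 60) { $healthy = $false }
            }
    }
    return $healthy
}

if (Test-AdForestHealth) { Write-Host 'Forest is healthy' }
else { Write-Warning 'Forest needs attention; rerun after a few minutes or inspect the warnings above' }
```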
Clean up
If you want to continue to the next tutorial in this series (Deploying a multi-subnet SQL Server), keep the resources that you created in this tutorial. However, if you don't intend to use the Active Directory environment that you created in this tutorial, go ahead and clean up the resources you created on Google Cloud so you won't be billed for them. The following sections describe how to delete or turn off these resources.
Deleting the project
The easiest way to eliminate billing is to delete the project that you created for the tutorial.
To delete the project:
- In the Google Cloud console, go to the Manage resources page.
- In the project list, select the project that you want to delete, and then click Delete.
- In the dialog, type the project ID, and then click Shut down to delete the project.
Deleting instances
To delete a Compute Engine instance:
- In the Google Cloud console, go to the VM instances page.
- Select the checkbox for the instance that you want to delete.
- To delete the instance, click More actions, click Delete, and then follow the instructions.
Deleting VPC networks
To delete the VPC network, subnets, and firewall rules:
In the Google Cloud console, go to the VPC networks page.
Select the VPC network you created.
Click the Delete button at the top of the page.
What's next
- Continue to the next tutorials in this series:
- Learn more about patterns for using Active Directory in a hybrid environment.
- Review best practices for enterprise organizations.
- Explore reference architectures, diagrams, tutorials, and best practices about Google Cloud. Take a look at our Cloud Architecture Center.