This document describes how to create a multisite, extended Active Directory (AD) deployment on Google Cloud through itopia Cloud Automation Stack (CAS) with disaster recovery (DR) capabilities. It covers the system requirements, the architecture, and the steps needed to complete the deployment.
The purpose of this document is to explain how to create multiple Active Directory sites in different Google Cloud regions. Each AD site can serve users and workloads in a different geographic location, and the tutorial also shows how to use those sites as disaster recovery sites.
Objectives
- Launch instances in different regions and zones.
- Create a virtual private network (VPN) between the on-premises site and multiple Google Cloud sites.
Costs
This tutorial uses the following billable components of Google Cloud:
- Compute Engine
- Networking bandwidth and VPN
Before you begin
In the Google Cloud Console, go to the project selector page.
Select or create a Google Cloud project.
Make sure that billing is enabled for your Cloud project. Learn how to confirm that billing is enabled for your project.
You also need administrative credentials for the client site domain for the following admin accounts. Treat these as Tier-0 credentials: use a dedicated account for the deployment rather than a personal one, and rotate its password after the deployment completes.
Terminology
- Default and custom networks
- Google Cloud creates a default auto mode network for each project from the 10.128.0.0/9 range, which it subdivides into one /20 subnet per region. If your on-premises network already uses any part of 10.128.0.0/9, whether one of those /20 subnets or a larger range, create a custom network through itopia CAS so that on-premises and Google Cloud routes don't collide.
- Google Cloud site
- The first site deployed on Google Cloud is the site geographically closest to the on-premises site and serves as the lowest-cost replication site for the DR plan. The site link to this site has the lowest cost of all the sites deployed to Google Cloud.
- Google Cloud site connectivity
- By default, regardless of region, all sites are interconnected because the default network spans every region: Google Cloud carves 10.128.0.0/9 into a /20 subnet per region and creates routes that allow communication across the whole /9. Remember that this connectivity is a routing property; firewall rules still govern which traffic is allowed.
- Region
- An independent geographic area that consists of zones.
- Site
- A site consists of redundant domain controllers. Each site is deployed in a different Google Cloud region, and the redundant instances within a site are deployed in different zones of that region.
- Site and subnets
- Google Cloud automatically creates a subnet for each site, depending on the region selected. That subnet also serves as the AD replication subnet for that site.
- Zone
- A deployment area within a region. Deploying in multiple zones ensures that you maintain the necessary fault-tolerance levels.
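The overlap check behind the "Default and custom networks" entry is easy to get wrong by eye, so here is an added example (not code from itopia or Google) that tests a list of on-premises prefixes against 10.128.0.0/9. The prefix list is a constructed sample and the function names are my own; any prefix that overlaps is a reason to deploy into a custom network through CAS instead of the default network.

```powershell
# Added example, not part of the itopia or Google Cloud documentation: check
# whether on-premises prefixes collide with 10.128.0.0/9, the range an
# auto mode network carves into one /20 subnet per region. If any prefix
# overlaps, deploy into a custom network through itopia CAS instead.
# $OnPremPrefixes is a constructed sample; replace it with your real ranges.

function ConvertTo-UInt32Address {
    param([Parameter(Mandatory)][string]$Address)
    $bytes = ([System.Net.IPAddress]::Parse($Address)).GetAddressBytes()
    if ($bytes.Length -ne 4) { throw "IPv4 address required: $Address" }
    [Array]::Reverse($bytes)   # network byte order -> little-endian for BitConverter
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-CidrOverlap {
    param(
        [Parameter(Mandatory)][string]$CidrA,
        [Parameter(Mandatory)][string]$CidrB
    )
    $addrA, $lenA = $CidrA.Split('/')
    $addrB, $lenB = $CidrB.Split('/')
    # Two prefixes overlap exactly when they agree on the shorter prefix length,
    # so mask both addresses with the shorter mask and compare.
    $shorter = [Math]::Min([int]$lenA, [int]$lenB)
    # Build the mask with 64-bit arithmetic to avoid signed 32-bit overflow.
    $mask = [uint32]((1L -shl 32) - (1L -shl (32 - $shorter)))
    $netA = (ConvertTo-UInt32Address $addrA) -band $mask
    $netB = (ConvertTo-UInt32Address $addrB) -band $mask
    return ($netA -eq $netB)
}

$GoogleAutoModeRange = '10.128.0.0/9'
# Constructed sample: the first prefix sits inside the /9, the others do not.
$OnPremPrefixes = @('10.130.0.0/16', '10.10.0.0/16', '192.168.50.0/24')

foreach ($prefix in $OnPremPrefixes) {
    if (Test-CidrOverlap -CidrA $prefix -CidrB $GoogleAutoModeRange) {
        Write-Warning "$prefix overlaps $GoogleAutoModeRange; deploy into a custom network via CAS"
    } else {
        Write-Output "$prefix is clear of the default network range"
    }
}
```

Run it on the on-premises side before starting the deployment. Checking against the whole /9 rather than the individual regional /20s is deliberate: the default network's routes cover the entire /9, so any overlap inside it leads to ambiguous routing once the VPN is up, not just in the region you picked.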
The following architectural diagram illustrates how the AD sites are split between on-premises sites and Google Cloud regions:
- On-premises is the AD site from which the software extends the domain. Your existing infrastructure is used to create new domain controllers in Google Cloud. The Flexible Single Master Operations (FSMO) roles remain in this site.
- Google Cloud regions are used for each AD replication site. Regions are selected during the deployment process, and secondary domain controllers are created in different zones of each region.
- AD site replication links are created, and their costs are calculated based on geographical proximity to the on-premises AD site and to the other sites.
- Either a Cloud Interconnect attachment or a VPN is required in order to connect the on-premises site to the Google Cloud replication sites.
Building a Google Cloud deployment with CAS
In this section, you build an Active Directory–based disaster recovery deployment with CAS.
In itopia, go to All Deployments.
Click the Plus icon, and then click Add.
In the Create Deployment window, enter a name for the deployment, select Active Directory, and then click Next.
In the Deployment configuration section under Active Directory, click Existing Domain, fill in the following fields, and then click Next.
- Delegated admin: Enter your domain admin username (in UPN or domain\samaccountname format).
- Domain admin password
- DNS servers IP
In the GCP configuration section, select an existing Google Cloud project or create a new one. If you create a new project through the itopia CAS portal, connect the on-premises network with Google Cloud.
In the Google Cloud Regions section, select the Google Cloud regions where you want to deploy.
Select the primary region. The primary region should be the region geographically closest to your on-premises site, which gives the lowest latency and therefore the lowest-cost site link.
The Compute Engine Instances section lists automatically deployed instances. Itopia provides predefined resource values for each instance. Modify the instances based upon your deployment requirements, and then click Next.
- To edit an instance that's already deployed, click the Edit icon.
- To add an additional instance, click the Plus icon.
In the Summary section, review your deployment settings, select the Authorization checkbox, and then click Deploy.
Create a VPN
When you start the deployment, itopia checks whether there is connectivity between your site and Google Cloud. If your AD can't be reached, itopia CAS can't extend it to Google Cloud. To resolve the issue, first verify the domain credentials and the DNS server IP address that you entered.
If you're still unable to connect, follow these steps to create a VPN:
Click Create VPN.
Enter a name and description. Click the Plus icon.
In the Add Tunnel window, complete the following fields, and then click Save.
- Remote peer address: Enter the static public IP address of your on-premises VPN gateway.
- IKE version: IKEv2 is preferred, but IKEv1 is supported. For more information, see Supported IKE Ciphers.
- Shared secret: A generated unique key. Save a copy in your secrets store, not in the deployment notes; it is the only thing authenticating the tunnel peers.
- Remote Network IP ranges: The ranges of the peer network, which is the network on the other side of the VPN tunnel from the Google Cloud VPN gateway.
- Local IP ranges: Enter the Google Cloud IP ranges that you want routed through the VPN tunnel.
After you click Save, wait 5 to 10 minutes for the VPN tunnel to be created. In the meantime, the VPN appears as "Pending Update" in itopia CAS.
Create firewall rules
The VPN tunnel does not by itself create any firewall rules between your on-premises network and Google Cloud. In order to allow the traffic that AD replication and authentication need from your on-site network, create two firewall rules.
Go to Google Cloud Console.
Go to VPC network > Firewall rules.
Click Create Firewall Rule.
In the Create a firewall rule window, complete the following fields, and then click Create.
- Name: Enter a descriptive name for the rule.
- Network: Click Default.
- Priority: Enter a priority. Lower numbers are evaluated first; 1000 is the default.
- Direction of traffic: Click Ingress.
- Action on match: Click Allow.
- Targets: Select All instances in the network. If you later add non-DC instances to this network, tighten the rule to the domain controllers by using a target tag instead.
- Source filter: Select IP ranges.
- Source IP ranges: Enter the on-premises ranges that reach Google Cloud through the VPN tunnel. Never use 0.0.0.0/0 here; these ports expose Kerberos, LDAP, SMB, and RPC.
- Second source filter: Select None.
- Protocols and ports: Click Specified protocols and ports and enter the following information:
- In the tcp field, enter
42, 53, 88, 135, 137, 139, 389, 445, 464, 636, 3268, 3269, 1512, 49152-65535, 1723, 3389.
- In the udp field, enter
42, 53, 88, 123, 137, 138, 139, 464, 1512.
- In the Other protocols field, enter
For the second firewall rule, repeat the steps above with the following values:
- In the tcp field, enter
- Name: Enter
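Once the tunnel is up and the rule is in place, it is worth confirming from an on-premises domain controller that the ports the rule opens are actually reachable, rather than waiting for the deployment's connectivity check to fail. The following is an added example (not from itopia or the Google Cloud documentation); the hostname is an assumed placeholder. It probes the fixed TCP ports from the rule above and then exercises the RPC dynamic range the way AD does, by binding to the directory replication service through the endpoint mapper on 135. UDP ports are not probed, because Test-NetConnection only tests TCP.

```powershell
# Added example, not itopia or Google Cloud code: run from an on-premises DC
# after the VPN and firewall rule exist, to confirm the TCP ports in the rule
# are reachable on a Google Cloud domain controller.
# $GcpDc is an assumed placeholder; replace it with a real DC name.

$GcpDc = 'gcp-dc01.corp.example.com'

# Fixed TCP ports from the firewall rule. The RPC dynamic range (49152-65535)
# is not enumerated; it is exercised below via an RPC bind through port 135.
$TcpPorts = 42, 53, 88, 135, 137, 139, 389, 445, 464, 636, 3268, 3269, 1512, 1723, 3389

function Test-DcPorts {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][int[]]$Ports
    )
    foreach ($port in $Ports) {
        # -InformationLevel Quiet returns $true/$false for the TCP handshake.
        $open = Test-NetConnection -ComputerName $ComputerName -Port $port `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Host = $ComputerName; Port = $port; Open = [bool]$open }
    }
}

$results = Test-DcPorts -ComputerName $GcpDc -Ports $TcpPorts
$results | Format-Table -AutoSize

$blocked = $results | Where-Object { -not $_.Open }
if ($blocked) {
    $list = ($blocked.Port | Sort-Object) -join ', '
    Write-Warning "Blocked TCP ports on ${GcpDc}: $list. Check the rule's source ranges and port list."
}

# A DRS bind goes through the endpoint mapper (135) and then a port in the
# dynamic range, so a successful bind proves that range is open end to end.
repadmin /bind $GcpDc
```

If every fixed port reports Open but the bind fails, the dynamic range is the usual culprit: the rule must carry 49152-65535 (the Windows Server 2008 and later RPC range), not a typo of it. Run the same check in the other direction from the Google Cloud DC once it is promoted, since replication is initiated from both sides.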
Provisioning a domain extension
During a domain extension to Google Cloud, itopia CAS does the following:
- Deploys a minimum of two instances per region for domain controllers.
- Prepares the instances with DNS information to let them communicate with the local domain.
- Joins instances to the existing domain.
- Promotes instances to domain controllers on Google Cloud.
- Creates replication sites and subnets.
- Calculates site link costs based on Google Cloud inter-site latency.
- Assigns costs to site links for best replication paths.
Active Directory replication sites
After the domain controllers are created, for each DR site deployed to Google Cloud, itopia CAS automatically creates the following:
- AD replication sites
- Site links
In addition, CAS automatically calculates the costs for each site link based on the latency between each region.
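CAS creates the sites, subnets, and site links for you, but you should still verify the result in AD itself: that each Google Cloud DC landed in its own site, that the regional subnet is bound to that site, that the link costs reflect the intended DR ordering (lowest cost to the site nearest on-premises), and that replication is actually flowing. The following is an added example (not itopia CAS code); the on-premises site name is an assumption, and the real site and link names are whatever CAS chose.

```powershell
# Added example, not itopia CAS code: verify the sites, subnets, and site
# links a domain extension created, and the replication health behind them.
# Run from any DC with RSAT. $OnPremSite is an assumed name; CAS picks the
# real site and link names.
Import-Module ActiveDirectory

$OnPremSite = 'Default-First-Site-Name'

# Strip a site DN ("CN=Name,CN=Sites,...") down to the site name.
function Get-SiteNameFromDn {
    param([Parameter(Mandatory)][string]$Dn)
    return (($Dn -split ',')[0] -replace '^CN=')
}

# 1. Which domain controllers sit in which site. Each Google Cloud region
#    should show its own site with at least two DCs in it.
Get-ADDomainController -Filter * |
    Group-Object Site |
    Select-Object @{n='Site'; e={ $_.Name }},
                  @{n='DomainControllers'; e={ ($_.Group.HostName | Sort-Object) -join ', ' }} |
    Format-Table -AutoSize

# 2. Subnets bound to each site; the regional /20 must map to its site or
#    clients will pick DCs by the wrong site.
Get-ADReplicationSubnet -Filter * |
    Select-Object Name, @{n='Site'; e={ Get-SiteNameFromDn $_.Site }} |
    Sort-Object Site |
    Format-Table -AutoSize

# 3. Site links and the costs CAS assigned; the KCC prefers lower cost.
Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes, SitesIncluded |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
                  @{n='Sites'; e={ ($_.SitesIncluded | ForEach-Object { Get-SiteNameFromDn $_ }) -join ' <-> ' }} |
    Sort-Object Cost |
    Format-Table -AutoSize

# 4. The DR rule from the architecture section: the Google Cloud site with the
#    lowest-cost link to the on-premises site is the primary replication site.
$primaryLink = Get-ADReplicationSiteLink -Filter * -Properties Cost, SitesIncluded |
    Where-Object { $_.SitesIncluded -match "^CN=$OnPremSite," } |
    Sort-Object Cost |
    Select-Object -First 1
if ($primaryLink) {
    Write-Output ("Lowest-cost link from {0}: {1} (cost {2})" -f $OnPremSite, $primaryLink.Name, $primaryLink.Cost)
} else {
    Write-Warning "No site link includes $OnPremSite; check the site name."
}

# 5. Confirm replication is flowing into the new sites and surface failures.
repadmin /replsummary
Get-ADReplicationFailure -Scope Domain -Target (Get-ADDomain).DNSRoot
```

Step 4 is the one to watch after adding a third or fourth region: CAS recalculates costs from inter-region latency, so a new region that happens to be closer to the on-premises site can change which Google Cloud site the KCC treats as the first hop, and with it the DR order you planned around.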
Managing an Active Directory deployment with itopia
By deploying AD with itopia, integrated with Google Cloud, you can automate the following management tasks:
Cleaning up
To avoid incurring charges to your Google Cloud account for the resources used in this tutorial, either delete the project that contains the resources, or keep the project and delete the individual resources.
Delete the project
- In the Cloud Console, go to the Manage resources page.
- In the project list, select the project that you want to delete, and then click Delete.
- In the dialog, type the project ID, and then click Shut down to delete the project.
What's next
- Learn more about other patterns for using Active Directory in a hybrid environment.
- Explore reference architectures, diagrams, tutorials, and best practices about Google Cloud in the Cloud Architecture Center.