Deploying an Active Directory-based Disaster Recovery with itopia Cloud Automation Stack

By: Alejandro Clavero, Senior Systems Engineer, itopia

This document describes how to create a multisite and extended Active Directory (AD) deployment on Google Cloud through itopia Cloud Automation Stack (CAS) with disaster recovery (DR) capabilities. It includes the system requirements, architecture, and steps to accomplish the deployment.

The purpose of this document is to explain how to create multiple Active Directory (AD) sites in different regions on Google Cloud. These AD sites can host geographically distributed locations. The tutorial also provides a reference on how to use those sites as disaster recovery sites.


  • Launch instances in different regions and zones.
  • Create a virtual private network (VPN) between the on-premises site and multiple Google Cloud sites.


This tutorial uses the following billable components of Google Cloud:

  • Compute Engine
  • Networking bandwidth and VPN

To generate a cost estimate based on your projected usage, use the pricing calculator. New Google Cloud users might be eligible for a free trial.

Before you begin

  1. In the Google Cloud Console, go to the project selector page.

  2. Select or create a Google Cloud project.

  3. Make sure that billing is enabled for your Cloud project. Learn how to confirm that billing is enabled for your project.

  4. Create administrative credentials for the client site domain for the following admin accounts:
    • Domain
    • Enterprise
    • Schema
    • Delegated

Key terms

Default and custom networks
Google Cloud creates a default network for every project as a single /9 network, which it subdivides into smaller /20 subnets, one per region. If you are already using one of those /20 subnets, or the whole /9 range, on-premises, create a custom network through itopia CAS instead.
Google Cloud site
The first site deployed on Google Cloud is the site geographically closest to the on-premises site and serves as the lowest-cost replication site for the DR plan. The site link to this site has the lowest cost among all of the sites deployed to Google Cloud.
Google Cloud site connectivity
By default, regardless of the region, all sites are interconnected through the default network and routes created for each project. Google Cloud creates the /9 network, divides it into smaller /20 subnets for each region, and creates routes that allow all communication within the larger /9 network.
Region
An independent geographic area that consists of zones.
Site
A site consists of redundant domain controllers. Each site is deployed in a different geographical region in Google Cloud, and all redundant instances are deployed in different zones within the same region.
Site and subnets
Google Cloud automatically creates a subnet for each site, depending on the region selected. That subnet also serves as the AD replication subnet for that site.
Zone
A deployment area within a region. Deploying in multiple zones ensures that you maintain the necessary fault-tolerance levels.


The following architectural diagram illustrates how the AD sites are split between on-premises sites and Google Cloud regions:

Architecture of itopia deployment with Google Cloud

  • The on-premises site is the AD site from which CAS extends the domain. Your existing infrastructure is used to create the new domain controllers in Google Cloud. The Flexible Single Master Operations (FSMO) roles remain in this site.
  • Google Cloud regions are used for each AD replication site. Regions are selected during the deployment process and secondary domain controllers are created in different zones of each region.

    • AD site replication links are created and costs are calculated based on geographical proximity to the on-premises AD and to other sites.
    • Either an interconnect or a VPN is required to connect the on-premises site to the Google Cloud replication sites.

Building a Google Cloud deployment with CAS

In this section, you build an Active Directory–based disaster recovery deployment with CAS.

  1. In itopia, go to All Deployments.

  2. Click the Plus icon, and then click Add.

  3. In the Create Deployment window, enter a name for the deployment, select Active Directory, and then click Next.

  4. In the Deployment configuration section under Active Directory, click Existing Domain, fill in the following fields, and then click Next.

    • Delegated admin: Enter your domain admin username (in UPN or domain\samaccountname format).
    • Domain admin password
    • DNS servers IP

    Deployment configuration for active directory

  5. In the GCP configuration section, select an existing Google Cloud project or create a new one. If you create a new project through the itopia CAS portal, connect the on-premises network with Google Cloud.

    Google Cloud configuration in itopia

  6. In the Google Cloud Regions section, select the Google Cloud regions where you want to deploy.

  7. Click the Primary region. The primary region should be the region geographically closest to your site, which gives the lowest latency.

    Primary region selection

  8. The Compute Engine Instances section lists the instances that are deployed automatically. itopia provides predefined resource values for each instance. Modify the instances based on your deployment requirements, and then click Next.

    • To edit an instance that's already deployed, click the Edit icon.
    • To add an additional instance, click the Plus icon.

    Compute Engine instances modification

  9. In the Summary section, review your deployment settings, select the Authorization checkbox, and then click Deploy.

    Summary section to authorize changes

Create a VPN

When you start the deployment, itopia checks whether there is connectivity between your site and Google Cloud. If your AD fails to connect, itopia CAS can't extend your AD to Google Cloud. To resolve the issue, first verify the domain credentials and the domain IP address.

If you're still unable to connect, follow these steps to create a VPN:

  1. Click Create VPN.

    Create VPN button

  2. Enter a name and description. Click the Plus icon.

    Add a VPN

  3. In the Add Tunnel window, complete the following fields, and then click Save.

    • Remote peer address: Enter the static public IP address of your on-premises VPN endpoint.
    • IKE version: IKEv2 is preferred, but IKEv1 is supported. For more information, see Supported IKE Ciphers.
    • Shared secret: A unique, generated pre-shared key. Store a copy securely for your records.
    • Remote Network IP ranges: The ranges of the peer network, which is the network on the other side of the VPN tunnel from the Google Cloud VPN gateway.
    • Local IP ranges: Enter the IP ranges that you want routed through the VPN tunnel.

    Tunnel settings

After you click Save, wait 5 to 10 minutes for the VPN tunnel to be created. In the meantime, the VPN appears as "Pending Update" in itopia CAS.

Create firewall rules

The VPN tunnel by itself doesn't allow any traffic between your on-premises network and Google Cloud; firewall rules are still required. To allow traffic from your on-site network, create two firewall rules.

  1. Go to Google Cloud Console.

  2. Go to VPC network > Firewall rules.

  3. Click Create Firewall Rule.

    Create firewall rule button

  4. In the Create a firewall rule window, complete the following fields, and then click Create.

    • Name: Enter on-site-network.
    • Network: Click Default.
    • Priority: Enter 1000.
    • Direction of traffic: Click Ingress.
    • Action on match: Click Allow.
    • Targets: Select All instances in the network.
    • Source filter: Select IP ranges.
    • Source IP ranges: Enter
    • Second source filter: Select None.
    • Protocols and ports: Click Specified protocols and ports and enter the following information:

      • In the tcp field, enter 42, 53, 88, 135, 137, 139, 389, 445, 464, 636, 3268, 3269, 1512, 4912-65535, 1723, 3389.
      • In the udp field, enter 42, 53, 88, 123, 137, 138, 139, 464, 1512.
      • In the Other protocols field, enter icmp.

    Firewall rule settings
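As an added example (not itopia's or Google's own code), the following POSIX shell script assembles the gcloud equivalent of the on-site-network rule above and refuses to build it with an Internet-wide source range, since the rule targets every instance in the network and opens RDP, SMB and LDAP. The on-premises CIDR is a placeholder, and the TCP list uses the Microsoft-documented RPC dynamic range 49152-65535 in place of the 4912-65535 printed above.

```shell
#!/bin/sh
# Added example, not part of the itopia or Google Cloud documentation.
# ONPREM_RANGE is a placeholder: set it to the CIDR of your on-premises network.
ONPREM_RANGE="${ONPREM_RANGE:-192.0.2.0/24}"

# Port lists from the tutorial. The TCP list uses the Microsoft-documented
# RPC dynamic range 49152-65535 in place of the tutorial's 4912-65535.
AD_TCP="42,53,88,135,137,139,389,445,464,636,3268,3269,1512,49152-65535,1723,3389"
AD_UDP="42,53,88,123,137,138,139,464,1512"

# rules_for tcp "42,53" -> "tcp:42,tcp:53" (the gcloud --rules syntax)
rules_for() {
  printf '%s' "$2" | sed "s/,/,$1:/g; s/^/$1:/"
}

# The rule applies to every instance in the network and opens RDP, SMB and
# LDAP, so refuse a source range that would admit the whole Internet.
check_source_range() {
  case "$1" in
    ""|*/0) return 1 ;;
    *)      return 0 ;;
  esac
}

# Print the gcloud command that creates the on-site-network rule.
firewall_cmd() {
  check_source_range "$ONPREM_RANGE" || {
    echo "refusing open source range: '$ONPREM_RANGE'" >&2
    return 1
  }
  printf 'gcloud compute firewall-rules create on-site-network --network default --priority 1000 --direction INGRESS --action ALLOW --source-ranges %s --rules %s,%s,icmp\n' \
    "$ONPREM_RANGE" "$(rules_for tcp "$AD_TCP")" "$(rules_for udp "$AD_UDP")"
}

firewall_cmd
```

Run it with ONPREM_RANGE set to your on-premises CIDR and paste the printed command into Cloud Shell; "All instances in the network" corresponds to omitting any target tag or service account.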

Provisioning a domain extension

During a domain extension to Google Cloud, itopia CAS does the following:

  • Deploys a minimum of two instances per region for domain controllers.
  • Prepares the instances with DNS information to let them communicate with the local domain.
  • Joins instances to the existing domain.
  • Promotes instances to domain controllers on Google Cloud.
  • Creates replication sites and subnets.
  • Calculates site link costs based on Google Cloud inter-site latency.
  • Assigns costs to site links for best replication paths.

Active Directory replication sites

After the domain controllers are created, itopia CAS automatically creates the following for each DR site deployed to Google Cloud:

  • AD replication sites
  • Subnets
  • Site links

In addition, CAS automatically calculates the costs for each site link based on the latency between each region.

Managing an Active Directory deployment with itopia

By deploying an AD with itopia and integrated with Google Cloud, you can automate the following management tasks:

Clean up

To avoid incurring charges to your Google Cloud account for the resources used in this tutorial, either delete the project that contains the resources, or keep the project and delete the individual resources.

Delete the project

  1. In the Cloud Console, go to the Manage resources page.

  2. In the project list, select the project that you want to delete, and then click Delete.
  3. In the dialog, type the project ID, and then click Shut down to delete the project.

What's next