Setting up Active Directory on Google Compute Engine

Get Active Directory running on a Google Compute Engine instance easily and quickly. Configure Compute Engine instances as domain controllers, and add instances to the domain.

You can deploy Active Directory using the Google Cloud Platform Console and the gcloud command-line tool. In this tutorial, you create a single domain and three Compute Engine instances: two domain controllers and one machine joined to the domain. The domain controllers are placed in different zones to increase fault tolerance.

Objectives

Prerequisites

Create or select a Google Cloud project

  1. Go to the VM instances page in the Cloud Platform Console. Select an existing project or create a new project. If you create a new project, you might be prompted to enable billing. Make a note of your project ID, which might be different from your project name.

  2. When you go to the VM instances page, several APIs, including the Google Compute Engine API, are enabled for your project. To see the APIs that are enabled for your project, go to the Enabled APIs page.

Install the Google Cloud SDK

  1. Install the Google Cloud SDK. This SDK includes the gcloud tool, which you will need for the next step.

  2. Open a command window, and enter this command:

    gcloud init
    

Learn about Windows instances on Google Compute Engine

Familiarize yourself with the information in Creating Windows Virtual Machine Instances, especially the sections about creating a Windows instance, checking to see whether an instance has successfully started, and creating passwords for Windows instances.

Create a Windows Server 2008 R2 instance

  1. Create an instance named controller-1 in the us-central1-c zone.

    gcloud compute instances create controller-1 \
         --image-family windows-2008-r2 \
         --image-project windows-cloud \
         --can-ip-forward \
         --zone us-central1-c
    

    Notice that IP forwarding is enabled with the --can-ip-forward flag. Without it, the network would drop packets addressed to the static IP address (10.1.1.1) that you route to this instance later in this tutorial, because that address is not the instance's own internal address.

    The output lists the new instance and some of its properties:

    Created [https://www.googleapis.com/compute/v1/projects/my-project/zones/us-central1-c/instances/controller-1].
    NAME         ZONE          MACHINE_TYPE  PREEMPTIBLE INTERNAL_IP EXTERNAL_IP    STATUS
    controller-1 us-central1-c n1-standard-1             10.240.0.2  104.197.69.234 RUNNING

  2. To see detailed information about your instance:

    gcloud compute instances describe controller-1
    

    The output includes information about forwarding and IP addresses:

    canIpForward: true
    ...
    name: controller-1
    ...
    natIP: 104.197.69.234
    ...
    networkIP: 10.240.0.2
    ...

    You can see that IP forwarding is enabled, and you can see both the internal IP address (networkIP) and the external IP address (natIP) for the instance.

Verify firewall rules

  1. Your project should already have a firewall rule that allows RDP traffic on port 3389. Note that this default rule, default-allow-rdp, accepts connections from any source address (0.0.0.0/0); before you place domain controllers behind it, restrict it to the address range you administer from, or replace it with a rule that does. Verify that the rule exists:

    gcloud compute firewall-rules list
    

    The output lists all the firewall rules in your project:

    NAME                   NETWORK SRC_RANGES    RULES                        SRC_TAGS TARGET_TAGS
    default-allow-icmp     default 0.0.0.0/0     icmp
    default-allow-internal default 10.240.0.0/16 tcp:1-65535,udp:1-65535,icmp
    default-allow-rdp      default 0.0.0.0/0     tcp:3389
    default-allow-ssh      default 0.0.0.0/0     tcp:22
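
The default-allow-rdp rule above exposes port 3389 to the whole Internet. The following commands, added here as an example and not part of the original tutorial, replace it with a rule that accepts RDP only from an administrative source range and only for instances that carry a network tag. The range 203.0.113.0/24, the rule name allow-rdp-admin and the tag ad-rdp are placeholders to substitute; the commands run in the same command window you used for gcloud init.

```powershell
# Added example: restrict RDP to an administrative source range.
# 203.0.113.0/24, "allow-rdp-admin" and the tag "ad-rdp" are assumed placeholders.
$AdminRange = "203.0.113.0/24"
$RdpTag     = "ad-rdp"

# Create a replacement rule scoped to the admin range and to tagged instances.
gcloud compute firewall-rules create allow-rdp-admin `
    --network default `
    --allow tcp:3389 `
    --source-ranges $AdminRange `
    --target-tags $RdpTag

# Tag the domain controller so the new rule applies to it (repeat for each
# instance you need to reach over RDP, with its own zone).
gcloud compute instances add-tags controller-1 --tags $RdpTag --zone us-central1-c

# Remove the world-open default rule. default-allow-internal still permits
# AD traffic between instances on the 10.240.0.0/16 network.
gcloud compute firewall-rules delete default-allow-rdp --quiet

# Confirm that no remaining rule exposes tcp:3389 from 0.0.0.0/0.
gcloud compute firewall-rules list
```

Tag controller-2 the same way after you create it; an instance without the tag is not reachable on port 3389 at all once default-allow-rdp is gone.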

Configure a static network IP address

  1. Create a forwarding route:

    gcloud compute routes create my-route-1 \
        --destination-range 10.1.1.1/32 \
        --next-hop-instance controller-1 \
        --next-hop-instance-zone us-central1-c \
        --priority 1
    

    The output displays information about the new route:

    NAME       NETWORK DEST_RANGE  NEXT_HOP                             PRIORITY
    my-route-1 default 10.1.1.1/32 us-central1-c/instances/controller-1 1

  2. Follow the steps described in Configure a static network IP address to set up a static network IP address for controller-1. Use 10.1.1.1 as your static IP address. You can skip the first few steps in the list, because you've already done them. Start with step 5, which describes logging in to your instance through an RDP client.

Enable Active Directory Domain Services

  1. In the Windows Desktop of your instance, from the Start menu, type Server Manager and select it from the list.

  2. Click Roles and then Add Roles.

  3. Click Server Roles, and check Active Directory Domain Services.

  4. If prompted, click Add Required Features to install the .NET Framework.

  5. Finish the wizard.

Promote the instance to a domain controller

  1. From the Start menu, type dcpromo and select it from the list.

  2. As you go through the Active Directory Domain Services Installation Wizard, choose these options:

    • Create a new domain in a new forest.
    • For FQDN, enter abcd.example.com.
    • For Forest functional level, select Windows Server 2008 R2.
    • Check the DNS server box.
    • Notice that the Global catalog box must be checked.
    • When the wizard warns that the computer has a dynamically assigned IP address, click Yes, the computer will use an IP address automatically assigned by the DHCP server. The main adapter keeps its DHCP-assigned internal address; the static address 10.1.1.1 is the one you configured earlier.
    • Enter a password for Directory Services Restore Mode.
  3. Before you finish the wizard, review your selections. Your selections will be similar to this:

    Configure this server as the first Active Directory domain controller in a new forest.
    The new domain name is "abcd.example.com". This is also the name of the new forest.
    The NetBIOS name of the domain is "ABCD".
    Forest Functional Level: Windows Server 2008 R2
    Domain Functional Level: Windows Server 2008 R2
    Site: Default-First-Site-Name

    Additional Options:
      Read-only domain controller: No
      Global catalog: Yes
      DNS Server: Yes

    Create DNS Delegation: No

    Database folder: C:\Windows\NTDS
    Log file folder: C:\Windows\NTDS
    SYSVOL folder: C:\Windows\SYSVOL

    The DNS Server service will be installed on this computer. The DNS Server service will be configured on this computer. This computer will be configured to use this DNS server as its preferred DNS server.

    The password of the new domain Administrator will be the same as the password of the local Administrator of this computer.

  4. Finish the wizard, and restart your instance.

  5. After the restart, enable time synchronization for the domain controller. Kerberos authentication in the domain tolerates only a few minutes of clock skew, so the Windows Time Service on the domain controller should be synchronized against a reliable time source, such as the Compute Engine metadata server. To set the metadata server as the source, open a Command Prompt window as administrator in your Windows instance and enter this command:

    w32tm /config /manualpeerlist:"metadata.google.internal" /syncfromflags:manual /reliable:yes /update
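
The role installation and the dcpromo wizard above can be driven from an elevated PowerShell prompt on the instance instead of the GUI. The script below is an added example, not part of the original tutorial: it installs the AD DS role, writes a dcpromo answer file whose values match the wizard summary above (new forest abcd.example.com, NetBIOS name ABCD, Windows Server 2008 R2 functional levels, DNS server, no DNS delegation, default folders), runs dcpromo /unattend, and removes the answer file before rebooting. The answer-file path C:\dcpromo-forest.txt is an assumption. The DSRM password is prompted for and written to the file only for the duration of the promotion.

```powershell
# Added example (not from the original tutorial): promote controller-1 to the
# first domain controller of abcd.example.com with dcpromo /unattend.
# Run as Administrator on Windows Server 2008 R2. The answer-file path is an assumption.

# Step 1: install the AD DS role (the wizard's "Add Roles" step).
Import-Module ServerManager
Add-WindowsFeature AD-Domain-Services

# Step 2: collect the Directory Services Restore Mode password without echoing it.
$Dsrm      = Read-Host -AsSecureString "Directory Services Restore Mode password"
$DsrmPlain = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
                 [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Dsrm))

# Step 3: write the answer file. ForestLevel/DomainLevel 4 = Windows Server 2008 R2.
$AnswerFile = "C:\dcpromo-forest.txt"
@"
[DCINSTALL]
InstallDNS=yes
NewDomain=forest
NewDomainDNSName=abcd.example.com
DomainNetBiosName=ABCD
ReplicaOrNewDomain=domain
ForestLevel=4
DomainLevel=4
CreateDNSDelegation=no
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$DsrmPlain
RebootOnCompletion=no
"@ | Set-Content -Path $AnswerFile -Encoding ASCII

# Step 4: promote, then remove the file (it holds the DSRM password in clear text)
# and reboot, which the wizard would otherwise do for you.
dcpromo "/unattend:$AnswerFile"
Remove-Item $AnswerFile -Force
Restart-Computer -Force

# Step 5 (after the reboot, as Administrator): the tutorial's time-sync step,
# followed by an immediate resync and a check of the configured peer.
w32tm /config /manualpeerlist:"metadata.google.internal" /syncfromflags:manual /reliable:yes /update
w32tm /resync
w32tm /query /status
```

The first four steps run in one session and end with the reboot; run step 5 in a new elevated prompt after the instance comes back, exactly as step 5 of the procedure above describes.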

Create a second instance

To increase fault tolerance, create a second domain controller instance in a different zone from your first instance.

  1. Create an instance named controller-2 in the us-central1-f zone:

    gcloud compute instances create controller-2 \
         --image-family windows-2008-r2 \
         --image-project windows-cloud \
         --can-ip-forward \
         --zone us-central1-f
    
  2. The output of the command lists the instance and some of its properties:

    Created [https://www.googleapis.com/compute/v1/projects/my-project/zones/us-central1-f/instances/controller-2].
    NAME         ZONE          MACHINE_TYPE  PREEMPTIBLE INTERNAL_IP EXTERNAL_IP  STATUS
    controller-2 us-central1-f n1-standard-1             10.240.0.4  23.236.61.59 RUNNING

  3. To see detailed information about your instance:

    gcloud compute instances describe controller-2
    

Enable Active Directory Domain Services for your second instance

  1. Do these steps as you did for controller-1. Recall that controller-1 uses 10.1.1.1 as its static IP address. For controller-2, create a route named my-route-2, and use 10.1.1.2 as the static IP address.

    • Create or reset a Windows username and password
    • Verify firewall rules.
    • Create a forwarding route.
    • Establish an RDP connection to your instance.
    • Create a static IP address.
    • Enable Active Directory Domain Services.

Verify that your static IP addresses work

  1. View information about your routes:

    gcloud compute routes list
    

    Check the output to make sure the IP addresses and zones are correct.

    my-route-1    default 10.1.1.1/32   us-central1-c/instances/controller-1 1
    my-route-2    default 10.1.1.2/32   us-central1-f/instances/controller-2 1

  2. In the Desktop of controller-1, open a Command Prompt window as Administrator, and enter ping 10.1.1.2.

  3. In the Desktop of controller-2, open a Command Prompt window as Administrator, and enter ping 10.1.1.1.

Promote your second instance to a domain controller

  1. Before you promote controller-2 to a domain controller, create a user in the Domain Admins group on controller-1. Promoting an additional domain controller requires Domain Admins membership; this account is only for that purpose.

    1. In the Desktop of controller-1, from the Start menu, type Active Directory Users and Computers and select it from the list.

    2. Expand abcd.example.com, right click Users, and select New > User.

    3. Create a user named John Doe, and set User logon name to johndoe.

    4. In the right pane, double click Domain Admins, and add johndoe to the Domain Admins group.

  2. In the Desktop of controller-2, from the Start menu, type Network and Sharing Center and select it from the list. Open the properties for your loopback adapter. In the properties for Internet Protocol Version 4, set the DNS server address to 10.1.1.1, which is the static IP address of controller-1. controller-2 must resolve the domain's DNS records through controller-1 to locate it during promotion.

    Now open the properties for your main network adapter. Just as you did for the loopback adapter, set the DNS server address to 10.1.1.1.

  3. In the Desktop of controller-2, from the Start menu, type dcpromo and select it from the list.

    As you go through the Active Directory Domain Services Installation Wizard, choose these options:

    • Existing forest: Add a domain controller to an existing domain.
    • Enter the same domain: abcd.example.com.
    • Alternate Credentials: Enter the credentials of a user who is in the Domain Admins group on your first domain controller. For example, in this tutorial, John Doe is in the Domain Admins group on controller-1.
    • Check the DNS server box.
    • Check the Global catalog box.
    • Yes, the computer will use an IP address automatically assigned by the DHCP server.
    • Enter a password for Directory Services Restore Mode.

    Before you finish the wizard, review your selections.
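
The same three steps (create the johndoe account on controller-1, point controller-2 at controller-1 for DNS, promote controller-2 as a replica) scripted for an elevated PowerShell prompt, as an added example that is not part of the original tutorial. Part A runs on controller-1 and uses the ActiveDirectory module that the AD DS role installs on Windows Server 2008 R2; Part B runs on controller-2. The answer-file path C:\dcpromo-replica.txt is an assumption. Password=* in the answer file makes dcpromo prompt for johndoe's password rather than storing it on disk.

```powershell
# Added example (not from the original tutorial). Run as Administrator.

# ---- Part A: on controller-1, create johndoe and add it to Domain Admins.
Import-Module ActiveDirectory
New-ADUser -Name "John Doe" -SamAccountName johndoe `
    -UserPrincipalName "johndoe@abcd.example.com" `
    -AccountPassword (Read-Host -AsSecureString "Password for johndoe") `
    -Enabled $true
Add-ADGroupMember -Identity "Domain Admins" -Members johndoe

# ---- Part B: on controller-2.
# Set DNS on every IP-enabled adapter (main NIC and loopback adapter) to
# controller-1's static IP, as the GUI steps do for both adapters.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=TRUE" |
    ForEach-Object { [void]$_.SetDNSServerSearchOrder(@("10.1.1.1")) }

# Install the role, then write the replica answer file (existing domain,
# DNS server, global catalog). The answer-file path is an assumption.
Import-Module ServerManager
Add-WindowsFeature AD-Domain-Services
$Dsrm      = Read-Host -AsSecureString "Directory Services Restore Mode password"
$DsrmPlain = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
                 [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Dsrm))
$AnswerFile = "C:\dcpromo-replica.txt"
@"
[DCINSTALL]
ReplicaOrNewDomain=replica
ReplicaDomainDNSName=abcd.example.com
UserDomain=abcd.example.com
UserName=johndoe
Password=*
InstallDNS=yes
ConfirmGc=yes
SafeModeAdminPassword=$DsrmPlain
RebootOnCompletion=no
"@ | Set-Content -Path $AnswerFile -Encoding ASCII

# Promote (dcpromo prompts for johndoe's password), remove the file, reboot.
dcpromo "/unattend:$AnswerFile"
Remove-Item $AnswerFile -Force
Restart-Computer -Force

# After the reboot: confirm that both controllers replicate and are advertised.
repadmin /replsummary
dcdiag /test:replications
nltest /dclist:abcd.example.com
```

If nltest lists only controller-1, or repadmin reports replication failures, check first that controller-2 still resolves abcd.example.com through 10.1.1.1 and that the route my-route-2 for 10.1.1.2 points at controller-2 in us-central1-f.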

Set up a third instance as a member of the domain

  1. In the VM instances page of the Cloud Platform Console, create a new Windows Server 2008 R2 instance. Create a Windows username and password for your new instance, and establish an RDP connection to your instance.

  2. In the Windows Desktop of your new instance, from the Start menu, type Network and Sharing Center and select it from the list. Open the properties for your network adapter. In the properties for Internet Protocol Version 4, set the DNS server addresses to 10.1.1.1 and 10.1.1.2.

  3. In the Windows Desktop of your new instance, on the Start menu, right click Computer, and choose Properties. Go to Advanced system settings > Computer Name. To change the computer's domain or workgroup, click Change. For the domain, enter abcd.example.com. Click OK. If you are prompted for a username and password, use johndoe. (Any account with the right to create computer objects in the domain can perform a join; Domain Admins membership is not required for this step.) When your instance has been joined to the domain, a dialog box displays "Welcome to the abcd.example.com domain."
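
The DNS configuration and domain join for the third instance from an elevated PowerShell prompt, as an added example that is not part of the original tutorial. It uses ABCD\johndoe as the tutorial does; a non-administrative account that has been granted the right to join computers works the same way. The checks before the join verify that the DC locator records resolve through the DNS servers just configured, which is the usual reason a join fails.

```powershell
# Added example (not from the original tutorial): join the member instance
# to abcd.example.com. Run as Administrator on Windows Server 2008 R2.

# DNS: both domain controllers, in order, on every IP-enabled adapter.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=TRUE" |
    ForEach-Object { [void]$_.SetDNSServerSearchOrder(@("10.1.1.1", "10.1.1.2")) }

# Pre-join checks: the DC locator SRV record must resolve and a DC must be found.
nslookup -type=SRV _ldap._tcp.dc._msdcs.abcd.example.com
nltest /dsgetdc:abcd.example.com

# Join. Get-Credential prompts for the password instead of embedding it in the script.
Add-Computer -DomainName abcd.example.com -Credential (Get-Credential "ABCD\johndoe")
Restart-Computer -Force

# After the reboot: verify the machine's secure channel to a domain controller.
nltest /sc_query:ABCD
```

A successful nltest /sc_query shows Trusted DC Name pointing at controller-1 or controller-2 and a status of Success; anything else means the computer account or DNS is wrong, and the fix belongs there rather than in the firewall.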
