Configuring Windows Server nodes to automatically join an AD domain


This page provides instructions to configure your Windows Server nodes in your Google Kubernetes Engine (GKE) cluster to automatically join an Active Directory (AD) domain.

Before you begin

Before you start, make sure you have performed the following tasks:

  • Ensure that you have enabled the Google Kubernetes Engine API.
  • Enable Google Kubernetes Engine API
  • Ensure that you have installed the Cloud SDK.
  • Set up default gcloud command-line tool settings for your project by using one of the following methods:
    • Use gcloud init, if you want to be walked through setting project defaults.
    • Use gcloud config, to individually set your project ID, zone, and region.

    gcloud init

    1. Run gcloud init and follow the directions:

      gcloud init

      If you are using SSH on a remote server, use the --console-only flag to prevent the command from launching a browser:

      gcloud init --console-only
    2. Follow the instructions to authorize the gcloud tool to use your Google Cloud account.
    3. Create a new configuration or select an existing one.
    4. Choose a Google Cloud project.
    5. Choose a default Compute Engine zone.
    6. Choose a default Compute Engine region.

    gcloud config

    1. Set your default project ID:
      gcloud config set project PROJECT_ID
    2. Set your default Compute Engine region (for example, us-central1):
      gcloud config set compute/region COMPUTE_REGION
    3. Set your default Compute Engine zone (for example, us-central1-c):
      gcloud config set compute/zone COMPUTE_ZONE
    4. Update gcloud to the latest version:
      gcloud components update

    By setting default locations, you can avoid errors in gcloud tool like the following: One of [--zone, --region] must be supplied: Please specify location.

Configure auto join for Windows Server node pools

  1. Configure AD and your Google Cloud project for automatic joining by completing the instructions in the Configuring Active Directory for VMs to automatically join a domain tutorial.

  2. Create a GKE cluster:

    gcloud container clusters create CLUSTER_NAME \
        --enable-ip-alias \
        --num-nodes=NUMBER_OF_NODES \
        --no-enable-shielded-nodes \
        --cluster-version=VERSION
    

    Replace the following:

    • CLUSTER_NAME: the name of your new cluster.
    • NUMBER_OF_NODES: the number of Linux nodes to create. You should provide sufficient compute resources to run cluster add-ons. This is an optional field and, if omitted, uses the default value of 3.
    • VERSION: the GKE cluster version, which must be 1.17.14-gke.1200 or later or 1.18.9-gke.100 or later. You can also use the --release-channel flag to enroll the cluster in a release channel.
    • --enable-ip-alias turns on alias IP. Alias IP is required for Windows Server nodes.
    • --no-enable-shielded-nodes disables Shielded GKE nodes.
  3. Set the following variables:

    export DOMAIN_PROJECT_ID=PROJECT_ID
    export SERVERLESS_REGION=REGION
    export REGISTER_URL=https://$SERVERLESS_REGION-$DOMAIN_PROJECT_ID.cloudfunctions.net/register-computer
    

    Replace the following:

  4. Create and start a Windows Server node pool by passing the specialized scriptlet that joins the node to the AD domain:

     gcloud container node-pools create NODE_POOL_NAME \
        --cluster=CLUSTER_NAME \
        --image-type=IMAGE_NAME \
        --no-enable-autoupgrade \
        --machine-type=MACHINE_TYPE_NAME \
        "--metadata=sysprep-specialize-script-ps1=iex((New-Object System.Net.WebClient).DownloadString('$REGISTER_URL'))"
    

    Replace the following:

    • NODE_POOL_NAME: the name of your Windows Server node pool.
    • CLUSTER_NAME: the name of the cluster you created.
    • IMAGE_NAME: the node image to use, which can be WINDOWS_LTSC or WINDOWS_SAC. For more information, see Choose your Windows Server node image.
    • MACHINE_TYPE_NAME: the machine type. n1-standard-2 is the minimum recommended machine type as Windows Server nodes require additional resources. Machine types f1-micro and g1-small are not supported. Each machine type is billed differently. For more information, refer to the machine type price sheet.

Your Windows Server node is now joined to your Active Directory domain.

What's next