Creating a trust with an on-premises domain

This article shows you how to create a trust relationship between on-premises domains and a Managed Microsoft AD domain. This trust can be one-way or two-way. It can also span multiple forests. If you have already set up a trust, learn how to manage trusts.

Types of trusts

A trust relationship can be one-way or two-way. A one-way trust is a unidirectional authentication path created between two domains. In this topic, the on-premises domain is the trusted or inbound side of the one-way trust and the Managed Microsoft AD domain is the trusting or outbound side of the relationship. A two-way trust is a bidirectional authentication path created between two domains. Trust and access flow in both directions.

Before you begin

Before you try to create a trust, verify that the on-premises domain is running a supported version of Windows.

Establishing network connectivity

First, establish network connectivity between your on-premises network and your Google Cloud Virtual Private Cloud (VPC), and then verify that the two networks can communicate. Learn more about identifying and establishing Cloud VPN connections.

Opening firewall ports

Next, configure the ingress/egress ports on your on-premises network and your Google Cloud VPC to allow Active Directory trust connectivity.

The following tables list the minimal set of ports required to establish trust. You may need to configure more ports, depending on your scenario. Learn more about Microsoft's Active Directory and Active Directory Domain Services Port Requirements.

Opening on-premises network firewall ports

Open the ports listed in the following table on your on-premises firewall to the CIDR IP block used by your VPC network and Managed Microsoft AD network.

Protocol    Port           Functionality
TCP, UDP    53             DNS
TCP, UDP    88             Kerberos
TCP, UDP    464            Kerberos password change
TCP         135            RPC
TCP         49152-65535    RPC
TCP, UDP    389            LDAP
TCP, UDP    445            SMB
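
The following PowerShell script is an added example (not from the Google Cloud documentation) that checks, from an on-premises domain controller, that the fixed TCP ports in the table above are reachable on the Managed Microsoft AD domain controllers; the IP addresses are constructed placeholders for the addresses obtained later under "Getting DNS IP addresses".

```powershell
# Added example: probe the fixed TCP ports from the table above against the
# Managed Microsoft AD domain controllers. The addresses below are constructed
# placeholders; replace them with the DNS IP addresses of your managed domain.
$managedAdDcs = @('10.1.0.5', '10.1.0.6')   # assumption: two Managed AD DCs

# The dynamic RPC range 49152-65535 is allocated at run time and is not
# probed port by port here; confirm it on the firewall rules themselves.
$tcpPorts = [ordered]@{
    53  = 'DNS'
    88  = 'Kerberos'
    135 = 'RPC endpoint mapper'
    389 = 'LDAP'
    445 = 'SMB'
    464 = 'Kerberos password change'
}

$results = foreach ($dc in $managedAdDcs) {
    foreach ($port in $tcpPorts.Keys) {
        # Test-NetConnection probes TCP only; the UDP variants of DNS,
        # Kerberos and LDAP must also be allowed on the firewall.
        $probe = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            DomainController = $dc
            Port             = $port
            Service          = $tcpPorts[$port]
            Reachable        = $probe.TcpTestSucceeded
        }
    }
}

$results | Format-Table -AutoSize

# Stop before attempting the trust if any required port is blocked, so a
# half-open firewall is found here rather than as a wizard error later.
$blocked = $results | Where-Object { -not $_.Reachable }
if ($blocked) {
    $list = ($blocked | ForEach-Object { "$($_.DomainController):$($_.Port)" }) -join ', '
    Write-Error "Blocked ports: $list"
}
```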

Opening VPC network firewall ports

Open the ports listed in the following table on your VPC network firewall to the CIDR IP block used by your on-premises network.

Protocol    Port           Functionality
TCP, UDP    53             DNS

Configuring DNS conditional forwarders

Next, configure the DNS conditional forwarders. A conditional forwarder tells a DNS server to send queries for a specific domain name to designated DNS servers instead of attempting to resolve them itself.

Checking for an inbound forwarding policy

Before creating a Cloud DNS inbound forwarding policy for your VPC, check whether one already exists.

  1. Open the Cloud DNS server policies page in the Cloud Console.

  2. Look for a policy in the list where the Inbound column is set to On, and the VPC network used by your domain is listed in the drop-down under the In use by column.

If you find a valid existing policy, you can skip to Getting DNS IP addresses.

Creating an inbound forwarding policy

To create an inbound forwarding policy, complete the following steps.

  1. Open the Cloud DNS server policies page in the Cloud Console.

  2. Select Create Policy.

  3. Enter a Name.

  4. Set Inbound query forwarding to On.

  5. Select the VPC network for your domain from the Networks menu.

  6. Select Create.

Getting DNS IP addresses

Next, get the DNS IP addresses for your Managed Microsoft AD domain. If you just created a new Cloud DNS policy, the IP addresses may not appear yet. If this happens, wait a few minutes and try again.

  1. Open the Cloud DNS server policies page in the Cloud Console.

  2. Select your policy from the list, then select the In use by tab.

  3. Note the IP addresses that apply to your on-premises region. You need these addresses to establish the trust on the Managed Microsoft AD domain.

Be sure the CIDR blocks containing these IP addresses are configured in your on-premises network firewall.

Creating the DNS conditional forwarder

To configure the DNS conditional forwarders on your on-premises domain, use the DNS IP addresses for your Managed Microsoft AD domain to complete the following steps.

  1. Log in to an on-premises domain controller with a Domain or Enterprise admin account for the on-premises domain.

  2. Open the DNS Manager.

  3. Expand the DNS server of the domain you want to configure the trust for.

  4. Right-click Conditional Forwarders and select New conditional forwarder.

  5. For DNS domain, enter the FQDN of the Managed Microsoft AD domain (for example, ad.example.com).

  6. In the IP addresses of the master servers field, enter the IP addresses of your Managed Microsoft AD domain that you looked up in Getting DNS IP addresses.

  7. If the Server FQDN field shows an error, you can ignore it.

  8. Select Store this conditional forwarder in Active Directory, and then select All DNS servers in this domain from the drop-down menu.

  9. Select OK.

Verifying the DNS conditional forwarder

You can verify that the forwarder is configured correctly by using nslookup or the Resolve-DnsName PowerShell cmdlet. Run the following command:

nslookup fqdn-for-managed-ad-domain

If the DNS conditional forwarder is configured correctly, this command returns the IP addresses of the domain controllers.
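
The following PowerShell script is an added example (not from the Google Cloud documentation) that creates the conditional forwarder from the preceding steps with the DnsServer module and then performs the verification described above with Resolve-DnsName; the domain name and IP addresses are constructed placeholders.

```powershell
# Added example: create and verify the conditional forwarder on an
# on-premises domain controller. Values below are constructed placeholders.
$managedAdFqdn  = 'ad.example.com'             # FQDN of the Managed Microsoft AD domain
$managedAdDnsIps = @('10.1.0.5', '10.1.0.6')   # from "Getting DNS IP addresses"

# Create the forwarder only if a zone for this name does not already exist.
if (-not (Get-DnsServerZone -Name $managedAdFqdn -ErrorAction SilentlyContinue)) {
    # -ReplicationScope Domain matches "Store this conditional forwarder in
    # Active Directory" with "All DNS servers in this domain" in DNS Manager.
    Add-DnsServerConditionalForwarderZone -Name $managedAdFqdn `
        -MasterServers $managedAdDnsIps `
        -ReplicationScope Domain
}

# Resolve-DnsName is the PowerShell equivalent of the nslookup command above;
# -DnsOnly bypasses the local cache so the forwarder itself is exercised.
# A correctly configured forwarder returns the Managed AD domain controllers.
$aRecords = Resolve-DnsName -Name $managedAdFqdn -Type A -DnsOnly -ErrorAction Stop
$aRecords | Select-Object Name, IPAddress | Format-Table -AutoSize

# The trust wizard also locates domain controllers through the DC locator
# SRV record, so confirm that it resolves through the forwarder as well.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$managedAdFqdn" -Type SRV -DnsOnly -ErrorAction Stop
$srv | Where-Object { $_.Type -eq 'SRV' } |
    Select-Object NameTarget, Port, Priority, Weight | Format-Table -AutoSize
```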

Verifying the Local Security Policy for your on-premises domain

Creating a trust requires that the Local Security Policy for your on-premises domain allows anonymous access to the netlogon, samr, and lsarpc named pipes. To verify that anonymous access is enabled, complete the following steps:

  1. Log in to an on-premises domain controller with a Domain or Enterprise admin account for the on-premises domain.

  2. Open the Local Security Policy console.

  3. In the console, go to Security Settings > Local Policies > Security Options > Network access: Named Pipes that can be accessed anonymously.

  4. Verify that anonymous access to netlogon, samr, and lsarpc is enabled.
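
The following PowerShell script is an added example (not from the Google Cloud documentation) that reads the setting behind "Network access: Named Pipes that can be accessed anonymously" on an on-premises domain controller and reports whether the three pipes the trust needs are listed; it assumes the setting is stored, as it is on Windows Server, in the NullSessionPipes value of the LanmanServer service and only reads that value.

```powershell
# Added example: confirm that netlogon, samr and lsarpc are allowed anonymous
# access. The Local Security Policy setting is stored in the NullSessionPipes
# value (REG_MULTI_SZ) of the LanmanServer service; this script only reads it.
$requiredPipes = @('netlogon', 'samr', 'lsarpc')
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# The value may be absent if it has never been configured.
$current = (Get-ItemProperty -Path $regPath -Name NullSessionPipes -ErrorAction SilentlyContinue).NullSessionPipes
if (-not $current) { $current = @() }

# Pipe names are case-insensitive; compare in lower case.
$present = @($current | ForEach-Object { $_.ToLowerInvariant() })
$missing = @($requiredPipes | Where-Object { $present -notcontains $_ })

if ($missing.Count -gt 0) {
    Write-Warning ("Anonymous access is NOT enabled for: " + ($missing -join ', ') +
        ". Enable it in Local Security Policy, or in the GPO applied to domain controllers, before creating the trust.")
} else {
    Write-Output 'netlogon, samr and lsarpc are all listed in NullSessionPipes.'
}

# Any pipe beyond the three required ones widens anonymous access; list it for review.
$extra = @($present | Where-Object { $requiredPipes -notcontains $_ })
if ($extra.Count -gt 0) {
    Write-Output ("Additional anonymous pipes configured: " + ($extra -join ', '))
}
```

On a domain controller the effective value usually comes from the Default Domain Controllers Policy, so a locally edited setting is overwritten at the next policy refresh; make the change in the applicable GPO.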

Setting up the trust

After configuring your networks, you can create a trust between your on-premises domain and your Managed Microsoft AD domain.

Configuring the on-premises domain

To establish the trust on the on-premises domain, complete the following steps.

  1. Log in to an on-premises domain controller using a Domain or Enterprise administrator account.

  2. Open Active Directory Domains and Trusts.

  3. Right-click the domain and select Properties.

  4. On the Trust tab, select New trust.

  5. Select Next on the New Trust Wizard.

  6. Enter the FQDN of the Managed Microsoft AD domain as the Trust Name.

  7. For the Trust type, select Forest trust.

  8. Set the Direction of Trust.

    • To create a one-way trust, select One-way incoming.
    • To create a two-way trust, select Two-way.
  9. For Sides of Trust, select This domain only.

  10. For Outgoing Trust Authentication Level, select Forest-wide authentication.

  11. Enter the Trust Password (Note: You need this password to configure the trust on the Managed Microsoft AD domain).

  12. Confirm the trust settings, and then select Next.

  13. The Trust Creation Complete window is displayed.

  14. Select No, do not confirm the outgoing trust, then select Next.

  15. Select No, do not confirm the incoming trust, then select Next.

  16. In the Completing the New Trust Wizard dialog, select Finish.

  17. Refresh Name Suffix Routing for the trust.

Configuring the Managed Microsoft AD domain

To establish the trust on the Managed Microsoft AD domain, complete the following steps.

Console

  1. Open the Managed Microsoft AD page in the Cloud Console.

  2. Select the domain to create a trust for, and then select Create Trust.

  3. Set Trust type to Forest.

  4. For the Target domain name, enter the FQDN of the on-premises domain.

  5. Set the Trust direction.

    • To create a one-way trust, select Outbound.
    • To create a two-way trust, select Bidirectional.
  6. Enter the trust password you created when configuring the trust on the on-premises domain.

  7. For DNS Conditional Forwarder IPs, enter the on-premises DNS IP addresses you obtained during setup.

  8. Select Create Trust Relationship.

  9. You are returned to the domain page. Your new trust should show as Creating. Wait until the state turns to Connected. It can take up to 10 minutes for setup to complete.

gcloud

To create a one-way trust, run the following gcloud tool command:

gcloud active-directory domains trusts create domain \
    --target-dns-ip-addresses=target-dns-ip-addresses \
    --target-domain-name=target-domain-name \
    --direction=OUTBOUND

To create a two-way trust, run the following gcloud tool command:

gcloud active-directory domains trusts create domain \
    --target-dns-ip-addresses=target-dns-ip-addresses \
    --target-domain-name=target-domain-name \
    --direction=BIDIRECTIONAL

Learn more about the create command.

Validating two-way trust

After configuring the Managed Microsoft AD domain for a two-way trust, you must validate the outbound trust from the on-premises domain. If you are creating a one-way trust, you can skip this step.

To verify the outbound trust, complete the following steps.

  1. Log in to an on-premises domain controller using a Domain or Enterprise administrator account.

  2. Open Active Directory Domains and Trusts.

  3. Right-click your domain, and then select Properties.

  4. On the Trust tab, select the outbound trust for the Managed Microsoft AD domain.

  5. Select Properties.

  6. On the General tab, select Validate.
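
The following PowerShell script is an added example (not from the Google Cloud documentation) that inspects the trust object and verifies its secure channel from an on-premises domain controller, as a scripted counterpart to the Validate button; the Managed Microsoft AD domain name is a constructed placeholder.

```powershell
# Added example: check the trust object and its secure channel from the
# on-premises side. The domain name is a constructed placeholder.
Import-Module ActiveDirectory
$managedAdFqdn = 'ad.example.com'   # FQDN of the Managed Microsoft AD domain

$trust = Get-ADTrust -Filter { Target -eq $managedAdFqdn } -ErrorAction Stop
if (-not $trust) { throw "No trust object found for $managedAdFqdn on this domain controller." }

# Direction is reported from the on-premises side: BiDirectional is the
# two-way trust this step validates; Inbound is the one-way trust created
# earlier, for which there is no outbound side to validate.
$trust | Select-Object Name, Target, Direction, ForestTransitive, TrustType | Format-List

if ($trust.Direction -ne 'BiDirectional') {
    Write-Warning "Trust direction is $($trust.Direction); outbound validation applies only to a two-way trust."
    return
}

# The wizard creates a forest trust, which must be forest transitive.
if (-not $trust.ForestTransitive) {
    Write-Warning 'Trust is not forest transitive; check the Trust type selected in the New Trust Wizard.'
}

# nltest verifies the secure channel from this DC to the trusted domain,
# which is the outbound check the Validate button performs.
& nltest "/sc_verify:$managedAdFqdn"
if ($LASTEXITCODE -ne 0) {
    throw "Secure channel verification to $managedAdFqdn failed (nltest exit code $LASTEXITCODE)."
}
```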

Troubleshooting

If you encounter problems while trying to create a trust, you can try our troubleshooting tips.

What's next