Common questions

This page provides answers to some common questions about Google Cloud's Managed Service for Microsoft Active Directory.

Which user account can I use to administer the Managed Microsoft AD?

When you create a new domain, Managed Microsoft AD automatically creates a delegated administrator account. You can use this user account to manage the Active Directory objects in your domain. The delegated administrator account doesn't have the Domain Administrator and Enterprise Administrator permissions, because Managed Microsoft AD is a managed service and Google reserves the right to use these permissions.

What are the capabilities of a delegated administrator account?

The delegated administrator account has the permissions to perform a specific list of administrative activities to manage the Active Directory objects. The delegated administrator account doesn't have the permissions to perform any other administrative activities. For example, a delegated administrator can't create and manage the domain-level policies, and it can't perform administrative tasks such as backing up and restoring domains and extending the schema using the standard AD tools. For more information, see Delegated administrator.

However, you can use these features through Managed Microsoft AD. Any user who has the necessary permissions to back up and restore a domain and extend the schema can initiate these tasks.

How can I manage organizational units (OUs)?

When you create a new domain, Managed Microsoft AD automatically creates the Cloud and Cloud Service Objects OUs along with other default Active Directory objects. For more information about managing these objects, see Manage Active Directory objects.

How can I manage group policy objects (GPOs)?

By default, Managed Microsoft AD creates the Cloud Service Default Computer Policy GPO along with other default Active Directory objects and links it to the Cloud OU. If you need additional GPOs, you can create custom GPOs and add them to either the Cloud OU or to any other custom OUs that you have created under the Cloud OU. For more information about managing these objects, see Manage Active Directory objects.

How are domain controllers deployed?

Managed Microsoft AD creates domain controllers as VMs in dedicated Virtual Private Cloud (VPC) networks. Managed Microsoft AD then connects the domain controller VPC networks to your other existing VPC networks using VPC Network Peering.

For more information, see Deploy an Active Directory resource forest.

What are the supported Windows and Linux versions that I can join to a domain?

For information about the supported Windows and Linux versions that you can join to a domain, see Compatible OS versions.

When I create a new Managed Microsoft AD domain, how can I select a suitable IP address range?

Managed Microsoft AD requires a minimum of a /24 private RFC 1918 CIDR range, such as 10.1.0.0/24, that isn't already a subnet on your authorized VPC network.

For more information, see Select IP address ranges.
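The three conditions above (private RFC 1918 space, at least a /24, and no overlap with a subnet already on the authorized VPC network) can be checked before the domain is created. The following is an added example, not code from Google's documentation or tooling; the list of existing subnets is a constructed sample, and check_managed_ad_range is a hypothetical helper name.

```python
import ipaddress

# The private address blocks defined by RFC 1918; the candidate range must sit inside one of them.
RFC1918_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample of subnets already present on the authorized VPC network (not real data).
EXISTING_SUBNETS = ["10.0.0.0/20", "10.1.1.0/24", "192.168.10.0/24"]


def check_managed_ad_range(candidate: str, existing_subnets=EXISTING_SUBNETS) -> list:
    """Return the reasons the candidate CIDR is unsuitable; an empty list means it passes."""
    problems = []
    try:
        # strict=True rejects a block with host bits set, such as 10.1.0.5/24.
        net = ipaddress.ip_network(candidate, strict=True)
    except ValueError as exc:
        return [f"not a valid CIDR block: {exc}"]
    if net.version != 4:
        return ["must be an IPv4 range"]
    if not any(net.subnet_of(block) for block in RFC1918_BLOCKS):
        problems.append("not inside an RFC 1918 private range")
    # A /24 is the minimum size: a longer prefix (/25, /26, ...) carries fewer addresses.
    if net.prefixlen > 24:
        problems.append(f"/{net.prefixlen} is smaller than the required minimum of /24")
    for existing in existing_subnets:
        other = ipaddress.ip_network(existing)
        if net.overlaps(other):
            problems.append(f"overlaps existing subnet {other}")
    return problems


if __name__ == "__main__":
    for cidr in ["10.1.0.0/24", "10.0.8.0/24", "10.1.0.0/25", "100.64.0.0/24"]:
        print(cidr, "->", check_managed_ad_range(cidr) or "ok")
```

In a real environment, replace the constructed subnet list with the subnets actually configured on the VPC network you will authorize for the domain.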

Where can I view the event logs for domain controllers?

You can view the event logs for domain controllers by setting up audit logging for the domain.

What should I expect during the maintenance of a domain controller? Is there any downtime during the maintenance?

Managed Microsoft AD ensures that a domain has at least two domain controllers running in each region, placed in different availability zones, so the domain remains available during patching. For more information, see Patching.

What is the timeline for applying security patches on domain controllers?

Managed Microsoft AD targets different timelines to apply different types of patches on domain controllers. For more information, see Patching schedule.

Can I restore my Active Directory data after a failure?

Managed Microsoft AD supports on-demand and automatic backups for your domain. You can use either backup type to perform an authoritative restore, which returns the domain to a previous point in time. For more information, see Back up and restore your domain.

Can I extend the Active Directory schema?

Yes, you can extend the Active Directory schema of your Managed Microsoft AD domain. For more information, see About schema extension.

Which time server do the domain controllers in Managed Microsoft AD use?

The domain controllers in Managed Microsoft AD synchronize their time with the metadata.google.internal time server. For more information, see Configure NTP on a VM.

Do I need to create a separate project for each Managed Microsoft AD domain?

No, you don't need separate Google Cloud projects. By default, you can create two independent domains in the same project. Contact support to increase the number of independent domains that you can create in the same project.