CIDR ranges for Managed Service for Microsoft Active Directory domain controllers cannot be changed after they are set. To avoid conflicts and time-consuming mistakes, you should carefully consider your current and future infrastructure needs when selecting these ranges. This topic identifies important considerations and helps you select the appropriate IP address ranges for your domains.
Using a /24 range size
Managed Microsoft AD requires a minimum of a /24 private RFC 1918 CIDR range, such as 192.168.255.0/24. Although you can select a broader private RFC 1918 CIDR range, we highly recommend using /24, because the whole range is exclusively reserved for domain controllers: no other resources will be able to use the additional IP addresses in a broader range.
Avoiding overlapping ranges
You should avoid setting ranges that might overlap with current and future infrastructure.
Asking your network specialist
Check if there is a network specialist in your organization who can help you identify or reserve safe IP ranges.
Listing IP ranges in use
To avoid conflicts with existing infrastructure, you can list which IP address ranges are currently in use, and then use one that is not in the list.
Console
To view the IP address ranges in use on your VPC network, complete the following steps:
Go to the VPC page in the Cloud console.
Select the name of your VPC network.
On the VPC network details page, in the IP address ranges column, you can see which ranges are already in use.
You should use an IP address range not shown in the list.
gcloud
To list all subnetworks in a project, run the following gcloud CLI command.
gcloud compute networks subnets list --sort-by=NETWORK
You should use an IP address range not shown in the list. The command lists only the subnets of the current project, so run it in each project that hosts a VPC network peered with your authorized network as well, because those subnets also conflict.
Learn more about the compute networks subnets list command.
Considering future needs
To avoid future conflicts, consider your infrastructure plans. If you plan to add any authorized networks, check for potential future conflicts. For instance, if you plan to configure a VPN or Interconnect from the authorized networks to your on-premises networks, you should select an IP range that is not used on any of those networks.
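The checks described under "Avoiding overlapping ranges", "Listing IP ranges in use" and "Considering future needs" come down to two tests on a candidate range: is it a valid Managed AD range (IPv4, RFC 1918, a network address, at least a /24), and does it overlap anything already in use on the authorized VPC, its peers, or the on-premises networks reached over VPN or Interconnect. The following is an added example, not Google's code or part of the original page; it uses only the Python standard library. The IN_USE inventory is constructed for illustration and stands in for the RANGE column of gcloud compute networks subnets list plus your on-premises ranges; the function names are the example's own.

```python
"""Validate a candidate Managed Microsoft AD CIDR range and check it against
an inventory of ranges already in use. Added example, not Google's code."""
import ipaddress
from typing import Dict, List, Optional

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inventory (illustrative values, not from any real project). In practice
# fill this from `gcloud compute networks subnets list` run in the authorized
# VPC's project and in every project hosting a peered VPC, plus on-prem ranges.
IN_USE: Dict[str, str] = {
    "10.0.0.0/8": "on-prem, reachable over Interconnect",
    "172.16.0.0/20": "vpc-prod subnet prod-us-central1",
    "192.168.0.0/24": "vpc-prod subnet mgmt",
    "192.168.1.0/24": "peer vpc-shared subnet tools",
    "192.168.10.0/23": "vpc-prod secondary range gke-pods",
}


def validate_range(cidr: str) -> List[str]:
    """Return the reasons a string is not usable as a Managed AD domain range.
    An empty list means it is acceptable: IPv4, inside an RFC 1918 block,
    a proper network address (no host bits set) and at least a /24.
    A range broader than /24 passes, but the extra addresses are reserved
    for domain controllers and unusable by anything else."""
    problems: List[str] = []
    try:
        net = ipaddress.ip_network(cidr)  # strict: "192.168.2.1/24" is rejected
    except ValueError as exc:
        return [f"not a valid network: {exc}"]
    if net.version != 4:
        return ["must be an IPv4 range"]
    if not any(net.subnet_of(block) for block in RFC1918):
        problems.append("not within an RFC 1918 private block")
    if net.prefixlen > 24:
        problems.append(f"/{net.prefixlen} is smaller than the /24 minimum")
    return problems


def conflicts(cidr: str, in_use: Dict[str, str] = IN_USE) -> List[str]:
    """List every in-use range the candidate overlaps. Overlap is a containment
    test, not string equality: a /24 carved out of an on-prem /8 is still a conflict."""
    net = ipaddress.ip_network(cidr)
    hits: List[str] = []
    for used, owner in in_use.items():
        used_net = ipaddress.ip_network(used)
        if used_net.version == net.version and used_net.overlaps(net):
            hits.append(f"{used} ({owner})")
    return hits


def find_free_slash24(search_space: str = "192.168.0.0/16",
                      in_use: Dict[str, str] = IN_USE) -> Optional[str]:
    """Return the first /24 inside search_space that is valid and conflicts with
    nothing, or None if the whole space is taken."""
    for candidate in ipaddress.ip_network(search_space).subnets(new_prefix=24):
        cidr = str(candidate)
        if not validate_range(cidr) and not conflicts(cidr, in_use):
            return cidr
    return None


if __name__ == "__main__":
    for cand in ("10.20.30.0/24", "192.168.2.1/24", "192.168.2.0/25", "192.168.2.0/24"):
        print(cand, validate_range(cand) or conflicts(cand) or "OK")
    print("first free /24 in 192.168.0.0/16:", find_free_slash24())
```

The overlap test is the part people get wrong by eye: 10.20.30.0/24 appears nowhere in the subnet list, yet it collides with the on-premises 10.0.0.0/8 that a VPN or Interconnect would advertise, which is exactly the future conflict the section above warns about. Since the range cannot be changed after the domain is created, run this kind of check against the full inventory before you commit to one.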
Separating test and production
To prevent development and testing work from impacting production workloads or hampering the security of your deployment, consider deploying separate domains for each.
For a simple isolated test domain, any private CIDR /24 range that isn't already a subnet on your authorized network VPC or one of its peers is sufficient.