Deploy Managed Microsoft AD with cross-project access using domain peering
Stay organized with collections
Save and categorize content based on your preferences.
This topic shows you how to configure domain peering between Managed Service for Microsoft Active Directory (Managed Microsoft AD) and Shared VPC. This allows you to make Managed Microsoft AD available to service projects attached to Shared VPC.
Overview
Domain peering in Managed Microsoft AD creates a domain peering resource in each domain resource and VPC resource projects. Managed Microsoft AD domain can be made available to all the projects attached to the Shared VPC by creating a domain peering between Managed Microsoft AD and Shared VPC. For example, you can authenticate and login to SQL Server using Managed Microsoft AD domain, where SQL Server and Managed Microsoft AD are in different service projects that are attached to the Shared VPC.
Before you begin
Before you begin, do the following:
In the Google Cloud console, on the project selector page, select or create three Google Cloud projects. They are called host and service projects. The host project is where the Shared VPC is enabled. Managed Microsoft AD domain and Cloud SQL instances must reside in different service projects. The VMs could reside in one of the service projects.
Enable Shared VPC on the host project. For more information, see Enable a host project.
Attach the service project(s) to the Shared VPC network. Each of the projects need to have Compute Engine API enabled. For the purpose of this example, we recommend creating separate subnets in the Shared VPC. While attaching the project, choose the appropriate subnet for each of the project(s). For more information, see Attach service projects.
Create a Managed Microsoft AD domain in the service project. The VPC network authorized while creating the Managed Microsoft AD domain is independent of the Shared VPC networks. To create a Managed Microsoft AD domain without an authorized network, use the gcloud CLI command.
Configure domain peering
Create domain peering from the service project having the domain resource to the Shared VPC network. For more information about domain peering, see Configure domain peering.
PEERING-RESOURCE-NAME: A name for your domain peering resource (such as my-domain-peering).
DOMAIN-RESOURCE-NAME: The full resource name of your
Managed Microsoft AD domain, in the form of:
projects/PROJECT-ID/locations/global/domains/DOMAIN-NAME.
SHARED-VPC-NAME: The full resource name of your
Shared VPC network, in the form of:
projects/PROJECT-ID/global/networks/NETWORK-NAME.
List the domain peerings to verify the state. Run the following gcloud CLI command:
gcloud active-directory peerings list --project=PROJECT_ID
Replace PROJECT_ID with the project ID of the service project that is used to create your domain peering resource.
It returns the state as DISCONNECTED.
Create the reverse domain peering from the host project.
PEERING-RESOURCE-NAME: A name for your domain peering resource (such as my-domain-peering).
DOMAIN-RESOURCE-NAME: The full resource name of your
Managed Microsoft AD domain, in the form of:
projects/PROJECT-ID/locations/global/domains/DOMAIN-NAME.
SHARED-VPC-NAME: The full resource name of your
Shared VPC network, in the form of:
projects/PROJECT-ID/global/networks/NETWORK-NAME.
VPC-RESOURCE-PROJECT-ID: The project ID of the host project that is hosting the Shared VPC.
List the domain peerings again to verify the state. Run the following gcloud CLI command:
gcloud active-directory peerings list --project=PROJECT_ID
Replace PROJECT_ID with the project ID of the service project that is used to create your domain peering resource.
It returns the state as CONNECTED from both the host and service projects.
Configure the Cloud SQL (SQL Server) instance
Create the Cloud SQL (SQL Server) instance in the service project with Private IP enabled and select the network of the Shared VPC. For more information, see Create an instance with Windows Authentication.
After the domain peering is complete, modify the Cloud SQL (SQL Server) configuration to use your Managed Microsoft AD domain for authentication. Run the following gcloud CLI command:
INSTANCE-NAME: The name of your Cloud SQL instance in the service project.
DOMAIN-RESOURCE-NAME: The full resource name of your
Managed Microsoft AD domain that you want to use for authentication. Full resource name format:
projects/PROJECT-ID/locations/global/domains/DOMAIN-NAME.
The SQL Server is now configured with Windows authentication enabled.
Test the setup
Create a Windows or Linux VM in the service project. While creating the VM, select the Shared VPC and the subnet which is shared in the Shared VPC with this service project.
Join the VM to a domain. For more information about joining a Windows VM to a domain, see Join a Windows VM to a domain.
You have domain peered a Managed Microsoft AD domain with the Shared VPC host and created SQL Server on the Shared VPC. With this domain peering, cross-project Windows authentication is enabled for SQL Server.
While in the above scenario Managed Microsoft AD and SQL Server are in different service projects, configuring them in the same service project is also supported.
Alternatively, you can also have the Managed Microsoft AD domain in the host project. In this case, Shared VPC needs to be added as an authorized network to the Managed Microsoft AD domain. For more information, see Adding authorized networks to an existing domain.
In all these scenarios through peering with Shared VPC, the domain is available to the service project(s) attached to the Shared VPC.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["# Deploy Managed Microsoft AD with cross-project access using domain peering\n\nThis topic shows you how to configure domain peering between Managed Service for Microsoft Active Directory (Managed Microsoft AD) and Shared VPC. This allows you to make Managed Microsoft AD available to service projects attached to Shared VPC.\n\nOverview\n--------\n\n[Domain peering](/managed-microsoft-ad/docs/domain-peering) in Managed Microsoft AD creates a domain peering resource in each domain resource and VPC resource projects. Managed Microsoft AD domain can be made available to all the projects attached to the Shared VPC by creating a domain peering between Managed Microsoft AD and Shared VPC. For example, you can authenticate and login to SQL Server using Managed Microsoft AD domain, where SQL Server and Managed Microsoft AD are in different service projects that are attached to the Shared VPC.\n\nBefore you begin\n----------------\n\nBefore you begin, do the following:\n\n1. In the Google Cloud console, on the project selector page, select or create three Google Cloud projects. They are called host and service projects. The host project is where the Shared VPC is enabled. Managed Microsoft AD domain and Cloud SQL instances must reside in different service projects. The VMs could reside in one of the service projects.\n\n [Go to project selector](https://console.cloud.google.com/projectselector2/home/dashboard)\n2. Enable billing for your Cloud project(s). For more information, see [Check if billing is enabled on a project](/billing/docs/how-to/modify-project#confirm_billing_is_enabled_on_a_project).\n\n3. Enable Shared VPC on the host project. For more information, see [Enable a host project](/vpc/docs/provisioning-shared-vpc#enable-shared-vpc-host).\n\n4. Attach the service project(s) to the Shared VPC network. Each of the projects need to have Compute Engine API enabled. For the purpose of this example, we recommend creating separate subnets in the Shared VPC. While attaching the project, choose the appropriate subnet for each of the project(s). For more information, see [Attach service projects](/vpc/docs/provisioning-shared-vpc#create-shared).\n\n5. [Create a Managed Microsoft AD domain](/managed-microsoft-ad/docs/create-domain) in the service project. The VPC network authorized while creating the Managed Microsoft AD domain is independent of the Shared VPC networks. To create a Managed Microsoft AD domain without an authorized network, use the gcloud CLI command.\n\nConfigure domain peering\n------------------------\n\n1. Create domain peering from the service project having the domain resource to the Shared VPC network. For more information about domain peering, see [Configure domain peering](/managed-microsoft-ad/docs/quickstart-domain-peering#configure_domain_peering).\n\n ```\n gcloud active-directory peerings create PEERING-RESOURCE-NAME \\\n --domain=DOMAIN-RESOURCE-NAME \\\n --authorized-network=SHARED-VPC-NAME\n ```\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003ePEERING-RESOURCE-NAME\u003c/var\u003e: A name for your domain peering resource (such as `my-domain-peering`).\n - \u003cvar translate=\"no\"\u003eDOMAIN-RESOURCE-NAME\u003c/var\u003e: The [full resource name](/iam/docs/full-resource-names) of your Managed Microsoft AD domain, in the form of: `projects/`\u003cvar translate=\"no\"\u003ePROJECT-ID\u003c/var\u003e`/locations/global/domains/`\u003cvar translate=\"no\"\u003eDOMAIN-NAME\u003c/var\u003e.\n - \u003cvar translate=\"no\"\u003eSHARED-VPC-NAME\u003c/var\u003e: The [full resource name](/iam/docs/full-resource-names) of your Shared VPC network, in the form of: `projects/`\u003cvar translate=\"no\"\u003ePROJECT-ID\u003c/var\u003e`/global/networks/`\u003cvar translate=\"no\"\u003eNETWORK-NAME\u003c/var\u003e.\n2. List the domain peerings to verify the state. Run the following gcloud CLI command:\n\n ```\n gcloud active-directory peerings list --project=PROJECT_ID\n ```\n\n Replace \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e with the project ID of the service project that is used to create your domain peering resource.\n\n It returns the state as `DISCONNECTED`.\n3. Create the reverse domain peering from the host project.\n\n ```\n gcloud active-directory peerings create PEERING-RESOURCE-NAME \\\n --domain=DOMAIN-RESOURCE-NAME \\\n --authorized-network=SHARED-VPC-NAME \\\n --project=VPC-RESOURCE-PROJECT-ID\n ```\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003ePEERING-RESOURCE-NAME\u003c/var\u003e: A name for your domain peering resource (such as `my-domain-peering`).\n - \u003cvar translate=\"no\"\u003eDOMAIN-RESOURCE-NAME\u003c/var\u003e: The [full resource name](/iam/docs/full-resource-names) of your Managed Microsoft AD domain, in the form of: `projects/`\u003cvar translate=\"no\"\u003ePROJECT-ID\u003c/var\u003e`/locations/global/domains/`\u003cvar translate=\"no\"\u003eDOMAIN-NAME\u003c/var\u003e.\n - \u003cvar translate=\"no\"\u003eSHARED-VPC-NAME\u003c/var\u003e: The [full resource name](/iam/docs/full-resource-names) of your Shared VPC network, in the form of: `projects/`\u003cvar translate=\"no\"\u003ePROJECT-ID\u003c/var\u003e`/global/networks/`\u003cvar translate=\"no\"\u003eNETWORK-NAME\u003c/var\u003e.\n - \u003cvar translate=\"no\"\u003eVPC-RESOURCE-PROJECT-ID\u003c/var\u003e: The project ID of the host project that is hosting the Shared VPC.\n4. List the domain peerings again to verify the state. Run the following gcloud CLI command:\n\n ```\n gcloud active-directory peerings list --project=PROJECT_ID\n ```\n\n Replace \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e with the project ID of the service project that is used to create your domain peering resource.\n\n It returns the state as `CONNECTED` from both the host and service projects.\n\nConfigure the Cloud SQL (SQL Server) instance\n---------------------------------------------\n\n1. Create the Cloud SQL (SQL Server) instance in the service project with Private IP enabled and select the network of the Shared VPC. For more information, see [Create an instance with Windows Authentication](/sql/docs/sqlserver/configure-ad#creating-an-instance-with-windows-authentication).\n\n2. After the domain peering is complete, modify the Cloud SQL (SQL Server) configuration to use your Managed Microsoft AD domain for authentication. Run the following gcloud CLI command:\n\n ```\n gcloud beta sql instances patch INSTANCE-NAME \\\n --active-directory-domain=DOMAIN-RESOURCE-NAME\n ```\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eINSTANCE-NAME\u003c/var\u003e: The name of your Cloud SQL instance in the service project.\n - \u003cvar translate=\"no\"\u003eDOMAIN-RESOURCE-NAME\u003c/var\u003e: The [full resource name](/iam/docs/full-resource-names) of your Managed Microsoft AD domain that you want to use for authentication. Full resource name format: `projects/`\u003cvar translate=\"no\"\u003ePROJECT-ID\u003c/var\u003e`/locations/global/domains/`\u003cvar translate=\"no\"\u003eDOMAIN-NAME\u003c/var\u003e.\n\n For more information, see [Enable cross-project Windows authentication](/sql/docs/sqlserver/configure-ad#enable-cross-project-auth).\n\nThe SQL Server is now configured with Windows authentication enabled.\n\nTest the setup\n--------------\n\n1. Create a Windows or Linux VM in the service project. While creating the VM, select the Shared VPC and the subnet which is shared in the Shared VPC with this service project.\n2. Join the VM to a domain. For more information about joining a Windows VM to a domain, see [Join a Windows VM to a domain](/managed-microsoft-ad/docs/quickstart-domain-join-windows).\n3. Create a SQL Server login based on a Windows user or group. For more information, see [Connect to an instance with a user](/sql/docs/sqlserver/configure-ad#connecting-to-an-instance-with-a-user).\n4. Connect using the SQL Server's instance DNS name. For more information, see Step 2 in [Connect to an instance with a user](/sql/docs/sqlserver/configure-ad#connecting-to-an-instance-with-a-user).\n\nSummary\n-------\n\nYou have domain peered a Managed Microsoft AD domain with the Shared VPC host and created SQL Server on the Shared VPC. With this domain peering, cross-project Windows authentication is enabled for SQL Server.\n\nWhile in the above scenario Managed Microsoft AD and SQL Server are in different service projects, configuring them in the same service project is also supported.\n\nAlternatively, you can also have the Managed Microsoft AD domain in the host project. In this case, Shared VPC needs to be added as an authorized network to the Managed Microsoft AD domain. For more information, see [Adding authorized networks to an existing domain](/managed-microsoft-ad/docs/managing-authorized-networks#adding_authorized_networks_to_an_existing_domain).\n\nIn all these scenarios through peering with Shared VPC, the domain is available to the service project(s) attached to the Shared VPC."]]
