Deploying a Fault-Tolerant Microsoft Active Directory Environment

This tutorial is part of a series aimed at helping you deploy a highly available Windows architecture on Google Cloud Platform (GCP) with Microsoft Active Directory (AD), SQL Server, and Internet Information Services (IIS). In this tutorial, you set up a redundant pair of Windows Domain Controllers (DC) with AD using a new Virtual Private Cloud (VPC) network and multiple subnets.

You can also use this tutorial to learn to set up an AD configuration for use in other architectures. This guide does not cover replicating a remote AD environment to the new GCP-based AD environment, although this is possible with Cloud VPN and additional AD configuration.

Architecture

Fault-tolerant Active Directory architecture on GCP

Objectives

  • Create a custom mode VPC network with two subnets spanning two zones.
  • Create Windows Server virtual instances and enable AD Domain Services.
  • Configure a new domain with Active Directory.
  • Join the new Windows Server instances to the new domain.
  • Configure firewall rules to allow traffic to the virtual machines.
  • Test the configuration.

Costs

This tutorial uses billable components of Cloud Platform, including:

The Pricing Calculator estimates the cost of this environment at around $4 per day.

Before you begin

  1. Select or create a Cloud Platform project.

  2. Enable billing for your project.

  3. Enable the Compute Engine API.

Initializing common variables

You must define several variables that control where elements of the infrastructure are deployed.

  1. Using a text editor, edit the following script, substituting your project ID for [YOUR_PROJECT_ID]. The script sets the region to us-east1. If you change the region, make sure that the zone values reference the region you specify.

    region=us-east1
    zone_1=${region}-b
    zone_2=${region}-c
    vpc_name=webappnet
    project_id=[YOUR_PROJECT_ID]
    

  2. Go to Cloud Shell.

  3. Copy the script into your Cloud Shell window and run it.

  4. Run the following commands to set the default region and project ID so you don't have to specify these values in every subsequent command:

    gcloud config set compute/region ${region}
    gcloud config set project ${project_id}
    

Creating the network infrastructure

After you've defined the infrastructure variables, it's time to create the network and subnets that AD will use.

  1. In Cloud Shell, run the following command to create the VPC network:

    gcloud compute networks create ${vpc_name}  \
        --description "VPC network to deploy Active Directory" \
        --subnet-mode custom
    

    You'll receive the following warning, which you can ignore, because you'll create these firewall rules in later steps.

    Instances on this network will not be reachable until firewall rules
    are created.
    

  2. Add two subnets to the VPC network:

    gcloud compute networks subnets create private-ad-zone-2 \
        --network ${vpc_name} \
        --range 10.1.0.0/24

    gcloud compute networks subnets create private-ad-zone-1 \
        --network ${vpc_name} \
        --range 10.2.0.0/24

  3. Create an internal firewall rule to allow traffic between subnets:

    gcloud compute firewall-rules create allow-internal-ports-private-ad \
        --network ${vpc_name} \
        --allow tcp:1-65535,udp:1-65535,icmp \
        --source-ranges  10.1.0.0/24,10.2.0.0/24
    

  4. Create a firewall rule to allow an RDP connection on port 3389 from any location:

    gcloud compute firewall-rules create allow-rdp \
        --network ${vpc_name} \
        --allow tcp:3389 \
        --source-ranges 0.0.0.0/0
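
The allow-rdp rule above admits TCP 3389 from any source address, which exposes the domain controllers' RDP service to the whole Internet. The following is an added example, not part of the original tutorial, showing how to scope the same access by source range and by instance tag instead. It assumes the Cloud SDK (gcloud) is installed and authenticated in a PowerShell session; the rule names allow-rdp-admin and allow-rdp-iap, the ad-dc network tag and the [YOUR_ADMIN_IP] placeholder are chosen for this example (the tutorial's instance create commands set no tags). 35.235.240.0/20 is Google's published source range for IAP TCP forwarding.

```powershell
# Added example (not part of the original tutorial): replace the world-open RDP
# rule with one limited to a known admin range and to the domain controllers.
# Assumes gcloud is installed and authenticated; rule names, the ad-dc tag and
# the admin CIDR below are placeholders chosen for this example.
$VpcName   = "webappnet"
$AdminCidr = "[YOUR_ADMIN_IP]/32"   # placeholder: the address range you administer from
$IapRange  = "35.235.240.0/20"      # Google's published source range for IAP TCP forwarding

# Tag both domain controllers so the RDP rule applies only to them and not to
# every VM in the VPC (run once ad-dc1 and ad-dc2 exist).
gcloud compute instances add-tags ad-dc1 --zone us-east1-c --tags ad-dc
gcloud compute instances add-tags ad-dc2 --zone us-east1-b --tags ad-dc

# Remove the 0.0.0.0/0 rule and recreate RDP access scoped by source and target.
gcloud compute firewall-rules delete allow-rdp --quiet
gcloud compute firewall-rules create allow-rdp-admin `
    --network $VpcName `
    --allow tcp:3389 `
    --source-ranges $AdminCidr `
    --target-tags ad-dc

# Alternative that needs no public admin address: allow RDP only from IAP and
# reach the DC through a tunnel, for example:
#   gcloud compute start-iap-tunnel ad-dc1 3389 --zone us-east1-c --local-host-port=localhost:3389
gcloud compute firewall-rules create allow-rdp-iap `
    --network $VpcName `
    --allow tcp:3389 `
    --source-ranges $IapRange `
    --target-tags ad-dc

# Review what each rule in the VPC permits, from where, and to which instances.
gcloud compute firewall-rules list --filter="network~$VpcName$" `
    --format="table(name,network.basename(),sourceRanges.list(),targetTags.list())"
```

The same gcloud commands work unchanged in Cloud Shell; only the backtick line continuation becomes a backslash. The internal rule allow-internal-ports-private-ad is unaffected, so replication between the two subnets continues to work.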
    

Creating the first domain controller

Next you'll create a domain controller that has the following properties:

  • Name: ad-dc1
  • IP Address: 10.1.0.100

  1. Create a Google Compute Engine instance of Windows Server 2016 to use as the first domain controller:

    gcloud compute instances create ad-dc1 --machine-type n1-standard-2 \
        --boot-disk-type pd-ssd \
        --boot-disk-size 50GB \
        --image-family windows-2016 --image-project windows-cloud \
        --network ${vpc_name} \
        --zone ${zone_2} --subnet private-ad-zone-2 \
        --private-network-ip=10.1.0.100
    

  2. Wait approximately one minute, and then create a password for the Windows instance ad-dc1:

    gcloud compute reset-windows-password ad-dc1 --zone ${zone_2} --quiet
    

    The username is your Google account username. Note the username and password for future use.

  3. Use RDP to connect to the domain controller instance with the credentials you created in the previous step.

  4. Open a PowerShell terminal as Administrator. (Click Start, type PowerShell, and then press Shift-Ctrl-Enter.)

  5. Set the Windows credentials for the Administrator account:

    net user Administrator *
    

    You're prompted to create a password. Use a strong password, and store the password in a safe location for future use.

    The Administrator account will become a domain admin account after you've created the AD forest with it.

  6. Enable the account:

    net user Administrator /active:yes
    

  7. Install Active Directory Domain Services, including Management Tools:

    Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
    

  8. Set the following variables:

    $DomainName = "example-gcp.com"
    $DomainMode = "7"
    $ForestMode = "7"
    $DatabasePath = "C:\Windows\NTDS"
    $SysvolPath = "C:\Windows\SYSVOL"
    $LogPath = "C:\Logs"
    

  9. Install the new Active Directory forest configuration in Windows Server 2016 mode:

    Install-ADDSForest -CreateDnsDelegation:$false `
        -DatabasePath $DatabasePath `
        -LogPath $LogPath `
        -SysvolPath $SysvolPath `
        -DomainName $DomainName `
        -DomainMode $DomainMode `
        -ForestMode $ForestMode `
        -InstallDNS:$true `
        -NoRebootOnCompletion:$true `
        -Force:$true
    

  10. When you're prompted, enter a Safe Mode Administrator password. Store the password in a safe location for future use.

  11. Dismiss the following warnings. Each warning will appear two times, once during prerequisites verification and a second time during the installation process.

    WARNING: Windows Server 2016 domain controllers have a default for the
    security setting named Allow cryptography algorithms compatible with
    Windows NT 4.0 that prevents weaker cryptography algorithms when
    establishing security channel sessions.

    For more information about this setting, see Knowledge Base article 942564 (http://go.microsoft.com/fwlink/?LinkId=104751).

    WARNING: This computer has at least one physical network adapter that does
    not have static IP address(es) assigned to its IP Properties. If both IPv4
    and IPv6 are enabled for a network adapter, both IPv4 and IPv6 static IP
    addresses should be assigned to both IPv4 and IPv6 Properties of the
    physical network adapter. Such static IP address(es) assignment should be
    done to all the physical network adapters for reliable Domain Name
    System (DNS) operation.
    

    WARNING: A delegation for this DNS server cannot be created because the
    authoritative parent zone cannot be found or it does not run Windows DNS
    server. If you are integrating with an existing DNS infrastructure, you
    should manually create a delegation to this DNS server in the parent zone
    to ensure reliable name resolution from outside the domain "example-gcp.com".
    Otherwise, no action is required.
    

  12. Restart the virtual machine:

    Restart-Computer
    

  13. Use RDP to connect to domain controller ad-dc1 with the Administrator credentials you defined during the AD forest installation. Remember to add the domain name as a prefix, as in EXAMPLE-GCP\Administrator.

  14. Open a PowerShell terminal as Administrator.

  15. Set the following variables:

    $DNS1 = "10.2.0.100"
    $DNS2 = "127.0.0.1"
    $LocalStaticIp = "10.1.0.100"
    $DefaultGateway = "10.1.0.1"
    

  16. Set the IP address and default gateway:

    netsh interface ip set address name=Ethernet static `
        $LocalStaticIp 255.255.255.0 $DefaultGateway 1
    

  17. Configure the primary DNS server:

    netsh interface ip set dns Ethernet static $DNS1
    

    DNS server ad-dc2 will be available only after the second domain controller is deployed, so you can ignore the following error message:

    The configured DNS server is incorrect or does not exist.

  18. Configure the secondary DNS server:

    netsh interface ip add dns Ethernet $DNS2 index=2
    

    The DNS server entry for this domain controller, ad-dc1, should be second in the list in order to prevent AD from frequently losing connection with the other controller. Use the second domain controller, ad-dc2, as the primary DNS server. You'll create the ad-dc2 domain controller in the next section. If you don't follow this pattern, the following errors appear under Server Manager > Active Directory Domain Services:

    The DFS Replication service failed to update configuration in Active
    Directory Domain Services. The service will retry this operation
    periodically.
    

    You might see errors on the ad-dc1 server before both servers are fully configured. You can ignore these errors.
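Because the DNS ordering pattern above is easy to get backwards on one of the two controllers, the following added example (not part of the original tutorial) checks that a domain controller's DNS client list is partner DC first and loopback second, optionally rewrites it, and confirms that the domain's SRV records resolve. It assumes the tutorial's addresses and interface name; the function names Test-DcDnsOrder and Test-DcSrvRecords are chosen for this example.

```powershell
# Added example (not part of the original tutorial). Verifies the DNS client
# order the tutorial describes (partner DC first, 127.0.0.1 second) and, with
# -Repair, sets it. Function names are chosen for this example.
function Test-DcDnsOrder {
    param(
        [Parameter(Mandatory)] [string] $PeerDc,   # the other DC, e.g. 10.2.0.100 on ad-dc1
        [string] $InterfaceAlias = "Ethernet",
        [switch] $Repair                           # rewrite the list if it is out of order
    )
    $expected   = @($PeerDc, "127.0.0.1")
    $configured = @((Get-DnsClientServerAddress -InterfaceAlias $InterfaceAlias `
                     -AddressFamily IPv4).ServerAddresses)
    # Order matters here, so compare the joined lists rather than the sets.
    $inOrder = (($configured -join ",") -eq ($expected -join ","))

    if (-not $inOrder -and $Repair) {
        # Equivalent to the tutorial's two netsh commands, done in one call.
        Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $expected
        $configured = $expected
        $inOrder = $true
    }

    [pscustomobject]@{
        Interface  = $InterfaceAlias
        Configured = ($configured -join ", ")
        Expected   = ($expected -join ", ")
        InOrder    = $inOrder
    }
}

function Test-DcSrvRecords {
    param([string] $DomainName = "example-gcp.com")
    # Each DC registers itself under this name once its DNS and AD DS services
    # run; both ad-dc1 and ad-dc2 should be listed after the second promotion.
    try {
        Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop |
            Where-Object { $_.Type -eq "SRV" } |
            Select-Object Name, NameTarget, Port, Priority
    } catch {
        Write-Warning "SRV lookup for $DomainName failed: $($_.Exception.Message)"
    }
}

# On ad-dc1 the partner is ad-dc2 (10.2.0.100); on ad-dc2 use -PeerDc 10.1.0.100.
Test-DcDnsOrder -PeerDc "10.2.0.100" -Repair
Test-DcSrvRecords
```

Run it on each controller after both have been promoted and rebooted. An InOrder value of False before repair, or an SRV list that names only one controller, points at the DFS Replication and connectivity errors described above.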

Creating the second domain controller

Next you'll create a second domain controller in a different zone to provide fault tolerance. The second domain controller has the following properties:

  • Name: ad-dc2
  • IP Address: 10.2.0.100

  1. If your Cloud Shell window has expired, open a new Cloud Shell instance and reset the variables you set earlier. To do that, edit the following script to specify the project ID and region you used earlier.

    region=us-east1
    zone_2=${region}-c
    zone_1=${region}-b
    vpc_name=webappnet
    project_id=[YOUR_PROJECT_ID]
    gcloud config set compute/region ${region}
    gcloud config set project ${project_id}
    

  2. Copy the script into your Cloud Shell window and run it.

  3. Use Cloud Shell to create the second domain controller instance:

    gcloud compute instances create ad-dc2 --machine-type n1-standard-2 \
        --boot-disk-size 50GB \
        --boot-disk-type pd-ssd \
        --image-family windows-2016 --image-project windows-cloud \
        --can-ip-forward \
        --network ${vpc_name} \
        --zone ${zone_1} \
        --subnet private-ad-zone-1 \
        --private-network-ip=10.2.0.100
    

  4. Wait approximately one minute, and then create a password for the Windows instance ad-dc2:

    gcloud compute reset-windows-password ad-dc2 --zone ${zone_1} --quiet
    

    The username is your Google account username. Note the username and password for future use.

  5. Use RDP to connect to the domain controller instance with the credentials you created in the previous step.

  6. Open a PowerShell terminal as Administrator.

  7. Install Active Directory Domain Services, including Management Tools:

    Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
    

  8. Set the following variables:

    $DomainName = "example-gcp.com"
    $DNS1 = "10.1.0.100"
    $DNS2 = "127.0.0.1"
    $LocalStaticIp = "10.2.0.100"
    $DefaultGateway = "10.2.0.1"
    $DatabasePath = "C:\Windows\NTDS"
    $SysvolPath = "C:\Windows\SYSVOL"
    $LogPath = "C:\Logs"
    

  9. Configure the primary DNS server:

    netsh interface ip set dns Ethernet static $DNS1
    

  10. Configure the second server so that it acts as its own secondary DNS server:

    netsh interface ip add dns Ethernet $DNS2 index=2
    

    The ad-dc2 DNS server will be available only after ad-dc2 is joined to the domain as a domain controller. Because the server hasn't been joined yet, you see the following message, but you can ignore it:

    The configured DNS server is incorrect or does not exist.

  11. Set the IP address and default gateway:

    netsh interface ip set address name=Ethernet static `
        $LocalStaticIp 255.255.255.0 $DefaultGateway 1
    

  12. Run the following PowerShell script, which will let you know when the first domain controller becomes operational. Wait until you see the Domain controller is reachable message.

    $DomainIsReady=$False
    For ($i=0; $i -le 30; $i++) {
        nltest /dsgetdc:example-gcp.com
        if($LASTEXITCODE -ne 0) {
            Write-Host "Domain not ready, wait 1 more minute, then retry"
            Start-Sleep -s 60
        }
        else {
            $DomainIsReady=$True
            Write-Host "Domain controller is reachable"
            break
        }
    }
    if($DomainIsReady -eq $False) {
        Write-Host "Domain not ready. Check if it was deployed ok"
    }
    

  13. Add the virtual machine to the forest as a second domain controller:

    Install-ADDSDomainController `
        -Credential (Get-Credential "EXAMPLE-GCP\Administrator") `
        -CreateDnsDelegation:$false `
        -DatabasePath $DatabasePath `
        -DomainName $DomainName `
        -InstallDns:$true `
        -LogPath $LogPath `
        -SysvolPath $SysvolPath `
        -NoGlobalCatalog:$false `
        -SiteName 'Default-First-Site-Name' `
        -NoRebootOnCompletion:$true `
        -Force:$true
    

  14. When you're prompted to provide a password for the Administrator account, use the Administrator credentials you defined during AD forest installation. Add the domain name as a prefix, as in EXAMPLE-GCP\Administrator.

  15. When you're prompted to enter a Safe Mode Administrator password, use the same password you used for the first domain controller.

  16. Ignore the following warnings. Each warning appears twice: once during prerequisites verification, and a second time during the installation process.

    WARNING: Windows Server 2016 domain controllers have a default for the
    security setting named "Allow cryptography algorithms compatible with
    Windows NT 4.0" that prevents weaker cryptography algorithms when
    establishing security channel sessions.

    For more information about this setting, see Knowledge Base article 942564 (http://go.microsoft.com/fwlink/?LinkId=104751).

    WARNING: A delegation for this DNS server cannot be created because the
    authoritative parent zone cannot be found or it does not run Windows DNS
    server. If you are integrating with an existing DNS infrastructure, you
    should manually create a delegation to this DNS server in the parent zone
    to ensure reliable name resolution from outside the domain
    "example-gcp.com". Otherwise, no action is required.
    

  17. Restart the virtual machine:

    Restart-Computer
    

Testing the installation

  1. Wait 5-10 minutes to make sure that both domain controllers are operational and are replicating information.

  2. Using RDP, connect to the first domain controller instance using the Administrator credentials you defined during the first domain controller installation. Add the domain name as a prefix, as in EXAMPLE-GCP\Administrator.

  3. Open a PowerShell terminal as Administrator.

  4. Test that replication is working:

    repadmin /replsum
    

    The output should resemble the following, with no errors or failures.

    Result of testing replication, showing zero failures

    If the domain controller is not available, you receive a message that resembles the following:

    Beginning data collection for replication summary, this may take awhile:

    .... Source DSA largest delta fails/total %% error

    Destination DSA largest delta fails/total %% error

    If you receive this message, wait a couple of minutes and then retry the command.
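As an added example that is not part of the original tutorial, the following script expresses the same replication check as objects instead of repadmin's text output, and returns Healthy = False when any partner link has failed or a controller is missing. It assumes the tutorial's domain name and the ActiveDirectory PowerShell module (installed with the management tools); the function name Get-DomainReplicationHealth is chosen for this example.

```powershell
# Added example (not part of the original tutorial). Summarises replication
# health with the ActiveDirectory module cmdlets; the function name is chosen
# for this example.
Import-Module ActiveDirectory

function Get-DomainReplicationHealth {
    param([string] $DomainName = "example-gcp.com")

    $dcs      = @(Get-ADDomainController -Filter * -Server $DomainName)
    $links    = @(Get-ADReplicationPartnerMetadata -Target $DomainName -Scope Domain)
    $failures = @(Get-ADReplicationFailure -Target $DomainName -Scope Domain)

    $linkReport = foreach ($l in $links) {
        # Partner is the partner's NTDS Settings DN; extract the DC name from it.
        $partner = if ($l.Partner -match 'CN=NTDS Settings,CN=([^,]+)') { $Matches[1] } else { $l.Partner }
        [pscustomobject]@{
            Server              = $l.Server
            Partner             = $partner
            Partition           = $l.Partition
            LastSuccess         = $l.LastReplicationSuccess
            LastResult          = $l.LastReplicationResult        # 0 means the last attempt succeeded
            ConsecutiveFailures = $l.ConsecutiveReplicationFailures
        }
    }

    $failedLinks = @($linkReport | Where-Object { $_.ConsecutiveFailures -gt 0 -or $_.LastResult -ne 0 })

    [pscustomobject]@{
        DomainControllers = @($dcs | ForEach-Object { "$($_.HostName) ($($_.IPv4Address), $($_.Site))" })
        Links             = $linkReport
        FailedLinks       = $failedLinks
        ReportedFailures  = @($failures | Select-Object Server, Partner, FailureCount, FirstFailureTime, LastError)
        # Two controllers expected in this tutorial; no failed links and no recorded failures.
        Healthy           = ($dcs.Count -ge 2) -and ($failedLinks.Count -eq 0) -and ($failures.Count -eq 0)
    }
}

$health = Get-DomainReplicationHealth
$health.DomainControllers
$health.Links | Format-Table -AutoSize
if (-not $health.Healthy) {
    $health.FailedLinks      | Format-Table -AutoSize
    $health.ReportedFailures | Format-Table -AutoSize
}
"Healthy: $($health.Healthy)"
```

Like repadmin /replsum, this queries the live replication metadata on each controller, so run it only after the 5-10 minute wait in step 1; a link whose LastSuccess is empty and whose LastResult is non-zero on a freshly promoted controller usually just needs another few minutes.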

Cleaning up

If you don't intend to use the AD environment that you created in this tutorial, go ahead and clean up the resources you created on GCP so you won't be billed for them. The following sections describe how to delete or turn off these resources.

Deleting the project

The easiest way to eliminate billing is to delete the project you created for the tutorial.

To delete the project:

  1. In the Cloud Platform Console, go to the Projects page.

  2. In the project list, select the checkbox next to the project you want to delete, and then click Delete project.

  3. In the dialog, type the project ID, and then click Shut down to delete the project.

Deleting instances

To delete a Compute Engine instance:

  1. In the Cloud Platform Console, go to the VM Instances page.

  2. Click the checkbox next to the instance you want to delete.
  3. Click the Delete button at the top of the page to delete the instance.

Deleting VPC networks

To delete the VPC network, subnets, and firewall rules:

  1. In the Cloud Platform Console, go to the VPC networks page.

  2. Select the VPC network you created.

  3. Click the Delete button at the top of the page.
