Deploying Microsoft Active Directory Domain Controllers with Advanced Networking Configuration on Google Cloud

This tutorial shows how to configure Microsoft Active Directory domain controllers on Google Cloud, including configuring the network environment, creating and promoting domain controllers, and configuring site replication.

In the tutorial, you do the following:

  • Configure firewall rules that are necessary to support Active Directory.
  • Explore how to integrate Active Directory DNS (Domain Name System) with Google Cloud's internal DNS.
  • Learn how to connect to instances using Remote Desktop through Identity-Aware Proxy (IAP) for TCP Forwarding, allowing the RDP connections to be established even to instances that don't have external IP addresses.

The tutorial assumes you have a fundamental knowledge of Microsoft Windows topics such as Remote Desktop Protocol, DNS, and Active Directory administration. A basic understanding of Google Cloud, including knowledge of Compute Engine and VPC networks, is also helpful.

As the following diagram shows, this tutorial involves configuring two domain controllers for the fictitious domain example.org. You deploy these domain controllers in separate regional subnets, and configure a matching Active Directory site topology to manage domain controller replication. You also configure a private forwarding zone in Cloud DNS, causing Google Cloud's internal DNS to forward DNS queries for example.org to your domain controllers.

Diagram: two domain controllers deployed in two different regions for the fictitious domain example.org.

Objectives

  • Configure a network environment for Active Directory on Google Cloud, including discrete firewall rules to enable Active Directory traffic.
  • Use a Cloud DNS private forwarding zone to integrate Google Cloud's internal DNS with Active Directory DNS.
  • Deploy Compute Engine instances without external addresses and connect to them using IAP for TCP Forwarding.
  • Deploy a Windows Server instance and promote it to a domain controller.
  • Configure Active Directory Sites & Replication using region-to-region ping time to approximate replication cost.

Costs

This tutorial uses the following billable components of Google Cloud:

To generate a cost estimate based on your projected usage, use the pricing calculator. New Google Cloud users might be eligible for a free trial.

When you finish this tutorial, you can avoid continued billing by deleting the resources you created. For more information, see Cleaning up.

Before you begin

  1. Sign in to your Google Account.

    If you don't already have one, sign up for a new account.

  2. In the Google Cloud Console, on the project selector page, select or create a Google Cloud project.

  3. Make sure that billing is enabled for your Cloud project. Learn how to confirm that billing is enabled for your project.

  4. Enable the Compute Engine and Cloud DNS APIs.

  5. Install and initialize the Cloud SDK.

Configuring the network environment

Before you create virtual machine instances, you need to create the VPC network and configure it to host a Microsoft Active Directory environment.

Create the VPC network

You create your VPC network with subnets in two different regions.

  1. In the Cloud Console, go to the VPC networks page.

  2. Click Create VPC network.

  3. For Name, enter example.

  4. For Subnet creation mode, choose Custom.

  5. In the New subnet section, specify the following configuration parameters for the first subnet in us-central1:

    1. For Name, enter example.
    2. For Region, select us-central1.
    3. For IP address range, enter 10.0.0.0/16.
    4. Under Private Google access, select On.

    5. Click Done.

  6. To add another subnet in us-east4, click Add subnet and specify the following configuration parameters:

    1. For Name, enter example.
    2. For Region, select us-east4.
    3. For IP address range, enter 10.1.0.0/16.
    4. Under Private Google access, select On.

    5. Click Done.

  7. Click Create.

Create firewall rules

The next step is to create firewall rules for the network tags used in this tutorial:

  • dc for domain controller ports
  • dns for DNS-related ports
  • rdp for Remote Desktop–related ports

The following table summarizes the tags and related firewall rules used in this tutorial.

Tag: dc
  Ingress rules: tcp:88,135,389,445,464,636,3268,3269,49152-65535; udp:88,123,389,464; icmp
  Source ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
  Notes: This rule allows access from all internal addresses, including all three ranges that constitute the RFC 1918 private address space. For information on the ports allowed in this domain controller firewall rule, see https://support.microsoft.com/en-us/help/832017#method1

Tag: dns
  Ingress rules: tcp:53; udp:53
  Source ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 35.199.192.0/19
  Notes: This rule allows access from all internal addresses, including all three ranges that constitute the RFC 1918 private address space. For information on the ports allowed in this DNS firewall rule, see https://support.microsoft.com/en-us/help/832017#method12 The /19 source range is required in order to allow traffic from Cloud DNS forwarding. For more information, see /dns/zones/#creating-forwarding-zones

Tag: rdp
  Ingress rules: tcp:3389
  Source ranges: 35.235.240.0/20
  Notes: The /20 source range is required in order to allow traffic from IAP for TCP Forwarding. For more information, see /iap/docs/using-tcp-forwarding#before_you_begin.

Create the domain controller firewall rule

  1. In the Cloud Console, go to the Firewall rules page.

  2. Click Create firewall rule.

  3. For Name, enter example-allow-dc.

    This name must be unique for the project.

  4. For Network, choose example to specify the network where the firewall rule will be implemented.

  5. For Priority, leave the default value, 1000.

    The lower the number, the higher the priority.

  6. For Direction of traffic, choose ingress.

  7. For Action on match, choose allow.

  8. For Targets, choose Specified target tags, and in the Target tags field, enter dc for the tag to which the rule should apply.

  9. For Source filter, choose IP ranges and enter the following CIDR blocks into the Source IP ranges field to define the source for incoming traffic: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16.

  10. For Protocols and port, choose Specified protocols and ports to define the protocols and ports to which the rule applies:

    1. Select tcp, and enter the following comma-delimited list of ports: 88,135,389,445,464,636,3268,3269,49152-65535.
    2. Select udp, and enter the following comma-delimited list of ports: 88,123,389,464.
    3. Select Other protocols and include icmp.
  11. Click Create.

Create the DNS firewall rule

  1. Click Create firewall rule.
  2. For Name, enter example-allow-dns.

    This name must be unique for the project.

  3. For Network, choose example to specify the network where the firewall rule will be implemented.

  4. For Priority, leave the default value, 1000.

    The lower the number, the higher the priority.

  5. For Direction of traffic, choose ingress.

  6. For Action on match, choose allow.

  7. For Targets, choose Specified target tags, and in the Target tags field, enter dns for the tags to which the rule should apply.

  8. Choose IP ranges for the Source filter, and type the following CIDR blocks into the Source IP ranges field to define the source for incoming traffic: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 35.199.192.0/19.

  9. For Protocols and port, choose Specified protocols and ports to define the protocols and ports to which the rule applies:

    1. Select tcp, and enter the following port: 53.
    2. Select udp, and enter the following port: 53.
  10. Click Create.

Create the Remote Desktop firewall rule

  1. Click Create firewall rule.
  2. For Name, enter example-allow-rdp.

    This name must be unique for the project.

  3. For Network, choose example to specify the network where the firewall rule will be implemented.

  4. For Priority, leave the default value, 1000.

    The lower the number, the higher the priority.

  5. For Direction of traffic, choose ingress.

  6. For Action on match, choose allow.

  7. For Targets, choose Specified target tags, and in the Target tags field, enter rdp for the tags to which the rule should apply.

  8. Choose IP ranges for the Source filter, and then type the following CIDR block into the Source IP ranges field to define the source for incoming traffic: 35.235.240.0/20.

  9. For Protocols and port, choose Specified protocols and ports, select tcp, and then enter the port, 3389.

  10. Click Create.
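The same network and the three tag-scoped firewall rules from the table above, created with the gcloud tool instead of the Console. This is an added example, not part of the tutorial; it assumes gcloud is installed and authenticated, that PROJECT_ID is set by the caller (the default is a placeholder), and it only executes when invoked with the argument apply (DRY_RUN=1 prints the commands instead of running them).

```shell
#!/bin/sh
# Added example: gcloud equivalent of the Console steps that create the
# "example" VPC, its two regional subnets, and the dc/dns/rdp firewall rules.
# Assumptions: gcloud is installed and authenticated; PROJECT_ID is a placeholder.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project-id}"   # placeholder, replace with your project
NETWORK="example"
RFC1918="10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
CLOUD_DNS_FORWARDING="35.199.192.0/19"      # Cloud DNS forwarding source range
IAP_TCP_FORWARDING="35.235.240.0/20"        # IAP for TCP Forwarding source range

# Print the source ranges allowed by the rule for a given network tag.
fw_sources() {
  case "$1" in
    dc)  echo "$RFC1918" ;;
    dns) echo "$RFC1918,$CLOUD_DNS_FORWARDING" ;;
    rdp) echo "$IAP_TCP_FORWARDING" ;;
    *)   echo "unknown tag: $1" >&2; return 1 ;;
  esac
}

# Print the protocol:port list allowed by the rule for a given network tag.
# gcloud expects one protocol per item, so each port repeats its protocol.
fw_rules() {
  case "$1" in
    dc)  echo "tcp:88,tcp:135,tcp:389,tcp:445,tcp:464,tcp:636,tcp:3268,tcp:3269,tcp:49152-65535,udp:88,udp:123,udp:389,udp:464,icmp" ;;
    dns) echo "tcp:53,udp:53" ;;
    rdp) echo "tcp:3389" ;;
    *)   echo "unknown tag: $1" >&2; return 1 ;;
  esac
}

# Execute a command, or just print it when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi; }

# Custom-mode VPC with one subnet per region, both with Private Google Access.
create_network() {
  run gcloud compute networks create "$NETWORK" --project="$PROJECT_ID" \
    --subnet-mode=custom
  run gcloud compute networks subnets create "$NETWORK" --project="$PROJECT_ID" \
    --network="$NETWORK" --region=us-central1 --range=10.0.0.0/16 \
    --enable-private-ip-google-access
  run gcloud compute networks subnets create "$NETWORK" --project="$PROJECT_ID" \
    --network="$NETWORK" --region=us-east4 --range=10.1.0.0/16 \
    --enable-private-ip-google-access
}

# Ingress allow rule named example-allow-<tag>, scoped to instances carrying <tag>.
create_firewall_rule() {
  local tag="$1"
  run gcloud compute firewall-rules create "${NETWORK}-allow-${tag}" \
    --project="$PROJECT_ID" --network="$NETWORK" --direction=INGRESS \
    --action=ALLOW --priority=1000 --target-tags="$tag" \
    --source-ranges="$(fw_sources "$tag")" --rules="$(fw_rules "$tag")"
}

main() {
  create_network
  for tag in dc dns rdp; do create_firewall_rule "$tag"; done
}

if [ "${1:-}" = "apply" ]; then main; fi
```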

Configuring a Cloud DNS private forwarding zone

In this section, you configure a private forwarding zone in Cloud DNS to integrate DNS for the example.org Active Directory domain with the Google Cloud default DNS name server.

Create the Cloud DNS private forwarding zone

  1. In the Cloud Console, go to the Cloud DNS page.

  2. Click Create zone.

  3. For Zone type, choose private.

  4. For Zone name, enter example-org.

  5. For DNS name, enter example.org.

  6. Select Forward queries to another server to configure forwarding destinations.

  7. For Destination DNS servers, enter the following addresses: 10.0.0.2, 10.1.0.2.

  8. Under Network, choose example to specify the network where the forwarding zone will be applied.

  9. Click Create.

Launching the domain controller instances

In this section, you launch the domain controller instances, one in the us-central1 region using the 10.0.0.2 address, and the other in us-east4 using the 10.1.0.2 address. You configured these earlier in the Cloud DNS private forwarding zone.

Launch the initial domain controller instance in us-central1

  1. In the Cloud Console, go to the VM instances page.

  2. Click Create instance and specify dc-1 as the name for your instance.

  3. For Region, select us-central1.

  4. Take note of the Zone value. You need it later.

  5. For Machine type, select 2 vCPUs for the n1-standard-2 machine type.

  6. Under Boot disk, click Change to select your boot disk image, and then do the following:

    1. In the Boot disk dialog, select Windows Server 2019 Datacenter under OS images.
    2. For Boot disk type, select Standard persistent disk.
    3. For Size (GB), specify 50.
    4. Click Select to finalize your boot disk choices.
  7. Expand the Management, security, disks, networking, sole tenancy menu.

  8. Click Networking, and then do the following:

    1. For Network tags, enter the following tags to apply relevant firewall rules to your instance: dc, dns, rdp.
    2. For Networking interfaces, click the icon to edit the default interface.
    3. For Network, select the example VPC network.
    4. For Primary Internal IP, select Reserve static IP address.
    5. In the Reserve a static internal IP address dialog, enter dc-1 for Name.
    6. For Static IP address, select Let me choose.
    7. For Custom IP address, enter 10.0.0.2.
    8. Click Reserve.
    9. For External IP, select None to prevent assignment of an external IP address.
    10. Click Done.
  9. Click Create.

Launch the second domain controller instance in us-east4

  1. In the VM instances page, click Create instance and specify dc-2 as the name for your instance.
  2. For Region, select us-east4.
  3. Take note of the Zone selected here. You need it later.
  4. For Machine type, select 2 vCPUs for the n1-standard-2 machine type.
  5. Under Boot disk, click Change to select your boot disk image.
    1. In the Boot disk dialog, under OS images, select Windows Server 2019 Datacenter.
    2. For Boot disk type, select Standard persistent disk.
    3. For Size (GB), specify 50.
    4. Click Select to finalize your boot disk choices.
  6. Expand the Management, security, disks, networking, sole tenancy menu.
  7. Click Networking.
    1. For Network tags, enter the following tags to apply relevant firewall rules to your instance: dc, dns, rdp.
    2. For Networking interfaces, click the icon to edit the default interface.
    3. For Network, select the example VPC network.
    4. For Primary Internal IP, select Reserve static IP address.
    5. In the Reserve a static internal IP address dialog, enter dc-2 for Name.
    6. For Static IP address, select Let me choose.
    7. For Custom IP address, enter 10.1.0.2.
    8. Click Reserve.
    9. For External IP, select None to prevent assignment of an external IP address.
    10. Click Done.
  8. Click Create.
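The forwarding zone from the preceding section and the two domain controller instances from this one, created with the gcloud tool. This is an added example, not part of the tutorial; it assumes gcloud is installed and authenticated, that PROJECT_ID and the two zone names are supplied by the caller (the defaults are placeholders), and it only executes when invoked with the argument apply (DRY_RUN=1 prints the commands instead).

```shell
#!/bin/sh
# Added example: gcloud equivalent of the Console steps that create the
# example.org private forwarding zone and launch dc-1 and dc-2 with reserved
# static internal addresses and no external IP.
# Assumptions: gcloud installed and authenticated; PROJECT_ID and zones are placeholders.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project-id}"   # placeholder
NETWORK="example"
DC1_ZONE="${DC1_ZONE:-us-central1-a}"       # assumption: any zone in us-central1
DC2_ZONE="${DC2_ZONE:-us-east4-a}"          # assumption: any zone in us-east4

# Execute a command, or just print it when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi; }

# The region is the zone name with its trailing "-<letter>" removed.
region_of() { echo "${1%-*}"; }

# Private zone for example.org, visible only on the example network, that
# forwards queries to the two domain controller addresses.
create_forwarding_zone() {
  run gcloud dns managed-zones create example-org --project="$PROJECT_ID" \
    --description="Forward example.org to the Active Directory domain controllers" \
    --dns-name=example.org. --visibility=private --networks="$NETWORK" \
    --forwarding-targets=10.0.0.2,10.1.0.2
}

# create_dc NAME ZONE ADDRESS: reserve ADDRESS in the regional subnet, then
# launch a Windows Server 2019 instance bound to it, tagged dc,dns,rdp and
# without an external IP (administration goes through IAP for TCP Forwarding).
create_dc() {
  local name="$1" zone="$2" address="$3" region
  region="$(region_of "$zone")"
  run gcloud compute addresses create "$name" --project="$PROJECT_ID" \
    --region="$region" --subnet="$NETWORK" --addresses="$address"
  run gcloud compute instances create "$name" --project="$PROJECT_ID" \
    --zone="$zone" --machine-type=n1-standard-2 \
    --image-family=windows-2019 --image-project=windows-cloud \
    --boot-disk-type=pd-standard --boot-disk-size=50GB \
    --subnet="$NETWORK" --private-network-ip="$address" --no-address \
    --tags=dc,dns,rdp
}

main() {
  create_forwarding_zone
  create_dc dc-1 "$DC1_ZONE" 10.0.0.2
  create_dc dc-2 "$DC2_ZONE" 10.1.0.2
}

if [ "${1:-}" = "apply" ]; then main; fi
```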

Connecting to an instance using IAP for TCP Forwarding

Recall that you launched the Domain Controller instances without external IP addresses. Therefore, those instances aren't directly addressable on the internet. In order to establish a Remote Desktop connection, you can use Identity-Aware Proxy (IAP) for TCP Forwarding to create a secure tunnel between a local port and the Remote Desktop port, 3389, on the target instance. Using IAP for TCP Forwarding allows secure administrative connections without exposing your instances to the internet.

To forward a local port over a secure tunnel to a port on a target instance in Google Cloud, you use the start-iap-tunnel command, which has the following syntax:

gcloud beta compute start-iap-tunnel instance-name instance-port \
    --local-host-port=localhost:local-port \
    --zone=zone \
    --project=project-id

Where:

  • instance-name is the name of the instance to operate on.
  • instance-port is the name or number of the instance's port to connect to.
  • local-port is the port to which the proxy is bound. If you don't specify a value, a random port is assigned for you.
  • zone is the zone of the instance to operate on.
  • project-id is the Google Cloud project to use for this invocation.

For example, to enable RDP tunneling from local port 53389 to your first domain controller, dc-1:

  • From your local command prompt, configure IAP for TCP Forwarding:

    gcloud beta compute start-iap-tunnel dc-1 3389 \
        --local-host-port=localhost:53389 \
        --zone=zone \
        --project=project-id
    

    Where:

    • zone is the zone in the us-central1 region where dc-1 is deployed.
    • project-id is the project ID you chose for this tutorial.

    As the gcloud tool initializes the tunnel for TCP forwarding, you see output similar to the following:

    Testing if tunnel connection works.
    Listening on port [53389].
    

    You now have a local port (53389) that tunnels through IAP to the RDP port (3389) on dc-1. Before connecting to dc-1, you must obtain local user credentials.

Get local user credentials for dc-1

  1. In the Cloud Console, go to the VM instances page.

  2. In the Name column, click the name of your virtual machine instance.

  3. In the Remote Access section, click Set Windows Password.

  4. Specify a username, and then click Set to generate a new password for this Windows instance. Save the username and password to log in to the instance.

Establish the RDP connection to dc-1

  1. Using your Remote Desktop client of choice, connect to dc-1 by specifying localhost or 127.0.0.1 for the remote address and 53389 as the remote port.
  2. When you're prompted, enter the username and password you created in the previous procedure.

When you later disconnect from the instance, you must press Control+C to cancel the gcloud beta compute start-iap-tunnel command and close the tunnel.

Promoting the initial domain controller

After connecting to dc-1, you can work in your RDP windows to enable the local administrator account, install Active Directory Domain Services, and configure the instance as a domain controller in a new Active Directory forest.

Enable the local administrator user

  1. In dc-1, open Server Manager, and then select the menu item Tools > Computer Management.
  2. In the left-hand navigation pane, under Computer Management (Local) > System Tools, expand Local Users and Groups, and then select the Users folder.
  3. Right-click Administrator, and then select Set Password.
  4. In the Set Password for Administrator dialog, click Proceed.
  5. Enter and confirm a strong password, and then click OK twice.

  6. Right-click Administrator, and then select Properties.

  7. On the General tab, clear Account is disabled.

  8. Click OK.

  9. Close Computer Management.

Install Active Directory Domain Services

  1. In dc-1, open Server Manager, and select the menu item Manage > Add Roles and Features.
  2. In the Before You Begin page, click Next.
  3. In the Installation Type page, click Next.
  4. In the Server Selection page, click Next.
  5. In the Server Roles page, under Roles, select Active Directory Domain Services.
  6. In the Add Roles and Features Wizard popup, click Add Features.
  7. Click Next.
  8. In the Features page, click Next.
  9. In the AD DS page, click Next.
  10. In the Confirmation page, click Install.
  11. After installation completes, click Close.

Configure dc-1 as a domain controller

  1. Click the Notifications flag icon at the top of the Server Manager window.
  2. In the Post-deployment Configuration notification, click Promote this server to a domain controller.
  3. In the Active Directory Domain Services Configuration Wizard, under Select the deployment operation, choose Add a new forest.
  4. For Root domain name, enter example.org.
  5. Click Next.
  6. In the Domain Controller Options page, enter and confirm a strong password for the Directory Services Restore Mode (DSRM) password.

  7. Click Next.

  8. In the DNS Options page, click Next.

  9. In the Additional Options page, click Next.

  10. In the Paths page, click Next.

  11. In the Review Options page, click Next.

  12. In the Prerequisites Check page, after the checks complete, click Install.

    Because the instance automatically restarts after installation, you are disconnected from your RDP session.

Configuring Active Directory sites and replication

In this section, you reconnect to dc-1 to configure Active Directory sites and replication, this time using domain administrator credentials.

Configure Active Directory sites

  1. Connect to dc-1 as before by using the local forwarding port, but this time use domain administrator credentials:
    1. For Username, enter example\administrator.
    2. For Password, enter the password you previously assigned to the local administrator account on dc-1.
  2. In Server Manager, select the menu item Tools > Active Directory Sites and Services.
  3. In the left-hand navigation pane, under Active Directory Sites and Services, right-click Sites, and then select New Site.
  4. For Name, enter GCP-us-central1.
  5. Under Select a site link object for this site, select DEFAULTIPSITELINK.
  6. Click OK twice.
  7. Repeat steps 3–6 to create a similar site named GCP-us-east4.

Create a site link between the sites

  1. In the left-hand navigation pane, under Active Directory Sites and Services > Sites, expand Inter-Site Transports.
  2. Right-click IP, and then choose New Site Link.
  3. For Name, specify GCP-us-central1-us-east4.
  4. Under Sites not in this site link, highlight both GCP-us-central1 and GCP-us-east4.
  5. Click Add to move the sites into Sites in this site link.
  6. Click OK.
  7. In the left-hand navigation pane, under Active Directory Sites and Services > Sites > Inter-Site Transports, select IP.
  8. Right-click the new site link GCP-us-central1-us-east4, and then choose Properties.
  9. For Cost, enter 250.

  10. For Replicate Every, enter 15 minutes.

  11. Click OK.

Configure subnets for Active Directory sites

  1. In the left-hand navigation pane, under Active Directory Sites and Services > Sites, right-click Subnets, and then select New Subnet.
  2. For Prefix, enter 10.0.0.0/16.
  3. Under Site Name, select GCP-us-central1.
  4. Click OK.
  5. Repeat steps 1–4 to create a similar subnet for 10.1.0.0/16 and site GCP-us-east4.

Add dc-1 to the appropriate site (GCP-us-central1)

  1. In the left-hand navigation pane, under Active Directory Sites and Services > Sites, expand Default-First-Site-Name > Servers, and expand GCP-us-central1.
  2. Drag dc-1 from Default-First-Site-Name > Servers to GCP-us-central1 > Servers.
  3. In the Active Directory Domain Services confirmation dialog, click Yes.

Promoting additional domain controllers

Following the steps outlined previously in Connecting to an instance using IAP for TCP Forwarding, you connect to dc-2 using a different local forwarding port, such as 53390. After connecting to dc-2, you enable the local administrator user and install Active Directory Domain Services by following the steps outlined for dc-1. After you perform these steps, you can configure dc-2 as a domain controller.

Configure dc-2 as a domain controller

  1. Click the Notifications flag icon at the top of the Server Manager window.
  2. In the Post-deployment Configuration notification, click Promote this server to a domain controller.
  3. In the Active Directory Domain Services Configuration Wizard, under Select the deployment operation, choose Add a domain controller to an existing domain.
  4. For Domain, enter example.org.
  5. Under Supply the credentials to perform this operation, click Change.
  6. In the Windows Security dialog, specify your domain administrator credentials:
    1. For Username, enter example\administrator.
    2. For Password, enter the password you previously assigned to the local administrator account on dc-1.
  7. Click OK to close the dialog.
  8. Click Next.
  9. In the Domain Controller Options page, under Site name, verify that GCP-us-east4 is selected.

  10. Enter and confirm a strong password for the Directory Services Restore Mode (DSRM) password.

    You can use the same DSRM password that you specified for dc-1. In any case, remember this password. It can be useful if you need to repair or recover your domain.

  11. Click Next.

  12. In the DNS Options page, click Next.

    You might see the warning, A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found. You can disregard this warning because the forwarding zone in the preceding Cloud DNS configuration serves the same purpose as the delegation mentioned in the warning.

  13. In the Additional Options page, click Next.

  14. In the Paths page, click Next.

  15. In the Review Options page, click Next.

  16. In the Prerequisites Check page, after the checks complete, click Install.

Testing the Active Directory configuration

Test the domain controller configuration by launching a new test instance into the environment and joining it to the domain.

Launch the test instance in us-central1

  1. In the Cloud Console, go to the VM instances page.

  2. Click Create instance and specify test-1 as the name for your instance.

  3. For Region, select us-central1.

  4. Take note of the Zone value. You need it later.

  5. For Machine type, select 2 vCPUs for the n1-standard-2 machine type.

  6. Under Boot disk, click Change to select your boot disk image, and then do the following:

    1. In the Boot disk dialog, under OS images, select Windows Server 2019 Datacenter.
    2. Under Boot disk type, select Standard persistent disk.
    3. For Size (GB), specify 50.
    4. Click Select to finalize your boot disk choices.
  7. Expand the Management, security, disks, networking, sole tenancy menu.

  8. Click the Networking section header, and then do the following:

    1. For Network tags, enter rdp to apply the Remote Desktop firewall rule to your instance.
    2. Under Networking interfaces, click the icon to edit the default interface.
    3. Under Network, select the example VPC network.
    4. For External IP, select None to prevent assignment of an external IP address.
    5. Click Done.
  9. Click Create.

Connect to the test instance

In this section, you get credentials for a local user on test-1 and then connect to the test instance server.

Get credentials for a local user on test-1

  1. In the Cloud Console, go to the VM instances page.

  2. In the Name column, click the name of your virtual machine instance, test-1.

  3. In the Remote Access section, click Set Windows Password.

  4. Specify a username, and then click Set to generate a new password for this Windows instance. Save the username and password to log in to the instance.

Connect to the test instance server test-1

  1. At your local command prompt, start a tunnel using IAP and the gcloud tool:

    gcloud beta compute start-iap-tunnel test-1 3389 \
        --zone=zone \
        --project=project-id
    

    Where:

    • zone is the zone in the us-central1 region where test-1 is deployed.
    • project-id is the project ID you chose for this tutorial.

    As the gcloud tool initializes the tunnel for TCP forwarding, you see output similar to the following:

    Testing if tunnel connection works.
    Listening on port [17148].
    
  2. Use your preferred Remote Desktop client to connect to localhost (127.0.0.1) on the port specified in the output of the previous command. It might be different from the example port 17148.

  3. When prompted for credentials, enter the username and password for the local user from the previous procedure.

Join the test instance to the domain

  1. In the Remote Desktop window, join the instance to the example.org domain: click Local Server in the left-hand navigation pane of the Server Manager window.
  2. Under Properties For test-1, click the WORKGROUP link.
  3. On the Computer Name tab of the System Properties dialog, click Change.
  4. In the Member of section, select Domain, and then enter example.org.
  5. Click OK.
  6. When prompted for credentials, specify example\administrator along with the previously chosen domain administrator password, and click OK.
  7. Click OK, OK, Close, and finally Restart Now.

Verify domain membership and the active domain controller

  1. Wait a moment for the server to restart. The tunnel for RDP will still be active.
  2. Reconnect to the instance using RDP, but this time enter domain administrator credentials, for example, example\administrator with the domain administrator password.
  3. Verify the active domain controller by running the following command in a Command Prompt window:

    echo %logonserver%
    

    You see output similar to the following, identifying dc-1 as the active domain controller.

    \\DC-1
    

    If you're interested in exploring the DNS-based failover behavior of domain controllers, follow these steps:

    1. Sign out from test-1 (be sure to sign out, not simply disconnect).
    2. Stop dc-1, and then log in to test-1 again after dc-1 stops.

      This next login might take longer than usual, but after logging in, if you rerun echo %logonserver%, you can see that \\DC-2 has become the active domain controller.

Cleaning up

To avoid incurring charges to your Google Cloud account for the resources used in this tutorial, either delete the project that contains the resources, or keep the project and delete the individual resources.

Delete the project

  1. In the Cloud Console, go to the Manage resources page.

  2. In the project list, select the project that you want to delete, and then click Delete.
  3. In the dialog, type the project ID, and then click Shut down to delete the project.

What's next