Extending Active Directory to GCP

Editor’s note: This post was originally written for the Blue Medora blog. You can check out the original here.

For about 20 years now, Microsoft Active Directory has been the dominant directory service controlling user access to IT resources. IT administrators have probably all heard of someone complaining about lacking access to a desktop or server.

But just a few years ago, that problem was much easier to solve than it is now. With changes in IT environments, managing Active Directory has gotten more challenging.

In 2017, Google saw that almost half of VM migrations to Google Cloud Platform (GCP) were from organizations running Windows. So it’s clear that moving from Windows workloads to GCP has grown in popularity.

In this post, you’ll get an overview of how to go about implementing Microsoft Active Directory on GCP. You’ll also learn some things to think about during your implementation. So let’s get to it!

On-Prem AD Separation Worries

Active Directory offers a centralized platform for managing user access to Windows applications, systems, and networks. It’s allowed IT administrators the ability to enable access for the right user to the right resource at the right time.

Active Directory components usually get installed on servers in an organization’s colocation or data center. But as IT environments have gotten more complex, this situation has changed.

Those servers that used to be installed on-prem are moving to cloud providers like GCP. In some cases, Windows applications installed on these on-prem servers are being rewritten into SaaS applications to run on Google App Engine.

IT administrators now have to manage Active Directory with some servers on-prem and others in GCP. You must manage applications running in the cloud separate from user authentication servers on-prem. So how do you do it?

Active Directory on GCP Deployment Options

When implementing Active Directory on GCP, you have a number of deployment options you can utilize to leverage GCP. To move your users, groups, and other data in Active Directory to GCP you have one big decision to make. Do you want to self-deploy Active Directory on GCP or use Google’s Managed Active Directory service?

Trust Your-“Self”

When you decide to deploy Active Directory on GCP yourself, you get to make many of the decisions on how things will be implemented. But wait…there’s more.

You have many ways to self-deploy Active Directory on GCP. All involve a hybrid deployment with your on-prem Active Directory. And you’ll need to pick one.

1. Keep Active Directory On-Prem

You can decide to keep your Active Directory servers and services in your data center. You want to be able to continue managing them. With this option, in order to get Active Directory on GCP, it will require that you utilize Google Cloud VPN or Cloud Interconnect services. This will allow you to connect your on-prem infrastructure directly to GCP via its hybrid connectivity services.

In this scenario, your infrastructure is connected to GCP through a high-speed, non-internet private connection. This could be done relatively quickly.

With your applications hosted on GCP, each time they need to authenticate a user or require a hostname lookup, that request will be sent over GCP’s network connection to your on-prem infrastructure. Active Directory is very chatty due to using chatty protocols like SMB and NetBIOS. So this will cause an increase in latency for your applications.

If increased latency is a problem, you definitely need to monitor it. But you should also probably consider another option.

2. Add Read-Only Domain Controller

One step beyond the above option is to implement a Read-Only Domain Controller (RODC) on GCP. You then replicate some user passwords on your on-prem Active Directory DC to the one you have on GCP. This will allow your applications to stay within GCP when some of these users need to log in.

You need to watch out for RODC compatibility. You’ll have to ensure that your Windows-based applications support RODC. Also, some Active Directory operations will still need to go back to the on-prem Active Directory, especially if you didn’t replicate any user passwords to GCP.

3. Full-Copy Active Directory on GCP

This option is where you implement an exact copy of your on-prem Active Directory services on GCP. You have a full, writable version of your organization’s Active Directory, and all operations occur within GCP. In this setup, your applications can perform low-latency operations. Also, your GCP Active Directory infrastructure can have high availability, if implemented.

A drawback is that if your organization is large, you likely have implemented the best practice of having multiple domains. You’ll need to deploy as many domains as you have in on-prem as in GCP. This could drastically increase your cloud costs, which is obviously not ideal.

4. New Active Directory Domain on GCP

If you’re part of a large organization with multiple domains, this option is a workaround to the above. You implement a completely new Active Directory domain on GCP. Next, you use Active Directory trusts to allow your on-prem Active Directory to trust and exchange data with your GCP Active Directory.

In this setup, you don’t need to create multiple domains on GCP. Your GCP Active Directory has a two-way trust, if you set it up that way, with your on-prem Active Directory. Your applications running on GCP will be able to stay within GCP to utilize Active Directory services for its users.

For Your Consideration

If you’ve chosen the self-deployment route, you need to consider a few things:

Avoid disaster—Consider turning your Active Directory on GCP into a failover for your on-prem Active Directory. This will ensure users on your on-prem Active Directory can still authenticate and access applications even during an on-prem failure. You want fault tolerance in your hybrid deployment.

Plan for high availability—While you may have on-prem failover to GCP, you should also consider what happens if a GCP domain controller goes down. You should have not only multiple Active Directory domain controllers on GCP, but they should be implemented in separate GCP zones. You can have one Active Directory in zone us-east1-b and another in zone us-east1-c. This ensures availability if one goes down.

Use static IPs—Because of the chatty nature of Active Directory, you can afford little hiccups with service availability. Give your domain controllers static IPs to avoid any IP renewal at inconvenient times. Also, don’t use preemptible VMs. While that will reduce your cloud costs, your DC could be rebooted at the worst time.

Open up ports—Don’t forget to get approval to open up ports on your firewall. Active Directory makes use of lots of ports. All options above require opened ports for protocols like SMB (tcp/445), DNS (udp/53), or Kerberos (tcp/88).

Implement one site per region—In a large organization with multiple sites, you want to consider having one Active Directory Site per region. This will improve the performance of your applications that have moved to GCP. Applications in a particular region will go to the closest DC in its region to get low latency for application users.

Trust Your Google

At its Next ‘19 conference, Google announced its Managed Service for Active Directory. This service promises to alleviate all the headaches that come with self-deploying Active Directory on GCP. For example, with self-deployment, you obviously have more control. You decide how many VM instances you need, you monitor the infrastructure, you manage the capacity of everything, and you control all the costs of doing this.

The problem? Those very same things.

Maybe you don’t want to monitor all instances with Stackdriver yourself. You don’t want to decide how many VM instances you need for Active Directory. The Google Managed Active Directory service can help with those things. You get help with reduced operational support, increased security, and increased resiliency.

The Long and Short of It

With many organizations moving their Windows workloads to GCP, you’re not the only one that would be moving to Active Directory on GCP. As noted above, there are a series of options of how you can go about implementing your on-prem Active Directory on GCP. There are also a number of things to consider to ensure successful Active Directory deployment and operation.

You should also not forget that you need to monitor and log everything in your hybrid deployment. Whether you go with self-deployment or Google’s managed service, the unexpected always happens. You can count on that.

Something will go wrong, and you want to ensure you’re monitoring and logging Active Directory for both on-prem and GCP. This way, you can troubleshoot and get your infrastructure back to normal ASAP.

Scroll to Top