
Managed Service for Microsoft Active Directory



1 hour 30 minutes 5 Credits

GSP847


Overview

Managed Service for Microsoft Active Directory (AD) is a highly available, hardened Google Cloud service running actual Microsoft AD that enables you to:

  • Manage authentication and authorization for your AD-dependent workloads

  • Automate AD server maintenance and security configuration

  • Connect your on-premises AD domain to the cloud

Prerequisites

You will need a working RDP client for this lab.

Setup and Requirements

Before you click the Start Lab button

Read these instructions. Labs are timed and you cannot pause them. The timer, which starts when you click Start Lab, shows how long Google Cloud resources will be made available to you.

This hands-on lab lets you do the lab activities yourself in a real cloud environment, not in a simulation or demo environment. It does so by giving you new, temporary credentials that you use to sign in and access Google Cloud for the duration of the lab.

To complete this lab, you need:

  • Access to a standard internet browser (Chrome browser recommended).
Note: Use an Incognito or private browser window to run this lab. This prevents any conflicts between your personal account and the Student account, which may cause extra charges incurred to your personal account.
  • Time to complete the lab. Remember, once you start, you cannot pause a lab.
Note: If you already have your own personal Google Cloud account or project, do not use it for this lab to avoid extra charges to your account.

How to start your lab and sign in to the Google Cloud Console

  1. Click the Start Lab button. If you need to pay for the lab, a pop-up opens for you to select your payment method. On the left is the Lab Details panel with the following:

    • The Open Google Console button
    • Time remaining
    • The temporary credentials that you must use for this lab
    • Other information, if needed, to step through this lab
  2. Click Open Google Console. The lab spins up resources, and then opens another tab that shows the Sign in page.

    Tip: Arrange the tabs in separate windows, side-by-side.

    Note: If you see the Choose an account dialog, click Use Another Account.
  3. If necessary, copy the Username from the Lab Details panel and paste it into the Sign in dialog. Click Next.

  4. Copy the Password from the Lab Details panel and paste it into the Welcome dialog. Click Next.

    Important: You must use the credentials from the left panel. Do not use your Google Cloud Skills Boost credentials. Note: Using your own Google Cloud account for this lab may incur extra charges.
  5. Click through the subsequent pages:

    • Accept the terms and conditions.
    • Do not add recovery options or two-factor authentication (because this is a temporary account).
    • Do not sign up for free trials.

After a few moments, the Cloud Console opens in this tab.

Note: You can view the menu with a list of Google Cloud products and services by clicking the Navigation menu at the top-left.

Activate Cloud Shell

Cloud Shell is a virtual machine that is loaded with development tools. It offers a persistent 5GB home directory and runs on Google Cloud. Cloud Shell provides command-line access to your Google Cloud resources.

  1. Click Activate Cloud Shell Activate Cloud Shell icon at the top of the Google Cloud console.

  2. Click Continue.

It takes a few moments to provision and connect to the environment. When you are connected, you are already authenticated, and the project is set to your PROJECT_ID. The output contains a line that declares the PROJECT_ID for this session:

Your Cloud Platform project in this session is set to YOUR_PROJECT_ID

gcloud is the command-line tool for Google Cloud. It comes pre-installed on Cloud Shell and supports tab-completion.

  1. (Optional) You can list the active account name with this command:

gcloud auth list

Output:

ACTIVE: *
ACCOUNT: student-01-xxxxxxxxxxxx@qwiklabs.net

To set the active account, run:
    $ gcloud config set account `ACCOUNT`

  2. (Optional) You can list the project ID with this command:

gcloud config list project

Output:

[core]
project = <project_ID>

Example output:

[core]
project = qwiklabs-gcp-44776a13dea667a6

Note: For full documentation of gcloud, in Google Cloud, refer to the gcloud CLI overview guide.

To set the default Compute Engine region for this Cloud Shell session, run the following command (the zone is passed explicitly with --zone in the commands later in this lab):

gcloud config set compute/region us-central1

Provision a domain

For this lab, provision the domain from the Google Cloud Marketplace: search for Microsoft Active Directory, open the deployment, and set the Domain DNS Name to:

gcpnext.com

The rest of the settings can use the defaults.

This starts a Deployment Manager deployment that creates two Windows Server VMs acting as domain controllers. Note that these are ordinary Compute Engine instances running AD DS, not Managed Microsoft AD domain controllers, which is why later steps in this lab can reach one of them over RDP.

NOTE: The details for the Active Directory deployment can be seen in Deployment Manager:

Field                      Value
AD Domain Name             gcpnext.com
Service Account Username   adsetup_sa
Service Account Password   **********
Domain Controller 1        msad-1-ad-1
Domain Controller 2        msad-1-ad-2

The AD servers use a custom VPC network (msad-1-net) with the following settings:

NAME          Zone             Internal IP
msad-1-ad-1   us-central1-f    10.0.0.100
msad-1-ad-2   europe-west1-b   10.1.0.100

Note that the two domain controllers sit in different regions, so msad-1-net has subnets in more than one region. The Windows VM you create later goes in us-central1, the same region as msad-1-ad-1, and gets an address in the same 10.0.0.x range.

If you were to create a Managed Microsoft AD domain yourself (rather than the Marketplace deployment used here), you would need the following information:

  • A fully qualified domain name for the domain.
  • A reserved IP range for the domain controllers, given as a CIDR block. Managed Microsoft AD requires a /24 that does not overlap any subnet in the VPC networks you authorize.
  • The region in which to place the domain.
  • The VPC network(s) that are allowed to reach the domain; only instances on an authorized network can talk to the domain controllers.
  • A delegated administrator account username. You can define this username or use the default, setupadmin. This username cannot be changed after domain creation.

Then you would run the following command to create your domain (don't do this now):

gcloud active-directory domains create fully-qualified-domain-name \
    --reserved-ip-range=cidr-range \
    --region=region \
    --authorized-networks=vpc-network-name
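For reference only: the command above filled in with this lab's names and wrapped in the checks you would want around it. This is an added example, not part of the lab, and should not be run during it. It assumes gcloud is installed and authenticated in the PowerShell session (the same gcloud commands run unchanged in Cloud Shell apart from the backtick line continuations), that the reserved range 10.10.0.0/24 is unused in msad-1-net (an assumption; pick a range that does not collide with your subnets), and that the domain state reported by gcloud active-directory domains describe reaches READY when provisioning completes.

```powershell
# Added example, not from the lab: create a Managed Microsoft AD domain with gcloud,
# wait for it to become READY, and set the delegated admin password.
# ASSUMPTIONS: gcloud is installed/authenticated; 10.10.0.0/24 is unused in msad-1-net.
$Project  = gcloud config get-value project
$Domain   = 'gcpnext.com'
$Region   = 'us-central1'
$Network  = "projects/$Project/global/networks/msad-1-net"  # full resource name for --authorized-networks
$Reserved = '10.10.0.0/24'   # ASSUMPTION: a /24 that overlaps no subnet of the authorized network

function ConvertTo-UInt32Ip([string]$Ip) {
  # Dotted-quad to host-order integer so CIDR blocks can be compared with a mask.
  $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
  [Array]::Reverse($b)
  [BitConverter]::ToUInt32($b, 0)
}

function Test-CidrOverlap([string]$A, [string]$B) {
  # Two CIDR blocks overlap when they agree on the bits of the shorter prefix.
  $ipA, $lenA = $A -split '/'
  $ipB, $lenB = $B -split '/'
  $len  = [Math]::Min([int]$lenA, [int]$lenB)
  $mask = (0xFFFFFFFF -shl (32 - $len)) -band 0xFFFFFFFF
  ((ConvertTo-UInt32Ip $ipA) -band $mask) -eq ((ConvertTo-UInt32Ip $ipB) -band $mask)
}

# Fail early, close to the cause, if the reserved range collides with an existing subnet.
$Subnets = gcloud compute networks subnets list --network=msad-1-net --format='value(ipCidrRange)'
foreach ($s in $Subnets) {
  if (Test-CidrOverlap $Reserved $s) { throw "Reserved range $Reserved overlaps subnet $s; choose another /24." }
}

gcloud active-directory domains create $Domain `
  --reserved-ip-range=$Reserved `
  --region=$Region `
  --authorized-networks=$Network

# Provisioning takes a long time; poll the reported state instead of guessing a wait.
do {
  Start-Sleep -Seconds 60
  $State = gcloud active-directory domains describe $Domain --format='value(state)'
  "state: $State"
} until ($State -eq 'READY')

# The delegated admin (setupadmin by default) gets a generated password that is shown once;
# store it in a secret manager, not in the shell history or a transcript.
gcloud active-directory domains reset-admin-password $Domain --quiet
```

The overlap check is there because a colliding reserved range is the most common reason domain creation fails, and the API error arrives only after the request is submitted; checking the VPC's subnets first turns it into an immediate, readable failure.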

Click Check my progress to verify the objective. Provision a domain

Create a Windows VM

Start by creating a Windows Server virtual machine (VM) that will be joined to the domain. The VM must be on the same VPC network as the domain controllers (msad-1-net) and, for this lab, in the same region as msad-1-ad-1 (us-central1).

In the Cloud Console, from the Navigation menu, go to Compute Engine. You will see the two domain controller instances (msad-1-ad-1 and msad-1-ad-2) listed. Click Create instance.

Field          Value
Name           instance-1 (the default; later commands refer to this name)
Region         us-central1
Zone           us-central1-a
Machine type   n1-standard-2

In the Boot disk section, click Change to begin configuring your boot disk.

On the Public images tab, in the Operating System dropdown, choose Windows Server. In the Version dropdown, choose Windows Server 2019 Datacenter.

Click Select.

In the Firewall section, the lab selects Allow HTTP traffic and Allow HTTPS traffic. Neither is needed for a domain join or for RDP; outside the lab, leave both unchecked so the VM exposes only TCP 3389, and only to your client address.

[Screenshot createinstance.png: the Create an instance form filled in with the values above]

Before continuing, confirm that:

  • Your VM instance has a public (external) IP address; that is what the RDP client connects to.
  • Your firewall rules allow TCP ingress on port 3389 to the instance from your client's public IP address only, not from 0.0.0.0/0.

Expand Networking, Disks, Security, Management, Sole tenancy, then open the Networking tab.

Under Network tags, add: msad-1-tcp-3389

This tag attaches the instance to the firewall rule that admits RDP on TCP 3389; without it the RDP connections later in this lab are refused.

Under Network interfaces, click the default interface and, from the Network dropdown, select the network that starts with msad-1-net.

  • Under Primary internal IP, choose Custom ephemeral and enter 10.0.0.3 (the connectivity tests later in this lab assume this address).
  • Click Done.

Click Create to create the instance.

Click Check my progress to verify the objective. Create a Windows VM

Test the status of Windows Startup

After a short time, the Windows Server instance will be provisioned and listed on the VM instances page with a green status icon.

However, the server instance may not yet be ready to accept RDP connections, as it takes a while for all the OS components to initialize.

To see whether the server instance is ready for an RDP connection, run the following command at your Cloud Shell terminal command line:

gcloud compute instances get-serial-port-output instance-1 --zone us-central1-a | grep "Instance setup finished"

If prompted, type n and press Enter.

Repeat the command until you see the following in the command output, which tells you that the OS components have initialized and the Windows Server is ready to accept your RDP connection (attempt in the next step).

------------------------------------------------------------
Instance setup finished. instance-1 is ready to use.
------------------------------------------------------------

RDP into the Windows Server

To set a password for the RDP login, run the following command in the Cloud Shell terminal, replacing [instance] with the name of the VM you created (instance-1) and [username] with admin. The command creates the local account if it does not exist, adds it to the local Administrators group, and prints a generated password.

gcloud compute reset-windows-password [instance] --zone us-central1-a --user [username]

If asked Would you like to set or reset the password for [admin] (Y/n)?, enter Y.

Click Check my progress to verify the objective. Set a password for the windows server for logging into the RDP

NOTE: Save this password, as it is needed to connect to the Windows server. It is printed once and not stored anywhere by gcloud, and it grants local administrator on the VM, so treat it as a secret.
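The three steps above (create the VM, wait for Windows setup to finish, set the admin password) collected into one gcloud script, with the RDP firewall rule tightened to your own address. This is an added example, not part of the lab. It assumes gcloud is installed and authenticated in the PowerShell session (the gcloud commands themselves run unchanged in Cloud Shell, only the backtick line continuations differ), that msad-1-net has a subnet named msad-1-subnet in us-central1 (an assumption; check with gcloud compute networks subnets list), that the Marketplace deployment created a firewall rule targeting the tag msad-1-tcp-3389 (its name is looked up, not guessed), and that the hypothetical service api.ipify.org is reachable to learn your public IP.

```powershell
# Added example (not from the lab): provision the lab VM with gcloud instead of the console,
# restrict RDP to this workstation, wait for Windows setup, then set the admin password.
# ASSUMPTIONS: gcloud installed/authenticated; subnet name and IP-lookup service are guesses.
$Zone     = 'us-central1-a'
$Instance = 'instance-1'
$Network  = 'msad-1-net'
$Subnet   = 'msad-1-subnet'   # ASSUMPTION: verify with `gcloud compute networks subnets list --network=msad-1-net`
$Tag      = 'msad-1-tcp-3389'

# 1. Same spec as the console steps: n1-standard-2, Windows Server 2019, internal IP 10.0.0.3
#    on msad-1-net, and the network tag that selects the RDP firewall rule.
#    HTTP/HTTPS are deliberately not opened; the domain join does not use them.
gcloud compute instances create $Instance `
  --zone=$Zone `
  --machine-type=n1-standard-2 `
  --image-family=windows-2019 --image-project=windows-cloud `
  --network=$Network --subnet=$Subnet `
  --private-network-ip=10.0.0.3 `
  --tags=$Tag

# 2. Least privilege for RDP: find the rule that targets the tag and limit its source
#    range to this workstation's public IP instead of 0.0.0.0/0.
$MyIp = (Invoke-RestMethod -Uri 'https://api.ipify.org')   # ASSUMPTION: external IP lookup
$Rule = gcloud compute firewall-rules list --filter="targetTags:$Tag" --format='value(name)' |
        Select-Object -First 1
if ($Rule) {
  gcloud compute firewall-rules update $Rule --source-ranges="${MyIp}/32"
} else {
  # Hypothetical name; only reached if the deployment did not create a rule for the tag.
  gcloud compute firewall-rules create "${Tag}-rdp" --network=$Network `
    --direction=INGRESS --allow=tcp:3389 --target-tags=$Tag --source-ranges="${MyIp}/32"
}

# 3. Poll the serial console until the guest agent reports that setup finished
#    (the same string the lab tells you to grep for).
do {
  Start-Sleep -Seconds 20
  $Serial = gcloud compute instances get-serial-port-output $Instance --zone=$Zone 2>$null
} until ($Serial -match 'Instance setup finished')

# 4. Create or reset the local admin account. --quiet answers the Y/n prompt; the password
#    is printed once, so capture it into a secret store rather than a shell transcript.
gcloud compute reset-windows-password $Instance --zone=$Zone --user=admin --quiet
```

Step 2 is the part the console flow skips: the tag only says which rule applies to the VM, it says nothing about who may use it, and a rule with source range 0.0.0.0/0 leaves RDP on a public IP open to password spraying from anywhere.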

There are different ways to connect to your server through RDP, depending on your client:

If you are using a Chromebook or another machine at a Google Cloud event, there is likely an RDP app already installed. If its icon is present in the lower-left corner of the screen, click it and enter the external IP of your VM.

[Screenshot rdp_win.png: the RDP app icon]

If you are not on Windows but are using Chrome, you can connect through RDP directly from the browser with the Chrome RDP for Google Cloud Platform extension: on the VM instances page, click RDP next to your instance.

[Screenshot rdp_prev.png: the RDP button on the VM instances page]

This prompts you to install the Chrome RDP extension.

Once it is installed, it opens a login page. Type in the following credentials:

Field      Value
Username   admin
Password   The Windows Server password from the reset step above

In the resulting RDP session, if Windows asks you whether you want this machine to be discoverable by other machines on its network, click No.

Copy and paste with the RDP client

Once you are logged in to your instance, you may find yourself copying and pasting commands from the lab manual.

  • To paste, press Ctrl+V (on a Mac, Cmd+V does not work inside the RDP session).
  • If you are in a PowerShell window, make sure you have clicked into the window first, or the paste shortcut won't work.
  • If you are pasting into PuTTY, right-click.

Connecting to a Managed Microsoft AD domain

You can work with your domain over Remote Desktop Protocol (RDP). With Managed Microsoft AD, for security reasons, you cannot use RDP to connect directly to a domain controller; instead, you RDP to a domain-joined Compute Engine instance and use the standard AD management tools (RSAT) from there. The domain controllers in this lab were created by the Marketplace deployment as ordinary Compute Engine instances, so for this lab you can connect to msad-1-ad-1 directly.

To set a password for the admin account on msad-1-ad-1, run the following command in the Cloud Shell terminal (note that this instance is in zone us-central1-f, not us-central1-a):

gcloud compute reset-windows-password msad-1-ad-1 --zone us-central1-f --user admin

If asked Would you like to set or reset the password for [admin] (Y/n)?, enter Y.

Click Check my progress to verify the objective. Set a password for 'msad-1-ad-1' vm for logging into the RDP

NOTE: Save this password too; it is needed to connect to the domain controller and, later, to authorize the domain join.

Connect using the External IP address of the msad-1-ad-1 AD server.

Field      Value
Username   admin
Password   As per reset above

In the resulting RDP session, if Windows asks you whether you want this machine to be discoverable by other machines on its network, click No.

Test Network Connectivity

Now test network connectivity between the Windows Server and the AD domain controller. Keep in mind that ping only shows that ICMP is allowed; the domain join also needs DNS (53), Kerberos (88), LDAP (389), SMB (445) and RPC (135 plus dynamic ports) to reach the controller.

Windows VM

Open Windows PowerShell on the Windows Server and ping the domain controller:

ping 10.0.0.100

The ping should receive a response and report no packet loss.

Windows AD server

Now open Windows PowerShell on msad-1-ad-1 and ping the Windows Server in the other direction:

ping 10.0.0.3

You should receive a response that reports no packet loss.

Configure the AD domain server

On the Windows AD server (msad-1-ad-1):

  • Open the Control Panel
  • Select System and Security
  • Under System, click See the name of this computer

You will see the computer name and that it is already a member of the domain gcpnext.com.

Configure the Windows VM

On the Windows VM (instance-1):

  • Open the Control Panel
  • Select Network and Internet
  • Under Network and Sharing Center, click View network status and tasks
  • Click the Ethernet link
  • Click the Properties button
  • Select Internet Protocol Version 4 (TCP/IPv4) and click the Properties button
  • Select Use the following DNS server addresses and set the Preferred DNS server to the domain controller, 10.0.0.100 (you may also set the Alternate DNS server to the second controller, 10.1.0.100, so name resolution survives one controller being down)
  • Click OK

The domain join in the next step depends on this setting: the client locates a domain controller through DNS SRV records that the DNS service on the domain controllers serves and Google Cloud's default internal DNS does not.

Back in the Control Panel, select System and Security.

Under System, click See the name of this computer.

The computer settings will indicate that this computer is part of WORKGROUP.

  • Click Change settings
  • Click the Change button
  • On the following screen, under Member of, select Domain
  • Enter gcpnext.com as the domain name
  • Click OK

You are then prompted for an account with permission to join the domain: enter the username admin and the password you set for msad-1-ad-1 in the previous section.

A "Welcome to the gcpnext.com domain" message is shown. The Windows VM must now be rebooted for the change to take effect.

After the reboot, log in to the Windows server again:

Field      Value
Username   admin
Password   The Windows Server password

Note that once the machine is domain-joined, a bare username may be interpreted as the domain account. To log in with the VM's local account, enter it as .\admin; to log in with the domain account, use the domain form (typically GCPNEXT\admin) with the password set on msad-1-ad-1.

In the Control Panel, select System and Security. Under System, click See the name of this computer.

The computer settings will now indicate that this computer is part of the gcpnext.com domain.
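The connectivity check, DNS change, domain join and post-reboot verification above, done from an elevated Windows PowerShell on the Windows VM instead of the Control Panel. This is an added example and is not part of the lab. It assumes the lab's addresses (10.0.0.100 for msad-1-ad-1, 10.1.0.100 for msad-1-ad-2) and the domain gcpnext.com, and that the account you type at the Get-Credential prompt is the admin account set on msad-1-ad-1. Run it once to join (it reboots the VM) and once more after the reboot to verify the machine-account secure channel. Unlike ping, it checks the ports the join actually uses and confirms the DC locator SRV record resolves before it attempts the join.

```powershell
# Added example (not from the lab): connectivity check, DNS, domain join and verification
# from an elevated PowerShell on the Windows VM. Addresses and domain are the lab's own.
$DcIp   = '10.0.0.100'   # msad-1-ad-1
$DcIp2  = '10.1.0.100'   # msad-1-ad-2, used as alternate DNS
$Domain = 'gcpnext.com'

# Second run, after the reboot: confirm the join held and the machine-account trust works.
$Cs = Get-CimInstance Win32_ComputerSystem
if ($Cs.PartOfDomain -and $Cs.Domain -ieq $Domain) {
  if (Test-ComputerSecureChannel) {
    "Joined to $($Cs.Domain); secure channel to a domain controller is OK"
  } else {
    throw "Joined to $($Cs.Domain) but the secure channel is broken; run Test-ComputerSecureChannel -Repair -Credential (Get-Credential)"
  }
  return
}

# 1. Ping proves only that ICMP is allowed. A domain join needs DNS, Kerberos, RPC endpoint
#    mapper, LDAP and SMB; test those ports explicitly before changing any settings.
#    (The join also uses dynamic RPC ports above 49152, which cannot be enumerated here.)
$Required = @{ 53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC'; 389 = 'LDAP'; 445 = 'SMB' }
foreach ($Port in $Required.Keys) {
  $r = Test-NetConnection -ComputerName $DcIp -Port $Port -WarningAction SilentlyContinue
  if (-not $r.TcpTestSucceeded) {
    throw "TCP $Port ($($Required[$Port])) to $DcIp is blocked; fix the VPC firewall before joining."
  }
}

# 2. Point the NIC's DNS at the domain controllers (the Control Panel step), then prove the
#    client can find a DC the way the join does: through the _ldap._tcp.dc._msdcs SRV record.
$Nic = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
Set-DnsClientServerAddress -InterfaceIndex $Nic.ifIndex -ServerAddresses $DcIp, $DcIp2
Clear-DnsClientCache
$Srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
"DC locator records: " + (($Srv | Where-Object Type -eq 'SRV' | ForEach-Object NameTarget) -join ', ')

# 3. Join. Credentials are prompted for, never written into the script; supply the admin
#    account that reset-windows-password created on msad-1-ad-1. -Restart performs the
#    reboot the lab requires; -Force suppresses the confirmation prompt.
$Cred = Get-Credential -Message "Account allowed to join $Domain (e.g. GCPNEXT\admin)"
Add-Computer -DomainName $Domain -Credential $Cred -Restart -Force
```

The SRV lookup is the check that catches the usual failure: if DNS still points at Google Cloud's internal resolver, ping to 10.0.0.100 succeeds but Resolve-DnsName fails, and the Control Panel join would fail later with a much less specific "domain could not be contacted" error.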

Congratulations!

Over the course of this lab, you have joined a Windows VM to a Windows AD domain. You have learned how to:

  • Provision AD Servers using the Google Cloud Marketplace
  • Deploy a Windows virtual machine
  • Update DNS Settings for a Windows VM instance
  • Add a Windows virtual machine to a domain

Google Cloud training and certification

...helps you make the most of Google Cloud technologies. Our classes include technical skills and best practices to help you get up to speed quickly and continue your learning journey. We offer fundamental to advanced level training, with on-demand, live, and virtual options to suit your busy schedule. Certifications help you validate and prove your skill and expertise in Google Cloud technologies.

Manual Last Updated July 27, 2022
Lab Last Tested July 27, 2022

Copyright 2022 Google LLC All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.