Last Updated: Mar 27, 2024

Managed Service for Microsoft Active Directory


Introduction

A directory is a hierarchical store of information about a network. Microsoft Active Directory Domain Services (AD DS) holds that information and makes it available to administrators and users; Active Directory objects represent resources such as servers, printers, groups and user accounts. Authentication and access control are built into Active Directory, so the directory is also the security boundary for everything joined to it. Managed Service for Microsoft Active Directory (Managed Microsoft AD) is Google Cloud's hosted AD DS: Google runs and patches the domain controllers and automates maintenance and security configuration, while you keep control of authentication and authorisation for your own objects. It can also be connected to an on-premises AD forest through a trust.

Creating a domain with Managed Service for Microsoft AD

An Active Directory object can be a single user, a group, or a hardware resource such as a computer or printer. Each domain stores the identity information for its objects in a database that is replicated between its domain controllers. The steps to create a domain with Managed Service for Microsoft AD are as follows.

Step 1: Select an existing project or create a new one.

Step 2: Enable the Managed Microsoft AD, Cloud DNS and Compute Engine APIs.

Step 3: Create a new Virtual Private Cloud (VPC) network, or choose an existing one, in which to deploy the domain. Managed Microsoft AD refers to the network by its full resource path, in the following format.

projects/PROJECT_ID/global/networks/VPC_NETWORK_NAME

Collect the following details before proceeding any further.

  • A fully qualified domain name (FQDN) for the new domain, for example a subdomain of a name you own.
     
  • A private /24 IP range for the domain controllers that does not overlap with any subnet in the VPC or in networks peered to it.
     
  • The region in which to deploy the domain controllers.
     
  • The delegated administrator account username (the default is setupadmin; it cannot be renamed after the domain is created).
     

Step 4: Go to the Managed Microsoft AD page and click on Create new AD domain.

Step 5: Enter the collected information on the Create new Domain page. 

Step 6: Click on Create domain.
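The same six steps can be run from the gcloud CLI, which is easier to repeat and review than the console form. The script below is an added example written for this article, not code from the original page or from Google; the project, network, region, FQDN and IP range are assumptions to replace with your own.

```powershell
# Added example: create a Managed Microsoft AD domain with the gcloud CLI.
# All names below are assumptions; replace them with your own values.
$ErrorActionPreference = 'Stop'

$ProjectId  = 'my-project'        # assumed project ID
$VpcName    = 'ad-vpc'            # assumed VPC network name
$Region     = 'us-central1'       # assumed region for the domain controllers
$DomainFqdn = 'ad.example.com'    # assumed FQDN of the new domain
$AdCidr     = '10.1.0.0/24'       # assumed private range; Managed AD requires a /24
$AdminName  = 'setupadmin'        # delegated admin name; cannot be changed after creation

# Managed Microsoft AD needs a /24 that does not overlap any subnet in the VPC
# (or in networks peered to it). Fail early rather than let the create call fail.
if ($AdCidr -notmatch '/24$') { throw "Managed Microsoft AD requires a /24 range, got $AdCidr" }

# Steps 1 and 2: select the project and enable the Managed AD, Cloud DNS and
# Compute Engine APIs.
gcloud config set project $ProjectId
gcloud services enable managedidentities.googleapis.com dns.googleapis.com compute.googleapis.com

# Step 3: create the VPC only if it does not already exist, so re-runs are safe.
$existing = gcloud compute networks list --filter="name=$VpcName" --format='value(name)'
if (-not $existing) {
    gcloud compute networks create $VpcName --subnet-mode=custom
}
$NetworkPath = "projects/$ProjectId/global/networks/$VpcName"

# Steps 4 to 6: the console's "Create new AD domain" form as one command.
# Domain creation runs for a while (tens of minutes) before the domain is READY.
gcloud active-directory domains create $DomainFqdn `
    --region=$Region `
    --reserved-ip-range=$AdCidr `
    --authorized-networks=$NetworkPath `
    --admin-name=$AdminName

# Confirm the state and record the admin name and reserved range; both are
# needed later for joining VMs and for DNS conditional forwarders.
gcloud active-directory domains describe $DomainFqdn `
    --format='yaml(name,state,admin,reservedIpRange,authorizedNetworks)'
```

Keep the reserved range out of any subnet you create later: the domain controllers live in a Google-managed network peered to yours, and the /24 is the hole that peering needs.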


Joining a Windows VM to a domain

Joining a VM requires an account that has permission to join computers to the domain. By default every member of the Cloud Service Domain Join Accounts group has this permission. Active Directory Federation Services (AD FS) also requires each computer that functions as a federation server to be joined to a domain, so the same procedure applies to federation servers.

Installing RSAT

Step 1: Create a Windows VM on the VPC authorised for the domain and connect to it using RDP or PowerShell.

Step 2: In Server Manager on the VM, open the Add Roles and Features Wizard.

Step 3: Navigate to the Select Features page.

Step 4: Under Remote Server Administration Tools, expand Role Administration Tools.

Step 5: Select AD DS and AD LDS Tools.

Step 6: Complete the wizard to install the selected tools.

Joining VM to a domain

Joining needs the domain's FQDN and the username and password of an account allowed to join computers; by default that is any member of the Cloud Service Domain Join Accounts group. The VM must be able to resolve the domain in DNS, which is the case for VMs on a network authorised for the domain. After the join and reboot, sign in with a domain account and use the RSAT tools installed above to manage the domain from that VM.
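Both subsections above can be done from one elevated PowerShell session on the VM. The following is an added example for this article, not code from the original page; the domain name is an assumption, and the credential is prompted for rather than embedded.

```powershell
# Added example: install the RSAT AD tools and join this VM to the domain.
# Run in an elevated PowerShell session on the Windows VM. Domain name is assumed.
$ErrorActionPreference = 'Stop'

$DomainFqdn = 'ad.example.com'   # assumed Managed Microsoft AD domain

# "Installing RSAT", steps 1 to 6, as one command. RSAT-AD-Tools is the
# "AD DS and AD LDS Tools" feature: the snap-ins, ADAC and the ActiveDirectory module.
Install-WindowsFeature -Name RSAT-AD-Tools -IncludeAllSubFeature

# A join can only work if the domain's DC locator records resolve. A VM on an
# authorised network resolves them through Cloud DNS; check before joining
# rather than discovering a DNS problem inside the join dialog.
$dc = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainFqdn" -Type SRV
if (-not $dc) { throw "No domain controller SRV record for $DomainFqdn; check VPC DNS" }

# Prompt for an account allowed to join computers: a member of
# "Cloud Service Domain Join Accounts". Never hard-code this password in a script.
$joinCred = Get-Credential -Message "Account allowed to join $DomainFqdn"

# Join and reboot. Add -OUPath with the DN of a sub-OU under the Cloud OU (your
# own DN, assumed) if the computer object should not land in the default location.
Add-Computer -DomainName $DomainFqdn -Credential $joinCred -Restart -Force

# After the reboot, signed in as a domain user, confirm the secure channel and
# where the computer object was created:
#   Test-ComputerSecureChannel -Verbose
#   Get-ADComputer -Identity $env:COMPUTERNAME | Select-Object DistinguishedName
```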

Delegated administrator account 

A delegated administrator account is used to manage the domain. It can manage Active Directory objects and grant rights to other administrators, and it works with the standard Active Directory tools. Its default name is setupadmin; a custom name can be specified when the domain is created but cannot be changed afterwards. To find it, look at the Admin name shown under the domain's FQDN on the Managed Microsoft AD page.

If the password is forgotten it cannot be retrieved, only reset, and resetting requires the Google Cloud Managed Identities Admin or Google Cloud Managed Identities Domain Admin role. Under the default domain policy the delegated administrator's password expires every 42 days. A fine-grained password policy can be used to disable expiration for the account; creating one requires membership of the Cloud Service Fine Grained Password Policy Administrators group. Treat the account as a break-glass credential: keep its password in a secrets manager and create less privileged accounts for routine administration.
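The checks a practitioner actually needs here are "what is the admin account called", "how do I reset it" and "when does its password expire". The snippet below is an added example for this article, not code from the original page; the domain name is assumed, the gcloud lines run wherever gcloud is installed, and the Active Directory lines run on a domain-joined VM with RSAT-AD-Tools.

```powershell
# Added example: find the delegated admin, reset it, and check password expiry.
$ErrorActionPreference = 'Stop'
$DomainFqdn = 'ad.example.com'   # assumed

# The admin name is fixed at domain creation; read it from the domain resource
# instead of assuming it is still the default "setupadmin".
$AdminName = gcloud active-directory domains describe $DomainFqdn --format='value(admin)'

# Lost password: it cannot be read back, only reset. The caller needs the
# Managed Identities Admin or Domain Admin role. The new password is shown once;
# store it in a secrets manager, not in a script. Uncomment to run.
# gcloud active-directory domains reset-admin-password $DomainFqdn

# On a domain-joined VM: when does the password expire? The constructed
# attribute msDS-UserPasswordExpiryTimeComputed already takes any fine-grained
# password policy applied to the account into account.
$u = Get-ADUser -Identity $AdminName -Properties PasswordLastSet, 'msDS-UserPasswordExpiryTimeComputed'
$expiryRaw = $u.'msDS-UserPasswordExpiryTimeComputed'
if ($expiryRaw -eq [Int64]::MaxValue -or $expiryRaw -eq 0) {
    "Password for $AdminName never expires"
} else {
    $expires  = [DateTime]::FromFileTime($expiryRaw)
    $daysLeft = [int]($expires - (Get-Date)).TotalDays
    "Password for $AdminName last set $($u.PasswordLastSet), expires $expires ($daysLeft days left)"
}

# Which policy is in effect? A PSO created by a member of "Cloud Service Fine
# Grained Password Policy Administrators" shows up here; if nothing is returned,
# the 42-day default domain policy applies.
Get-ADUserResultantPasswordPolicy -Identity $AdminName
```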

Create a group Managed Service Account 

A group Managed Service Account (gMSA) is a domain account whose password is generated and rotated by the domain itself, so no administrator ever handles it. It is the identity to use when an application that would otherwise run as Local System or Network Service needs to access resources on the network: the application authenticates as the gMSA rather than as the computer account. Because each authorised host retrieves the password from the domain, one gMSA can be used on many machines at the same time. New gMSAs should be created under the Managed Service Accounts organisational unit.

Creating the first gMSA in a domain requires a Key Distribution Service (KDS) root key. Managed Microsoft AD creates this key automatically when the domain is created, so that step can be skipped; the key can be viewed with the Active Directory Sites and Services tool.

Step 1: Launch the Active Directory Sites and Services tool in Windows. Enter dssite.msc in the RUN command dialog box.

Step 2: Select the View tab in the Active Directory Sites and Services tool.

Step 3: Select Show Services Node.

Step 4: Expand Services > Group Key Distribution Service > Master Root Keys. Select a key to view its details.
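The gMSA itself is created with the ActiveDirectory module. The script below is an added example for this article, not code from the original page; the account name, host group, member server and OU distinguished names are assumptions, and it runs as the delegated administrator on a domain-joined VM with RSAT-AD-Tools.

```powershell
# Added example: create a gMSA in a Managed Microsoft AD domain and install it
# on a member server. Names and DNs are assumptions; adjust them to your domain.
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory

$DomainFqdn = 'ad.example.com'                                                # assumed
$GmsaName   = 'gmsa-web'                                                      # assumed
$HostGroup  = 'gmsa-web-hosts'                                                # assumed group of allowed hosts
$GmsaOu     = 'OU=Managed Service Accounts,OU=Cloud,DC=ad,DC=example,DC=com'  # assumed DN
$GroupOu    = 'OU=Cloud,DC=ad,DC=example,DC=com'                              # assumed DN

# Managed AD already created the KDS root key (the dssite.msc steps above show
# it). Check for it instead of calling Add-KdsRootKey; a second key is not needed.
if (-not (Get-KdsRootKey)) { throw 'No KDS root key found; gMSA creation would fail' }

# Restrict password retrieval to a group of hosts, never to the whole domain.
# A computer added to the group must reboot (or purge its Kerberos tickets)
# before the new membership is in its token.
if (-not (Get-ADGroup -Filter "Name -eq '$HostGroup'")) {
    New-ADGroup -Name $HostGroup -GroupScope Global -GroupCategory Security -Path $GroupOu
}
Add-ADGroupMember -Identity $HostGroup -Members 'web-01$'   # assumed member server

# Create the gMSA under the Managed Service Accounts OU. The domain generates the
# password and rotates it on the interval given here.
New-ADServiceAccount -Name $GmsaName `
    -DNSHostName "$GmsaName.$DomainFqdn" `
    -PrincipalsAllowedToRetrieveManagedPassword $HostGroup `
    -Path $GmsaOu `
    -ManagedPasswordIntervalInDays 30

# On each host in $HostGroup: cache the account locally and verify that the host
# is actually allowed to fetch the password (Test returns True on success).
#   Install-ADServiceAccount -Identity $GmsaName
#   Test-ADServiceAccount -Identity $GmsaName
```

If Test-ADServiceAccount returns False, the usual causes are that the host is not yet in the group as far as its own ticket is concerned (reboot it) or that the group, not the individual computer, was omitted from PrincipalsAllowedToRetrieveManagedPassword.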

Connect to a Managed Microsoft AD domain

Remote Desktop Protocol cannot be used to connect to the Managed Microsoft AD domain controllers themselves; Google manages those and they are not exposed. Instead, use RDP to connect to a domain-joined Compute Engine instance and run the standard AD management tools (RSAT) there to work with the domain.

There are a few open source options for managing Active Directory interoperation with Linux.

  • The System Security Services Daemon (SSSD) joins a Linux host to the domain and handles authentication and identity lookups against it.
     
  • Winbind uses Microsoft Remote Procedure Calls to interact with Active Directory, similar to a Windows client.
     
  • OpenLDAP is a suite of LDAP tools and libraries that can query the directory directly.

Create trust with an on-premises domain 

A trust is a relationship between domains or forests that lets users in one authenticate to resources in the other. A one-way trust is a unidirectional authentication path between two domains: the trusting domain accepts authentication from the trusted domain but not the reverse. A two-way trust is a bidirectional authentication path, so trust and access flow in both directions. Let us briefly see how to create a trust relationship between an on-premises domain and a Managed Microsoft AD domain.

Configurations

Step 1: Verify the network connectivity between the on-premises network and the Google Cloud Virtual Private Cloud.

Step 2: Configure the firewall rules on both sides (the VPC and the on-premises firewall) to allow the ingress and egress ports that Active Directory trusts use.

Conditional forwarders tell a DNS server to forward queries for a specific zone to named DNS servers instead of resolving them itself. The on-premises DNS must forward the Managed Microsoft AD zone to Cloud DNS, which requires an inbound DNS forwarding policy on the VPC; check for an existing policy, or create a new one, on the Cloud DNS page.

Step 3: Obtain the inbound forwarder IP addresses for the VPC from the Cloud DNS policy; these are the addresses the on-premises DNS servers will forward to.

Step 4: Configure the DNS conditional forwarders on the on-premises domain. Open DNS Manager, navigate to the DNS server of the domain that will take part in the trust, right-click Conditional Forwarders and select New Conditional Forwarder. Enter the Managed Microsoft AD FQDN and the IP addresses obtained in step 3.

Setting up the Trust

Configuring the on-premises domain

Log in to an on-premises domain controller using an administrator account.

Step 1: Open Active Directory Domains and Trusts. Right-click the domain and select Properties.

Step 2: Select New trust in the Trust tab.

Step 3: In the New Trust Wizard, enter the FQDN of the Managed Microsoft AD domain as the Trust Name and select Forest Trust as the Trust type.

Step 4: Set the Direction of Trust to One-way: incoming or Two-way. One-way: incoming means the Managed Microsoft AD domain trusts the on-premises domain, so on-premises users can be authenticated to resources in the cloud domain but not the reverse; this is the usual choice for a resource forest and pairs with an Outbound trust on the Managed Microsoft AD side.

Step 5: Select Forest-wide authentication for the Outgoing Trust Authentication Level. (Selective authentication is the tighter option when only specific resources should accept users from the other forest, but it then requires Allowed to Authenticate permissions on each of them.)

Step 6: Enter the Trust Password and click Next. The same password must be entered when the trust is created on the Managed Microsoft AD side.

Step 7: In the Trust Creation Complete window, select No, do not confirm the outgoing trust and No, do not confirm the incoming trust, because the other side of the trust does not exist yet.

Step 8: Click Finish.

Configuring the Managed Microsoft AD domain

Step 1: Go to the Managed Microsoft AD page in the console.

Step 2: Select the domain and then select Create Trust.

Step 3: Set the Trust type to Forest.

Step 4: Enter the FQDN of the on-premises domain as the Target domain name.

Step 5: Set the  Trust direction to Outbound or Bidirectional.

Step 6: Enter the trust password created while configuring the trust on the on-premises domain.

Step 7: Enter the IP addresses of the on-premises DNS servers, so that Managed Microsoft AD can forward queries for the on-premises domain to them.

Step 8: Click on Create Trust Relationship.
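The DNS preparation and the Managed Microsoft AD side of the trust can be scripted; the on-premises New Trust wizard has no single cmdlet equivalent and stays as described above. The following is an added example for this article, not code from the original page or from Google. Parts A and C run wherever gcloud is installed, part B on an on-premises DNS server with the DnsServer module; the domain names, IP addresses and policy name are assumptions.

```powershell
# Added example: DNS forwarding and the cloud side of an on-premises trust.
# Domain names, addresses and the policy name are assumptions.
$ErrorActionPreference = 'Stop'

$CloudDomain  = 'ad.example.com'                    # assumed Managed Microsoft AD domain
$OnPremDomain = 'corp.example.local'                # assumed on-premises forest root
$OnPremDns    = @('192.168.10.5', '192.168.10.6')   # assumed on-premises DNS servers
$VpcName      = 'ad-vpc'                            # assumed VPC reachable from on-premises
$DnsPolicy    = 'ad-inbound'                        # assumed Cloud DNS policy name

# Part A (step 3): inbound forwarding policy and its forwarder addresses.
# Cloud DNS allocates the inbound forwarder IPs with purpose DNS_RESOLVER; these
# are the targets the on-premises conditional forwarder must point at.
if (-not (gcloud dns policies list --filter="name=$DnsPolicy" --format='value(name)')) {
    gcloud dns policies create $DnsPolicy --networks=$VpcName --enable-inbound-forwarding
}
$CloudDns = @(gcloud compute addresses list --filter='purpose=DNS_RESOLVER' --format='value(address)')
if ($CloudDns.Count -eq 0) { throw 'No inbound forwarder addresses found; check the policy is attached to the VPC' }
"Point the on-premises conditional forwarder for $CloudDomain at: $($CloudDns -join ', ')"

# Part B (step 4), on an on-premises DNS server: forward the Managed AD zone to
# those addresses, replicated to every DNS server in the forest, then prove the
# cloud domain controllers resolve before touching the trust wizard.
#   Add-DnsServerConditionalForwarderZone -Name $CloudDomain -MasterServers $CloudDns -ReplicationScope 'Forest'
#   Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$CloudDomain" -Type SRV

# Part C (Managed AD side, steps 1 to 8): create the forest trust. OUTBOUND pairs
# with "One-way: incoming" in the on-premises wizard; use BIDIRECTIONAL for two-way.
# The handshake secret must equal the trust password typed in the wizard. It is
# passed on the command line, so run this interactively, not from a logged job.
$TrustPassword = Read-Host -Prompt 'Trust password from the on-premises New Trust wizard'
$dnsList = $OnPremDns -join ','
gcloud active-directory domains trusts create $CloudDomain `
    --target-domain-name=$OnPremDomain `
    --target-dns-ip-addresses=$dnsList `
    --direction=OUTBOUND `
    --type=FOREST `
    --handshake-secret=$TrustPassword

# Confirm both sides agree before relying on the trust. This is the equivalent
# of the "confirm the trust" step that was deliberately skipped in the wizard.
gcloud active-directory domains trusts validate-state $CloudDomain --target-domain-name=$OnPremDomain
```

If validation fails, check the two things it depends on in order: that the on-premises servers resolve the cloud domain's SRV records (part B), and that the on-premises firewall allows the trust ports between the on-premises domain controllers and the Managed Microsoft AD reserved range.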

Managing Active Directory objects 

After creating a Managed Microsoft AD domain and joining a Windows VM to it, open the Active Directory Users and Computers console on that VM and expand the domain. Managed Microsoft AD provides two organisational units (OUs) for managing objects, and what you can do with an object depends on which of them it lives in.

Cloud and Cloud Service Objects are the two organisational units provided by Managed Microsoft AD. Cloud is created to host your own AD objects; you have full administrative access to it and can create users, groups, computers and sub-OUs there. Cloud Service Objects hosts the objects that Managed Microsoft AD itself creates and manages; only Google Cloud can create objects there, and even an account with full control of the Cloud OU can update only a limited set of their attributes. Keep your own objects out of Cloud Service Objects and build your structure under Cloud.
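The same structure can be built with the ActiveDirectory module, which also makes the boundary between the two OUs visible rather than something discovered by accident. The script is an added example for this article, not code from the original page; the domain DN, OU and account names are assumptions, and it runs on a domain-joined VM as the delegated administrator.

```powershell
# Added example: create objects under the Cloud OU and show that the
# Cloud Service Objects OU is not writable. DNs and names are assumptions.
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory

$DomainDn  = 'DC=ad,DC=example,DC=com'               # assumed
$CloudOu   = "OU=Cloud,$DomainDn"                    # OU you fully control
$ServiceOu = "OU=Cloud Service Objects,$DomainDn"    # OU owned by Google Cloud
$AppOu     = "OU=App-Servers,$CloudOu"               # assumed sub-OU for one application

# Your own structure goes under Cloud. Keep the OU protected from accidental
# deletion; deleting an OU removes every computer and user inside it.
if (-not [adsi]::Exists("LDAP://$AppOu")) {
    New-ADOrganizationalUnit -Name 'App-Servers' -Path $CloudOu -ProtectedFromAccidentalDeletion $true
}

# A per-application admin group and user, both under Cloud. The user gets a
# one-time initial password and must change it at first logon.
$svcGroup = 'app-admins'
if (-not (Get-ADGroup -Filter "Name -eq '$svcGroup'")) {
    New-ADGroup -Name $svcGroup -GroupScope Global -GroupCategory Security -Path $AppOu
}
$initialPwd = Read-Host -AsSecureString -Prompt 'Initial password for app.admin'
New-ADUser -Name 'app.admin' -SamAccountName 'app.admin' -UserPrincipalName 'app.admin@ad.example.com' `
    -Path $AppOu -AccountPassword $initialPwd -Enabled $true -ChangePasswordAtLogon $true
Add-ADGroupMember -Identity $svcGroup -Members 'app.admin'

# Cloud Service Objects can be read but not extended, even by the delegated
# administrator. Listing works; creating is expected to be denied.
Get-ADObject -SearchBase $ServiceOu -Filter * | Select-Object Name, ObjectClass
try {
    New-ADGroup -Name 'should-fail' -GroupScope Global -GroupCategory Security -Path $ServiceOu
    Write-Warning 'Unexpected: an object was created in Cloud Service Objects'
} catch {
    "Expected: creation in Cloud Service Objects denied ($($_.Exception.Message))"
}
```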

Deploy an Active Directory resource forest 

The main steps involved in deploying an Active Directory resource forest are as follows.

  1. Setting up a Shared VPC to access Managed Microsoft AD from multiple projects.
     
  2. Configuring firewall rules to control access to Active Directory from unauthorised sources.
     
  3. Deploying Managed Microsoft AD in a single region and connecting it to an existing Shared VPC.
     
  4. Creating a management VM and joining it to the domain.
     
  5. Using a delegated administrator to connect to the Managed Microsoft AD.
     

The first step requires a Shared VPC and three separate subnets:

  • A Managed Microsoft AD subnet to run domain controllers.
     
  • A Management subnet that contains machines to manage the Active Directory.
     
  • Resource subnets containing Active Directory member servers, with one resource subnet per region.
     

Creating separate projects for management and for workloads is considered a best practice. The architecture therefore has a VPC host project that contains the Shared VPC configuration and a management project that holds the machines used to manage Active Directory. Using a Shared VPC requires a Google Cloud organisation and the following IAM roles.

  • Organization Admin, to grant the Shared VPC Admin role at the organisation level
  • Shared VPC Admin (roles/compute.xpnAdmin), to enable the host project and attach service projects to it
  • Network User (roles/compute.networkUser), for the principals in service projects that need to create resources in the shared subnets
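Steps 1 to 3 and the role bindings above as gcloud commands, with the firewall rules scoped the way a resource forest needs them. This is an added example written for this article, not code from the original page or from Google's reference deployment; the organisation ID, project IDs, ranges and principals are assumptions, and the domain is placed in the host project (also an assumption; adjust if your organisation keeps it in a service project).

```powershell
# Added example: Shared VPC, subnets, firewall rules, IAM and the domain for a
# resource forest. All IDs, ranges and principals are assumptions.
$ErrorActionPreference = 'Stop'

$OrgId       = '123456789012'                         # assumed organisation ID
$HostProject = 'ad-vpc-host'                          # assumed Shared VPC host project
$MgmtProject = 'ad-management'                        # assumed management (service) project
$Vpc         = 'ad-shared-vpc'                        # assumed
$Region      = 'us-central1'                          # assumed single region
$AdCidr      = '10.1.0.0/24'                          # Managed AD domain controllers (/24 required)
$MgmtCidr    = '10.2.0.0/24'                          # management VMs
$ResCidr     = '10.3.0.0/22'                          # member servers in this region
$NetAdmins   = 'group:network-admins@example.com'     # assumed principal
$MgmtAdmins  = 'group:ad-admins@example.com'          # assumed principal
$DomainFqdn  = 'ad.example.com'                       # assumed

# Step 1: Shared VPC. Enabling a host project needs Shared VPC Admin, which an
# Organization Admin grants at the organisation level.
gcloud organizations add-iam-policy-binding $OrgId --member=$NetAdmins --role=roles/compute.xpnAdmin
gcloud compute shared-vpc enable $HostProject
gcloud compute shared-vpc associated-projects add $MgmtProject --host-project=$HostProject

# The management and resource subnets. The AD range is not a subnet you create:
# Managed AD reserves it in its own peered network, so it must stay unused here.
gcloud compute networks create $Vpc --project=$HostProject --subnet-mode=custom
gcloud compute networks subnets create ad-management --project=$HostProject --network=$Vpc `
    --region=$Region --range=$MgmtCidr --enable-private-ip-google-access
gcloud compute networks subnets create "ad-resources-$Region" --project=$HostProject --network=$Vpc `
    --region=$Region --range=$ResCidr --enable-private-ip-google-access

# Network User on the management subnet only, not on the whole host project, so
# the management project can place VMs there but not in the resource subnets.
gcloud compute networks subnets add-iam-policy-binding ad-management --project=$HostProject `
    --region=$Region --member=$MgmtAdmins --role=roles/compute.networkUser

# Step 2: firewall. VPC networks deny ingress by default, so only open what the
# forest needs: RDP to management VMs solely from the IAP TCP forwarding range
# (35.235.240.0/20), with logging on, and AD traffic from the domain controller
# range to domain members. Nothing is opened to 0.0.0.0/0.
gcloud compute firewall-rules create allow-rdp-from-iap --project=$HostProject --network=$Vpc `
    --direction=INGRESS --source-ranges=35.235.240.0/20 --target-tags=ad-mgmt `
    --allow=tcp:3389 --enable-logging
gcloud compute firewall-rules create allow-ad-from-dcs --project=$HostProject --network=$Vpc `
    --direction=INGRESS --source-ranges=$AdCidr --target-tags=ad-member `
    --allow=tcp:53,tcp:88,tcp:135,tcp:389,tcp:445,tcp:464,tcp:636,tcp:3268,tcp:3269,tcp:49152-65535,udp:53,udp:88,udp:389,udp:464

# Step 3: the domain, attached to the Shared VPC network of the host project.
gcloud active-directory domains create $DomainFqdn --project=$HostProject `
    --region=$Region --reserved-ip-range=$AdCidr `
    --authorized-networks="projects/$HostProject/global/networks/$Vpc"

# Steps 4 and 5 (management VM, join, delegated admin) follow the sections above.
# Create that VM with --subnet=ad-management --tags=ad-mgmt --no-address so it has
# no public IP and is reachable only through IAP.
```

The two tags matter for the firewall rules to apply: management VMs get ad-mgmt, domain members get ad-member, and a VM with neither receives no ingress at all, which is the correct default.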


Frequently Asked Questions

What are the features enabled by AD DS and AD LDS Tools?

The AD DS and AD LDS Tools feature installs the AD DS snap-ins and command-line tools, the AD LDS snap-ins and command-line tools, the Active Directory module for Windows PowerShell and the Active Directory Administrative Center.

What is an organisational unit?

Organisational units are containers in which users, computers, groups and other organisational units are grouped logically. OUs define the logical structure of the directory and are the usual scope for delegating administration and linking Group Policy.

What is Remote Desktop Protocol?

RDP is a network protocol developed by Microsoft that gives a user a graphical session on a remote computer over a network connection. It lets administrators work on, and diagnose problems with, machines they cannot reach physically, and it supports different network topologies and multiple LAN protocols. Exposing RDP directly to the internet is a common point of compromise; on Compute Engine, restrict port 3389 with firewall rules and reach VMs through Identity-Aware Proxy TCP forwarding or a bastion host instead.

Conclusion

This blog discussed Managed Service for Microsoft Active Directory in Google Cloud. It explained how to create a domain, join VMs to it and use the delegated administrator account. It also covered creating a trust with an on-premises domain, managing Active Directory objects in the Cloud OU and deploying a resource forest on a Shared VPC.

