Active Directory on Google Cloud Platform
This post is about hosting your AD on GCP. It is not about syncing gSuite and AD users; typically, in Cloud IAM, you bring over your gSuite users by giving each user a Cloud Identity (a GCP-native identity wrapper over the gSuite identity).
Why would you want to host AD on GCP? If your apps use AD and you plan to move those apps to Google Cloud Platform, that is your use case.
Another popular use case is disaster recovery: keeping a standby replica of your on-premises Active Directory on Google Cloud.
Can I host more than a single domain on a DC?
No. Only one domain per DC. However, multiple UPN suffixes (domain-suffixed users) can be added to a single DC. This is only a workaround for adding users from different domains to a single DC; only one actual domain can be hosted on an Active Directory DC.
Here are some possible configurations:
1. Active Directory Stays On-Premises
Retaining your Active Directory servers and services in your data center will require a private connection to GCP. A Google Cloud VPN or Cloud Interconnect service would meet this need.
Pro – Applications hosted on GCP keep using your existing AD: each time an app needs to authenticate a user or look up a hostname, that request is sent over the VPN tunnel or Interconnect to your on-prem AD infrastructure.
Con – Active Directory is very chatty because it relies on chatty protocols like SMB and NetBIOS, so every round trip over the tunnel increases latency for your applications.
If increased latency is a problem, you definitely need to monitor it.
2. Add a Read-Only Domain Controller
One step beyond the above option is to implement a Read-Only Domain Controller (RODC) on GCP. You then replicate some user passwords from your on-prem Active Directory DC to the RODC on GCP. This allows your applications to stay within GCP when those users need to log in.
You need to watch out for RODC compatibility. You’ll have to ensure that your Windows-based applications support an RODC. Also, some Active Directory operations will still need to go back to the on-prem Active Directory, especially if you didn’t replicate any user passwords to GCP.
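Which passwords the RODC is allowed to cache is controlled by its Password Replication Policy. The following is an added example (not from the original post) showing how to restrict that cache to a dedicated group of app users, keep privileged accounts out of it, and audit which accounts have actually been cached. It assumes the ActiveDirectory PowerShell module (RSAT) and uses placeholder names for the RODC (`GCP-RODC01`) and the group (`GCP-App-Users`).

```powershell
# Added example, not the post's own code. Assumes the ActiveDirectory module
# and an RODC named GCP-RODC01; both GCP-RODC01 and GCP-App-Users are placeholders.
Import-Module ActiveDirectory

$Rodc     = 'GCP-RODC01'
$AppUsers = 'GCP-App-Users'

# Least privilege: only accounts that log in to GCP-hosted apps go into a
# dedicated group, and only that group's secrets may be cached on the RODC.
New-ADGroup -Name $AppUsers -GroupScope Global -GroupCategory Security -ErrorAction SilentlyContinue
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $AppUsers

# Privileged accounts must never be cached on a DC you trust less.
# The built-in "Denied RODC Password Replication Group" already covers these,
# but stating it explicitly documents the intent (Denied always wins over Allowed).
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -DeniedList 'Domain Admins', 'Enterprise Admins'

# Review the policy as configured...
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed |
    Select-Object Name, ObjectClass

# ...and the accounts whose secrets have actually been revealed to the RODC.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
    Select-Object SamAccountName, ObjectClass

# Detection check: any cached account outside the app group means a logon hit
# the RODC that the design did not anticipate and should be investigated.
$Expected = Get-ADGroupMember -Identity $AppUsers -Recursive |
    Select-Object -ExpandProperty SamAccountName
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
    Where-Object { $_.SamAccountName -notin $Expected }
```

Accounts that are neither allowed nor denied simply fall back to the on-prem writable DC for authentication, which is the behaviour the post warns about when no passwords are replicated.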
3. Add a New Active Directory Domain on GCP
You implement a completely new Active Directory domain on GCP. Next, you use Active Directory trusts so that your on-prem Active Directory can trust and exchange data with your GCP Active Directory.
In this setup, you don’t need to create multiple domains on GCP. Your GCP Active Directory has a trust, two-way if you set it up that way, with your on-prem Active Directory. Your applications running on GCP will be able to stay within GCP to use Active Directory services for their users.
4. Managed AD on GCP
Google recently announced its Managed Service for Microsoft Active Directory. This service promises to alleviate the maintenance burden that comes with self-deploying Active Directory on GCP.