Microsoft Remote Desktop Services (RDS) requires the use of a Microsoft Active Directory (AD) domain. When creating a new deployment using itopia's Cloud Automation Stack (CAS), you can create or connect to an existing Active Directory domain, or create a new instance of Google Managed Service for Microsoft Active Directory (Managed Microsoft AD).
Managed Microsoft AD provides a simplified Active Directory administration experience by eliminating the need to manage domain controllers or their associated services, such as AD DNS.
With Managed Microsoft AD, a full Microsoft Active Directory instance is provisioned, configured, and updated by Google Cloud; your VMs use Google Cloud DNS to locate the Active Directory endpoints and connect to the domain controllers across your internal Virtual Private Cloud (VPC) network.
For more details, Google's Managed AD Home page is here.
Benefits of Managed Microsoft AD
Although it can be used in many scenarios, Managed Microsoft AD is an ideal option for smaller CAS deployments that do not require the advanced capabilities of a full Microsoft Active Directory environment. Managed Microsoft AD delivers a pre-hardened Active Directory domain and standard administration tasks such as monitoring, patching, and upgrading are handled automatically by Google Cloud. It is well-suited for organizations that do not have an existing Active Directory and only wish to fulfill the AD requirements for Remote Desktop Services or other AD-integrated systems.
Managed Microsoft AD also supports integration with existing Active Directory environments through the use of standard domain trusts; this makes it a good candidate for itopia CAS deployments that must maintain a certain level of isolation from your primary network while still offering unified authentication experience for your users.
There is no cost in itopia CAS for Managed Microsoft AD. For information on the GCP pricing for the managed service, refer to Google Cloud's documentation.
Considerations When Using Managed Microsoft AD
Managed Microsoft AD has some important distinctions from a traditional, full Active Directory implementation. These differences and limitations are important to consider when planning your CAS deployment:
- Managed Microsoft AD does not grant elevated permissions such as Domain Admins or Enterprise Admins membership. While equivalent permissions are provided for common administrative tasks such as managing users, groups, and Group Policy Objects, domain- and forest-level administrator permissions are not available for advanced configuration of the environment
- Similarly, Managed Microsoft AD does not support schema extensions or modifications. Applications that require modifying the AD schema are not supported.
- Additional domain controllers (DCs) cannot be manually provisioned for Managed Microsoft AD. Google Cloud ensures the AD domain is highly-available and provides sufficient compute capacity for AD services, but extending the domain by promoting additional DCs is not supported.
- itopia CAS does not currently support integration with an existing Managed Microsoft AD instance; when selecting to configure a CAS deployment with Managed Microsoft AD, a new instance is provisioned. This functionality may be supported in a future release.
- itopia CAS does not currently support multi-region deployments when using Managed Microsoft AD. This functionality may be supported in a future release.
- itopia CAS will provision a bastion VM for performing administrative tasks within the Managed Microsoft AD environment. This VM is required to relay instructions (such as creating a new user or updating a group) from CAS to the Managed Microsoft AD instance.
- During the Beta period, you can only add domain controllers to the following regions:
us-west1; us-west2; us-central1; us-east1; us-east4; europe-north1; europe-west1; europe-west4; asia-east1; asia-southeast1
Known Issues with Managed Microsoft AD
This section describes current known issues and limitations when using Managed Microsoft AD in a CAS RDS deployment. This section will be updated as issues are remediated.
Managed Microsoft AD is Incompatible with NetApp Cloud Volumes
DESCRIPTION: CAS deployments cannot be created using both Managed Microsoft AD and the NetApp Cloud Volumes service. This is due to a limitation of the GCP Service Networking API that does not permit different managed services to communicate with one another. Because NetApp Cloud Volumes rely on Active Directory for file permissions on its SMB file shares, Cloud Volumes are not compatible with Google's Managed Service for Microsoft Active Directory.
STATUS: This is a known limitation. Google Cloud may address this limitation in the future, but no timeframe is available.
WORKAROUND: CAS deployments can be configured with either Managed Microsoft AD and an alternative file share system (such as Windows File Server), or with NetApp Cloud Volume Services and an alternative AD model (such as New Domain using Active Directory Domain Services or Existing Active Directory).
Configure a CAS Deployment with Managed Microsoft AD
To create a new deployment using Managed Microsoft AD, simply select the option "Google Managed Service for Microsoft Active Directory" in the Active Directory portion of the Deployment Configuration, and provide a DNS name for the Managed Microsoft AD domain; refer to Microsoft's naming conventions in Active Directory when choosing a name.
When your deployment is created, you'll notice the following differences from using a full Active Directory domain:
- The CAS deployment will not include any domain controller VM instances
- The CAS deployment will include a bastion VM instance, used for allowing communication from CAS to the Managed Microsoft AD environment
- Within the Google Cloud project, the VPC network used for the CAS deployment will have a Service Networking peering for your Managed Microsoft AD instance, and several firewall rules will be created.
- CAS service accounts (the itoadmin accounts) will have different elevated permissions to be compatible with Managed Microsoft AD. Additional information is available here: Service Accounts used by itopia CAS.
With these exceptions, CAS is configured identically to a full Active Directory deployment, and all CAS functionality is supported.