Microsoft Remote Desktop Services (RDS) requires the use of a Microsoft Active Directory (AD) domain. When creating a new deployment using itopia's Cloud Automation Stack (CAS), you can create or connect to an existing Active Directory domain, or create a new instance of Google Managed Service for Microsoft Active Directory (Managed Microsoft AD).
Managed Microsoft AD provides a simplified Active Directory administration experience by eliminating the need to manage domain controllers or their associated services, such as AD DNS.
With Managed Microsoft AD, a full Microsoft Active Directory instance is provisioned, configured, and updated by Google Cloud; your VMs use Google Cloud DNS to locate the Active Directory endpoints and connect to the domain controllers across your internal Virtual Private Cloud (VPC) network.
For more details, see Google's Managed Microsoft AD home page.
Benefits of Managed Microsoft AD
Although it can be used in many scenarios, Managed Microsoft AD is an ideal option for smaller CAS deployments that do not require the advanced capabilities of a full Microsoft Active Directory environment. Managed Microsoft AD delivers a pre-hardened Active Directory domain, and standard administration tasks such as monitoring, patching, and upgrading are handled automatically by Google Cloud. It is well-suited for organizations that do not have an existing Active Directory and only wish to fulfill the AD requirements for Remote Desktop Services or other AD-integrated systems.
Managed Microsoft AD also supports integration with existing Active Directory environments through the use of standard domain trusts; this makes it a good candidate for itopia CAS deployments that must maintain a certain level of isolation from your primary network while still offering a unified authentication experience for your users.
The itopia subscription includes this feature at no additional cost, and Google Cloud is currently offering Managed AD at no cost as well while it is in the Beta stage. Google's pricing can change in the future; we recommend monitoring it on Google Cloud's product page.
Considerations When Using Managed Microsoft AD
Managed Microsoft AD has some important distinctions from a traditional, full Active Directory implementation. These differences and limitations are important to consider when planning your CAS deployment:
- Managed Microsoft AD does not grant elevated permissions such as Domain Admins or Enterprise Admins membership. While equivalent permissions are provided for common administrative tasks such as managing users, groups, and Group Policy Objects, domain- and forest-level administrator permissions are not available for advanced configuration of the environment.
- Similarly, Managed Microsoft AD does not support schema extensions or modifications. Applications that require modifying the AD schema are not supported.
- Additional domain controllers (DCs) cannot be manually provisioned for Managed Microsoft AD. Google Cloud ensures the AD domain is highly available and provides sufficient compute capacity for AD services, but extending the domain by promoting additional DCs is not supported.
- itopia CAS does not currently support integration with an existing Managed Microsoft AD instance; when selecting to configure a CAS deployment with Managed Microsoft AD, a new instance is provisioned. This functionality may be supported in a future release.
- itopia CAS does not currently support multi-region deployments when using Managed Microsoft AD. This functionality may be supported in a future release.
- itopia CAS will provision a bastion VM for performing administrative tasks within the Managed Microsoft AD environment. This VM is required to relay instructions (such as creating a new user or updating a group) from CAS to the Managed Microsoft AD instance.
- During the Beta period, Managed Microsoft AD domain controllers can only be placed in the following regions:
us-west1, us-west2, us-central1, us-east1, us-east4, europe-north1, europe-west1, europe-west4, asia-east1, asia-southeast1
Known Issues with Managed Microsoft AD
This section describes current known issues and limitations when using Managed Microsoft AD in a CAS RDS deployment. This section will be updated as issues are remediated.
NOTE: Prior to general availability (see Google's announcement), itopia worked closely with Google to address several known issues. For example, RDS Per-User Licensing is now available: RD Licensing servers are now able to track licensing information when per-user licensing is configured in the RDS deployment. This means end users will no longer receive error messages upon connecting to the environment after the initial 90-day licensing grace period has lapsed.
Desktop Shortcuts Unavailable for Published CAS Applications
When applications are published using the CAS Applications module, the users that are assigned the application receive a shortcut icon on their desktop when their Collection Pool is configured in Full Desktop mode. In an RDS deployment with Managed Microsoft AD, these desktop shortcuts cannot be created. All other Applications module functionality should behave as expected, and Collection Pools in RemoteApp mode are unaffected (application shortcuts are still published to RDWeb and the RD Web Feed).
We are actively working with Google to address this issue, but no timeline for resolution is currently available.
Configure a CAS Deployment with Managed Microsoft AD
To create a new deployment using Managed Microsoft AD, simply select the option "Google Managed Service for Microsoft Active Directory" in the Active Directory portion of the Deployment Configuration, and provide a DNS name for the Managed Microsoft AD domain; refer to Microsoft's naming conventions in Active Directory when choosing a name.
When your deployment is created, you'll notice the following differences from using a full Active Directory domain:
- The CAS deployment will not include any domain controller VMs.
- The CAS deployment will include a bastion VM, used to relay communication from CAS to the Managed Microsoft AD environment.
- Within the Google Cloud project, the VPC used for the CAS deployment will be peered with the VPC for your Managed Microsoft AD instance, and several firewall rules will be created.
With these exceptions, CAS is configured identically to a full Active Directory deployment, and all CAS functionality is supported.
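The peering and firewall rules above are the pieces most worth verifying after a deployment completes, since the bastion VM and the AD traffic path both depend on them. The following script is an added example, not itopia's or Google's code: it takes the JSON that `gcloud compute networks describe` and `gcloud compute firewall-rules list` emit with `--format=json` (the field names `peerings`, `state`, `sourceRanges`, `allowed`, `direction` and `disabled` are gcloud's), confirms the peering to the Managed AD network is ACTIVE, confirms the standard Active Directory ports (Microsoft's published list, assumed here, not taken from this page) are allowed from the Managed AD address range, and flags any rule that exposes RDP to 0.0.0.0/0. The network, project and CIDR values in the embedded sample are constructed placeholders.

```python
"""Post-deployment check for a CAS + Managed Microsoft AD network: VPC peering state,
firewall rules for AD traffic, and wide-open RDP rules. Works on gcloud --format=json
output; a constructed sample is embedded so the checks run offline."""
import ipaddress
import json
import subprocess
from typing import List, Optional

# Ports a domain member needs on its domain controllers (Microsoft's standard AD port
# list, trimmed to the common entries; an assumption, not from the itopia page).
# The tuple is the RPC dynamic port range.
AD_REQUIRED = {
    "tcp": [53, 88, 135, 389, 445, 464, 636, 3268, 3269, (49152, 65535)],
    "udp": [53, 88, 123, 389, 464],
}


def gcloud_json(*args: str) -> object:
    """Run a gcloud command and parse its JSON output (requires gcloud on PATH)."""
    proc = subprocess.run(["gcloud", *args, "--format=json"], check=True,
                          capture_output=True, text=True)
    return json.loads(proc.stdout)


def rule_allows(rule: dict, proto: str, port: int) -> bool:
    """True if an enabled INGRESS rule allows proto/port (no 'ports' key means all ports)."""
    if rule.get("disabled", False) or rule.get("direction", "INGRESS") != "INGRESS":
        return False
    for entry in rule.get("allowed", []):
        if entry["IPProtocol"].lower() not in (proto, "all"):
            continue
        if "ports" not in entry:
            return True
        for spec in entry["ports"]:
            lo, _, hi = spec.partition("-")          # "3268-3269" or "3389"
            if int(lo) <= port <= int(hi or lo):
                return True
    return False


def covers(rule: dict, cidr: str) -> bool:
    """True if one of the rule's sourceRanges contains the whole given CIDR."""
    net = ipaddress.ip_network(cidr, strict=False)
    for sr in rule.get("sourceRanges", []):
        other = ipaddress.ip_network(sr, strict=False)
        if other.version == net.version and net.subnet_of(other):
            return True
    return False


def ad_peering(network: dict, peer_fragment: str) -> Optional[dict]:
    """Return the ACTIVE peering whose peer network URL contains peer_fragment, else None."""
    for p in network.get("peerings", []):
        if peer_fragment in p.get("network", "") and p.get("state") == "ACTIVE":
            return p
    return None


def missing_ad_ports(rules: List[dict], ad_cidr: str) -> List[str]:
    """'proto:port' entries from AD_REQUIRED that no rule allows from the Managed AD range."""
    missing = []
    for proto, ports in AD_REQUIRED.items():
        for port in ports:
            low = port[0] if isinstance(port, tuple) else port   # probe the start of a range
            label = f"{port[0]}-{port[1]}" if isinstance(port, tuple) else str(port)
            if not any(covers(r, ad_cidr) and rule_allows(r, proto, low) for r in rules):
                missing.append(f"{proto}:{label}")
    return missing


def world_open_rdp(rules: List[dict]) -> List[str]:
    """Names of enabled rules allowing tcp/3389 from 0.0.0.0/0. The CAS bastion VM should be
    reached via IAP TCP forwarding or a VPN, not an unrestricted public rule."""
    return [r["name"] for r in rules
            if covers(r, "0.0.0.0/0") and rule_allows(r, "tcp", 3389)]


def audit(network: dict, rules: List[dict], peer_fragment: str, ad_cidr: str) -> dict:
    """Summarise the three checks for one deployment."""
    return {"peering_active": ad_peering(network, peer_fragment) is not None,
            "missing_ad_ports": missing_ad_ports(rules, ad_cidr),
            "world_open_rdp": world_open_rdp(rules)}


# Constructed sample shaped like the gcloud JSON; names, project and CIDR are placeholders.
SAMPLE_NETWORK = {
    "name": "cas-vpc",
    "peerings": [{"name": "peer-managed-ad", "state": "ACTIVE",
                  "network": "https://www.googleapis.com/compute/v1/projects/"
                             "EXAMPLE-AD-PROJECT/global/networks/managed-ad-net"}],
}
SAMPLE_RULES = [
    {"name": "cas-allow-managed-ad", "direction": "INGRESS", "sourceRanges": ["10.1.0.0/24"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["53", "88", "135", "389", "445", "464",
                                                  "636", "3268-3269", "49152-65535"]},
                 {"IPProtocol": "udp", "ports": ["53", "88", "123", "389", "464"]}]},
    {"name": "allow-rdp-anywhere", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
    {"name": "old-allow-all", "direction": "INGRESS", "disabled": True,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},
]

if __name__ == "__main__":
    # Offline run on the sample; for a live project replace the two inputs with, e.g.:
    #   net = gcloud_json("compute", "networks", "describe", "cas-vpc")
    #   rules = gcloud_json("compute", "firewall-rules", "list", "--filter=network:cas-vpc")
    print(json.dumps(audit(SAMPLE_NETWORK, SAMPLE_RULES, "managed-ad-net", "10.1.0.0/24"),
                     indent=2))
```

On the sample data the audit reports the peering as active, no missing AD ports, and `allow-rdp-anywhere` as a world-open RDP rule. Disabled rules are ignored on purpose so that a leftover but disabled rule does not mask a real gap or raise a false alarm.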