This article is designed to provide an overview of all the ways itopia's Cloud Automation Stack (CAS) leverages and extends Microsoft's Active Directory (AD) service in each customer's RDS environment.
RDS and Active Directory
itopia's CAS deploys and manages Microsoft's Remote Desktop Services (RDS) deployments in each customer's Google Cloud Platform (GCP) project. Both RDS and CAS require Active Directory (AD) and use AD in many ways.
RDS is deployed to an Active Directory domain to authenticate and authorize each user as well as to manage, control and enforce the security policies for all users and computers in the specific AD.
In other words, RDS allows users to connect to their hosted virtual Windows desktop over Remote Desktop Protocol (RDP). Like any connection method, the user must be authenticated against AD to enable login and to ensure their virtual desktop only allows access to a specific set of resources (files, folders, applications, etc).
- AD contains information about resources in your enterprise (users, computers, printers, etc)
- AD is accessed via LDAP
- AD relies on DNS as its location service
- AD support several naming conventions, but most RDS deployments use UPN (User Principle Name)
- AD is a database; typically accessed via a Console in Windows, but can also be programmatically access via PowerShell
Active Directory Management in CAS
The CAS Portal is used to manage AD via Modules such as Users and Groups. The CAS Portal (cas.itopia.com) is a browser-based single page control pane.
To contrast, in traditional AD environments, IT Administrators will do this same work manually via the Active Directory Console (dsa.msc) or the Group Policy Management Console (gpmc.msc). More later on Group Policy.
Active Directory Configuration Options in a CAS Deployment
When using the CAS Wizard to provision an RDS environment in GCP, the CAS Administrator has multiple options: deploy the RDS environment into an existing AD domain OR allow the wizard to create a new AD domain (and Forest).
For smaller customers, Microsoft's Cloud-based Managed AD offering is very compelling (i.e. lower cost because no dedicated AD Domain Controller is required).
CAS Deployment is Single-Tenancy
Every CAS deployment is created with its own single tenant domain. In the SaaS delivery model, a customer is called a tenant. This means, no matter which AD configuration option is chosen, the CAS deployment (architecture/software infrastructure) is designed to support one customer, who in turn can have multiple clients.
CAS AD Organizational Unit (OU) Structure
The Active Directory framework that holds the objects (users, groups, servers, etc) can be viewed at a number of levels. The logical divisions in any AD network are: Forest, Tree, and Domain. Within a deployment, objects are grouped into domains. The objects held within a domain can then be grouped into organizational units (OUs)
OUs can provide hierarchy to a domain, ease its administration, and can resemble the organization's structure in managerial or geographical terms. OUs can contain other OUs—domains are containers in this sense.
CAS deploys two organizational units (OUs) in the root of the AD domain: Admin Accounts contains user accounts with elevated privileges based on the settings in the itopia CAS console. The other OU is named based on the deployment code and deployment name in the CAS console and contains computer accounts, security groups, and standard user accounts as provisioned in the CAS console.
For a deployment named "itopia Inc" with a deployment code "QH5", the OU structure looks as follows:
Group Policy Objects
AD and Group Policy Objects (GPOs) work hand-in-hand to allow centralized management of user and server settings (but only those belonging to the AD domain in a customer's CAS deployment).
CAS deploys its own set of GPOs to manage each customer's RDS deployment. Learn more here. Customers can also bring their own GPOs to their CAS deployment by specifying these GPOs during deployment. Learn more about this Beta feature here.
Administration (Service) Accounts
When creating and managing an RDS deployment, the itopia CAS provisions a set of service accounts within the AD domain.
These accounts are used to support various administrative functions within the Operating System (OS), AD and the RDS environment.
The same set of six (6) accounts is automatically setup and configured for each CAS deployment. Learn more about these service accounts here.
AD Field Name requirements when creating a Deployment
Configuring a Remote Desktop Deployment with Extended Active Directory
Using RDS Deployments with Google Managed Service for Microsoft Active Directory
Configuring a Remote Desktop Deployment with New Domain
Active Directory Extension for Disaster Recovery