This repository will deploy a highly-available Managed Active directory domain and a windows Compute instance to bind to the new Managed AD domain. In addition, there are powershell scripts to add users to the new domain and validate a sync to Cloud Identity using Google Cloud Directory Sync.

Managed Active Directory Domain .40 per hour
Windows GCE Instance estimate $119 per month

• Managed Active Directory - The Managed Active Directory domain will be deployed with opinionated defaults for region,zone, and subnet for the Domain controllers.

• Isolated Windows Compute Instance - The Windows instance will be deployed without a public IP, NAT service, and firewalls to limit access.

• Google Cloud Directory Sync Simulation - To demostrate the ability to Windows instance can used to simulate the sync.

• Terraform 0.13.x
• [terraform-provider-google](https://github.com/terraform-providers terraform-provider-google) plugin 3.50

• Remote Desktop

1. Change to deployment directory

   cd envs/development
   

2. Update backend.tf with an existing GCS bucket to store Terraform state.

   bucket = "UPDATE_ME"
   

3. Rename terraform.example.tfvars to terraform.tfvars and update the file with values from your environment:

   mv terraform.example.tfvars terraform.tfvars
   

1. Run terraform init
2. Run terraform plan and review the output.
3. Run terraform apply

Note Managed Active Directory deployment can take up to 60 minutes

1. Deploy Bootstrap environment from Cloud Foundation Toolkit

2. Add cloud_source_repos to terraform.tfvars file to build gcp-gcds repo in 0-bootstrap

   cloud_source_repos = ["gcp-org", "gcp-environments", "gcp-networks", "gcp-projects", "gcp-gcds"]
   

3. Run terraform apply

1. Clone the empty gcp-gcds repo.

   gcloud source repos clone gcp-gcds --project=YOUR_CLOUD_BUILD_PROJECT_ID_FROM_0-bootstrap
   

2. Navigate into the repo and change to a non-production branch.

   cd gcp-gcds
   git checkout -b plan
   

3. Copy the development environment directory and cloud build configuration files

   cp -r ../gcp_managed_ad/envs  .
   cp ../gcp_managed_ad/build/*  .
   

4. Ensure wrapper script can be executed.

   chmod 755 tf-wrapper.sh
   

5. Commit changes.

   git add .
   git commit -m 'Your message'
   

6. Push your plan branch to trigger a plan. For this command, the branch plan is not a special one. Any branch which name is different from development, non-production or production will trigger a Terraform plan.

   git push --set-upstream origin plan
   

7. Review the plan output in your Cloud Build project. https://console.cloud.google.com/cloud-build/builds?project=YOUR_CLOUD_BUILD_PROJECT_ID

8. Merge changes to production branch.

   git checkout -b development
   git push origin development
   

9. Review the apply output in your Cloud Build project. https://console.cloud.google.com/cloud-build/builds?project=YOUR_CLOUD_BUILD_PROJECT_ID

10. Destroy the new GCS bucket with gcloud build command

    gcloud builds submit . --config=cloudbuild-tf-destroy.yaml --project <your_build_project_id> --substitutions=BRANCH_NAME="$(git branch 2> /dev/null | sed -e '/^[^*]/d' -e 's/* \(.*\)/\1/')",_ARTIFACT_BUCKET_NAME='Your Artifact GCS Bucket',_STATE_BUCKET_NAME=<Your Terraform state GCS bucket>,_DEFAULT_REGION='us-central1',_GAR_REPOSITORY='prj-tf-runners'
    

1. Start an Identity Aware Proxy tunnel & start remote desktop session

   $ gcloud compute start-iap-tunnel <Name Of Windows Server> 3389 --local-host-port=localhost:3389 --zone=us-central1-b
   

2. Login with local account creditials and reset password in UI or gcloud cli

   $ gcloud compute reset-windows-password <Name of Windows Server> --zone=us-central1-b
   

3. Add Server to the new Active Directory domain

   Run gcloud command to collect the domain admin password
   
   $  gcloud active-directory domains reset-admin-password
   Open a Powershell session to run as Administrator
   $  $domainname = read-host -Prompt "Please enter a domainname"
   $  Add-Computer -DomainName $domainname -Credential $domainname\setupadmin -Restart -Force
   Enter Domain password
   

4. Confirm server joined domain

   1. Log back into server with \setupadmin
   2. Click on Windows Administrative Tools and Click on Active Directory Users and Computers
   3. Click on Name of domain -> Cloud -> Computers
   4. Click on Domain Controllers to view the domain controllers
   5. Add users or groups under the Cloud OU or groups under the Cloud OU

1. Copy scripts onto the windows server with either git or gsutil commands.

2. Create a random user list from a Bigquery public dataset containing US names by year and state

   $ find_users_bq.bat
   

3. Create Base OU for Users & Groups

   $ PowerShell -Command .\create_base_ou.ps1
   

4. Create Groups

   $ PowerShell -Command Copy-Item "groups.csv" -destination C:\Windows\temp\
   $ PowerShell -Command .\create_groups.ps1
   

5. Create Users

   $ PowerShell -Command .\create_users_bulk.ps1
   

6. Add all the users to ALLGCPUSERS groups

   $ PowerShell -Command .\add_users_to_group.ps1
   

7. Review Google Directory Sync Configuration instructions https://cloud.google.com/solutions/federating-gcp-with-active-directory-synchronizing-user-accounts

8. Helper ldap search rules for Users & Groups

   $ cat gdsc_ldap_rules_examples
   

9. Validate the sync, but don't apply

 # Destroy the windows infrastructure
 $ terraform destroy or Cloud build to destroy