This repository deploys a highly available Managed Active Directory domain and a Windows Compute Engine instance that is joined to the new Managed AD domain. It also includes PowerShell scripts to add users to the new domain and to validate a sync to Cloud Identity using Google Cloud Directory Sync (GCDS).

# Estimated cost

- Managed Active Directory domain: $0.40 per hour
- Windows GCE instance: estimated $119 per month

# Features

- Managed Active Directory - The Managed Active Directory domain is deployed with opinionated defaults for region, zone, and subnet for the domain controllers.
- Isolated Windows Compute instance - The Windows instance is deployed without a public IP, behind a NAT service, with firewall rules to limit access.
- Google Cloud Directory Sync simulation - The Windows instance can be used to simulate the GCDS sync.

# Prerequisites

- Terraform 0.13.x
- [terraform-provider-google](https://github.com/terraform-providers/terraform-provider-google) plugin 3.50
# Deployment

1. Change to the deployment directory:

   ```
   cd envs/development
   ```

2. Update `backend.tf` with an existing GCS bucket to store Terraform state:

   ```
   bucket = "UPDATE_ME"
   ```

3. Rename `terraform.example.tfvars` to `terraform.tfvars` and update the file with values from your environment:

   ```
   mv terraform.example.tfvars terraform.tfvars
   ```

4. Run `terraform init`.
5. Run `terraform plan` and review the output.
6. Run `terraform apply`.

Note: Managed Active Directory deployment can take up to 60 minutes.
# Deploy with Cloud Build (Cloud Foundation Toolkit)

1. Deploy the Bootstrap environment from the Cloud Foundation Toolkit.
2. Add `cloud_source_repos` to the `terraform.tfvars` file to build the `gcp-gcds` repo in 0-bootstrap:

   ```
   cloud_source_repos = ["gcp-org", "gcp-environments", "gcp-networks", "gcp-projects", "gcp-gcds"]
   ```

3. Run `terraform apply`.
4. Clone the empty `gcp-gcds` repo:

   ```
   gcloud source repos clone gcp-gcds --project=YOUR_CLOUD_BUILD_PROJECT_ID_FROM_0-bootstrap
   ```

5. Navigate into the repo and change to a non-production branch:

   ```
   cd gcp-gcds
   git checkout -b plan
   ```

6. Copy the development environment directory and the Cloud Build configuration files:

   ```
   cp -r ../gcp_managed_ad/envs .
   cp ../gcp_managed_ad/build/* .
   ```

7. Ensure the wrapper script can be executed:

   ```
   chmod 755 tf-wrapper.sh
   ```

8. Commit the changes:

   ```
   git add .
   git commit -m 'Your message'
   ```

9. Push your `plan` branch to trigger a plan. For this command, the branch `plan` is not a special one: any branch whose name differs from `development`, `non-production` or `production` will trigger a Terraform plan.

   ```
   git push --set-upstream origin plan
   ```

10. Review the plan output in your Cloud Build project: https://console.cloud.google.com/cloud-build/builds?project=YOUR_CLOUD_BUILD_PROJECT_ID
11. Merge changes to the production branch:

    ```
    git checkout -b development
    git push origin development
    ```

12. Review the apply output in your Cloud Build project: https://console.cloud.google.com/cloud-build/builds?project=YOUR_CLOUD_BUILD_PROJECT_ID
13. Destroy the new GCS bucket with the `gcloud builds` command:

    ```
    gcloud builds submit . --config=cloudbuild-tf-destroy.yaml --project <your_build_project_id> --substitutions=BRANCH_NAME="$(git branch 2> /dev/null | sed -e '/^[^*]/d' -e 's/* \(.*\)/\1/')",_ARTIFACT_BUCKET_NAME='Your Artifact GCS Bucket',_STATE_BUCKET_NAME=<Your Terraform state GCS bucket>,_DEFAULT_REGION='us-central1',_GAR_REPOSITORY='prj-tf-runners'
    ```
-
# Connect to the Windows server and join the domain

1. Start an Identity-Aware Proxy tunnel and start a remote desktop session:

   ```
   $ gcloud compute start-iap-tunnel <Name Of Windows Server> 3389 --local-host-port=localhost:3389 --zone=us-central1-b
   ```

2. Log in with local account credentials and reset the password in the UI or with the gcloud CLI:

   ```
   $ gcloud compute reset-windows-password <Name of Windows Server> --zone=us-central1-b
   ```

3. Add the server to the new Active Directory domain.

   Run the gcloud command to collect the domain admin password:

   ```
   $ gcloud active-directory domains reset-admin-password
   ```

   Open a PowerShell session running as Administrator:

   ```
   $ $domainname = read-host -Prompt "Please enter a domainname"
   $ Add-Computer -DomainName $domainname -Credential $domainname\setupadmin -Restart -Force
   ```

   Enter the domain password when prompted.

4. Confirm the server joined the domain:
   - Log back into the server with `\setupadmin`
   - Click on Windows Administrative Tools, then on Active Directory Users and Computers
   - Click on the name of the domain -> Cloud -> Computers
   - Click on Domain Controllers to view the domain controllers
   - Add users or groups under the Cloud OU
-
# Populate the domain with users and groups

1. Copy the scripts onto the Windows server with either git or gsutil commands.
2. Create a random user list from a BigQuery public dataset containing US names by year and state:

   ```
   $ find_users_bq.bat
   ```

3. Create the base OU for users and groups:

   ```
   $ PowerShell -Command .\create_base_ou.ps1
   ```

4. Create groups:

   ```
   $ PowerShell -Command Copy-Item "groups.csv" -destination C:\Windows\temp\
   $ PowerShell -Command .\create_groups.ps1
   ```

5. Create users:

   ```
   $ PowerShell -Command .\create_users_bulk.ps1
   ```

6. Add all the users to the ALLGCPUSERS group:

   ```
   $ PowerShell -Command .\add_users_to_group.ps1
   ```
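The four scripts above are not shown on this page. The following is an added example, not one of the repository's own scripts, that performs the same sequence (base OUs, groups, users, group membership) in one idempotent pass so the result can be re-run safely. It assumes an elevated PowerShell session on the domain-joined instance, the RSAT `ActiveDirectory` module, and the Managed AD delegated admin account; the OU names, group names and the embedded sample users are constructed for the example.

```powershell
# Added example (not the repository's create_base_ou.ps1 / create_groups.ps1 /
# create_users_bulk.ps1 / add_users_to_group.ps1): builds the same objects in one run.
# Assumptions: run as the Managed AD delegated admin (setupadmin) on the domain-joined
# instance; OU names, group names and sample users below are constructed.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$cloudOu  = "OU=Cloud,$($domain.DistinguishedName)"   # the OU Managed AD delegates to you
$usersOu  = "OU=Users,$cloudOu"
$groupsOu = "OU=Groups,$cloudOu"

# 1. Base OUs for users and groups; skipped when they already exist.
foreach ($ou in @(@{ Name = 'Users'; Path = $cloudOu }, @{ Name = 'Groups'; Path = $cloudOu })) {
    $dn = "OU=$($ou.Name),$($ou.Path)"
    if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$dn'")) {
        New-ADOrganizationalUnit -Name $ou.Name -Path $ou.Path
    }
}

# 2. Groups. Each gets a mail attribute because GCDS maps groups to Cloud Identity by email.
$groups = @('ALLGCPUSERS', 'gcp-developers', 'gcp-billing-viewers')   # constructed, stands in for groups.csv
foreach ($g in $groups) {
    if (-not (Get-ADGroup -Filter "SamAccountName -eq '$g'")) {
        New-ADGroup -Name $g -SamAccountName $g -GroupScope Global -GroupCategory Security `
                    -Path $groupsOu -OtherAttributes @{ mail = "$g@$($domain.DNSRoot)" }
    }
}

# 3. Users from a CSV. Embedded here; the repo's script reads the list that find_users_bq.bat produces.
$usersCsv = @"
GivenName,Surname,SamAccountName
Alice,Example,alice.example
Bob,Example,bob.example
"@
foreach ($u in ($usersCsv | ConvertFrom-Csv)) {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$($u.SamAccountName)'")) {
        # Random initial password (24 random bytes, base64) that satisfies complexity;
        # the user must change it at first logon, so it never needs to be recorded.
        $bytes = New-Object byte[] 24
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
        $initial = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
        New-ADUser -Name "$($u.GivenName) $($u.Surname)" -GivenName $u.GivenName -Surname $u.Surname `
                   -SamAccountName $u.SamAccountName `
                   -UserPrincipalName "$($u.SamAccountName)@$($domain.DNSRoot)" `
                   -EmailAddress "$($u.SamAccountName)@$($domain.DNSRoot)" `
                   -Path $usersOu -AccountPassword $initial -ChangePasswordAtLogon $true -Enabled $true
    }
    # 4. Every user ends up in ALLGCPUSERS, the group the GCDS user rule later selects on.
    Add-ADGroupMember -Identity 'ALLGCPUSERS' -Members $u.SamAccountName
}
```

Everything is created under the Cloud OU because that is the only part of the directory a Managed AD delegated admin controls; the `mail` attribute is set on both users and groups up front since GCDS matches objects to Cloud Identity by email address.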
-
# Google Cloud Directory Sync

1. Review the Google Cloud Directory Sync configuration instructions: https://cloud.google.com/solutions/federating-gcp-with-active-directory-synchronizing-user-accounts
2. Helper LDAP search rules for users and groups:

   ```
   $ cat gdsc_ldap_rules_examples
   ```

3. Validate the sync, but don't apply it.
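Before running GCDS in simulation mode it helps to see, from the AD side, exactly which objects a user rule and a group rule would pick up. The following added example (not part of the repository, and the two LDAP filters are constructed rather than copied from `gdsc_ldap_rules_examples`) runs a typical pair of GCDS search rules against the domain with the same `ActiveDirectory` module and then reports any `ALLGCPUSERS` member that would be silently left out because it has no `mail` attribute.

```powershell
# Added example, not from the repository: preview what a GCDS user rule and group rule
# would select before running the real (or simulated) sync.
# Assumptions: the ALLGCPUSERS group and Cloud OU from the earlier steps exist; the
# LDAP filters are constructed examples, substitute the rules from your GCDS config.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$cloudOu = "OU=Cloud,$($domain.DistinguishedName)"
$groupDn = (Get-ADGroup -Identity 'ALLGCPUSERS').DistinguishedName

# User rule: enabled user objects with a mail attribute that are members of ALLGCPUSERS.
# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule; bit 2 of userAccountControl
# is ACCOUNTDISABLE, so the negated clause excludes disabled accounts.
$userFilter  = "(&(objectCategory=person)(objectClass=user)(mail=*)(memberOf=$groupDn)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
# Group rule: mail-enabled groups under the Cloud OU.
$groupFilter = "(&(objectCategory=group)(mail=*))"

$users  = @(Get-ADUser  -LDAPFilter $userFilter  -SearchBase $cloudOu -Properties mail)
$groups = @(Get-ADGroup -LDAPFilter $groupFilter -SearchBase $cloudOu -Properties mail)

"Users the user rule would sync: $($users.Count)"
$users  | Select-Object SamAccountName, mail | Format-Table -AutoSize
"Groups the group rule would sync: $($groups.Count)"
$groups | Select-Object SamAccountName, mail | Format-Table -AutoSize

# Caveat check: a member of ALLGCPUSERS with no mail attribute falls outside the user rule
# and never reaches Cloud Identity. Surface those before the sync rather than after it.
$missingMail = @(Get-ADGroupMember -Identity 'ALLGCPUSERS' |
                 Where-Object objectClass -eq 'user' |
                 Get-ADUser -Properties mail |
                 Where-Object { -not $_.mail })
if ($missingMail.Count -gt 0) {
    Write-Warning "$($missingMail.Count) member(s) of ALLGCPUSERS have no mail attribute and would not sync:"
    $missingMail | Select-Object SamAccountName | Format-Table -AutoSize
}
```

The counts printed here are what you should expect to see in the GCDS simulation report; a mismatch usually points at a search base or filter in the GCDS configuration that differs from the one used above.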
# Destroy the Windows infrastructure

Run `terraform destroy`, or use the Cloud Build destroy job:

```
$ terraform destroy
```