Best Practices for Extending On Premises Active Directory with Applications in GCP (Cloud Next '18)
Hey, everyone, welcome. Thank you for coming. Good to see we have nobody napping yet; I know it's an hour or so after lunch, so thanks so much for staying awake. To get you a little bit warmed up, I'll ask you a quick show of hands: how many of you are familiar with Active Directory? All right, great, so you're in the right session. Good to know it's pretty much the whole room, and for the three people who maybe didn't raise their hands, it's okay, there are many resources you can go check out later. The other question: how many of you have had some experience with Google Cloud Platform, getting a VM up, creating a network and doing some basic infrastructure as a service? Okay, so this is probably about half the room, and pretty much everyone has experience with AD. That's great, so you're in the right session. We're going to be talking about how you can extend your on-premises Active Directory to Google Cloud Platform. My name is Siddharth PI, I'm a product manager with Google Cloud. I focus on problems that work with identity and security. Very excited to talk to you today, and even more excited to have with me two very talented co-presenters.

Hi, I'm Ben Miller. I'm a systems administrator with Google; I work on the mergers and acquisitions infrastructure services team.

Hey, how are you guys doing? I'm Kenny Hill, I'm with Capital One Identity and Access Management. I focus on directories in the cloud.

Great, so we'll go ahead and get started. What I thought I'd start off with is honesty and an apology: I'm sorry, we're not going to cover the heated issue of whether we should call it on-premises or on-premise or on-prem; we will take that away to the evening hours. But two things in particular I'll leave you with today. One is, as the show of hands showed, a lot of you do have Active Directory deployed, so we understand that. And B is to leave you with some best practices and guidance on how you can extend the Active Directory investments you've already made onto the Google Cloud Platform.

So in particular, the things we will cover are: how you can use your on-premises directory, where you do your users and groups management, to get Identity and Access Management configured on GCP. We'll talk about some drivers and architecture choices for actually running AD on GCP itself. After that, we have two great case studies coming up of actual experiences of running AD on GCP, and we'll round it off with some best practices.

So the first thing that we're going to cover is how you can extend your on-premises Active Directory users and groups onto GCP for Identity and Access Management. This is probably the question I get asked most often over the last year or so, because a lot of you have put in that investment to have Active Directory all set up; your auditors are happy, the internal security team signed off, which is great; and now I'm getting started with GCP, so can I leverage those existing investments? And the answer is yes, and I'll show you how in the next two slides.

What's coming up is probably a fairly familiar topology to a lot of you. You probably have your users and groups in your on-premises Active Directory; they are sitting in your Active Directory domain controllers. And then, for a variety of reasons, several customers have either ADFS or Ping or Okta or any of these other federation products deployed, so you can take those on-premises users and get single sign-on to a variety of other relying parties or applications. And so the question is, when the application is Google Cloud Platform itself, how can you connect the two? So a canonical use case that comes up, as we often find, is customers where maybe somebody gets interested in BigQuery and wants to go ahead and set things up so that a certain group of users can go ahead and do things with BigQuery. So the way that you do it in GCP is via role-based authorization. So if you were a BigQuery admin, you could then go ahead and essentially do a variety of things with BigQuery. So how do you set it up?
I have the slide coming up; soak it in for a second. It's Google Cloud Identity. There are a lot of things on this slide, and it's a full identity-as-a-service product. I won't be going too deep into it today, but I did want you to know it has identity, it has policies, and very strong support for device management. But there are two features in particular which are all we need for the question we set out to answer, and those two features are: (a) it allows you to sync your users and groups from on-premises Active Directory onto a Google Cloud Identity domain; (b) you can set up your Google Cloud Identity domain to indicate that you'd like the authentication of those users to happen with your on-premises federation endpoint. And by going and using these two features, you can have your users and groups from on-premises Active Directory be used for BigQuery or any other IAM in GCP. So let's go ahead and take a look at that in this demo.

Okay, so as my screen comes up, what you're looking at should seem pretty familiar to a lot of you, given your experience with Active Directory. This is the Active Directory Administrative Center. Now, for the purpose of the demo I need to go ahead and re-establish my RDP. As it comes up, what you'll see is I have the Active Directory Administrative Center open in the on-premises environment. Great, so this should look familiar; it is your on-premises Active Directory. I have created an OU in here for GCP, which is currently blank. I'll go ahead and run a simple PowerShell script, and what the script has done is gone ahead and pre-created for you some users and groups. So as I refresh, I have three users in my on-premises Active Directory, Alice, Bob and Charlie, and I have a group, GCP Security Admins, which has Alice and Bob as its members. So this is what we have set up in an on-premises AD; it probably simulates a lot of deployments you have today. I now go ahead and switch on to a VM where I have Google Cloud Directory Sync set up.

What this is doing is it'll go ahead and take the users and groups from that OU and sync them up to a Google Cloud Identity domain. So one thing I should call out is, a lot of you, if you've been using GCP or G Suite in particular for a while, you may be familiar with the term Google domain, which is the same thing as a Google Cloud Identity domain. So I'll go ahead and sync these up. What this is doing is it's now pushing those users and groups into Google. So I'll switch my screens, and what you are now looking at is the admin console for Google Cloud Identity. So as I refresh my screen, the three users we just created, Alice, Bob and Charlie, are now available in the Google Cloud Identity domain. And as I go to the groups, you'll see the group GCP Security Admins is also available here. So I'll go ahead and take this group; it's now all come up from your on-premises AD into GCP. So what next? Now let's go back to the thing we were trying to do. To do that, I'll apply this group: you're now looking at the IAM page of a GCP project, and I'll go ahead and add a role. I'll give the users of this particular group, which we just synced in from your on-premises AD, the role of BigQuery Admin. And so as I go ahead and hit save, you now see that this group has BigQuery Admin IAM on this project. Now the interesting thing here, as we come back to our slides, is effectively that you have this set of groups, this set of users, who can be added in or out of your on-premises AD group and have the access changes reflected back on GCP IAM without needing to go ahead and do anything special in this IAM page. So as we come back to our slides, please, what you will notice is we will have two additional items coming up onto this IAM policy that I just showed you pretty soon. One is, you will be able to say to allow these users to only have access for a specific time window. So the one at the top is the policy which is set up, but down below is a special expression that will allow you to essentially have your group synced ahead of time and say only for that hour or only for that month are those users allowed to have access. And second is, you'll be able to further restrict it based on the source IPs that they're actually connecting from.

So that's the first part of the session, where we saw how you can use your on-premises AD extended onto GCP and use that for IAM. And this is where we come to an interesting transition, and it's a slightly tricky point to make, so I need your help.
Everything we looked at so far was having your on-premises AD extended onto GCP without requiring VPN, by syncing your users and groups into your GCP domain. What we now go and take a look at is, if you are trying to run Active Directory or AD-related apps on GCP, how do you go ahead and do that? And for this, we do not need Cloud Identity or a VPN to be set up for the things we are going to talk about next. So that's some pain.

So a lot of times when you need Active Directory in the cloud is if you are thinking of a migration project. So go ahead and soak in that visual for a second and I'll talk through it. So what you're seeing is you have an application that's talking to your on-premises Active Directory over a set of Active Directory protocols. Now, what are the cases when you may need Active Directory as you think of moving this app or the server onto GCP? So one very common use case is if you have gone ahead and domain-joined these applications onto Active Directory and you want to run them on Google Cloud Platform; so in that case they're looking for AD. In other cases, if the app does LDAP or Kerberos or Windows integrated auth, it's looking for a domain controller. The next set of things is if the app has logic for retrieving things that are stored in Active Directory itself; most often it's group-based membership, when the application houses the authorization logic in itself. Another time is if you had used an AD client-side library, for instance you had a .NET-based app, and if that was making any calls over to System.DirectoryServices, it would look to find a domain controller. And the last bit is, when you do go ahead and have your application migrated to the cloud, you have a choice to make, which is: do you still want your on-premise network to be on the critical path for each application authentication lookup, or would you rather have it scale in cloud, have low latency, and have the cloud application be independently and highly available? How do these choices end up manifesting in your architecture options? Let's take a look.

The first thing you can do in any of these cases is the simplest: just go ahead and set up your VPN or a Cloud Interconnect and have your Active Directory continue to reside on-premises. So this way it's pretty quick to configure, but you have higher latency for all your applications; every single request is going back to your on-premises network. So what do you do?

The second option you have is you can go ahead and choose to deploy read-only domain controllers onto Google Cloud. Now, the advantage in this case is it's a read-only replica of Active Directory, but those of you who have worked with it for a while will probably know that there are certain operations that are still being chained or referred back to your full domain controllers, which in this case would reside on-premises. So your app is still going back to your on-premises network for getting those done. In terms of a plus, this does not bring in everybody's credentials onto any cloud deployment, so you can have no users' passwords in the cloud by default; some of you may like that from a security perspective. And it also lets you have only a certain set of users' passwords replicated into that cloud AD deployment. On the other hand, the biggest challenge with RODCs is there are application compatibility things you should think about. So if you go and Google for RODC application compatibility, the first link gives you a list of apps that support RODCs or not, so that's something to factor in.

The next option is to go ahead and deploy your writable or regular domain controllers into cloud, and in this case you obviously have your Active Directory data available entirely on GCP. It's low latency, because your application is then going for all operations to the AD DC you just deployed there. However, the thing to keep in mind in both this as well as the previous configuration is, if you have multiple Active Directory domains, you may end up needing to deploy domain controllers for each of those domains into cloud. So if you had a merger and acquisition use case, or for any other reasons had 3 or 4 AD domains, it requires multiple domain controllers from each of those domains.

So to get around that, another thing you can do is set up a new Active Directory domain on Google Cloud Platform and use the Active Directory trust relationship model to establish a trust with your on-premise AD. And this does work well, because you effectively are able to have three or four different AD domains where your users are having their credentials stored and authentication happening; however, all your resources and applications which are running in the cloud can join or just work against the Active Directory domain which is now hosted fully within cloud.

Another thing you could think about when you think of moving to the cloud and having a hybrid deployment is to consider having a disaster recovery site on Google Cloud Platform. And so what the numbers you're seeing on the right effectively show is an example of AD site replication cost, which you could utilize to go ahead and have things set up so that your users and applications on-premises are usually not reaching back to the cloud, and only in the event of a failover will they come in and use the cloud DCs. So these are five options you have in terms of architecture, and by this point you're probably wondering which of these make sense for your specific use case. Now, to help answer that, I'm really excited to share with you the highlight of our segment today, which is the Ben and Kenny experience. They'll come up and share with you what it is that worked for them as they look to have AD running on GCP.

Hey guys. First I want to thank Sid and want to thank Ben for allowing me to come up here and share a little bit about Capital One's Google Cloud Active Directory journey. Hopefully there's time at the end for questions; if not, feel free to connect. Always really excited to hear what others are doing in the identity and directory space in the cloud. See the question up on the board or screen: why extend Active Directory to Google Cloud? There are many reasons. The main driver for us is resiliency and speed. Let me explain a little bit of what that means, and some
of the design inputs that went into some of our decisions. The four main areas we focused on with our domain controller design. First one, security. I'm going to gloss over that and skip it; not enough time for me to really dive deep. Ben is going to share some security practices. Next area for us is directory size. Since going onto the cloud we've had exponential growth in our directories, running at a 38 and 60 gig NTDS.dit. We have about 2.5 million objects in each directory, between 100,000 and 150,000 users, both users and group objects. Understanding directory size: there are many reasons for our growth. One of the main ones that I'm excited about is the development we've had on cloud platform of applications requiring role-based access. We've also kind of taken the concept of tags from cloud and we're writing more data to our directory. This allows us to correlate Active Directory objects with cloud things and utilize it in our provisioning system.

Next area is resiliency. The next is speed. As I was doing the slides for this, I realized the same inputs really went into both of them: to ensure Active Directory authentication and authorization is always available. Doesn't matter if it's a federated SAML, syndication, a Windows authentication, an LDAP application bind, a database authentication: the directory needs to be there. Same holds true when you're domain joining infrastructure and it wants to scale, so the directory needs to be there. So for us, going down interconnect or VPN, that wasn't really an option, as we want to, no matter the situation, ensure that we can scale applications. To create a seamless experience for applications when switching projects and regions: a developer, application team, DevOps team, no matter what you call them, they should not need to know anything about AD sites or maintain different URL mappings. We even have application teams that don't even know it's Active Directory on the backend; when they need help they ask where the LDAP team is. To provide the fastest domain join, directory replication and app experience possible: the key way to be successful in this bullet is keeping your traffic on Google Cloud. I'm not going to give exact time test metrics, you guys; I highly recommend testing this yourself. In a world where every millisecond counts, it's important to ensure that traffic stays on the most optimal path, and this is probably one of the biggest reasons we build domain controllers on Compute Engine. To quickly rehydrate and be able to increase AD capacity: at Capital One we rebuild all infrastructure every 45 to 60 days maximum. Domain controllers are no exception to that rule; they get rebuilt. We call this rehydrate, so we are constantly rebuilding our domain controllers. That's why directory sizes are up there. Need to understand your build times; it's important to know exactly how long it's going to take to build domain controllers. Even if using the install-from-media file (the day you back up the database, you back up just this file, and you import it), if you have quite a few objects, the domain promote process is still going to do like a checksum, I don't know the correct term for it, but of every object, and that's where the lag is going to happen. So understanding your directory size and the speed that you can build domain controllers is going to help you determine: is your directory small enough, are you able to auto scale (if so, I'm jealous), or are you going to have to run it a little bit over your monitoring high peaks, meaning you're running a little bit over capacity at all times, or do you keep a reserve pool of live domain controllers running on smaller instances in a reserved AD site and utilize scaling technology to kind of bring them in and out as you need them?

Next I'm going to show you a few of the high-level design decisions. In a typical traditional AD site topology for on-premise, you usually have a single AD site or two per data center. Each of these AD sites is usually going to have some sort of single point of failure, whether it's power, network, shared storage or other. In our Google Cloud model, we put domain controllers in every zone available in each region we deploy. This is essentially treating the whole region as a single AD site. This provides a more resilient topology. In the on-premise model it's hard to test: you can manage your sites and services and your costs for the next closest site, and there can be errors in it. You can shut down network to a data center and you can know that everything's authenticating and authorizations are occurring, but do you know exactly where all that's going? In this model in cloud, you know it's just staying in the same site. This also ensures that any applications that utilize the DC locator process are going to pick a domain controller in the AD site in region, staying on Google Cloud as their primary. For applications that cannot utilize DC locator, we utilize an LDAP load balancer.

Our configuration for the load balancer: LDAPS 636 and Global Catalog secure 3269 coming into the load balancer. This ensures that all traffic outside of the project is secure. We then terminate at the load balancer to regular 389 and 3268, and point at domain controllers across multiple zones. Realize the Global Catalog secure port is for applications which chase referrals. Many Java-based applications chase referrals, and sometimes you have COTS products deployed in which you cannot disable it. If you're not familiar with chase referrals, it's when you point an application to a domain controller and, instead of utilizing that domain controller, it pulls back all the A records, randomizes them per the client, and then just picks a random one. If you utilize the Global Catalog port, it disables referral chasing. We're predominantly a Linux shop, which does not have the DC locator process by default without third-party products. There are also many applications which are not AD-site aware that cannot utilize the load balancer, or even some of the horrible applications that you have to point directly to a domain controller. An example of one of those applications you'd point directly at the domain controller is something that needs to read and write almost simultaneously, like your identity and lifecycle management application or a provisioning application, where if it doesn't read and write at the same one you could have collisions. We utilize a rootDSE query, so an LDAPS rootDSE query to the load balancer, returning the DNS hostname. The applications can utilize this; they can put it in a script or a job to ensure their configuration is always pointing at a live domain controller. Even if we're rebuilding or rehydrating our domain controllers, if they have this job set up they'll know they always have a live domain controller. As I mentioned, it is extremely
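The rootDSE trick described above, written out as an added example (editor's code, not from the talk or from Capital One): an LDAPS connection to the load balancer reads the rootDSE of whichever domain controller the balancer handed out, and the script only accepts it once the DC reports itself synchronized, so a job that pins a provisioning application to a single writable DC never lands on one that is still being rehydrated. The load balancer name is a placeholder, and the retry count and timeouts are assumptions.

```powershell
# Added example (not from the talk): ask the LDAPS load balancer's rootDSE which
# domain controller is actually behind this connection, so an app that must pin
# one writable DC can pick a live, synchronized one at run time instead of
# hard-coding a hostname. The load balancer name below is a placeholder.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Get-LiveDomainController {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$LdapLoadBalancer,   # e.g. ldap.corp.example.internal (placeholder)
        [ValidateSet(636, 3269)][int]$Port = 636,          # 636 = LDAPS, 3269 = Global Catalog over TLS
        [int]$MaxAttempts = 5,
        [int]$TimeoutSec = 5
    )
    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        $ident = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new(
            $LdapLoadBalancer, $Port, $false, $false)
        $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($ident)
        try {
            $conn.SessionOptions.SecureSocketLayer = $true   # TLS from the first byte, matching the LB front end
            $conn.SessionOptions.ProtocolVersion  = 3
            $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous  # rootDSE needs no bind identity
            $conn.Timeout  = [timespan]::FromSeconds($TimeoutSec)
            # Deliberately no VerifyServerCertificate override: the LB certificate is
            # validated against the machine trust store. Returning $true from such a
            # callback would make LDAPS encryption to whoever answers on 636.
            $conn.Bind()

            # A base-scope search with an empty DN is the rootDSE read.
            $req = [System.DirectoryServices.Protocols.SearchRequest]::new(
                '', '(objectClass=*)',
                [System.DirectoryServices.Protocols.SearchScope]::Base,
                @('dnsHostName', 'isSynchronized', 'isGlobalCatalogReady'))
            $entry = $conn.SendRequest($req).Entries[0]

            $dc = [pscustomobject]@{
                DnsHostName          = $entry.Attributes['dnsHostName'].GetValues([string])[0]
                IsSynchronized       = $entry.Attributes['isSynchronized'].GetValues([string])[0] -eq 'TRUE'
                IsGlobalCatalogReady = $entry.Attributes['isGlobalCatalogReady'].GetValues([string])[0] -eq 'TRUE'
            }
            # A freshly rehydrated DC answers LDAP before its initial replication has
            # finished; don't hand that one to a provisioning system.
            if ($dc.IsSynchronized -and ($Port -ne 3269 -or $dc.IsGlobalCatalogReady)) {
                return $dc
            }
            Write-Verbose "Attempt ${attempt}: $($dc.DnsHostName) not ready yet, asking the load balancer again"
        }
        catch [System.DirectoryServices.Protocols.LdapException] {
            Write-Verbose "Attempt $attempt failed: $($_.Exception.Message)"
        }
        finally {
            $conn.Dispose()
        }
        Start-Sleep -Seconds 2
    }
    throw "No synchronized domain controller reachable through $LdapLoadBalancer on port $Port after $MaxAttempts attempts"
}

# Usage: run from a scheduled job and rewrite the application's LDAP host setting
# with the result, so a rehydrate cycle never leaves the app pointing at a dead DC.
$dc = Get-LiveDomainController -LdapLoadBalancer 'ldap.corp.example.internal' -Verbose
"ldaps://$($dc.DnsHostName):636"
```

Two things are worth keeping when adapting this: the anonymous bind is fine because rootDSE is readable without authentication and nothing sensitive is returned, and the certificate check is the whole point of going through 636 rather than 389; if the balancer presents a certificate the client does not trust, fix the trust store rather than suppressing validation.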
important to ensure we are replicating Active Directory data as fast as possible. In this model, if we were to fail over to another region, applications need to be able to read the same data that they read in one region in another one. It also allows us to more effectively get to a just-in-time access model and enhance our privileged access password rotation. The legacy replication strategy was designed more than 18 years ago, when network was slow and also very expensive. We choose to utilize a full mesh replication with change notification strategy. Change notification treats replication on the site link the same as it would intra-site. On the diagram I'm showing up there, we are replicating from site to site, on-premise to all of our Google regions, and then we do as-fast-as-we-can replication between the sites.

To close out, a couple more lessons that we've learned along the way. Limit your use of Group Policy objects; there are many more cloud-friendly configuration management solutions out there. Ben's going to actually show you one that's available for free that works. You can also harden your image build: stack all your configuration settings in your image, and that's another approach. Managing group policy deviations and exceptions in a cloud model is not operationally efficient for the directory support teams or the application teams: the application teams are going to need to script moving the objects or adding to a security filter group, which means they need credentials, which means they have to also have a secured password. So we don't take that approach; we only deploy GPO for high-level settings which there's no way we're going to reverse.

Monitor and log everything, even if you're not going to utilize the data immediately; you will want it later. There are many other services besides Compute Engine which can enhance directory services in the cloud, so you will want this historical data when you're building out tools and applications on Google Cloud Platform. Automate your domain controller build; I already mentioned this one, it's worth repeating. Ensure your build process for domain controllers is efficient and you're able to quickly add capacity. Domain controllers are in a different category of core services than regular applications; the domain controllers need to be there before the applications need to consume them. Another thing is, AD, as those of you who are very familiar with it know, is extremely chatty; wait until you put it in the cloud. When teams are auto-scaling, they're spinning up a thousand instances at a time and pulling them down; AD is going to be chattier. So being able to add capacity really quick is important. Last thing I'll leave you with: at Capital One we do not troubleshoot isolated domain controller issues in the cloud. We will give it one reboot; if that issue persists, the domain controller comes out, we bring another one in. Thank you guys for sitting and listening to me. Thank you, Sid.

That was actually a very, very interesting set of, you know, experiences. You heard Capital One talk about how they're running Active Directory in production on GCP at a fairly large size. The two angles in particular that stood out for me were: one is, even when you're looking to run something like Active Directory, which is a very core Windows Server workload, trying to do LDAP by leveraging Cloud DNS and Cloud Load Balancing; it was interesting to see how they designed the LDAP load balancer. That's definitely something; things like this, as you head out and explore moving to the cloud, are interesting ideas to try. The
second was the message that we were left with, which is you should go ahead and look to automate your domain controller creation, the domain controller build process, and that's actually a great point. And I'm excited to call upon Ben, who's going to come in and share with us more about what it is that Alphabet does when it also deploys domain controllers in production, and how it has automated DC build. Welcome, Ben.

Hi. As I mentioned a bit ago, I work on Google's M&A infrastructure services team. I work with a group of talented systems administrators in Colorado and California that built and operate the project that I'm going to be talking about today. One of the things that our team does is to build and maintain core IT infrastructure for an array of acquisitions and partnerships. To make this happen, we rely heavily on code and automation. Our project, Gecko, is code-driven managed IT infrastructure for Alphabet entities and acquisitions, deployed in Google Cloud. The problem that we set out to solve was consistent management of many unrelated Active Directory domains, rather than a single large forest as Kenny was describing. With a fairly small team, we manage services like Active Directory, DNS, DHCP, NPS and RADIUS for many small to medium-sized environments. In order to accomplish this, we put tremendous focus on using the DevOps approach of infrastructure as code: using code and automation to deploy and maintain these environments, and minimizing manual changes.

So I'd like to share some of the key design goals that informed the design of Gecko, and I'd propose that these are goals that most of you would share if you're building out domain infrastructure in Google Cloud. I'll give you some examples of how we got to where we are, but just understand there are many other ways to achieve the same goals. So let me break each one of these down.

First, it's important to limit access to the GCP projects that contain your domain infrastructure. Protecting your domain controllers from malicious or accidental action is critical to the security of these environments, so we build domain infrastructure in isolated GCP projects. Having ownership or instance admin roles in GCE means having tremendous power over the instances that run in those projects. For example, depending on your IAM roles in the project, you can create or delete instances, you can access their logs, create new Windows accounts, and change passwords on those machines. So we use role accounts and custom IAM grants to give just the access needed to resources in our projects. We only allow folks that are domain admins in the environment to become instance admins in the projects that they run in. We carefully consider the consequences of granting even lesser access to compute resources in the projects that contain these domain controllers. Approach every Cloud IAM grant by asking yourself: can someone use this access to escalate their privileges in the domain? Will this grant let someone modify instance metadata or access sensitive logs? So, okay, now we've built our domain controllers in an isolated project. Fantastic: they're running perfectly smoothly, nothing's going wrong, they're under glass and nobody can talk to them. So what do we do next?

First, we use instance tags to define VPC firewall rules that control the flow of network traffic within our project. This ensures that we know where all of our traffic is coming from and where it is going to. Once these rules are in place, we can establish network connections to our customers, cloud and on-premise. We want our infrastructure to be available and performant, so we do a couple of things: we co-locate our instances in the same GCP zones that our customer projects run in, and then we use cloud VPC peering to create fast connections between the virtual private cloud networks of these projects. Finally, we interact with on-prem networks via Cloud VPN, again placing our compute instances in cloud regions that are close to those networks.

Our next design goal was to automate provisioning and to implement source-controlled configuration management. Infrastructure as code is key to scaling IT as a service, but we're not just concerned with shaving down provisioning time. By centralizing our code and config in source repositories, we can force all changes to go through peer review and a suite of tests. With sufficiently proven provisioning and configuration automation, you might choose to build new instances rather than applying updates to existing ones. As Kenny described, you can bring new instances online and ensure they are operating correctly before bringing your existing capacity offline. And with Gecko, our instance provisioning automation is built around getting our configuration management in place as early as possible and making sure that it stays in control. So we automate deployment of new domain controllers and other instance types using a couple of stages.

So for the first stage of our instance build, we take advantage of the sysprep specialize stage of Windows installation to inject our build artifacts onto the machine. This is possible thanks to the GCE agent that runs in the stock GCE image that we build our instances from; it will look for a script configured in the project or instance metadata and then it will run that script. All we're doing in this initial stage is to download build artifacts from a canonical source. So here I've highlighted a very short PowerShell script which I'm storing as a value in a hash table, and when I pass the hash table to the command below, the key-value pairs in the hash table become instance metadata. So when I provision the machine, the GCE agent will go looking for the specialize script in metadata, and upon finding it, it will execute it. As I said, all this particular script is doing is copying instance build artifacts from GCS. Now, I could instead be using a Git repository, or I could be using a package repository, or something else. The important thing is that all of the build artifacts that I'm using are coming from a vetted source. Everything I'm using to build this instance should be centrally stored; everything that I'm using to build this instance should be peer-reviewed, or should be built by something that was itself peer-reviewed.

After the sysprep specialize stage completes and the instance reboots, our second-stage script is triggered. This script will install configuration management prerequisites, initialize the configuration management system, and then shepherd it through its first run of config management to make sure that it completes successfully. For our domain controllers we use PowerShell Desired State Configuration as our configuration management system. So here I've given you an example of the DSC configuration required to create a brand-new domain controller on a Windows Server Core machine. That's really about it: the WindowsFeature DSC resource ensures that the AD Domain Services feature is installed, and the xADDomain resource handles the creation of the domain. In a production environment you're going to see a lot of additional code and configuration to handle things like credential management and testing and other things that are specific to your environment, but this really is all there is to creating a new domain using PowerShell DSC.

Speaking of credential management, the final thing I wanted to touch on was protecting your secrets. Building domain infrastructure necessitates handling some very important credentials, including those needed to create a new domain controller or a new domain entirely. Everyone at some point is going to be tempted to put a password in the script. We've all been around the block: don't do it. Don't use plain text; don't just use obfuscation; ROT13 is not encryption. Really encrypt your secrets. Store them in a place where you will have an audit trail every time they are accessed. Have sufficient logging in place to know when those credentials are used anywhere in your environment. So there are a lot of ways to protect your credentials, but I wanted to show you a pretty simple example that's enabled by Cloud Key Management Service, or Cloud KMS. Cloud KMS allows you to encrypt and decrypt secrets based on Cloud IAM access grants, so I can have one set of accounts that has permissions just to encrypt secrets, and then I can have another set of accounts that just has permission to decrypt secrets. Here I'm using a very simple gcloud command to encrypt a plaintext string and store the result in a file; then I'm uploading that file to Google Cloud Storage. And when I need to use this very secure password to join my domain controller to my domain, the code can retrieve the encrypted file from GCS, decrypt the secret, and inject it into my configuration management without the plaintext password ever landing on disk.

Now we could, if you imagine, just take things a step further and build a process where no human ever has to know what certain passwords are. So you can imagine having a process to generate a new random password as part of an automated provisioning process. So let's say that I have a password for a break-glass administrative account. The right service account in the right place will be able to access the secret in order to set the password for the break-glass account, but no human will ever have to know what this is. If on-call uses Cloud KMS to decrypt the secret, I'll know about it thanks to my audit logs, and the same process can be triggered again to automatically rotate the password.

So in summary, when building domain infrastructure in GCP, you should carefully consider these aspects of your design: limiting access to just what is needed and isolating your domain infrastructure, automating your provisioning and deployment and using configuration management, and protecting
Your Critical secrets thank, you very much I'll hand the rest of the time back to Sid. Thank. You Ben so much for joining, us the two key takeaways, I think from this segment for me where one, is like sort of an operational, step-by-step. Of how can you actually automate, BC build using, tooling, which is hopefully familiar to a lot of you have been working with IDI for a while second. Was you saw Ben talk about what's a good way to go ahead and protect secrets in the cloud in this case for the Active Directory use case but using cloud kms, and GCS. During the encrypted secret, it's something you can extend for other applications, you do with GC p2, as. We go into the sort of final section of the talk I wanted to go ahead and touch upon and bring together some of these best practices, to, solve it 50 not a complete list you've heard some very great pearls of wisdom from, both Ben and Kenny but, thought I'd leave you with a few things to keep in mind as you, start thinking about running Active, Directory or, extending. It to Google Cloud. The. First set of things is around Active, Directory design, so, one of the things you should think about as you move to cloud is there, is no reason to not be high, available. So, for domain controllers, always, have at least 2 DC's one in each zone. Second. When you think about your Active, Directory site, topology, you. Have two options one is you can pick a simple option which is you create a single, Active Directory site for all of GCP and using. The power of our multi regional VPC, effectively. Able to have that work well it's a quick way to get started. Second. You heard Kenny described especially, as you move towards more performant, applications to. Have one, site per region and what, this will do is for, any of the applications, or servers you have running in that region they will always go to the fat closest, domain controller and still see low latencies. In. 
Terms, of connectivity back to on-premises, there's networking, options cloud, VPN, cloud interconnect, you're welcome to go study those more and see which one works well for you that's, because a lot of Active Directory operations. Require. Non internet, like private network line-of-sight, connectivity, between domain, controllers, as many of you are probably aware. The. Last part is for any applications. Or servers you choose to move to GCP and you do have one or more ad sites on DCP, placing. Them in the same Active Directory site, will, lead to the right type of things happening which should keep your DNS and AD operations, working, well finding, the closest TC. From. A operations. And security angle a few things to keep in mind one. Is there's obviously, a plethora of choices when you come to cloud for running compute you ever see one to make just like you would if you were purchasing hardware to. Run your domain controllers make the right type of choices. Preemptable. VMs may be cool but probably not a good idea fronting, ad domain controllers, you. Wanna think about static, IPs and things like that in. Terms of G cpi-m permissions, you saw that. Being something we covered in the last two case studies but I did want to hone in the point here's. Something to keep in mind if. You have a, domain. Controller running in a VM on compute. Anybody. Who has compute, instance, admin on that DCP project, can, go right click reset, windows password. And effectively, elevate, themselves to a domain admin now. Just like you wouldn't very loosely put your Active Directory on-premises.
Domain Controllers, in physical, environments, you didn't fully trust when, it comes to managing it in the cloud especially, in DCP you want to be mindful of which, type of I am permissions, you have on those projects, in. Particular, anybody, with set, I am policy, is able to set iron permissions, on that GCP project, and give, themselves or other variety, of I am roles so it's generally, a good hygiene to keep in mind but especially when you're running domain controllers, be mindful of that. Second. We have a resource hierarchy, within GCP which is beyond the scope of this talk today but, to give you an idea you can have projects, which are inside of folders which, are inside of organizations and, so, there is an inheritance, model of iron permissions there too so I see several of you nodding I won't go into more detail but something, to study and keep in mind as you're thinking of running ad. Lastly. If you wish to have more isolation, for ad you can always set up a bastion active, directory project it is more things that you'd have to configure but did won't you don't that is an option for high-security cases. You, can then still use VPC, peering and shared VP C's to, have all your domain controllers in that project but have your servers. And applications and, other projects, that can still reach those domain controllers. Lastly. There, is a session later this week I have a link in a couple of slides which, will talk about how you can use hardened, security, on Google cloud platform for, all of your sensitive or closed including ad so, I encourage you to find out more about that and look to leverage that. So. Fall of this is sounding interesting, to you and you wanna get started I wanted to do leave you with just a few quick slides of examples. Of things you can do one. Is we have a Google cloud solution, that talks you through step by step how you can get your highly, available Active, Directory domain, up on GCP and have. 
A slide with all the links in a minute if you want to take a photo of that, second. This you can also choose to extend an existing ad domain onto GCP so there's a whitepaper phase, 3 of the swipe paper talks about Active Directory considerations. There. Is a click to deploy if you wanted to go ahead and just get a any domain spun up and start playing with an experimenting, with that we have that something you can go ahead and love, and. A, lot of what you've heard today is focused around two themes one is having high available, multi-regional. Active Directory on GCP and B, has been around, specifically. Automating, domain controller. Creation. And so for that I'm actually excited. To share with you what I Toby has done so I do peer I topia, excuse me as a partner who we've been working with for the last several months they. Have a very, interesting set of things they're announcing right now at next in particular, the ability to extend an existing Active. Directory domain, and the. Ability to have multiple sites, one, site per region similar, to how you heard Kenny advice and talk about how they're doing it in Capital One they, have a boot down below if you want to go and get automated, support for everything that you've heard about today encourage. You to go check them out. So. Here are some links if you wanted to go back and play with that one order thank you all for coming and please. Let us know if there's more we can do in GCP to help support these use cases thank, you so much. You.
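The second-stage build script Ben describes, pulled together as one added example (this is not the speaker's, Google's or Capital One's code): it installs the DSC prerequisites from the vetted artifact bundle, fetches two ciphertexts from GCS and decrypts them with Cloud KMS without the plaintext landing on disk, compiles the WindowsFeature plus xADDomain configuration with the credentials encrypted to a node-local certificate, and shepherds the first DSC run. The C:\build path and module layout, the bucket gs://example-secrets, the key ring dc-build, the key dc-secrets, the location us-central1 and the domain example.corp are placeholders assumed for the example; the stage-1 sysprep-specialize script is assumed to have already copied the bundle into C:\build.

```powershell
# Stage-2 script for a brand-new forest on a GCE Windows Server Core instance.
# Added example, not the talk's or Google's code. Assumptions (all placeholders):
#   - stage 1 already copied the vetted artifact bundle, including the
#     xActiveDirectory DSC module, into C:\build
#   - the instance service account holds roles/cloudkms.cryptoKeyDecrypter on the
#     key 'dc-secrets' (key ring 'dc-build', 'us-central1') and can read the bucket
#   - the forest 'example.corp' does not exist yet
$ErrorActionPreference = 'Stop'
$Build = 'C:\build'

Configuration NewForestDomainController {
    param(
        [Parameter(Mandatory)] [string]       $DomainName,
        [Parameter(Mandatory)] [PSCredential] $DomainAdminCredential,
        [Parameter(Mandatory)] [PSCredential] $SafeModeCredential
    )
    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Import-DscResource -ModuleName xActiveDirectory

    Node 'localhost' {
        # LCM settings: decrypt MOF credentials with the node certificate and resume
        # after the reboot that promotion forces, so the first run finishes unattended.
        LocalConfigurationManager {
            CertificateID      = $Node.Thumbprint
            RebootNodeIfNeeded = $true
            ActionAfterReboot  = 'ContinueConfiguration'
            ConfigurationMode  = 'ApplyAndMonitor'
        }
        WindowsFeature ADDS {
            Name   = 'AD-Domain-Services'
            Ensure = 'Present'
        }
        xADDomain Forest {
            DomainName                    = $DomainName
            DomainAdministratorCredential = $DomainAdminCredential
            SafemodeAdministratorPassword = $SafeModeCredential
            DatabasePath                  = 'C:\NTDS'
            LogPath                       = 'C:\NTDS'
            SysvolPath                    = 'C:\SYSVOL'
            DependsOn                     = '[WindowsFeature]ADDS'
        }
    }
}

function Get-KmsSecretCredential {
    # Copy the ciphertext from GCS, decrypt it with Cloud KMS straight to stdout and
    # wrap it in a PSCredential. Only ciphertext touches disk; the plaintext stays in memory.
    param(
        [Parameter(Mandatory)] [string] $UserName,
        [Parameter(Mandatory)] [string] $GcsUri,
        [Parameter(Mandatory)] [string] $KeyRing,
        [Parameter(Mandatory)] [string] $Key,
        [Parameter(Mandatory)] [string] $Location
    )
    $cipherFile = Join-Path $env:TEMP ([IO.Path]::GetRandomFileName())
    try {
        & gsutil -q cp $GcsUri $cipherFile
        if ($LASTEXITCODE -ne 0) { throw "gsutil cp of $GcsUri failed" }
        $plain = (& gcloud kms decrypt --ciphertext-file $cipherFile --plaintext-file - `
                    --keyring $KeyRing --key $Key --location $Location | Out-String).TrimEnd("`r", "`n")
        if ($LASTEXITCODE -ne 0 -or [string]::IsNullOrEmpty($plain)) { throw "Cloud KMS decrypt of $GcsUri failed" }
        $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
        [PSCredential]::new($UserName, $secure)
    } finally {
        Remove-Item $cipherFile -Force -ErrorAction SilentlyContinue
    }
}

# 1. Prerequisites come from the peer-reviewed bundle, not from a public gallery.
Copy-Item -Recurse -Force (Join-Path $Build 'modules\xActiveDirectory') "$env:ProgramFiles\WindowsPowerShell\Modules\"

# 2. A node-local document-encryption certificate so the compiled MOF never holds a plaintext password.
$cert     = New-SelfSignedCertificate -Type DocumentEncryptionCertLegacyCsp -DnsName 'DscEncryption' `
                -HashAlgorithm SHA256 -CertStoreLocation 'Cert:\LocalMachine\My'
$certFile = Join-Path $env:TEMP 'dsc-public.cer'
Export-Certificate -Cert $cert -FilePath $certFile | Out-Null

# 3. Secrets are decrypted just in time under the service account's IAM grant.
$kms      = @{ KeyRing = 'dc-build'; Key = 'dc-secrets'; Location = 'us-central1' }
$safeMode = Get-KmsSecretCredential -UserName 'SafeMode'      -GcsUri 'gs://example-secrets/dc/safemode.enc'    @kms
$admin    = Get-KmsSecretCredential -UserName 'Administrator' -GcsUri 'gs://example-secrets/dc/domainadmin.enc' @kms

# 4. Compile with credentials encrypted to the certificate, point the LCM at it, and apply.
$configData = @{ AllNodes = @(@{ NodeName = 'localhost'; CertificateFile = $certFile; Thumbprint = $cert.Thumbprint }) }
$mofDir = Join-Path $env:TEMP 'dsc'
NewForestDomainController -DomainName 'example.corp' -DomainAdminCredential $admin -SafeModeCredential $safeMode `
                          -ConfigurationData $configData -OutputPath $mofDir | Out-Null
Set-DscLocalConfigurationManager -Path $mofDir
Start-DscConfiguration -Path $mofDir -Wait -Force -Verbose
# Promotion reboots the node and the LCM resumes; a Test-DscConfiguration -Detailed run
# after the reboot (for example from a scheduled task) shows whether the first run converged.
```

The encrypt side is the same `gcloud kms encrypt --plaintext-file ... --ciphertext-file ...` Ben shows, run by an account holding only `roles/cloudkms.cryptoKeyEncrypter`, while the instance's service account gets only `roles/cloudkms.cryptoKeyDecrypter`. For the audit trail he relies on, enable Data Access audit logging for Cloud KMS in that project, since Decrypt is a data-access operation and those logs are not on by default.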