Google Managed Service for Microsoft Active Directory Reaches General Availability
Most Windows sysadmins will be familiar with Microsoft’s Azure Active Directory (AAD). AAD is an identity management product for cloud-based apps that optionally integrates with on-premises Windows Server Active Directory (AD).
Office 365 uses AAD for identity and authentication of users. But organizations can also leverage AAD for managing access to line-of-business cloud apps.
Azure Active Directory vs. Azure Active Directory Domain Services
AAD was developed specifically for cloud-first apps. It isn’t just a version of Windows Server AD that was lifted and shifted to Azure. If you want to run Windows Server AD in the cloud, you can either install Active Directory domain controllers (DC) in virtual machines (VM) or use Azure Active Directory Domain Services (AD DS).
Azure AD DS provides many of the features of on-premises AD in the cloud without you needing to manage VMs, Windows Server, and AD. Azure AD DS lets organizations shift apps that rely on Windows Server AD to the cloud. Azure AD DS is based on Windows Server AD, so it ensures compatibility for enterprise on-premises apps when they are moved to the cloud.
For more information on how to set up and configure Azure Active Directory Domain Services, check out How to Configure Azure Active Directory Domain Services – Part 1 and How to Configure Azure Active Directory Domain Services – Part 2 on Petri.
Google Managed Service for Microsoft Active Directory
Azure AD DS reached general availability in 2016. But now Google is stepping up its game. Google announced February 20th that it has released its own solution called Managed Service for Microsoft Active Directory (MSMAD).
Google says that its service is a ‘highly available, hardened service running actual Microsoft® Active Directory’. Much like Azure AD DS, MSMAD offers compatibility with AD-dependent applications.
Organizations can use MSMAD to ‘lift and shift’ on-premises apps to the cloud. Standard AD features, like Group Policy and the Remote Server Administration Tools (RSAT) can be used to manage domains.
As a managed service, MSMAD is virtually maintenance free. You don’t need to worry about patching Windows Server or managing virtual machines. Google says that MSMAD supports multi-region deployment.
You can choose to deploy the service in a specific region to service apps in the same or different regions. Alternatively, you can extend the service to additional regions and still use one managed AD domain.
Google says that organizations can connect on-premises AD to MSMAD or create standalone domains in the cloud. If you are deploying Windows VMs in Google Cloud, you can use MSMAD to automatically join them to AD and harden them using Group Policy.
Google Cloud vs Microsoft Azure for AD apps
Both Google MSMAD and Azure AD DS are managed services. So, there are some restrictions to what you can do when you connect to and manage Active Directory in the cloud.
Google Managed Service for Microsoft Active Directory restrictions
The FAQ section of Google’s documentation provides some information on the limitations of the service:
- No Domain Administrator or Enterprise Administrator rights.
- The default admin user has enough rights to perform important AD tasks, like creating users and groups.
- The default Cloud and Cloud Service Objects Organizational Units (OU) are the only ones that can be managed.
- There is no direct access to domain controller event logs.
- You cannot extend the Managed Microsoft AD schema. But Managed Microsoft AD can be used with an existing AD domain that has an extended schema.
Azure Active Directory Domain Services restrictions
The most notable restrictions of Azure AD DS are that LDAP binds can be read-only. LDAP cannot be used to write or modify the directory. LDAP is an open, industry-standard protocol used for accessing directory services on Internet Protocol (IP) networks.
Additionally, schema extensions are not supported. So, apps that rely on modifying the AD schema won’t work with Azure AD DS. Here is a list of privileges missing from Azure AD DS:
- Extend the schema of the managed domain.
- Connect to domain controllers for the managed domain using Remote Desktop.
- Add domain controllers to the managed domain.
- You don’t have Domain Administrator or Enterprise Administrator privileges for the managed domain.
Moving enterprise apps to Google Cloud just got easier
If you are already invested in Google Cloud and have apps that rely on AD, then Managed Service for Microsoft Active Directory is a welcome addition to Google’s cloud lineup. MSMAD will make it simpler for enterprises to move more apps to Google Cloud. And it will make apps easier to manage than ever before.
For more detailed information on how to work with Managed Service for Microsoft AD, check out Google’s documentation here.