Managed Service for Microsoft Active Directory (Managed Microsoft AD) is a Google Cloud service that offers highly available, hardened Microsoft Active Directory running on Windows virtual machines. We recently added on-demand backup and schema extension capabilities that can help Google Cloud users more easily and effectively manage AD tasks.

Managed Microsoft AD is a fully managed service with automated AD server updates, maintenance, and security configuration, and needs no hardware management or patching. The service is constantly evolving, adding new capabilities to effectively manage your cloud-based, AD-dependent workloads. Here’s a closer look at the benefits for Google Cloud users of the new on-demand backup and schema extension capabilities.

Flexibility to manage your AD domain with on-demand backup and restore

Managed Microsoft AD already offers scheduled backups, taken automatically every 12 hours. With on-demand backup and restore, now generally available alongside the scheduled backups, customers can create a checkpoint (snapshot) of the domain at any point in time and restore the domain to that state when needed, without waiting for the next scheduled backup or opening a support case. Two scenarios where on-demand backup and recovery help:

  • Critical domain changes now can be done anytime without aligning to the next backup schedule.
  • Users can restore to a point back in time from backups without having to raise a support request.

With this release, users can keep up to five on-demand backups per domain. The Managed Microsoft AD API also covers the rest of the backup lifecycle: listing all backups (both on-demand and scheduled), restoring the domain to a selected backup, updating a backup's labels, and deleting a backup. Together these let users run their backup administration without a support request.
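The following PowerShell script is an added example, not code from the original post or from Google. It shows the pre-change checkpoint workflow the two scenarios above describe: it counts existing on-demand backups against the five-backup limit, refuses to proceed when the quota is exhausted (rather than silently deleting an older checkpoint), creates a labelled on-demand backup, confirms it is listed, and prints the restore command. It assumes an authenticated gcloud CLI on the path, placeholder values for the domain, project and change ticket, and that the backup resource's `type` field reports `ON_DEMAND` or `SCHEDULED` (the field name and values are my assumption about the API's JSON output; check them with `gcloud active-directory domains backups describe` before relying on the filter).

```powershell
# Added example (not from the original post): take an on-demand checkpoint of a
# Managed Microsoft AD domain before a risky change, enforcing the five-backup
# quota, then show how to roll back to it.
# Assumptions: gcloud is installed and authenticated; $Domain/$Project are
# placeholders; the backup JSON carries a "type" of ON_DEMAND or SCHEDULED.
param(
    [Parameter(Mandatory)] [string] $Domain,      # e.g. ad.example.com
    [Parameter(Mandatory)] [string] $Project,     # e.g. my-project
    [string] $ChangeTicket = 'CHG-0000'           # recorded as a label on the backup
)

$ErrorActionPreference = 'Stop'
$MaxOnDemand = 5   # per-domain limit on on-demand backups stated in the post

function Get-ManagedAdBackups {
    # --format=json turns the listing into objects we can filter reliably.
    $json = & gcloud active-directory domains backups list `
        --domain=$Domain --project=$Project --format=json
    if ($LASTEXITCODE -ne 0) { throw 'gcloud backups list failed' }
    return @($json | ConvertFrom-Json)
}

function New-ManagedAdCheckpoint {
    param([Parameter(Mandatory)] [string] $Ticket)

    $ticket   = $Ticket.ToLower()          # label values must be lowercase
    $onDemand = @(Get-ManagedAdBackups | Where-Object { $_.type -eq 'ON_DEMAND' })
    if ($onDemand.Count -ge $MaxOnDemand) {
        # Never auto-delete a checkpoint: an operator must choose which one to drop.
        $names = ($onDemand | ForEach-Object { $_.name.Split('/')[-1] }) -join ', '
        throw "On-demand backup quota ($MaxOnDemand) reached. Existing: $names. " +
              "Delete one with 'gcloud active-directory domains backups delete' and retry."
    }

    $name = "pre-$ticket-" + (Get-Date -Format 'yyyyMMdd-HHmmss')
    & gcloud active-directory domains backups create $name `
        --domain=$Domain --project=$Project `
        "--labels=change=$ticket,purpose=pre-change"
    if ($LASTEXITCODE -ne 0) { throw "backup $name failed; do not start the change" }

    # Confirm the checkpoint is actually listed before letting the change go ahead.
    $created = Get-ManagedAdBackups | Where-Object { $_.name -like "*/backups/$name" }
    if (-not $created) { throw "backup $name not listed after creation" }
    return $name
}

$checkpoint = New-ManagedAdCheckpoint -Ticket $ChangeTicket
Write-Host "Checkpoint '$checkpoint' taken. To roll the whole domain back to it:"
Write-Host "  gcloud active-directory domains restore $Domain --backup=$checkpoint --project=$Project"
```

Restoring to a backup returns the entire domain to its state at backup time, not just the objects your change touched: user and computer account changes, password resets and group edits made after the checkpoint are lost too. Treat the checkpoint's timestamp as the recovery point and keep the window between checkpoint and change short.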

Power application integrations with Schema Extension support

Note: Schema Extension feature is in public preview and covered by the Pre-GA Offerings Terms of the Google Cloud Terms of Service.

Active Directory (AD) relies on its schema to organize and store directory data. The AD schema contains a formal definition of every attribute and class that can exist in an Active Directory object. When you create a Managed Microsoft AD instance, it creates the default schema on the domain controllers. There are situations, however, where you need to customize the classes or attributes, typically when an application requires new types of information to be stored in Active Directory (for example, to support single sign-on). Managed Microsoft AD now supports schema extension: you submit an LDAP Data Interchange Format (LDIF) file through the API and the service applies it to the schema. The following LDIF change types are supported: add, modify, modrdn and moddn. Because AD schema additions cannot be deleted afterwards (an attribute or class can only be marked defunct), it is strongly recommended to take a domain backup before any schema change. To simplify this, Managed Microsoft AD initiates a backup every time a schema extension is triggered. Schema extension lets you add the context your users need and integrate applications that depend on specific classes or attributes.

Use case: Schema extension for LAPS

You can store and rotate the local account passwords of domain-joined computers in AD using Local Administrator Password Solution (LAPS), a Microsoft tool for password management. Any device that LAPS is deployed to can randomize the local administrator password, store that password in Active Directory, and then change that password on a set schedule. For LAPS to work with Active Directory, it needs the schema to be extended for storing the required attributes. For this use case, we assume that you have already installed LAPS and have your Managed Microsoft AD up and running.

LAPS requires the following two additional attributes:

  1. ms-Mcs-AdmPwd – This attribute stores the local administrator password
  2. ms-Mcs-AdmPwdExpirationTime – This attribute stores the expiration time of administrator password

Let’s now look at how to add the required attributes using the Managed Microsoft AD schema extension feature.

Step 1: Prepare an LDIF file to add ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime attributes.

# Attribute 1: the local administrator password itself. searchFlags 904 (0x388)
# sets RODC-filtered (0x200), never-audit-value (0x100), confidential (0x80) and
# preserve-on-delete (0x8). The confidential bit is what stops ordinary
# authenticated users from reading the password; do not lower this value.
# Note: in RFC 2849 LDIF, "::" introduces a base64-encoded value, so a standard
# tool such as ldifde would expect the 16 GUID bytes base64-encoded here rather
# than the dashed text form shown.
dn: CN=ms-Mcs-AdmPwd,CN=Schema,CN=Configuration,dc=example,dc=com
changetype: add
objectClass: attributeSchema
ldapDisplayName: ms-Mcs-AdmPwd
adminDisplayName: ms-Mcs-AdmPwd
adminDescription: LAPS Password
attributeId: 1.2.840.113556.8000.9999.2.2
attributeSyntax: 2.5.5.5
oMSyntax: 19
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 904
schemaIdGuid:: 64e85e0a-f479-4206-880d-ecbf73e2babb

# Attribute 2: the password expiration time, a Windows FILETIME held as a 64-bit
# integer. attributeSyntax 2.5.5.16 (LargeInteger) is the syntax that pairs
# with oMSyntax 65; 2.5.5.6 (Numeric String) pairs with oMSyntax 18 and would be
# rejected as a mismatched syntax pair.
dn: CN=ms-Mcs-AdmPwdExpirationTime,CN=Schema,CN=Configuration,dc=example,dc=com
changetype: add
objectClass: attributeSchema
ldapDisplayName: ms-Mcs-AdmPwdExpirationTime
adminDisplayName: ms-Mcs-AdmPwdExpirationTime
adminDescription: LAPS Password Expiration Time
attributeId: 1.2.840.113556.8000.9999.2.3
attributeSyntax: 2.5.5.16
oMSyntax: 65
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: b3fea135-c39a-4169-aec7-c618cc8cb6ff

# Tell the DC to reload its schema cache immediately (empty dn = RootDSE).
# The trailing "-" closes the modify record as RFC 2849 requires.
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-


Step 2: Log in as a delegated administrator to a VM hosted in Google Cloud that is joined to your Managed Microsoft AD domain and has the gcloud CLI installed.

Step 3: Extend the schema by running the following gcloud CLI command (substitute your domain name, the path to the LDIF file from Step 1, and your project ID):

gcloud beta active-directory domains extend-schema DOMAIN_NAME --ldif-file=LDIF_FILE_PATH --description="Sample description" --project=PROJECT_ID

Managed Microsoft AD creates a backup automatically when you initiate the schema extension. If the change has to be undone, this backup is the way back: AD does not allow a schema attribute to be deleted once it has been created, so an authoritative restore to that backup is what returns the domain to the point before these attributes were added. Keep in mind that the restore also rolls back every other change made to the directory after the backup, not only the schema.

Step 4: To verify the schema changes, run the following command in Windows PowerShell on the domain-joined VM (it needs the ActiveDirectory module from RSAT), once for each attribute, replacing ATTRIBUTE with ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime:

Get-ADObject -Identity 'cn=ATTRIBUTE,cn=Schema,cn=Configuration,dc=example,dc=com' -Properties *
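Steps 1 to 4 combined into one PowerShell script, as an added example that is not code from the original post or from Google. It builds the LDIF against the domain's real schema naming context instead of a hard-coded dc=example,dc=com, applies it with the gcloud command from Step 3, and then verifies both attributes, including the one property that decides whether LAPS is safe to deploy: the confidential bit (0x80) in searchFlags on ms-Mcs-AdmPwd, without which any authenticated user could read local administrator passwords with a plain LDAP query. It assumes the RSAT ActiveDirectory module and an authenticated gcloud CLI on the domain-joined VM, placeholder domain and project values, and the sample OIDs and GUIDs from the post rather than Microsoft's production LAPS OIDs; it writes the schemaIdGuid values base64-encoded, the RFC 2849 form for a "::" value, and uses attributeSyntax 2.5.5.16, the LargeInteger syntax that pairs with oMSyntax 65.

```powershell
# Added example (not from the original post): LAPS schema extension end to end,
# run on the domain-joined VM as a delegated administrator.
# Assumptions: RSAT ActiveDirectory module and authenticated gcloud available;
# $Domain/$Project are placeholders; OIDs/GUIDs are the post's sample values.
param(
    [Parameter(Mandatory)] [string] $Domain,    # e.g. ad.example.com
    [Parameter(Mandatory)] [string] $Project    # e.g. my-project
)
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory

# Step 1: build the LDIF. The schema NC comes from the live directory, and the
# schemaIdGuid values are base64 of the 16 GUID bytes as RFC 2849 "::" requires.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$pwdGuid  = [Convert]::ToBase64String(([guid]'64e85e0a-f479-4206-880d-ecbf73e2babb').ToByteArray())
$expGuid  = [Convert]::ToBase64String(([guid]'b3fea135-c39a-4169-aec7-c618cc8cb6ff').ToByteArray())
$ldif = @"
dn: CN=ms-Mcs-AdmPwd,$schemaNc
changetype: add
objectClass: attributeSchema
ldapDisplayName: ms-Mcs-AdmPwd
adminDisplayName: ms-Mcs-AdmPwd
adminDescription: LAPS Password
attributeId: 1.2.840.113556.8000.9999.2.2
attributeSyntax: 2.5.5.5
oMSyntax: 19
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 904
schemaIdGuid:: $pwdGuid

dn: CN=ms-Mcs-AdmPwdExpirationTime,$schemaNc
changetype: add
objectClass: attributeSchema
ldapDisplayName: ms-Mcs-AdmPwdExpirationTime
adminDisplayName: ms-Mcs-AdmPwdExpirationTime
adminDescription: LAPS Password Expiration Time
attributeId: 1.2.840.113556.8000.9999.2.3
attributeSyntax: 2.5.5.16
oMSyntax: 65
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
schemaIdGuid:: $expGuid

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
"@
$ldifPath = Join-Path $env:TEMP 'laps-schema.ldif'
# Plain ASCII with LF line endings: no BOM for the LDIF parser to trip over.
[IO.File]::WriteAllText($ldifPath, ($ldif -replace "`r`n", "`n"), [Text.Encoding]::ASCII)

# Step 3: apply it. Managed Microsoft AD takes its own backup first (Step 2 is
# the login context this script already runs in).
& gcloud beta active-directory domains extend-schema $Domain `
    --ldif-file=$ldifPath '--description=LAPS attributes' --project=$Project
if ($LASTEXITCODE -ne 0) { throw 'extend-schema failed; schema left unchanged' }

# Step 4: verify syntax/oMSyntax pairs, single-valuedness and, above all, that
# the password attribute is confidential (searchFlags bit 0x80).
function Test-LapsSchema {
    $expected = @{
        'ms-Mcs-AdmPwd'               = @{ attributeSyntax = '2.5.5.5';  oMSyntax = 19 }
        'ms-Mcs-AdmPwdExpirationTime' = @{ attributeSyntax = '2.5.5.16'; oMSyntax = 65 }
    }
    $ok = $true
    foreach ($name in $expected.Keys) {
        $attr = Get-ADObject -Identity "CN=$name,$schemaNc" `
            -Properties lDAPDisplayName, attributeSyntax, oMSyntax, searchFlags, isSingleValued
        foreach ($p in $expected[$name].Keys) {
            if ("$($attr.$p)" -ne "$($expected[$name][$p])") {
                Write-Warning "$name.$p is '$($attr.$p)', expected '$($expected[$name][$p])'"; $ok = $false
            }
        }
        if (-not $attr.isSingleValued) { Write-Warning "$name is multi-valued"; $ok = $false }
        if ($name -eq 'ms-Mcs-AdmPwd' -and (($attr.searchFlags -band 0x80) -eq 0)) {
            Write-Warning 'ms-Mcs-AdmPwd is NOT confidential: any authenticated user could read passwords'
            $ok = $false
        }
    }
    return $ok
}

if (Test-LapsSchema) { 'LAPS schema attributes present and ms-Mcs-AdmPwd is confidential' }
else { throw 'Schema verification failed; restore the pre-change backup before deploying LAPS' }
```

The confidential check is the reason to script the verification rather than eyeball `-Properties *`: with searchFlags 904 the password is readable only by principals granted the CONTROL_ACCESS (or All Extended Rights) permission on the computer object, which is what the later LAPS permission-delegation step relies on. If the bit were clear, a Domain Users query would return every stored local administrator password.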

 

The Managed Microsoft AD schema is now extended with the required attributes for configuring LAPS. You can now proceed with the rest of the LAPS setup as usual, including password settings, access permissions, and GPO configuration.

These new features make it easier to integrate applications with your Managed Microsoft AD domain and give you more control over operations like backup and restore. Here are additional resources where you can learn more about Managed Microsoft AD and these new features.


By: Muthuraj Thangavel (Senior Product Manager, Google Cloud)
Source: Google Cloud Blog
