[THEME MUSIC PLAYING]

SIDDHARTH BHAI: Hey everyone. Welcome. Thank you for coming. Good to see we have nobody napping yet. I know it's an hour or so after lunch, so thanks so much for staying awake.

To get you a little bit warmed up, I thought I'd ask you for a quick show of hands. How many of you are familiar with Active Directory? All right, great, so you're in the right session. Good to know. That's pretty much all of the room. And for the three people who maybe didn't raise their hands, it's OK. There are many resources you can go check out later.

The other question: how many of you have had some experience with Google Cloud Platform, getting a VM up, creating a network, and doing some basic infrastructure as a service? OK, so this is probably about half the room. And pretty much everyone has experience with AD. That's great. So you're in the right session.

We're going to be talking about how you can extend your on-premises Active Directory to Google Cloud Platform. My name is Siddharth Bhai. I'm a product manager with Google Cloud. I focus on problems that work with identity and security. I'm really excited to talk to you today, and even more excited to have with me two very talented co-presenters.

BENJAMIN MILLER: Hi there, Ben Miller. I'm a systems administrator with Google. I work on the Mergers and Acquisitions Infrastructure Services Team.

KENNY HILL: How are you guys doing? I'm Kenny Hill. I'm with Capital One Identity and Access Management. I focus on directories in the cloud.

SIDDHARTH BHAI: Great. So we'll go ahead and get started. What I thought I'd start off with is honestly an apology. I'm sorry we're not going to cover the heated issue of whether we should call it on-premises, or on-premise, or on-prem. We will take that away to the evening hours.

But two things in particular I'll leave you with today. One is, as the show of hands showed, a lot of you do have Active Directory deployed, and so we understand that. And B is to leave you with some best practices and guidance on how you can extend the Active Directory investments you have already made onto the Google Cloud Platform.

So in particular, the things we'll cover are: how is it that you can use your on-premises Active Directory, where you do your users and groups management, to get identity and access management configured on GCP? We'll talk about some drivers and architecture choices for actually running AD on GCP itself. After that, we'll have two great case studies coming up of actual experiences of having run AD on GCP. And we'll round it off with some best practices.

So the first thing that we're going to cover is, how can you extend your on-premises Active Directory users and groups onto GCP for identity and access management? This is probably the question I get asked most often over the last year or so, because a lot of you have put in that investment to start working to have Active Directory all set up. Auditors are happy. The internal security team has signed off, which is great. And now you want to get started with GCP. So can you leverage those existing investments? And the answer is yes. And I'll show you how in the next two slides.

What's coming up is probably a fairly familiar topology to a lot of you. You probably have your users and groups in your on-premises Active Directory. They're sitting in your Active Directory domain controllers. And then for a variety of reasons, several customers have either ADFS, or Ping, or Okta, any of these other federation products, so you can take those on-premises users and get single sign-on to a variety of other relying parties or applications.

And so the question is, when the application is Google Cloud Platform itself, how is it that you can connect the two? So a canonical use case that comes up is, as we often find with customers, maybe somebody gets interested in BigQuery and wants to go ahead and set things up so that a certain group of users can go ahead and do things with BigQuery. So the way that you do that in GCP is via role-based authorization. So if you were BigQuery admin, you could then go ahead and essentially do a variety of things with BigQuery.

So how do you set it up? I have this slide coming up. I'll let you soak it in for a second. It's Google Cloud Identity. There's a lot of things on this slide. And it's a full identity-as-a-service product. I won't be going too deep into it today, but I did want you to know it has identity, it has policies, a very strong support for device management. But there are two features in particular, which is all we need for the question we set out to answer. And those two features are, A, it allows you to sync your users and groups from on-premises Active Directory onto a Google Cloud Identity domain. B, you can set up your Google Cloud Identity domain to indicate that you'd like the authentication of those users to happen with your on-premises federation endpoint. And by going ahead and using these two features, you can have your users and groups from on-premises Active Directory be used for BigQuery or any other IAM in GCP.

So let's go ahead and take a look at that in this demo. OK, so as that screen comes up, what you're looking at should seem pretty familiar to a lot of you, since you're experienced with Active Directory. This is the Active Directory Administrative Center. And for the-- OK-- for the purpose of the demo, I need to go ahead and re-establish my RDP. As it comes up, what you'll see is I have an Active Directory Administrative Center open in the on-premises environment.

Great. So this should look familiar. It is your on-premises Active Directory. I have created an OU in here for GCP, which is currently blank. So I'll go ahead and run a simple PowerShell script. And what the script has done is it's gone ahead and pre-created for you some users and groups. So as I refresh, I have three users in my on-premises Active Directory, Alice, Bob, and Charlie. And I have a group, GCP Security Admins, which has Alice and Bob as its members. So this is what we have set up in your on-premises AD, and it probably simulates a lot of deployments you have today.

I'll now go ahead and switch onto a VM where I have Google Cloud Directory Sync set up. So what this is doing is it'll go ahead and take the users and groups from that OU and sync them up to a Google Cloud Identity domain. So one thing I should call out is, a lot of you, if you've been using GCP, G Suite in particular, for a while, you may be familiar with the term Google domain, which is the same thing as a Google Cloud Identity domain. So I'll go ahead and sync these up. What this is doing is that it's now pushing those users and groups into Google.

So I'll switch my screens. And what you are now looking at is the Admin Console for Google Cloud Identity. So I refresh my screen. The three users we just created, Alice, Bob, and Charlie, are now available in the Google Cloud Identity domain. And as I go to the groups UI, you'll see the group. GCP Security Admins is also available here. So I'll go ahead and take this group, and it's now all come up from your on-premises AD into GCP.

So what's next? Now, let's go back to the thing we were trying to do. To do that, I'll apply this group. You're now looking at the IAM page of a GCP project. And I'll go ahead and add a role. I'll give the users of this particular group, which we just synced from your on-premises AD, the role of BigQuery admin. And so as I go ahead and hit Save, you now see that this group has BigQuery admin IAM on this project.

Now, the interesting thing here, as we come back to our slides, is effectively that you have this set of groups-- this set of users who can be added in a lot of your on-premises AD groups and have the access changes reflected back on GCP IAM without needing to go ahead and do anything special in this IAM page.

So as we come back to our slides, please, what you will notice is we will have two additional items coming up onto this IAM policy that I just showed you pretty soon. One is you will be able to say that you allow these users to only have access for a specific time window. So the one at the top is the policy we just set up. But down below is a special expression that will allow you to essentially have your group synced ahead of time and say only for that hour, or only for that month, are those users allowed to have access. And second is you'll be able to further restrict it based on the source IPs that they're actually connecting from.

So that's the first part of the session, where we saw how you can use your on-premises AD, extend it onto GCP, and use that for IAM. And this is where we come to an interesting transition. And it's a slightly tricky point to make, so I need your help. Everything we looked at so far was having your on-premises AD, extending it onto GCP without requiring a VPN by syncing your users and groups into your GCP domain. What we now go and take a look at is, if you are trying to run Active Directory or AD-related apps on GCP, how do you go ahead and do that? And for this, we do not need Cloud Identity or a VPN to be set up for the things we're going to talk about next. So that's something.

So a lot of times when you need Active Directory in the cloud is if you were thinking of a migration project. So go ahead and soak in that visual for a second, and I'll talk through it. So what you're seeing is you have an application that's talking to your on-premises Active Directory over a set of Active Directory protocols.

Now, what are the cases when you may need Active Directory as you think of moving this app or this server onto GCP? So one very common use case is if you have gone ahead and domain-joined these applications onto-- onto Active Directory, and you want to run them on Google Cloud Platform. So in that case, you're looking for AD. In other cases, if the app does LDAP, or Kerberos, or Windows Integrated Auth, it's looking for a domain controller. The next set of things is if the app has logic for retrieving things that are stored in Active Directory itself, most often group-based membership, when the application houses authorization logic in itself. Another time is if you had used an AD client-side library. For instance, you had a .NET-based app. And if that was making any calls over to System.DirectoryServices, it would look to find a domain controller. And the last bit is, when you do go ahead and have your application migrated to the cloud, you have a choice to make, which is, do you still want your on-premise network to be on the critical path for each application authentication lookup? Or would you rather have it scale in cloud, have low latency, and have the cloud application be independently and highly available?

So how is it that these choices end up manifesting in your architecture options? Let's take a look. The first thing you can do in any of these cases is the simplest: just go ahead and set up your VPN or a Cloud Interconnect and have your Active Directory continue to reside on-premises. And so this way, it's pretty quick to configure, but you have higher latency for all your applications. Every single request is going back to your on-premises network.

So what do you do? The second option you have is you can go ahead and choose to deploy read-only domain controllers onto Google Cloud. Now, the advantage in this case is it's a read-only replica of Active Directory. But those of you who have worked with it for a while would probably know that there are certain operations that are still being chained or referred back to your full domain controllers, which in this case would reside on-premises. So you're absolutely going back to your on-premises network for getting those done. In terms of a positive, this does not bring in everybody's credentials onto any cloud deployments. So you can have no users' passwords in the cloud by default. Some of you may like that from a security perspective. However, it also lets you have only a certain set of users' passwords replicated into that cloud AD deployment. On the other hand, the biggest challenge with RODCs is there are application compatibility things you should think about. So if you go and Google for RODC application compatibility, the first link gives you a list of apps that support RODCs or not. So that's something to factor in.

The next option is to go ahead and deploy your writeable or regular domain controllers into cloud. And in this case, you obviously have your Active Directory data available entirely on GCP. It's low latency, because your application is then going for all operations to the AD DC you just deployed there. However, the thing to keep in mind, in both this as well as the previous configuration, is if you have multiple Active Directory domains, you may end up needing to deploy domain controllers for each of those domains into cloud. So if you had a merger and acquisition use case, or for any other reasons had three or four AD domains, [INAUDIBLE] multiple domain controllers from each of those domains.

So to get around that, another thing you can do is set up a new Active Directory domain on Google Cloud Platform, and use the Active Directory trust relationship model to establish a trust with your on-premise AD. And this does work well, because you effectively are able to have three or four different AD domains where your users are having their credentials stored and authentication happening. However, all your resources and applications which are running in the cloud can join or just work against the Active Directory domain which is now hosted fully within Cloud.

Another thing you could think about, when you think of moving to the cloud and having a hybrid deployment, is to consider having a disaster recovery site on Google Cloud Platform. And so the numbers you're seeing on the right effectively show an example of AD site replication costs, which you could utilize to go ahead and have things set up so that your users and applications on-premises are usually not reaching back to the cloud. And only in the event of a failover will they come in and use the cloud DCs.

So these are five options you have in terms of architecture. And by this point, you're probably wondering, which of these makes sense for your specific use case? Now, to help answer that, I'm really excited to share with you the highlight of our segment today, which is the Ben & Kenny experience. They'll come up and share with you what it is that worked for them as they looked to have AD running on GCP.

KENNY HILL: Hi again, guys. First, I want to thank Sid, I want to thank Ben for allowing me to come up here and share a little bit about Capital One's Google Cloud Active Directory journey. Hopefully there's time at the end for questions. If not, feel free to connect. I'm always really excited to hear what others are doing in the identity and directory space in the cloud.

See the question up on the board-- or screen. Why extend Active Directory to Google Cloud? There are many reasons. The main driver for us is resiliency and speed. Let me explain a little bit of what that means and some of the design inputs that went into some of our decisions.

There are four main areas we focus on with our domain controller design. First one, security. I'm going to gloss over that and skip it. Not enough time for me to really dive deep. Ben is going to share some security practices. The next area for us is directory size. Since going on the cloud, we've had exponential growth in our directories, running at 38 and 60 gigabit. NTDS did have about 2.5 million objects in each directory, between 100,000 and 150,000 both users and group objects.

Understanding directory size, there are many reasons for our growth. One of the main ones that I'm excited about is the development we've had on Cloud Platform of applications requiring role-based access. We've also taken the concept of tags from cloud, and we're writing more data into our directory. This allows us to correlate Active Directory objects with Cloud things utilizing our provisioning system.

Next, there is resiliency. The next is speed. As I was doing the slides for this, I realized the same inputs really went into both of them: to ensure Active Directory authentication and authorization is always available. Doesn't matter if it's a federated SAML authentication, a Windows authentication, an LDAP application bind, a database authentication, the directory needs to be there. Same holds true when you're domain-joining infrastructure, and it wants to scale. So the directory needs to be there. So for us, going down Interconnect or VPN, that wasn't really an option, as we want to, no matter the situation, ensure that we can scale applications.

To create a seamless experience for applications when switching projects and regions, a developer, application team, DevOps team, no matter what you call them, they should not need to know anything about AD sites or maintain different URL mappings. We even have application teams that don't even know it's Active Directory on the backend. When they need help, they ask, where's the LDAP team?

To provide the fastest domain-join, directory replication, and LDAP experience possible. A key way to be successful in this bullet is to keep your traffic on Google Cloud. I'm not going to give exact time test metrics. You guys, I highly recommend testing this yourself. In a world where every millisecond counts, it is important to ensure that traffic stays on the most optimal path.

And this is probably one of the biggest reasons we build domain controllers on Compute Engine: to quickly rehydrate and be able to increase AD capacity. At Capital One, we rebuild all infrastructure every 45 to 60 days maximum. Domain controllers are no exception to that rule. They get rebuilt. We call this rehydrate. So we are constantly rebuilding our domain controllers. That's why directory size is up there. You need to understand your build times. It's important to know exactly how long it's going to take to build domain controllers. Even if using the install from media file, where you back up the AD database or SYSVOL and you import it, if you have quite a few objects, the domain promote process is still going to do a checksum-- I don't know the correct term for it-- of every object. And that's where the lag's going to happen. So understanding your directory size and the speed that you can build domain controllers is going to help you determine: is your directory small enough? Are you able to auto scale? If so, I'm jealous. Or are you going to have to run it, monitor it a little bit over your monitoring high peaks, meaning you're running a little bit over capacity at all times? Or do you keep a reserve pool of live domain controllers running on smaller instances in a reserved AD site and utilize scaling technology to bring them in and out as you need them?

Next, I'm going to show you a few of the high-level design decisions. In a traditional AD site topology, for on-premise you'd usually have a single AD site or two per data center. Each of these AD sites is usually going to have some sort of single point of failure, if it's power, network, shared storage, or other infrastructure. In our Google Cloud model, we utilize-- we put domain controllers in every zone available in each region we deploy. This is essentially treating the whole region as a single AD site. This provides a more resilient topology.

In the on-premise model, it's hard to test. If you can-- you manage your sites and services, and your costs, and the next closest site, and there can be errors in it. You can shut down network to a data center, and you can say-- and you can know that everything's authenticated and authorization's occurring, but do you know exactly where all that's going? In this model in the cloud, you know it's just staying in the same site.

This also ensures that any applications that utilize the DC locator process are going to pick a domain controller in the AD site, in region, staying on Google Cloud as their primary. For applications that cannot utilize DC locator, we utilize an LDAP load balancer. Our configuration for the load balancer: LDAP secure 636, GCS global catalog secure 3269, coming into the load balancer. This ensures that all traffic outside of the project is secure. We then terminate at the load balancer to regular 389 and 3268 and point at domain controllers across multiple zones.

We utilize the global catalog secure port for applications which chase referrals. Many Java-based applications chase referrals. And sometimes you have COTS products deployed which you cannot disable it in. If you're not familiar with chase referrals, it's when you point an application to a domain controller, and instead of utilizing that domain controller, it pulls back all the A records and randomizes them per the client and then just picks a random one. If you utilize the global catalog port, it disables referral chasing.

We're predominantly a Linux shop, which does not have the DC locator process by default without third-party products. There are also many applications which are not AD site aware, they cannot utilize a load balancer, or even some of the horrible applications that you have to point directly to a domain controller. An example of one of those applications you'd point directly at a domain controller is something that needs to read and write almost simultaneously, like your identity and lifecycle management application or provisioning application, where if it doesn't read and write at the same one, you could have collisions.

We utilize a rootDSE query, so an LDAPS rootDSE query to the load balancer returning the DNS hostname. The applications can utilize this. They can put it in a script or a job and ensure their configuration is always pointing at a live domain controller. Even if we're rebuilding or rehydrating our domain controllers, if they have this job set up, they'll know they always have a live domain controller.

As I mentioned, it is extremely important to ensure we are replicating Active Directory data as fast as possible in this model. If we were to fail to another region, applications need to be able to read the same data that they read in one region in another one. It also allows us to more effectively get to a just-in-time access model and enhance our privileged access password rotation.

The legacy replication strategy was designed more than 18 years ago, when network was slow and also very expensive. We chose to utilize a full mesh replication with change notification strategy. Change notification treats replication on the site link the same as it would in our site. Though the diagram I'm showing up there, we are replicating from site to site on-premise to all of our Google regions. And then we do, as fast as we can, replication between the sites.

To close out, a couple more lessons that we've learned along the way. Limit your use of group policy objects. There are many more cloud-friendly configuration management solutions out there. Ben's going to actually show you one that's available for free that works. You can also utilize-- you can also harden your image, stack all your configuration settings in your image. And that's another approach. Managing group policy deviations and exceptions in a cloud model is not operationally efficient for the directory support teams or the application teams. The application teams are going to need to script moving the objects or adding to a security filter group, which means they need credentials, which means they have to also secure a password. So we don't take that approach. We only deploy GPOs for high-level settings, which there's no way we're going to reverse.

Monitor and log everything. Even if you're not going to utilize the data immediately, you will want it later. There are many other services besides Compute Engine which can enhance directory services in the cloud. So you will want this historical data when you're building out tools and applications on Google Cloud Platform.

Automate your domain controller build. I already mentioned this one. It's worth repeating. Ensure your build process for domain controllers is efficient, and you're able to quickly add capacity. Domain controllers are in a different category of core services than regular applications. The domain controllers need to be there before the applications need to consume it. Another thing is AD, those of you who are very familiar, it's extremely chatty. Wait until you put it in the cloud. When teams are auto-scaling, they're spinning up 1,000 instances at a time, pulling them down, AD's going to be chattier. So being able to add capacity really quick is important.

Last thing I'll leave you with. At Capital One, we do not troubleshoot isolated domain controller issues in the cloud. We will give it one reboot. If that issue persists, the domain controller comes out, we bring another one in. Thank you guys for sitting and listening to me. Thank you, Sid.

[APPLAUSE]

SIDDHARTH BHAI: That was actually a very, very interesting set of experiences that you heard Capital One talk about, how they're running Active Directory in production on GCP with a fairly large size. The two angles in particular that stood out for me were, one is, even when you are looking to run something like Active Directory, which is a very core Windows Server workload trying to do LDAP, by leveraging Cloud DNS and Cloud Load Balancing, it was interesting to see how they designed the LDAP load balancer. That's definitely something-- things like this, as you go out and explore moving to the cloud, are interesting ideas to try. The second was the message that we were left with, which is, you should go ahead and look to automate your domain controller creation, the domain controller build process. And that's actually a great point. And I'm excited to call upon Ben, who is going to come in and share with us more about what it is that Alphabet does when it also deploys domain controllers in production, and how is it that you've automated DC build. Welcome, Ben.

BENJAMIN MILLER: Hi. As I mentioned a bit ago, I work on Google's M&A Infrastructure Services Team. I work with a group of talented systems administrators in Colorado and California that built and operate the project that I'm going to be talking about today.

One of the things that our team does is to build and maintain core IT infrastructure for an array of acquisitions and partnerships. To make this happen, we rely heavily on code and automation. Our project, GECCO, is code-driven managed IT infrastructure for Alphabet entities and acquisitions deployed in Google Cloud. The problem that we set out to solve was consistent management of many unrelated Active Directory domains, rather than a single large forest as Kenny was describing. With a fairly small team, we manage services like Active Directory, DNS, DHCP, NPS, and RADIUS for many small to medium-sized environments. In order to accomplish this, we've put tremendous focus on using the DevOps approach of infrastructure as code, using code and automation to deploy and maintain these environments and minimizing manual changes.

So I'd like to share some of the key design goals that informed the design of GECCO. And I propose that these are goals that most of you would share if you were building out domain infrastructure in Google Cloud. I'll give you some examples of how we got to where we are, but just understand there are many other ways to achieve the same goals.

So let me break each one of these down. First, it's important to limit access to the GCP projects that contain your domain infrastructure. Protecting your domain controllers from malicious or accidental action is critical to the security of these environments. So we build domain infrastructure in isolated GCP projects. Having ownership or instance admin roles in GCE means having tremendous power over the instances that run in those projects. For example, depending on your IAM roles in the project, you can create or delete instances, you can access their logs, create new Windows accounts, and change passwords on those machines. So we use role accounts and custom IAM grants to give just the access needed to resources in our projects. We only allow folks that are domain admins in the environment to become instance admins in the projects that they run in. We carefully consider the consequences of granting even lesser access to compute resources in the projects that contain these domain controllers. Approach every Cloud IAM grant by asking yourself, can you-- can someone use this access to escalate their privileges in the domain? Will this grant let someone modify instances, metadata, or access sensitive logs?

So now, we've built our domain controllers in an isolated project. Fantastic. They're running perfectly, smoothly. Nothing is going wrong, they're under glass, and nobody can talk to them. So what do we do next? First, we use instance tags to define VPC firewall rules that control the flow of network traffic within our project. This ensures that we know where all of our traffic is coming from and where it is going to. Once these rules are in place, we can establish network connections to our customers' cloud and on-prem environments. We want our infrastructure to be available and performant, so we do a couple of things. We co-locate our instances in the same GCP zones that our customer projects run in. And then we use Cloud VPC Peering to create fast network connections between the virtual private cloud networks of these projects. Finally, we interact with on-prem networks via Cloud VPN, again placing our compute instances in cloud regions that are close to those networks.

Our next design goal was to automate provisioning and to implement source-controlled configuration management. Infrastructure as code is key to scaling IT as a service. But we're not just concerned with shaving down provisioning time. By centralizing our code, and config, and source repositories, we can force all changes to go through peer review and a suite of tests. And with sufficient provisioning and configuration automation, you might choose to build new instances rather than applying updates to existing ones, as Kenny described. You can bring new instances online and ensure they are operating correctly before bringing your existing capacity offline. And with GECCO, our instance provisioning automation is built around getting our configuration management in place as early as possible and making sure that it stays in control.

So we automate deployment of new domain controllers and other instance types using a couple of stages. So for the first stage of our instance build, we take advantage of the Sysprep specialize stage of Windows installation to inject our build artifacts onto the machine. This is possible thanks to the GCE agent that runs in the stock GCE image that we build our instance from. It will look for a script configured in the project or instance metadata, and then it will run that script. All we are doing in this initial stage is to download build artifacts from a canonical source. So here I've highlighted a very short PowerShell script that I'm storing as a value in a hash table. And when I pass that hash table to the command below, the key-value pairs in the hash table become instance metadata.

So when I provision the machine, the GCE agent will go looking for the specialize script in metadata. And upon finding it, it will execute it. As I said, all this particular script is doing is copying instance build artifacts from GCS. Now, I could instead be using a Git repository, or I could be using a package repository, or something else. The important thing is that all of the build artifacts that I'm using are coming from a vetted source. Everything I'm using to build this instance should be centrally stored. Everything that I'm using to build this instance should be peer reviewed, or should be built by something that was itself peer reviewed.

After the Sysprep specialize stage completes and the instance reboots, our second stage script is triggered. Now, this script will install configuration management prerequisites, initialize the configuration management system, and then shepherd it through its first run of config management to make sure that it completes successfully. For our domain controllers, we use PowerShell Desired State Configuration as our configuration management system. So here I've given you an example of the DSC configuration required to create a brand new domain controller on a Windows Server Core machine. That's really about it. The WindowsFeature DSC resource ensures that the AD Domain Services feature is installed, and the xADDomain resource handles the creation of the domain. In a production environment, you're going to see a lot of additional code and configuration to handle things like credential management, and testing, and other things that are specific to our environment. But this really is all there is to creating a new domain using PowerShell DSC.

Speaking of credential management, the final thing I wanted to touch on was protecting your secrets. Building domain infrastructure necessitates handling some very important credentials, including those you need to create a new domain controller, or a new domain entirely. Everyone at some point is going to be tempted to put a password in a script. We've all been around the block. Don't do it. Don't use plain text. Don't just use obfuscation. Rot13 is not encryption.

[LAUGHTER]

Really encrypt your secrets. Store them in a place where you will have an audit trail every time they are accessed. And have sufficient logging in place to know when those credentials are used anywhere in your environment. So there are a lot of ways to protect your credentials, but I wanted to show you a pretty simple example that's enabled by Cloud Key Management Service, or Cloud KMS.

Cloud KMS allows you to encrypt and decrypt secrets based on Cloud IAM access grants. So I can have one set of accounts that has permissions just to encrypt secrets, and then I can have another set of accounts that just has permission to decrypt secrets. Here I'm using a very simple gcloud command to encrypt a plain text string and store the result in a file. Then I'm uploading that file to Google Cloud Storage. And when I need to use this very secure password to join my domain controller to my domain, the code can retrieve the encrypted file from GCS, decrypt the secret, and inject it into my configuration management without the plain text password ever landing on disk.

Now, we could, if you imagine, just take things a step further and build a process where no human ever has to know what certain passwords are. So you can imagine having a process to generate a new random password as part of an automated provisioning process. So let's say that I have a password for a break glass administrative account. The right service account in the right place will be able to access this secret in order to set the password for the break glass account. But no human will ever have to know what this is. If on-call uses Cloud KMS to decrypt the secret, I'll know about it thanks to my audit logs. And the same process can be triggered again to automatically rotate the password.

So in summary, when building domain infrastructure in GCP, you should carefully consider these aspects of your design: limiting access to just where it is needed and isolating your domain infrastructure, automating your provisioning and deployment and using configuration management, and protecting your critical secrets. Thank you very much. I'll hand the rest of the time back to Sid.

[APPLAUSE]

SIDDHARTH BHAI: Thank you, Ben, so much for joining us. The two key takeaways I think from this segment, for me, were, one is, like, an operational step-by-step of how you can actually automate DC build using tooling which is hopefully familiar to a lot of you who have been working with AD for a while. Second was you saw Ben talk about what's a good way to go ahead and protect secrets in the cloud, in this case for the Active Directory use case, but using Cloud KMS and GCS for storing the encrypted secret is something you can extend to other applications you do with GCP, too.

As we go into this final section of the talk, I wanted to go ahead and touch upon and bring together some of these best practices. This is obviously not a complete list. You've heard some very great pearls of wisdom from both Ben and Kenny. But I thought I'd leave you with a few things to keep in mind as you start thinking about running Active Directory or extending it to Google Cloud.

The first set of things is around Active Directory design. So one of the things you should think about as you move to cloud is, there's no reason to not be highly available. So for domain controllers, always have at least two DCs, one in each zone. Second, when you think about your Active Directory site topology, you have two options. One is you can pick a simple option, which is you create a single Active Directory site for all of GCP. And using the power of our multi-regional VPC, you're effectively able to have that work well. It's a quick way to get started. Second, you heard Kenny describe, especially as you move towards more performant applications, to have
one site per region..And what this will do is for any.of the applications or servers.you have running in that.region, they will always.go to the closest.domain controller.and you'll see low latencies..In terms of connectivity.back to on-premises.there's networking options,.Cloud VPN, Cloud Interconnect..You're welcome to.go study those more.and see which one.works well for you..That's because a lot of.Active Directory operations.require non-internet,.like private network,.line-of-sight connectivity.between domain controllers.as many of you are.probably aware..The last part is, for any.applications or servers.you choose to move.to GCP, and you.do have one or more AD.sites on GCP, placing them.in the same Active.Directory site.will lead to the.right type of things.happening, which should.keep your DNS and AD.operations working well,.finding the closest DC..For an operations.and security angle,.a few things to keep in mind..One is there's obviously.a plethora of choices.when you come to cloud.for running Compute..You obviously want to.make, just like you.would if you were.purchasing hardware,.to run your domain controllers.make the right type of choices..Preemptable VMs may be cool,.but probably not a good idea.for running AD.domain controllers..You want to think about static.IPs and things like that..In terms of GCP IM.permissions, you.saw that being something.we covered in last two case.studies, but I did want.to hone in the point..Here's something.to keep in mind..If you have a domain controller.running in a VM on Compute,.anybody who has Compute Instance.admin on that GCP project.can go right click,.reset Windows password,.and effectively elevate.themselves to a domain admin..Now just like you wouldn't.very loosely put your Active.Directory on-premises.domain controllers.in physical environments.you didn't fully trust,.when it comes to managing it in.the cloud, especially in GCP,.you want to be mindful of.which type of IM permissions.you have on those projects..In 
particular, anybody.with a set IM policy.is able to set IM permissions.on that GCP project.and give themselves or.other a variety of IM roles..So it's generally a good.hygiene to keep in mind,.but especially when you're.running domain controllers,.be mindful of that..Second, we have a.resource hierarchy.within GCP, which is beyond.the scope of this talk today..But to give you an.idea, you can have.projects, which are inside.of folders, which are inside.of organizations..And so there is a inheritance.model of IM permissions.there too..So I see several of you nodding..I won't go into more detail..But something to study.and keep in mind as you're.thinking of running AD..Lastly, if you wish to.have more isolation for AD,.you can always set up a Bastian.Active Directory Project..It is more things that.you'll have to configure,.but I did want you to know that.is an option for high security.cases..You can then still use VPC.Peering and shared VPCs.to have all your domain.controllers in that project,.but have your servers.and applications.and other projects.that can still.reach those domain controllers..Lastly, there is a.session later this week--.I have a link in a.couple of slides--.which we'll talk about how.you can use hardened security.on Google Cloud Platform for.all of your sensitive workloads,.including AD..So I encourage you to.find out more about that.and look to leverage that...So if all of this is.sounding interesting to you,.and you when it gets.started, I wanted.to leave you with just a.few quick slides of examples.of things you can do..One is we have a Google.Cloud solution that talks you.through step by.step how you can get.your highly available Active.Directory domain up on GCP..I have a slide with all.the links in a minute.if you want to take.a photo of that..Second is, you can also choose.to extend an existing AD.domain onto GCP..So there is a white paper..Phase three of this white paper.talks about Active Directory.considerations..There is a click to 
deploy..If you wanted to go ahead and.just get and AD domain spun up,.and start playing with it,.and experimenting with it,.we have that, something you.can go ahead and leverage..And a lot of what.you have heard today.is focused around two themes..One is having high available,.multi-regional Active Directory.on GCP..And B has been.around specifically.automating domain.controller creation..And so for that, I'm actually.very excited to share with you.what Itopia has done..So Itopia-- excuse.me-- is a partner who.we've been working with for.the last several months..They have a very.interesting set of things.they're announcing right.now at NEXT, in particular,.the ability to extend an.existing Active Directory.domain and the ability to.have multiple sites, one.site per region, similar to how.you heard Kenny advise and talk.about how they're doing.it in Capital One..They have a booth down below.if you want to go and get.automated support for everything.that you've heard about today..I encourage you to.go check them out..So here are some.links if you wanted.to go back and play with that..I wanted thank you.all for coming..And please let us.know if there's.more we can do in GCP to.help support these use cases..Thank you so much..[THEME MUSIC PLAYING]..
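Ben's second-stage pattern, the WindowsFeature plus xADDomain DSC configuration fed by a secret decrypted through Cloud KMS, worked through as an added example; this is not the slide code from the talk. The key ring, key, bucket, domain name, certificate path and thumbprint are placeholder assumptions, and it assumes the Google Cloud SDK and the xActiveDirectory DSC module are installed on the node.

```powershell
# Added example, not the speaker's code. Placeholders: key ring "dc-secrets",
# key "dsrm-pw" in "us-central1", bucket "dc-build-artifacts", domain
# "corp.example.com", and a DSC encryption certificate already on the node.
$ErrorActionPreference = 'Stop'

# Fetch the ciphertext from GCS; only the encrypted blob ever touches disk.
gsutil cp gs://dc-build-artifacts/secrets/dsrm.enc "$env:TEMP\dsrm.enc"

# Decrypt to stdout ("-") straight into a SecureString, so the plaintext is
# never written to a file. The VM's service account needs only the
# cloudkms.cryptoKeyDecrypter role, and every call lands in Cloud Audit Logs.
$plain = gcloud kms decrypt --location=us-central1 --keyring=dc-secrets --key=dsrm-pw `
    --ciphertext-file="$env:TEMP\dsrm.enc" --plaintext-file=-
$secure = ConvertTo-SecureString -String ($plain -join '') -AsPlainText -Force
Remove-Variable plain
$cred = New-Object System.Management.Automation.PSCredential ('Administrator', $secure)

Configuration NewForest {
    param([Parameter(Mandatory)][pscredential]$DomainCred)
    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Import-DscResource -ModuleName xActiveDirectory

    Node localhost {
        # Ensure AD DS is installed before the domain is created.
        WindowsFeature ADDS {
            Name   = 'AD-Domain-Services'
            Ensure = 'Present'
        }
        # Create the new forest root domain (placeholder domain name).
        xADDomain Forest {
            DomainName                    = 'corp.example.com'
            DomainAdministratorCredential = $DomainCred
            SafemodeAdministratorPassword = $DomainCred
            DependsOn                     = '[WindowsFeature]ADDS'
        }
    }
}

# Encrypt the credential in the compiled MOF with the node's DSC certificate.
# PSDscAllowPlainTextPassword is deliberately NOT set, so the password is not
# written to the MOF in clear text.
$configData = @{
    AllNodes = @(@{
        NodeName        = 'localhost'
        CertificateFile = 'C:\dsc\DscPublicKey.cer'      # placeholder path
        Thumbprint      = 'REPLACE_WITH_CERT_THUMBPRINT' # placeholder value
    })
}
NewForest -DomainCred $cred -ConfigurationData $configData -OutputPath "$env:TEMP\NewForest"
Start-DscConfiguration -Path "$env:TEMP\NewForest" -Wait -Verbose -Force
```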