Configuring a Remote Desktop Deployment with Google Managed Service for Microsoft Active Directory

By Aaron Firouz

Microsoft Remote Desktop Services (RDS) requires the use of a Microsoft Active Directory (AD) domain. When creating a new deployment using itopia's Cloud Automation Stack (CAS), you can create a new Active Directory domain, connect to an existing one, or create a new instance of Google Managed Service for Microsoft Active Directory (Managed Microsoft AD).

Managed Microsoft AD provides a simplified Active Directory administration experience by eliminating the need to manage domain controllers or their associated services, such as AD DNS.

With Managed Microsoft AD, a full Microsoft Active Directory instance is provisioned, configured, and updated by Google Cloud; your VMs use Google Cloud DNS to locate the Active Directory endpoints and connect to the domain controllers across your internal Virtual Private Cloud (VPC) network.

Benefits of Managed Microsoft AD

CVS supports volumes between 1TB and 100TB, with three performance tiers:

  • Standard: Up to 4,000 IOPS and 16MB/s throughput per TB of storage. $0.10 per GB
  • Premium: Up to 16,000 IOPS and 64MB/s throughput per TB of storage. $0.20 per GB
  • Extreme: Up to 32,000 IOPS and 128MB/s throughput per TB of storage. $0.30 per GB

Based on feedback and internal testing, the Standard tier should provide adequate performance for RDS user profiles (FSLogix Profile Containers), even when accessed from a GCP region on the other side of the United States. For larger deployments (greater than 100 users), the Premium tier may be a better option. Performance tiers can be modified from within the GCP console; for most customers, we recommend starting with a lower tier and scaling up as necessary.


There is no cost in itopia CAS for Managed Microsoft AD. For information on the GCP pricing for the managed service, refer to Google Cloud's documentation.

Considerations When Using Managed Microsoft AD

Managed Microsoft AD has some important distinctions from a traditional, full Active Directory implementation. These differences and limitations are important to consider when planning your CAS deployment:

  • Managed Microsoft AD does not grant elevated permissions such as Domain Admins or Enterprise Admins membership. While equivalent permissions are provided for common administrative tasks such as managing users, groups, and Group Policy Objects, domain- and forest-level administrator permissions are not available for advanced configuration of the environment.
  • Similarly, Managed Microsoft AD does not support schema extensions or modifications. Applications that require modifying the AD schema are not supported.
  • Additional domain controllers (DCs) cannot be manually provisioned for Managed Microsoft AD. Google Cloud ensures the AD domain is highly available and provides sufficient compute capacity for AD services, but extending the domain by promoting additional DCs is not supported.
  • itopia CAS does not currently support integration with an existing Managed Microsoft AD instance; when selecting to configure a CAS deployment with Managed Microsoft AD, a new instance is provisioned. This functionality may be supported in a future release.
  • itopia CAS does not currently support multi-region deployments when using Managed Microsoft AD. This functionality may be supported in a future release.
  • itopia CAS will provision a bastion VM for performing administrative tasks within the Managed Microsoft AD environment. This VM is required to relay instructions (such as creating a new user or updating a group) from CAS to the Managed Microsoft AD instance.
  • During the Beta period, you can only add domain controllers to the following regions:
    us-west1; us-west2; us-central1; us-east1; us-east4; europe-north1; europe-west1; europe-west4; asia-east1; asia-southeast1

Configure a CAS Deployment with Managed Microsoft AD

To create a new deployment using Managed Microsoft AD, simply select the option "Google Managed Service for Microsoft Active Directory" in the Active Directory portion of the Deployment Configuration, and provide a DNS name for the Managed Microsoft AD domain; refer to Microsoft's naming conventions in Active Directory when choosing a name.


When your deployment is created, you'll notice the following differences from using a full Active Directory domain:

  • The CAS deployment will not include any domain controller VM instances
  • The CAS deployment will include a bastion VM instance, used for allowing communication from CAS to the Managed Microsoft AD environment
  • Within the Google Cloud project, the VPC network used for the CAS deployment will have a Service Networking peering for your Managed Microsoft AD instance, and several firewall rules will be created.
  • CAS service accounts (the itoadmin accounts) will have different elevated permissions to be compatible with Managed Microsoft AD. Additional information is available in Service Accounts used by itopia CAS.

With these exceptions, CAS is configured identically to a full Active Directory deployment, and all CAS functionality is supported.

