Console
    Start free

    Configure domain peering

    This page shows you how to configure domain peering with Managed Service for Microsoft Active Directory (Managed Microsoft AD).

    Before you begin

    1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

    2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

      Roles required to select or create a project

      • Select a project : Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
      • Create a project : To create a project, you need the Project Creator role ( roles/resourcemanager.projectCreator ), which contains the resourcemanager.projects.create permission. Learn how to grant roles .

      Go to project selector

    3. Verify that billing is enabled for your Google Cloud project .

    4. Enable the Managed Microsoft AD, Cloud DNS, and Compute Engine APIs.

      Roles required to enable APIs

      To enable APIs, you need the Service Usage Admin IAM role ( roles/serviceusage.serviceUsageAdmin ), which contains the serviceusage.services.enable permission. Learn how to grant roles .

      Enable the APIs

    5. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

      Roles required to select or create a project

      • Select a project : Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
      • Create a project : To create a project, you need the Project Creator role ( roles/resourcemanager.projectCreator ), which contains the resourcemanager.projects.create permission. Learn how to grant roles .

      Go to project selector

    6. Verify that billing is enabled for your Google Cloud project .

    7. Enable the Managed Microsoft AD, Cloud DNS, and Compute Engine APIs.

      Roles required to enable APIs

      To enable APIs, you need the Service Usage Admin IAM role ( roles/serviceusage.serviceUsageAdmin ), which contains the serviceusage.services.enable permission. Learn how to grant roles .

      Enable the APIs

    8. Create a Managed Microsoft AD domain in the domain resource project.
    9. Create a VPC network in the VPC resource project to which you want to peer your domain with.
    10. Make sure that the IP ranges assigned to Managed Microsoft AD and any authorized networks don't overlap.
    11. Make sure that you have any one of the following IAM roles:
      • Google Cloud Managed Identities Admin ( roles/managedidentities.admin )
      • Google Cloud Managed Identities Peering Admin ( roles/managedidentities.peeringAdmin )
    12. Optional: Check if you have the following IAM roles as well:
      • Google Cloud Managed Identities Viewer ( roles/managedidentities.viewer )
      • Compute Network User ( roles/compute.networkUser )
      • Compute Network Viewer ( roles/compute.networkViewer )

    Configure domain peering

    After you complete the prerequisites and gather your domain information, you can create the domain peering.

    Console

    To create a peering from the domain resource project, follow these steps:

    1. In the Google Cloud console, go to the Managed Microsoft ADpage.
      Go to Managed Microsoft AD
    2. Click the Peeringstab.
    3. On the Peeringspage, click Create peering.
    4. In the Namefield, enter a name for your peering resource.
    5. Select Domain.
    6. In the Select domain from this projectlist, select your Managed Microsoft AD domain.
    7. Enter the project ID or number that includes the VPC network you want to peer with.
    8. Enter the name of your VPC network.
    9. Optional: To add labels, expand the Labelssection. Click Add labels, and then enter the key-value pairs.
    10. Click Create.

    After the operation is complete, the Peeringspage lists the peering with status as Disconnected.

    To create a peering from the VPC resource project, follow these steps:

    1. In the Google Cloud console, go to the Managed Microsoft ADpage.
      Go to Managed Microsoft AD
    2. Click the Peeringstab.
    3. On the Peeringspage, click Create peering.
    4. In the Namefield, enter a name for your peering resource.
    5. Select Network.
    6. In the Select network from this projectlist, select your VPC network.
    7. Enter the project ID or number that includes your Managed Microsoft AD domain.
    8. Enter the name of your Managed Microsoft AD domain.
    9. Optional: To add labels, expand the Labelssection. Click Add labels, and then enter the key-value pairs.
    10. Click Create.

    After the operation is complete, the Peeringspage lists the peerings with status as Connectedon both the projects.

    gcloud

    Run the following gcloud CLI command.

    gcloud active-directory peerings create PEERING_RESOURCE_NAME 
\
  --domain= DOMAIN_NAME 
\
  --authorized-network= VPC_NETWORK_NAME

    Replace the following:

    • PEERING_RESOURCE_NAME : a name for your domain peering resource (such as my-domain-peering ).
    • DOMAIN_NAME : a full resource name for your Managed Microsoft AD domain, in the form of: projects/ PROJECT_ID /locations/global/domains/ DOMAIN_NAME .
    • VPC_NETWORK_NAME : a full resource name for your VPC network, in the form of: projects/ PROJECT_ID /global/networks/ NETWORK_NAME .

    You receive the following response that indicates domain peering creation has started:

    Create request issued for: PEERING_RESOURCE_NAME 
Waiting for operation-1842751234221-5857b78a1a49e-02bc63a3-77e5c7ee 
to complete...

    After the operation is complete, configure domain peering in the VPC resource project. Run the following gcloud CLI command.

    gcloud active-directory peerings create PEERING_RESOURCE_NAME 
\
  --domain= DOMAIN_NAME 
\
  --authorized-network= VPC_NETWORK_NAME 
\
  --project= VPC_RESOURCE_PROJECT_ID

    Replace the following:

    • PEERING_RESOURCE_NAME : a name for your domain peering resource (such as my-domain-peering ).
    • DOMAIN_NAME : a full resource name for your Managed Microsoft AD domain, in the form of: projects/ PROJECT_ID /locations/global/domains/ DOMAIN_NAME .
    • VPC_NETWORK_NAME : a full resource name for your VPC network, in the form of: projects/ PROJECT_ID /global/networks/ NETWORK_NAME .
    • VPC_RESOURCE_PROJECT_ID : the project ID of the VPC network project that is hosting the VPC.

    You receive the following response that indicates domain peering creation has started:

    Create request issued for: PEERING_RESOURCE_NAME 
Waiting for operation-1842751821453-5857b78a1a49e-02bc63a3-77e5c7ee 
to complete...

    This operation can take up to 15 mins to complete. You can repeat the process to create multiple domain peerings in a project. However, you can peer up to 10 VPC networks with a Managed Microsoft AD domain.

    What's next
    Create a Mobile Website
    View Site in Mobile | Classic
    Share by: