Domain peering overview
This page describes how domain peering works in Managed Service for Microsoft Active Directory (Managed Microsoft AD).
Managed Microsoft AD offers highly available and
hardened Microsoft Active Directory domains hosted by Google Cloud. Authorized networks make Managed Microsoft AD available on your VPC in the domain resource project. Domain peering makes Managed Microsoft AD available to non-domain-resource projects, such as VPC resource projects, as well.
How domain peering works
Managed Microsoft AD creates a domain peering resource in both the domain
resource project and the VPC resource project. This ensures that
both projects have visibility into the peering and that the appropriate operators have provided
their consent before the networks are connected.
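After you have successfully configured a domain peering, Managed Microsoft AD sets up VPC peering with the VPC networks and creates a Cloud DNS peering zone to provide seamless domain
discovery.
You must configure domain peering only after you [create the domain](/managed-microsoft-ad/docs/create-domain). If a domain
already exists, you must
[configure peering for both projects](/managed-microsoft-ad/docs/quickstart-domain-peering).
Note: When you configure multiple domain peerings with the same domain, VPC networks can communicate with domain controllers over the peered connection but can't communicate with each other. If the VPC networks need to communicate with each other, you need to create a separate peering, because VPC peerings are non-transitive.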
How domain peering differs from authorized network
A Managed Microsoft AD domain supports adding up to 5 authorized networks from the domain resource project. Additionally, domain
peering lets you add up to 10 networks to the Managed Microsoft AD domain from other projects.
With Managed Microsoft AD domain peering, the authorized network originates
from projects other than the domain resource project. This functionality
provides the flexibility of sharing a single Managed Microsoft AD domain with multiple projects
and networks outside the domain resource project. This makes it possible to
use different deployment models such as hub and spoke.
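An added example (not from the original page and not Google's tooling): a Python audit of the two properties described above, that every peered network has a peering resource in both the domain resource project and the VPC resource project, and that the number of peered networks stays within the 10-network limit. The record fields (`domainResource`, `authorizedNetwork`, `state`), the `CONNECTED` state value, and all project, domain and network names are assumptions or constructed sample data.

```python
# Added example, not Google's code. Field names and state values are assumed
# to match the Peering resource; every record below is constructed sample data.
MAX_PEERED_NETWORKS = 10  # networks from other projects, per this page

def audit_domain_peerings(domain, domain_side, network_side):
    """Compare the peering resources of both projects for one domain.

    Returns (resource, finding) tuples; an empty list means every peered
    network has a CONNECTED resource in both projects.
    """
    def index(peerings):
        return {p["authorizedNetwork"]: p for p in peerings
                if p["domainResource"] == domain}

    dom, net = index(domain_side), index(network_side)
    findings = []
    for network in sorted(dom.keys() | net.keys()):
        if network not in dom:
            findings.append((network, "no peering resource in domain resource project"))
        elif network not in net:
            findings.append((network, "no peering resource in VPC resource project"))
        else:
            for side, p in (("domain", dom[network]), ("VPC", net[network])):
                if p.get("state") != "CONNECTED":
                    findings.append((network, f"{side} side state is {p.get('state')}"))
    paired = dom.keys() & net.keys()
    if len(paired) > MAX_PEERED_NETWORKS:
        findings.append((domain, f"{len(paired)} peered networks, limit is {MAX_PEERED_NETWORKS}"))
    return findings

def peering(domain, network, state="CONNECTED"):
    """Build one constructed peering record."""
    return {"domainResource": domain, "authorizedNetwork": network, "state": state}

DOMAIN = "projects/hub-project/locations/global/domains/ad.example.com"
OTHER = "projects/hub-project/locations/global/domains/lab.example.com"
VPC_A, VPC_B, VPC_C = (f"projects/spoke-{x}/global/networks/vpc-{x}" for x in "abc")

DOMAIN_SIDE = [peering(DOMAIN, VPC_A), peering(DOMAIN, VPC_C, "DISCONNECTED"),
               peering(OTHER, VPC_B)]
NETWORK_SIDE = [peering(DOMAIN, VPC_A), peering(DOMAIN, VPC_B, "DISCONNECTED"),
                peering(DOMAIN, VPC_C)]

if __name__ == "__main__":
    for resource, finding in audit_domain_peerings(DOMAIN, DOMAIN_SIDE, NETWORK_SIDE):
        print(f"{resource}: {finding}")
```

In the sample data, `vpc-b` has a resource only in the VPC resource project, so the consent of the domain resource project is missing and the audit reports it.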
What's next
- [Create a domain](/managed-microsoft-ad/docs/quickstart-create-domain)
- [Configure domain peering](/managed-microsoft-ad/docs/quickstart-domain-peering)
Last updated 2025-08-28 UTC.