# Deploy Managed Microsoft AD with cross-project access using domain peering
This topic shows you how to configure domain peering between Managed Service for Microsoft Active Directory (Managed Microsoft AD) and Shared VPC. This lets you make a Managed Microsoft AD domain available to the service projects attached to the Shared VPC.
Overview
--------

[Domain peering](/managed-microsoft-ad/docs/domain-peering) in Managed Microsoft AD creates a domain peering resource in both the project that owns the domain and the project that owns the VPC network. A Managed Microsoft AD domain can be made available to all projects attached to a Shared VPC by creating a domain peering between Managed Microsoft AD and the Shared VPC. For example, you can authenticate and log in to SQL Server using a Managed Microsoft AD domain, where SQL Server and Managed Microsoft AD are in different service projects that are attached to the Shared VPC.
Before you begin
----------------

Before you begin, do the following:

1. In the Google Cloud console, on the project selector page, select or create three Google Cloud projects. They are called the host project and the service projects. The host project is where Shared VPC is enabled. The Managed Microsoft AD domain and the Cloud SQL instance must reside in different service projects. The VMs can reside in either of the service projects.

   [Go to project selector](https://console.cloud.google.com/projectselector2/home/dashboard)
2. Enable billing for your Cloud projects. For more information, see [Check if billing is enabled on a project](/billing/docs/how-to/modify-project#confirm_billing_is_enabled_on_a_project).
3. Enable Shared VPC on the host project. For more information, see [Enable a host project](/vpc/docs/provisioning-shared-vpc#enable-shared-vpc-host).
4. Attach the service projects to the Shared VPC network. Each project must have the Compute Engine API enabled. For this example, we recommend creating a separate subnet in the Shared VPC for each service project; while attaching a project, choose the subnet intended for it. For more information, see [Attach service projects](/vpc/docs/provisioning-shared-vpc#create-shared).
5. [Create a Managed Microsoft AD domain](/managed-microsoft-ad/docs/create-domain) in a service project. The VPC network authorized when creating the Managed Microsoft AD domain is independent of the Shared VPC network. To create a Managed Microsoft AD domain without an authorized network, use the gcloud CLI command.
Configure domain peering
------------------------

A domain peering has two sides: one created in the service project that owns the domain and one created in the host project that owns the Shared VPC. The peering only reaches the `CONNECTED` state after both sides exist, so a domain cannot be exposed to a Shared VPC without someone with permissions in the host project creating the host-side resource.

1. Create the domain peering from the service project that owns the domain resource to the Shared VPC network. For more information about domain peering, see [Configure domain peering](/managed-microsoft-ad/docs/quickstart-domain-peering#configure_domain_peering).

   ```
   gcloud active-directory peerings create PEERING-RESOURCE-NAME \
       --domain=DOMAIN-RESOURCE-NAME \
       --authorized-network=SHARED-VPC-NAME
   ```

   Replace the following:
   - `PEERING-RESOURCE-NAME`: A name for your domain peering resource (such as `my-domain-peering`).
   - `DOMAIN-RESOURCE-NAME`: The [full resource name](/iam/docs/full-resource-names) of your Managed Microsoft AD domain, in the form `projects/PROJECT-ID/locations/global/domains/DOMAIN-NAME`, where `PROJECT-ID` is the service project that owns the domain.
   - `SHARED-VPC-NAME`: The [full resource name](/iam/docs/full-resource-names) of your Shared VPC network, in the form `projects/PROJECT-ID/global/networks/NETWORK-NAME`, where `PROJECT-ID` is the host project.
2. List the domain peerings to verify the state. Run the following gcloud CLI command:

   ```
   gcloud active-directory peerings list --project=PROJECT_ID
   ```

   Replace `PROJECT_ID` with the project ID of the service project used to create your domain peering resource.

   It returns the state as `DISCONNECTED`.
3. Create the reverse domain peering from the host project.

   ```
   gcloud active-directory peerings create PEERING-RESOURCE-NAME \
       --domain=DOMAIN-RESOURCE-NAME \
       --authorized-network=SHARED-VPC-NAME \
       --project=VPC-RESOURCE-PROJECT-ID
   ```

   Replace the following:
   - `PEERING-RESOURCE-NAME`: A name for your domain peering resource (such as `my-domain-peering`).
   - `DOMAIN-RESOURCE-NAME`: The [full resource name](/iam/docs/full-resource-names) of your Managed Microsoft AD domain, in the form `projects/PROJECT-ID/locations/global/domains/DOMAIN-NAME`.
   - `SHARED-VPC-NAME`: The [full resource name](/iam/docs/full-resource-names) of your Shared VPC network, in the form `projects/PROJECT-ID/global/networks/NETWORK-NAME`.
   - `VPC-RESOURCE-PROJECT-ID`: The project ID of the host project that hosts the Shared VPC.
4. List the domain peerings again to verify the state. Run the following gcloud CLI command:

   ```
   gcloud active-directory peerings list --project=PROJECT_ID
   ```

   Replace `PROJECT_ID` with the project ID of the service project used to create your domain peering resource.

   It returns the state as `CONNECTED` from both the host and the service project.
Configure the Cloud SQL (SQL Server) instance
---------------------------------------------

1. Create the Cloud SQL (SQL Server) instance in the service project with Private IP enabled, and select the Shared VPC network. For more information, see [Create an instance with Windows Authentication](/sql/docs/sqlserver/configure-ad#creating-an-instance-with-windows-authentication).
2. After the domain peering is complete, modify the Cloud SQL (SQL Server) configuration to use your Managed Microsoft AD domain for authentication. Run the following gcloud CLI command:

   ```
   gcloud beta sql instances patch INSTANCE-NAME \
       --active-directory-domain=DOMAIN-RESOURCE-NAME
   ```

   Replace the following:
   - `INSTANCE-NAME`: The name of your Cloud SQL instance in the service project.
   - `DOMAIN-RESOURCE-NAME`: The [full resource name](/iam/docs/full-resource-names) of the Managed Microsoft AD domain that you want to use for authentication. Full resource name format: `projects/PROJECT-ID/locations/global/domains/DOMAIN-NAME`.

   For more information, see [Enable cross-project Windows authentication](/sql/docs/sqlserver/configure-ad#enable-cross-project-auth).

The SQL Server instance is now configured with Windows authentication enabled.
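As an added example that is not part of this page or of the gcloud CLI, the script below drives the domain peering section and the Cloud SQL step above end to end: it builds the two full resource names (the domain's carries the service project ID, the network's carries the host project ID, which the shared `PROJECT-ID` placeholder above can obscure), creates the peering from both projects, polls `gcloud active-directory peerings describe` from each project until it reports `CONNECTED`, and only then patches the SQL Server instance. The environment variable names (`SERVICE_PROJECT`, `HOST_PROJECT`, `DOMAIN_NAME`, `NETWORK_NAME`, `PEERING_NAME`, `SQL_INSTANCE`, `SQL_PROJECT`), the `run` argument guard and the placeholder project IDs are assumptions constructed for this example; `gcloud` must be installed and authenticated with the required roles in both projects.

```shell
#!/usr/bin/env bash
# Added example, not code from the Google Cloud page: runs the two-sided domain
# peering from the steps above with gcloud, waits until both projects report
# CONNECTED, then optionally points a Cloud SQL (SQL Server) instance at the domain.
# Assumed (constructed for this example): gcloud is installed and authenticated
# with the needed IAM roles in BOTH projects, and configuration arrives in the
# environment variables read in main().
set -eu

# Full resource name of the Managed Microsoft AD domain, in the form the page gives.
# The project here is the SERVICE project that owns the domain.
domain_resource_name() {  # <service-project-id> <domain-name>
  printf 'projects/%s/locations/global/domains/%s\n' "$1" "$2"
}

# Full resource name of the Shared VPC network. The project here is the HOST
# project; the page uses one PROJECT-ID placeholder for both, which is easy to mix up.
network_resource_name() {  # <host-project-id> <network-name>
  printf 'projects/%s/global/networks/%s\n' "$1" "$2"
}

# True only when the reported state means the domain is usable across the peering.
peering_is_connected() {  # <state>
  [ "$1" = "CONNECTED" ]
}

# Reads the state of one peering as seen from one project. Kept as its own
# function so the polling logic can be exercised offline with a stub.
describe_peering_state() {  # <project-id> <peering-name>
  gcloud active-directory peerings describe "$2" \
    --project="$1" --format='value(state)'
}

# Polls until the peering is CONNECTED or the attempts run out.
# Prints the last observed state; returns 1 on timeout so callers can abort.
wait_for_connected() {  # <project-id> <peering-name> [attempts] [sleep-seconds]
  local project=$1 peering=$2 attempts=${3:-30} delay=${4:-10} state= i=0
  while [ "$i" -lt "$attempts" ]; do
    state=$(describe_peering_state "$project" "$peering")
    if peering_is_connected "$state"; then
      printf '%s\n' "$state"
      return 0
    fi
    i=$((i + 1))
    sleep "$delay"
  done
  printf '%s\n' "${state:-UNKNOWN}"
  return 1
}

# Step 1 (service-project side) and step 3 (host-project side) from the page.
# Until the host-project side exists, the listing shows DISCONNECTED.
create_both_peerings() {  # <peering-name> <domain-resource> <network-resource> <service-project> <host-project>
  local peering=$1 domain=$2 network=$3 svc=$4 host=$5
  gcloud active-directory peerings create "$peering" \
    --domain="$domain" --authorized-network="$network" --project="$svc"
  gcloud active-directory peerings create "$peering" \
    --domain="$domain" --authorized-network="$network" --project="$host"
}

main() {
  local svc=${SERVICE_PROJECT:?} host=${HOST_PROJECT:?}
  local domain_name=${DOMAIN_NAME:?} network_name=${NETWORK_NAME:?}
  local peering=${PEERING_NAME:-my-domain-peering}
  local sql=${SQL_INSTANCE:-} sql_project=${SQL_PROJECT:-}
  local domain network
  domain=$(domain_resource_name "$svc" "$domain_name")
  network=$(network_resource_name "$host" "$network_name")

  create_both_peerings "$peering" "$domain" "$network" "$svc" "$host"
  # Verify from BOTH projects, as step 4 on the page does.
  wait_for_connected "$svc" "$peering"
  wait_for_connected "$host" "$peering"

  # Optional Cloud SQL step, run in the (different) service project that owns the instance.
  if [ -n "$sql" ]; then
    gcloud beta sql instances patch "$sql" \
      --project="${sql_project:?SQL_PROJECT is required with SQL_INSTANCE}" \
      --active-directory-domain="$domain"
  fi
}

# The real procedure runs only when explicitly requested, so the helpers can
# be sourced or tested without calling gcloud.
if [ "${1:-}" = "run" ]; then
  main
fi
```

Invoke it as `SERVICE_PROJECT=... HOST_PROJECT=... DOMAIN_NAME=... NETWORK_NAME=... ./peer.sh run`. Because `wait_for_connected` returns non-zero on timeout and the script runs under `set -e`, the Cloud SQL patch is never applied against a peering that is still `DISCONNECTED`, which is the failure mode you hit when only the service-project side has been created.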
Test the setup
--------------

1. Create a Windows or Linux VM in the service project. While creating the VM, select the Shared VPC and the subnet that is shared from the Shared VPC with this service project.
2. Join the VM to the domain. For more information about joining a Windows VM to a domain, see [Join a Windows VM to a domain](/managed-microsoft-ad/docs/quickstart-domain-join-windows).
3. Create a SQL Server login based on a Windows user or group. For more information, see [Connect to an instance with a user](/sql/docs/sqlserver/configure-ad#connecting-to-an-instance-with-a-user).
4. Connect using the SQL Server instance's DNS name. For more information, see Step 2 in [Connect to an instance with a user](/sql/docs/sqlserver/configure-ad#connecting-to-an-instance-with-a-user).
Summary
-------

You have domain peered a Managed Microsoft AD domain with the Shared VPC host project and created a SQL Server instance on the Shared VPC. With this domain peering, cross-project Windows authentication is enabled for SQL Server.

While in the scenario above Managed Microsoft AD and SQL Server are in different service projects, configuring them in the same service project is also supported.

Alternatively, you can also have the Managed Microsoft AD domain in the host project. In this case, the Shared VPC needs to be added as an authorized network to the Managed Microsoft AD domain. For more information, see [Adding authorized networks to an existing domain](/managed-microsoft-ad/docs/managing-authorized-networks#adding_authorized_networks_to_an_existing_domain).

In all of these scenarios, through peering with the Shared VPC, the domain is available to the service projects attached to the Shared VPC.
Last updated 2025-08-11 UTC.