Remotely joining VM instances to Active Directory using IAP Desktop 2.31
The first thing we often do after creating a new Windows VM on Google Cloud is join the VM to Active Directory. Typically, this entails the following steps:
- Generate Windows credentials
- Log on by using RDP
- Initiate the domain join
- Log on again with a domain user and delete the local admin account created in (1)
This process is tedious. And if we forget to perform step (4), we’re also leaving an enabled local administrator account behind.
One way to make domain joining less painful is to automate it. But that requires a bit of setup work, so it might not be suitable for all projects.
Another way is to use IAP Desktop’s new Join to Active Directory feature which we can find in the context menu of the Project Explorer window:
This feature doesn’t require any prerequisites on the VM and works for both Managed Microsoft AD domains and self-managed domains (assuming we’ve set up Cloud DNS properly).
Google Cloud doesn’t provide a way to remotely execute commands on VM instances, so the feature works by using a temporary startup script:
- After gathering user input, IAP Desktop temporarily replaces the VM’s startup script and restarts the VM. This causes the VM to run the temporary startup script.
- The script generates an RSA key pair and passes the public key back to IAP Desktop (via the COM4 serial port).
- IAP Desktop uses the RSA public key to encrypt the domain user credentials. It then creates a metadata entry to pass the encrypted credentials, along with other parameters such as the domain name, to the VM.
- The VM reads the encrypted credentials from its metadata and decrypts them using its RSA private key. Then, the script initiates the domain join and reports the results back to IAP Desktop (again via the COM4 serial port).
- Finally, IAP Desktop restores the original startup scripts (if any).
The following sequence diagram shows the process in more detail:
Release 2.31 includes some additional new features, including:
- Starting/stopping VMs: It’s not possible to start, stop, suspend or resume VM instances from within the Project Explorer window.
- Add/unload projects: Instead of adding and unloading projects one-by-one, it’s not possible to add or unload them in bulk.
You can find the source code and all releases of IAP Desktop on the project’s GitHub page.