Connect to Managed Service for Microsoft Active Directory
This page provides instructions for how to connect to Managed Service for Microsoft Active Directory.
NetApp Volumes supports Managed Microsoft AD.
Managed Microsoft AD uses private services access to connect to consumer
projects, similar to NetApp Volumes. Private services access
uses Virtual Private Cloud (VPC) peering, which blocks transitive traffic between
VPCs. NetApp Volumes can't communicate with
Managed Microsoft AD through a consumer VPC, so you
need a domain peering to
establish this connection.
Use the following instructions to establish a domain peering:
1. Identify the project name of the NetApp Volumes tenant project
   that owns your NetApp Volumes resources:

   ```
   gcloud compute networks peerings list --project=project_owning_NetAppVolumes --flatten=peerings --filter="peerings.name=sn-netapp-prod"
   ```

   The `PEER_PROJECT` parameter shows the name of the NetApp Volumes
   tenant project. The `PEER_NETWORK` parameter shows the tenant project VPC
   name, which should be netapp-prod-network.
2. Follow the instructions in Configure domain peering
   to create a domain peering from Managed Microsoft AD to
   NetApp Volumes, using the tenant project ID and network you
   identified from the previous step.

   Note that you can only establish the peering from the domain resource project
   to the NetApp Volumes tenant project. The reverse peering
   from the VPC resource project
   (NetApp Volumes tenant project) to the domain resource project
   requires a support case with Google Cloud Customer Care.
3. Open a support case with Google Cloud Customer Care to establish
   the reverse peering from NetApp Volumes to Managed Microsoft AD.
   Provide the output of the following command to Google Cloud Customer Care to
   identify which peering to accept.

   ```
   gcloud active-directory peerings list --project=project_owning_ManagedAD
   ```
4. After Google Cloud Customer Care establishes the two-way peering, the status of
   your peering shows CONNECTED. Verify the peering status:

   ```
   gcloud active-directory peerings list --project=project_owning_ManagedAD
   ```
5. Create an Active Directory policy
   in the same region where you plan to create volumes using Managed Microsoft AD.
   You need to specify the following parameters:

   - DNS servers IP address:

     - For the Flex service level, use `169.254.169.254` for the DNS servers IP
       address in the policy.

     - For Standard, Premium, and Extreme service levels, follow the
       instructions in Using IP address for DNS resolution.
       You will use the entry point IP addresses created by Cloud DNS in
       your Active Directory policy.

   - Organizational Unit (OU): Managed Microsoft AD puts all objects
     into `OU=cloud` by default. You need
     to specify a correct organizational unit parameter for your environment.
     For example, if you have a Windows domain called
     engineering.example.com, the default organizational unit to
     specify would be `CN=Computers,OU=Cloud,DC=engineering,DC=example,DC=com`.

6. Attach the Active Directory policy to the storage pool to be used.

   For the Flex service level, test Active Directory policy connection by
   creating a volume which uses the Active Directory.
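The check from step 4 and the policy parameters from step 5 can be validated before the policy is created. The following is an added example, not part of the original page or of Google's tooling: the function names, the project IDs and the sample JSON are constructed, and the `authorizedNetwork` and `state` field names are assumed from the Managed Microsoft AD Peering API resource as returned with `--format=json`.

```python
import ipaddress
import json
import re

FLEX_DNS = "169.254.169.254"            # DNS server the page gives for Flex
TENANT_NETWORK = "netapp-prod-network"  # tenant VPC name the page says to expect
LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")  # one DNS label

# Constructed sample of `peerings list --format=json`; the field names
# (authorizedNetwork, state) are assumed from the Peering API resource.
SAMPLE_PEERINGS = json.dumps([{
    "name": "projects/example-ad-project/locations/global/peerings/netapp-peering",
    "authorizedNetwork": "projects/example-tenant-tp/global/networks/netapp-prod-network",
    "state": "CONNECTED",
}])


def peering_ready(peerings_json, tenant_project):
    """True only if a peering to the tenant VPC exists and is CONNECTED."""
    want = f"projects/{tenant_project}/global/networks/{TENANT_NETWORK}"
    return any(p.get("authorizedNetwork") == want and p.get("state") == "CONNECTED"
               for p in json.loads(peerings_json))


def default_ou(domain):
    """engineering.example.com -> CN=Computers,OU=Cloud,DC=engineering,..."""
    labels = domain.rstrip(".").split(".")
    if len(labels) < 2 or not all(LABEL.fullmatch(part) for part in labels):
        raise ValueError(f"not a usable AD DNS domain name: {domain!r}")
    return "CN=Computers,OU=Cloud," + ",".join(f"DC={part}" for part in labels)


def policy_params(service_level, domain, dns_ips=()):
    """Return the DNS servers and OU to enter in the Active Directory policy."""
    level = service_level.lower()
    if level == "flex":
        dns = [FLEX_DNS]
    elif level in ("standard", "premium", "extreme"):
        if not dns_ips:
            raise ValueError("pass the Cloud DNS entry point IP addresses")
        dns = [str(ipaddress.ip_address(ip)) for ip in dns_ips]  # rejects bad IPs
    else:
        raise ValueError(f"unknown service level: {service_level!r}")
    return {"dns_servers": dns, "organizational_unit": default_ou(domain)}


if __name__ == "__main__":
    if not peering_ready(SAMPLE_PEERINGS, "example-tenant-tp"):
        raise SystemExit("peering is not CONNECTED yet; do not create the policy")
    print(policy_params("Flex", "engineering.example.com"))
```

Pass the `PEER_PROJECT` value from step 1 as `tenant_project`; the OU returned is only the default and must be replaced if your environment uses a different organizational unit.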
For Standard, Premium, and Extreme service levels, test Active Directory policy connection before creating a volume.

Before you begin, make sure you meet the prerequisites mentioned in Managed Microsoft AD - Before you begin.

Last updated 2025-08-29 UTC.