
Google Workspace Directory (GCDS) Architecture

The Google Workspace Directory is the “Sovereign Bridge” that connects your on-premise infrastructure to Google Cloud. For most large organizations, Active Directory (AD) remains the “System of Record.” Google Cloud Directory Sync (GCDS) is the architectural engine that keeps your Google directory a faithful, one-way reflection of that AD master, refreshed on the schedule you give it rather than in real time. GCDS is not a simple “copy-paste” tool; it is a synchronization engine that handles user attributes, organizational units, group memberships and shared contacts, and it can carry passwords only when the source LDAP exposes them as a hash it understands. Active Directory does not, so AD password changes travel through the separate Password Sync (GSPS) service described below. For the IAM architect, GCDS plus GSPS is the critical pair for establishing Administrative Continuity: attributes converge at the next sync run, and a password change in the office reaches the cloud within moments of being committed on the domain controller.

GCDS & SYNC

Infrastructure Sovereign
Core Mission
Hybrid Directory Harmonization. Establishing a one-way, high-fidelity synchronization pipeline that maintains organizational alignment between legacy directories and the modern productivity cloud.
Like a Sophisticated Mirror: Imagine your on-premise Active Directory is a statue. GCDS is a "Sovereign Mirror" placed in Google Cloud. Every time you paint the statue (add a user) or move its arm (change a group), the mirror reflects that change at the next scheduled run. The mirror doesn't touch the statue; it only watches and replicates. If the statue is removed, the mirror image is suspended or removed at the next run, according to your deletion policy.
AD-to-Google Migration / Hybrid Identity Ops / Large-Scale Group Management / Password Hash Sync

Architecting for directory sync requires balancing the complexity of your AD schema with the simplicity of the Google directory.

Profile | Strategic Responsibility | IAM Implementation
User Sync | Profile Consistency. | Mapping an email-shaped AD attribute (typically mail or userPrincipalName) to Google primaryEmail. sAMAccountName is a bare logon name, not an address, so it is not a direct match.
Group Sync | Collaborative Access. | Synchronizing AD security and distribution groups as Google Groups, with their memberships.
Password Sync (GSPS) | Credential Handshake. | A separate service (Password Sync, formerly GSPS) installed on every writable domain controller. It intercepts password changes as they are committed and pushes them to Google, independent of the GCDS schedule.
Shared Contacts | The Global Address List. | Pushing external vendors or partners from AD into the Google Global Address List (GAL) as shared contacts.

A GCDS sync follows a “Compare-and-Commit” path to ensure directory integrity.

graph LR
    Read[Read AD State] --> Compare[Compare with Google]
    Compare --> Commit[Commit Changes]
Step 1: LDAP Extraction & Filtering

The GCDS agent (running on-prem) queries your Active Directory via LDAP. It uses highly specific "Search Rules" (LDAP filters) to identify exactly which users and groups should be synced. For example: `(&(objectClass=user)(memberOf=CN=GoogleUsers,OU=Groups,DC=sovereign,DC=corp))`. Two AD properties bite here: computer accounts also carry objectClass=user, so add `(objectCategory=person)` unless you want workstations turned into Google users, and memberOf matches direct membership only, so users who reach GoogleUsers through a nested group are not selected.
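The following is an added example, not GCDS code or anything from the original page: a minimal evaluator for the kind of LDAP search rule quoted above, run against a constructed three-object AD snapshot. It supports only AND, OR, NOT and exact equality (no wildcards, escapes or extensible matches), which is enough to show that the page's rule selects a computer account and misses a nested member, while the hardened rule with `objectCategory=person` does not. Object names, DNs and attribute values are all constructed.

```python
"""Evaluate GCDS-style LDAP search rules against a constructed AD snapshot.

Added example, not GCDS code: a minimal RFC 4515 filter evaluator (AND, OR,
NOT and exact equality only).  It shows two properties of the filter quoted
on the page: objectClass=user also matches computer accounts, and memberOf
only sees direct membership.  Every entry below is constructed.
"""
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]

GOOGLE_USERS_DN = "CN=GoogleUsers,OU=Groups,DC=sovereign,DC=corp"

# Constructed snapshot.  In AD a computer object carries objectClass=user
# (computer is a subclass of user).  objectCategory is really a schema DN in
# AD; the short form used in filters is kept here for readability.
AD_SNAPSHOT: List[Entry] = [
    {"dn": ["CN=alice,OU=Staff,DC=sovereign,DC=corp"],
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "objectCategory": ["person"],
     "memberOf": [GOOGLE_USERS_DN]},
    {"dn": ["CN=bob,OU=Staff,DC=sovereign,DC=corp"],
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "objectCategory": ["person"],
     # Bob is only in Finance, which is nested inside GoogleUsers.
     # memberOf is not transitive, so the page's rule never sees him.
     "memberOf": ["CN=Finance,OU=Groups,DC=sovereign,DC=corp"]},
    {"dn": ["CN=WS01,OU=Workstations,DC=sovereign,DC=corp"],
     "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
     "objectCategory": ["computer"],
     "memberOf": [GOOGLE_USERS_DN]},
]


def _parse(s: str, i: int) -> Tuple[tuple, int]:
    """Parse the component starting at s[i] (must be '('); return (node, next_index)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":
        op, children, i = s[i], [], i + 1
        while s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        return (op, children), i + 1                 # consume the closing ')'
    if s[i] == "!":
        child, i = _parse(s, i + 1)
        return ("!", child), i + 1
    end = s.index(")", i)
    attr, value = s[i:end].split("=", 1)             # split on the first '=' only,
    return ("=", attr, value), end + 1               # so DN values keep their own '='


def parse_filter(text: str) -> tuple:
    text = text.strip()
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("unbalanced filter")
    return node


def matches(node: tuple, entry: Entry) -> bool:
    kind = node[0]
    if kind == "&":
        return all(matches(child, entry) for child in node[1])
    if kind == "|":
        return any(matches(child, entry) for child in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, value = node
    # Attribute names and DN-valued attributes compare case-insensitively in AD.
    values = [v.lower() for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
    return value.lower() in values


def select(filter_text: str, entries: List[Entry] = AD_SNAPSHOT) -> List[str]:
    """Return the DNs this search rule would hand to the sync."""
    node = parse_filter(filter_text)
    return [e["dn"][0] for e in entries if matches(node, e)]


# The page's rule, and a hardened variant that keeps computer accounts out.
PAGE_RULE = f"(&(objectClass=user)(memberOf={GOOGLE_USERS_DN}))"
HARDENED_RULE = f"(&(objectCategory=person)(objectClass=user)(memberOf={GOOGLE_USERS_DN}))"

if __name__ == "__main__":
    print("page rule     :", select(PAGE_RULE))      # alice and the workstation WS01
    print("hardened rule :", select(HARDENED_RULE))  # alice only
```

Run the module and compare the two lists: the page's rule would create a Google account for WS01 and silently skip Bob. Fixing the nesting problem means either flattening GoogleUsers or listing the nested groups explicitly in the rule; no filter syntax makes memberOf transitive.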

Step 2: The Sovereign Comparison Engine

GCDS fetches the current state of your Google Workspace directory via the Admin SDK Directory API. It performs an attribute-by-attribute comparison (name, department, OU and any other mapped fields) between what LDAP returned and what Google holds. Importantly, it can run in simulation mode, producing a report of exactly what would be added, changed, suspended or deleted before a single byte is written. Run a simulation after every change to a search rule or attribute mapping; an empty LDAP result set looks, to the comparison engine, like a directory in which every user has left.

Step 3: Commit & Validation

Once the simulation is approved, GCDS executes the changes through the API. Users are created, OUs are updated, and "stale" users (those no longer matched by the LDAP filter) are either suspended or deleted according to your deletion policy. The commit is not atomic: each change is its own API call, so an interrupted run can leave the directory partly updated, and the fix is simply to run again, since the comparison converges on the same target state. Deletion limits are evaluated before the commit begins; if a run would remove more objects than the limit allows, nothing is written and the run fails loudly instead of quietly emptying the mirror.
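The three steps above, as one added example that is not GCDS code or anything from the original page: a compare-and-commit pass over two constructed directory snapshots. `plan_sync` produces the change set a simulation run would report and refuses to proceed if the number of removals exceeds a deletion limit; `apply_plan` turns the plan into the resulting state, either suspending or deleting out-of-scope users, and only writes back when simulation is switched off. The `excluded` set stands in for GCDS exclusion rules (the super admin that runs the sync must never be treated as stale); the user records, limits and email addresses are all constructed.

```python
"""Compare-and-commit pass of a GCDS-style one-way user sync.

Added example, not GCDS's own code: it shows the change set a simulation run
reports, the deletion limit that aborts a run before anything is written, and
the choice between suspending and deleting users that dropped out of LDAP
scope.  All directory data below is constructed.
"""
from dataclasses import dataclass, field, replace
from typing import Dict, List, Set


@dataclass(frozen=True)
class User:
    email: str
    name: str
    org_unit: str
    suspended: bool = False


@dataclass
class Plan:
    create: List[User] = field(default_factory=list)
    update: List[User] = field(default_factory=list)  # desired state of changed users
    remove: List[str] = field(default_factory=list)   # emails no longer in LDAP scope


class DeletionLimitExceeded(RuntimeError):
    """Raised before any write, mirroring a GCDS sync-limit abort."""


def plan_sync(ldap_users: Dict[str, User], google_users: Dict[str, User],
              excluded: Set[str], user_limit: int) -> Plan:
    """Diff the LDAP view against the Google view without touching either.

    `excluded` stands for GCDS exclusion rules: accounts that exist only in
    Google (the admin running the sync, break-glass users) and must never be
    counted as stale.
    """
    plan = Plan()
    for email, desired in ldap_users.items():
        current = google_users.get(email)
        if current is None:
            plan.create.append(desired)
        elif current != desired:          # attribute drift, or re-activation of a suspended user
            plan.update.append(desired)
    for email in google_users:
        if email not in ldap_users and email not in excluded:
            plan.remove.append(email)
    if len(plan.remove) > user_limit:
        raise DeletionLimitExceeded(
            f"{len(plan.remove)} users would be removed; limit is {user_limit}")
    return plan


def apply_plan(plan: Plan, google_users: Dict[str, User],
               action: str = "SUSPEND", simulate: bool = True) -> Dict[str, User]:
    """Return the post-sync directory.  With simulate=True the input is left
    untouched, so the return value is the simulation report."""
    target = dict(google_users)
    for user in plan.create + plan.update:
        target[user.email] = user
    for email in plan.remove:
        if action == "DELETE":
            del target[email]
        else:                              # SUSPEND keeps the account and its data, blocks sign-in
            target[email] = replace(target[email], suspended=True)
    if not simulate:
        google_users.clear()
        google_users.update(target)
    return target


# Constructed snapshots: Carol is new in AD, Alice changed OU, Bob has left,
# and admin@ exists only on the Google side.
LDAP_VIEW = {
    "alice@sovereign.corp": User("alice@sovereign.corp", "Alice Ng", "/Finance"),
    "carol@sovereign.corp": User("carol@sovereign.corp", "Carol Diaz", "/Engineering"),
}
GOOGLE_VIEW = {
    "alice@sovereign.corp": User("alice@sovereign.corp", "Alice Ng", "/Sales"),
    "bob@sovereign.corp": User("bob@sovereign.corp", "Bob Lee", "/Finance"),
    "admin@sovereign.corp": User("admin@sovereign.corp", "GCDS Admin", "/"),
}
EXCLUDED = {"admin@sovereign.corp"}


def run_once(user_limit: int = 5, action: str = "SUSPEND") -> Dict[str, User]:
    """One simulated pass: plan, enforce the limit, report the resulting state."""
    plan = plan_sync(LDAP_VIEW, GOOGLE_VIEW, EXCLUDED, user_limit)
    return apply_plan(plan, GOOGLE_VIEW, action=action, simulate=True)


if __name__ == "__main__":
    for email, user in sorted(run_once().items()):
        print(f"{email:24} ou={user.org_unit:13} suspended={user.suspended}")
```

Setting `user_limit` to 0 makes `plan_sync` raise before `apply_plan` is ever reached, which is the behaviour you want when an LDAP outage or a broken search rule returns an empty result set. Note that `current != desired` also fires for a user who was suspended and has since reappeared in LDAP, so a returning employee is reactivated by the same update path.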


Deletion limits and the suspend-instead-of-delete option are what stand between a bad run (an expired bind account, a renamed OU, an emptied group, any of which makes LDAP return nothing) and a sync that suspends or deletes your entire Google directory.

<!-- Hardening your sync to prevent accidental mass deletions.
     Illustrative fragment: the element names are this page's own, not the schema
     of the GCDS configuration file. In a real deployment set the equivalent options
     in GCDS Configuration Manager (Sync Limits, and "suspend instead of delete" for
     users) and let it write the file. -->
<deletion_policy>
  <user_limit>5</user_limit>        <!-- Abort the run if more than 5 users would be removed -->
  <group_limit>2</group_limit>      <!-- Same guard for groups ... -->
  <contact_limit>10</contact_limit> <!-- ... and for shared contacts -->
  <action>SUSPEND</action>          <!-- Suspend rather than delete: the account keeps its data and can be reactivated -->
</deletion_policy>

Size the limits to your directory (a large tenant will legitimately remove more than 5 users in a run) and keep the account that runs the sync in an exclusion rule, so that it can never be counted as stale.

Master the technical ceremonies of hybrid directory synchronization and AD integration.