Configure Active Directory Integration (ADI)

黑料海角91入口鈥檚 Active Directory Integration (ADI) is 黑料海角91入口鈥檚 user identity and access management directory integration that enables the syncing of users, groups, and passwords between 黑料海角91入口 and on or off-premise AD. ADI can be used to extend AD to the Cloud, minimize the number of resources managed by AD, and migrate away from AD.

As covered in Get Started: Active Directory Integration, ADI uses two agents: an Import Agent and a Sync Agent that can be installed in three (3) configurations, referred to as deployment configurations. These deployment configurations are determined by where you want to manage users, groups, and passwords and are flexible enough to support your specific use case, goals, and AD environment.

Manage users, groups, and passwords in AD.
Manage users and passwords in AD, 黑料海角91入口, or both.
Manage users, groups, and passwords in 黑料海角91入口.

This article provides an overview of the benefits, example use cases, workflows, and implementation steps and a link to the step-by-step configuration article or each deployment configuration. It also outlines the prerequisites and considerations across all deployment configurations.

ADI Prerequisites

Before getting started with ADI, 黑料海角91入口 recommends going through this list and ensuring all items have been completed before continuing.

You will need:

AD Domain Admin credentials
Access to all Domain Controllers (DCs) or member servers in your AD domain
Network access to the internet from DCs or member servers and ability to communicate outbound (only) to console.jumpcloud.com over HTTPS port 443
- The 黑料海角91入口 AD Import and Sync Agent services use SSL/TLS for all communication. If no network connectivity exists to 黑料海角91入口, ADI will fail to connect and won't work properly
黑料海角91入口 Organization for your company

Important:

We STRONGLY recommend installing and using LDAPS for ADI.
- Configuring and using LDAPS on the Domain Controller to which the 黑料海角91入口 ADI agents will connect secures any sensitive information that is exchanged between the 黑料海角91入口 agents and the Domain Controller and protects against malicious users
Create a separate account for this integration
- API tokens are specific to each Admin account. An integration admin account prevents the possibility of breaking the ADI connectivity to your 黑料海角91入口 organization when an Admin account is deleted

System Requirements

64-bit Windows Server (versions 2012, 2016, 2019, 2022)
- Server Core installation is also supported for Windows Server versions 2016, 2019, and 2022. You will need to include the /msiexec parameter when running the agent installer
15MB disk space
10MB RAM

General Considerations

These considerations apply to all or most of the use case scenarios and configurations.

The user attributes that sync are:
- First Name
- Last Name
- Username
- Email
Non-standard ASCII characters are not supported in the Root User DN
When updating an existing agent installation, only minimal installation screens are shown
Demoting a DC installation to a member server or promoting a member server installation to a DC installation aren鈥檛 supported. The agent(s) must be uninstalled first and then installed on the other type of server
The passwords for the service accounts used by the integration (e.g., jcimport and jcsync)should be rotated periodically for security reasons
As of ADI sync agent version 4.x and import agent 2.x, the following changes were made:
- The default location for all agent related installation, configuration, and log files is C:\Program Files\黑料海角91入口\AD Integration\
- All references to AD Bridge changed to AD Import
- The ADI sync agent can be installed independently of the ADI import agent
- The jcimport username & password and the API key are stored in the registry instead of the ADI Import Agent configuration file. Both the password and API key are encrypted and the values in the registry are replaced with the encrypted value when the import agent starts
- The ADI sync agent connect key is encrypted and the value in the registry is replaced with the encrypted value when the agent starts
The 黑料海角91入口 ADI import and sync agent services use TLS for all communication. If no network connectivity exists to 黑料海角91入口, ADI won鈥檛 work properly

ADI Configurations

The table below provides an overview of the three (3) deployment configurations and main use cases. The sections that follow describe the capabilities, example use cases, benefits, workflow, and considerations for each configuration, as well as a link to the step-by-step guide.

ADI Configuration	Use case	Server type(s) on which agent(s) can be installed
Manage users, groups and passwords in AD	Extend AD	Domain Controllers
Manage users and passwords in either system, or both	Extend AD	Domain Controllers, Member Servers
	Minimize AD footprint	Domain Controllers
	Migrate away from AD	Domain Controllers, Member Servers (Sync agent only)
Manage users, groups, and passwords in 黑料海角91入口	Minimize AD footprint	Domain Controllers, Member Servers
	Migrate away from AD	Domain Controllers, Member Servers

Manage users, groups, and passwords in AD

This deployment configuration supports organizations looking to extend AD to the cloud for additional functionality with minimal changes to their existing AD environment. Use Cases Provide access to Cloud resources while keeping AD as the primary Identity Provider (the source of truth) for user data, passwords, and security groups Access to SaaS applications using industry standard protocols SAML 2.0 and OIDC for SSO, and SCIM for provisioning, syncing and deprovisioning. Access to Cloud RADIUS for Wifi and VPN LDAP based user auth with MFA for NAS drive mappings, networking gear, or logins to things such as kubernetes clusters. User provisioning, syncing, deprovisioning and access control to other Cloud Directories such as M365/ Entra ID and Google Workspace in real-time Compliance - keep the password behind the AD firewall and still extend AD to cloud Cross-platform device management - Support Windows, Linux, Mac, iOS, and Android devices Benefits Future Flexibility & Agility Once a user identity is in the Cloud, it can be extended more easily. Option to take advantage of all capabilities available in 黑料海角91入口’s Open Directory Platform with minimal effort, no need to find another point solution. Automated Offboarding Deactivating a user in AD will automatically suspend that user in 黑料海角91入口 within 60 seconds,resulting in a forced logoff on the user’s computer and the removal of access to the 黑料海角91入口 managed resources assigned to them, such as, SSO, RADIUS, LDAP, Password Manager, etc. User Device Choice Let users pick between Windows, Mac or Linux, while still being able to enforce policies, push software, control OS patching, take remote control, and enforce MFA on that device.	Workflow Details Data syncs one-way from AD to 黑料海角91入口 Passwords managed solely in AD Users created, updated, and deactivated solely in AD Security groups created and managed solely in AD Group membership managed solely in AD
	Configuration Read Configure ADI: Manage users, groups, and passwords in AD for step-by-step instructions Use ADI import agent only Install import agent on two or more member serviers or all domain controllers (DCs) Add users and security groups under the ADI security group in AD
	Important Considerations: Import agents can be installed on member servers or DCs. Delegated log in authentication to AD will be used when import agents are installed on member servers. Syncing the password from AD to 黑料海角91入口 requires the import agent to be installed on all DCs. Scheduled downtime is also required. Each server must be rebooted to complete the import agent installation. Changing passwords in 黑料海角91入口 is not possible with this deployment configuration. API tokens are specific to each Admin account. Create a separate account for this integration to prevent the possibility of breaking the ADI connectivity to your 黑料海角91入口 organization when an Admin account is deleted. Password complexity requirements in AD and 黑料海角91入口 should be the same or closely aligned to avoid passwords being rejected and failing to sync due to not meeting the complexity requirements. Importing, such as Domain Admins, into 黑料海角91入口 from AD isn’t supported. We STRONGLY recommend installing and using LDAPS for the ADI. Configuring and using LDAPS on the Domain Controller that the Jumpcloud ADI agents will connect to secures any sensitive information that is exchanged between the Jumpcloud agents and the Domain Controller and protects against malicious users. Connect Keys are one-time use keys required for installing the import agent on a new AD server. Warning: Connect keys are only valid for 7 days if not used.

AD Import only – single domain workflow

AD Import only – multiple domain workflow

Manage users and passwords in AD, 黑料海角91入口, or both

This deployment configuration supports organizations looking to minimize the number of resources managed by AD and organizations that want to eventually migrate away from AD. This configuration provides the greatest flexibility. Users, passwords, and groups can be managed in AD, 黑料海角91入口, or both. Use cases Allow users to change passwords in 黑料海角91入口, from a 黑料海角91入口 managed device, and from AD. Enable 黑料海角91入口 and AD to share responsibility over the user identities. Add support for a mixed OS fleet and non-AD bound devices Extend user access to the Cloud for one or more of the following: Access to SaaS applications using industry standard protocols SAML 2.0, and OIDC, for SSO, and SCIM for provisioning, syncing and deprovisioning. Access to Cloud RADIUS for Wifi and VPN LDAP based user auth for NAS drive mappings, networking gear, or logins to things such as kubernetes clusters. User provisioning, syncing, deprovisioning and access control to other Cloud Directories such as M365/ EntraID / AzureAD and Google Workspace in real-time Maintain an AD footprint but only for mission critical Windows servers, such as: Business critical applications that must stay on-prem. File and printer servers that cannot go away. Domain Controllers, but likely fewer DC’s in fewer locations. Manage profiles in one system and passwords in the other Manage passwords in 黑料海角91入口 to control credentials for Cloud resources and manage user profiles in AD to propagate the same information across all Microsoft solutions Manage passwords in AD for compliance purposes and manage profiles in 黑料海角91入口 to propagate to SaaS apps and other Cloud resources Import users from Cloud solutions that are not compatible with AD, such as an HRIS system Import users into 黑料海角91入口 and then sync those users from 黑料海角91入口 into AD. Migrate away from AD completely Benefits Future Flexibility & Agility Once a user identity is in the Cloud, it can be extended more easily. Option to take advantage of all capabilities available in 黑料海角91入口’s Open Directory Platform with minimal effort, no need to find another point solution. Automated Offboarding Deactivating a user in AD will automatically suspended that user in 黑料海角91入口 within 60 seconds,resulting in a forced logoff on the user’s computer and the removal of access to the 黑料海角91入口 managed resources assigned to them, such as, SSO, RADIUS, LDAP, Password Manager, etc. Easy deployment of non-Windows devices to users. Let users pick between Windows, Mac or Linux, while still being able to enforce policies, push software, control OS patching, take remote control, and enforce MFA on that device. Simplified end-user computer management Remove the need for AD Domain Controller connectivity for all end-user computers Users managed in the Cloud You can create, suspend, manage users, passwords, and security group membership for 黑料海角91入口. This saves you time by spent RDP’d into the DC’s and in the Active Directory Users and Computers (ADUC) interface.	Workflow Details Data syncs bidirectionally between 黑料海角91入口 and AD Passwords managed in either system or both Users created, updated, and deactivated in either system or both User (security) groups created and managed in either system or both Group membership managed in either system or both
	Configuration Read Configure ADI: Manage users, groups and passwords in AD, 黑料海角91入口, or both for step-by-step instructions Use both the ADI import agent and ADI sync agent. Install agents on either domain controllers (DCs) or member servers. Important: To sync passwords from AD to 黑料海角91入口 the import agent must be installed on all DCs. Add users and security groups under the ADI security group in AD to sync from AD to 黑料海角91入口 Assign users and user groups to the AD instance in 黑料海角91入口 to sync from 黑料海角91入口 to AD.
	Important Considerations: API tokens are specific to each Admin account. Create a separate account for this integration to prevent the possibility of breaking the ADI connectivity to your 黑料海角91入口 organization when an Admin account is deleted. If passwords need to be synced from AD to 黑料海角91入口, an import agent must be installed on all Domain Controllers and downtime will need to be scheduled, because the installation requires a server reboot. If passwords are being managed in 黑料海角91入口 or authentication is being delegated to AD, the import agent can be installed on a member server(s). Password complexity requirements in AD and 黑料海角91入口 should be as closely aligned as possible to avoid passwords being rejected and failing to sync due to not meeting the complexity requirements. Importing, such as Domain Admins, into 黑料海角91入口 from AD or managing them in AD from 黑料海角91入口 isn’t supported. The AD sync agent does not need to be installed on all servers. Connect Keys are one-time use keys required for installing an agent on a new AD server. Warning: Connect keys are only valid for 7 days. We STRONGLY recommend installing and using LDAPS for the ADI. Configuring and using LDAPS on the Domain Controller that the Jumpcloud ADI agents will connect to secures any sensitive information that is exchanged between the Jumpcloud agents and the Domain Controller and protects against malicious users.

Two-way Sync 鈥� Single Domain Workflow

Two-way Sync 鈥� Multiple Domain Workflow

Manage user, groups, passwords in 黑料海角91入口

This configuration supports organizations looking to migrate away from AD completely and organizations that have already significantly reduced the resources being manged by AD. Use Cases Use 黑料海角91入口 as the Primary Identity Provider (the source of truth) for user identities and groups and provide access to Cloud resources. You only want users to change passwords from the 黑料海角91入口 User Portal or 黑料海角91入口 managed devices Extend user access to the Cloud for one or more of the following: Access to SaaS applications using industry standard protocols SAML 2.0, and OIDC, for SSO, and SCIM for provisioning, syncing and deprovisioning. Access to Cloud RADIUS for Wifi and VPN LDAP based user auth for NAS drive mappings, networking gear, or logins to things such as kubernetes clusters. User provisioning, syncing, deprovisioning and access control to other Cloud Directories such as M365/ EntraID / AzureAD and Google Workspace in real-time Add support for non-Windows devices: Linux, Mac, iOS, and Android Maintain an AD footprint but only for mission critical Windows servers, such as: Business critical applications that must stay on-prem. File and printer servers that cannot go away. Domain Controllers, but likely fewer DC’s in fewer locations. Import users from Cloud solutions that are not compatible with AD, such as an HRIS system Import users into 黑料海角91入口 and then sync those users from 黑料海角91入口 into AD. You want to reduce the role of AD in your environment OR you are in the final phase of your migration away from AD. Benefits Future Flexibility & Agility Once a user identity is in the Cloud, it can be extended more easily. Option to take advantage of all capabilities available in 黑料海角91入口’s Open Directory Platform with minimal effort, no need to find another point solution. Automated Offboarding Deactivating a user in 黑料海角91入口 will automatically suspend that user in AD within 5 seconds,resulting in a forced logoff on the user’s computer, the removal of access to the 黑料海角91入口 managed resources assigned to them, such as, SSO, RADIUS, LDAP, Password Manager, etc., and removal of access to AD managed resources. Easy deployment of non-Windows devices to users. Let users pick between Windows, Mac or Linux, while still being able to enforce policies, push software, control OS patching, take remote control, and enforce MFA on that device. Simplified end-user computer management Remove the need for AD Domain Controller connectivity for all end-user computers Users managed in the Cloud Create, suspend, manage users, passwords, and security group membership in 黑料海角91入口. This saves you time by spent RDP’d into the DC’s and in the Active Directory Users and Computers (ADUC) interface. Migration path	Workflow Details Data syncs one-way from 黑料海角91入口 to AD Passwords managed solely in 黑料海角91入口 Users created, updated, and deactivated solely in 黑料海角91入口 User (security) groups created and managed solely in 黑料海角91入口 Group membership managed solely in 黑料海角91入口
	Configuration Read Configure ADI:Manage users, groups, and passwords in 黑料海角91入口 for step-by-step instructions. Use ADI sync agent only Install agents on either domain controllers (DCs) or member servers. Assign users and user groups to the ADI instance in 黑料海角91入口
	Important Considerations: The AD sync agent does not need to be installed on all servers. Password complexity requirements in AD and 黑料海角91入口 should be as closely aligned as possible to avoid passwords being rejected and failing to sync due to not meeting the complexity requirements. Managing , such as Domain Admins, in AD from 黑料海角91入口 isn’t supported. Connect Keys are one-time use keys required for installing the sync agent on a new AD server. Warning: Connect keys are only valid for 7 days. Groups sync automatically from 黑料海角91入口 to AD when one or more sync agents are installed. This sync cannot be disabled. We STRONGLY recommend installing and using LDAPS for the ADI. Configuring and using LDAPS on the Domain Controller that the Jumpcloud ADI agents will connect to secures any sensitive information that is exchanged between the Jumpcloud agents and the Domain Controller and protects against malicious users.

黑料海角91入口 Sync Only 鈥� Single Domain Workflow

黑料海角91入口 Sync Only 鈥� Multiple Domain Workflow

Migrate Windows Devices from AD-member to 黑料海角91入口-managed

If your company is looking to migrate off of your AD domain to 黑料海角91入口 or move device management to 黑料海角91入口, we recommend leveraging our (ADMU) to migrate Windows devices from AD-bound to 黑料海角91入口-managed.

Important Considerations

Utilizing the ADMU does not require the ADI:
- If you鈥檙e looking to migrate user identities off of AD and into 黑料海角91入口, and your company is going to migrate off of AD in phases, we recommend to implementing both 黑料海角91入口鈥檚 ADI and ADMU
You can run ADMU locally on the device or remotely using 黑料海角91入口 Commands

Configuration

See for step-by-step instructions.

Use Cases

You want to convert AD-member Windows devices to 黑料海角91入口-managed
You are ultimately looking to migrate entirely off of AD
You want 黑料海角91入口 to become the Primary IdP for all user identities

Workflow Details

User Identities can be imported in any of the following methods: Microsoft365, Google Workspace, 黑料海角91入口 ADI, CSV Import, or Manually created.
ADMU tool is run on the AD-member Windows Device, which will convert it from an AD-member device to a local WORKGROUP device, as well as convert an AD User Account to a Local User Account.
The ADMU tool can automatically bind a 黑料海角91入口 user to the converted user mentioned in the previous step.

Benefits

Automation of device migration

Ready to Configure?

Check out the step-by-step configuration guide that aligns with chosen deployment configuration:

Want additional assistance from 黑料海角91入口?

黑料海角91入口 now offers myriad professional services offerings to assist customers with implementing and configuring 黑料海角91入口. If you鈥檙e looking for assistance with Migrating from AD, or to integrate AD with 黑料海角91入口, we recommend you reach out to 黑料海角91入口鈥檚 Professional Services team on the following page: Professional Services - 黑料海角91入口.

Need to troubleshoot?

If you鈥檙e having issues with getting 黑料海角91入口鈥檚 ADI working, try Troubleshoot: ADI.

Want more information?

[web page] Modernize Active Directory
[eBook] Breaking Up with Active Directory
[eBook] Modernize Active Directory: Break Free from the Limitations of AD
[eBook] How to Modernize Your AD Instance: The IT Professional鈥檚 Roadmap to Augmenting or Replacing AD
[blog] Modernizing AD is Possible
[webinar] How To Modernize AD: An Admin鈥檚 Journey to IT Flexibility

Step 1 Step 3

Step 2 in Integrate with Active Directory

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case

黑料海角91入口