The 黑料海角91入口 Active Directory Integration (ADI) enables the syncing of users, groups, and passwords between 黑料海角91入口 and on-premise or off-premise AD. As covered in Get Started with the Active Directory Integration, the ADI uses two agents: an Import Agent and a Sync Agent that can be installed in three (3) configurations which are based on where you want to manage users, groups, and passwords.
- Manage users, groups, and passwords in AD.
- Manage users, groups, and passwords in 黑料海角91入口.
- Manage users and passwords in either system, or both.
This article provides a step-by-step guide for configuring ADI to manage users, security groups, and passwords in 黑料海角91入口. This configuration supports organizations looking to minimize their AD footprint or migrate away from AD completely.
Important Considerations
- Password complexity requirements in AD and 黑料海角91入口 should be as closely aligned as possible to avoid passwords being rejected and failing to sync due to not meeting the complexity requirements
- Managing privileged user accounts, such as Domain Admins, in AD from 黑料海角91入口 isn't supported
- Connect Keys are one-time use keys required for installing the sync agent on a new AD server
The Connect Key will expire in 7 days if it is not used.
- Groups sync automatically from 黑料海角91入口 to AD when one or more sync agents are installed. This sync cannot be disabled
- We strongly recommend installing and using LDAPS for the ADI. Configuring and using LDAPS on the Domain Controller that the Jumpcloud ADI agents will connect to secures any sensitive information that is exchanged between the Jumpcloud agents and the Domain Controller and protects against malicious users
- When multiple AD sync agents are installed, one is designated as the primary agent by the ADI service. All create and change requests are sent to that agent. If that agent becomes unavailable, another active sync agent is automatically designated as the primary
Configuration
- Use ADI sync agent only
- Install agents on either domain controllers (DCs) or member servers
- Assign users and user groups to the AD instance in 黑料海角91入口
Use Cases
- Use 黑料海角91入口 as the Primary Identity Provider (the source of truth) for user identities and groups and provide access to Cloud resources
- You want users to only change passwords from the 黑料海角91入口 Use Portal or 黑料海角91入口 managed devices
- Extend user access to the Cloud for one or more of the following:
- Access to SaaS applications using industry standard protocols SAML 2.0, and OIDC, for SSO, and SCIM for provisioning, syncing and deprovisioning
- Access to Cloud RADIUS for Wifi and VPN
- LDAP based user auth for NAS drive mappings, networking gear, or logins to things such as kubernetes clusters
- User provisioning, syncing, deprovisioning and access control to other Cloud Directories such as M365/ Entra ID and Google Workspace in real-time
- Add support for a mixed OS fleet
- Maintain an AD footprint but only for mission critical Windows servers, such as:
- Business critical applications that must stay on-prem
- File and printer servers that cannot go away
- Domain Controllers, but likely fewer DCs in fewer locations
- Import users from Cloud solutions that are not compatible with AD, such as an HRIS system:
- Import users into 黑料海角91入口 and then sync those users from 黑料海角91入口 into AD
- You want to reduce the role of AD in your environment OR you are in the final phase of your migration away from AD
Workflow Details
- Data syncs one-way from 黑料海角91入口 to AD
- Passwords managed solely in 黑料海角91入口
- Users created, updated, and deactivated solely in 黑料海角91入口
- User (security) groups created and managed solely in 黑料海角91入口
- Group membership managed solely in 黑料海角91入口
Benefits
- Future Flexibility & Agility
- Once a user identity is in the Cloud, it can be extended more easily
- Option to take advantage of all capabilities available in 黑料海角91入口's Open Directory Platform with minimal effort, no need to find another point solution
- Automated Offboarding
- Deactivating a user in 黑料海角91入口 automatically suspends the user in Active Directory within 5 seconds, resulting in a forced logoff on the user's computer and the removal of access to the 黑料海角91入口 managed resources assigned to them, such as SSO, RADIUS, LDAP, Password Manager, etc.
- Easy deployment of non-Windows devices to users.
- Let users pick between Windows, Mac or Linux, while still being able to enforce policies, push software, control OS patching, take remote control, and enforce MFA on that device
- Simplified end-user computer management
- Remove the need for AD Domain Controller connectivity for all end-user computers
- Users managed in the Cloud
- You can create, suspend, and manage users, passwords, and security group membership in 黑料海角91入口. This saves the time you would otherwise spend RDP'd into the DCs and working in the Active Directory Users and Computers (ADUC) interface
- Migration path
Workflow for Managing Users, Groups, and Passwords in 黑料海角91入口
黑料海角91入口 Sync Only - Single Domain Workflow
黑料海角91入口 Sync Only - Multiple Domain Workflow
When the 黑料海角91入口 ADI is configured for AD sync only, the following is the general user identity workflow and expected behavior for user, group, and password changes after the AD sync agents have been configured.
- User identities can be created and managed within 黑料海角91入口 only.
- Users must be connected directly to the ADI in 黑料海角91入口 or members of one or more user groups connected to the integration.
- Passwords must be changed within 黑料海角91入口. After a password change, the new password is pushed to AD via the sync agent within 90 seconds.
- User attribute changes must be made within 黑料海角91入口. After any supported user attribute change (First Name, Last Name, Username, E-mail, Password, User State: Enabled or Disabled), the 黑料海角91入口 sync agent exports the update to AD within 90 seconds.
- Disabling User Accounts in AD can be done in one of two ways:
- Suspending users that are connected to the AD integration in 黑料海角91入口. The 黑料海角91入口 Sync Agent disables the user in AD within 90 seconds.
- Removing the user from the ADI and from any groups that connect the user to the AD in the 黑料海角91入口 Admin Portal.
- Removing user accounts in AD must be done manually in AD.
System Requirements
- 64-bit Windows Server (versions 2012, 2016, 2019, 2022)
- Server Core installation is also supported for Windows Server versions 2016, 2019, and 2022. You will need to include the /msiexec parameter when running the agent installer
- 15MB disk space
- 10MB RAM
Considerations
- The user attributes that sync are:
- First Name
- Last Name
- Username
- Non-standard ASCII characters are not supported in the Root User DN
- When updating an existing agent installation, only minimal installation screens are shown:
- Upgrade Installation notes
- Only minimal screens shown
- Directory for where the installation should occur
- Finish screen
- Demoting a DC installation to a member server and promoting a member server installation to a DC aren't supported. The agent(s) must be uninstalled first and then installed on the other type of server
- The passwords for the server accounts used by the integration (e.g., jcimport and jcsync) should be rotated periodically for security reasons
- As of ADI sync agent version 4.x, the following changes were made:
- The default location for all agent related installation, configuration, and log files is C:\Program Files\黑料海角91入口\AD Integration\
- The ADI sync agent can be installed independently of the ADI import agent
- The ADI sync agent connect key is encrypted and the value in the registry is replaced with the encrypted value when the agent starts
- The 黑料海角91入口 AD sync agent services use TLS for all communication. If no network connectivity exists to 黑料海角91入口, the ADI won't work properly
- The AD Domain and Root User container DN needs to match the Domain and Root User container configured for AD Sync
- To validate the AD Import agent Root User container DN before you install the AD Sync Agent, see Installing the AD Import Agent: How to modify the Root User container used by AD Import
- Each time you download an AD Sync agent, you receive a new Connect Key for that installation. Connect Keys are one-time use keys
- Managing privileged user accounts, such as Domain Admins in AD, isn't supported. AD flags privileged accounts with "adminCount=1" in the directory, which causes any inherited permissions granted to the 黑料海角91入口 AD agent services to be removed. This prevents 黑料海角91入口 from effectively managing those privileged accounts
Installation Steps Overview
The main steps you will take to install and configure AD for this use case are:
- Complete the Prerequisite Checklist.
- Determine the Root User container in AD.
- Create the AD Sync Service Account.
- Delegate control for the AD Sync Service Account.
- Create an AD domain instance in 黑料海角91入口.
- Select your configuration and download the agent.
- [Optional] Perform a one-time import of users from AD to 黑料海角91入口.
- Run the AD Sync Agent Installation Wizard on AD servers.
- Verify AD sync.
Prerequisite Checklist
Before installing the ADI sync agent, we recommend completing each item in the following checklist before continuing:
- Know your AD Domain Admin credentials.
- Decide whether you want to install the sync agents on your AD domain's non-DC Domain Member Servers or Domain Controllers (DCs).
- If installing on DCs, we recommend that you install the AD Sync agent on your Primary DC and any DC impacted by extended replication delays
- Verify you have access to all DCs or non-DC Domain Member Servers in the AD domain.
- Ensure your DCs or non-DC Domain Member Servers are running on a 黑料海角91入口 supported 64-bit Windows Server version (2012, 2016, 2019, 2022).
- Verify DCs or non-DC Domain Member Servers have network access to the internet and are able to communicate outbound to console.jumpcloud.com over HTTPS port 443.
- Create a dedicated Administrator account in 黑料海角91入口 that is specifically for the ADI.
API tokens are specific to each Admin account. Create a separate account for this integration to prevent the possibility of breaking the ADI connectivity to your 黑料海角91入口 organization when an Admin account is deleted.
- Verify all users to be synced from 黑料海角91入口 to AD have a value for first name and last name in 黑料海角91入口.
- Align password complexity requirements between AD and 黑料海角91入口 as closely as possible. Otherwise, passwords may not replicate if they're rejected by the destination directory's complexity requirements.
- [Strongly recommended] Install LDAPS.
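The checklist above can be run as a read-only preflight from the server you intend to install the agent on. The following PowerShell is an added example written for this article; it is not 黑料海角91入口's own tooling. It assumes the RSAT ActiveDirectory module is installed, uses the domain's PDC emulator as the default DC to test LDAPS against, and checks outbound HTTPS to console.jumpcloud.com; the password policy values it prints are for you to compare against the policy configured in 黑料海角91入口.

```powershell
# Added example (not from the article): preflight for the ADI prerequisite checklist.
Import-Module ActiveDirectory

function Test-LdapsHandshake {
    # Completes a real TLS handshake against port 636 and reports the server certificate,
    # so you know LDAPS is usable before the installer asks about falling back to LDAP.
    param([Parameter(Mandatory)][string]$DomainController)
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($DomainController, 636)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($DomainController)   # throws if the chain or name fails validation
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        return [pscustomobject]@{ Ok = $true; Subject = $cert.Subject; NotAfter = $cert.NotAfter; Error = $null }
    } catch {
        return [pscustomobject]@{ Ok = $false; Subject = $null; NotAfter = $null; Error = $_.Exception.Message }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        if ($tcp) { $tcp.Dispose() }
    }
}

function Test-AdiPrerequisites {
    param(
        [string]$DomainController = (Get-ADDomain).PDCEmulator,   # assumption: test LDAPS on the PDC emulator
        [string]$CloudHost = 'console.jumpcloud.com'
    )
    $os     = Get-CimInstance Win32_OperatingSystem
    $policy = Get-ADDefaultDomainPasswordPolicy
    [pscustomobject]@{
        OsCaption           = $os.Caption                      # must be a supported 64-bit Windows Server
        Is64Bit             = $os.OSArchitecture -like '64*'
        FreeDiskMB          = [math]::Round((Get-PSDrive -Name C).Free / 1MB)   # agent needs 15MB
        # Outbound HTTPS to the cloud console on 443 (checklist item)
        CloudHttpsReachable = (Test-NetConnection -ComputerName $CloudHost -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded
        Ldaps               = Test-LdapsHandshake -DomainController $DomainController
        # Compare these three against the password policy set in the cloud directory
        AdMinPasswordLength = $policy.MinPasswordLength
        AdComplexityEnabled = $policy.ComplexityEnabled
        AdPasswordHistory   = $policy.PasswordHistoryCount
    }
}

Test-AdiPrerequisites | Format-List
```

A failed `Ldaps.Ok` with a certificate error in `Ldaps.Error` is the case to resolve before installation, since the installer's fallback to plain LDAP is exactly what the article warns against.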
Prepare for Installing the Agent
To export and update user attributes, passwords and security groups from 黑料海角91入口 to AD, you'll need to install a 黑料海角91入口 AD sync agent on your AD domain's non-DC Domain Member Servers (member servers) or Domain Controllers (DCs). Complete the steps below to prepare for installing the agents on your server(s).
Determine the Root User Container in AD
You must specify the Root User Container during the 黑料海角91入口 AD sync agent installation. AD's default 'Users' container (CN=Users) is pre-populated in the AD Users and Computers (ADUC) interface and labeled as "Users", as shown in the following image.
If you want to use AD鈥檚 default Root User container, the value you will need to enter during the AD sync agent installation is:
- CN=Users;DC=example;DC=com
If AD's default Root User container (CN=Users) isn't the Root User Container you want to use for your AD integration, follow the steps below to get the distinguishedName value you will need to enter during the AD sync agent installation.
- Verify the full LDAP path for the chosen Root user container you have selected in ADUC:
- From the ADUC panel鈥檚 View menu, enable Advanced Features.
- Right-click the container and select Properties.
- Select the Attribute Editor tab.
- Select the "distinguishedName" attribute, then click View.
- Note the value. It will need to be entered during the AD sync agent installation.
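The distinguishedName that ADUC shows is comma-separated, while the installer (and the domain instance form later in this article) wants the values separated by semicolons with CN, OU and DC in capitals. The following PowerShell is an added example, not code from 黑料海角91入口, that reads the container DN from AD and rewrites it into that form, and also warns about the non-ASCII characters the Considerations section says are unsupported. It assumes the RSAT ActiveDirectory module; the OU name "Corporate Users" is the sample used later in this article.

```powershell
# Added example (not from the article): render a container DN in the sync agent's expected format.
Import-Module ActiveDirectory

function Convert-DnToInstallerFormat {
    # "OU=Corporate Users,DC=example,DC=com" -> "OU=Corporate Users;DC=example;DC=com"
    param([Parameter(Mandatory)][string]$DistinguishedName)

    # Split on unescaped commas only; an escaped comma ("\,") inside an RDN value is kept intact.
    $rdns  = [regex]::Split($DistinguishedName, '(?<!\\),')
    $parts = foreach ($rdn in $rdns) {
        $type, $value = $rdn.Trim() -split '=', 2
        if ($type.ToUpperInvariant() -notin 'CN', 'OU', 'DC') {
            throw "Unexpected attribute type '$type' in RDN '$rdn'"
        }
        # Attribute types must be capitalised; the value keeps the case stored in AD
        '{0}={1}' -f $type.ToUpperInvariant(), $value
    }
    $installerDn = $parts -join ';'
    if ($installerDn -match '[^\x20-\x7E]') {
        Write-Warning 'Non-standard ASCII characters are not supported in the Root User DN'
    }
    return $installerDn
}

# Default container: CN=Users, taken straight from the domain object
$domain = Get-ADDomain
Convert-DnToInstallerFormat -DistinguishedName $domain.UsersContainer
# -> CN=Users;DC=example;DC=com for the example.com domain

# A custom OU looked up by the name shown in ADUC (sample name; use the container you chose)
foreach ($ou in Get-ADOrganizationalUnit -Filter "Name -eq 'Corporate Users'") {
    Convert-DnToInstallerFormat -DistinguishedName $ou.DistinguishedName
}
```

If the chosen container is a CN-type container rather than an OU, look it up with Get-ADObject instead of Get-ADOrganizationalUnit; the conversion is the same.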
Create the AD Sync Service Account in AD
After you identify the Root User Container ('Root user DN') that you want to use with your 黑料海角91入口 AD integration, create a new AD-based service account (standard user account) that allows the 黑料海角91入口 AD sync agent to manage users and groups.
- Open the ADUC Menu.
- Click the Start button, type "dsa", and click the Active Directory Users and Computers icon.
- Right click on the container and click New > User.
This user cannot:
- Be a Domain Administrator.
- Have the username "黑料海角91入口".
- Be a member of the 黑料海角91入口 security group.
- Enter the following values for the 黑料海角91入口 Sync Service Account user:
- First Name - JumpCloud
- Last Name - Sync
- User logon name - jcsync
Use jcsync to distinguish what this user is for and to which agent it is attached.
The user logon name cannot be "黑料海角91入口".
- Click Next
- Enter a password for the jcsync user and ensure that it is set to Never Expire since this will be a service account for the Sync Agent.
This password should still be rotated periodically for security reasons.
- Click Save.
Delegate control for the AD Sync Service Account in AD
- Navigate to the Root User Container in ADUC that you have selected, right-click the container and select Delegate Control. This launches the Delegation of Control Wizard.
- Click Next.
- Add the newly created service account user to the Delegation of Control Wizard.
- Click Next, then select the following tasks:
- Create, delete, and manage user accounts
- Reset user passwords and force password change at next logon
- Read all user information
- Create, delete, and manage groups
- Modify the membership of a group
- Click Next, and then Finish.
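Both of the preceding procedures (creating the jcsync account and delegating control over the Root User Container) can be scripted and, more importantly, verified. The PowerShell below is an added example and not 黑料海角91入口's code: it creates the service account with a non-expiring password, checks the three restrictions the article places on that account, and then lists the ACEs on the container that name jcsync so you can confirm what the Delegation of Control Wizard actually granted. It assumes the RSAT ActiveDirectory module and uses the sample DN "OU=Corporate Users,DC=example,DC=com"; the group-membership check looks at direct membership only.

```powershell
# Added example (not from the article): create and verify the AD sync service account.
Import-Module ActiveDirectory

$rootDn  = 'OU=Corporate Users,DC=example,DC=com'   # sample value; use the DN you noted in ADUC
$samName = 'jcsync'
$domain  = Get-ADDomain

# Standard user with a password set to never expire, as the steps above describe.
$password = Read-Host -Prompt "Password for $samName (record it in your password manager)" -AsSecureString
New-ADUser -Name 'JumpCloud Sync' -GivenName 'JumpCloud' -Surname 'Sync' `
    -SamAccountName $samName -UserPrincipalName "$samName@$($domain.DNSRoot)" `
    -Path $rootDn -AccountPassword $password -Enabled $true `
    -PasswordNeverExpires $true -ChangePasswordAtLogon $false

function Test-SyncServiceAccount {
    # Returns the list of article restrictions the account violates; empty means all passed.
    param([Parameter(Mandatory)][string]$SamAccountName, [string]$ReservedName = '黑料海角91入口')
    $user   = Get-ADUser -Identity $SamAccountName -Properties MemberOf
    $groups = @($user.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).SamAccountName })
    $problems = @()
    if ($SamAccountName -ieq $ReservedName) { $problems += "logon name must not be '$ReservedName'" }
    if ($groups -contains 'Domain Admins')  { $problems += 'account must not be a Domain Administrator' }
    if ($groups -contains $ReservedName)    { $problems += "account must not be in the '$ReservedName' security group" }
    return $problems
}

function Get-DelegatedRights {
    # Lists the ACEs on the container that name the sync account, so the wizard's result can be
    # reviewed without clicking through the Security tab.
    param([Parameter(Mandatory)][string]$ContainerDn, [Parameter(Mandatory)][string]$Principal)
    (Get-Acl -Path "AD:\$ContainerDn").Access |
        Where-Object { $_.IdentityReference.Value -ieq $Principal } |
        Select-Object ActiveDirectoryRights, AccessControlType, InheritanceType, ObjectType, InheritedObjectType
}

Test-SyncServiceAccount -SamAccountName $samName
Get-DelegatedRights -ContainerDn $rootDn -Principal "$($domain.NetBIOSName)\$samName" | Format-Table -AutoSize
```

Run `Get-DelegatedRights` after the wizard completes; the entries should cover only the user and group tasks selected above, which keeps the account at the least privilege the integration needs.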
Install the AD Sync Agent
Create an ADI instance in 黑料海角91入口
Create a new ADI domain instance in 黑料海角91入口 if one does not already exist:
- Log in to the 黑料海角91入口 Admin Portal.
- Navigate to Directory Integrations > Active Directory.
- Click ( + Add ADI Domain ).
- Select Manage users and passwords in 黑料海角91入口.
- Enter the name of an Active Directory domain that you want to integrate with your 黑料海角91入口 tenant. For example, "DC=example;DC=com".
The "DC" must be in capital letters. Each value must be separated with a semicolon (;), not a comma. There should be no spaces. The domain case must be the same as it is in the AD import configuration file.
- Click Save.
Download the Sync agent
- Click Download Sync Agent.
- The Sync Agent installer will automatically save to your local Downloads folder.
- The Install Sync Agent modal appears and you will be presented with the AD Sync Agent Installation Connect Key. This is the unique one-time use key that is required to connect the Sync Agent to your 黑料海角91入口 Org and this AD domain Integration within 黑料海角91入口. You will input this key during the AD Sync Agent install in the steps below. Click Copy and save it to a password manager for later use.
- Click Close.
- Click Configure ADI.
- A Details page will appear.
- Click Save.
Perform a one-time import of users from AD to 黑料海角91入口 (Optional)
If you need to import all your users or a subset of users from AD to 黑料海角91入口, there are two options:
- Import users using a CSV
- Install the AD import agent and sync users
Option 1: Import users using a CSV
- Export all users you want created in 黑料海角91入口 to a .csv file
- Follow the instructions in Import Users from CSV with the PowerShell Module.
Option 2: Install the AD import agent and sync users
- From the Details tab of the Active Directory Domain instance you created above, expand the Manage users and passwords in either system, or both section.
- Click the checkbox for This is my use case.
- Click Download Import Agent.
- Follow the instructions in Configure ADI to Manage Users, Security Groups, and Passwords in AD.
- Add all users you want imported into 黑料海角91入口 into the ADI security group you created.
- Verify that the users were created in 黑料海角91入口.
- Open Start > Control Panel > Programs > Programs and Features in AD.
- Uninstall the 黑料海角91入口 AD Import Agent.
- Click the Domain Agents tab in the Active Directory Domain instance in 黑料海角91入口.
- Verify that all rows are in yellow (i.e., no longer active).
- Click the delete button for each import agent.
Run the AD Sync Agent Installation Wizard
Now you are ready to install the 黑料海角91入口 Sync Agent on one or more member servers or your Primary DC and any DC within the domain impacted by extended replication delays.
- Browse to where you saved the AD Integration Sync installer file on your DC.
- Right-click the file, then select Run as administrator.
- Once the Installer Wizard appears, click Next.
- On the Destination Folder screen, click Next.
- Select the type of server on which you are installing the agent, DC or non-DC member server, then click Next.
- If you chose Domain Controller, skip to step 10.
- If you chose Member Server as your server type, enter the information for the DC to which the member server should connect to sync data from 黑料海角91入口 to AD. We recommend using the FQDN for your DC.
- Confirm your LDAP connection type and decide if you want to allow the use of LDAP if the connection using secure LDAP fails.
We STRONGLY recommend against allowing the use of LDAP if the connection using secure LDAP fails. LDAP is not secure and increases your potential risk of cyberattacks as it sends unencrypted data. Attackers can spy on the connection and intercept packets sent over the network. We STRONGLY recommend the use of LDAPS only for this integration.
- If you checked Allow insecure connection (LDAP) to a Domain Controller, if secure connection fails, you must confirm that you understand the risk before you can proceed.
- Enter the Root User Container you noted in the Determine the Root User Container in AD section above. If you're using the default AD Root User Container, the value will be CN=Users;DC=company;DC=com. If you've chosen another Root User Container, enter the value you noted.
- In this example, we've modified the Root User Container. The value is: OU=Corporate Users;DC=example;DC=com.
Case is important when entering the User Root DN; always use capital "OU", "CN", and "DC".
- Enter the AD Sync Agent's Service Account you've created. This should be the jcsync User Account you created in the Create the AD Sync Service Account section above. Then click Next.
Case is important when entering the Windows Login Domain; use the same case that was used when creating the AD domain instance in 黑料海角91入口.
- Enter the Connect Key that was presented to you within the 黑料海角91入口 Admin Portal after downloading the AD Sync Agent. Then click Next.
- Finally, click the Install button to install the AD Sync Agent. This could take up to 3 minutes.
We strongly recommend installing and using LDAPS for the ADI. Configuring and using LDAPS on the Domain Controller that the Jumpcloud ADI agents will connect to secures any sensitive information that is exchanged between the Jumpcloud agents and the Domain Controller and protects against malicious users.
You DO NOT need to reboot the servers after the AD Sync Agent installation.
Verify AD Sync
Once you've installed and configured AD Sync within your AD environment, you can easily verify that the 黑料海角91入口 AD Sync Agent is working. Ensure the following are present and visible:
- The 黑料海角91入口 AD Sync Agent should be shown as green and active within the Admin Portal under Directory Integrations > Active Directory > Domain Integration > Domain Agents tab.
If the AD Sync Agent(s) are showing red or are in a non-connected state, please check services.msc to see if the service is running.
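Beyond the Admin Portal status, the sync behaviour described in the Workflow section can be confirmed from the AD side. The PowerShell below is an added example, not 黑料海角91入口's tooling: it performs the services.msc check from the command line, confirms that a test user's password change made in 黑料海角91入口 landed in AD within the 90-second window (and shows the account's Enabled state, which the suspend workflow also drives), and lists any accounts under the Root User Container flagged adminCount=1, which the Considerations section says the agent cannot manage. It assumes the RSAT ActiveDirectory module; the service display-name pattern, the user name "jdoe" and the container DN are placeholders to replace with your own values.

```powershell
# Added example (not from the article): verify AD sync results from the AD side.
Import-Module ActiveDirectory

function Get-SyncAgentServiceState {
    # Same information as services.msc; the display-name pattern is an assumption, adjust it
    # to the service name you see listed after installation.
    param([string]$DisplayNamePattern = '*AD*Sync*')
    Get-Service | Where-Object { $_.DisplayName -like $DisplayNamePattern } |
        Select-Object Name, DisplayName, Status, StartType
}

function Test-PasswordSyncLanded {
    # After changing the test user's password in the cloud directory, AD's pwdLastSet should move
    # within the 90-second window the article gives; Enabled reflects the suspend/unsuspend sync.
    param([Parameter(Mandatory)][string]$SamAccountName, [int]$WindowSeconds = 90)
    $u = Get-ADUser -Identity $SamAccountName -Properties pwdLastSet, Enabled
    $lastSet = [DateTime]::FromFileTimeUtc($u.pwdLastSet)
    [pscustomobject]@{
        User            = $u.SamAccountName
        Enabled         = $u.Enabled
        PasswordLastSet = $lastSet.ToLocalTime()
        SyncedInWindow  = ((Get-Date).ToUniversalTime() - $lastSet).TotalSeconds -le $WindowSeconds
    }
}

function Get-UnmanageableProtectedUsers {
    # Accounts with adminCount=1 under the Root User Container lose the inherited permissions
    # granted to the agent, so list them and don't expect them to sync.
    param([Parameter(Mandatory)][string]$ContainerDn)
    Get-ADUser -SearchBase $ContainerDn -Filter 'adminCount -eq 1' -Properties adminCount |
        Select-Object SamAccountName, DistinguishedName
}

Get-SyncAgentServiceState | Format-Table -AutoSize
Test-PasswordSyncLanded -SamAccountName 'jdoe'                                    # placeholder user
Get-UnmanageableProtectedUsers -ContainerDn 'OU=Corporate Users,DC=example,DC=com' # placeholder DN
```

Run `Test-PasswordSyncLanded` immediately after changing the test user's password in the 黑料海角91入口 User Portal; a `SyncedInWindow` of `False` after the 90 seconds have elapsed points at the agent, the delegated rights, or a password rejected by AD's complexity policy.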
Next Steps
Please read the Use and Manage the Active Directory Integration article next.
Want additional assistance from 黑料海角91入口?
If you're having issues getting 黑料海角91入口's ADI working, try the Troubleshooting Guide.
黑料海角91入口 offers a range of professional services to assist customers with implementing and configuring 黑料海角91入口. If you're looking for assistance with migrating from AD, or with integrating AD with 黑料海角91入口, we recommend you reach out to 黑料海角91入口's Professional Services team on the following page: Professional Services - 黑料海角91入口.