The JumpCloud Active Directory Integration (ADI) syncs users, groups, and passwords between JumpCloud and on-premises or off-premises AD. As covered in Get Started: Active Directory Integration, the ADI uses two agents, an Import Agent and a Sync Agent, which can be installed in three (3) configurations depending on where you want to manage users, groups, and passwords:
- Manage users, groups, and passwords in AD
- Manage users, groups, and passwords in JumpCloud
- Manage users and passwords in AD, JumpCloud, or both
After setting up your initial ADI configuration, you may decide to change it. This article provides a high level overview on how to do so.
Prerequisites
- Existing AD Integration
- Access to all AD servers
- If you are changing to the Manage users and passwords in AD, JumpCloud, or both deployment configuration, verify your current agents are the latest version
Considerations
- Connect Keys are one-time use keys required for installing the agents on a new AD server:
- The Connect Key will expire in 7 days if it is not used
- Connect Keys are not required when upgrading agents
- A connect key should only be used once – do not use the same connect key on multiple servers
- When upgrading an agent, the installation wizard prompts for minimal information:
- Import agent connect key, when upgrading from import agent v2.6.0 or lower
- Installation folder path
- Finish screen
- The agents should be installed on at least 2 member servers for high availability
- Agent versions should be the same on all AD servers
ADI Configurations
ADI Configuration | Use case | Server type(s) on which agent(s) can be installed
---|---|---
Manage users, groups and passwords in AD | Extend AD | Domain Controllers
Manage users and passwords in either system, or both | Extend AD | Domain Controllers, Member Servers
Manage users and passwords in either system, or both | Minimize AD footprint | Domain Controllers
Manage users and passwords in either system, or both | Migrate away from AD | Domain Controllers, Member Servers (Sync agent only)
Manage users, groups, and passwords in JumpCloud | Minimize AD footprint | Domain Controllers, Member Servers
Manage users, groups, and passwords in JumpCloud | Migrate away from AD | Domain Controllers, Member Servers
Change ADI Configuration
- Go to DIRECTORY INTEGRATIONS > Active Directory.
- Search for and select your existing ADI instance.
- In the upper right corner, select Update Configuration.
- Select the radio button next to your desired new configuration and then click Next.
- Review the settings for both the Previous and Updated Configuration.
Each ADI configuration has default settings. Some settings are read-only and others are editable. See ADI configuration settings for more information.
- Click Save.
- Depending on the previous and updated configuration, you will receive a note stating that agents will need to be uninstalled.
- Go to the Action needed: section and download and install any agents required for the updated configuration.
- Click Continue.
- Your new ADI Configuration Details will appear. In the Integration Details section, verify or change any ADI configuration settings.
- Click Save.
The sections below describe the changes required on your user records and give a high level overview of the changes required on your AD servers when changing your ADI deployment configuration.
ADI configuration settings
- Delegated Password Validation – default setting for enabling and disabling delegated authentication to AD for users imported from AD to JumpCloud. Applicable in the following ADI configurations:
- Manage users and passwords in either system or both. Editable setting. Disabled by default
- Manage users and passwords in Active Directory. Read-only setting. Enabled by default
- Externally Managed Password and Attributes – default setting for restricting and unrestricting changes to ADI synced user attributes and user password within the JumpCloud Admin Portal and the JumpCloud User Portal. This is a read-only setting. Applicable in all ADI configurations:
- Manage users and passwords in JumpCloud. Disabled by default
- Manage users and passwords in either system or both. Disabled by default
- Manage users and passwords in Active Directory. Enabled by default
- Enable groups and memberships management – default setting controlling whether a group and group memberships are synced from JumpCloud to AD when a sync agent is installed on an AD server. This is a read-only setting that is enabled by default. Applicable in the following ADI configurations:
- Manage users and passwords in either system or both
- Manage users and passwords in JumpCloud
- Provision Staged Users – default setting controlling whether a staged user is synced from JumpCloud to AD when a sync agent is installed on an AD server. This is a read-only setting that is disabled by default. Applicable in the following ADI configurations:
- Manage users and passwords in either system or both
- Manage users and passwords in JumpCloud
Change to Manage users and passwords in AD, JumpCloud, or both
See Configure ADI: Manage users, groups and passwords in AD, JumpCloud, or both.
From managing users, groups, and passwords in AD
Changes required on existing user records
- Go to USER MANAGEMENT > Users.
- Select Filter by > Password Externally Managed in the Search bar.
- Select all users.
- Select More Actions > Set External Password Authority.
- Leave the default None (JumpCloud) selected.
- Click Save.
- Follow the instructions in Convert AD-Managed User Accounts.
Changes required in AD
- Create the AD Sync Service Account.
- Delegate control for AD Sync Service Accounts.
- Download AD Sync agent.
- Run the AD Sync Agent installation wizard.
- Reboot each AD server where the import agent was installed.
- Verify AD sync and AD import agents in the JumpCloud Admin Portal.
From managing users, groups, and passwords in JumpCloud
Changes required on existing user records
- Go to USER MANAGEMENT > Users.
- Select Filter by > Password Externally Managed in the Search bar.
- Select all users.
- Select More Actions > Set External Password Authority.
- Leave the default None (JumpCloud) selected.
- Click Save.
- Follow the instructions in Convert AD-Managed User Accounts.
Changes required in AD
- Create the AD Import Service Account.
- Delegate control for the AD Import Service Accounts.
- Download AD Import agent.
- Run the AD Import Agent installation wizard.
- Reboot each AD server where the import agent was installed.
- Verify the Import Agent Service started.
- Complete post-installation AD import agent configuration on each DC.
- Verify AD sync and AD import agents in the JumpCloud Admin Portal.
Change to Manage users and passwords in AD
See Configure ADI: Manage users, security groups, and passwords in AD.
From managing users, groups, and passwords in AD, JumpCloud or both
Changes required on existing user records
- Go to USER MANAGEMENT > Users.
- Select Filter by > Password Externally Managed in the Search bar.
- Select all users.
- Select More Actions > Set External Password Authority.
- Select Active Directory.
- Click Save.
Changes required in AD
- Uninstall AD Sync agent.
- Reboot each AD server where the Sync agent was installed.
- Change AD Sync service account to inactive.
- Verify the Import Agent Service started on each AD server.
From managing users, groups, and passwords in JumpCloud
Changes required on existing user records
- Go to USER MANAGEMENT > Users.
- Select Filter by > Password Externally Managed in the Search bar.
- Select all users.
- Select More Actions > Set External Password Authority.
- Select Active Directory.
- Click Save.
Changes required in AD
- Uninstall AD Sync agent.
- Reboot each AD server where the Sync agent was installed.
- Change AD Sync service account to inactive.
- Create the AD Import Service Account.
- Delegate control for the AD Import Service Accounts.
- Download AD Import agent.
- Run the AD Import Agent installation wizard.
- Reboot each AD server where the import agent was installed.
- Verify the Import Agent Service started.
- Complete post-installation AD import agent configuration on each DC.
Change to Manage users and passwords in JumpCloud
See Configure ADI: Manage users, security groups, and passwords in JumpCloud.
From managing users, groups, and passwords in AD, JumpCloud or both
Changes required on existing user records
- Go to USER MANAGEMENT > Users.
- Select Filter by > Password Externally Managed in the Search bar.
- Select all users.
- Select More Actions > Set External Password Authority.
- Select Active Directory.
- Click Save.
- If you enabled the Delegated Password Validation option on the ADI configuration and want your existing users with access to AD to have their logins validated by AD, do the following:
- Select the users you want to update
- Select More Actions > Set Delegated Password Authority.
- Select Active Directory.
- Click Save.
Changes required in AD
- Uninstall AD Import agent.
- Reboot each AD server where the Import agent was installed.
- Change AD Import service account to inactive.
- Verify the Import Agent Service started on each AD server.
From managing users, groups, and passwords in AD
Changes required on existing user records
- Go to USER MANAGEMENT > Users.
- Select Filter by > Password Externally Managed in the Search bar.
- Select all users.
- Select More Actions > Set External Password Authority.
- Select Active Directory.
- Click Save.
- Select the existing users with access to AD.
- Select More Actions > Set Delegated Password Authority.
- Select Active Directory.
- Click Save.
Changes required in AD
- Uninstall AD Import agent.
- Reboot each AD server where the Import agent was installed.
- Change AD Import service account to inactive.
- Create the AD Sync Service Account.
- Delegate control for the AD Sync Service Accounts.
- Download AD Sync agent.
- Run the AD Sync Agent installation wizard.
- Reboot each AD server where the import agent was installed.
- Verify the Sync Agent Service started.
- Complete post-installation AD Sync agent configuration on each DC.
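The "verify the agent service started", "agent versions should be the same on all AD servers" and "change the service account to inactive" steps that recur in the procedures above can be checked from one admin workstation. The following PowerShell is an added example, not JumpCloud's own tooling; it assumes WinRM access to the AD servers, that the JumpCloud agent services carry "JumpCloud" in their display name, that the RSAT ActiveDirectory module is installed, and the server and account names shown are placeholders.

```powershell
# Added example: post-change checks for an ADI configuration switch.
param(
    [string[]]$Servers = @('DC01', 'DC02'),            # placeholder AD server names
    [string]$ExpectedAgent = 'Sync',                   # 'Sync' or 'Import', per the new configuration
    [string]$RetiredServiceAccount = 'svc-jc-adimport' # placeholder sAMAccountName of the old agent's account
)

# Collect every JumpCloud-named service, its state and its executable version from each server.
$report = Invoke-Command -ComputerName $Servers -ScriptBlock {
    Get-CimInstance Win32_Service |
        Where-Object { $_.DisplayName -like '*JumpCloud*' } |
        ForEach-Object {
            # PathName may be quoted and may carry arguments; isolate the executable.
            $exe = if ($_.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($_.PathName -split ' ')[0] }
            [pscustomobject]@{
                Server  = $env:COMPUTERNAME
                Service = $_.DisplayName
                State   = $_.State
                Version = (Get-Item $exe -ErrorAction SilentlyContinue).VersionInfo.ProductVersion
            }
        }
}
$report | Format-Table Server, Service, State, Version -AutoSize

# 1. The agent required by the new configuration must be present and running on every server.
foreach ($s in $Servers) {
    $svc = $report | Where-Object { $_.Server -eq $s -and $_.Service -like "*$ExpectedAgent*" }
    if (-not $svc) { Write-Warning "${s}: no $ExpectedAgent agent service found" }
    elseif ($svc.State -ne 'Running') { Write-Warning "${s}: $($svc.Service) is $($svc.State)" }
}

# 2. Agent versions must match across all servers (see Considerations).
$versions = $report | Where-Object Service -like "*$ExpectedAgent*" |
    Select-Object -ExpandProperty Version -Unique
if (@($versions).Count -gt 1) {
    Write-Warning "Mixed $ExpectedAgent agent versions found: $($versions -join ', ')"
}

# 3. Set the retired agent's service account to inactive rather than deleting it,
#    so its group memberships and audit history remain reviewable.
Import-Module ActiveDirectory
Disable-ADAccount -Identity $RetiredServiceAccount
Set-ADUser -Identity $RetiredServiceAccount `
    -Description "Disabled $(Get-Date -Format 'yyyy-MM-dd'): ADI configuration changed"
```

Run it with `-ExpectedAgent Import` when the new configuration keeps only the Import Agent, and review the warnings before continuing with the user record changes.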
Next Steps
Want additional assistance from JumpCloud?
JumpCloud now offers a myriad of professional services to assist you with implementing and configuring JumpCloud. If you’re looking for assistance with Migrating from AD or integrating AD with JumpCloud, we recommend you reach out to JumpCloud’s Professional Services team on the following page: Professional Services - JumpCloud.