Configure Active Directory Integration (ADI)

探花大神鈥檚 Active Directory Integration (ADI) is 探花大神鈥檚 user identity and access management directory integration that enables the syncing of users, groups, and passwords between 探花大神 and on or off-premise AD. ADI can be used to extend AD to the Cloud, minimize the number of resources managed by AD, and migrate away from AD.

As covered in Get Started: Active Directory Integration, ADI uses two agents: an Import Agent and a Sync Agent that can be installed in three (3) configurations, referred to as deployment configurations. These deployment configurations are determined by where you want to manage users, groups, and passwords and are flexible enough to support your specific use case, goals, and AD environment.

Manage users, groups, and passwords in AD
Manage users and passwords in AD, 探花大神, or both
Manage users, groups, and passwords in 探花大神

This article provides an overview of the benefits, example use cases, workflows, and implementation steps as well as a link to the step-by-step configuration article for each deployment configuration. It also outlines the prerequisites and considerations across all deployment configurations.

ADI Prerequisites

Before getting started with ADI, 探花大神 recommends going through this list and ensuring all items have been completed before continuing.

You will need:

AD Domain Admin credentials
Access to all Domain Controllers (DCs) or member servers in your AD domain
Network access to the internet from DCs or member servers and ability to communicate outbound (only) to console.jumpcloud.com over HTTPS port 443
- The 探花大神 AD Import and Sync Agent services use SSL/TLS for all communication. If no network connectivity exists to 探花大神, ADI will fail to connect and won't work properly
探花大神 Organization for your company

Important:

We STRONGLY recommend installing and using LDAPS for ADI.
- Configuring and using LDAPS on the Domain Controller to which the 探花大神 ADI agents will connect secures any sensitive information that is exchanged between the 探花大神 agents and the Domain Controller and protects against malicious users
Create a separate 探花大神 admin account for this integration
- API tokens are specific to each 探花大神 Admin account. An integration admin account prevents the possibility of breaking the ADI connectivity to your 探花大神 organization when an Admin account is deleted

System Requirements

64-bit Windows Server (versions 2012, 2016, 2019, 2022)
- Server Core installation is also supported for Windows Server versions 2016, 2019, and 2022. You will need to include the /msiexec parameter when running the agent installer
15MB disk space
10MB RAM

General Considerations

These considerations apply to all or most of the use case scenarios and configurations.

When specifying a DN, you must use a semicolon (;), commas (,) are not supported.
The user attributes that sync by default are:
- First Name
- Last Name
- Username
- Email
The import agent can be configured to sync additional attributes.
Non-standard ASCII characters are not supported in the Root User DN
When updating an existing agent installation, only minimal installation screens are shown
Demoting a DC installation to a member server or promoting a member server installation to a DC installation aren鈥檛 supported. The agent(s) must be uninstalled first and then installed on the other type of server
The passwords for the service accounts used by the integration (e.g., jcimport and jcsync)should be rotated periodically for security reasons
As of ADI sync agent version 4.x and import agent 2.x, the following changes were made:
- The default location for all agent related installation, configuration, and log files is C:\Program Files\探花大神\AD Integration\
- All references to AD Bridge changed to AD Import
- The ADI sync agent can be installed independently of the ADI import agent
- The jcimport username & password and the API key are stored in the registry instead of the ADI Import Agent configuration file. Both the password and API key are encrypted and the values in the registry are replaced with the encrypted value when the import agent starts
- The ADI sync agent connect key is encrypted and the value in the registry is replaced with the encrypted value when the agent starts
The 探花大神 ADI import and sync agent services use TLS for all communication. If no network connectivity exists to 探花大神, ADI won鈥檛 work properly

ADI Configurations

The table below provides an overview of the three (3) deployment configurations and main use cases. The sections that follow describe the capabilities, example use cases, benefits, workflow, and considerations for each configuration, as well as a link to the step-by-step guide.

ADI Configuration	Use case	Server type(s) on which agent(s) can be installed
Manage users, groups and passwords in AD	Extend AD	Domain Controllers
Manage users and passwords in either system, or both	Extend AD	Domain Controllers, Member Servers
	Minimize AD footprint	Domain Controllers
	Migrate away from AD	Domain Controllers, Member Servers (Sync agent only)
Manage users, groups, and passwords in 探花大神	Minimize AD footprint	Domain Controllers, Member Servers
	Migrate away from AD	Domain Controllers, Member Servers

Manage users, groups, and passwords in AD

This deployment configuration supports organizations looking to extend AD to the cloud for additional functionality with minimal changes to their existing AD environment. Use Cases Provide access to Cloud resources while keeping AD as the primary Identity Provider (the source of truth) for user data, passwords, and security groups Access to SaaS applications using industry standard protocols SAML 2.0 and OIDC for SSO, and SCIM for provisioning, syncing and deprovisioning. Access to Cloud RADIUS for Wifi and VPN LDAP based user auth with MFA for NAS drive mappings, networking gear, or logins to things such as kubernetes clusters. User provisioning, syncing, deprovisioning and access control to other Cloud Directories such as M365/ Entra ID and Google Workspace in real-time Compliance - keep the password behind the AD firewall and still extend AD to cloud Cross-platform device management - Support Windows, Linux, Mac, iOS, and Android devices Benefits Future Flexibility & Agility Once a user identity is in the Cloud, it can be extended more easily. Option to take advantage of all capabilities available in 探花大神’s Open Directory Platform with minimal effort, no need to find another point solution. Automated Offboarding Deactivating a user in AD will automatically suspend that user in 探花大神 within 60 seconds,resulting in a forced logoff on the user’s computer and the removal of access to the 探花大神 managed resources assigned to them, such as, SSO, RADIUS, LDAP, Password Manager, etc. User Device Choice Let users pick between Windows, Mac or Linux, while still being able to enforce policies, push software, control OS patching, take remote control, and enforce MFA on that device.	Workflow Details Data syncs one-way from AD to 探花大神 Passwords managed solely in AD Users created, updated, and deactivated solely in AD Security groups created and managed solely in AD Group membership managed solely in AD
	Configuration Read Configure ADI: Manage users, groups, and passwords in AD for step-by-step instructions Use ADI import agent only Install import agent on two or more member serviers or all domain controllers (DCs) Add users and security groups under the ADI security group in AD
	Important Considerations: Import agents can be installed on member servers or DCs. Delegated log in authentication to AD will be used when import agents are installed on member servers. Syncing the password from AD to 探花大神 requires the import agent to be installed on all DCs. Scheduled downtime is also required. Each server must be rebooted to complete the import agent installation. When multiple AD import agents are installed, one is designated as the primary agent by the ADI service for all actions (directives) performed by the import agent. API tokens are specific to each Admin account. Create a separate account for this integration to prevent the possibility of breaking the ADI connectivity to your 探花大神 organization when an Admin account is deleted. Password complexity requirements in AD and 探花大神 should be the same or closely aligned to avoid passwords being rejected and failing to sync due to not meeting the complexity requirements. Importing, such as Domain Admins, into 探花大神 from AD isn’t supported. We STRONGLY recommend installing and using LDAPS for the ADI. Configuring and using LDAPS on the Domain Controller that the Jumpcloud ADI agents will connect to secures any sensitive information that is exchanged between the Jumpcloud agents and the Domain Controller and protects against malicious users. Connect Keys are one-time use keys required for installing the import agent on a new AD server. Warning: Connect keys are only valid for 7 days if not used.

AD Import only – single domain workflow

AD Import only – multiple domain workflow

Manage users and passwords in AD, 探花大神, or both

This deployment configuration supports organizations looking to minimize the number of resources managed by AD and organizations that want to eventually migrate away from AD. This configuration provides the greatest flexibility. Users, passwords, and groups can be managed in AD, 探花大神, or both. Use cases Allow users to change passwords in 探花大神, from a 探花大神 managed device, and from AD. Enable 探花大神 and AD to share responsibility over the user identities. Add support for a mixed OS fleet and non-AD bound devices Extend user access to the Cloud for one or more of the following: Access to SaaS applications using industry standard protocols SAML 2.0, and OIDC, for SSO, and SCIM for provisioning, syncing and deprovisioning. Access to Cloud RADIUS for Wifi and VPN LDAP based user auth for NAS drive mappings, networking gear, or logins to things such as kubernetes clusters. User provisioning, syncing, deprovisioning and access control to other Cloud Directories such as M365/ EntraID / AzureAD and Google Workspace in real-time Maintain an AD footprint but only for mission critical Windows servers, such as: Business critical applications that must stay on-prem. File and printer servers that cannot go away. Domain Controllers, but likely fewer DC’s in fewer locations. Manage profiles in one system and passwords in the other Manage passwords in 探花大神 to control credentials for Cloud resources and manage user profiles in AD to propagate the same information across all Microsoft solutions Manage passwords in AD for compliance purposes and manage profiles in 探花大神 to propagate to SaaS apps and other Cloud resources Import users from Cloud solutions that are not compatible with AD, such as an HRIS system Import users into 探花大神 and then sync those users from 探花大神 into AD. Migrate away from AD completely Benefits Future Flexibility & Agility Once a user identity is in the Cloud, it can be extended more easily. Option to take advantage of all capabilities available in 探花大神’s Open Directory Platform with minimal effort, no need to find another point solution. Automated Offboarding Deactivating a user in AD will automatically suspended that user in 探花大神 within 60 seconds,resulting in a forced logoff on the user’s computer and the removal of access to the 探花大神 managed resources assigned to them, such as, SSO, RADIUS, LDAP, Password Manager, etc. Easy deployment of non-Windows devices to users. Let users pick between Windows, Mac or Linux, while still being able to enforce policies, push software, control OS patching, take remote control, and enforce MFA on that device. Simplified end-user computer management Remove the need for AD Domain Controller connectivity for all end-user computers Users managed in the Cloud You can create, suspend, manage users, passwords, and security group membership for 探花大神. This saves you time by spent RDP’d into the DC’s and in the Active Directory Users and Computers (ADUC) interface.	Workflow Details Data syncs bidirectionally between 探花大神 and AD Passwords managed in either system or both Users created, updated, and deactivated in either system or both User (security) groups created and managed in either system or both Group membership managed in either system or both
	Configuration Read Configure ADI: Manage users, groups and passwords in AD, 探花大神, or both for step-by-step instructions Use both the ADI import agent and ADI sync agent. Install agents on either domain controllers (DCs) or member servers. Important: To sync passwords from AD to 探花大神 the import agent must be installed on all DCs. Add users and security groups under the ADI security group in AD to sync from AD to 探花大神 Assign users and user groups to the AD instance in 探花大神 to sync from 探花大神 to AD.
	Important Considerations: When multiple AD import and sync agents are installed, one of each is designated as the primary by the ADI service for all actions (directives) performed by each agent. API tokens are specific to each Admin account. Create a separate account for this integration to prevent the possibility of breaking the ADI connectivity to your 探花大神 organization when an Admin account is deleted. If passwords need to be synced from AD to 探花大神, an import agent must be installed on all Domain Controllers and downtime will need to be scheduled, because the installation requires a server reboot. If passwords are being managed in 探花大神 or authentication is being delegated to AD, the import agent can be installed on a member server(s). Password complexity requirements in AD and 探花大神 should be as closely aligned as possible to avoid passwords being rejected and failing to sync due to not meeting the complexity requirements. Importing, such as Domain Admins, into 探花大神 from AD or managing them in AD from 探花大神 isn’t supported. The AD sync agent does not need to be installed on all servers. Connect Keys are one-time use keys required for installing an agent on a new AD server. Warning: Connect keys are only valid for 7 days. We STRONGLY recommend installing and using LDAPS for the ADI. Configuring and using LDAPS on the Domain Controller that the Jumpcloud ADI agents will connect to secures any sensitive information that is exchanged between the Jumpcloud agents and the Domain Controller and protects against malicious users.

Two-way Sync 鈥� Single Domain Workflow

Two-way Sync 鈥� Multiple Domain Workflow

Manage user, groups, passwords in 探花大神

This configuration supports organizations looking to migrate away from AD completely and organizations that have already significantly reduced the resources being manged by AD. Use Cases Use 探花大神 as the Primary Identity Provider (the source of truth) for user identities and groups and provide access to Cloud resources. You only want users to change passwords from the 探花大神 User Portal or 探花大神 managed devices Extend user access to the Cloud for one or more of the following: Access to SaaS applications using industry standard protocols SAML 2.0, and OIDC, for SSO, and SCIM for provisioning, syncing and deprovisioning. Access to Cloud RADIUS for Wifi and VPN LDAP based user auth for NAS drive mappings, networking gear, or logins to things such as kubernetes clusters. User provisioning, syncing, deprovisioning and access control to other Cloud Directories such as M365/ EntraID / AzureAD and Google Workspace in real-time Add support for non-Windows devices: Linux, Mac, iOS, and Android Maintain an AD footprint but only for mission critical Windows servers, such as: Business critical applications that must stay on-prem. File and printer servers that cannot go away. Domain Controllers, but likely fewer DC’s in fewer locations. Import users from Cloud solutions that are not compatible with AD, such as an HRIS system Import users into 探花大神 and then sync those users from 探花大神 into AD. You want to reduce the role of AD in your environment OR you are in the final phase of your migration away from AD. Benefits Future Flexibility & Agility Once a user identity is in the Cloud, it can be extended more easily. Option to take advantage of all capabilities available in 探花大神’s Open Directory Platform with minimal effort, no need to find another point solution. Automated Offboarding Deactivating a user in 探花大神 will automatically suspend that user in AD within 5 seconds,resulting in a forced logoff on the user’s computer, the removal of access to the 探花大神 managed resources assigned to them, such as, SSO, RADIUS, LDAP, Password Manager, etc., and removal of access to AD managed resources. Easy deployment of non-Windows devices to users. Let users pick between Windows, Mac or Linux, while still being able to enforce policies, push software, control OS patching, take remote control, and enforce MFA on that device. Simplified end-user computer management Remove the need for AD Domain Controller connectivity for all end-user computers

This configuration supports organizations looking to migrate away from AD completely and organizations that have already significantly reduced the resources being manged by AD.

Use Cases

Use 探花大神 as the Primary Identity Provider (the source of truth) for user identities and groups and provide access to Cloud resources.
You only want users to change passwords from the 探花大神 User Portal or 探花大神 managed devices
Extend user access to the Cloud for one or more of the following:

Access to SaaS applications using industry standard protocols SAML 2.0, and OIDC, for SSO, and SCIM for provisioning, syncing and deprovisioning.
Access to Cloud RADIUS for Wifi and VPN
LDAP based user auth for NAS drive mappings, networking gear, or logins to things such as kubernetes clusters.
User provisioning, syncing, deprovisioning and access control to other Cloud Directories such as M365/ EntraID / AzureAD and Google Workspace in real-time

Add support for non-Windows devices: Linux, Mac, iOS, and Android
Maintain an AD footprint but only for mission critical Windows servers, such as:

Business critical applications that must stay on-prem.
File and printer servers that cannot go away.
Domain Controllers, but likely fewer DC’s in fewer locations.

Import users from Cloud solutions that are not compatible with AD, such as an HRIS system

Import users into 探花大神 and then sync those users from 探花大神 into AD.

You want to reduce the role of AD in your environment OR you are in the final phase of your migration away from AD.

Benefits

Future Flexibility & Agility

Once a user identity is in the Cloud, it can be extended more easily.
Option to take advantage of all capabilities available in 探花大神’s Open Directory Platform with minimal effort, no need to find another point solution.

Automated Offboarding

Deactivating a user in 探花大神 will automatically suspend that user in AD within 5 seconds,resulting in a forced logoff on the user’s computer, the removal of access to the 探花大神 managed resources assigned to them, such as, SSO, RADIUS, LDAP, Password Manager, etc., and removal of access to AD managed resources.

Easy deployment of non-Windows devices to users.

Let users pick between Windows, Mac or Linux, while still being able to enforce policies, push software, control OS patching, take remote control, and enforce MFA on that device.

Simplified end-user computer management

Remove the need for AD Domain Controller connectivity for all end-user computers

探花大神

Use Cases

Identity Management

Access Management

Device Management

SaaS Management

Become a Partner

Partner Resources

Engage

Learn

Support