JumpCloud® Active Directory® Migration Guide
A short and practical primer on transitioning to Directory-as-a-Service®
Ready to Replace Active Directory?
You are on the verge of implementing JumpCloud, but moving away from Active Directory is no trivial task. You have questions! This short guide walks you through the process and helps answer those burning questions, such as “How do I start migrating my users’ identities out of Active Directory and into JumpCloud? What’s involved, who’s involved, and how long will it take?”
Preparing to Migrate
Directories are the core of your network. They are the technology responsible for authenticating and then authorizing your employees with the resources they need to access.
Because the directory is so critical, it is important to educate your users about the forthcoming move to your new JumpCloud directory. We offer pre-made email templates that make it easy to keep your users informed.
Replacing Active Directory may seem daunting, but it’s a process we help organizations complete successfully every day. You can do this. Let’s begin.
Migrating user accounts from Active Directory to JumpCloud
Identities are at the core of JumpCloud’s directory service. To simplify re-creating the identities currently managed in Active Directory, JumpCloud can import user accounts and their associated information into its directory. This lets you begin authenticating against selected resources almost immediately. Here’s how:
A. Exporting AD Users to CSV
AD users can be exported to CSV with these PowerShell commands (run from a machine with the ActiveDirectory module; -NoTypeInformation keeps the “#TYPE” header line out of the file so the first row is the column header):
PS C:\Users\Administrator> Import-Module ActiveDirectory
PS C:\Users\Administrator> Get-ADUser -Filter * -Properties GivenName,Surname,SamAccountName,UserPrincipalName | Select-Object GivenName,Surname,SamAccountName,UserPrincipalName | Export-Csv C:\Windows\Temp\userlist.csv -NoTypeInformation
This produces a CSV with the first four fields populated. To be imported into JumpCloud via our CSVImporter, each row needs a total of nine fields. You can simply add five additional blank fields:
Or use the remaining fields to continue building user data, including User ID (UID), Group ID (GID), admin privileges, and tagging users to systems:
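The export-and-pad step above as one script. This is an added example, not code from the JumpCloud guide or the CSVImporter project: the names of the five padding columns and the OU in $SearchBase are assumptions, so check them against the importer’s expected header and your own domain before running it.

```powershell
# Added example (not from the JumpCloud guide): export AD users to CSV and pad the
# file to the nine columns the CSVImporter expects. The five padding column names
# are assumed placeholders; match them to the importer's header before importing.
Import-Module ActiveDirectory

$OutFile    = 'C:\Windows\Temp\userlist.csv'
$SearchBase = 'OU=Staff,DC=example,DC=com'   # assumption: narrow to the OU you migrate

# Export only enabled accounts; the guide's command (-Filter *) also pulls disabled ones.
# The calculated properties add five blank columns (UID, GID, Admin, Tag follow the
# fields the guide names; Field9 is a placeholder for the remaining column).
Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
           -Properties GivenName, Surname, SamAccountName, UserPrincipalName |
    Select-Object GivenName, Surname, SamAccountName, UserPrincipalName,
        @{ Name = 'UID';    Expression = { '' } },
        @{ Name = 'GID';    Expression = { '' } },
        @{ Name = 'Admin';  Expression = { '' } },
        @{ Name = 'Tag';    Expression = { '' } },
        @{ Name = 'Field9'; Expression = { '' } } |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

# Verify the file before handing it to the importer: nine columns, no empty usernames.
$rows = @(Import-Csv -Path $OutFile)
if ($rows.Count -eq 0) { throw "No users exported from $SearchBase" }
$cols = ($rows[0].PSObject.Properties | Measure-Object).Count
if ($cols -ne 9) { throw "Expected 9 columns, found $cols" }
$noName = @($rows | Where-Object { [string]::IsNullOrWhiteSpace($_.SamAccountName) })
if ($noName.Count -gt 0) { throw "$($noName.Count) rows have an empty SamAccountName" }
"Exported $($rows.Count) users to $OutFile"
```

The file is a complete list of your identities, so keep it on the admin workstation only and delete it once the import has been confirmed.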
B. Importing CSV into JumpCloud
JumpCloud provides an importer utility to streamline this process. You can download the latest API Utility rollup on GitHub and use the CSVImporter_os_arch file. Here is the code for importing users on a Windows machine:
PS C:\Users\Administrator\Downloads> .\CSVImporter_windows_amd64.exe
Usage of ./CSVImporter:
  -csv="": -csv=<filename>
  -key="": -key=<API-key-value>
PS C:\Users\Administrator\Downloads> .\CSVImporter_windows_amd64.exe -csv="PATH_TO_CSV" -key="YOUR_API_KEY"
With that, you’ve imported your users into JumpCloud. But keep in mind that this will have no effect on existing accounts until the user is associated with a resource (Step 3).
Inviting and Activating your JumpCloud Users
It’s time for you to invite some, or all, of your users to create their passwords and activate their JumpCloud accounts. This will ensure they can immediately begin accessing resources once they have been bound to JumpCloud.
A. Inviting Users
JumpCloud provides pre-made email templates to make communicating to your users easy. The first email explains the migration to JumpCloud, how it will enable them to access their resources with one set of credentials, and gives simple instructions on what to do.
B. Activating Users in JumpCloud
For a user to become activated, an admin will trigger the account invitation email to be sent to the employee’s inbox. When received, they simply have to:
- Follow the link in the “JumpCloud User Activation” email
- Set a password that is compliant with the password complexity settings
- Set up their account information
- Users can return to their personal portal at any time to update their information at https://console.jumpcloud.com
Note that administrators have various ways to activate user accounts. The email method described above is the most common and allows the employee to set their own password.
Integrating apps and WiFi to authenticate against JumpCloud
With your users’ JumpCloud accounts now active, a logical first set of resources to connect, as a transitional step away from Active Directory, is applications and WiFi access through JumpCloud’s RADIUS service.
Here is some guidance on how this is accomplished in JumpCloud:
A. Binding Applications to JumpCloud through LDAP
JumpCloud’s LDAP-as-a-Service enables applications and other resources to be tethered to JumpCloud exactly as they can be tethered to an OpenLDAP instance. To set up the LDAP capabilities of JumpCloud, in general you will:
- Turn ‘On’ the LDAP Service in JumpCloud’s Settings
- Create a service account and enable it as a “BindDN” or binding service user account [Learn How]
- Choose an application to tether to JumpCloud and configure it to defer to JumpCloud’s LDAP endpoint [Example]
JumpCloud’s LDAP supports grouping structures as well, exactly as you can create them in OpenLDAP or Active Directory. Read more here about JumpCloud’s LDAP service.
B. Binding Applications to JumpCloud through SAML for Single Sign-On
While you may be using JumpCloud’s LDAP service for on-premise application authentication and user provisioning, the product also offers support for web-application single sign-on (SSO) through the SAML 2.0 protocol.
We’ve got a full guide to setting up SSO. But here’s a quick run-down:
- Configure the service provider to defer to an identity provider (e.g. JumpCloud) for authentication
- Create and configure the service provider settings in JumpCloud’s Application section
- Create a Tag for the app to restrict authentication to only those employees who should have access
C. Authenticating users to your WiFi with JumpCloud’s RADIUS Service
Like our cloud-based LDAP service, JumpCloud also offers cloud-based RADIUS services. You can use this to individually authenticate your employees against wireless hubs, VPN clients and other resources.
This process varies by vendor, so check out our RADIUS overview with links to docs with specific instructions. The WAP device must have support for RADIUS via PEAP or EAP/TTLS.
Converting AD bound systems and users
With your JumpCloud users activated and an initial set of resources connected, it’s time to convert your Windows machines to connect to JumpCloud. Since they were once tethered to your Active Directory domain controllers, each system and each Active Directory-managed user account must be ‘unbound’ so that JumpCloud can act as the directory service and take ownership.
Here are the steps:
A. Convert AD users to local accounts
This step can be automated using the ForensiT User Profile Wizard tool. Don’t convert AD users to local accounts until you are ready to go live and retire your Domain Controllers.
Once you’ve completed the conversion and validated that the local account exists, you can remove the system from the domain.
B. Deploy the JumpCloud Agent
JumpCloud manages systems via a lightweight agent for Windows, macOS, and Linux devices. Once installed, the JumpCloud agent grants admins remote management of systems.
This can be achieved in one of two ways:
C. Bind the user to the system
Within the JumpCloud admin console, open User details > Systems and select the appropriate system, and/or associate the user with an applicable Tag.
Allow 60 seconds for the synchronization to complete. When the user logs out and logs back in with their JumpCloud account password, they’ll be bound to the appropriate system.
Done! Sunsetting your Active Directory Domain Controllers
With the four steps above completed, JumpCloud is now able to act as the authoritative source for the resources your employees need, most notably their computers, their apps and their WiFi networks.
Here’s a pre-launch checklist:
- JumpCloud Agent is installed
- System status is green
- Users exist in the JumpCloud directory
- Tags created (if applicable)
- Usernames match between JumpCloud and the local system
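One way to check the last item of that list, plus the domain-membership requirement from Step 4, on a converted Windows machine. This is an added example, not a tool from the JumpCloud guide; it assumes the CSV from the export step is still available at $CsvPath and treats the well-known built-in accounts it skips as not needing a JumpCloud match.

```powershell
# Added example (not from the JumpCloud guide): pre-launch check on one Windows machine
# after the ForensiT conversion. It confirms every enabled local account (other than the
# built-ins) has a matching username in the exported CSV and that the machine has left
# the AD domain. $CsvPath is assumed to be the file produced in the export step.
function Test-PreLaunch {
    param([string]$CsvPath = 'C:\Windows\Temp\userlist.csv')

    $expected = @(Import-Csv -Path $CsvPath | Select-Object -ExpandProperty SamAccountName)

    # Built-in Windows accounts that are not migrated and so need no JumpCloud username.
    $builtIn = 'Administrator', 'Guest', 'DefaultAccount', 'WDAGUtilityAccount'
    $local   = @(Get-LocalUser |
                 Where-Object { $_.Enabled -and ($_.Name -notin $builtIn) } |
                 Select-Object -ExpandProperty Name)

    # -notin compares case-insensitively, as Windows logon names do.
    $unmatched = @($local | Where-Object { $_ -notin $expected })
    $cs        = Get-CimInstance -ClassName Win32_ComputerSystem

    [pscustomobject]@{
        Computer      = $cs.Name
        StillInDomain = $cs.PartOfDomain   # must be $false before the DCs are sunset
        LocalUsers    = $local.Count
        Unmatched     = $unmatched         # local accounts with no JumpCloud username
        Ready         = (-not $cs.PartOfDomain) -and ($unmatched.Count -eq 0)
    }
}

$result = Test-PreLaunch
$result | Format-List
if (-not $result.Ready) { exit 1 }   # non-zero exit lets a deployment tool flag the host
```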
You are now free to sunset your Active Directory Domain Controllers. With that, you have officially moved your directory to the cloud.
Questions? We’re Here to Help
Every infrastructure is unique. We’re always available to answer any questions about your Active Directory migration. Here’s what you can do to keep moving forward:
- Contact Sales if you have any questions
- Try out our JumpStart Program for full support and unlimited users for 30 days
If you want more in-depth instructions, you can dive into the full Migration Strategy and Implementation Guide (pdf)