By Greg Keller Posted July 20, 2016
We often talk to people who are Microsoft Active Directory experts and, at times, our approach to the next generation of directory services can be a little mind-bending for them. When you’ve spent the last decade and a half with one type of technology, that way of doing things becomes second nature. While JumpCloud’s Directory-as-a-Service® platform serves a similar function – directory services – the way we have approached the problem is much more modern.
The education challenge, though, remains. For those who understand Active Directory deeply, here’s a little FAQ that may help translate Directory-as-a-Service into Active Directory language. It is built around the questions AD administrators most commonly ask our success and product teams as they evaluate our Directory-as-a-Service platform.
You say you are a directory. So what, exactly, is JumpCloud’s ‘Domain Controller’ (DC) and where, exactly, is it?
JumpCloud is a full-fledged directory…as-a-service. Therefore, you do not need to run your own servers (such as Windows Server 2008 or 2012) and set them up as domain controllers with Active Directory. Further, you are not responsible for redundancy/failover servers, replication between servers (and the latency that often comes with it), or managing individual domain controllers for each location of your business. The directory itself is hosted within our highly secure, scalable and global cloud-computing infrastructure.
Resource: Quick Start – 5 Minutes
How do systems, then, tie themselves to the DC?
Systems, such as your employees’ Windows or Mac clients, or Linux servers for that matter, are all connected to the cloud-based directory through the installation of a small, highly secure agent. This agent enables you as an administrator to remotely control those hosts for chores such as user management (adding or removing users, or remotely changing their permission levels), executing scripts (more on this below when we talk about policies) and providing powerful audit logs for your compliance needs. The only thing those agents require is an outbound connection on port 443 (outbound from your hosts, for security reasons) to communicate with JumpCloud; the agent polls roughly every 90 seconds.
Resource: Getting Started – Systems
What if the internet is not available? My Windows users with their machines tied to AD can still get on their machines when not connected to the domain or the internet. Can Directory-as-a-Service®?
Your users will be able to log into their machines as normal even if there is no internet connection. JumpCloud’s agent works with the local operating system on each platform we support, so it authenticates the user with their last known good, active and valid password to grant access to the machine and its local resources – just as you can with Windows and your AD connection. This is an important distinction when compared with Active Directory. Ultimately, AD-controlled machines need to check in with AD at some point or they become disabled and users cannot log in. This isn’t JumpCloud’s model, so you never have to worry about breaking domain trust.
Resource: Getting Started – Users
Do I need VPN?
No! Well, at least not for JumpCloud’s purposes. Our agent does not require a VPN to network securely back to our cloud-based directory. We maintain a highly secure and encrypted connection to manage your systems. This is a significant shift for AD administrators, who have been accustomed to a model where all of their remote employees need to connect back to a central location. With JumpCloud, this is no longer necessary.
Resource: JumpCloud Security Practices
How can I secure those systems? Are there ways to set policies?
Yes! As mentioned above, the agent enables you as an administrator to execute code at any time (on demand or scheduled from JumpCloud) across a wide swath of Windows, Mac and Linux systems. You may write PowerShell, for example, to execute policies against Windows…or bash and shell scripts to do similar chores for Mac and Linux. We offer a number of pre-built policies for you to execute out of the box. Think of this functionality as cross-platform, GPO-like capabilities.
Resource: Using the Commands Tab
What about DNS? How does this get managed by JumpCloud?
JumpCloud does not act as a DNS server, so you will need to have your domain hosted with a secure and reputable service or use your other networking infrastructure for this service.
Resource: Replacing AD DNS and DHCP
What about other resources? How do they tie themselves to the DC?
Protocols! JumpCloud supports a wide array of them. Use our LDAP-as-a-Service to bind applications and other resources, such as VPN clients, to authenticate and authorize users against those resources. JumpCloud also supports the concept of groups, so you may do group-based authentication (which uses LDAP’s ‘groupOfNames’ object class). Use our RADIUS-as-a-Service to bind resources such as your WiFi or network switches and securely authenticate through the EAP/PEAP protocols supported by our RADIUS infrastructure. Use our SAML-based SSO to authenticate against a wide variety of SaaS applications. Finally, the whole product is built upon a progressive REST API, so you can operate JumpCloud 100% programmatically if you desire.
Resource: Guide to JumpCloud Platform Support
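As an added illustration (not JumpCloud’s code) of the group-based authorization an application performs once it has looked up a groupOfNames entry through LDAP: the LDIF and DNs below are constructed, and a real application would retrieve the entry over LDAPS after binding with a service account.

```python
"""Group-based authorization against an LDAP groupOfNames entry.

Constructed example: the LDIF below stands in for what an LDAP search of a
group returns. DNs, group and user names are made up.
"""
import re

# Constructed LDIF of a groupOfNames entry as an LDAP search would return it.
# Note the second member DN: mixed case and stray spaces are legal in DNs, so
# a naive string comparison would wrongly deny bob.
SAMPLE_GROUP_LDIF = """\
dn: cn=vpn-users,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
cn: vpn-users
member: uid=alice,ou=Users,dc=example,dc=com
member: UID=Bob, OU=Users, DC=example, DC=com
"""


def parse_ldif_entry(text):
    """Parse one simple LDIF entry into {attr: [values]}; attribute names are
    lower-cased. Base64 ('::') values and line continuations are not handled."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def normalize_dn(dn):
    """Canonicalise a DN for comparison: attribute types are case-insensitive,
    whitespace around ',' is insignificant, and values are lower-cased here
    because cn/uid/ou/dc all use caseIgnore matching. Escaped commas
    ('\\,') inside a value are kept as part of that value."""
    parts = []
    for rdn in re.split(r"(?<!\\),", dn.strip()):
        attr, _, value = rdn.strip().partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)


def is_member(group_entry, user_dn):
    """Authorization decision: is user_dn listed in the group's member values?"""
    classes = {v.lower() for v in group_entry.get("objectclass", [])}
    if "groupofnames" not in classes:
        raise ValueError("entry is not a groupOfNames")
    members = {normalize_dn(m) for m in group_entry.get("member", [])}
    return normalize_dn(user_dn) in members
```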
What about resources such as printers or network file shares?
Our support of protocols such as LDAP will enable you to bind to and authenticate access to NAS systems such as Synology. Printers too can be bound to Windows workstations through JumpCloud’s agent.
Resource: Command Tab Policy – Adding a Printer