For IT admins at many organizations, on-prem domain controllers are a fact of life. Today’s companies can achieve the same results for access control and system management without a domain controller by opting for cloud-based directory services, but if your IT environment includes a large number of Windows® machines, you might still be relying on a Microsoft® domain controller.
Do you have a contingency plan if your domain controller goes down? If it does end up failing, you’re going to be in a predicament that’s both disruptive to your productivity and costly to your business.
JumpCloud’s cloud-based directory service is natively architected for high availability and redundancy across the globe, so it can help save the day when your domain controller goes down. JumpCloud can assist in the replacement or extension of your current Active Directory domain to the cloud using its own proprietary directory service. As long as your users have HTTPS/443 access, their access to different resources can be managed entirely from your web browser. With this cloud-based solution, you no longer have to worry about your hardware server’s health, redundancy, or maintaining database integrity of the Active Directory® (AD) domain controllers.
In this article, we’ll go over some of the scenarios that make an environment especially prone to AD failure while discovering how JumpCloud can help in these situations.
What can cause domain controllers to go down?
There are different risks to a domain controller’s vitality depending on where and how it’s hosted. If you’re running a traditional AD domain on Windows servers in a server rack onsite, several factors could cause domain controllers to go down or become unreliable. These scenarios include power outages, network outages, AD database corruption, and hardware failure.
Those are just a few ways that a domain controller or your AD domain could be crippled. Even worse is if you’re running a single domain controller in a domain with no AD database backups, secondary domain controllers, or additional hardware available to reinstall Windows Server and Active Directory.
Running Active Directory on servers locally may bring some benefits to the company and its users, but without a proper crisis plan or backup in place, getting AD back to its original state might be impossible without a total rebuild. Rebuilds could take admins hours—if not days—depending on factors such as the number of users, computers, objects, and policies. Backups and redundancy are essential to running a proper AD domain. If the environment doesn’t have a way to be backed up, then a full rebuild may be the only way to get Active Directory up and running again.
Keeping up with licenses and versions is another expense and chore for IT admins. In January 2020, Microsoft ended extended support for Windows Server 2008 R2 and earlier releases, so those versions no longer receive security updates. If a domain controller running such a release suffers a critical failure, it may be in an unsupported or unrecoverable state, putting your business’s security and operations at risk.
Single Domain Controller Scenarios & JumpCloud
Many small and medium-sized businesses running Active Directory also run a single domain controller in their domain, whether because of complexity, cost, or user count.
In this type of environment, AD domain controllers should be backed up regularly and, ideally, run as two or more instances so that replication and high availability are sustained. Creating a highly available and redundant domain with proper backups, disaster recovery plans, and stability comes at an increased cost and complexity. Extra hardware, dedicated offsite real estate, networking gear, and licensing might all come into play when adding a secondary domain controller.
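Before any of the failure scenarios below play out, it is worth knowing whether the domain actually has a usable backup and a healthy replication partner. The following is an added example, not from the original article: a short audit run as a domain administrator on a domain controller with the AD PowerShell module and the repadmin/dcdiag tools installed. It assumes a dedicated backup volume at E: and the Windows Server Backup feature; both are assumptions for illustration.

```powershell
# Added example (not from the original article): health and backup audit for an
# on-prem AD domain. Run as a domain admin on a DC with RSAT tools present.

# 1. Replication summary across all DCs. Failures here mean a "secondary DC"
#    may be stale and not the safety net you think it is.
repadmin /replsummary

# 2. Last system state backup per naming context. A partition with no recent
#    date has not been backed up on this DC.
repadmin /showbackup

# 3. Core DC diagnostics; /q prints only failures.
dcdiag /q

# 4. Tombstone lifetime: a backup older than this cannot be restored at all.
#    The attribute is unset on old forests, where the default is 60 days.
$config = (Get-ADRootDSE).configurationNamingContext
$dsSvc  = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$config" -Properties tombstoneLifetime
$ttl    = if ($dsSvc.tombstoneLifetime) { $dsSvc.tombstoneLifetime } else { 60 }
"Tombstone lifetime (days): $ttl"

# 5. Count domain controllers: one DC means no replication partner to fail over to.
$dcs = @(Get-ADDomainController -Filter *)
"Domain controllers: $($dcs.Count)"
if ($dcs.Count -lt 2) { Write-Warning "Single domain controller: no replication partner." }

# 6. Take a system state backup now (assumed target volume E:; requires the
#    Windows Server Backup feature: Install-WindowsFeature Windows-Server-Backup).
wbadmin start systemstatebackup -backupTarget:E: -quiet
```

Run this on a schedule, not once: the restore path the rest of this article relies on only exists if the most recent backup is younger than the tombstone lifetime and replication was healthy when it was taken.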
JumpCloud’s Directory-as-a-Service extends your current AD domain users, groups, and their credentials into its cloud-based directory platform. JumpCloud’s Active Directory Integration (ADI) tool allows changes to users, passwords, and user-state within a 90 second cadence leveraging two agents: AD Import and AD Sync.
By leveraging JumpCloud, you can extend your Active Directory users and their credentials to resources that authenticate over other protocols, such as RADIUS, LDAPS, and hundreds of SAML applications. If a domain controller then fails, the only resources that become unavailable are the domain-bound ones. Everything else that makes work happen (SAML apps, LDAPS-connected file shares, RADIUS Wi-Fi, G Suite, O365, and more) stays available to employees, because those resources are managed by JumpCloud while user credentials remain in sync with the AD domain.
If a restore is possible in this scenario, the admin could go through Active Directory’s restore process to get the domain back online while their users continue using JumpCloud-bound applications and resources. If there was no restore available or if it was full hardware failure, it might be beneficial to migrate entirely from Active Directory to JumpCloud. JumpCloud has methodologies to manage systems, users, and security policies similar to Active Directory. (See how JumpCloud can help Migrate Users from Active Directory.)
If your domain controller becomes unrecoverable but the hardware remains intact, you can repurpose the server as a local DHCP, DNS, or SMB file server for your company. This way, you keep the server you already have and reuse it for other roles your company needs without additional capex or opex. JumpCloud can also manage this repurposed Windows server with its system agent, so you can remotely manage its users and policies with ease.
How can JumpCloud save the day when an AD rebuild isn’t possible?
If a disaster scenario occurs and a rebuild isn’t possible for your domain controller, JumpCloud can get your business directory and security needs back up and running in a few different ways.
With JumpCloud’s Active Directory Integration
If you’re running a domain controller alongside JumpCloud’s ADI, your users and their passwords are synchronized to JumpCloud bidirectionally. This means that a user’s password can be changed in either AD or JumpCloud and will be propagated to the other directory.
If a critical failure occurs on the domain controller where a rebuild or restore isn’t possible, you may want to consider moving from this hybrid configuration entirely into JumpCloud as your primary directory.
Your first step would be to leverage JumpCloud’s Active Directory Migration Utility (ADMU) to help migrate your domain users and domain-bound systems to JumpCloud-managed systems and local users on the Windows systems.
Additionally, you could take a few other steps to help flip the JumpCloud users in your JumpCloud tenant from AD-managed to JumpCloud-managed with the following commands outlined in JumpCloud’s Public GitHub Wiki.
To leverage the commands below, you’ll first need to install the JumpCloud PowerShell module:
Install-Module JumpCloud -Scope CurrentUser
Next, connect to your JumpCloud tenant with the module’s connect cmdlet and an API key generated in the Admin Portal. With a session established, the three commands below release users from AD management at three scopes: a single user, a user group, or every user in the tenant.
To set a single user from AD-managed to JumpCloud-managed:
Set-JCUser -Username bobby.boy -externally_managed $false
This releases user ‘bobby.boy’ from AD Import or Sync so the user account can be fully managed by JumpCloud.
Get-JCUserGroupMember -GroupName Dev | Set-JCUser -externally_managed $false
This releases all users in the JumpCloud user group ‘Dev’ from AD Import or Sync so their user accounts can be fully managed by JumpCloud.
Get-JCUser | Set-JCUser -externally_managed $false
This releases every user in the tenant from the Active Directory binding at once, so all accounts become entirely managed by JumpCloud. Review the output of Get-JCUser before running it: it touches every account in the tenant, not only those imported from the failed domain.
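The three commands above do the job, but in a real outage you want to see what you are about to change and confirm the change took. The following is an added example, not from the original article or JumpCloud’s wiki, that wraps the same Set-JCUser call in a review-then-verify flow. It assumes the module’s Connect-JCOnline cmdlet with an API key stored in an environment variable named JC_API_KEY (the variable name is an assumption), that the user objects returned by Get-JCUser carry the externally_managed property, and that the AD Import/Sync agents on the failed domain controller are no longer running (otherwise they would keep re-asserting AD as the source of truth).

```powershell
# Added example (not from the original article): release only the users still
# flagged as AD-managed, after listing them, then verify none remain.
# Assumes: JumpCloud PowerShell module, API key in $env:JC_API_KEY, and the
# AD Import/Sync agents on the dead DC stopped or uninstalled.

Install-Module JumpCloud -Scope CurrentUser
Import-Module JumpCloud
Connect-JCOnline -JumpCloudApiKey $env:JC_API_KEY -force

# Review first: which users are still flagged as externally managed?
$adManaged = @(Get-JCUser | Where-Object { $_.externally_managed -eq $true })
"$($adManaged.Count) user(s) still managed by AD:"
$adManaged | Select-Object username, email | Format-Table -AutoSize

# Flip only those users. Cloud-only users and service accounts are untouched,
# which a bare "Get-JCUser | Set-JCUser" would not guarantee.
$adManaged | Set-JCUser -externally_managed $false | Out-Null

# Verify: anything left bound to AD means an agent is still syncing.
$remaining = @(Get-JCUser | Where-Object { $_.externally_managed -eq $true }).Count
if ($remaining -eq 0) {
    "All users are now JumpCloud-managed."
} else {
    Write-Warning "$remaining user(s) still externally managed; check AD Import/Sync agent status."
}
```

Once released, each user keeps the password last synchronized from AD; from that point on password changes happen in JumpCloud and are pushed to the user’s bound resources.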
Without JumpCloud’s Active Directory Integration
If your AD domain controller fails or reaches an unrecoverable state without a restore possibility, JumpCloud can step in to become the primary cloud-based directory fulfilling your security and directory needs, entirely from your web browser.
There are several ways to get users into JumpCloud. It integrates with several different directories, giving you a secondary method to load your users into JumpCloud and start building out the services, resources, and security policies you need to meet your compliance requirements.
Once users are imported into JumpCloud, you can then move forward with JumpCloud’s ADMU (Active Directory Migration Utility) to migrate your AD domain-bound Windows systems to JumpCloud-managed systems. This will unbind the system from Active Directory, convert the AD user account to a local user account, and then install the JumpCloud System Agent automatically for you.
Once you’ve got both the users and systems added to JumpCloud, you can bind each JumpCloud user to their JumpCloud system. As long as the JumpCloud username and the Windows local username match, JumpCloud will take over the profile and enforce the password that the JumpCloud user has set. This all happens within 60 seconds of binding.
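The username match is the whole trick, so it pays to check it before binding rather than discover an orphaned profile afterwards. The following is an added example, not from the original article: it takes a hostname-to-local-username inventory recorded during the ADMU migration (the inventory here is constructed for illustration), looks up the enrolled system and the JumpCloud user, and binds them only when both exist with exactly matching names. It assumes an active Connect-JCOnline session and the module’s Get-JCSystem, Get-JCUser, Get-JCSystemUser and Add-JCSystemUser cmdlets.

```powershell
# Added example (not from the original article): bind migrated users to their
# systems, refusing to bind when the username on either side does not match.
# Assumes an existing Connect-JCOnline session.

# Constructed inventory, as ADMU would leave you with after conversion:
$inventory = @(
    @{ Hostname = 'WS-FIN-01'; LocalUser = 'bobby.boy' },
    @{ Hostname = 'WS-ENG-07'; LocalUser = 'alice.lee' }
)

$systems = Get-JCSystem
$users   = Get-JCUser

foreach ($entry in $inventory) {
    $sys  = $systems | Where-Object { $_.hostname -eq $entry.Hostname }
    $user = $users   | Where-Object { $_.username -eq $entry.LocalUser }

    # Takeover only works on an exact name match, so skip rather than guess.
    if (-not $sys)  { Write-Warning "$($entry.Hostname): system not yet enrolled (agent missing?)"; continue }
    if (-not $user) { Write-Warning "$($entry.LocalUser): no JumpCloud user with this exact username"; continue }
    if ($user.username -cne $entry.LocalUser) {
        Write-Warning "$($entry.LocalUser): case differs from JumpCloud username $($user.username); fix before binding"
        continue
    }

    # Idempotent: do not re-bind a user that is already on the system.
    $already = Get-JCSystemUser -SystemID $sys._id | Where-Object { $_.username -eq $user.username }
    if ($already) { "$($user.username) already bound to $($sys.hostname)"; continue }

    Add-JCSystemUser -Username $user.username -SystemID $sys._id | Out-Null
    "$($user.username) -> $($sys.hostname): bound; the agent enforces the JumpCloud password within about 60 seconds"
}
```

Binding with Add-JCSystemUser grants standard-user access; add the cmdlet’s -Administrator switch only for the accounts that genuinely need local admin rights, since the binding is what the agent enforces from now on.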
Enforcing System Policies to specific systems or to entire system groups is much easier than with Active Directory and can be done entirely within the JumpCloud Admin Portal. Check out JumpCloud’s Knowledge Base for more details on System Policies, User Naming Conventions, and User Resource Bindings.
How does JumpCloud’s Directory-as-a-Service avoid a traditional domain controller failure?
JumpCloud was designed to be an alternative to Active Directory and LDAP. It can act as the single, central directory for many different resources and protocols, from Office 365 and G Suite to the hundreds of SAML applications your organization might use. It was built on a secure, robust cloud platform spread across multiple high-availability zones that are continuously maintained and monitored by our team.
Since it’s vendor and operating system agnostic, JumpCloud is one step ahead of the competition. Its system management capabilities are robust, with a small, light-weight agent that is installed on all of your machines, regardless of OS. Users can log in and access their systems from anywhere, whether it be online or offline.
JumpCloud’s System Agent manages local accounts as well as local system policies. When online, the system agent checks in every 60 seconds to see if there are any updates for the user, system, or associated policies.
In this way, system and user management is entirely done in the cloud—meaning no servers, no RDP, and only one platform to govern your resources. All management and administration is done within a single pane of glass. JumpCloud’s Admin Console gives you and your IT team the flexibility of administering all from within a browser window.
Need MFA as well? We’ve got you covered. JumpCloud provides MFA for systems, applications, and RADIUS-bound networks such as VPNs. Security is always top-of-mind when we develop new and exciting features in the platform. Check out our security practices on our website for more details.
JumpCloud is transparent on its pricing model and is tailored for cloud-forward, mixed platform environments. Your first 10 users are free for life. You pay only for what you need based on two pricing models: Pro and Build-Your-Own-Directory™ (BYOD). The Pro plan includes all protocols, system management, and the base directory, while the BYOD pricing model allows you to pick and choose the different protocols, resources, and items you need for your business. Try JumpCloud today.