Configure ADI: Manage users, groups and passwords in AD, JumpCloud, or both

The JumpCloud Active Directory Integration (ADI) enables the syncing of users, groups, and passwords between JumpCloud and on-premise or off-premise AD. As covered in Get Started: Active Directory Integration, the ADI uses two agents: an Import Agent and a Sync Agent that can be installed in three (3) configurations which are based on where you want to manage users, groups, and passwords:

  1. Manage users, groups, and passwords in AD
  2. Manage users, groups, and passwords in JumpCloud
  3. Manage users and passwords in either system, or both

This article provides a step-by-step guide for configuring ADI to manage users, security groups, and passwords in AD, JumpCloud, or both. This configuration provides the greatest flexibility. It allows AD and JumpCloud to manage user credentials and attributes together in unison, a full two-way sync. Users are able to change passwords within either AD or JumpCloud. It also supports a hybrid approach where specific information is managed in one system and other information is managed in the other system:

  • Data syncs bidirectionally between JumpCloud and AD.
  • Passwords managed in either system or both.
  • Users created, updated, and deactivated in either system or both.
  • User (security) groups created and managed in either system or both.
  • Group membership managed in either system or both.

System Requirements

  • 64-bit Windows Server (versions 2012, 2016, 2019, 2022)
    • Server Core installation is also supported for Windows Server versions 2016, 2019, and 2022.
  • 15MB disk space
  • 10MB RAM

Overview

  • Use both the ADI import agent and ADI sync agent.
  • Install agents on either domain controllers (DCs) or member servers.

Important:

To sync passwords from AD to JumpCloud, the import agent must be installed on all DCs.

  • Add users and security groups under the ADI security group in AD to sync from AD to JumpCloud.
  • Assign users and user groups to the AD instance in JumpCloud to sync from JumpCloud to AD.

Use Cases

  • Allow users to change passwords in JumpCloud, from JumpCloud managed device, and within AD.
  • Enable JumpCloud and AD to share responsibility over the user identities.
  • Add support for a mixed OS fleet and non-AD bound devices.
  • Extend user access to the Cloud for one or more of the following:
    • Access to SaaS applications using industry standard protocols SAML 2.0, and OIDC, for SSO, and SCIM for provisioning, syncing and deprovisioning. 
    • Access to Cloud RADIUS for Wifi and VPN.
    • LDAP based user auth for NAS drive mappings, networking gear, or logins to things such as Kubernetes clusters.
    • User provisioning, syncing, deprovisioning and access control to other Cloud Directories such as M365/Entra ID and Google Workspace in real-time.
  • Maintain an AD footprint but only for mission critical Windows servers, such as:
    • Business critical applications that must stay on-prem.
    • File and printer servers that cannot go away.
    • Domain Controllers, but likely fewer DC’s in fewer locations.
  • Manage profiles in one system and passwords in the other:
    • Manage passwords in JumpCloud to control credentials for Cloud resources and manage user profiles in AD to propagate the same information across all Microsoft solutions.
    • Manage passwords in AD for compliance purposes and manage profiles in JumpCloud to propagate to SaaS apps and other Cloud resources.
  • Import users from Cloud solutions that are not compatible with AD, such as an HRIS system:
    • Import users into JumpCloud and then sync those users from JumpCloud into AD.
  • Migrate away from AD completely.

Benefits

  • Future Flexibility & Agility
    • Once a user identity is in the Cloud, it can be extended more easily.
    • Option to take advantage of all capabilities available in JumpCloud’s Open Directory Platform with minimal effort, no need to find another point solution.
  • Automated Offboarding
    • Deactivating a user in AD will automatically suspended that user in JumpCloud within 60 seconds,resulting in a forced logoff on the user’s computer and the removal of access to the JumpCloud managed resources assigned to them, such as, SSO, RADIUS, LDAP, Password Manager, etc.
  • Easy deployment of non-Windows devices to users.
    • Let users pick between Windows, Mac or Linux, while still being able to enforce policies, push software, control OS patching, take remote control, and enforce MFA on that device.
  • Simplified end-user computer management
    • Remove the need for AD Domain Controller connectivity for all end-user computers. 
  • Users managed in the Cloud
    • You can create, suspend, manage users, passwords, and security group membership for JumpCloud. This saves you time by spent RDP’d into the DC’s and in the Active Directory Users and Computers (ADUC) interface.

Considerations

Important

  • API tokens are specific to each Admin account. Create a separate account for this integration to prevent the possibility of breaking the ADI connectivity to your JumpCloud organization when an Admin account is deleted.
  • If passwords are being managed in AD, an import agent must be installed on all Domain Controllers and downtime will need to be scheduled, because the installation requires a server reboot.
  • If passwords are being managed in JumpCloud, the import agent can be installed on a member server(s).
  • Password complexity requirements in AD and JumpCloud should be as closely aligned as possible to avoid passwords being rejected and failing to sync due to not meeting the complexity requirements.
  • Importing privileged user accounts, such as Domain Admins, into JumpCloud from AD or managing them in AD from JumpCloud isn’t supported.
  • The AD sync agent does not need to be installed on all servers.
  • Connect Keys are one-time use keys required for installing the sync agent on a new AD server.
  • We STRONGLY recommend installing and using LDAPS for the ADI. Configuring and using LDAPS on the Domain Controller that the Jumpcloud ADI agents will connect to secures any sensitive information that is exchanged between the Jumpcloud agents and the Domain Controller and protects against malicious users.
  • When multiple AD sync agents are installed, one is designated as the primary agent by the ADI service. All create and change requests are sent to that agent. If that agent becomes unavailable, another active sync agent is automatically designated as the primary.

Regular

  • The user attributes that sync are:
    • First Name
    • Last Name
    • Username
    • Email
  • Users you wish to sync from AD into JumpCloud or JumpCloud into AD must have defined <First Name> and <Last Name> attributes, i.e., the first name and last name fields cannot be empty.
  • The JumpCloud ADI import and sync agent services use TLS for all communication. If no network connectivity exists to JumpCloud, the ADI won’t work properly. 
  • An ADI integration specific Security Group (e.g., “JumpCloud”) must be configured within the root user container or root OU to import and sync users from AD to JumpCloud:
    • To sync users from AD to JumpCloud, users must be members of this ADI specific Security Group or members of a Security Group nested under this Security Group. 

Note:

In multi-domain environments, the security group must have a unique name within each domain (e.g., “JumpCloud (mydomain1)” and “JumpCloud (mydomain2)”)

  • The AD Domain and Root User container DN must be the same for both the AD import agent and AD sync agent. 
  • Non-standard ASCII characters are not supported in the Root User DN. 
  • We recommend that all users you plan to import from AD into JumpCloud live in a single OU or be nested underneath a chosen OU (Root user container) in AD. This can be the default CN=Users container in AD or an alternate custom OU in the directory.
    • If you relocate users in AD outside of the Root User Container, you could disrupt password synchronization, or remove users and groups from your JumpCloud instance, along with any associated data and resource associations.
  • If you relocate users in AD outside of the Root User Container, you could disrupt password synchronization, or remove users and 
  • ADI Import Agent settings in the jcadimportagent.config.json file control the behaviors that occur in JumpCloud when certain actions are taken on the user in AD.
    • Removing users from the JumpCloud integration Security Group within AD will either delete those users in JumpCloud and deprovision them from all bound resources or disconnect them from the AD integration, leaving them active in JumpCloud and allowing them to be managed in JumpCloud directly. The behavior is controlled by the UserDissociationAction setting in AD Import Agent configuration file.
  • You can specify which users to sync from AD to JumpCloud in 2 ways:
    • Individually by adding them to the security group created for this integration, located in the designated OU. 
    • Using groups located in or nested in the designated Root user container by adding those groups as a member of the JumpCloud Integration Security Group.
  • Importing privileged user accounts, such as Domain Admins in AD, from AD into your JumpCloud or managing those users in AD from JumpCloud isn’t supported. AD flags privileged accounts with “adminCount=1” in AD. The JumpCloud ADI Agents are not able to effectively manage those privileged accounts, thus causing errors and issues with User, attribute, and Password updates to JumpCloud. 
  • Each time you download an AD Sync agent, you receive a new Connect Key for that installation. Connect Keys are one-time use keys. Connect keys are not needed for updating an existing ADI sync agent.
  • The passwords for the server accounts used by the integration (e.g., jcimport and jcsync)should be rotated periodically for security reasons.
  • A reinstall of the same ADI import agent is treated as an update.
  • When updating an existing agent installation, only minimal installation screens are shown.
    • Directory for where the installation should occur
    • Finish screen
  • Demoting a DC installation to a member server and promoting a member server installation to a DC aren’t supported. The agent(s) must be uninstalled first and then installed on the other type of server.
  • As of ADI import agent 2.x, the following changes were made:
    • The default location for all agent related installation, configuration, and log files is C:\Program Files\JumpCloud\AD Integration\.
    • All references to AD Bridge changed to AD Import.
    • The jcimport username & password and the API key are stored in the registry instead of the ADI Import Agent configuration file. Both the password and API key are encrypted and the values in the registry are replaced with the encrypted value when the import agent starts.
  • As of ADI sync agent version 4.x, the following changes were made:
    • The default location for all agent related installation, configuration, and log files is C:\Program Files\JumpCloud\AD Integration\.
    • The ADI sync agent can be installed independently of the ADI import agent.
    • The ADI sync agent connect key is encrypted and the value in the registry is replaced with the encrypted value when the agent starts.
  • JumpCloud has a tool, called the ADMU, which is used to migrate end-user Windows computers from AD to JumpCloud.

Important:

The AD import agent installation requires a server reboot to complete the installation process.

Note:

You DO NOT need to reboot the servers after the AD Sync Agent installation.

Workflows

Two-way sync – single domain

Two-way sync – multiple domains

When the JumpCloud ADI is configured for AD Import and AD Sync, the following is the general user identity workflow and expected behavior for any user, group, and password changes after the AD Import and AD Sync agents have been configured:

  1. User identities can be created and managed from either JumpCloud or AD.
  2. An integration specific Security Group is configured within the root user container or root OU (e.g., “JumpCloud”).

Note:

In multi-domain environments, the security group must have a unique name within each domain (e.g., “JumpCloud (mydomain1)” and “JumpCloud (mydomain2)”).

  1. To sync user identities from AD to JumpCloud, user identities must be either members of the JumpCloud ADI Security Group directly, or members of another Security Group nested under that JumpCloud ADI Security Group. 
  2. To sync user identities from JumpCloud to AD, users must be connected directly to the ADI domain instance in JumpCloud or members of one or more user groups connected to the integration.
  3. Passwords can be changed within AD, JumpCloud, and JumpCloud-managed devices. After a password change, the new credential is then pushed to their corresponding directory user account within 90 seconds via the Import Agent or Sync Agent. 
  4. User Attribute changes can be updated within AD or JumpCloud. After any user attribute changes (i.e., First Name, Last Name, Username, E-mail, and Password), the JumpCloud Import or Sync Agent will sync these updates to the corresponding directory within 90 seconds. 
  5. Disabling or removing user Accounts will be dependent on the outcome needed and the UserDissociationAction setting in the AD import configuration file. The JumpCloud Import or Sync Agent will update the user-state for their correlating directory’s user account within 90 seconds.

Installation Steps Overview

The main steps you will take to install and configure AD for bi-directional use are:

  1. Complete the prerequisite checklist.
  2. Determine the Root User container in AD.
  3. Create the JumpCloud ADI Integration Security Group in AD.
  4. Create the AD Import Service Account.
  5. Create the AD Sync Service Account.
  6. Delegate control for the AD Import and AD Sync Service Accounts.
  7. Create an AD domain instance in JumpCloud.
  8. Select your configuration and download the agents.
  9. Run the the AD Import Agent installation wizard.
  10. Reboot each AD server where the import agent was installed.
  11. Verify the Import Agent Service started.
  12. Complete post-installation AD import agent configuration on each DC.
  13. Run the AD Sync Agent installation wizard.
  14. Verify AD sync and AD import agents in the JumpCloud Admin Portal.

Prerequisite Checklist

Before installing the AD import and AD sync agents, we recommend completing each of the following checklist items before continuing.

  1. Know your AD Domain Admin credentials.
  2. Decide whether you want to install the sync agents on your AD domain’s non-DC Domain Member Servers or Domain Controllers (DCs).
    • If you are installing theSchedule Downtime when installing the import agent on a DC – installation requires server reboot! 
    • If installing the AD sync agent on DCs, we recommend that you install the AD Sync agent on your Primary DC and any DC impacted by extended replication delays.

Important:

ADI import agent should only be installed on a member server when passwords are being managed from JumpCloud only (JumpCloud is the password authority). Passwords cannot be synced from AD to JumpCloud when the ADI import agent is installed on a member server.

  1. Verify you have access to all DCs or non-DC Domain Member Servers in the AD domain.
  2. Ensure your DCs or non-DC Domain Member Servers are running on a JumpCloud supported 64-bit Windows Server version (2012, 2016, 2019, 2022).
  3. Verify DCs or non-DC Domain Member Servers have networking access to the internet and are able to communicate outbound to console.jumpcoud.com over HTTPS port 443. 
  4. Create a dedicated Administrator account in JumpCloud that is specifically for the ADI.

Important:

API tokens are specific to each Admin account. Create a separate account for this integration to prevent the possibility of breaking the ADI connectivity to your JumpCloud organization when an Admin account is deleted.

  1. Generate and securely store the API key for the ADI dedicated Administration account.
  2. Verify all users to be synced from AD to JumpCloud and JumpCloud to AD have a value for first name and last name.
  3. Align password complexity requirements between AD and JumpCloud as closely as possible. Otherwise, passwords may not replicate if they’re rejected by the destination directory’s complexity requirements.
  4. (Recommended) Verify all users you plan to import into JumpCloud live in a single OU or be nested underneath a chosen OU (Root user container) in AD. This can be the default CN=Users container in AD or an alternate custom OU in the directory. 
  5. Review Advanced Configurations for the Active Directory Import Agent to understand the configuration settings available for the import agent and note any default values that need to be changed as part of the installation.
  6. (Strongly recommended) Install LDAPS.

Important:

We strongly recommend installing and using LDAPS for the ADI. Configuring and using LDAPS on the Domain Controller that the Jumpcloud ADI agents will connect to secures any sensitive information that is exchanged between the Jumpcloud agents and the Domain Controller and protects against malicious users.

Prepare for the Agent Installations in AD

Determine Root User Container

Prepare for the agent installations in AD by determining the Root User Container.

Important:

The AD Domain and Root User container DN needs to be the same for both the AD import agent and AD sync agent.

AD Import Agent

The JumpCloud AD Import agent is designed to integrate with AD’s default ‘Users’ container (CN=Users) which is pre-populated in the AD Users and Computers (ADUC) interface and labeled as “Users” as shown in the following image. (This is a default domain with no custom containers. In this use-case the Root Container is CN=Users;DC=example;DC=com). 

The import agent installation wizard assumes that this is the Root User container and uses this path in your AD Import agent configuration file. During installation, you’re prompted for the domain components (DC) used in your AD Domain (i.e., DC=example;DC=com). The installation wizard uses this base level domain information to construct the following Root user container DN (Distinguished Name).

EXAMPLE: CN=Users;DC=example;DC=com

Note:

If CN=Users isn’t the Root User Container you want to use in your AD instance, you can update the path in the agent configuration file, jcadimportagent.config.json, after the AD Import agent install completes. This is covered in the Configure AD Import Agent section below

AD Sync Agent

The AD sync agent installation wizard prompts you to enter the Root User Container during the JumpCloud AD sync agent installation. 

If you want to use AD’s default Root User container for the JumpCloud AD Integration, the value you will need to enter during the AD sync agent installation is CN=Users;DC=example;DC=com

If AD’s default Root User container (CN=Users) isn’t the Root User Container you want to use for your JumpCloud AD integration, follow the steps below to get the distinguishedName value you will need to enter during the AD sync agent installation. You will need to follow similar steps to update the Root User Container value in the AD import after the AD Import agent install completes.

  1. Verify the full LDAP path for the chosen Root user container you have selected in ADUC:
    1. From the ADUC panel’s View menu, enable Advanced Features
    2. Right-click the container and select Properties
    3. Select the Attribute Editor tab. 
    4. Select the “distinguishedName” attribute, then click View.
    5. Note the value. It will need to be entered during the AD sync agent installation.

Create the JumpCloud ADI Integration Security Group in AD

A Security Group for the integration must be created within the Root User Container you’ve defined in the previous step. This Security Group is required. Any member of this group will be synced from AD to JumpCloud.

Warning:

If you do not create this group or give it a unique name across domains, the ADI sync from AD to JumpCloud will fail to function properly.

  1. Open the ADUC Menu, click the Start button, type “dsa” and click the Active Directory Users and Computers icon.
  2. Find your Root User Container.
  3. Right-click the Root User Container’s folder and click New > Group.
    1. Ensure the Security Group is a Global Security Group.
    2. Give the Security Group a name that helps identify it as the group used by the ADI (e.g., “JumpCloud” for single domain environments, “JumpCloud (Domain)” for multi-domain environments).
    3. Click OK.

Warning:

In multi-domain environments, the security group must have a unique name within each domain (e.g., “JumpCloud (mydomain1)” and “JumpCloud (mydomain2)”).

Create the AD Import Service Account in AD

After you identify the ‘Root user DN’ that you want to use with your JumpCloud integration, you proceed by creating a new AD-based service account (standard user account) that allows the JumpCloud AD import agent to manage users and groups.

  1. Open the ADUC Menu, click the Start button, type “dsa” and click the Active Directory Users and Computers icon.
  2. Find your Root User Container.
  3. Right-click the container and click New > User.

Note:

This user cannot:

  • Be a Domain Administrator.
  • Be a member of the JumpCloud integration security group.
  • Have a username of “JumpCloud”.
  1. Enter the following values for the JumpCloud Import Service Account user:
    1. First Name: JumpCloud
    2. Last Name: Import
    3. User logon name: jcimport

Important:

Use jcimport to distinguish what this user is for and to which agent it is attached. The user logon name cannot be “JumpCloud”.

  1. Enter a password for the jcimport user and ensure that it is set to Never Expire since this will be a service account for the Import Agent.

Note:

This password should still be rotated periodically for security reasons.

  1. Click Save.

Create the AD Sync Service Account in AD

After you identify the Root User Container (‘Root user DN’) that you want to use with your JumpCloud AD integration, create a new AD-based service account (standard user account) that allows the JumpCloud AD sync agent to manage users and groups.

  1. Open the ADUC Menu, click the Start button, type “dsa” and click the Active Directory Users and Computers icon.
  2. Find your Root User Container, right-click the container and click New > User.

Note:

This user cannot:

  • Be a Domain Administrator.
  • Have a username of “JumpCloud”.
  • Be a member of the JumpCloud security group.
  1. Enter the following values for the JumpCloud Import Service Account user:
    1. First Name: JumpCloud
    2. Last Name: Sync
    3. User logon name: jcsync

Important:

Use jcsync to distinguish what this user is for and to which agent it is attached. The user logon name cannot be “JumpCloud”.

Warning:

The user logon name cannot be “JumpCloud”.

  1. Click Next
  2. Enter a password for the jcsync user and ensure that it is set to Never Expire since this will be a service account for the Sync Agent.

Note:

This password should still be rotated periodically for security reasons.

  1. Click Save.

Delegate Control for the AD Import and Sync Service Accounts in AD

Note:

If you will be using a Root user container DN other than the ‘Users’ default, you need to do these steps on that chosen container in your AD.

  1. Navigate to the Root User Container in ADUC that you have selected, right-click the container and select Delegate Control. This launches the Delegation of Control Wizard.
  2. Click Next.
  3. Add the newly created service account user to the Delegation of Control Wizard.
  4. Click Next, then select the following tasks:
    1. Create, delete, and manage user accounts.
    2. Reset user passwords and force password change at next logon.
    3. Read all user information.
    4. Create, delete, and manage groups.
    5. Modify the membership of a group.
  5. Click Next, then click Finish at the final screen.
  6. Right-click the Root User Container in ADUC again and select Delegate Control
  7. Click Next.
  8. Add the JumpCloud Import Agent account to the Delegation of Control Wizard.
  9. Click Next, then select Read all user information.
  10. Click Next, then click Finish at the final screen.

Install the AD Import and Sync Agents

Create an ADI Instance in JumpCloud

Create a new ADI domain instance in JumpCloud if one does not already exist.

  1. Log in to the JumpCloud Admin Portal.
  2. Go to Directory Integrations > Active Directory.
  3. Click ( + Add ADI Domain ).
  4. Enter the name of an Active Directory domain that you want to integrate with your JumpCloud tenant. For example, “DC=example;DC=com”.

Note:

The “DC” must be in capital letters. Each value must be separated with a semicolon (;), not a comma. There should be no spaces. The domain case must be the same as it is in the AD import configuration file.

  1. Click Save.

Select your configuration

  1. Expand the Manage users and passwords in either system, or both (most flexible) section.
  2. Click the checkbox for This is my use case.

Download the agents

  1. Click Download Import Agent.
  2. Choose the location where the agent will be downloaded.
  3. Click Save
  4. After downloading the agent, you’re reminded of the two values, your API key and your Org ID, that will be needed for the installation of the Import Agent.

Important:

If you already generated an API key but didn’t store it, you will need to regenerate it. Regenerating an API key will break any currently installed import agents and all other integrations using that API key. Be cautious with this option. See Rotate the Active Directory Import API Key for more information.

  1. Click Download Import Agent.
  2. Choose the location where the agent will be downloaded.
  3. Click Save
  4. You will be presented with the AD Sync Agent Installation Connect Key. This is the unique one-time use key that is required to connect the Sync Agent to your JumpCloud Org and this AD domain Integration within JumpCloud. You will input this key during the AD Sync Agent install in the steps below. 
  1. Save the downloaded installerS to the AD member servers or DC on which the agents will be installed.

Run the AD Import Agent Installation Wizard

Now you are ready to install the JumpCloud AD import agent.

Note:

If you are installing the AD import agent on your DCs, the AD import agent must be installed on all of the write capable DCs within the domain. This does not apply to Read-Only DCs (RODCs). 

If you are installing the AD import agent on non-DC domain member servers, we recommend installing on at least 2 servers.

  1. Browse to where you saved the AD Import installer file on the server. 
  2. Right-click the file, then select Run as administrator.
  3. The Install Wizard will start and prompt you to agree to the C++ license terms and conditions.
  1. Select the type of server on which you are installing the AD import agent

  1. If you selected Domain Controller, skip to step 9.
  2. If you selected Member Server for the server type, provide the FQDN or IP address for that server. We recommend using FQDN.

  1. Confirm your LDAP connection type and decide if you want to allow the use of LDAP if the connection using secure LDAP fails.d

Warning:

We STRONGLY recommend against allowing the use of LDAP if the connection using secure LDAP fails. LDAP is not secure and increases your potential risk of cyberattacks as it sends unencrypted data. Attackers can spy on the connection and intercept packets sent over the network. We STRONGLY recommend the use of LDAPS only for this integration.

Important:

If are installing the AD import agent on a DC and have not or cannot install LDAPS or TLS, you must select the "Allow insecure connection (LDAP) to a Domain Controller if secure connection fails"option. Otherwise, the integration will fail.

  1. If you checked Allow insecure connection (LDAP) to a Domain Controller, if secure connection fails, you must confirm that you understand the risk before you can proceed.
  1. Enter the AD Distinguished Name (DN) of the domain and click Next.

Note:

The domain name should match the case of the domain name entered in the JumpCloud Admin Portal. For example, example.com should be entered as "DC=example;DC=com".

  1. Enter the jcimport account and password, then click Next. Be sure to use the NetBIOS domain format and not the full DNS name. (For example, example\jcimport and the user password).

Tip:

If you’re unsure of the NetBIOS name, right-click the domain name in ADUC and select Properties. Use the value labeled Domain name (pre-Windows 2000).

  1. Enter the JumpCloud API Key for the dedicated Admin account created for the ADI, then click Next.
  1. Enter your JumpCloud Organization ID, then click Next.
  1. On Selecting the File Destination, leave the defaults and click Next.
  1. Click Install. The import agent will take about 1 to 2 minutes to install.
  1. Select Yes, restart the computer now to reboot your DC and click Finish.

Note:

You must reboot your DCs after the AD Import Agent installation!

Verify the JumpCloud AD Import Agent Service Started

Once your DC restarted, verify that the service started by confirming display name: “JumpCloud AD Integration Import Agent” ; service name: “JCADImportAgent”; is running in services.msc. If the service fails to start, you can review the agent logs at C:\Program Files\JumpCloud\AD Integration\JumpCloud_AD_Import.log 

Configure AD Import Agent

There are several configuration options that you should implement post-installation of the AD import agent. The recommended configuration updates are: 

  • Update LDAPS configuration file.
  • Modify the Root User Container Used by AD Import.
  • Update the security group name if your environment has multiple domains.

Verify and update default import settings described in Advanced Configurations for AD Import.

Tip:

To change any of the configuration options, start by opening the AD Import Agent configuration file using a text editor: C:\Program Files\JumpCloud\AD Integration\AD Import\jcadimportagent.config.json.

Modify the Root User Container used by AD Import

Important:

 The AD Domain and Root User container DN needs to be the same for both the AD import agent and AD sync agent.

If your Root User Container is the default CN=Users;DC=company;DC=com, you can skip this section.

If you’re using a different Root user container for managing AD resources with the AD Import agent, follow the steps below to modify the User container location in the agent configuration json file. 

  1. Verify the full LDAP path for the chosen Root user container you have selected in ADUC:
    1. From the ADUC panel’s View menu, enable Advanced Features
    2. Right-click the container and select Properties
    3. Select the Attribute Editor tab. 
    4. Select the “distinguishedName” attribute, then click View.
  1. In the AD Import Agent configuration file, replace the CN=Users;DC=company;DC=com reference in the LDAP section of the json configuration file with the “distinguishedName” value from ADUC, leaving the CN=JumpCloud security group reference in place. See the example below.

Important:

Be sure to place semicolons ( ; ) between the values, e.g., “CN=JumpCloud;OU=Corporate Users;DC=contoso;DC=com”

An example of the configuration file that has been changed from the Defaults to match what’s actually the true Root User Container. In the below example config, Example’s Root User Container needs to be, CN=JumpCloud;OU=Corporate Users;DC=example;DC=com.

Note:

You must create or relocate the JumpCloud security group to this Root user container and grant delegated control to the service account for AD Import agent integration. The LDAP values noted in this DN specify the explicit path to the location of the JumpCloud security group in your AD environment.

Modify the Security Group used by AD Import

You will need to update the security group name in the AD import configuration file to match the name you gave the JumpCloud integration Security Group in the Create the JumpCloud ADI Integration Security Group in AD above.

  1. Update the security group reference in the DN, CN=JumpCloud, to match the name you gave the JumpCloud integration security group.

Modify default Advanced Configuration settings for AD Import

Adjust the default configuration settings to control how the import works and what happens to users in JumpCloud when certain actions are taken in AD. These settings are considered advanced configurations. See Advanced Configurations for AD Import for more information.

Save the configuration changes and restart the AD import agent service

Note:

You do not need to restart the DC only restart the service to apply configuration changes.

Once all configuration changes have been made save them and restart the service.

  1. Save the jcadimportagent.config.json file.
  2. Restart the JumpCloud AD Import Agent service using the Windows Service Manager.

Run the AD Sync Agent Installation Wizard 

Now you are ready to install the JumpCloud Sync Agent on one or more member servers or your Primary DC and any DC within the domain that could experience replication delays.

Warning:

If you are installing the AD sync agent on DCs, do not install the AD Sync Agent on Read-Only DCs (RODCs).

  1. Browse to where you saved the AD Integration Sync installer file on your DC. 
  2. Right-click the file, then select Run as administrator.
  3. Once the Installer Wizard appears, click Next.
  1. On the Destination Folder screen, click Next.
  1. Select the type of server on which you are installing the agent, DC or non-DC member server, then click Next.
  1. f you chose Domain Controller, skip to step 9.
  2. If you chose Member Server as your server type, enter the information for the DC to which the member server should connect to sync data from JumpCloud to AD. We recommend using the FQDN for your DC.
  1. Confirm your LDAP connection type and decide if you want to allow the use of LDAP if the connection using secure LDAP fails.

Warning:

We STRONGLY recommend against allowing the use of LDAP if the connection using secure LDAP fails. LDAP is not secure and increases your potential risk of cyberattacks as it sends unencrypted data. Attackers can spy on the connection and intercept packets sent over the network.
We STRONGLY recommend the use of LDAPS only for this integration.

  1. If you checked Allow insecure connection (LDAP) to a Domain Controller, if secure connection fails, you must confirm that you understand the risk before you can proceed.
  1. Enter in the Root User Container you noted in the Determine the Root User Container in AD section above. If you’re using the default AD Root User Container, the value will be CN=Users;DC=company;DC=com. If you’ve chosen another Root User Container, enter the value you noted.
    • In this example, we’ve modified the Root User Container. The value is: OU=Corporate Users;DC=example;DC=com.

Important:

The AD Domain and Root User container DN needs to be the same for both the AD import agent and AD sync agent.

Note:

Case is important when entering the User Root DN, always use capital “OU”, “CN”, and “DC”.

  1. Enter the AD Sync Agent’s Service Account you’ve created. This should be the jcsync User Account you created in the Create the AD Sync Service Account section above. Then click Next.

Note:

Case is important when entering the Windows Login Domain, use the same case that was used when creating the AD domain instance in JumpCloud.

  1. Enter the Connect Key that was presented to you within the JumpCloud Admin Portal after downloading the AD Sync Agent. Then click Next.
  1. Finally, click the Install button to install the AD Sync Agent. This could take up to 3 minutes.

Note:

You DO NOT need to reboot the servers after the AD Sync Agent installation.

Congratulations! You’ve installed the AD Sync Agent. You are ready to verify that the AD Sync Agent is communicating properly.

Verify AD Import and AD Sync

Once you’ve installed the AD import and AD sync agents within your AD environment. You can easily verify that the JumpCloud AD Sync Agent is working. Please ensure the following are present and visible: 

  • The JumpCloud AD Sync Agent should be shown as green and active within the Admin Portal under Directory Integrations > Active Directory > Domain Integration > Domain Agents tab.

Important:

If the AD Sync Agent(s) or the AD Import Agent(s) are showing red or are in a non-connected state, please check services.msc to see if the services are running.

Additionally, 

  • JumpCloud User Group is now within your JumpCloud organization. The JumpCloud User Group should have a User Group icon with an AD badge in the User Group Details pane. See the example below:
    • Navigate to User Management > User Groups. You should see the JumpCloud User Group with a Microsoft badge next to it. Click on the User Group to open up its details.
  • When opened, you can see that the User Group has a Microsoft Badge and is also assigned to AD on the Directories tab.

Next Steps

Please read the Using and Managing the ADI article next.

Want additional assistance from JumpCloud? 

If you’re having issues with getting JumpCloud’s ADI working, try the Troubleshooting Guide. JumpCloud now offers myriad professional services offerings to assist customers with implementing and configuring JumpCloud. If you’re looking for assistance with Migrating from AD, or to integrate AD with JumpCloud, we recommend you reach out to JumpCloud’s Professional Services team on the following page: Professional Services - JumpCloud.

Back to Top

List IconIn this Article

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case