How Can JumpCloud Save the Day if Your Active Directory Domain Goes Down?

Published 2023-04-26 (updated 2024-11-05), https://jumpcloud.com/blog/active-directory-domain-down-solution

On-prem domain controllers are a fact of life for IT admins at many organizations. You probably inherited whatever IT infrastructure you’re using, but that may just be technical debt. Many companies can achieve the same results for access control and system management without a domain controller by opting for cloud-based directory services. IT environments that have many Windows® machines can keep their domain controller and extend what’s possible for identity and access management (IAM) and manage devices (including non-Windows) via the cloud.

Not every organization is sold on the benefits of cloud-based IT management, but it’s worth considering because it can also eliminate some of the worst operational risks. Ask yourself: do you have a contingency plan if your domain controller goes down? If it does fail, you’re going to be in a predicament that’s both disruptive to your productivity and costly to your business. That scenario is where cloud services deliver higher availability as well as the capacity to manage identities and securely access resources wherever they may exist.

JumpCloud’s open directory platform is architected for high availability and redundancy across the globe, so it can help save the day when your domain controller goes down while doing more to manage identities and access than Active Directory (AD) itself. It also assists in replacing or extending your current Active Directory domain to the cloud using its open directory. Users access resources using the best authentication methods, entirely from a web browser. With this cloud-based solution, you no longer have to worry about your hardware server’s health, redundancy, or maintaining the database integrity of AD domain controllers.

This article covers some of the scenarios that make an environment especially prone to AD failure and explains how JumpCloud can help in these situations.

What Can Cause Domain Controllers to Go Down?

There are different risks to a domain controller’s uptime depending on how it’s being hosted. If you’re running a traditional AD domain on Windows servers in a server rack on-site, several factors could cause domain controllers to go down or become unreliable: power outages, network outages, AD database corruption, and hardware failure.


Those are just a few ways that a domain controller or your AD domain could fail. Running a single domain controller in a domain with no AD database backups, no secondary domain controllers, and no spare hardware available to reinstall Windows Server and Active Directory is an even worse scenario. That’s not an uncommon situation: hardware is expensive.

Running Active Directory on local servers may bring some benefits to the company and its users, but without a proper crisis or backup plan in place, getting AD back to its original state might be impossible without a total rebuild. Rebuilds could take admins hours, if not days, depending on factors such as the number of users, computers, objects, and policies. Backups and redundancy are essential to running a proper AD domain; if the environment isn’t backed up, a full rebuild may be the only way to get Active Directory up and running again.

Keeping up with licenses and versions can be another expense and chore for your IT admins. Windows Server’s core licensing model may cost more than you think, and licensing for Microsoft’s Azure cloud services (as a failover) is difficult to unpack. Given the associated licensing costs and complexities, domain controllers that suffer a critical failure could end up in an unsupported or unrecoverable state, putting your business’s security and operations at risk.

Why Not Use Azure AD (AAD) Connect?

Microsoft makes it possible to authenticate via the cloud using Azure Active Directory and its AAD Connect middleware. Your domain controller remains the “source of truth,” but AAD can handle authentications. There’s a 1:1 relationship between each synced AD object and an AAD tenant. This topology requires a subscription to AAD and installing AAD Connect.

A single domain controller will remain a single point of failure, even with AAD Connect configured with a secondary server in staging mode for disaster recovery. AAD Connect aids in disaster recovery but adds IT overhead. Azure AD Connect cloud sync is a newer offering that uses an agent-based approach, but its capabilities are more limited than AAD Connect’s, e.g., no Azure AD Domain Services support. Neither approach will continue to manage your devices; that’s another subscription. JumpCloud can be configured as hybrid infrastructure, but also works domainless.

Single Domain Controller Scenarios & JumpCloud

Many small and medium-sized businesses (SMBs) running Active Directory might also be running a single domain controller in their domain. This could be due to complexity, cost, or user count.

AD domain controllers in this type of environment should be continuously backed up or run as multiple instances so that replication and high availability are sustained. Creating a highly available and redundant domain with proper backups, disaster recovery plans, and stability comes at increased cost and complexity. Extra hardware, dedicated off-site real estate, networking gear, and licensing all come into play when creating a secondary domain controller.


JumpCloud’s open directory platform extends your current AD domain users, groups, and their credentials into its cloud-based directory. JumpCloud’s Active Directory Integration (ADI) tool propagates changes to users, passwords, and user state on a 90-second cadence using two agents: AD Import and AD Sync. JumpCloud extends Active Directory’s users and their credentials to multiple protocols such as RADIUS and LDAPS and to hundreds of SAML applications. Multi-factor authentication (MFA) is environment-wide, and modern authentication is available for better security and to safeguard against MFA fatigue attacks.

This way, if a domain controller were to fail, the only resources that would be unavailable are the domain-bound ones. All other resources that make work happen (SAML apps, LDAPS-connected file shares, RADIUS Wi-Fi, Google Workspace, M365, and more) would still be available for employees. Authentication would be handled by JumpCloud while user credentials remain in sync with the AD domain, with AD serving as the identity provider (IdP).

If a restore is possible in this scenario, the admin could go through Active Directory’s restore process to get the domain back online while users continue using JumpCloud-bound applications and resources. If no restore is available, or if the hardware failed completely, it might be beneficial to migrate entirely from Active Directory to JumpCloud. JumpCloud has methodologies to manage systems, users, and security policies similar to Active Directory. (See how JumpCloud can help migrate users from Active Directory.)

If your domain controller becomes unrecoverable but the hardware remains intact, you could consider repurposing the server as a local DHCP, DNS, or NTFS file share for your company. This way, you keep the server you already have and repurpose it for other roles and tasks your company needs without taking on additional capex or opex. JumpCloud can also help manage this repurposed Windows server with its system agent so you can remotely manage users and policies with ease.

How Can JumpCloud Save the Day When an AD Rebuild Isn’t Possible?

JumpCloud can get your business’s directory and security needs back up and running in a few different ways if a disaster scenario occurs and a rebuild of your domain controller isn’t possible. This section explores JumpCloud’s benefits in hybrid and domainless configurations.

With JumpCloud’s Active Directory Integration

If you’re running a domain controller alongside JumpCloud’s ADI, your users are exported to JumpCloud along with their passwords, and the sync is bidirectional. This means that a user’s password can be changed in either AD or JumpCloud and will be propagated to the other directory when both JumpCloud’s import and sync agents are configured.

If a critical failure occurs on the domain controller where a rebuild or restore isn’t possible, you may want to consider moving from this hybrid configuration entirely into JumpCloud as your primary directory.

Your first step would be to use JumpCloud’s Active Directory Migration Utility (ADMU) to migrate your domain users and domain-bound systems to JumpCloud-managed systems and local users on the Windows systems.

Additionally, you can take a few other steps to transition the JumpCloud users in your tenant from AD-managed to JumpCloud-managed with the following commands, outlined in JumpCloud’s public GitHub Wiki.

To use the commands below, you first need to install the JumpCloud PowerShell Module:

    Install-Module JumpCloud -Scope CurrentUser

You can then connect to your JumpCloud tenant with the following command:

    Connect-JCOnline

Use these three copy-paste commands from JumpCloud’s PowerShell Module:

Setting a single user from AD-managed to JumpCloud-managed:

    Set-JCUser -Username bobby.boy -externally_managed $false

This releases user ‘bobby.boy’ from AD Import or Sync so the user account can be fully managed by JumpCloud.

Setting every user in a JumpCloud user group from AD-managed to JumpCloud-managed:

    Get-JCUserGroupMember -GroupName Dev | Set-JCUser -externally_managed $false

This releases all users in the JumpCloud user group ‘Dev’ from AD Bridge so their user accounts can be fully managed by JumpCloud.

Setting all users in the tenant from AD-managed to JumpCloud-managed:

    Get-JCUser | Set-JCUser -externally_managed $false

This releases the Active Directory domain binding for every user in the tenant, so each becomes a user account entirely managed by JumpCloud.

Without JumpCloud’s Active Directory Integration

If your AD domain controller fails or reaches an unrecoverable state with no possibility of a restore, JumpCloud can step in as the primary cloud-based directory fulfilling your security and directory needs, entirely from your web browser.

There are several ways to get users into JumpCloud: