AD-CS connector

Asifahmed
New Contributor III

If I have Jamf Cloud and I have integrated my Jamf Cloud with Azure AD for device compliance, and am also registering the Mac in AAD, do I still need the AD-CS connector to get the certificate? If yes, then why? And should this AD-CS connector run in the DMZ?

How can I know if the AD-CS connector is integrated properly in my Jamf? Is it from Settings/PKI Certificate/Certificate authority?


sdagley
Esteemed Contributor II

@Asifahmed The Device Compliance integration between Jamf Pro and Intune does nothing to enable proxying certificate installs via Jamf Pro like the AD CS Connector allows.

My org uses the Jamf PKI Proxy instead of the AD CS Connector so I can't speak of the latter from first hand experience, but you should be able to check the status of your AD CS Connector instance by going to Settings->Global->PKI certificates->Certificate Authorities and clicking the View button for it.

Asifahmed
New Contributor III

I am using the JSS Built-in CA for enrollment, and we are using a local user account on the endpoint. Do we still need the AD-CS connector?

sdagley
Esteemed Contributor II

That depends on whether you need to install certificates from your organization's CA. Some examples of needing that would be certificates for 802.1x Wi-Fi or VPN authentication.

Asifahmed
New Contributor III

Makes sense, and does AD-CS run in the DMZ? I mean, as I am on Jamf Cloud, how will it speak to my cloud Jamf?

sdagley
Esteemed Contributor II

AD CS Connector is designed to communicate with an on-prem AD system, so yes it would need to live in your DMZ for that to work.

Asifahmed
New Contributor III

If an organization uses a JIM server, will AD-CS work properly in that case?

sdagley
Esteemed Contributor II

A JIM instance and an AD CS Connector instance can be run on the same server, but they are separate services and one does not require the other to function.

Asifahmed
New Contributor III

So are we integrating the AD-CS connector with Jamf only for one certificate (the AD certificate), or does it have a different purpose? If it is only one cert, then why can't we push it through a config profile and renew it before expiration?

BTW, I can't see AD-CS here: Settings->Global->PKI certificates->Certificate Authorities and clicking the View button for it. It is only showing Other apart from Jamf Pro Built-in CA.

The AD-CS connector has to be in an accessible network segment, DMZ or similar. The Connector speaks to your ADCS server on your internal network and acts as a proxy, directly handing certificates to Jamf Pro in the cloud. Jamf Pro then relays that cert to the device (in the typical setup). When you set up the ADCS Connector it will ask for certain information.
https://learn.jamf.com/bundle/technical-paper-integrating-ad-cs-current/page/Integrating_with_Active...

Asifahmed
New Contributor III

Under Settings->Global->PKI certificates->Certificate Authorities I can see Jamf Pro Built-in CA and Other, but no AD-CS by name. If I go to Computers/Configuration Profiles/Certificate and click the "Select Certificate" option, there is no such name as AD-CS either. Any idea on this?

sdagley
Esteemed Contributor II

That would indicate you do not have an AD CS Connector properly configured to communicate with your Jamf Pro instance.

AJPinto
Honored Contributor II

Jamf's logging for the AD CS Connector is minimal at best. I recommend going to the Windows Server and looking over the API logs to get an idea of what is going on. The default log path is C:\inetpub\Logs\LogFiles\, but you can check IIS to see where the files are.

The AD CS Connector sets up with a local account by default, and you have to change the configuration to use a domain account. If the local account does not have access to request certificates from the template on your AD CS, it will fail.
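As an added example (not code from the thread or from Jamf), a small Python script that summarises failed requests in an IIS W3C log of the kind the reply above points to under C:\inetpub\Logs\LogFiles\. The log lines and the /api/v1/certificate URI are constructed; the field list is the IIS default.

```python
"""Summarise failed requests in an IIS W3C log written by the AD CS Connector's web service."""
from collections import Counter
from typing import Iterator

# Constructed sample of an IIS W3C log. The URI stem is hypothetical; the #Fields
# line is the IIS default field set. sc-win32-status 5 is ERROR_ACCESS_DENIED,
# which is what a service account lacking enrol rights on the template tends to produce.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-01-15 08:00:01 10.0.0.5 POST /api/v1/certificate - 443 - 52.1.2.3 Jamf-Pro - 200 0 0 120
2024-01-15 08:00:07 10.0.0.5 POST /api/v1/certificate - 443 - 52.1.2.3 Jamf-Pro - 500 0 5 94
2024-01-15 08:00:09 10.0.0.5 POST /api/v1/certificate - 443 - 52.1.2.3 Jamf-Pro - 500 0 5 91
2024-01-15 08:01:30 10.0.0.5 GET /api/v1/certificate - 443 - 198.51.100.9 curl/8.0 - 401 2 5 3
"""


def parse_w3c(text: str) -> Iterator[dict]:
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # the header repeats after an IIS restart
        elif line.startswith("#") or not line.strip():
            continue                         # other directives and blank lines
        elif fields:
            values = line.split()
            if len(values) == len(fields):   # skip truncated or partial lines
                yield dict(zip(fields, values))


def failure_summary(text: str, min_status: int = 400) -> dict:
    """Count requests with sc-status >= min_status by (client IP, URI, status, substatus, win32)."""
    counts = Counter()
    for rec in parse_w3c(text):
        if int(rec["sc-status"]) >= min_status:
            key = (rec["c-ip"], rec["cs-uri-stem"], rec["sc-status"],
                   rec["sc-substatus"], rec["sc-win32-status"])
            counts[key] += 1
    return dict(counts)


if __name__ == "__main__":
    # Most frequent failures first: client, URI, status.substatus and the Win32 error code.
    for key, n in sorted(failure_summary(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        ip, uri, status, sub, win32 = key
        print(f"{n:4d}  {ip:15} {uri:22} {status}.{sub}  win32={win32}")
```

Point it at a real log with `failure_summary(open(path).read())`; repeated 500s with win32 status 5 from the Jamf Pro address are the pattern to check against the template permissions of the connector's service account.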

Asifahmed
New Contributor III

Ok, so my next question is: if I go to Settings/PKI Certificate/Certificate authorities, why do we see so many certificates under Jamf Pro Built-in CA, and a good number under Other as well? Where are all these certs coming from?