Plan for high availability and disaster recovery

The unique requirements of your orgThe Okta container that represents a real-world organization. determine how you implement high availability and disaster recovery processes. These guidelines are intended to help you determine what options are available.

The Okta AD agentA software agent is a lightweight program that runs as a service outside of Okta. It is typically installed behind a firewall and allows Okta to tunnel communication between an on-premises service and Okta's cloud service. Okta employs several agent types: Active Directory, LDAP, RADIUS, RSA, Active Directory Password Sync, and IWA. For example, users can install multiple Active Directory agents to ensure that the integration is robust and highly available across geographic locations. does not perform load balancing. Traffic is directed to the first available agent.

To get started, you'll need to answer the following questions:

Use case

A use case is often the best way to demonstrate how high availability and a good disaster recovery plan can help your organization get the best out of its AD integration. In this use case, Example Corp has three data centers:

  • A physical data center in Atlanta that is always available.
  • An Amazon AWS data center that is always available.
  • A cold backup data center that is used for disaster recovery if the two live data centers are unavailable.

With the integration, it does not matter whether the data centers are physical or virtual instances. They are assigned the same significance.

If the Atlanta and AWS data centers are always available, and each instance has one or more Okta AD agents installed, then traffic is routed to the active agents, regardless of their location.

Okta AD agents installed on the cold data center servers are listed as inactive in the Okta AdminAn abbreviation of administrator. This is the individual(s) who have access to the Okta Administrator Dashboard. They control the provisioning and deprovisioning of end users, the assigning of apps, the resetting of passwords, and the overall end user experience. Only administrators have the Administration button on the upper right side of the My Applications page. Console. After 30 days of inactivity, the assigned API tokens expire. If Example Corp needs to route traffic to their cold backup data center, they'll need to re-install the Okta AD agents. For this reason, Okta recommends that Example Corp install the Okta AD agents on their cold data center servers when they are needed.

To determine the number of agents Example Corp should install in each data center, they'll need to consider what their fault tolerance is and what high availability or disaster recovery scenarios they want to prepare for:

  • The Atlanta data center experiences full failure, traffic moves to the Amazon AWS data center. If Amazon AWS fails, traffic moves to the cold data center.
  • If either Atlanta or Amazon AWS fail, the cold data center is brought online.

Answering these questions can help you determine a strategy for your AD integration:

  • What is our risk tolerance? 
  • Are you planning for individual agents, the machines they are installed on, or entire data centers to be unavailable? 
  • How do the Okta recommendations fit with your existing high availability or disaster recovery procedures?