Install multiple Okta Active Directory (AD) agents
To configure high availability, install additional AD agents on separate servers or virtual machines. We recommend setting up two or more AD agents per domain.
Note: Installing multiple agents in close geographical proximity to your users does not enhance performance. When you have multiple agents installed, Okta randomly selects which agent handles each request, so user location is not a factor. In addition, installing a large number of agents can cause problems when the system performs status checks on them.
Setting up a second AD agent follows the same steps as setting up your first agent. If you created the Okta service account when installing the first AD agent, you are prompted for that account's password during the second agent installation.
To install additional AD agents on a domain
- Select Directory > Directory Integrations.
- Click Active Directory.
- Select the Settings tab. Your agents are listed in the Agent Monitors section.
- Click Add Agent.
- Run the installer as described in Install and configure the Okta Active Directory (AD) agent.
AD Agent Request Handling
Each agent connects to the Okta service independently. When the service needs to communicate with AD (for example, to authenticate a user), it picks one of the available agents and sends it a task to complete. If an agent becomes unavailable, it is automatically removed from the pool and is not given additional tasks.
Agents send periodic messages to the service. If the service does not receive a message from an agent for 120 seconds, that agent is marked as unavailable. After 30 days of inactivity, the API token assigned to the agent during installation expires and you must reinstall the agent.
Domain Controller Selection
The AD agent relies on the underlying operating system of the server it runs on to select which domain controller to communicate with. The agent has no setting of its own for this; the choice is made by the Windows DC locator, based on the server's site membership.
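Because the agent defers to the OS, the domain controller it will use is whatever the DC locator on the agent server returns. The following PowerShell, an added example rather than code from Okta or this page, shows that selection from the agent server and cross-checks it with nltest. It assumes only that it is run on the domain-joined server hosting the agent.

```powershell
# Added example (not Okta code): show which domain controller this host's OS
# currently resolves to. The Okta AD agent does not pick a DC itself, so the
# DC reported here is the one the agent will talk to. Run on the agent server.
Add-Type -AssemblyName System.DirectoryServices

function Get-AgentHostDomainController {
    # Domain of the computer account, then the DC the site-aware locator prefers
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
    $dc     = $domain.FindDomainController()
    [pscustomobject]@{
        Domain      = $domain.Name
        Controller  = $dc.Name
        Site        = $dc.SiteName
        IPAddress   = $dc.IPAddress
        # LOGONSERVER is the DC that authenticated the current interactive session;
        # it can differ from the DC the service will be handed.
        LogonServer = $env:LOGONSERVER
    }
}

$selection = Get-AgentHostDomainController
$selection | Format-List

# Second opinion straight from the DC locator, forcing rediscovery instead of
# returning the cached answer. Output includes the DC name and site.
nltest /dsgetdc:$($selection.Domain) /force
```

If the reported site is not the one you expect, the fix is in AD Sites and Services (subnet-to-site mapping for the agent server's address), not in the agent. Running this on each agent server is a quick way to confirm that multiple agents are not all being steered to the same DC.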
Change the AD Agent User
- Sign in to the server running the AD Agent.
- From the Start menu, open Run, then enter services.msc.
- Locate the Okta AD Agent Service.
- Right click the Okta AD Agent Service and select Properties.
- Select the Log On tab and change the account credentials.
- Restart the service and verify that the agent displays as green in your Okta org.
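The same change can be scripted on the agent server, which is useful when the logon account must be rotated on several agents at once. The following PowerShell is an added example and is not Okta's code. It assumes the service's display name is Okta AD Agent Service, as shown in services.msc, and uses a hypothetical account CORP\svc-okta-agent; the password is prompted for rather than embedded in the script.

```powershell
# Added example (not Okta code): change the logon account of the Okta AD Agent
# service, restart it, and confirm it is running under the new account.
# Run in an elevated session on the server hosting the agent.
# Assumptions: display name 'Okta AD Agent Service'; CORP\svc-okta-agent is a
# hypothetical account that already has the AD permissions the agent needs.
param(
    [string]$DisplayName = 'Okta AD Agent Service',
    [string]$Account     = 'CORP\svc-okta-agent'
)

$service = Get-Service -DisplayName $DisplayName -ErrorAction Stop
$cred    = Get-Credential -UserName $Account -Message "Password for $Account"

# Win32_Service.Change updates only the logon identity; other settings are untouched.
$instance = Get-CimInstance Win32_Service -Filter "Name='$($service.Name)'"
$result   = Invoke-CimMethod -InputObject $instance -MethodName Change -Arguments @{
    StartName     = $cred.UserName
    StartPassword = $cred.GetNetworkCredential().Password
}
# Return codes worth recognising: 0 = success, 22 = invalid service account,
# 15 = service logon failed (usually the account lacks 'Log on as a service').
if ($result.ReturnValue -ne 0) {
    throw "Changing the logon account failed with Win32_Service return code $($result.ReturnValue)"
}

Restart-Service -Name $service.Name -Force
Start-Sleep -Seconds 5   # give the agent a moment to come up before checking

$after = Get-CimInstance Win32_Service -Filter "Name='$($service.Name)'"
[pscustomobject]@{
    Service = $service.DisplayName
    State   = $after.State      # expect 'Running'
    LogOnAs = $after.StartName  # expect the new account
}
```

Unlike the Log On tab in services.msc, which grants the account the Log on as a service right automatically, changing the account through Win32_Service.Change does not, so if the restart fails with a logon error, grant that right (Local Security Policy > User Rights Assignment) and restart again. After the service reports Running, still check the Agent Monitors section in the Okta Admin Console: a service that starts but cannot bind to AD with the new account will not turn green there.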