Integration with existing Active Directory forests and domains

When planning your Active Directory (AD) integration, review your existing AD implementation and answer these questions:

  • How many domains do you have?
  • What kind of trusts are in place?
  • What forests do you have?
  • Which OUs do you plan to import into Okta? 
  • Are there users or resources in those OUs that you do not need to import into Okta?
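The questions above can be answered from the forest itself. The following is an added example (not from the Okta documentation) that inventories one forest with the RSAT ActiveDirectory module: its domains, the trusts each domain has, and a per-OU user count so you can see which OUs hold users worth importing and which hold none. Run it once per forest, since an Okta AD agent covers a single forest; the `-Identity` forest name and the account used to run it are assumptions.

```powershell
# Added example: inventory forest, domains, trusts and OUs for Okta AD integration planning.
# Assumes the ActiveDirectory module is installed and the running account can read the forest.
Import-Module ActiveDirectory

# Pass -Identity "other.forest.example" (assumption) to inventory a trusted second forest.
$forest = Get-ADForest
"Forest: $($forest.Name)  (root domain: $($forest.RootDomain))"
"Domains in this forest: $($forest.Domains -join ', ')"

foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    "`nDomain: $($domain.DNSRoot)  NetBIOS: $($domain.NetBIOSName)  Parent: $($domain.ParentDomain)"

    # Trusts: IntraForest distinguishes parent/child trusts from external and forest trusts,
    # Direction shows whether this domain trusts, is trusted by, or both.
    "Trusts:"
    Get-ADTrust -Filter * -Server $domain.DNSRoot |
        Select-Object Name, Direction, IntraForest, ForestTransitive, TrustType |
        Format-Table -AutoSize

    # OUs with a direct user count. OUs with zero users (computers, groups, service
    # accounts only) are candidates to leave out of the Okta import scope.
    "OUs and direct user counts:"
    Get-ADOrganizationalUnit -Filter * -Server $domain.DNSRoot |
        ForEach-Object {
            $count = (Get-ADUser -Filter * -SearchBase $_.DistinguishedName `
                        -SearchScope OneLevel -Server $domain.DNSRoot | Measure-Object).Count
            [pscustomobject]@{ OU = $_.DistinguishedName; Users = $count }
        } |
        Sort-Object Users -Descending |
        Format-Table -AutoSize
}
```

The user count uses `-SearchScope OneLevel`, so nested OUs are counted separately rather than rolled up into their parent; that matches how you choose OUs individually for import. Any trust listed with `IntraForest` equal to `False` points at a separate forest, which needs its own agent.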

The Okta AD agent supports communication across domains, but not across forests.

An Okta AD agent must be installed in each forest, and in each domain in a forest where there are users you intend to import into Okta. While it is possible to register multiple domains to a single agent, be aware that if the agent becomes unavailable, all domains registered to it are affected.

Okta AD agents do not need to be installed in resource forests because there are typically no users in the forest, just network resources.

Installing the Okta AD agent requires the use of an AD service account. The service account must have permission to read users in every domain to which the agent connects, across the whole forest the agent serves. For details about the service accounts required to install the agent, see Active Directory integration prerequisites.
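Before installing the agent, it is worth confirming that the service account can actually read users in every domain of the forest, since a domain the account cannot bind to will silently produce no imports. The following is an added example (not Okta's own tooling): it prompts for the service account credential, binds to each domain in the forest as that account, reads one user, and reports success or the failure message per domain. The credential prompt text and the one-user probe are assumptions.

```powershell
# Added example: verify the Okta AD agent service account can read users in each domain.
# Assumes the ActiveDirectory module is installed and the forest is reachable from this host.
Import-Module ActiveDirectory

# Prompt for the service account rather than embedding a password in the script.
$cred = Get-Credential -Message "Okta AD agent service account (DOMAIN\user)"

$forest = Get-ADForest
$results = foreach ($domainName in $forest.Domains) {
    try {
        # -Server accepts the DNS domain name; AD picks a domain controller for that domain.
        # -ResultSetSize 1 keeps the probe cheap: one user proves the account can read users.
        $user = Get-ADUser -Filter * -ResultSetSize 1 -Server $domainName -Credential $cred
        if ($user) {
            [pscustomobject]@{ Domain = $domainName; Status = 'OK';   Detail = "read $($user.SamAccountName)" }
        } else {
            [pscustomobject]@{ Domain = $domainName; Status = 'WARN'; Detail = 'bind succeeded but no users returned' }
        }
    } catch {
        # Access denied, no trust path, or an unreachable domain all land here.
        [pscustomobject]@{ Domain = $domainName; Status = 'FAIL'; Detail = $_.Exception.Message }
    }
}

$results | Format-Table -AutoSize

# Least-privilege check: the agent only needs read access, so membership in highly
# privileged groups on the service account is a finding, not a requirement.
Get-ADPrincipalGroupMembership -Identity $cred.UserName.Split('\')[-1] |
    Select-Object -ExpandProperty Name
```

A `FAIL` row for one domain while the others read `OK` usually means the account's read permissions were granted in the agent's home domain only; fix the permissions in that domain rather than registering fewer domains to the agent. The group membership listing at the end lets you confirm the account holds no more than the read rights the agent needs.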