Update the Okta Active Directory (AD) agent

Important: To ensure that you have up-to-date functionality and get optimum performance from your Okta AD agent(s), we strongly recommend that you download and install the latest version of the agent on your designated domain server(s). If you are running multiple Okta AD agents, make sure that all of them are the same version. Running different versions within a domain can cause all agents in that domain to function at the level of the oldest agent. This does not affect other domains.

When you uninstall and reinstall your Okta AD agent, you must decide whether you also want to remove the old Okta API token from your system. If you are performing an upgrade, you are not required to remove the old token. To remove the API token, you must delete the Okta AD agent folder and deactivate and remove your old agent.

Note: To avoid downtime if you intend to continue using an AD agent, you must have at least two agents running before you uninstall one of them. For more information, see Install multiple Okta Active Directory (AD) agents.

To configure high availability, you can install additional AD agents on separate servers or virtual machines. We recommend setting up two or more AD agents per domain.

Note: Installing multiple agents in close geographical proximity to your users does not enhance performance. When you have multiple agents installed, the process randomly selects which agent it uses, so user location is not a factor. In addition, setting up large numbers of agents in this manner can cause problems when the system attempts to perform status checks on their performance.

Setting up a second AD agent follows the same steps as setting up your first agent. If you created the Okta service account with the first AD agent, then you are prompted to enter your password during the second agent installation.

To install additional AD agents on a domain

  1. Select Directory > Directory Integrations.
  2. Click Active Directory.
  3. Select the Settings tab. Your agents are listed in the Agent Monitors section.
  4. Click Add Agent.
  5. Run the installer as described in Install and configure the Okta Active Directory (AD) agent.

You can check the status console in the Admin app to make sure that the second agent was installed. A green circle next to the agent name indicates the agent is connected and healthy.

AD Agent Request Handling

Each agent connects to the Okta service independently. When the service needs to communicate with AD (for example, to authenticate a user), it picks one of the available agents and sends it a task to complete. If one of the agents becomes unavailable, it is automatically removed from the queue and not given additional tasks.

Agent Availability

Agents send periodic messages to the service. If the service does not receive a message from an agent for 120 seconds, the agent is marked as unavailable. After 30 days of inactivity, the API token that was assigned during the agent install will expire and you will need to re-install the agent.

Domain Controller Selection

The AD agent relies on the underlying operating system to select which domain controller to communicate with.

Change the AD Agent User

  1. Sign in to the server running the AD Agent.
  2. From the Start menu, type run, then type services.msc.
  3. Locate the Okta AD Agent Service.
  4. Right-click the Okta AD Agent Service and select Properties.
  5. Select the Log On tab and change the account credentials.
  6. Restart the service and verify that the agent displays as green in your Okta org.

Upgrade in place

It is possible to upgrade the agent without having to uninstall it. The agent installer will automatically upgrade an existing agent.

Uninstall the Okta AD agent

  1. In Windows, select Start > Control Panel > Programs > Programs and Features.
  2. Select the Okta AD Agent, and then select Uninstall.
  3. Uninstalling your AD agent leaves the agent configuration data on your hard drive.
    • To remove the configuration data, on the agent server, go to C:\Program Files (x86)\Okta and delete the Okta AD Agent folder. Deleting this folder removes the agent configuration data and the API Token from your hard drive. The API token for the server is still valid in Okta so it is important to remove the configuration data.
    • Revoke the API token by going to the agent monitor in Okta. Deactivate and remove the uninstalled agent, which will remove the API token.
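
The following PowerShell check is an added example, not Okta tooling: run on an agent server, it reports the installed agent version (for comparing versions across agents) and flags the case described above, where the agent is uninstalled but the configuration folder holding the API token is still on disk. The folder path and the names come from this page; matching the registry DisplayName and the service display name with `Okta AD Agent*` is an assumption.

```powershell
# Added example: audit the local server for Okta AD agent state.
# The path and the "Okta AD Agent" names are taken from this page; the
# 'Okta AD Agent*' match against registry/service names is an assumption.
function Get-OktaAdAgentState {
    [CmdletBinding()]
    param(
        [string]$ConfigPath = 'C:\Program Files (x86)\Okta\Okta AD Agent'
    )

    # Installed programs are registered under the Uninstall keys
    # (native and 32-bit-on-64-bit views).
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Okta AD Agent*' } |
        Select-Object -First 1

    $service = Get-Service -DisplayName 'Okta AD Agent*' -ErrorAction SilentlyContinue |
        Select-Object -First 1

    $folderPresent = Test-Path -LiteralPath $ConfigPath -PathType Container

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        Installed      = [bool]$installed
        Version        = if ($installed) { $installed.DisplayVersion } else { $null }
        ServiceStatus  = if ($service) { $service.Status.ToString() } else { 'NotPresent' }
        ConfigPath     = $ConfigPath
        ConfigFolder   = $folderPresent
        # Uninstalled, but the folder that stores the API token is still on disk.
        LeftoverConfig = (-not $installed) -and $folderPresent
    }
}

$state = Get-OktaAdAgentState
$state | Format-List

if ($state.LeftoverConfig) {
    Write-Warning ("Agent is uninstalled but '{0}' still exists. Delete the folder, " +
        "then deactivate and remove the agent in Okta to revoke its API token." -f $state.ConfigPath)
}
```

Run it on each agent server in a domain and compare the Version values; they should all match.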

Reinstall the Okta AD agent

Installing the AD agent does not overwrite the configuration data in the Okta AD Agent folder. If you want to reinstall and create a new API token, make sure you delete the Okta AD Agent folder (as described above) before you reinstall the AD agent. Then perform the following steps to reinstall your AD agent and deactivate and remove the old AD agent in Okta:

  1. Perform the AD agent installation procedure described in STEP 1: Install the Active Directory agent on the host server.
  2. Select Directory > Directory Integrations.
  3. Click Active Directory.
  4. In the Settings tab, your agents are listed in the Agent Monitors section. Confirm that your reinstalled AD agent is connected to Okta and appears in the list. You should always make sure to have at least one AD agent online.

If you are performing an upgrade or reinstall and you do not want to revoke the Okta API token of the old AD agent, you are finished. Otherwise, proceed to the next step.

  1. Under Agent Monitors, select the Deactivate link for the old AD agent and then click Ok to confirm. Deactivating the agent revokes its API token.
  2. Click the Remove link for the old AD agent and then click Ok to confirm.