Plan for high availability and disaster recovery

The unique requirements of your org determine how you implement high availability and disaster recovery processes. These guidelines are intended to help you determine what options are available.

The Okta AD agent doesn't perform load balancing. Traffic is directed to the first available agent.

To get started, you'll need to answer the following questions:

  • Who owns your organization's disaster recovery or high availability processes and who needs to be consulted?
  • How many data centers do you have?
    • How are they used? That is, which ones are live (hot) all the time and which ones are backups (cold)?
    • What kind of failover do you want to plan for? You can have agent redundancy, in the event an individual agent fails. Or you can plan for the failure of an entire data center (that is, all agents in that data center).
    • Are the AD domain controllers live all the time?
    • Are they actively replicated to?
    • Is there a significant latency in replication between the data centers? This can cause replication problems.

Use case

A use case is often the best way to demonstrate how high availability and a good disaster recovery plan can help your organization get the best out of its AD integration. In this use case, Example Corp has three data centers:

  • A physical data center in Atlanta that is always available.
  • An Amazon AWS data center that is always available.
  • A cold backup data center that is used for disaster recovery if the two live data centers are unavailable.

With the integration, it doesn't matter whether the data centers are physical or virtual instances. They're assigned the same significance.

If the Atlanta and AWS data centers are always available, and each instance has one or more Okta AD Agents installed, then traffic is routed to the active agents, regardless of their location.

Any Okta AD agent installed on the cold data center servers is listed as inactive in the Okta Admin Console. After 30 days of inactivity, the assigned API tokens expire. If Example Corp needs to route traffic to their cold backup data center, they'll need to reinstall the Okta AD Agents. For this reason, Okta recommends that Example Corp install the Okta AD Agents on their cold data center servers when they're needed.

To determine the number of agents Example Corp should install in each data center, they'll need to consider what their fault tolerance is and what high availability or disaster recovery scenarios they want to prepare for:

  • The Atlanta data center experiences full failure, traffic moves to the Amazon AWS data center. If Amazon AWS fails, traffic moves to the cold data center.
  • If either Atlanta or Amazon AWS fail, the cold data center is brought online.

Answering these questions can help you determine a strategy for your AD integration:

  • What is your risk tolerance?
  • Are you planning for individual agents, the machines they're installed on, or entire data centers to be unavailable?
  • How do the Okta recommendations fit with your existing high availability or disaster recovery procedures?