Integration with existing Active Directory forests and domains
When planning your Active Directory (AD) integration, review your existing AD implementation and answer these questions:
- How many domains do you have?
- What kind of trusts are in place?
- What forests do you have?
- Which organizational units (OUs) do you plan to import into Okta?
- Are there users or resources in those OUs that you don't need to import into Okta?
The Okta AD agent supports communication across domains, but not across forests.
An Okta AD agent must be installed in each forest, and in each domain of a forest where there are users you intend to import into Okta. While it is possible to register multiple domains to a single agent, all of those domains are affected if the agent becomes unavailable.
It isn't a requirement to install an Okta AD agent in a resource forest because there are typically no users in the forest, just network resources.
Installing the Okta AD agent requires an AD service account. The service account must have permission to read and access users in every domain of the forest to which the agent connects. For details about the service accounts that are required to install the agent, refer to Active Directory integration prerequisites.
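The following PowerShell script is an added example (not Okta's code) that gathers the answers to the planning questions above (forest, domain count, trusts, and which OUs actually contain users) and then checks whether the agent's service account can read users in each domain. It assumes the RSAT ActiveDirectory module on a domain-joined host; the service account name is a placeholder.

```powershell
# Added example, not part of Okta's documentation or agent.
# Assumes the RSAT ActiveDirectory module and a domain-joined host.
Import-Module ActiveDirectory

# Placeholder assumption: replace with the service account the Okta AD agent will use.
$ServiceAccount = 'CORP\svc-okta-ad'
$cred = Get-Credential -UserName $ServiceAccount -Message 'Okta AD agent service account'

# What forest is this, and how many domains does it contain?
$forest = Get-ADForest
Write-Host "Forest: $($forest.Name) (root domain: $($forest.RootDomain))"
Write-Host "Domains in this forest: $($forest.Domains.Count)"

# What kind of trusts are in place? Cross-forest trusts matter because the
# Okta AD agent spans domains within a forest but not forests.
Write-Host "`nTrusts:"
Get-ADTrust -Filter * |
    Select-Object Name, Direction, ForestTransitive, IntraForest |
    Format-Table -AutoSize | Out-Host

foreach ($domain in $forest.Domains) {
    Write-Host "`nDomain: $domain"

    # Which OUs hold users, and how many? OUs with zero users are typically
    # resource-only OUs you don't need to import into Okta.
    Get-ADOrganizationalUnit -Server $domain -Filter * | ForEach-Object {
        $users = @(Get-ADUser -Server $domain -Filter * `
                       -SearchBase $_.DistinguishedName -SearchScope OneLevel)
        [pscustomobject]@{ OU = $_.DistinguishedName; Users = $users.Count }
    } | Where-Object { $_.Users -gt 0 } | Format-Table -AutoSize | Out-Host

    # Can the agent's service account read users here? Querying under its
    # credential fails if the account lacks read permission in this domain.
    try {
        $null = Get-ADUser -Server $domain -Credential $cred -Filter * -ResultSetSize 1
        Write-Host "  OK: $ServiceAccount can read users in $domain"
    } catch {
        Write-Warning "  $ServiceAccount cannot read users in ${domain}: $($_.Exception.Message)"
    }
}
```

Run it once per forest; a warning for any domain means the service account needs additional read permissions before the agent is installed.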