This topic provides the prerequisites for Active Directory (AD) integrations.
Hardware

To install the Okta AD Agent, one or more Windows servers are required. These servers are called host servers. They must be on at all times and have a continuous connection to the internet so that they can communicate with Okta.
Operating system and software

Download and install the latest version of the Okta AD Agent on your host servers to make sure that you have the most current features and functionality and get optimum performance. If you are running multiple Okta AD Agents, make sure they are all the same version. Running different versions within a domain can cause all agents in that domain to function at the level of the oldest agent. This does not affect other domains.
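The version-consistency rule above is easy to check before a domain quietly drops to the oldest agent's feature level. The following PowerShell is an added example, not Okta's own tooling: it assumes WinRM is reachable on the host servers (the names adagent01 and adagent02 are constructed placeholders) and that the agent registers in the standard Uninstall registry key with a DisplayName beginning "Okta AD Agent"; adjust $DisplayNamePattern if your entry is named differently.

```powershell
# Added example (not Okta's own code): report the installed Okta AD Agent
# version on each host server and warn when the versions differ.
# Assumptions: WinRM is enabled on the hosts, and the agent's uninstall
# entry has a DisplayName starting with "Okta AD Agent".

$HostServers        = @('adagent01', 'adagent02')   # constructed names; replace with your hosts
$DisplayNamePattern = 'Okta AD Agent*'              # assumption about the registry DisplayName

$results = Invoke-Command -ComputerName $HostServers -ScriptBlock {
    param($pattern)
    # Both the 64-bit and the 32-bit (WOW6432Node) uninstall hives are searched.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $pattern } |
        Select-Object -First 1 -Property DisplayName, DisplayVersion
} -ArgumentList $DisplayNamePattern

# One row per host; hosts where no matching entry was found are reported explicitly.
$report = foreach ($h in $HostServers) {
    $r = $results | Where-Object { $_.PSComputerName -eq $h }
    [pscustomobject]@{
        Host    = $h
        Version = if ($r) { $r.DisplayVersion } else { '<not found>' }
    }
}
$report | Format-Table -AutoSize

# Flag the mixed-version condition the topic warns about.
$versions = $report.Version | Where-Object { $_ -ne '<not found>' } | Sort-Object -Unique
if ($versions.Count -gt 1) {
    Write-Warning "Mixed agent versions in this domain: $($versions -join ', '). Upgrade every agent to the newest version."
} elseif ($versions.Count -eq 1) {
    Write-Host "All discovered agents run version $($versions[0])."
}
```

Run it from a workstation with remoting rights on the host servers; a host that reports `<not found>` either has no agent installed or an uninstall entry that does not match the pattern.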
You also need to determine:
Required accounts
Create an Okta admin account

For installation, you need an Okta account, not an AD account, to connect the AD agent to Okta. To create this account, you must be a super admin. Okta recommends that you use a dedicated Okta admin account for the AD agent. If you use an individual's super admin account to install and run the AD agent, and that individual later has their admin privileges lowered, revoked, or deactivated, the Okta AD integration stops working. If this occurs, you need to uninstall the existing AD agent and reinstall it with a new super admin account to reconnect Okta to AD.
Okta recommends that the Okta AD Agent admin accounts are Okta-sourced rather than AD-sourced. This does not affect existing AD-sourced administrators. It is recommended that you disconnect your admins from AD (select Directory > People > More Actions > Disconnect from AD, select the admin users who you want to disconnect, and then click Disconnect Selected).

AD service account to run the Okta AD Agent installer

Okta recommends that you use the same AD service account to install all of your agents. During agent installation, you are asked whether you want the installer to create the Okta service account. You need one of the following, based on your choice:
Okta service account to run the Okta AD Agent service

The Okta service account can be created by the installer. By default it is called OktaService. If you choose to use an existing domain user account, be sure to set the account password to never expire. Managed service accounts are supported by Okta AD Agent version 3.6.0 and later. During installation, you are asked if you want to let the installer create the Okta service account. To do so, you must have the following permissions:
With either option, the installer grants "Log on as a service" to the domain user you select.

Okta service account permissions

The AD agent runs under the Okta account you specified (either the OktaService account the installer creates or the domain user you selected during the agent install). Depending on the configuration of your integration, the agent performs the following actions:
Configure delegation for the Okta service account

On your Windows server, configure delegation to the Okta service account in your AD domain according to your needs.
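The service-account requirements above (an enabled domain account whose password never expires, holding the "Log on as a service" right on the host) are worth verifying before the agent is installed or after a password-policy change. The PowerShell below is an added example, not Okta's installer logic: it assumes the RSAT ActiveDirectory module is present, that it runs elevated on the host server, and that the account uses the installer's default name OktaService (change $ServiceAccount if you chose an existing domain user).

```powershell
# Added example (not Okta's own code): check the Okta AD Agent service
# account against the prerequisites in this topic and fix the one setting
# the topic calls out explicitly (password never expires).
# Assumptions: RSAT ActiveDirectory module installed; run elevated on the
# host server; account name OktaService (the installer's default).

Import-Module ActiveDirectory
$ServiceAccount = 'OktaService'

try {
    $acct = Get-ADUser -Identity $ServiceAccount `
        -Properties Enabled, LockedOut, PasswordNeverExpires, PasswordExpired -ErrorAction Stop
} catch {
    throw "Account '$ServiceAccount' was not found in the domain: $($_.Exception.Message)"
}

$checks = [ordered]@{
    'Account enabled'        = [bool]$acct.Enabled
    'Not locked out'         = -not $acct.LockedOut
    'Password never expires' = [bool]$acct.PasswordNeverExpires
    'Password not expired'   = -not $acct.PasswordExpired
}

# "Log on as a service" is a local user right on the host; export the local
# policy and look for the account's SID (listed with a leading *) or name.
$cfg = Join-Path $env:TEMP 'secpol-userrights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -like 'SeServiceLogonRight*' }
Remove-Item $cfg -ErrorAction SilentlyContinue
$hasRight = [bool]($line -and (
    $line -match [regex]::Escape($acct.SID.Value) -or
    $line -match [regex]::Escape($acct.SamAccountName)))
$checks['Log on as a service (this host)'] = $hasRight

foreach ($c in $checks.GetEnumerator()) {
    '{0,-34} {1}' -f $c.Key, $(if ($c.Value) { 'OK' } else { 'FAIL' })
}

# Remediation for the expiry setting; the other failures need an admin decision.
if (-not $acct.PasswordNeverExpires) {
    Set-ADUser -Identity $ServiceAccount -PasswordNeverExpires $true
    Write-Host "Set PasswordNeverExpires on $ServiceAccount."
}
```

The logon-right check reads the local policy of the machine the script runs on, so run it on each host server rather than on a domain controller; a missing right there is what the installer normally grants during setup.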
What is installed with the AD DS server role?

AD DS provides a distributed database that stores and manages information about network resources and application-specific data from directory-enabled applications. A server that is running AD DS is called a domain controller.
What are the services provided in AD DS?

Active Directory Domain Services (AD DS) are the core functions in Active Directory that manage users and computers and allow sysadmins to organize the data into logical hierarchies. AD DS provides for security certificates, Single Sign-On (SSO), LDAP, and rights management.
What are the requirements for Active Directory installation?

What are the requirements for installing AD on a new server?
- Preinstalled Windows Server 2008 or Windows Server 2008 R2.
- Administrative rights on the server.
- Domain Name System (DNS) infrastructure is in place.
- ...
- A NIC.
- Properly configured TCP/IP (IP address, subnet mask and, optionally, a default gateway).

What services are required for Active Directory?

For Active Directory to function correctly, several services must be operational. Those services include the File Replication Service (FRS), the Intersite Messaging Service (IsmServ), the Kerberos Key Distribution Center (KDC), the NetLogon service (NetLogon), and the Windows Time (W32Time) service.
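A quick way to confirm the service list above on a domain controller is to query the services by their Windows short names. The PowerShell below is an added example, not part of the source answer; it runs locally on the domain controller being checked. One caveat a practitioner should know: the FRS service (NtFrs) exists only on domains that still replicate SYSVOL with FRS; a domain that has migrated SYSVOL to DFS Replication runs the DFSR service instead, so the check accepts either for that role.

```powershell
# Added example (not from the source answer): verify that the AD DS services
# the answer lists are running on this domain controller. Service names are
# Windows short names; NtFrs or DFSR satisfies the SYSVOL replication role
# depending on whether the domain has migrated from FRS to DFS Replication.

$required = [ordered]@{
    'Kerberos Key Distribution Center' = @('Kdc')
    'Net Logon'                        = @('Netlogon')
    'Intersite Messaging'              = @('IsmServ')
    'Windows Time'                     = @('W32Time')
    'SYSVOL replication (FRS or DFSR)' = @('NtFrs', 'DFSR')
}

function Test-AdDsServices {
    foreach ($entry in $required.GetEnumerator()) {
        # Any running service from the candidate list satisfies the role.
        $svc = Get-Service -Name $entry.Value -ErrorAction SilentlyContinue |
               Where-Object { $_.Status -eq 'Running' } |
               Select-Object -First 1
        [pscustomobject]@{
            Role    = $entry.Key
            Service = if ($svc) { $svc.Name } else { '-' }
            Status  = if ($svc) { 'Running' } else { 'MISSING/STOPPED' }
        }
    }
}

$report = Test-AdDsServices
$report | Format-Table -AutoSize

if ($report.Status -contains 'MISSING/STOPPED') {
    Write-Warning 'One or more AD DS services are not running on this domain controller.'
} else {
    Write-Host 'All required AD DS services are running.'
}
```

Run it in an elevated session on each domain controller the Okta AD Agent will talk to; a stopped Kdc or Netlogon in particular will surface as authentication failures at the agent rather than as an obvious service error.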