Optimize the AD integration

OCA Study Notes — Optimize the AD Integration


1. AD Integration Architecture Basics

Okta AD Agent:

  • Supports cross-domain communication

  • Does NOT support cross-forest communication
    You must install an Okta AD Agent in every domain that contains users you want to import.


2. High Availability (HA)

General HA Best Practices

  • Install the Okta AD agent on multiple host servers per domain.

  • If one agent fails → another continues handling provisioning & delegated auth.

  • Never install agents on domain controllers.
    Use a member server with line-of-sight to the DC.

  • Server Core installation is preferred (minimal attack surface).

Recommended Number of Agents (per domain)

  Users in Domain      Recommended # of Agents
  -------------------  -------------------------
  < 30,000 users       2 agents
  > 30,000 users       At least 3 agents
  > 100,000 users      Work with Okta for tuning

Health Detection

  • Agent is marked unavailable after 120 seconds of missed heartbeat.

Location of Agents

  • Placing agents geographically near users does NOT improve performance (agents talk to Okta, not users directly).


3. Agent Performance Tuning

The AD agent has a config file:

OktaAgentService.exe.config

Located in the agent installation directory.

PollingThreads Setting

  • Controls number of concurrent requests between Okta and the agent.

  • Valid range: 1–10

  • Default: 2

Steps to Modify Polling Threads

  1. Open the configuration file

  2. Edit the PollingThreads value

  3. Restart agent via AD Agent Manager

  4. Open Logs/Agent.log to verify new thread count

Only modify performance parameters if you fully understand the scaling implications.
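The four steps above as one PowerShell script (an added example, not Okta's own tooling). The install directory, the Windows service name, the <appSettings> layout of the .exe.config and the wording of the log line are assumptions; confirm them on your host before relying on the script.

```powershell
# Added example: change PollingThreads on one Okta AD Agent host, restart it, confirm in Agent.log.
# With several agents per domain (see the HA section), change one host at a time so the others keep serving.
param(
    [Parameter(Mandatory)] [ValidateRange(1, 10)] [int] $PollingThreads,  # documented valid range is 1-10
    [string] $InstallDir  = 'C:\Program Files (x86)\Okta\Okta AD Agent',    # ASSUMED default install directory
    [string] $ServiceName = 'OktaADAgent'                                  # ASSUMED service name; check Get-Service
)

$configPath = Join-Path $InstallDir 'OktaAgentService.exe.config'
$logPath    = Join-Path $InstallDir 'Logs\Agent.log'

# Step 1: open the config. Back it up first so the change can be rolled back.
Copy-Item -Path $configPath -Destination "$configPath.bak-$(Get-Date -Format 'yyyyMMddHHmmss')"
[xml] $config = Get-Content -Path $configPath -Raw

# Step 2: edit the PollingThreads value. ASSUMPTION: the key lives under <appSettings> as
# <add key="PollingThreads" value="2" />, the usual .NET app.config layout.
$node = $config.SelectSingleNode("//appSettings/add[@key='PollingThreads']")
if (-not $node) { throw "PollingThreads key not found in $configPath" }
Write-Host "PollingThreads: $($node.value) -> $PollingThreads"
$node.SetAttribute('value', "$PollingThreads")
$config.Save($configPath)

# Step 3: restart the agent so the new value is read. The notes do this through the
# AD Agent Manager; Restart-Service is the scripted equivalent.
Restart-Service -Name $ServiceName
Start-Sleep -Seconds 15

# Step 4: verify in Logs/Agent.log. The exact log wording is assumed, so match loosely
# and show the newest hits for a human to read.
Get-Content -Path $logPath -Tail 200 |
    Select-String -Pattern 'PollingThreads|thread' |
    Select-Object -Last 5
```

Run it from an elevated PowerShell session on the agent host, e.g. .\Set-OktaAgentPollingThreads.ps1 -PollingThreads 4.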


4. Agent Security Considerations

Okta Service Account Requirements

This is the AD domain user account that runs the AD Agent service.

  • Member of Domain Users

  • Password never expires

  • Should NOT exist in Okta

  • Should NOT be used by any other service

  • Deny interactive login

  • Least privilege principle applies

Permissions Needed

  Use Case                                   Required Permissions
  -----------------------------------------  --------------------------------------------------
  Delegated authentication only              Read-only permissions
  Import / JIT creation                      Read-only
  Provisioning from Okta → AD (write-back)   Write permissions to specific AD objects
  Full write operations                      Use granular write permissions (not Domain Admin!)

NEVER add the Okta service account to Domain Admins (not recommended by Okta).


5. Host Server Hardening (Security Hardening)

Best practices:

  • Remove unnecessary services.

  • Disable LM, NTLM & NTLMv2 authentication acceptance.

  • Restrict network access:
    ➜ Only DCs + jump host + Okta Privileged Access should reach the server.

  • Use Okta Privileged Access and a phishing-resistant factor for admin logins.

  • Include AD Agent service in patch management.


6. Summary

Optimizing AD Integration involves:

  • Ensuring HA (multiple agents per domain)

  • Tuning performance cautiously

  • Hardening security around:

    • Service accounts

    • Host servers

    • Least privilege

  • Maintaining consistent versioning across agents

  • Understanding when write-back permissions are required