Service Now

Domain controllers and Okta AD Authentication

Is there documentation for me to determine what domain controller Okta leverages to authenticate users through AD?
William Gregorian
You would determine that when installing the Okta AD Agent on the remote domain controller(s).
Service Now
The Okta AD agent isn't installed on domain controllers, per Okta recommendation. They are installed on separate VMs. I went through my screenshots of the install, and didn't see where I gave the agent a DC name, just the name of the domain. Anyone else have any thoughts? I tried turning verbose logging on the AD Agent but didn't see the info I was looking for.
Srinivasa Gayam - ADM
They find the nearest DC using the DC locator process.
Okta Admin
The host server on which the Okta AD agent is installed must be a member of the same Windows domain of which your Active Directory users are members. During installation the setup will detect the domain name and integrate with that AD. During Del Auth the same AD domain is used for authenticating users.
Service Now
Does anyone know how I verify which DC was leveraged for authentication?
Okta Admin
I don't believe there is a log that directly tells you that. If you are looking for a specific case for a user, you would probably have to take your Okta AD agent log, find the entry for that time and user and then compare with your DC logs for user login, then that could tell you which they used. It's a lot of manual work. I don't see anywhere in any logs that tells you directly though.
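One way to script the comparison described in the reply above, as an added example that is not part of the thread and not Okta tooling: take the user and timestamp from the agent log entry and search every DC's Security log around that time. The host name, IP address, user and timestamp are constructed placeholders, and the script assumes the RSAT ActiveDirectory module, logon auditing enabled on the DCs, and read access to their Security logs.

```powershell
# Added example. Assumptions: RSAT ActiveDirectory module is installed, logon
# auditing is enabled on the DCs, and the caller may read their Security logs.
# All values below are constructed placeholders, not taken from the thread.
Import-Module ActiveDirectory

$AgentHost = 'OKTA-AGENT01'                  # server running the Okta AD agent
$AgentIp   = '10.0.0.25'                     # its IP address
$User      = 'jdoe'                          # user name from the agent log entry
$When      = Get-Date '2024-01-15 09:30:00'  # timestamp of that agent log entry
$Window    = New-TimeSpan -Minutes 2         # tolerance for clock skew

# 4624/4625 logon success/failure, 4768/4771 Kerberos TGT request/pre-auth
# failure, 4776 NTLM credential validation. Which of these appear depends on
# how the authentication reaches the DC in your environment.
$filter = @{
    LogName   = 'Security'
    Id        = 4624, 4625, 4768, 4771, 4776
    StartTime = $When - $Window
    EndTime   = $When + $Window
}
$userRx  = [regex]::Escape($User)
$agentRx = '{0}|{1}' -f [regex]::Escape($AgentHost), [regex]::Escape($AgentIp)

$hits = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction Stop |
            Where-Object { $_.Message -match $userRx } |
            Select-Object @{n = 'DC'; e = { $dc.HostName } }, TimeCreated, Id,
                @{n = 'FromAgent'; e = { $_.Message -match $agentRx } }
    }
    catch {
        # An empty result is normal for most DCs; report only real failures.
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
            Write-Warning "$($dc.HostName): $($_.Exception.Message)"
        }
    }
}

# DCs with FromAgent = True near the timestamp are the candidates to confirm.
$hits | Sort-Object TimeCreated | Format-Table -AutoSize
```

On the agent host itself, `nltest /dsgetdc:<domain>` shows the DC that the DC locator currently returns for that machine, which is a starting hint only and not a record of a past authentication.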
Jeff Swift
What is the behavior after you manually stop the Okta agent on the server for a DR test? When you bring the service back up does it resume being the primary? If not, how do we 'switch back' the server we want to be the primary? We confirmed the IWA agent does have the correct primary.