https://support.okta.com/help/answers?id=906f0000000i0teiak&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
dale newhart
AD Agent and multiple AD forests

Documentation states a single AD Agent can support multiple AD domains. Is there a theoretical limit on the number? Can a single AD Agent support multiple AD forests?
Thanks in advance.
Best Answer chosen by Niki (Okta, Inc.) 
Jim Knutson (Okta, Inc.)
Hello Dale,
Yes, you can do this. I have seen many domains on a single agent; I am not aware of a limit. Here is the guide; see the section on "Registering Multiple Domains From One AD Agent":
https://support.okta.com/help/articles/Knowledge_Article/28774118-Installing-and-Configuring-the-Active-Directory-Agent#RegMultDomainsFromOneADAgent
 

All Answers

dale newhart
Thanks Jim. Does that include multiple forests? Is there a domain trust requirement? I.e., if the server running the agent is a domain member of domain A in forest A, can the agent support adding an untrusted domain or forest? Will the AD Agent Management Utility prompt for credentials for the untrusted domain/forest?
James Flores (Okta, Inc.)
If your second domain is in an untrusted forest (essentially has no logical tie to your domain), you could put an AD agent on that domain and it would show as a second AD integration in your Okta tenant. Users of that domain would del-auth (delegated authentication) to that domain.
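A pre-flight check an admin could run on the agent host before deciding whether extra domains belong on the existing agent or, per James' answer, need their own agent in the other forest. This is an added example, not Okta's code or part of the thread; it assumes the ActiveDirectory RSAT module is installed on a domain-joined agent server, and the candidate domain names are constructed.

```powershell
# Added example (not Okta's code): classify candidate domains from the agent host's
# point of view. Assumes the ActiveDirectory module (RSAT) is available and the
# script runs on the domain-joined server that hosts (or will host) the AD Agent.
Import-Module ActiveDirectory

# Constructed sample input: domains an admin is considering registering on one agent.
$candidateDomains = @('corp.example.com', 'sales.corp.example.com', 'partner.example.net')

# The forest this host belongs to, and every domain inside it.
$ownForest     = (Get-ADForest).Name
$forestDomains = (Get-ADForest).Domains

# Trusts defined in the host's domain (Name is the trusted partner's DNS name;
# Direction is Inbound, Outbound, BiDirectional or Disabled).
$trusts = Get-ADTrust -Filter * | Select-Object Name, Direction, ForestTransitive, IntraForest

"Agent host forest: $ownForest"
foreach ($domain in $candidateDomains) {
    # Match a trust whose partner name equals the domain or is one of its parents.
    $trust = $trusts | Where-Object {
        $domain -eq $_.Name -or $domain.EndsWith(".$($_.Name)")
    } | Select-Object -First 1

    $verdict = if ($forestDomains -contains $domain) {
        'same forest: can be registered on this agent'
    } elseif ($trust -and $trust.Direction -ne 'Disabled') {
        "trust '$($trust.Name)' ($($trust.Direction)) exists: review direction and follow the guide before registering"
    } else {
        'no trust from this host: install a separate agent in that forest (second AD integration in Okta)'
    }
    '{0,-26} {1}' -f $domain, $verdict
}
```

Run it under an account that can read trust objects; a trust that exists but is Disabled is reported the same way as no trust, since the agent could not rely on it.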
Greg Howley
Question further to James' response: We are doing exactly what you describe, a separate agent in an untrusted AD forest, reporting back to our Okta tenant. During the installation, I need a couple of accounts: an account with Local Admin on the server the agent is being installed on (no problem, assume it is a Windows admin at our business partner) and an Okta Admin account. I ran through the installation scenario using a test domain and was required to use my own admin account when the agent made the initial connection out. Since I don't have any access to the partner domain, and the partner users don't exist in Okta yet, how do I meet the second requirement?

Greg Howley
Also, how do I keep IWA running for my current users? I was testing this and the new agent caused IWA to go offline, so users weren't getting a true SSO experience.