The Okta AD Agent may be reported as offline, and operations through the agent will fail, when the agent's service account is a member of the built-in Protected Users group in Active Directory. The agent logs show the two errors below; note that the second is the inner exception of the first, so the "Unable to find DC" message is a symptom of the authentication failure rather than a DNS or connectivity problem.
An Active Directory Domain Controller for the target domain could not be contacted. Reason: Unable to find DC in the domain.
The user name or password is incorrect.
- Directories
- Active Directory (AD)
- AD Agent
Per Microsoft documentation, accounts used by services and computers should never be members of the Protected Users group. Membership disables NTLM authentication, Kerberos delegation and credential caching for the account and limits its TGT lifetime to four hours, which removes authentication options the agent's service logon and directory bind rely on. The Okta AD Agent service (OktaAgentService) therefore fails to start, logging the errors below, while the service account is in this group. To resolve the issue, remove the service account from Protected Users and restart the Okta AD Agent service; if the account genuinely needs hardening, use a different control (a strong, rotated password, a gMSA where supported, or restricted logon rights) rather than Protected Users.
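The following PowerShell script is an added example, not Okta's code or part of the original article. It reads the logon account of the OktaAgentService service (the service name is taken from the Source field in the log excerpt), resolves it to a SID, and checks recursive membership of the domain's Protected Users group, printing the remediation commands if it matches. It assumes the ActiveDirectory RSAT module is installed on the agent host and that it is run in an elevated session with rights to query the domain.

```powershell
# Added example (not from the Okta article): check whether the Okta AD Agent
# service account is a member of Protected Users, the cause described above.
# Assumptions: ActiveDirectory module (RSAT) present; run elevated on the agent host.
Import-Module ActiveDirectory

$serviceName = 'OktaAgentService'   # matches Source=OktaAgentService in the agent log

# Win32_Service exposes the logon account (StartName) and current state
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'"
if (-not $svc) { throw "Service '$serviceName' not found on this host" }

$startName = $svc.StartName
Write-Host "Service '$serviceName' runs as '$startName' (state: $($svc.State))"

# Built-in identities cannot be in Protected Users; nothing more to check
if ($startName -match '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)') {
    Write-Host 'Built-in account; Protected Users does not apply.'
    return
}

# Compare by SID so DOMAIN\user, user@domain and case differences do not matter
$sid = (New-Object System.Security.Principal.NTAccount($startName)).
        Translate([System.Security.Principal.SecurityIdentifier]).Value
$user = Get-ADUser -Identity $sid -Properties SamAccountName

# Protected Users is a global group in the domain; -Recursive also catches
# membership inherited through nested groups
$inProtectedUsers = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
    Where-Object { $_.SID.Value -eq $sid }

if ($inProtectedUsers) {
    Write-Warning ("'{0}' is a member of Protected Users: NTLM, delegation and " +
                   "credential caching are blocked for it, which matches the " +
                   "'Unable to find DC' / 'user name or password is incorrect' errors.") -f $startName
    Write-Host "Remediation:"
    Write-Host "  Remove-ADGroupMember -Identity 'Protected Users' -Members '$($user.SamAccountName)' -Confirm:`$false"
    Write-Host "  Restart-Service -Name '$serviceName'"
} else {
    Write-Host "'$startName' is not in Protected Users; investigate DC reachability or the stored password instead."
}
```

Run it on each host where the agent is installed; in multi-agent deployments the account is usually shared, so one positive result typically explains offline status on all of them.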
2023/11/11 23:28:16.990+01:00 Error -- SERVERNAME(1) -- An Active Directory Domain Controller for the target domain could not be contacted. Reason: Unable to find DC in the domain
2023/11/11 23:28:17.099+01:00 Info -- SERVERNAME
   at Okta.DirectoryServices.Protocols.SDSPWrapper.GetDefaultDomainController(ADSITarget target)
   at Okta.DirectoryServices.Protocols.SDSPWrapper.Connect(ADSITarget target, String& server)
   at Okta.DirectoryServices.Protocols.SDSPWrapper.Connect(ADSITarget target)
   at Okta.DirectoryServices.ActiveDirectoryAdapter.PingDomain()
System.Exception received with message Unable to find DC in the domain Source=OktaAgentService InnerException=System.Security.Authentication.AuthenticationException: The user name or password is incorrect.
 ---> System.DirectoryServices.DirectoryServicesCOMException: The user name or password is incorrect.