Read-Only Domain Controllers Cause Okta Active Directory Provisioning Errors

Overview

Okta Active Directory (AD) provisioning and password changes fail when the Okta AD Agent's LDAP request is answered by a Read-Only Domain Controller (RODC). The agent performs provisioning and password change tasks by making an LDAP call to the directory and works with the first domain controller that responds. An RODC holds a read-only replica of the directory and cannot commit writes, so the task fails whenever the responding controller is read-only. Prevent these failures by ensuring that RODCs never service LDAP requests from the agent host.

Applies To

  • Okta Identity Engine (OIE)
  • Okta Classic Engine
  • Directories
  • Active Directory (AD)
  • Read-Only Domain Controller (RODC)
  • Provisioning
  • Password Changes

Cause

RODCs hold a read-only replica of the directory and cannot modify any AD object. When the Okta AD Agent performs a provisioning or password change task, it initiates an LDAP call to the directory and interacts with the first domain controller that responds. If that controller is an RODC, the write cannot be committed and the task fails.

Solution

What steps prevent Read-Only Domain Controllers from causing Okta provisioning errors?

Configure the environment so that LDAP requests from the Okta AD Agent are never answered by an RODC; the agent must always reach a writable domain controller for provisioning and password change operations.
  • Modify the network or directory settings so that RODCs do not accept LDAP requests from the Okta AD Agent, for example by placing the agent host in an AD site served only by writable domain controllers, or by blocking LDAP traffic from the agent host to each RODC (TCP 389 and 636, plus 3268 and 3269 if the agent queries the Global Catalog).
  • After the change, verify from the agent host that domain controller discovery returns a writable DC before retrying the failed provisioning or password change tasks.
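The following PowerShell script is an added example, not part of the Okta article and not Okta's own tooling. Run it on the Okta AD Agent host in an elevated session with the ActiveDirectory RSAT module installed. It enumerates the RODCs in the domain, checks which domain controller the DC locator selects from this host (the controller the agent is most likely to reach), confirms that a writable DC is discoverable, and then creates outbound Windows Firewall block rules for the LDAP ports toward each RODC. The rule-name prefix "Okta-Agent-Block-RODC" and the default domain are assumptions chosen for this example; run it with -WhatIf first and review the output before creating any rules.

```powershell
# Added example (not from the Okta article). Run on the Okta AD Agent host as an
# administrator. Requires the ActiveDirectory and NetSecurity modules (RSAT).
# Assumptions: $Domain defaults to the domain of the machine account; the rule
# name prefix below is chosen for this example.
param(
    [string]$Domain = (Get-ADDomain).DNSRoot,
    [switch]$WhatIf
)

Import-Module ActiveDirectory
$rulePrefix = 'Okta-Agent-Block-RODC'

# 1. Enumerate every read-only domain controller in the target domain.
$rodcs = @(Get-ADDomainController -Filter 'IsReadOnly -eq $true' -Server $Domain)
if ($rodcs.Count -eq 0) {
    Write-Host "No RODCs found in $Domain; nothing to block."
} else {
    Write-Host "RODCs in $Domain`: $($rodcs.HostName -join ', ')"
}

# 2. Ask the DC locator which controller this host would pick with no
#    writability requirement. That is the controller the agent is likely to reach
#    when it "interacts with the first domain controller that responds".
$picked     = Get-ADDomainController -Discover -DomainName $Domain -ForceDiscover
$pickedName = [string]$picked.HostName
$pickedInfo = Get-ADDomainController -Identity $pickedName -Server $Domain
if ($pickedInfo.IsReadOnly) {
    Write-Warning "DC locator selected RODC $pickedName from this host; agent writes would fail."
} else {
    Write-Host "DC locator selected writable DC $pickedName from this host."
}

# 3. Confirm that a writable DC is reachable at all; if this fails, blocking the
#    RODCs would leave the agent with no controller to talk to.
$writable = Get-ADDomainController -Discover -DomainName $Domain -Writable -ForceDiscover
Write-Host "Nearest writable DC: $([string]$writable.HostName)"

# 4. Block the LDAP and Global Catalog ports from this host to each RODC so the
#    agent can never be answered by a read-only controller. Idempotent: rules
#    that already exist are left alone.
foreach ($rodc in $rodcs) {
    $ruleName = "$rulePrefix-$($rodc.Name)"
    if (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue) {
        Write-Host "Rule $ruleName already exists; skipping."
        continue
    }
    New-NetFirewallRule -DisplayName $ruleName `
        -Description "Prevent Okta AD Agent from sending LDAP writes to RODC $($rodc.HostName)" `
        -Direction Outbound -Action Block -Protocol TCP `
        -RemoteAddress $rodc.IPv4Address `
        -RemotePort 389, 636, 3268, 3269 `
        -WhatIf:$WhatIf
}

# 5. Re-run discovery with the rules in place; the selected DC should now be writable.
$after = Get-ADDomainController -Discover -DomainName $Domain -ForceDiscover
Write-Host "DC locator now selects: $([string]$after.HostName)"
```

A host firewall block is only one way to satisfy the article's guidance; moving the agent host into an AD site that contains only writable domain controllers achieves the same result without per-RODC rules, and is easier to keep current if RODCs are added or re-addressed later. Whichever approach is used, keep step 3 as a standing check: if no writable DC is discoverable from the agent host, blocking the RODCs will turn intermittent failures into total ones.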

