I would like to know the best practise for installation of Okta AD Sync agents when setting up a additional AD sites with a domain controller in each site.

By having two or more sites, we will be able to install an Okta AD Sync agent at multiple sites, therefore if one site's internet connection goes down, we will still be able update group memberships and provision new users at the second site, and sync these to Okta. This seems like an ideal set up for business continuity.

However, during business as usual operation, Okta AD Sync agents are active/active which causes a problem. When provisioning new users, there will be normal replication latency between AD Sites of a minimum of 15 minutes. If I provision a new user at site A, what should I do to ensure that when I force an incremental Okta sync from the dashboard, it will will pick up the changes I've made at site A, rather than syncing with site B or C (which will not have seen the changes yet).

The options I can see are -

1) Don't use Okta AD Agents at multiple sites - not great because that removes the redundancy

2) Force AD to replicate between domain controllers after making changes - not great because we don't want some lower level staff to have access to or mess with AD replication

3) Manually wait for AD to sync before syncing Okta - not great because some requests are time sensitive, plus it adds overhead to the support team

4) Somehow manually set the order in which Okta will query AD Sync agents - this would be best but I can't see how to do it

5) Something else I haven't thought of?

I would really like to understand what best practise is here, when dealing with multiple sites. How does a large enterprise manage this scenario?

Thanks in advance.