AWS VM Setup for Active Directory and Okta Agent Integration 

Prerequisites

• An active AWS account.

• Basic knowledge of AWS services and Windows Server.

• RDP client for remote access (option to create during setup).

• A secure AWS Key Pair for instance authentication (option to create during setup).

Step 1: Set Up Your AWS Account

1. Log in to your AWS Management Console. If you don’t have an account, sign up for AWS.

2. Ensure that your account has appropriate permissions to create resources (e.g., EC2 instances, security groups).

Step 2: Launch an EC2 Instance

1. Go to the EC2 Dashboard.

2. Click Launch Instance and configure the following:

   • AMI: Choose a Windows Server AMI with the version that supports Active Directory, such as Windows Server 2019 Base or Windows Server 2022 Base.

Note: Windows Server 2022 Base was used for this setup.

2. • Instance Type: Choose an instance type with sufficient resources (e.g., t3.medium or larger).

Note: t2.micro was used for this setup. (free tier eligible)

2. • Key Pair: Create or select a key pair to securely connect to your instance.

   • Network Settings: Ensure the instance is in a VPC (Virtual Private Cloud) with internet access and assign a public IP if necessary.

   • Storage: Allocate sufficient storage (at least 50GB is recommended for AD).

3. Launch the instance.

Step 3: Configure Security Group

1. Modify the Security Group associated with the EC2 instance:

   • Allow RDP (Port 3389) for your IP to access the VM remotely.

   • Allow required ports for Active Directory services:

     • TCP/UDP 53 (DNS)

     • TCP 389 (LDAP)

     • TCP 445 (SMB)

     • TCP 3268 (Global Catalog)

     • TCP/UDP 123 (Time Sync)

Step 4: Connect to the EC2 Instance

1. Use Remote Desktop Protocol (RDP) to connect to your instance:

   • Download the .rdp file from the AWS Console or use a Remote Desktop client.

   • Use the Administrator username and the password obtained from the EC2 instance's console.

Step 5: Installing Active Directory

1. Open Server Manager: Launch Server Manager from the Start menu.

2. Add AD DS Role:

   • Go to Manage > Add Roles and Features.

   • Choose Role-based installation.

   • Add the Active Directory Domain Services (AD DS) role.

3. Promote to Domain Controller:

   • After installation, click Promote this server to a domain controller in the notification area.

   • Create a new forest and specify a domain name (e.g., example.com).

Step 6: Configuring DNS (Optional)

1. If integrated with an external DNS (e.g., Route 53), create a delegation for your AD DNS.

2. For standalone setups, AD’s DNS will manage internal queries.

Step 7: Testing the Environment

1. Open Active Directory Users and Computers.

2. Create and manage test users, groups, and organizational units (OUs).

3. Verify DNS resolution and domain authentication.

Additional Considerations:

• Restrict security group rules to trusted IPs.

• Back up the server regularly using EC2 Snapshots.

• Monitor performance with AWS CloudWatch.

• Implement strong passwords, firewall rules, and regular updates.

Notes:

• If the server administrator account has a blank password you may be forced to set a password.

Prerequisites

1. An Okta administrator account.

2. Your AD environment (already set up as described in previous steps).

3. A Windows Server within the AD domain to host the Okta AD Agent.

4. Proactively created OUs/Users/Groups for management in AD.

5. When Downloading Okta Agent – If using IE browser, you may have to turn off IE Enhanced Security Configuration.

Note: The following steps should be performed on the server hosting your AD environment.

Step 1: Prepare Your Okta Environment

1. Log in to your Okta Admin Console.

2. Navigate to Directory > Directory Integrations.

3. Click Add Directory and select Active Directory.

4. Okta will provide a link to download the AD Agent. Keep this page open for later use.

Step 2: Download and Install the Okta AD Agent

1. From the Okta Admin Console, download the Okta Active Directory Agent installer.

2. If needed, transfer the installer to the server where the agent will be installed (preferably the AD domain controller or a server with access to the AD domain).

Step 3: Install the Okta AD Agent

1. Run the Installer:

   • Double-click the installer .exe file to start the setup wizard.

2. Follow the Installation Wizard:

   • Accept the license agreement.

   • Select the installation folder (default is fine for most setups).

   • Provide administrative credentials for the server (this allows the agent to connect to AD).

3. Enter Okta Org Details:

   • During installation, the wizard will prompt for your Okta Org URL and an activation token.

   • Copy the token from the Okta Admin Console (from the page where you downloaded the agent) and paste it into the wizard.

   • You may receive a prompt with an activation link and activation code.

   • Allow Access.

4. Complete Installation:

   • Once the setup is complete, the agent will automatically connect to your Okta organization.

Step 4: Configure Directory Integration in Okta

1. Return to the Okta Admin Console and complete the directory integration wizard:

   • Select the OUs (Organizational Units) in AD that you want Okta to sync.

   • Configure user and group synchronization settings.

2. Set up Import and Sync Schedule:

   • Choose whether imports will occur manually or on a scheduled basis.

3. Configure Password Sync (Optional):

   • Enable password sync if you want Okta to synchronize user password changes made in AD.

Step 5: Verify the Integration

1. Test synchronization by importing a user or group from AD:

   • Go to Directory > Directory Integrations > Your AD directory.

   • Click Import Now to manually trigger a sync.

   • Verify that users and groups appear in the Okta directory.

2. Test user login:

   • Log in to Okta with an AD user to verify authentication works.

   • Check whether group memberships and attributes are mapped correctly.

Secure and Optimize Considerations:

1. High Availability:

   • Install the Okta AD Agent on additional servers for redundancy.

2. Firewall Rules:

   • Ensure the server hosting the agent can communicate with Okta over the internet (TCP port 443).

3. Monitor Agent Health:

   • Check the agent status regularly in Okta Admin Console under Directory Integrations.

4. Mapping and Provisioning Rules:

   • Adjust attribute mappings in Directory > Profile Editor as needed.