Technical Tip: How to join FortiAuthenticator to multiple domains
| Description | This article describes the steps to join FortiAuthenticator to multiple domains. |
| Scope | FortiAuthenticator. |
| Solution | Prerequisite: FortiAuthenticator must already be joined to at least one Windows domain (Domain Controller). Refer to: Technical Tip: Joining FortiAuthenticator in the active directory as a machine entity.
Topology:
Step 1.
In this example, FortiAuthenticator uses the first Domain Controller (10.10.10.1) as its DNS server; this DC hosts the domain 'fortilab.local' and runs the production DNS server.
FortiAuthenticator is already joined to this first domain, 'fortilab.local'.
Step 2.
The requirement is to also join FortiAuthenticator to a new domain, 'fortitest.local', which is hosted on a second Domain Controller (10.10.30.1).
FortiAuthenticator only queries the DNS server it is configured with (10.10.10.1), so that server must be able to answer for the 'fortitest.local' zone: the SRV records (_ldap._tcp, _kerberos._tcp, _msdcs) and the A records of the 'fortitest.local' Domain Controller (10.10.30.1). Without them FortiAuthenticator cannot locate the second domain's Domain Controller and the join fails.
The simplest way to provide these records is a stub zone. On the second Domain Controller (fortitest.local, 10.10.30.1), in DNS Manager, open the properties of the 'fortitest.local' zone and, on the Zone Transfers tab, allow zone transfers only to the IP of the first Domain Controller, 10.10.10.1 (fortilab.local). Restrict the transfer to that address rather than allowing it to any server; otherwise any host that can reach the DNS port can enumerate the whole zone.
On the first Domain Controller (fortilab.local, 10.10.10.1), in DNS Manager, create a new zone of type 'Stub Zone' named 'fortitest.local' with 10.10.30.1 as its master server. A stub zone holds only a copy of the SOA, NS and glue A records of 'fortitest.local' and refers every other lookup for that domain to 10.10.30.1, so once it has loaded, the 'fortitest.local' records resolve through 10.10.10.1.
For detailed information about zone transfers and stub zones, see the Microsoft documentation for Add-DnsServerStubZone.
Step 3. Configure FortiAuthenticator to join 'fortitest.local', following the same procedure used for the first domain (see the article referenced in the prerequisite), this time with the details of the 'fortitest.local' domain and its Domain Controller (10.10.30.1).
Result: after a few minutes, FortiAuthenticator joins the new domain while remaining joined to 'fortilab.local'.
FortiAuthenticator must be joined to a domain to perform 'Windows AD domain authentication', which is used in particular for 802.1X, IPsec IKEv2 and remote LDAP password change; every domain whose users must be authenticated this way needs its own join.
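The DNS part of Step 2, plus the resolution checks worth running before Step 3, as an added PowerShell example that is not part of the original article. It uses the names and addresses of the topology above; the DnsServer cmdlets require the DNS Server role or RSAT, the 'Domain' replication scope for the stub zone is an assumption (use -ZoneFile for a file-backed zone), and the SRV record names are the standard Active Directory locator records.

```powershell
# Added example (not from the original article): PowerShell equivalent of
# Step 2 of the procedure, using the article's topology. Run each part on the
# Domain Controller named in the comment.

# --- Run on the fortitest.local DC (10.10.30.1) ---
# Allow zone transfers of fortitest.local only to the fortilab.local DC.
# An explicit IP list is safer than "transfer to any server", which would let
# anyone reaching the DNS port dump the zone with an AXFR.
Set-DnsServerPrimaryZone -Name 'fortitest.local' `
    -SecureSecondaries 'TransferToSecureServers' `
    -SecondaryServers 10.10.10.1

# --- Run on the fortilab.local DC (10.10.10.1) ---
# Create the stub zone: it keeps only the SOA, NS and glue A records of
# fortitest.local and refers all other queries to the master 10.10.30.1.
# ReplicationScope 'Domain' (assumption) stores it in AD so every fortilab.local
# DC running DNS receives it; use -ZoneFile instead for a file-backed zone.
Add-DnsServerStubZone -Name 'fortitest.local' `
    -MasterServers 10.10.30.1 `
    -ReplicationScope 'Domain'

# Confirm the zone exists as a stub and points at the right master.
Get-DnsServerZone -Name 'fortitest.local' |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, MasterServers

# --- Checks before Step 3 (from any host, resolving via 10.10.10.1) ---
# FortiAuthenticator finds the Domain Controller through these locator
# records, so all of them must answer through the fortilab.local DNS server.
$checks = @(
    @{ Name = '_ldap._tcp.dc._msdcs.fortitest.local'; Type = 'SRV' },
    @{ Name = '_kerberos._tcp.fortitest.local';       Type = 'SRV' },
    @{ Name = 'fortitest.local';                      Type = 'A'   }
)
foreach ($c in $checks) {
    try {
        $r = Resolve-DnsName -Name $c.Name -Type $c.Type -Server 10.10.10.1 -ErrorAction Stop
        # SRV answers carry NameTarget; A answers carry IPAddress.
        $targets = $r | ForEach-Object { if ($_.NameTarget) { $_.NameTarget } else { $_.IPAddress } }
        'OK   {0} ({1}) -> {2}' -f $c.Name, $c.Type, ($targets -join ', ')
    } catch {
        'FAIL {0} ({1}): {2}' -f $c.Name, $c.Type, $_.Exception.Message
    }
}
```

If any of the three lookups prints FAIL, fix DNS first: the most common causes are the zone transfer on 10.10.30.1 not being allowed to 10.10.10.1 (the stub zone then stays empty) or a firewall blocking TCP/UDP 53 between the two Domain Controllers. Only start Step 3 once all three resolve.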
Related articles: Technical Tip: Joining FortiAuthenticator in the active directory as a machine entity |