Technical Tip: How to collect Active Directory Connector logs from FortiClient EMS

The Active Directory (AD) Connector is used to connect FortiClient EMS to on-premise Active Directory servers, especially in cloud deployments. It enables user and group synchronization over LDAP or LDAPS without exposing the domain controller to the public internet.

To collect the AD Connector logs:

1. On the FortiClient EMS server, change the log level to debug under System Settings -> Log Settings -> Log Level: Debug.
   • This change will generate additional debug information on the AD Connector. Debug level is only active for 30 minutes.
2. Wait until the event or issue reproduces.
3. Access the Server where the AD Connector is installed.
4. Navigate to the following directory: C:\Program Files\Fortinet\FortiClientEMSADConnector\logs\.
   
   

5. Copy and compress the log files.
6. Provide the archive to Fortinet support for analysis.

In the TAC ticket, also provide the following:

7. FortiClient EMS Diagnostic Tool (EMS -> Administration -> Generate Diagnostic Logs).
8. Logs from EMS -> Administration -> Log Viewer related to the AD connector. These can be filtered by Source -> AD Service.

Each log file contains information such as:

• LDAP bind attempts and connection errors.
• Synchronization events for users and groups.
• Timestamped messages for authentication, retries, and failures.

If logs are not generated, verify that the AD Connector service is running and that the integration is active under Administration -> Authentication Servers -> Connectors in FortiClient EMS.

Related document: 

AD connector - FortiClient EMS administration guide