FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
idumancic
Staff
Article Id 365171
Description

This article explains how to remove a Domain Controller that no longer exists from the SSO Domains list in FortiAuthenticator.

The Domain Controller is no longer visible under Authentication -> Remote Auth. Servers, but is still listed under Monitor -> SSO -> Domains.

Scope FortiAuthenticator
Solution

If a Domain Controller has been decommissioned (it no longer exists or is no longer in use) and is therefore unreachable, it still appears under FortiAuthenticator -> Monitor -> SSO -> Domains, marked with a red cross.

The screenshot below shows one example of this behavior: DC-01.fortilab.com with IP address 192.168.189.5 should be removed from the list.

(screenshot: aaaassolist.PNG)

First, check whether the Domain Controller has really been removed from DNS:

  • Connect to the FortiAuthenticator CLI over SSH (for example with PuTTY).
  • Run nslookup against the domain. If the old Domain Controller's IP address is still returned, the Domain Controller was not removed correctly on the Active Directory/DNS side; fix DNS before going any further, otherwise the entry will keep coming back.
  • If the old IP address is absent from the output, as in the screenshot below, proceed with the steps that follow.

execute nslookup fortilab.com

(screenshot: NSLLOOKUP.PNG)

  • In the nslookup output, the only IP addresses returned are 192.168.189.45 and 198.168.189.46.
  • IP address 192.168.189.5 is no longer returned, so the DNS side is clean.

To remove the Domain Controller from FortiAuthenticator -> Monitor -> SSO -> Domains:

  • Open the FortiAuthenticator debug page (https://<FortiAuthenticator address>/debug) -> Single Sign On -> Domain Manager and select Rebuild SSO domains.

(screenshot: rebuild.PNG)

  • The Domain Controller should now be gone from FortiAuthenticator -> Monitor -> SSO -> Domains.
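As an added example that is not part of the Fortinet article, the following shell pre-check can be run from an admin workstation (ideally pointed at the same DNS servers the FortiAuthenticator uses) before selecting Rebuild SSO domains. It parses nslookup output for the stale address, and it also lists the Domain Controllers that Active Directory still advertises through the _ldap._tcp.dc._msdcs SRV record, the standard mechanism for locating Domain Controllers. The domain, addresses, function names and captured nslookup output are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the Fortinet article. Pre-check before
# "Rebuild SSO domains": confirm a decommissioned DC is gone from DNS.
# Domain, addresses and the captured nslookup output are constructed.

# Print the IPv4 addresses from the answer section of nslookup output on
# stdin. The leading "Server:/Address:" block names the resolver that was
# queried, not an answer, so everything up to the first blank line is
# skipped. Works for both GNU and BusyBox nslookup layouts.
answer_ipv4() {
    awk 'in_answer { print } /^[[:space:]]*$/ { in_answer = 1 }' \
        | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' \
        | sort -u
}

# Exit status 0 if the stale address is still among the answers on stdin,
# 1 if it is not. -x matches the whole line, so 192.168.189.5 does not
# match 192.168.189.45.
stale_dc_present() {
    answer_ipv4 | grep -qxF "$1"
}

# Print the DC host names advertised by an SRV lookup
# (nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain>) read from stdin.
# GNU nslookup prints one "service = prio weight port target." line per DC.
dc_srv_targets() {
    awk '/service = / { sub(/\.$/, "", $NF); print $NF }' | sort -u
}

# Live check: query DNS for the domain and report whether the stale DC
# address still resolves. The optional third argument selects the resolver,
# so the same DNS servers the FortiAuthenticator uses can be queried.
check_domain() {
    domain="$1"; stale_ip="$2"; resolver="$3"
    if nslookup "$domain" $resolver | stale_dc_present "$stale_ip"; then
        echo "$stale_ip still resolves for $domain: fix DNS before rebuilding SSO domains"
        return 1
    fi
    echo "$stale_ip not returned for $domain: safe to rebuild SSO domains"
    echo "DCs still advertised via SRV:"
    nslookup -type=SRV "_ldap._tcp.dc._msdcs.$domain" $resolver | dc_srv_targets
}

# Constructed captures (no network needed for the demo below).
SAMPLE_A='Server:   192.168.189.45
Address:  192.168.189.45#53

Name:     fortilab.com
Address:  192.168.189.45
Name:     fortilab.com
Address:  192.168.189.46'

SAMPLE_SRV='Server:   192.168.189.45
Address:  192.168.189.45#53

_ldap._tcp.dc._msdcs.fortilab.com  service = 0 100 389 dc-01.fortilab.com.
_ldap._tcp.dc._msdcs.fortilab.com  service = 0 100 389 dc-02.fortilab.com.'

# Demo against the captures: DC-01 (192.168.189.5) is gone from the A
# records, and only the two remaining DCs are still advertised via SRV.
if printf '%s\n' "$SAMPLE_A" | stale_dc_present 192.168.189.5; then
    echo "192.168.189.5 still in DNS answers"
else
    echo "192.168.189.5 gone from DNS answers"
fi
printf '%s\n' "$SAMPLE_SRV" | dc_srv_targets
```

For a live run, call check_domain fortilab.com 192.168.189.5 192.168.189.45 and only proceed to Rebuild SSO domains when it reports the address as not returned; a Domain Controller that is still in the A or SRV answers will simply be discovered again.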

Another option is to enable Restrict auto-discovered domain controllers to configured Windows event log sources and remote LDAP servers under Fortinet SSO -> Settings -> Methods. With this enabled, FortiAuthenticator only treats explicitly configured servers as Domain Controllers, which updates the SSO domain list and also keeps a decommissioned host from being picked up by auto-discovery again. Before enabling it, make sure every Domain Controller that should still be polled is listed under Windows Event Log Sources (or configured as a remote LDAP server); any additional Domain Controllers needed later must be added there as well.