hpisharodi
Staff

Description


This article explains how to fix the error 'Failed to join Windows AD network: <Domain Name>' that appears in the FortiAuthenticator logs.

 


 

Solution

 

Make sure Windows Active Directory Domain Authentication is enabled under Authentication -> Remote Auth. Servers -> LDAP.

 

Configure the required Windows AD Domain Controller information:

 

Monitor -> Authentication -> Windows AD should now show 'Connection: joined domain, connected'.
 

If there are still issues with joining, check or change the following:

1) Internal DNS is configured: go to System -> Networks -> DNS and set at least one internal DNS server.
2) FortiAuthenticator must be able to resolve and reach the domain it is joining.
3) The time and time zone are correct on the FortiAuthenticator and in sync with the DC; use the same NTP source on both if possible.
4) If there is a FortiAuthenticator computer account (or duplicates) on the DC (Active Directory Users and Computers, expand the domain, Computers), delete all of them; the account is recreated once the FortiAuthenticator joins the domain.
5) Make sure to use a domain admin account.
6) If there is a firewall between FortiAuthenticator and AD, for example a FortiGate, make sure that the domain join ports are not blocked. The ports used with Windows AD domain authentication are TCP/88, 135, 139, and 445.
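As an added example (not part of the original article and not Fortinet code), the following Python script checks items 1, 2 and 6 of the checklist from an admin host on the FortiAuthenticator's network segment: whether the AD domain name resolves and whether the four listed TCP ports are reachable on the domain controller. The domain and DC names in it are constructed placeholders.

```python
# Pre-flight check of the domain-join network prerequisites listed above. Added
# example, not Fortinet code; run from an admin host on the FortiAuthenticator's
# network segment. The domain and DC names below are constructed placeholders.
import socket
from typing import Dict, List

DOMAIN_JOIN_PORTS: Dict[int, str] = {
    88: "Kerberos",
    135: "MS-RPC endpoint mapper",
    139: "NetBIOS session service",
    445: "SMB",
}

def resolve_domain(domain: str) -> List[str]:
    """Addresses the AD domain resolves to through this host's DNS; [] on failure."""
    try:
        infos = socket.getaddrinfo(domain, None, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def tcp_port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """True when a TCP handshake to host:port completes; False on refused/timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def diagnose(resolved: List[str], ports: Dict[int, bool]) -> List[str]:
    """Map raw results onto checklist items 1/2 (DNS) and 6 (firewall)."""
    findings = []
    if not resolved:
        findings.append("DNS: domain does not resolve; set an internal DNS server "
                        "under System -> Networks -> DNS (items 1 and 2)")
    for port in sorted(p for p, ok in ports.items() if not ok):
        findings.append(f"Firewall: TCP/{port} ({DOMAIN_JOIN_PORTS[port]}) is not "
                        "reachable on the DC; allow it towards AD (item 6)")
    return findings

def run(domain: str, dc: str) -> List[str]:
    """Run both checks against a live DC; an empty list means prerequisites are met."""
    ports = {p: tcp_port_open(dc, p) for p in DOMAIN_JOIN_PORTS}
    return diagnose(resolve_domain(domain), ports)

if __name__ == "__main__":
    # Constructed placeholders: substitute the real AD domain and a DC address.
    findings = run("corp.example.local", "dc1.corp.example.local")
    print("\n".join(findings) or "All domain-join network prerequisites OK")
```

Item 3 (clock skew against the DC) is not covered here because it needs a time source on the DC side; compare NTP on both systems separately.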

 

Now the FortiAuthenticator should be joined to the domain; confirm this under Logging -> Log Access -> Logs.
If none of these steps help and joining the domain is still not possible, raise a ticket with Support.

Related Articles
https://community.fortinet.com/t5/FortiAuthenticator/Troubleshooting-Tip-How-to-work-with-FortiAuthe...
https://docs.fortinet.com/document/fortiauthenticator/6.4.1/administration-guide/416152/policies