FortiClient
btan
Staff & Editor
Article Id 321762
Description This article explains why FortiClient EMS fails to sync an AD group that was newly created on the AD server, even though the GUI shows no sync error.
Scope EMS v7.0.x and v7.2.0 to v7.2.3, where either the EMS server or the AD server runs Windows Server 2022.
Solution

If either the EMS server or the AD server runs Windows Server 2022, EMS may fail to sync correctly with the LDAP (AD) server while the sync still appears to complete in the GUI.

This is because Windows Server 2022 uses TLS 1.3 by default for LDAP connections, and EMS versions earlier than v7.2.4 do not support TLS 1.3. The newly created AD group is therefore never retrieved, although no error is displayed.

Because EMS 7.2.3 and earlier may not show an error in the GUI when performing a sync, confirm the cause by enabling Debug-level logging in EMS:

  1. Go to EMS -> System Settings -> Log Settings -> Log level, set it to Debug, and select Save.
  2. Perform a manual AD sync in EMS under Endpoints -> Manage Domains -> (select the domain) -> Sync.
  3. On the EMS server, navigate to C:\Program Files (x86)\Fortinet\FortiClientEMS\logs and open the latest addaemonworker_yyyy-mm-dd.log.
  4. In the log, look for Error code 82 or 85, as in the following excerpts:
Error code: 82
Server error message: :
Exception.Data contents:
Timestamp = 18/04/2024 5:28:01 AM
Exception.Data contents:
Elapsed time = 00:00:00.0197908
Aggregate exception message: One or more errors occurred.. Contents:
System.DirectoryServices.Protocols.LdapException: The operation was aborted because the client side timeout limit was exceeded.

Error code: 85
Server error message: :
Exception.Data contents:
Timestamp = 18/04/2024 5:32:09 AM
ConnectivityInfo = Couldn't determine which server to contact, so connectivity could not be tested.

If either error code appears immediately after a manual sync, the sync failure is most likely caused by the TLS 1.3 incompatibility described above.
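To make steps 3 and 4 repeatable, the following PowerShell script, added here as an example and not part of the Fortinet article, selects the newest addaemonworker log from the default EMS log directory and reports every Error code 82 or 85 block together with the Timestamp line that follows it. The function name Find-EmsLdapTlsErrors and the default log path are assumptions; adjust the path if EMS is installed elsewhere.

```powershell
# Added example, not from the Fortinet article: automate steps 3-4 of the procedure.
# Assumes the default EMS log directory named in the article.
function Find-EmsLdapTlsErrors {
    param(
        [string]$LogDir = 'C:\Program Files (x86)\Fortinet\FortiClientEMS\logs'
    )

    # Step 3: pick the most recently written addaemonworker_yyyy-mm-dd.log
    $log = Get-ChildItem -Path $LogDir -Filter 'addaemonworker_*.log' -File -ErrorAction Stop |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 1
    if (-not $log) { throw "No addaemonworker_*.log found under $LogDir" }

    # Step 4: each 'Error code: 82' (client-side timeout) or 'Error code: 85'
    # (could not determine which server to contact) starts a block; keep a few
    # following lines so the Timestamp of the failed sync can be reported.
    $hits = Select-String -Path $log.FullName -Pattern '^Error code:\s*(82|85)\s*$' -Context 0, 6

    foreach ($hit in $hits) {
        $timestamp = $null
        foreach ($line in $hit.Context.PostContext) {
            if ($line -match '^Timestamp\s*=\s*(.+)$') { $timestamp = $Matches[1].Trim(); break }
        }
        [pscustomobject]@{
            LogFile   = $log.Name
            Line      = $hit.LineNumber
            ErrorCode = [int]$hit.Matches[0].Groups[1].Value
            Timestamp = $timestamp
        }
    }
}

# Run after enabling Debug logging and triggering a manual AD sync (steps 1-2).
$ldapErrors = @(Find-EmsLdapTlsErrors)
if ($ldapErrors.Count -gt 0) {
    $ldapErrors | Format-Table -AutoSize
    Write-Host "Found $($ldapErrors.Count) LDAP error 82/85 block(s): consistent with the TLS 1.3 issue; upgrade EMS to v7.2.4."
} else {
    Write-Host 'No error code 82/85 in the latest addaemonworker log; the sync failure has another cause.'
}
```

Run the script in an elevated PowerShell session on the EMS server right after the manual sync, and compare the reported Timestamp values with the time of the sync: only blocks logged at that time are evidence for this issue, since older entries may belong to unrelated connectivity problems.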

The solution is to upgrade EMS to v7.2.4, which supports TLS 1.3 for LDAP connections. After the upgrade, repeat the manual AD sync and verify that the new AD group appears and that no further Error code 82 or 85 entries are written to the addaemonworker log.