FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 193419


This article provides some explanation around the behaviour of the FSSO collector agent, DC agent and RODC.  It addresses the question of whether it is useful to instal the  FSSO collector Agent or DC agent on RODC



On RODC you do not have logon events, it is usually used for cached users.  FSSO collects new logon events, but with RODC there should not be any.

When a client logs on or joins the network, it must be able to locate a domain controller. The client sends a DNS Lookup query to DNS to find domain controllers, preferably in the client's own subnet. Therefore, clients find a domain controller by querying DNS for a record of the form: _LDAP._TCP.dc._msdcs.domainname

After the client locates a domain controller, it establishes communication by using LDAP to gain access to Active Directory.   As part of that negotiation, the domain controller identifies which site the client is in based on the IP subnet of that client.

If the client is communicating with a domain controller that is not in the closest (most optimal) site, the domain controller returns the name of the client's site.  If the client has already tried to find domain controllers in that site (for example, when the client sends a DNS Lookup query to DNS to find domain controllers in the client's subnet), the client uses the domain controller that is not optimal.

Otherwise, the client performs a site-specific DNS lookup again with the new optimal site name.  The domain controller uses some of the directory service information for identifying sites and subnets.

After the client locates a domain controller, the domain controller entry is cached.

If the domain controller is not in the optimal site, the client flushes the cache after fifteen minutes and discards the cache entry.  It then attempts to find an optimal domain controller in the same site as the client.

After the client has established a communications path to the domain controller, it can establish the logon and authentication credentials and, if necessary for Windows-based computers, set up a secure channel.  The client then is ready to perform normal queries and search for information against the directory.

The client establishes an LDAP connection to a domain controller to log on.

The logon process uses Security Accounts Manager.  Because the communications path uses the LDAP interface and the client is authenticated by a domain controller, the client account is verified and passed through Security Accounts Manager to the directory service agent, then to the database layer and finally to the database in the Extensible Storage engine (ESE).

Once a user performs a logon from a PC to a Domain and the DC is located successfully, an event ID is generated in Windows Security Event logs of that DC.  When Collector Agent detects such logon, depending on method chosen, it will process/pass this to the FortiGate as long as all requirements are matched: correct event ID, auditing enabled, DC monitored by Collector Agent , existing user...

The Database in RODC is read only, whereas Domain controller have a read/write copy of database.  RODC takes replication from Writable domain cotroller and it never replicate to other domain controller whereas writeable domain controller can replicate with other writable domain controller.