FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
ebilcari
Staff
Article Id 396239
Description

This article describes the steps to create an additional Winbind instance in FortiNAC that connects to a different domain and its respective Domain Controllers. Why Winbind has to be configured in FortiNAC at all is explained in this article: Technical Tip: MSCHAPv2 authentication, join FortiNAC in domain and checks.

The same steps can be followed to configure the DNS server used by FortiNAC in case the required DNS records are missing. In single-domain environments, the DNS server configured in FortiNAC is usually one of the domain controllers, which typically has all the required DNS records preconfigured by default.

Note:
If there are multiple Domain Controllers serving the same domain, these steps are not required; all the DCs should be discovered automatically and used in rotation.

Scope

FortiNAC.

Solution

The DNS server used by FortiNAC is configured in the 'Config Wizard' during initialization. It can be changed later under System -> Config Wizard -> Basic Network -> DNS. A reboot of the appliance is required to apply the changes.

[Screenshot: DNS configuration.PNG]

Due to the nature of Winbind and the compatibility requirements set by Microsoft, some specific DNS records need to exist for the Winbind instance to successfully join the domain. More details are given in this section of the Microsoft server documentation: How to verify that SRV DNS records have been created for a domain controller.

[Screenshot: FNAC - 2 DC.png]

In this example, FortiNAC is using the first Domain Controller as its DNS server, which also hosts the domain 'eb.eu'. The Winbind instance for this domain is already created and working without any extra configuration on the DNS server. The requirement is to add a second Winbind instance pointing to the domain 'eb.lab', which is hosted on another Domain Controller. For this configuration to work, the DNS server (10.1.1.10) must hold at least the following DNS records, pointing to the second domain and its Domain Controller (10.6.1.10):

[Screenshot: DNS records.PNG]

And a normal DNS A record for the second Domain Controller itself:

[Screenshot: dc02.PNG]

Checks done from the FortiNAC CLI:

execute enter-shell

host -t SRV _kerberos._tcp.dc._msdcs.eb.lab
_kerberos._tcp.dc._msdcs.eb.lab has SRV record 0 100 88 dc02.eb.lab.

host -t SRV _ldap._tcp.dc._msdcs.eb.lab
_ldap._tcp.dc._msdcs.eb.lab has SRV record 0 100 389 dc02.eb.lab.

ping dc02.eb.lab

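The checks above verify the two SRV records and the A record by eye. As an added example (not Fortinet's code or part of this article), the Python helper below parses `host` output for a domain and reports which of the records the article requires are missing, point to the wrong port, or lack an A record for their target. It assumes the article's minimum record set in REQUIRED_SRV and uses a constructed sample whose A-record line follows the format `host -t A` prints; on a real appliance, paste the output of the same `host` commands into parse_host_output.

```python
import re

# SRV names the article requires on FortiNAC's DNS server for a Winbind join to a
# second domain, with the port each must advertise (assumption: extend as needed).
REQUIRED_SRV = {"_kerberos._tcp.dc._msdcs": 88, "_ldap._tcp.dc._msdcs": 389}
SRV_RE = re.compile(r"^(\S+) has SRV record (\d+) (\d+) (\d+) (\S+?)\.?$")
A_RE = re.compile(r"^(\S+) has address (\d+\.\d+\.\d+\.\d+)$")

# Constructed sample: the article's `host` replies plus the A record seen in its capture.
SAMPLE = """\
_kerberos._tcp.dc._msdcs.eb.lab has SRV record 0 100 88 dc02.eb.lab.
_ldap._tcp.dc._msdcs.eb.lab has SRV record 0 100 389 dc02.eb.lab.
dc02.eb.lab has address 10.6.1.10
"""

def parse_host_output(text):
    """Parse `host -t SRV` / `host -t A` lines into SRV and A dictionaries."""
    srv, addr = {}, {}
    for line in text.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            name, prio, weight, port, target = m.groups()
            srv.setdefault(name, []).append((int(prio), int(weight), int(port), target))
            continue
        m = A_RE.match(line.strip())
        if m:
            addr.setdefault(m.group(1), []).append(m.group(2))
    return srv, addr

def verify_domain(domain, srv, addr):
    """Return the problems found; an empty list means the join prerequisites exist."""
    problems = []
    for prefix, port in REQUIRED_SRV.items():
        name = f"{prefix}.{domain}"
        if name not in srv:
            problems.append(f"missing SRV {name}")
            continue
        for _, _, rport, target in srv[name]:
            if rport != port:
                problems.append(f"{name}: port {rport}, expected {port}")
            if not target.endswith("." + domain):
                problems.append(f"{name}: target {target} is outside {domain}")
            if target not in addr:
                problems.append(f"no A record for SRV target {target}")
    return problems

if __name__ == "__main__":
    print(verify_domain("eb.lab", *parse_host_output(SAMPLE)) or "all required records present")
```
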
The DNS traffic and the query responses can also be checked in a packet capture taken from another FortiNAC CLI session:

execute tcpdump port 53 -v
17:47:33.879717 IP (tos 0x0, ttl 64, id 20045, offset 0, flags [none], proto UDP (17), length 77)
    fnac76.eb.eu.58211 > DC01.eb.eu.domain: 37142+ SRV? _kerberos._tcp.dc._msdcs.eb.lab. (49)
17:47:33.902416 IP (tos 0x0, ttl 126, id 21362, offset 0, flags [none], proto UDP (17), length 124)
    DC01.eb.eu.domain > fnac76.eb.eu.58211: 37142* 1/0/1 _kerberos._tcp.dc._msdcs.eb.lab. SRV dc02.eb.lab.:88 0 100 (96)

17:48:02.445248 IP (tos 0x0, ttl 64, id 50231, offset 0, flags [none], proto UDP (17), length 73)
    fnac76.eb.eu.36158 > DC01.eb.eu.domain: 44870+ SRV? _ldap._tcp.dc._msdcs.eb.lab. (45)
17:48:02.467963 IP (tos 0x0, ttl 126, id 21364, offset 0, flags [none], proto UDP (17), length 120)
    DC01.eb.eu.domain > fnac76.eb.eu.36158: 44870* 1/0/1 _ldap._tcp.dc._msdcs.eb.lab. SRV dc02.eb.lab.:389 0 100 (92)

17:50:55.966874 IP (tos 0x0, ttl 64, id 4941, offset 0, flags [DF], proto UDP (17), length 57)
    fnac76.eb.eu.38145 > DC01.eb.eu.domain: 51898+ A? dc02.eb.lab. (29)
17:50:55.989501 IP (tos 0x0, ttl 126, id 21550, offset 0, flags [none], proto UDP (17), length 73)
    DC01.eb.eu.domain > fnac76.eb.eu.38145: 51898* 1/0/0 dc02.eb.lab. A 10.6.1.10 (45)

Winbind configuration and status checks in the FortiNAC GUI:

[Screenshot: winbind 2nd.PNG]

The configuration can be considered complete once a RADIUS MSCHAPv2 authentication request for a user from the second domain is accepted. The details can be seen in the RADIUS 'Service Log':

(2) Received Access-Request Id 0 from 10.6.2.1:22006 to 10.6.2.61:1812 length 142
(2)   NAS-Identifier = "FGVM-DR"
(2)   User-Name = "gimi@eb.lab"
(2)   MS-CHAP2-Response = 0x8c00fd4c5db2f8fc47c31ab98fd842ac66f90000000000000000406b95ebc1f4e611dfe09176981e46617aa4ccb452fc3dc1
(2)   MS-CHAP-Challenge = 0x2c4955011b178ad0a03f5cffbb488c1e
(2)   Message-Authenticator = 0x327601c040b0b7903a7e2a86cb9c4a2f
...
(2) Login OK: [gimi@eb.lab] (from client 10.6.2.1 port 0)
(2) Sent Access-Accept Id 0 from 10.6.2.61:1812 to 10.6.2.1:22006 length 197
(2)   Message-Authenticator = 0x00
(2)   MS-CHAP2-Success = 0x8c533d39443641433942313038373032463333413232414631453032323735313644314234384342313442
(2)   MS-MPPE-Recv-Key = 0x2a5e2092bbd50cef012d4d0df76ef76d
(2)   MS-MPPE-Send-Key = 0x8fe2579c97c7fc9600a9911ed5b34764
(2)   MS-MPPE-Encryption-Policy = Encryption-Allowed
(2)   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(2) Finished request

Related articles:

Technical Tip: MSCHAPv2 authentication, join FortiNAC in domain and checks

Troubleshooting Tip: Local Winbind configuration fails to start