Fortinet Forum
fred339
Contributor

Active Directory Connectors and Connector Objects

FortiGate 80F, 6.4.10, single domain / 3 subnets / one DC per subnet.

We have Security Fabric / External Connectors / AD Connector set up with 3 AD connectors, one for each DC.

I see that there are Connector Objects for each AD Connector - we have made them all the same.  So, that's a lot of connector objects, it might seem.

We want to have redundancy, thus 3 DCs.  So, it seems consistent for each AD connector to have all the Connector Objects.  

Is that good practice?  Or should only one AD Connector be populated with Connector Objects?

 

Also, we have added each and every AD User and we have added an AD Group with all the same users.  

This seems appropriate.  Is it?

In one AD Connector, we are unable to add those AD Groups - we get an error that there are too many.

Thus this question.

Fred Marshall
2 Solutions
distillednetwork

@fred339 I believe @aahmadzada is saying to avoid using the "Poll Active Directory Server" connector in the FortiGate and instead use the "FSSO Agent on Windows AD" connector.



distillednetwork

It can work that way, but in larger environments with multiple DCs it can add an increased load on the domain controller, or could cause you to reboot the domain controller for updates.

In general Microsoft recommends to not run any other applications or services on a domain controller. 

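To make the distinction in the two solutions above concrete, here is a FortiOS CLI fragment showing the "FSSO Agent on Windows AD" connector pointed at a collector agent, with a second collector listed for redundancy, beside the "Poll Active Directory Server" form the replies advise against. This is an added illustration and not configuration from the original post or from Fortinet; the connector names, IP addresses (collector hosts 10.0.1.10 and 10.0.2.10, DC 10.0.1.5), the domain example.com and the group DN are placeholders, the passwords are redacted, and the option names should be checked against the FortiOS 6.4 CLI reference for the exact build.

```text
# Preferred: FSSO Agent on Windows AD (collector agent mode).
# The FortiGate talks to the collector agent (default TCP 8000), not to
# the DCs directly. server2 is a second collector for failover; per the
# thread, these collectors should ideally be member servers, not DCs.
config user fsso
    edit "FSSO_Collector"
        set server "10.0.1.10"          # placeholder: primary collector
        set password <redacted>
        set server2 "10.0.2.10"         # placeholder: standby collector
        set password2 <redacted>
    next
end

# Group objects are then referenced once, not per connector:
config user group
    edit "FSSO_Domain_Users"
        set group-type fsso-service
        set member "CN=Domain Users,CN=Users,DC=example,DC=com"   # placeholder DN
    next
end

# Discouraged in larger environments: Poll Active Directory Server.
# The FortiGate itself polls each DC's security log over SMB/LDAP,
# which is the per-DC load the second solution warns about, and it
# is the mode where each connector carries its own copy of the groups.
config user fsso-polling
    edit 1
        set status enable
        set server "10.0.1.5"           # placeholder: one DC per entry
        set user "svc-fsso"             # placeholder service account
        set password <redacted>
    next
end
```

With the agent-mode connector, the group list lives on the FortiGate user group and the collector agent, so one connector (plus its failover server entries) replaces three separately populated polling connectors.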

fred339

@distillednetwork Thank you!!  Well, that's what I'm doing so I guess at least that part has been focused.

Fred Marshall
fred339

@distillednetwork 

Thank you!  Very helpful to get the terminology straightened out!

I'm not grasping all of this yet.  I have DC Agents on all the DCs.
I have FSSO connectors on the Fortigate.

I have an FSSO Agent installed on all of the DCs but, it appears, am only really using one of them.

Are you saying that to use DC Agent Mode, one has to have a separate Windows Server to run FSSO Agent?

It seems to be working....

Fred Marshall
aahmadzada

That is exactly what I meant!
Thanks @distillednetwork 

Ahmad
fred339
Contributor

I'm still a bit worried as our configuration / architecture isn't what was advised.

Our collector is running on one of the DCs.  Why is that not advisable?  It seems to be working fine.

Fred Marshall
fred339
Contributor

OK - thanks!

Fred Marshall