But in all the examples and handbooks we are aware of, there is this part of the config:
    config user krb-keytab
        edit "http_service"
            set principal "HTTP/fortiproxy.mt-test.local@MT-TEST.LOCAL"    <<< Same as the principal name in the ktpass command on Windows Server
            set ldap-server "dc01"    <<< the defined ldap server for authorization
            set keytab "BQIAAABNAAIACkJFUkJFUi5DT00ABEhUVFAAGlRPTllfRkdUXzEwMERfQS5CRVJCRVIuQ09NAAAAAQAAAAAKABcAEJQl0MHqovwplu7XzfENJzw="    <<< base64 encoded keytab data, created in step 5 of general setup
        next
    end
Have a look at the red highlight (the set ldap-server line). We can only define one LDAP server: no second one, no backup, nothing. So if this single server fails, the whole thing is broken.
A bit confusing that most examples (and the handbook) talk about config user ldap and then "edit" servername instead of domain name/realm, which makes much more sense when there's a second and third server that can be defined. Thanks again for pointing me in the right direction.
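An added example, not from the post or from Fortinet: it decodes the base64 keytab quoted in the snippet above and checks whether the principal stored in it is the one given to `set principal`, assuming the keytab is in the MIT 0x0502 format that ktpass writes. On the quoted data it reports a mismatch, because that keytab holds the documentation's BERBER.COM principal rather than the poster's fortiproxy.mt-test.local one; only key lengths are reported, never key bytes.

```python
"""Decode a base64 keytab (MIT format 0x0502) and check that the principal
stored in it is the one configured with `set principal`. Added example."""
import base64
import struct

# Keytab copied from the config quoted in the post above (it is the
# documentation's sample keytab for BERBER.COM, not the poster's own key).
SAMPLE_KEYTAB_B64 = "BQIAAABNAAIACkJFUkJFUi5DT00ABEhUVFAAGlRPTllfRkdUXzEwMERfQS5CRVJCRVIuQ09NAAAAAQAAAAAKABcAEJQl0MHqovwplu7XzfENJzw="


def _counted(buf, pos):
    """Read a 16-bit big-endian length prefix and the bytes that follow it."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(b64):
    """Return one dict per entry: principal, kvno, enctype and key length."""
    data = base64.b64decode(b64)
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (length,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if length <= 0:  # a negative length marks a deleted slot
            pos -= length
            continue
        end = pos + length
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8, enctype = struct.unpack_from(">IIBH", data, pos)
        key, pos = _counted(data, pos + 11)
        kvno = vno8
        if end - pos >= 4:  # optional 32-bit kvno, used when non-zero
            kvno = struct.unpack_from(">I", data, pos)[0] or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype, "key_len": len(key)})
        pos = end
    return entries


def keytab_covers_principal(b64, configured):
    """True when some entry's principal equals the configured `set principal`."""
    return any(e["principal"] == configured for e in parse_keytab(b64))
```

Run `keytab_covers_principal(SAMPLE_KEYTAB_B64, "HTTP/fortiproxy.mt-test.local@MT-TEST.LOCAL")` against a freshly exported keytab before pasting it into the config; a False result means the proxy can never decrypt the tickets browsers present.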