Fortigate 80F 6.4.10 single domain / 3 subnets / one DC per subnet.
We have Security Fabric / External Connectors / AD Connector set up with 3 AD connectors, one for each DC.
I see that there are Connector Objects for each AD Connector - we have made them all the same. So, that's a lot of connector objects it might seem.
We want to have redundancy, thus 3 DCs. So, it seems consistent for each AD connector to have all the Connector Objects.
Is that good practice? Or should only one AD Connector be populated with Connector Objects?
Also, we have added each and every AD User and we have added an AD Group with all the same users.
This seems appropriate. Is it?
In one AD Connector, we are unable to add those AD Groups - get an error that there are too many...
Thus this question.
Solved! Go to Solution.
@fred339 I believe @aahmadzada is saying to avoid using the "Poll Active Directory Server" connector in the FortiGate and instead use the "FSSO Agent on Windows AD" connector
It can work that way but in larger environments and multiple DCs it can add an increased load on the domain controller or could cause you to reboot the domain controller for updates.
In general Microsoft recommends to not run any other applications or services on a domain controller.
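For readers following the advice above, here is what the recommended layout looks like in FortiOS CLI terms: one "FSSO Agent on Windows AD" connector that points at a primary collector agent and a backup collector, plus a single FSSO user group that references the AD group. This is an added illustration, not configuration from the thread's participants; the connector name, collector IP addresses, shared secret placeholder and the group DN are all constructed. The DC agents on each domain controller report logons to the collector, so redundancy comes from the second collector entry rather than from duplicating connector objects across three polling connectors.

```text
# Added example (constructed values). FSSO agent-mode connector with a
# primary and a backup collector; FortiOS accepts up to five collectors
# per connector (server, server2 ... server5).
config user fsso
    edit "FSSO_Collector"
        set server "10.0.1.20"            # primary collector (constructed IP)
        set port 8000                     # default collector listening port
        set password <shared-secret>      # placeholder: secret set in the collector agent
        set server2 "10.0.2.20"           # backup collector (constructed IP)
        set port2 8000
        set password2 <shared-secret>     # placeholder
    next
end

# One FSSO group on the FortiGate that maps to the AD group the collector
# publishes; firewall policies reference this group, not the individual users.
config user group
    edit "FSSO_AllUsers"
        set group-type fsso-service
        set member "CN=AllUsers,OU=Groups,DC=example,DC=com"   # constructed DN
    next
end
```

Keeping a single connector with multiple collector entries also avoids the "too many" group-selection error the original poster hit, because group membership is evaluated by the collector agent and only the chosen AD groups are pushed to the FortiGate.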
@distillednetwork Thank you!! Well, that's what I'm doing so I guess at least that part has been focused.
Created on 10-25-2022 07:41 AM Edited on 10-25-2022 07:41 AM
Thank you! Very helpful to get the terminology straightened out!
I'm not grasping all of this yet. I have DC Agents on all the DCs.
I have FSSO connectors on the Fortigate.
I have an FSSO Agent installed on all of the DCs but, it appears, am only really using one of them.
Are you saying that to use DC Agent Mode, one has to have a separate Windows Server to run FSSO Agent?
It seems to be working....
That is exactly what I meant!
Thanks @distillednetwork
I'm still a bit worried as our configuration / architecture isn't what was advised.
Our collector is running on one of the DCs. Why is that not advisable? It seems to be working fine.
OK - thanks!