Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
fred339
Contributor

Created on ‎10-22-2022 02:04 PM

Active Directory Connectors and Connector Objects

Fortigate 80F 6.4.10 single domain / 3 subnets / one DC per subnet.

We have Security Fabric / External Connectors / AD Connector set up with 3 AD connectors, one for each DC.

I see that there are Connector Objects for each AD Connector - we have made the all the same.  So, that's a lot of connector objects it might seem.  

We want to have redundancy, thus 3 DCs.  So, it seems consistent for each AD connector to have all the Connector Objects.  

Is that good practice?  Or should only one AD Connector be populated with Connector Objects?

 

Also, we have added each and every AD User and we have added an AD Group with all the same users.  

This seems appropriate.  Is it?

In one AD Connector, we are unable to add those AD Groups - get an error that there are too many.....

Thus this question.

Fred Marshall
Fred Marshall
Labels:
5978
0 Kudos
2 Solutions
distillednetwork
Contributor III
In response to fred339

Created on ‎10-24-2022 09:26 AM

@fred339 I believe @aahmadzada is saying to avoid using the "Poll Active Directory Server" connector in the foritgate and instead use the "FSSO Agent on Windows AD" connector

connectors.png

View solution in original post

5928
distillednetwork
Contributor III
In response to fred339

Created on ‎10-25-2022 04:42 PM

It can work that way but in larger environments and multiple dcs it can add an increased load on the domain controller or could cause you to reboot the domain controller for updates. 

In general Microsoft recommends to not run any other applications or services on a domain controller. 

View solution in original post

5852
15 REPLIES 15
fred339
Contributor
In response to distillednetwork

Created on ‎10-24-2022 09:57 AM

@distillednetwork Thank you!!  Well, that's what I'm doing so I guess at least that part has been focused.

Fred Marshall
Fred Marshall
2048
0 Kudos
fred339
Contributor
In response to distillednetwork

Created on ‎10-25-2022 07:41 AM Edited on ‎10-25-2022 07:41 AM

@distillednetwork 

Thank you!  Very helpful to get the terminology straightened out!

I'm not grasping all of this yet.  I have DC Agents on all the DCs.
I have FSSO connectors on the Fortigate.

I have an FSSO Agent installed on all of the DCs but, it appears, am only really using one of them.

Are you saying that to use DC Agent Mode, one has to have a separate Windows Server to run FSSO Agent?

It seems to be working....

Fred Marshall
Fred Marshall
2015
0 Kudos
aahmadzada
Staff
Staff
In response to distillednetwork

Created on ‎10-25-2022 08:27 AM

That is exactly what I meant!
Thanks @distillednetwork 

Ahmad
2014
0 Kudos
fred339
Contributor

Created on ‎10-25-2022 01:49 PM

I'm still a bit worried as our configuration / architecture isn't what was advised.

Our collector is running on one of the DCs.  Why is that not advisable?  It seems to be working fine.

Fred Marshall
Fred Marshall
2007
0 Kudos
distillednetwork
Contributor III
In response to fred339

Created on ‎10-25-2022 04:42 PM

It can work that way but in larger environments and multiple dcs it can add an increased load on the domain controller or could cause you to reboot the domain controller for updates. 

In general Microsoft recommends to not run any other applications or services on a domain controller. 

5853
fred339
Contributor

Created on ‎10-25-2022 06:07 PM

OK - thanks!

Fred Marshall
Fred Marshall
2001
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.