You already checked that, I guess: Possible issues
- Start TLS extended request: LDAPS communication occurs over port TCP 636. LDAPS communication to a global catalog server occurs over TCP 3269. When connecting to ports 636 or 3269, SSL/TLS is negotiated before any LDAP traffic is exchanged.
- Multiple SSL certificates: Schannel, the Microsoft SSL provider, selects the first valid certificate that it finds in the local computer store. If there are multiple valid certificates available in the local computer store, Schannel may not select the correct certificate.
- Pre-SP3 SSL certificate caching issue: If an existing LDAPS certificate is replaced with another certificate, either through a renewal process or because the issuing CA has changed, the server must be restarted for Schannel to use the new certificate.
If you're using "samaccountname", try changing Bind Type to "Regular" and then specifying a Username for a domain user account (e.g. domain user "fortigate_ldap" - doesn't have to be domain admin) in the format "CN=fortigate_ldap,OU=....,DC=....,DC=....,DC=...".
Can you run a capture to confirm that the tcp/636 packets are being issued by the FortiGate and are being received by the domain controller? This could be done either by installing Wireshark on the DC or possibly by running a packet capture directly on the firewall itself.
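As an added example (not from this thread and not Fortinet's own tooling), a small Python probe that does from a workstation what the FortiGate does when it binds over LDAPS: opens TLS to port 636, validates the chain against the CA file you would load on the firewall, and reports whether the certificate Schannel actually served covers the DC's FQDN and is still within its validity period, which is exactly what the "multiple SSL certificates" and "certificate caching" notes above break. The hostnames and the SAMPLE_CERT dict are constructed for illustration.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

def san_dns_names(cert: dict) -> list:
    """DNS names from the SAN of a cert dict as returned by SSLSocket.getpeercert()."""
    return [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]

def name_matches(pattern: str, host: str) -> bool:
    """Exact match, or a single left-most wildcard label (*.example.local)."""
    p, h = pattern.lower(), host.lower()
    if p.startswith("*."):
        return h.count(".") == p.count(".") and h.endswith(p[1:])
    return p == h

def cert_valid_for_host(cert: dict, host: str) -> bool:
    """True if a SAN DNS entry (or, if there is no SAN, the subject CN) covers host."""
    names = san_dns_names(cert) or [
        v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]
    return any(name_matches(n, host) for n in names)

def cert_expired(cert: dict, now: datetime = None) -> bool:
    """Compare notAfter (format 'Jan  1 00:00:00 2030 GMT') with the current time."""
    now = now or datetime.now(timezone.utc)
    return now.timestamp() > ssl.cert_time_to_seconds(cert["notAfter"])

def probe_ldaps(host: str, port: int = 636, cafile: str = None, timeout: float = 5.0) -> dict:
    """Handshake with the DC and report what Schannel served; never sends any LDAP."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile = the CA the FortiGate trusts
    ctx.check_hostname = False                        # we report name mismatches ourselves
    result = {"host": host, "port": port, "chain_ok": False}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                result.update(chain_ok=True, tls_version=tls.version(),
                              san=san_dns_names(cert), not_after=cert["notAfter"],
                              name_ok=cert_valid_for_host(cert, host),
                              expired=cert_expired(cert))
    except ssl.SSLCertVerificationError as e:
        result["error"] = f"chain not trusted by cafile: {e}"  # wrong/renewed issuing CA
    except (OSError, ssl.SSLError) as e:
        result["error"] = str(e)                               # nothing listening, reset, etc.
    return result

# Constructed sample of the dict shape getpeercert() returns, for offline checks.
SAMPLE_CERT = {"subject": ((("commonName", "dc01.example.local"),),),
               "subjectAltName": (("DNS", "dc01.example.local"), ("DNS", "example.local")),
               "notAfter": "Jan  1 00:00:00 2030 GMT"}

if __name__ == "__main__":  # usage: python probe.py dc01.example.local [ca.pem]
    print(probe_ldaps(sys.argv[1], cafile=sys.argv[2] if len(sys.argv) > 2 else None))
```

A result with chain_ok True but name_ok False is the "Schannel picked the wrong certificate" case; chain_ok False with a freshly renewed certificate points at the issuing CA not being in the file you loaded on the FortiGate.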