
Fortigate and active directory integration

Good evening everyone,
I am unable to correctly configure the integration of an FGT100E with Active Directory... in particular I am referring to DNS filtering.

With my current configuration, in the DNS filter logs I don't see the origin of the requests from the clients joined to the domain; I always see that all DNS requests come from the domain controller.

The domain is still the old type, like mycompany.local, and we recently introduced 365 and added a UPN, a detail not to be underestimated (I think).

The FortiGate is the gateway of the main network with the IP address , the main domain controller is and the secondary is 1.2, both Windows Server 2022.
The connected PCs (W10/W11) use two DNS servers, 1.1 and 1.2.


I've tried everything by now; here's the first doubt.
DNS forwarders on the domain controllers: do I have to enter the IP address of the FortiGate?

Use root hints, checked or not? (I think not.)

My goal, if it is easily manageable, would be to block the use of public DNS from the internal network by passing everything through the FortiGate...


(example image)


In the FortiGate DNS logs I find these damned unknown query types...


And while I was writing, another problem also occurred to me, regarding another DNS error like _ldap._tcp.site1._sites.domaincontroller1.mycompany.local, query type SRV, blocked (implicit deny).
This error appears when doing a test using the FortiGate as DNS server on a Windows client; I think it concerns _msdcs.mycompany.local. I was thinking about the zone transfer... I have doubts about this too.
Furthermore, the fact that we have now added the UPN to the mycompany.local domain worries me about a possible DNS leak... is it real or just my imagination?

If someone is willing to help me, even by paying for the service, there is no problem.

I have a headache... :)



What is the main goal here? Do you just want to apply DNS filtering to the end hosts?

The simplest way I'm thinking of is to leave the public forwarders configured on the DCs, configure the FGT to use the DCs as its primary DNS servers, configure the DHCP scopes to give the GW as DNS to the end hosts, and filter the DNS traffic of the end hosts only. If you don't want to add any domain or DNS records on the FGT, you can leave it to forward all requests to the DC:


- Emirjon

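The layout Emirjon describes, written out as FortiOS CLI. This is an added example, not the screenshot from the reply or Fortinet's own documentation, and the interface names and addresses in it are assumptions (port1 = WAN, port2 = LAN, DC1 = 10.10.0.11, DC2 = 10.10.0.12, FortiGate LAN address 10.10.0.1): the FortiGate resolves through the DCs, serves DNS to clients in forward-only mode with a DNS filter profile attached, hands itself out via DHCP, and, to cover the original poster's goal of keeping clients off public resolvers, only lets the DCs reach external DNS.

```text
# Added example, not from the post. Assumed: port1 = WAN, port2 = LAN,
# DC1 = 10.10.0.11, DC2 = 10.10.0.12, FortiGate LAN address 10.10.0.1.

# 1. The FortiGate itself resolves through the domain controllers (which keep
#    their public forwarders), so AD zones such as _msdcs.mycompany.local are
#    answered by the DCs for anything the FortiGate forwards to them.
config system dns
    set primary 10.10.0.11
    set secondary 10.10.0.12
end

# 2. Run the DNS service on the LAN interface in forward-only mode with a DNS
#    filter profile attached. Client queries arrive here with the client's own
#    source IP, so the DNS filter log shows the real requester rather than the DC.
config system dns-server
    edit "port2"
        set mode forward-only
        set dnsfilter-profile "default"
    next
end

# 3. Hand out the FortiGate LAN interface as the only DNS server via DHCP
#    ("local" = use this FortiGate interface address as the DNS server).
config system dhcp server
    edit 1
        set interface "port2"
        set default-gateway 10.10.0.1
        set netmask 255.255.255.0
        set dns-service local
        config ip-range
            edit 1
                set start-ip 10.10.0.100
                set end-ip 10.10.0.200
            next
        end
    next
end

# 4. Only the DCs may talk to external resolvers; every other LAN host is
#    denied and logged. The built-in "DNS" service object covers port 53 only,
#    so a custom object for DNS over TLS on TCP/853 is added (assumed name "DoT").
config firewall service custom
    edit "DoT"
        set tcp-portrange 853
    next
end
config firewall address
    edit "DC1"
        set subnet 10.10.0.11 255.255.255.255
    next
    edit "DC2"
        set subnet 10.10.0.12 255.255.255.255
    next
end
config firewall policy
    edit 10
        set name "Allow-DC-DNS-Out"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "DC1" "DC2"
        set dstaddr "all"
        set service "DNS" "DoT"
        set action accept
        set schedule "always"
        set nat enable
    next
    edit 11
        set name "Deny-Client-DNS-Out"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "DNS" "DoT"
        set action deny
        set schedule "always"
        set logtraffic all
    next
end
```

Two things to check after applying it: firewall policies are evaluated top-down, so the accept policy for the DCs must sit above the deny policy in the policy list, and the DNS filter profile is attached to the DNS server entry on the LAN interface (the DNS filter on an ordinary LAN-to-WAN policy would never see client queries, because in this design they terminate on the FortiGate and leave towards the DCs, not the Internet). Testing from a client with `nslookup` against the FortiGate address should then produce DNS filter log entries whose source IP is the client, and the deny policy's log shows which hosts still try to bypass it.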