I have 1 domain and 4 domain controllers. My Organisation is split over 2 sites but connected by a layer 2 link.
Active Directory has 2 sites. Default First Site and Second Site.
I have an Internet connection at each site.
I have a Fortigate at each site.
Workstations at each site register the logon events in the domain controllers at their site as expected.
At the moment my config is as follows
Site1
DC1 = Collector agent and DC agent installed. FortiGate firewall/FSSO Agent looking at DC1
DC2 = DC agent pointing at DC1 collector agent
Site2
DC3 = Collector agent and DC agent installed. FortiGate firewall/FSSO Agent looking at DC3
DC4 = DC agent pointing at DC3 collector agent
Essentially, I am trying to keep everything on the sites separate. The reg keys (CA) have the correct IP addresses.
However, within 'Show logon Users' on the FSSO agent, I see users from the other site (for both sides). 90% of users are for the correct site but 10% are from the other site. I am not sure how they are getting into there.
Show Monitored DCs has the 2 Domain controllers for each site (the don't have all 4 connected).
Is my setup wrong?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi @insuirin
If these are separate locations and have different user database for each domain controller ,make sure that on DC Agents you have configured correct CA IP there, when you open DC Agent Configuration Utility on the right side you will see Collector Agent List ,make sure that IPs are correct there.
It is a single Active Directory domain with two 'sites' within AD Sites and Services. Logon events are generated in their respective domain controllers.
For example. In Site 1 (Default First Site), anyone on those subnets will have their logon event generated in either DC1 or DC2.
I have checked the CA list within the registry and it only shows the IP addresses for their respective sites so this is configured correctly. For example, DC1 and DC2 only have the collector agent IP address of DC1. DC3 and DC4 only have the collector agent of DC3.
I am just curious as to why some of the users (from Show Logon Users) is showing from the other site. It's only circa 10% of users. (90% are from the correct site.
Hi @insuirin,
On the FortiGates, please make sure it is pointing to their respective FSSO Agent on their site. Also on the FSSO Agent, please check Monitored DCs.
Regards,
Given that you've confirmed that logon events are correctly generated at their respective domain controllers based on AD Sites and Services, and that the collector agents' configurations appear correct, a few possibilities remain:
User Mobility: One straightforward possibility is user mobility or device mobility. If users from Site 2 occasionally visit Site 1 (or vice versa) and log onto machines, their logon events would appear in the "unexpected" site. The same goes for laptops or devices that might be moved between sites.
VPN or Remote Access: If you have VPNs or other remote access solutions in place, and users from one site connect to the other site's resources, their logon events might get recorded at the remote site's DCs. This could happen, for instance, if a user from Site 2 remotely accesses a server or resource at Site 1.
Application or Service Authentication: Sometimes, specific applications or services might authenticate against a DC that's not in their AD site. For example, an application server in Site 1 could be authenticating users against a DC in Site 2 for certain tasks, leading to those logon events appearing in the "wrong" site.
AD Replication or Trusts: Ensure that there isn't any misconfiguration with AD replication that might cause logon events to be replicated across DCs. Also, if there are any trusts (even within the same domain), they might cause unexpected authentication behaviors.
Stale or Cached Sessions: Stale sessions or cached logon information could cause users to appear in the FSSO "Show Logon Users" list even if they aren't actively logged on from that site.
FSSO Polling Behavior: FSSO agents actively poll the DCs for logon events. It's possible, though less likely, that there's a minor glitch or bug causing some events to be picked up incorrectly. Consider checking if your FSSO agents and FortiGate devices are running the latest recommended firmware or software versions. Sometimes, updating or even just restarting services can resolve unexpected behaviors.
It might be helpful to further diagnose by cross-referencing the specific users or devices that appear in the wrong site with actual network activities. Check their recent logon history, any applications or services they might have accessed, or any recent changes to their user profiles or group memberships. This deeper dive might provide more clues as to why they're appearing in the unexpected FSSO list.
Regarding your point 1. I do have users who move between sites. Let me dig further.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1663 | |
1077 | |
752 | |
446 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.