Which is the best way to use FSSO when I just have one Windows DC ? I saw that it is possible to configure the fortigate only to "query" the AD and nothing has to be installed on the AD. It is a good choice to just install the collector directly on the AD if I just have one AD ? Is the collector useful when there is just one AD ?
Well .. there are limits governed by max. values table .. but in fact I would not poll from FGT at all, or for very, very small domain environment. Let's say one DC.
Use standalone Collector Agent on DC or any domain member to do WinSec+WMI polling, or DCAgent, or mix of polling and DCAgent. That's much better and more scale-able solution. And Collector is distributed free of charge alongside with FortiOS on support portal.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.