Before we start a little disclaimer: this is posted as-is, it's not something I did using Fortinet's official documentation (AFAIK, there isn't any about the DC Agent installer), nor supported by Fortinet. Use at your own risk. This was tested on a lab environment with Windows Server 2016 and FSSO 5.0.0254. In a few days, I have to upgrade a customer's FSSO infrastructure and found that there's no method for upgrading the DC Agents on the domain controllers. I can uninstall/reinstall using the collector, or upgrade via RDP/console using manual installation. It wouldn't be a problem, but they have 31 DCs... So, reading some stuff about MSI files, checking installation logs, and some inspection using lessmsi I managed to do an unattended upgrade. Hands to work:What we need:sysinternal's [link=https://docs.microsoft.com/en-us/sysinternals/downloads/psexec]psexec[/link].the DC Agent installer found in Fortinet's support website, the EXE version, the MSI won't work (and I didn't have the time to figure out why).domain admin logged in a computer that's a member of the domain. (you can do this with a computer that is not member of the domain, using "NET USE", but I won't cover this here).upgrade the collector first.[/ul]Extract the MSI file:run the DC agent installer, up to the Fortinet Single Sign On DC Agent [link=https://vX.X.XXX]vX.X.XXX[/link] Setup screen, and don't go further.go to the temp folder (Windows + R, "%temp%" will do the trick) and locate a folder with a GUID-like name, look for the dcagentsetup.msi -or dcagentsetup64.msi- and copy that file to a location reachable by the DC you're going to upgrade (I'd suggest a network share, but you can copy it to each DC's C$ admin share). note that you can save this installer for other customers too, what we did here is just extract the .MSI inside the setup file.abort the installation.[/ul]For each DC:run the command "psexec \\DC-s msiexec /i \\SERVER\SHARE\dcagentsetup64.msi /qn /forcerestart REINSTALL=ALL REINSTALLMODE=vomus"after a while, you'll see this "error" message "msiexec exited on DC with error code 1641", code 1641 is "ERROR_SUCCESS_REBOOT_INITIATED"once rebooted, the DC agent upgrade is completed.[/ul]I've tested it in a lab with Windows Server 2016 and FSSO [link=https://220.127.116.11]18.104.22.168[/link], upgrading to 5.0.0271. It worked, and it mantained the settings (CA list, ignore list, etc.) after the upgrade.Tips:This can be used for the initial install of the DC Agents, it's kinda usesless because the Collector doest this for you but, just in case, you can add COLLECTORAGENTLIST="COL_1;COL_2;COL_N" IGNORELIST="IGNORE_1;IGNORE_2;IGNORE_N" to the command line and it will create -or overwrite- the configuration.If you're feeling really lucky -or willing to play the russian roulette ;) -, you may pass a DC list to psexec using @, more info at: https://community.spiceworks.com/how_to/1812-deploy-msi-files-using-psexec.[/ul]It's possible that we can further optimize this process, suggestions are welcome :) HTH.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.