admiralsulu
New Contributor

FSSO and replacing Domain Controllers

Currently we use FSSO to manage internet access allowed to users based on their AD group.

FSSO gets the info from our two DNS\DCs.

This weekend we will be replacing our DCs; the final step will be to assign the IP addresses of the two old DCs to the new ones.

So how does that affect FSSO? Do I still need to create new AD entries on each of our Fortinets for the new DCs, then change the IP on each at the end?

Kenundrum
Contributor III

Are you using on-firewall polling? Or are you using FSSO agent collectors? I know that my pet peeve about the agent collectors is that they don't automatically update even if you reuse the IPs. It seems to refer to the unique identifiers for the domain controllers and not the IPs. When we cycled through replacing old DCs with newer versions of Windows, we had to go through the FSSO agent config and click all the newly created checkboxes and then sync those configs to other collectors. I'm not sure how the process on the firewall itself works.

CISSP, NSE4
admiralsulu

We are using the collector agent that runs on two servers, one as backup.

So it sounds like I would have to go and edit the two active DC agents on each server.

Did you also have to go into each Fortinet and add the new DCs even though you ended up reusing the IPs?

It would not surprise me if you have to, since the names will change even though the IP will not (eventually).
