Grasmuis
New Contributor

FSSO Advanced with DC Agents - Is there a way to track IP changes

Hi All

 

I have a customer with Advanced FSSO and DC Agents, all seem to be working fine. Some of their users switch between LAN and WiFi without logging out of their system - picking their laptop up and walking to a different building and into a different subnet. Subsequently the FSSO loses the AD Account and IP pairing and naturally their traffic is marked as 'Guest' (valid internal IP, no authentication as source).

 

They are not using the FortiAPs.

 

What are my options in getting their browsing to work seamlessly when moving between LAN and WiFi subnets?

 

Edit: Just as an added note here, I've read other threads from years ago that refer to enabling NTLM, DNS or DHCP tweaks, etc. Are these solutions still valid? Would the FSSO software not been updated since then? Is there a more recent thread that discusses this issue?

 

Any pointers-in-the-right-directions are appreciated!

Allan_Lago
New Contributor

Hello Grasmuis!

 

Is your DHCP service running on a Windows Server integrated with your local domain? If yes, the FSSO should be receiving the IP change information through the updates your DHCP does on your AD DNS.

 

If you need to enable NTLM you must do so through the CLI, editing the firewall rules with the FSSO groups.

 

config firewall policy
    edit policy_id
        set ntlm enable
end

 

Enable the debug level in the FSSO Collector in order to find out more information that can help us come to a better conclusion.

 

 

 

   Allan Lago

   Security Analyst

   allan.lago@itsense.com.br

   +55 21 96436-1884

   +55 54 99100-0949

   https://itsense.com.br

Grasmuis

Hi Alago

 

I've done some more research on the matter since my post, but I'm still getting the same issue.

 

I did enable NTLM on all the policies containing the FSSO groups.

 

According to the customer, whether they switch between wireless or wired connection, they are always able to ping the DNS entry (unsure whether this refers to the PC name or the AD Account). So it seems that, on their end at least, the DNS is updated when the workstation switches between wired and wireless IPs.

 

I should also mention that, with the workstation only using either wired or wireless, with the other disabled completely, everything is working fine. It's only on those workstations where users switch between the two mediums.

 

I might be asking this question incorrectly, but: What do people mean when they talk about the DNS entry that DHCP generates, is it the PC name, or the AD Account name that gets a DNS entry? And, is this the only thing that the FSSO needs to update the "logon user" list if a change happens?

Agent_1994

JacquesSA wrote:

 

I might be asking this question incorrectly, but: What do people mean when they talk about the DNS entry that DHCP generates, is it the PC name, or the AD Account name that gets a DNS entry? And, is this the only thing that the FSSO needs to update the "logon user" list if a change happens?

FSSO knows the workstation name and every 60 seconds (default) will look it up to see if the IP changed.

In theory, the switch from wifi to wired -and vice versa- should be seen within 60 seconds.

 

The thing about Windows DHCP + DNS is that the workstation should register itself on the DNS server via a dynamic update. If it does that, the owner of the DNS record is the workstation (just like when you create a file and you're its owner). Windows DHCP server has the option of registering DNS records on behalf of the workstation when it doesn't support dynamic updates... or it can always do that if you configure it to do so.

 

Then... let's say that the DHCP on "segment A" registered the record on behalf of the workstation, then you switch to "segment B" where the workstations register themselves on DNS... they won't be able to because the DNS record is owned by the DHCP server.

 

If you can see the IP change when you do an nslookup from the collector, it should be working.
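
The lookup cycle and the stale-record failure described in the reply above, modelled as an added Python example (not code from the thread or from Fortinet; the 60-second interval is the default mentioned in the thread, while the workstation name LAPTOP01, the user alice and the two subnets are constructed):

```python
import ipaddress
from typing import Callable, Dict, Optional, Tuple

POLL_INTERVAL_S = 60  # the default re-check interval mentioned in the thread
Resolver = Callable[[str], Optional[str]]  # hostname -> IP, or None if it does not resolve


class LogonTracker:
    """Toy model of the collector's logon-user list: a DC agent reports user,
    workstation and the IP seen at logon; each poll resolves the workstation
    name again, so a move to another subnet is only seen if DNS reflects it."""

    def __init__(self, resolver: Resolver):
        self.resolver = resolver
        self.entries: Dict[str, Tuple[str, str]] = {}  # user -> (workstation, ip)

    def logon(self, user: str, workstation: str, ip: str) -> None:
        ipaddress.ip_address(ip)  # reject malformed addresses before storing them
        self.entries[user] = (workstation, ip)

    def poll(self) -> Dict[str, Tuple[str, str]]:
        """One POLL_INTERVAL_S cycle; returns {user: (old_ip, new_ip)} for each move seen."""
        moves = {}
        for user, (workstation, old_ip) in list(self.entries.items()):
            current = self.resolver(workstation)
            if current and current != old_ip:
                moves[user] = (old_ip, current)
                self.entries[user] = (workstation, current)
        return moves

    def user_for_ip(self, ip: str) -> Optional[str]:
        """What a policy with FSSO groups matches a source IP to; None = unauthenticated."""
        return next((u for u, (_, known) in self.entries.items() if known == ip), None)


def simulate_move(dns_updated: bool) -> Optional[str]:
    """Constructed scenario: LAPTOP01 moves from the wired subnet to the WiFi subnet.
    dns_updated=False models a stale A record (still owned by segment A's DHCP server)."""
    wired, wifi = "10.1.0.20", "10.2.0.45"
    records = {"LAPTOP01": wired}  # stand-in for the AD-integrated DNS zone
    tracker = LogonTracker(resolver=records.get)
    tracker.logon("alice", "LAPTOP01", wired)
    if dns_updated:
        records["LAPTOP01"] = wifi  # dynamic update succeeded, record now points at WiFi IP
    tracker.poll()
    return tracker.user_for_ip(wifi)  # "alice" if DNS kept up, None otherwise
```

With a stale record the poll sees no change, so traffic from the new address has no user attached, which is the 'Guest' symptom described at the top of the thread.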

Grasmuis

So if I'm understanding this correctly, it's about who the 'owner' of the DNS record is. If it's the workstation, whether it changes between wired or wireless, the workstation will update the DNS record with its IP and the FSSO will 'see' this update, but if the owner is the DHCP server, when the workstation changes IP, FSSO doesn't read the update?

 

If the latter is the case, then the customer needs to make changes to the DHCP so that it does not register the DNS, but rather that the workstation registers the DNS?

 

Agent_1994

JacquesSA wrote:

So if I'm understanding this correctly, it's about who the 'owner' of the DNS record is. If it's the workstation, whether it changes between wired or wireless, the workstation will update the DNS record with its IP and the FSSO will 'see' this update, but if the owner is the DHCP server, when the workstation changes IP, FSSO doesn't read the update?

 

If the latter is the case, then the customer needs to make changes to the DHCP so that it does not register the DNS, but rather that the workstation registers the DNS?

Yes, you may have this problem if the DNS records are not being updated when you switch from wired to wireless or vice versa (we had this problem at a customer's).

 

Check if they're being updated; if they aren't, take a look at this: https://technet.microsoft...dd334715(v=ws.10).aspx

Grasmuis

@alago

 

FortiOS = 5.4.3

Collector agent installed in Advanced on their largest DC, DC agents installed in 3 other DCs. All show up on 'monitored DCs' tab.

No other firewalls between DCs and Collector, nor between Collector and FortiGate.

Attached debug log from the Forti, struggling to get a debug log from the remote machine, but will try to do so as soon as I am able (though that will most likely only be tomorrow).

 

@Agent 1994

 

Thanks for explaining that, if that's the case, I'll ask our network team to investigate their DHCP/DNS to confirm it's set up correctly.

Allan_Lago

Hi,

 

Collector agent installed in Advanced on their largest DC, DC agents installed in 3 other DCs. All show up on 'monitored DCs' tab.

It's a best practice to install the FSSO Collector on a non-Domain-Controller server.

 

No other firewalls between DCs and Collector, nor between Collector and FortiGate.

Not even the Windows Firewall? Please check if you have access to ports 389, 3268 and 8002 from the Fortigate to the FSSO collector.

 

2017-09-05 15:59:06 _event_error[Local FSSO Agent]: error occurred in read: Connection refused

Viewing your log, it seems to me that you have polling mode activated on your Fortigate.

 

Please take a look at @xsilver_FTNT's answer in this thread: https://forum.fortinet.com/tm.aspx?m=140867

 

Hope it helps. If not, I'll wait for the collector debug log.

 

Grasmuis

@Alago

 

Sorry for the long wait, took a while to find someone who could get the log files for me. Had to cut the file a bit to keep under 200KB.

 

Using telnet from the Fortigate, I can access the server where the Collector is on ports 389 and 3268 but *not* 8002.

 

As for the Polling on the Fortigate, it shouldn't be running:

 

# diagnose debug fsso-polling detail
fsso daemon is not running

# diagnose debug authd fsso server-status
2017-09-12 10:45:59 Server Name                          Connection Status     Version
-----------                          -----------------     -------
2017-09-12 10:45:59 RBK_FSSO                             connected             FSSO 5.0.0254
2017-09-12 10:45:59 Local FSSO Agent                     waiting for retry     FSAE server 1.1
2017-09-12 10:45:59 RBK_FSSO_LDAP                        connected             FSSO 5.0.0254

 

Checked FSSO configs to be sure, definitely did not select polling when setting it up. The checkbox for that option isn't even present in my GUI.

 

Are there any diagnose commands I can run to provide more information?

Allan_Lago

Hi

 

What do people mean when they talk about the DNS entry that DHCP generates, is it the PC name, or the AD Account name that gets a DNS entry?

When you join a PC to a Windows Domain, an A entry is automatically created for this PC in your DNS. If your DHCP is running on a Windows server integrated with this domain, every time you have an IP change your DNS updates this A entry as well. That's why you can always resolve the hostname to the correct IP address.

 

And, is this the only thing that the FSSO needs to update the "logon user" list if a change happens?

Actually, the FSSO doesn't update anything. The FSSO collector receives that update change from the DC agents and sends it to the Fortigate.

 

So, if you have a fully functional DHCP and AD DNS, your FSSO should be working just fine.

 

Did you install the DC Agent on every domain controller?

Is your FSSO collector installed on a Windows server integrated with your local domain but without the domain controller function (e.g. Print Server, IIS...)?

Do you have any firewall enabled between FSSO Collector, DC agents and Fortigate?

Can you send a debug log from the FSSO Collector?

 

Thanks in Advance
