Re: FSSO DC Agent issue
in DCAgent mode every DC which can be possibly elected by Workstation as logonserver have to have DCAgent installed on.
If there is more then one Collector Agent, then all DCAgents has to be set to report to all Collector Agents.
Collector Agents are independent instances, creatine their own idea about logged on users (that's why step 2 is important). And the do NOT share any info in between each other. Therefore it is not any sort of sync or cluster. And as so then there is truly not a single passive or active unit.
FortiGate connector can have more then one Collector set. And for resiliency it is good to have 2 Collector Agents (at least, but two is sufficient minimum). However those then form a circular list. When first becomes unreachable, then second is used, if the last from the list becomes unreachable then first is used again. FortiGate is connected to a single Collector Agent at a time. If previously unreachable becomes reachable again, then FortiGates will keep currently used one, and there is nothing like fall back to previously active unit as you might expect in cluster with high/low priority units. Because as said there is no such thing like cluster in between Collector Agents. They are independent.
DCAgent can do DNS resolution, and does so by default, but it might slow down processing if that DNS is slow to response.
Collector Agent can also make DNS resolutions. By default via DNS servers set in underlying OS, or via set alternative DNS servers in Advanced settings. So if your DC DNS settings point to 3rd party like 220.127.116.11 then you can use that Alt.DNS to point Collector to your Domain DNS servers.
Perfectly working DNS, swift to respond and with accurate DNS records for workstations, with all workstation IP addresses (if there is more than one NIC in workstations) is CRICIAL for perfectly working FSSO.
Make sure all DCAgents report to both/all Collector Agents and check DNS setup.
Switch Collector Agent's log to Debug level and some 50MB size to learn more about delays from log.
And if you get stuck then open technical ticket on Fortinet support site. As customer, or through the partner.
Tom xSilver, planet Earth, over and out!