jhussain_FTNT
Article Id 193171

Description

 

This article provides tips and troubleshooting steps to resolve different possible issues that prevent the FSSO Collector Agent from pushing the DC agent to the Domain Controller.

 

Scope

 

FortiGate.


Solution

 

See the following document for steps on how to install the FSSO DC Agent:

https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/573568/installing-the-fsso-agent

 

There are 4 possible reasons why the FSSO Collector Agent is unable to push the DC agent to the Domain Controller:

1) The collector agent is running under an account that is not an administrator account and therefore does not have the necessary privileges to push the DC agent.

 


 

2) The remote registry service is not running. See below for steps on how to check and resolve this.


3) The Windows\System32 directory is not accessible with the correct write permissions on the remote server.

4) The Domain Controller has ports 139 and 445 blocked. Make sure that no host or network firewalls are blocking these ports from the collector agent to the server.

 

The remote registry service is not running:

 

Errors such as 'Failed to modify remote registry' may be encountered if the Remote Registry service has failed to start or if services that it depends on (such as RPC) are disabled on the Windows system.

 
 
 


 

RemoteRegistry is a Win32 service. In Windows 10, RemoteRegistry is disabled by default.

 


 

Remote Registry depends on the Remote Procedure Call (RPC) service and cannot be started under any conditions if RPC is disabled.

 

When the Remote Registry service starts, it runs as NT AUTHORITY\LocalService in a shared process of svchost.exe, along with other services.  

 

To start the Remote Registry service on a Windows system, first go to ‘Run’ (Windows Key + R), enter 'services.msc' and select OK.

 


 

When the Services console appears, find the Remote Registry service.

 

Make sure that the Startup type parameter is set to 'Automatic' and select Start. Once the service status is Running, remote users can modify the registry settings of the Windows workstation.

 

In some situations, the 'Remote Registry' service is not listed in the Services GUI.

 

If this is the case, enable it through regedit (Registry Editor):

 


 

In the Registry Editor (regedit), navigate to the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry.

 


 

Check if the value for 'Start' is set to 3 (manual start). If it is not, change it to 3.

 

Afterwards, repeat the installation process. The DC Agent will install successfully.

 


 

Other possible reasons for a DC agent installation failure:

 

3) The Windows\System32 directory is not accessible with the correct write permissions on the remote server.

 

4) The Domain Controller has ports 139 and 445 blocked. Make sure that no host or network firewalls are blocking these ports from the collector agent to the server.
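
A pre-flight check for the causes listed above, as an added example that is not part of the original article or Fortinet tooling. It assumes Windows PowerShell 5.1 (where Get-Service accepts -ComputerName) and that it is run on the Collector Agent host under the account the Collector Agent service uses; the function name, the probe file name and the DC name dc01.example.local are placeholders.

```powershell
# Added example (not Fortinet code). Run in Windows PowerShell 5.1 on the
# Collector Agent host, as the account the Collector Agent service uses.
function Test-DcAgentPushPrereq {
    param(
        [Parameter(Mandatory)]
        [string]$ComputerName   # Domain Controller to check
    )
    $report = [ordered]@{ ComputerName = $ComputerName }

    # Reason 4: TCP 139 and 445 must be reachable from this host.
    foreach ($port in 139, 445) {
        $t = Test-NetConnection -ComputerName $ComputerName -Port $port -WarningAction SilentlyContinue
        $report["Tcp$port"] = $t.TcpTestSucceeded
    }

    # Reason 2: Remote Registry must not be disabled, and RPC (RpcSs) must be running.
    # The query goes through the Service Control Manager, so it still works
    # when Remote Registry itself is stopped.
    foreach ($name in 'RpcSs', 'RemoteRegistry') {
        try {
            $svc = Get-Service -ComputerName $ComputerName -Name $name -ErrorAction Stop
            $report[$name] = "$($svc.Status) / $($svc.StartType)"
        } catch {
            $report[$name] = "query failed: $($_.Exception.Message)"
        }
    }

    # Reasons 1 and 3: write probe in Windows\System32 through the ADMIN$ share
    # (ADMIN$ maps to the Windows directory). The probe file is removed again.
    $probe = "\\$ComputerName\ADMIN`$\System32\fsso-probe-$([guid]::NewGuid()).tmp"
    try {
        New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
        Remove-Item -Path $probe -ErrorAction Stop
        $report['System32Writable'] = $true
    } catch {
        $report['System32Writable'] = $false
    }

    [pscustomobject]$report
}

# 'dc01.example.local' is a placeholder; replace it with the real DC name.
Test-DcAgentPushPrereq -ComputerName 'dc01.example.local' | Format-List
```

A RemoteRegistry line reading "Stopped / Disabled", a False on either port, or System32Writable = False points to the matching cause in the list above.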


If none of these fixes resolves the issue, try using the standalone FSSO installer downloaded from the support.fortinet.com website:

- 32-bit: DCAgent_Setup_5.0.0289.exe
- 64-bit: DCAgent_Setup_5.0.0289_x64.exe