**Option 2 — Windows Collector Agent in Polling mode (CA polls DCs)**
-
What it is: You install only the CA on a Windows server, and it polls DCs for logon events.
+
What it is: You install only the CA on a Windows server, and it polls DCs for logon events.
+
Why choose it: “No 3rd‑party software on Domain Controllers” — simpler politically/operationally in many orgs.
+
Polling methods you may see/tested:
NetAPI polling (fast, but may miss some logons if DC is heavily loaded).
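Review bot: the first changed pair in this hunk removes and re-adds the identical text "What it is: You install only the CA on a Windows server, and it polls DCs for logon events.", so the diff is carrying a whitespace-only or line-ending change that adds noise; drop that pair or normalize line endings in a separate commit. The added line "Polling methods you may see/tested:" reads awkwardly as a list heading; suggest "Polling methods covered on the exam:" or similar. The "Why choose it" line only gives the upside; since the NetAPI bullet already notes that logons can be missed on a loaded DC and the next hunk states that polling rides on SMB/RPC/WMI, it would be clearer to say that avoiding a DC-side install is paid for with remote polling traffic and possible missed logons.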
@@ 102,6 104,33 @@
Ports/traffic: Polling uses Windows remote access mechanisms (SMB/RPC/WMI), which can mean more overhead than DC-Agent mode
+
**Option 3 — Windows Collector Agent + DC Agents (DC Agent mode)**
+
+
What it is: Install DC Agent on every DC + a Collector Agent (usually not on the DC if you want to isolate resources).
+
+
Why choose it: Fortinet calls this recommended for large user environments due to scalability/performance, and it’s considered very reliable for capturing logons.
+
+
Tradeoffs: Requires installs + typically reboots after DC Agent install, plus ongoing maintenance on all DCs.
+
+
Comms (useful detail): The CA communicates with FortiGate over TCP/8000, and DC/TS agents commonly use UDP/8002 to update the CA.
+
+
### Collector Agent
+
+
**Windows Collector Agent: Standard vs Advanced**
+
+
This is a common exam gotcha because it affects group resolution and filtering.
+
+
Standard mode
+
+
Group/user format is simpler (e.g., DOMAIN\user).
+
Often used when you want easier group handling and/or when LDAP access constraints exist.
+
+
Advanced mode
+
+
Uses LDAP Distinguished Name style group info (DN) and enables better parsing, including nested groups (a major real-world reason to use it).
+
+
Fortinet notes that certain group-filter designs and integrations require Advanced mode in practice.
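Review bot: the new "Collector Agent" heading at the end of this hunk introduces the Collector Agent after Options 2 and 3 have already relied on it, and the "Windows Collector Agent: Standard vs Advanced" subsection under it is a bold line rather than a heading, so the outline levels are inconsistent; either move the Collector Agent section ahead of the option comparison or make "Standard vs Advanced" a fourth-level heading beneath it. Two added lines are too vague to study from: "Often used when you want easier group handling and/or when LDAP access constraints exist" and "Fortinet notes that certain group-filter designs and integrations require Advanced mode in practice." Replace them with the concrete difference the surrounding lines already state, for example "Standard mode reports groups as DOMAIN\group; Advanced mode reports the LDAP DN (CN=group,OU=...,DC=...) and is the mode that supports nested groups." In the Option 3 block, "Fortinet calls this recommended for large user environments" should read "Fortinet recommends this mode for large user environments", and the ports line would be more useful if it recorded which side initiates each connection on TCP/8000 and UDP/8002, since that is what the firewall rule needs.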