Deployment new server Windows Server 2025

Suhaib Mohammad 0 Reputation points
2026-03-05T01:26:12.0566667+00:00

I have a DHCP environment on the firewall and am using the tool firewall FSSO 5.0.0330, and I have 4 DCs (Windows Server 2019 and 2016). We installed a new server as DC5 Windows Server 2025. After installing and making it DC as primary, I am now facing an issue with these services (Intersite Messaging (IsmServ), Sync Host (OneSyncSvc), and Clipboard User Service (cbdhsvc)) and have found disruption to user internet access and security policy enforcement. What are the possible causes of issues, and how do you resolve them?

Windows for business | Windows Server | Directory services | User logon and profiles

3 answers

  1. Tan Vu 235 Reputation points Independent Advisor
    2026-03-07T15:20:20.87+00:00

    Hi Suhaib Mohammad,

    I just wanted to follow up and see if your issue has already been resolved. If you still need any clarification or additional help, please feel free to reply here. If the previous information helped solve your problem, consider marking the response as “Accept Answer” so it can assist other community members as well. Thank you!


  2. Tan Vu 235 Reputation points Independent Advisor
    2026-03-05T02:10:39.1466667+00:00

    Hi Suhaib Mohammad,

    After reviewing the environment and the recent deployment of the new Domain Controller running Windows Server 2025, the issue may be related to compatibility between the current Fortinet Single Sign-On (FSSO) Collector Agent version 5.0.0330 and the new server operating system. In many environments, FSSO collects user authentication information by reading logon events from the Security Event Logs on the Domain Controllers. When a newer operating system such as Windows Server 2025 is introduced, the event log structure or access behavior can sometimes change. If the collector agent cannot properly read these log events from the new Domain Controller, it will fail to capture user authentication activities. As a result, the firewall cannot associate user identities with their IP addresses, which leads to firewall policies based on user or group identity not being applied correctly and causes disruptions to user internet access.

    Another possible cause is related to authentication traffic being redirected to the newly deployed Domain Controller after it was promoted. Once DC5 becomes active in the environment, many user authentication requests may start being processed by this server. If the FSSO Collector Agent is not monitoring DC5 correctly or cannot communicate with it, the authentication events generated on that server will not be collected. This prevents the firewall from receiving updated login information for users who authenticate through DC5, which results in the firewall treating those users as unknown and therefore not applying the intended security policies.

    To resolve the issue, the first step is to verify the compatibility of the FSSO Collector Agent with Windows Server 2025 and upgrade the collector agent to the latest supported version if necessary. After upgrading, the FSSO services should be restarted to ensure the collector begins monitoring authentication events correctly. It is also recommended to verify that DC5 appears in the monitored Domain Controller list within the collector agent configuration so that authentication logs from the new server are being collected properly.

    The next step is to verify that the FSSO service account has the required permissions to access the Security Event Logs on all Domain Controllers, including DC5. Ensuring that the account has sufficient privileges will allow the collector to read login events without restriction. At the same time, network connectivity between the collector agent and the Domain Controllers should be confirmed to ensure there are no communication issues preventing event collection.

    Finally, the overall health of the Active Directory environment should be validated to ensure replication and domain services are functioning normally across all Domain Controllers. This can be done using the following diagnostic commands to verify replication status and domain controller health:

    repadmin /replsummary

    dcdiag /v

    In addition, checking whether authentication events are being generated and recorded on DC5 can help confirm that the server is functioning correctly:

    Get-EventLog -LogName Security -InstanceId 4624 -Newest 10

    Once the collector agent can successfully read authentication events from DC5 and Active Directory replication is confirmed to be healthy, the firewall should begin receiving accurate user-to-IP mapping information again. This will allow user-based security policies to function properly and restore normal internet access for users.

    If this was helpful, please click "Accept Answer". If you have any further questions, you can leave a comment. Have a great day!

    TV

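The checks described in the answer above (4624 events recorded on every DC, Security log readable by the collector's account, connectivity to each DC) can be run in one pass. This is an added example, not part of the answer or of any Fortinet tooling; the DC names are placeholders, and it assumes the session is started as the FSSO service account on the collector host, with remote event log reading through `Get-WinEvent` used as a stand-in for the collector's own access.

```powershell
# Added example. DC names are placeholders: use the domain controllers listed
# in the collector agent's monitored DC list.
$DomainControllers = 'DC1', 'DC2', 'DC3', 'DC4', 'DC5'
$Since = (Get-Date).AddMinutes(-30)   # look-back window for logon events

$results = foreach ($dc in $DomainControllers) {
    $row = [ordered]@{ DC = $dc; Rpc135 = $false; Logons = 0; Newest = $null; Status = '' }
    try {
        # RPC endpoint mapper reachability; remote event log access also
        # needs the dynamic RPC ports allowed by the DC's firewall profile.
        $row.Rpc135 = Test-NetConnection -ComputerName $dc -Port 135 `
            -InformationLevel Quiet -WarningAction SilentlyContinue

        # Successful logon events (ID 4624) written within the window.
        $events = Get-WinEvent -ComputerName $dc -MaxEvents 200 -ErrorAction Stop `
            -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since }
        $row.Logons = @($events).Count
        $row.Newest = ($events | Select-Object -First 1).TimeCreated
        $row.Status = 'OK'
    }
    catch {
        if ($_.Exception -is [System.UnauthorizedAccessException]) {
            # The account running this session cannot read the Security log.
            $row.Status = 'Access denied reading Security log'
        }
        elseif ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
            # Log is readable but no logons were recorded in the window.
            $row.Status = 'No 4624 events in window'
        }
        else {
            $row.Status = "Error: $($_.Exception.Message)"
        }
    }
    [pscustomobject]$row
}

$results | Format-Table -AutoSize
```

A DC that shows `OK` here but whose users are still unknown to the firewall points at the collector configuration (monitored DC list, agent version) rather than at permissions or connectivity.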

  3. Q&A Assist
    2026-03-05T01:26:29.2733333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    The described symptoms point to domain controller and network issues after introducing the Windows Server 2025 DC, not to a known specific bug with those three services. From the provided context, only one relevant Windows Server 2025 issue is documented that can directly affect domain connectivity and therefore internet access and policy enforcement.

    On Windows Server 2025 domain controllers, there was a known issue where, after a restart, the DC did not apply the domain firewall profile and instead used the standard firewall profile. This could cause:

    • The DC to be unreachable or only partially reachable on the domain network.
    • Ports and protocols that should be blocked by the domain firewall profile to be open, or required ports to be blocked.
    • Applications and services depending on the DC (such as authentication, group policy, and possibly FSSO or similar identity-based firewall integrations) to fail or behave inconsistently.

    This aligns with the disruption to user internet access and security policy enforcement after promoting the new Windows Server 2025 DC.

    Resolution and mitigation steps from the context:

    1. Ensure the Windows Server 2025 DC is fully updated
      • Install the June 10, 2025 Windows security update (KB5060842) or any later cumulative update on the Windows Server 2025 domain controller. This update resolves the issue where domain controllers manage network traffic incorrectly after restarting.
      • Once this update (or a later one) is installed, the DC should correctly use the domain firewall profile after restarts.
    2. Temporary workaround if the DC is not yet updated
      • If the DC is still on a build prior to KB5060842 and cannot be updated immediately, restore expected behavior after each restart by restarting the network adapter on the DC. For example, in an elevated PowerShell session on the DC:
             Restart-NetAdapter *
        
      • Because the issue reoccurs on every restart, this workaround must be repeated each time the DC restarts. A scheduled task can be created to run Restart-NetAdapter * at startup to automate this until the update is applied.
    3. Impact on FSSO and user internet access
      • If the firewall/FSSO solution depends on stable connectivity to domain controllers (for user logon tracking, group membership, or security policy application), any intermittent or incorrect firewall profile on the DC can break:
        • User authentication visibility for the firewall.
        • Group-based or user-based internet access rules.
      • Updating the DC to include KB5060842 or later should stabilize DC network behavior and remove this source of disruption.
    4. Role of the mentioned services
      • The context does not document any known Windows Server 2025 issues specifically tied to Intersite Messaging (IsmServ), Sync Host (OneSyncSvc), or Clipboard User Service (cbdhsvc) causing domain-wide internet access or policy enforcement problems.
      • Focus should therefore be on ensuring the DC’s OS build includes the fix for the firewall profile issue and verifying that, after update and reboot, the DC is reachable and correctly applying domain firewall profiles.

    Summary of recommended actions:

    1. On DC5 (Windows Server 2025), install the June 10, 2025 security update KB5060842 or any newer cumulative update.
    2. Until updated, after each reboot of DC5, run Restart-NetAdapter * (or use a startup scheduled task) to restore correct domain firewall profile behavior.
    3. After updating, verify:
      • Clients can reliably authenticate against DC5.
      • FSSO or equivalent firewall integration sees user logons correctly.
      • Group policies and security policies are applied as expected.

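The verification and workaround steps from the answer above, as an added example that is not part of the answer: it reports which network category each interface on the DC is using, whether KB5060842 is listed, and applies `Restart-NetAdapter` only when an interface is off the domain profile. The task name and the `$RegisterStartupTask` switch are hypothetical names chosen for this example.

```powershell
# Added example. Run in an elevated PowerShell session on the Windows Server 2025 DC.
$FixKb               = 'KB5060842'                   # update named in the answer
$TaskName            = 'DC-RestartNetAdapter-AtBoot' # hypothetical task name
$RegisterStartupTask = $false                        # set to $true to automate the workaround

# 1. Network category each connected interface is using right now.
$profiles = @(Get-NetConnectionProfile)
$profiles | Format-Table InterfaceAlias, Name, NetworkCategory -AutoSize
$notDomain = @($profiles | Where-Object { $_.NetworkCategory -ne 'DomainAuthenticated' })

# 2. Is the named update listed? A later cumulative update supersedes it and is
#    listed under its own ID, so a miss means "check the build", not "unpatched".
$kb = Get-HotFix -Id $FixKb -ErrorAction SilentlyContinue
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
if ($kb) { "$FixKb installed on $($kb.InstalledOn)" }
else     { "$FixKb not listed; OS build is $($cv.CurrentBuild).$($cv.UBR)" }

# 3. Apply the workaround only when an interface is on the wrong profile.
if ($notDomain.Count -gt 0) {
    Write-Warning "Not on the domain profile: $($notDomain.InterfaceAlias -join ', ')"
    Restart-NetAdapter -Name '*'
    Start-Sleep -Seconds 15   # give network location detection time to re-run
    Get-NetConnectionProfile | Format-Table InterfaceAlias, NetworkCategory -AutoSize
}

# 4. Optional: repeat the workaround at every boot until the update is installed.
$existing = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
if ($RegisterStartupTask -and -not $existing) {
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                     -Argument '-NoProfile -Command "Restart-NetAdapter -Name *"'
    $trigger   = New-ScheduledTaskTrigger -AtStartup
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' `
                     -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName $TaskName -Action $action `
        -Trigger $trigger -Principal $principal
}
```

Once the update is installed and the DC keeps the domain profile across a reboot, remove the task with `Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false`.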
