Just a few FAC (FortiAuthenticator) tips and info...
While LDAP(S) is one of the main Windows AD authentication protocols, it isn't very convenient, or best practice, to use it directly from edge devices.
Typically, an enterprise user authentication scheme has edge-facing devices authenticate against a RADIUS server, and that RADIUS server in turn interfaces with your internal LDAP(S) systems.
To achieve MSCHAPv2 authentication end to end, FAC needs to join the AD domain as a domain member. For that, FAC itself must be pointed at the AD domain controller's DNS server, so that the Microsoft AD specific domain name lookups succeed.
If you have been using a previously deployed BIND DNS server (or similar), then simply route AD DC DNS resolution through any FortiGate or other internal DNS server.
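A quick way to confirm the DNS prerequisite before attempting the domain join is to query the AD locator SRV records through the same DNS server FAC will use. The script below is an added example (not FortiAuthenticator code) using only the Python standard library: it builds a DNS SRV query, sends it to a server, and parses the answer. The domain `corp.example`, the host `dc1`, and the sample response bytes are constructed for illustration.

```python
"""Check that the AD locator SRV records a domain join depends on resolve through
a given DNS server. Added example, standard library only; the domain, server and
sample response below are constructed, not taken from a real deployment."""
from __future__ import annotations
import socket
import struct

# Locator records every domain controller publishes; a host joining the domain
# (FAC included) must be able to resolve them through its configured DNS server.
AD_SRV_TEMPLATES = (
    "_ldap._tcp.dc._msdcs.{domain}",
    "_kerberos._tcp.dc._msdcs.{domain}",
    "_ldap._tcp.{domain}",
    "_kerberos._tcp.{domain}",
)
SAMPLE_NAME = "_ldap._tcp.dc._msdcs.corp.example"  # constructed domain


def ad_srv_names(domain: str) -> list[str]:
    return [t.format(domain=domain.rstrip(".")) for t in AD_SRV_TEMPLATES]


def build_srv_query(name: str, txid: int = 0x1234) -> bytes:
    # Header: id, flags (RD set), 1 question, 0 answer/authority/additional.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 33, 1)  # QTYPE=SRV, QCLASS=IN


def _read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_srv_response(msg: bytes) -> list[tuple[int, int, int, str]]:
    """Return (priority, weight, port, target) for each SRV answer; [] on error RCODE."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F != 0:  # RCODE != 0, e.g. NXDOMAIN means the zone is not reachable
        return []
    offset = 12
    for _ in range(qd):          # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4
    records = []
    for _ in range(an):
        _, offset = _read_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 33:
            prio, weight, port = struct.unpack("!HHH", msg[offset:offset + 6])
            target, _ = _read_name(msg, offset + 6)
            records.append((prio, weight, port, target))
        offset += rdlen
    return records


def query_srv(name: str, server: str, timeout: float = 3.0) -> list[tuple[int, int, int, str]]:
    """Send one SRV query over UDP to `server` and parse the reply (live network call)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_srv_query(name), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_srv_response(data)


def check_domain(domain: str, server: str) -> dict[str, list]:
    """Map each locator name to its SRV answers; an empty list flags a DNS gap."""
    return {name: query_srv(name, server) for name in ad_srv_names(domain)}


def sample_response() -> bytes:
    """Constructed reply to SAMPLE_NAME: one SRV answer, dc1.corp.example port 389.
    The target uses a compression pointer into the question name (offset 33)."""
    question = build_srv_query(SAMPLE_NAME)[12:]
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    suffix_off = 12 + len(b"\x05_ldap\x04_tcp\x02dc\x06_msdcs")  # where "corp.example" starts
    rdata = struct.pack("!HHH", 0, 100, 389) + b"\x03dc1" + struct.pack("!H", 0xC000 | suffix_off)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 33, 1, 600, len(rdata)) + rdata
    return header + question + answer


if __name__ == "__main__":
    # Offline demonstration on the constructed reply; for a live check run e.g.
    # check_domain("corp.example", "10.0.0.10") against the DC's DNS server (assumed address).
    print(parse_srv_response(sample_response()))
```

If any of the four names comes back empty (NXDOMAIN or no answers), the DNS server FAC is pointed at does not serve the AD zone, and the domain join will fail before any RADIUS or MSCHAPv2 configuration matters.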
Once FAC has joined the domain, you'll need to create your remote users, remote user sync rules, etc., in order to map RADIUS requests to the correct LDAP entities. This also gives you a way to filter users according to RADIUS attributes or RADIUS client filtering.