Article Id 189814

This article explains how to disable the DNS resolution of the FSSO DCAgent.

Any supported version of FortiGate. This only applies to the FSSO DCAgent method.

When a user logs on, the DCAgent intercepts the logon event on the Domain Controller, resolves the client's workstation name to an IP address through DNS, and forwards the event to the Collector Agent. The Collector Agent then performs a second DNS resolution to check whether the user's IP address has changed.

In some environments this double DNS resolution causes problems.
Typically DCAgentLog.txt reports that too many requests are waiting in the queue and discards the logon event, with an entry such as:
domain:XXX, workstation:XXX, user:XXX, request in queue:100001

To stop the DCAgent from resolving DNS, set the following registry value on the Domain Controller that hosts the DCAgent:
donot_resolve = (DWORD) 1 at HKLM\Software\Fortinet\FSAE\dcagent

After changing the value, reboot the Domain Controller; the change does not take effect until you do.
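As an added example (not Fortinet's own tooling), the following PowerShell first checks DCAgentLog.txt for the "request in queue" symptom described above and then sets the donot_resolve value from this article and reads it back. The registry path and value name come from the article; the log file location and the queue-depth threshold are assumptions.

```powershell
# Added example, not Fortinet code. Run in an elevated PowerShell session on the
# Domain Controller that hosts the DCAgent. Registry path and value name are from
# this article; the log path and the threshold are assumptions for this script.
$LogPath   = 'C:\Program Files\Fortinet\FSAE\DCAgentLog.txt'   # assumed location
$Threshold = 1000                                              # assumed: flag queues deeper than this
$RegPath   = 'HKLM:\Software\Fortinet\FSAE\dcagent'
$RegName   = 'donot_resolve'

# 1. Detection: pull "request in queue:N" out of the discarded-logon entries and report the peak.
if (Test-Path $LogPath) {
    $queueDepths = Select-String -Path $LogPath -Pattern 'request in queue:(\d+)' |
        ForEach-Object { [int]$_.Matches[0].Groups[1].Value }
    if ($queueDepths) {
        $peak = ($queueDepths | Measure-Object -Maximum).Maximum
        Write-Host "Peak DCAgent request queue depth seen in log: $peak"
        if ($peak -gt $Threshold) {
            Write-Warning 'Logon events are being discarded; DNS resolution in the DCAgent is a likely cause.'
        }
    } else {
        Write-Host 'No queue-depth entries found in DCAgentLog.txt.'
    }
} else {
    Write-Warning "Log file not found at $LogPath (adjust `$LogPath for your install)."
}

# 2. Remediation: create the key if it is missing, then set donot_resolve = (DWORD) 1.
if (-not (Test-Path $RegPath)) {
    New-Item -Path $RegPath -Force | Out-Null
}
New-ItemProperty -Path $RegPath -Name $RegName -Value 1 -PropertyType DWord -Force | Out-Null

# 3. Verification: read the value back before rebooting.
$current = (Get-ItemProperty -Path $RegPath -Name $RegName).$RegName
if ($current -eq 1) {
    Write-Host "$RegName is set to 1 under $RegPath. Reboot the Domain Controller for it to take effect."
} else {
    Write-Error "Failed to set $RegName (current value: $current)."
}
```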

Before the change, the log entries look similar to the following:
<date> <time>    [RECV_EVENT_FROM_DC]    packet_len:58 dcagent_ip: time:1447165567 data_len:41 ip:

After the change, they look like this:
<date> <time>    [RECV_EVENT_FROM_DC]    packet_len:58 dcagent_ip: time:1447165567 data_len:41 ip: