Description
This article explains how to disable the DNS resolution of the FSSO DCAgent.
Scope
Any supported version of FortiGate. This only applies to the FSSO DCAgent method.
Solution
When a user logs on, the DCAgent intercepts the logon event on the Domain Controller, resolves the user's workstation name through DNS to obtain its IP address, and sends the event to the Collector Agent. The Collector Agent then performs its own DNS resolution to check whether the user's IP has changed.
In some environments this double DNS resolution causes problems. Typically, DCAgentLog.txt reports that there are too many requests in the queue and that the logon event is being discarded, with a message such as the following:
"Too much request in the queue, discard this logon event, domain:xxx, workstation:xxxx, user:xxxx, request in queue:100001"
Be sure to enable DC Agent logging as described here:
To stop the DCAgent from resolving DNS, configure the following registry value on the Domain Controller that hosts the DCAgent:
donot_resolve (DWORD) = 1 under HKLM\Software\Fortinet\FSAE\dcagent
After changing the value, reboot the Domain Controller; this step is required for the change to take effect.
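The registry change above, applied and verified from an elevated PowerShell session on the Domain Controller, followed by a check of DCAgentLog.txt for the queue-discard symptom. This is an added example, not the article's or Fortinet's own code; the log file location is an assumption and may need adjusting.

```powershell
# Added example: set donot_resolve = 1 (REG_DWORD) for the FSSO DCAgent, read it
# back, and count queue-discard messages in the DCAgent log. Run elevated on the
# Domain Controller that hosts the DCAgent; a reboot is still required afterwards.

$KeyPath = 'HKLM:\SOFTWARE\Fortinet\FSAE\dcagent'
$LogPath = 'C:\Program Files\Fortinet\FSAE\DCAgentLog.txt'   # assumed location

# Create the key if it does not exist yet, then set the value.
if (-not (Test-Path -Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}
Set-ItemProperty -Path $KeyPath -Name 'donot_resolve' -Value 1 -Type DWord

# Verify: anything other than 1 means the change did not land.
$current = (Get-ItemProperty -Path $KeyPath -Name 'donot_resolve').donot_resolve
if ($current -ne 1) {
    throw "donot_resolve is '$current' under $KeyPath, expected 1"
}
Write-Host "donot_resolve=1 set under $KeyPath. Reboot the Domain Controller to apply it."

# Look for the symptom described in the article: discarded logon events because
# the DCAgent request queue is full. Reports the count and the largest queue
# depth seen, so the before/after effect of the change can be compared.
if (Test-Path -Path $LogPath) {
    $lines    = Get-Content -Path $LogPath -Tail 5000
    $discards = @($lines | Select-String -SimpleMatch 'Too much request in the queue')
    $maxQueue = 0
    foreach ($hit in $discards) {
        if ($hit.Line -match 'request in queue:(\d+)') {
            $depth = [int]$Matches[1]
            if ($depth -gt $maxQueue) { $maxQueue = $depth }
        }
    }
    Write-Host ("Discarded logon events in last 5000 lines: {0}; max queue depth: {1}" -f $discards.Count, $maxQueue)
} else {
    Write-Warning "DCAgent log not found at $LogPath; enable DC Agent logging and adjust the path."
}
```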
Before the change, the log lines looked similar to the following:
<date> <time> [RECV_EVENT_FROM_DC] packet_len:58 dcagent_ip:172.16.8.123 time:1447165567 data_len:41 data:PC.example.com/EX_DC/user ip:172.16.1.10:172.16.2.10
After the change, they look like this (the ip field is 0.0.0.0 because the DCAgent no longer resolves it):
<date> <time> [RECV_EVENT_FROM_DC] packet_len:58 dcagent_ip:172.16.8.123 time:1447165567 data_len:41 data:PC.example.com/EX_DC/user ip:0.0.0.0