If the collector Agent gets the username and workstation name ( either from the DC agent or security event log ), as a part of forming the fsso logon for the given user, the FSSO collector agent has to resolve the workstation name to get the current IP address of the workstation from which the user is logged in.

The FSSO name resolution logic works in this order:

1. Check the host file to find a possible entry for the given hostname. If no entry is found, move to step 2.

2. Try to do a DNS lookup with the configured Alternative DNS servers in the FSSO Collector Agent settings, if it fails, continue to step 3. If an Alternative DNS server is configured, that one is used by default for name resolution instead of the underlying OS'  DNS.

Example:

04/04/2022 15:28:10 [ 3708] DnsQuery() failed for JSMITH.test.lab, error code:9501
04/04/2022 15:28:10 [ 3708] DNS lookup: workstation name:JSMITH.test.lab, dns server:10.10.3.19, ip:00000000:00000000

3. Call Windows API function gethostbyname(), first with the full name, JSMITH.test.lab, then with the hostname only, JSMITH.
   In that step, the name resolution is handed over to the OS, so FSSO Collector Agent will rely on the results of the name resolution provided by the OS.

OS might resolve the name using one of these possible ways:

• Check the local DNS Cache.
• Query configured DNS servers.
• WINS, NetBIOS, LLMNR and etc..

Example:

04/04/2022 15:28:10 [ 3708] resolve_ip_internal: dns look up failed, call gethostbyname():JSMITH.test.lab
04/04/2022 15:28:10 [ 3708] resolve_ip_internal: workstation:JSMITH.test.lab [10.10.3.28:0.0.0.0] time:0

FSSO Collector agent does not have any control nor can influence the name resolution in that case. If this step also fails, move to step 4.

4. If steps 1, 2, and 3 fail, try to do a DNS lookup with the Alternative DNS suffix, which is configured under Advanced Settings of the FSSO Collector Agent, JSMITH.ad.test.lab

Related articles: