on Nov 12, 2018Article Content
| Article Number | 000036945 |
| Applies To | RSA Product Set: NetWitness Logs and Network RSA Product/Service Type: NetWitness Logs and Network RSA Version/Condition: 11.2, 11.3 |
| Issue | Active Directory failing to connect to event sources after 11.2 and higher upgrade. Once the 11.2 and higher upgrade has been completed, it moved the contents of the /etc/resolv.conf to the /etc/netwitness/platform/resolv.conf.dnsmasq and the UI server (Node-Zero) started acting as a DNS proxy server. All other devices have the /etc/resolv.conf that now points to Node-Zero as the DNS Server. |
| Cause | In version 11.2 and higher, we changed the architecture to create Node-Zero as a DNS Proxy server. Currently, the DNS proxy does not resolve short names. |
| Resolution | In order to resolve this issue, replace the /etc/resolv.conf with the correct information that can be found on node-zero in the /etc/netwitness/platform/resolv.conf.dnsmasq Note: 11.3 update makes resolv.conf as immutable. Hence, Step1 applicable for 11.3 environment only.
Note: Log collectors will need to have the collection services restarted if using short name lookup for WinRM. |
| Workaround | Make sure that the /etc/resolv.conf is the same across all systems, the correct one is located on UI Server (Node-Zero) in the /etc/netwitness/platform/resolv.conf.dnsmasq. Use this as the example to place the same information for all system. |