|Applies To||RSA Product Set: NetWitness Logs and Network|
RSA Product/Service Type: NetWitness Logs and Network
RSA Version/Condition: 11.2, 11.3
|Issue||Active Directory fails to connect to event sources after an upgrade to 11.2 or higher.|
After the upgrade to 11.2 or higher completes, the contents of /etc/resolv.conf are moved to /etc/netwitness/platform/resolv.conf.dnsmasq and the UI server (Node-Zero) starts acting as a DNS proxy server. On all other devices, /etc/resolv.conf now points to Node-Zero as the DNS server.
|Cause||In version 11.2 and higher, we changed the architecture to make Node-Zero a DNS proxy server. Currently, the DNS proxy does not resolve short names.|
|Resolution||To resolve this issue, replace /etc/resolv.conf with the correct information, which can be found on Node-Zero in /etc/netwitness/platform/resolv.conf.dnsmasq.
Note: The 11.3 update makes resolv.conf immutable. Hence, Step 1 is applicable to 11.3 environments only.
Note: Log collectors will need to have the collection services restarted if using short name lookup for WinRM.
|Workaround||Make sure that /etc/resolv.conf is the same across all systems. The correct one is located on the UI Server (Node-Zero) in /etc/netwitness/platform/resolv.conf.dnsmasq. Use it as the example and place the same information on all systems.|
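
One way to check the workaround on each host, as an added example that is not RSA's own tooling: the script compares a host's resolv.conf with the reference copy from Node-Zero, ignoring comments and whitespace but not directive order. The function names, the sample addresses and domain, and the assumption that the reference file has already been copied to the host are all illustrative.

```shell
#!/bin/sh
# Added example, not RSA code. Compares a host's resolv.conf with the reference
# copy taken from Node-Zero (/etc/netwitness/platform/resolv.conf.dnsmasq).
# Assumption: the reference file has already been copied to this host.

# Print the active directives of a resolv.conf-style file: comment lines
# (# or ; in column one) and blank lines dropped, whitespace collapsed.
# Order is preserved because nameserver order matters to the resolver.
resolv_directives() {
    sed -e '/^[#;]/d' \
        -e 's/[[:space:]][[:space:]]*/ /g' \
        -e 's/^ //' -e 's/ $//' \
        -e '/^$/d' "$1"
}

# Status 0: same directives; 1: they differ (both printed); 2: unreadable file.
resolv_matches() {
    ref=$(resolv_directives "$1") || return 2
    cur=$(resolv_directives "$2") || return 2
    if [ "$ref" = "$cur" ]; then
        return 0
    fi
    printf 'MISMATCH\n--- reference (%s)\n%s\n--- host (%s)\n%s\n' \
        "$1" "$ref" "$2" "$cur"
    return 1
}

# Demo on constructed sample files (documentation addresses, made-up domain).
resolv_demo() {
    d=$(mktemp -d) || return 2
    printf '# constructed reference\nsearch example.internal\nnameserver 192.0.2.10\n' > "$d/ref"
    printf 'nameserver 192.0.2.1\n' > "$d/host"   # constructed: host differs from reference
    resolv_matches "$d/ref" "$d/host"
    rc=$?
    rm -rf "$d"
    return "$rc"
}

# Usage: script REFERENCE HOST_FILE   (no arguments: run the demo)
if [ "$#" -eq 2 ]; then
    resolv_matches "$1" "$2"
else
    resolv_demo || true
fi
```

Run it with the reference file and /etc/resolv.conf as the two arguments; a non-zero status marks a host that still needs the file replaced.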