For Agentless User-ID, the Palo Alto Networks device sends a standard query to the DNS server configured on the device. The DNS server must be a local DNS server that's part of the domain or a third-party DNS server that knows all the domain mappings.
Note: PAN-OS User Mapping (Agentless User-ID) is a feature introduced in PAN-OS 5.0.
Details
The following is a screenshot of a working query:
The query above should give the following result:
Possible Issues
No configured domain
If a domain is not configured, a "No domain configured" error appears.
The domain is configured in General Settings on the Device > Setup page under Management.
Issues with the configured DNS server. You can have multiple issues with the DNS server:
No DNS server is configured on the Palo Alto Networks device.
An internal DNS server is configured, but it does not have all the necessary domain mappings.
A public DNS server is used. The following is an example of a capture where a public DNS is used: