Check the following settings on the User-ID Agents.
Enable WMI and disable NetBIOS lookups (recommended).
File > Debug: Set the debug level to None (debugging could be set if needed).
Please make sure the customer's local agent is only doing user-to-IP mapping for its local DC subnet. It should not be doing a mapping of the remote DC subnet.
So if your agent is reading security logs from one DC only and you have multiple agents reading security logs from multiple DCs, then you configure those agents on the PAN, and the PAN would read the user-to-IP mapping from all the agents.
Please do keep in mind that communication between the DC and the agent over the WAN is a bit chatty. That's why you should make sure the local agent is only doing user-to-IP mapping for its local DC subnet and is not doing a mapping of the remote DC subnet.
What do your settings look like?
If you run pan-agent directly on the Domain Controller servers, I think you can set 127.0.0.1 as the Domain Controller Address.
Then you limit in the Allow List (and if needed in the Ignore List as well) which IP ranges your clients use.
So if this particular DC only handles, for example, 10.0.1.0/24, then add this as the Allow List.
One tricky part if your AD is distributed (regarding the allow/ignore list) is that if the local DCs don't answer the client request, any other DC can verify and log the IP<->user in its security log.
This means that if you have a 1:1 relation between PAN-agent and DC server (either on a dedicated machine or run directly on the DC server), you will have less chat on the network (and if segmented (the local DCs refuse to answer login attempts from a remote user of another site), the WMI chat straight to the clients will be less over the WAN as well).
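The Allow List scoping discussed in the replies above can be audited offline. This is an added example, not part of the original posts and not a Palo Alto tool: the agent names, ranges and client subnets are constructed, and the inventory format is an assumption (the lists are typed in by hand, not read from the agent).

```python
import ipaddress
from itertools import combinations

# Constructed inventory (hypothetical names and ranges): agent -> Allow List ranges.
AGENTS = {
    "agent-site-a": ["10.0.1.0/24"],
    "agent-site-b": ["10.0.2.0/24", "10.0.1.128/25"],  # second range strays into site A
}
# Constructed list of client subnets that should each be mapped by one local agent.
CLIENT_SUBNETS = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]


def parse(ranges):
    """Parse CIDR strings; strict=True rejects ranges with host bits set."""
    return [ipaddress.ip_network(r, strict=True) for r in ranges]


def find_overlaps(agents):
    """Return (agent1, agent2, net1, net2) where two agents' Allow Lists overlap,
    i.e. one agent is also mapping part of another site's subnet."""
    hits = []
    for (a, a_ranges), (b, b_ranges) in combinations(sorted(agents.items()), 2):
        for na in parse(a_ranges):
            for nb in parse(b_ranges):
                if na.overlaps(nb):
                    hits.append((a, b, str(na), str(nb)))
    return hits


def find_uncovered(agents, client_subnets):
    """Return client subnets that no agent's Allow List range fully contains."""
    allowed = [n for ranges in agents.values() for n in parse(ranges)]
    return [
        s for s in client_subnets
        if not any(ipaddress.ip_network(s).subnet_of(n) for n in allowed)
    ]


if __name__ == "__main__":
    for a, b, na, nb in find_overlaps(AGENTS):
        print(f"overlap: {a} {na} <-> {b} {nb}")
    for s in find_uncovered(AGENTS, CLIENT_SUBNETS):
        print(f"no agent covers client subnet {s}")
```
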