Documentation | Support

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
DC Agent Troubleshooting : DC Agent doesn't see some or all users
DC Agent doesn't see some or all users
DC Agent Troubleshooting | Web Protection Solutions | v8.5.x | 29-Apr-2022
If DC Agent is installed, but user and group policies aren't being applied, DC Agent might:
*
Not be able to contact the domain controller.
*
Be retrieving information from the wrong domain controller.
*
Have a corrupted or missing configuration file.
The following error may accompany the problem:
WSDCagent : Error reading Config File: dc_config.txt Erroneous Entry: <string>
To troubleshoot issues of this type, see:
*
DC Agent is not receiving domain controller information
*
Configure which domain controllers DC Agent polls
*
Uncover DC Agent communication issues
*
dc_config.txt file is missing or empty
*
Manually enable the Computer Browser service
DC Agent is not receiving domain controller information
DC Agent can misidentify users if it is unable to get data from domain controllers, resulting in incorrect filtering behavior. This can happen if:
*
DC Agent is not detecting all domain controllers in the network.
To see which domains and domain controllers DC Agent has identified, go to the Web > Settings > General > User Identification page in the Forcepoint Security Manager, and click View Domain List (under DC Agent Domains and Controllers). This lists all domains currently being polled by all DC Agent instances in your network. The instances polling each domain are listed in the DC Agent Instances column.
If one or more domains is missing from the list, or if an instance is not polling the correct domains, see Configure which domain controllers DC Agent polls.
*
DC Agent may not be able to identify the domain controllers in a particular domain.
Use the Windows Event Viewer to check for the following error:
ERROR_NO_BROWSER_SERVERS_FOUND -6118
If your network includes multiple subnets, DC Agent may have problems communicating with Master Browser or domain controller machines in other subnets. As a best practice, install a separate DC Agent in each subnet to avoid problems gathering logon information from domain controllers.
*
DC Agent and User Service may be configured to use an anonymous account. To change the account used to run DC Agent or User Service, see Updating DC Agent permissions.
*
DC Agent may not be able to contact a remote domain controller that has been shut down or restarted. See DC Agent: ERROR_BAD_NETPATH - 53.
Configure which domain controllers DC Agent polls
If DC Agent is attempting to poll domain controllers that don't exist, or if you have turned off automatic domain discovery and want to have DC Agent poll a new domain controller, edit the dc_config.txt file to configure DC Agent behavior.
1.
Go to the web protection bin directory (C:\Program Files\Websense\Web Security\bin, by default) on the DC Agent machine.
2.
Make a backup copy of the dc_config.txt file in another location.
3.
Open the original dc_config.txt file in a text editor (like Notepad).
4.
Confirm that all of your domains and domain controllers are listed. For example:
[WEST_DOMAIN]
dcWEST1.forcepoint.com=on
dcWEST2.forcepoint.com=on
[EAST_DOMAIN]
dcEAST1.forcepoint.com=on
dcEAST2.forcepoint.com=on
If there are domain or domain controller entries missing from the list, you can add them manually. Before adding entries, run the net view /domain command on the DC Agent machine to make sure that the agent can see the new domain.
5.
If there are entries in the list that DC Agent should not poll, change the entry value from on to off. For example:
dcEAST2.forcepoint.com=off
*
If you configure DC Agent to avoid polling an active domain controller, the agent cannot transparently identify users logging on to that domain controller.
*
If DC Agent's automatic domain discovery has detected a domain controller that should not be used to authenticate users, set the entry to off, rather than removing it. Otherwise, the next discovery process will re-add the controller.
6.
Save your changes and close the file.
7.
Use the Windows Services tool to restart the Websense DC Agent service.
Uncover DC Agent communication issues
In order to identify users, DC Agent uses DNS or NetBIOS to identify domains and domain controllers in the network. DC Agent may be unable to identify domain controllers if there are network communication problems, or DNS or NetBIOS configuration problems.
To identify these issues:
1.
Open a command prompt or Windows Powershell on the DC Agent machine.
2.
To verify that the DC Agent machine can see all required domains, use the net view command:
net view /network
3.
To check for DNS issues, use the nslookup command.
For example, to find out if DNS resolves the hostname "testmachine1":
nslookup testmachine1
If the DNS lookup succeeds, the result looks something like this:
Server: testdns.test.example.com
Address: 10.56.1.4
Name: testmachine1.test.example.com
Address: 10.56.100.15
Use a similar command to verify that a reverse DNS lookup will succeed for a dual-stack (IPv4 and IPv6) client with IPv6 address "::ffff:A.B.C.D":
nslookup ::ffff:A.B.C.C
If the DNS lookup succeeds, the result looks something like this:
Server: testdns.test.example.com
Address: ::ffff:A.B.C.C
If lookup does not succeed, make sure you have a reverse lookup zone for IPv6 in your DNS.
4.
If DC Agent is configured to use NetBIOS, attempt to telnet to a domain controller on port 139. If the telnet command is successful, you will see a blank screen. If unsuccessful:
*
A router, firewall, or other device may be blocking NetBIOS traffic.
*
NetBIOS may not be enabled, and the domain controller may not be listening on port 139. To check the status of the port, use the netstat command:
Windows:
netstat -na | find "139"
Linux:
netstat -na | grep 139
Configure DC Agent to use only NetBIOS for user identification
1.
Navigate to the web protection bin directory (C:\Program Files\Websense\Web Security\bin, by default) and open the transid.ini file in a text editor.
If the file does not exist, use a text editor to create a file called transid.ini, and add the following line to the top of the file:
[DCAgent]
2.
Locate the or add the UseNetBIOS parameter, then set its value to True. For example:
[DCAgent]
UseNetBIOS=True
3.
Save and close the INI file.
4.
Use the Windows Services tool to stop the Websense DC Agent service.
5.
Remove the XidDcAgent.bak file from the bin directory.
The file is recreated when you start DC Agent.
6.
Start the Websense DC Agent service.

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
DC Agent Troubleshooting : DC Agent doesn't see some or all users
Copyright 2022 Forcepoint. All rights reserved.