1) The Umbrella Connector service pulls logon events with IDs 4624, 528, 540, 538, 4647, 4634, 4768, and 4769 from the Windows Event Viewer on all Domain Controllers in the same Umbrella Site as the Connector server. Those logon events include the AD User/Computer name and the IP address of the workstation.
2) The Connector forwards a summary of new FOUND EVENT entries to all of the Virtual Appliances in the same Umbrella Site. Note: the Connector will cache logon event information to optimize performance, so summaries are not always sent. Also, summaries are not sent for AD Users, AD Groups, or IP addresses that have been added to the Umbrella Service Account Exceptions list. For more information about this list, please see:
https://support.umbrella.com/hc/en-us/articles/231266088
3) Each individual VA uses the summary to create a mapping file between the IP address and the Active Directory User/Computer.
4) When a DNS request is sent to a VA from a particular IP address, the mapping file is used to find the associated AD User/Computer.
5) The mapped User/Computer determines which policy applies to the request and identifies the request in reports.
Intended functionality:
-- A user logs in to the AD domain using a DC that has been registered with Umbrella.
-- An Umbrella Connector in the same Umbrella Site as that DC forwards a summary to all VAs in that same Umbrella Site.
-- DHCP or some other method ensures that the user's DNS servers are VAs in the same Umbrella Site as that DC.
-- DNS requests from the user are properly identified by Umbrella.
Conversely, suppose a user logs in to the AD domain using a DC that has NOT been registered with Umbrella. The Umbrella Connector never sees the logon event, and has no AD User/Computer + IP address pair to forward to the VAs. The VAs will not add or edit a mapping entry. DNS requests from the user will not be associated with the user (unless a previous mapping for that IP address is still cached).
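To make the identification flow in steps 1-5 and the unregistered-DC case above concrete, here is an added Python example (not Umbrella's own code; the Connector's real summary format is not described on this page). It builds the VA-style IP-to-identity mapping from constructed logon events, drops entries covered by a Service Account Exceptions list, and shows that an IP with no forwarded event resolves to nothing. Treating a logoff event as clearing the entry is an assumption for illustration.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Event IDs named on the page, grouped by what they say about a session.
LOGON_IDS = {4624, 528, 540}       # logon (528/540 are the pre-2008 forms of 4624)
KERBEROS_IDS = {4768, 4769}        # TGT / service-ticket requests, also carry a client IP
LOGOFF_IDS = {4634, 4647, 538}     # logoff (538 is the pre-2008 form)

# (event ID, AD account, workstation IP): a constructed simplification of a
# Security-log record, not the Connector's actual summary format.
Event = Tuple[int, str, str]

def is_excepted(account: str, ip: str, excepted_accounts: Set[str],
                excepted_networks: List[ipaddress.IPv4Network]) -> bool:
    """Step 2: entries on the Service Account Exceptions list are never forwarded."""
    if account.lower() in {a.lower() for a in excepted_accounts}:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in excepted_networks)

def build_mapping(events: Iterable[Event], excepted_accounts: Set[str],
                  excepted_networks: List[ipaddress.IPv4Network]) -> Dict[str, str]:
    """Step 3: turn forwarded events into the VA's IP -> User/Computer mapping."""
    mapping: Dict[str, str] = {}
    for event_id, account, ip in events:
        if event_id in LOGON_IDS | KERBEROS_IDS:
            if is_excepted(account, ip, excepted_accounts, excepted_networks):
                continue                     # summary never sent for this entry
            mapping[ip] = account            # most recent logon from that IP wins
        elif event_id in LOGOFF_IDS:
            # Assumption: a logoff clears the entry; the page does not say how VAs age mappings.
            if mapping.get(ip) == account:
                del mapping[ip]
    return mapping

def identify(mapping: Dict[str, str], client_ip: str) -> Optional[str]:
    """Steps 4-5: resolve the source IP of a DNS request; None means 'unidentified'."""
    return mapping.get(client_ip)

# Constructed sample input. 10.0.5.5 deliberately has no event at all, which is
# what a VA sees when the user authenticated against an unregistered DC.
SAMPLE_EVENTS: List[Event] = [
    (4624, "CORP\\alice", "10.0.1.15"),
    (4768, "CORP\\WS01$", "10.0.1.20"),       # computer account via Kerberos TGT request
    (4624, "CORP\\svc_backup", "10.0.1.30"),  # account on the exceptions list
    (4624, "CORP\\bob", "10.0.9.9"),          # IP inside an excepted network
    (4624, "CORP\\carol", "10.0.1.40"),
    (4634, "CORP\\carol", "10.0.1.40"),       # logoff clears carol's entry
]
EXCEPTED_ACCOUNTS: Set[str] = {"CORP\\svc_backup"}
EXCEPTED_NETWORKS = [ipaddress.ip_network("10.0.9.0/24")]

if __name__ == "__main__":
    table = build_mapping(SAMPLE_EVENTS, EXCEPTED_ACCOUNTS, EXCEPTED_NETWORKS)
    for ip in ("10.0.1.15", "10.0.1.30", "10.0.5.5"):
        print(ip, "->", identify(table, ip) or "unidentified (no forwarded logon event)")
```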