
Lack of identifiable user activity with Heartbeat or STAS

Network consists of Cisco enterprise switches and inter-VLAN routing happens in a core switch stack.


Links to secondary stacks and to servers are PortChannel groups on 10G media. The uplink to the firewall is 1G on the default VLAN, as internet traffic is secondary to the primary business traffic between their servers, manufacturing equipment and end users.

In current activities, 3 users are identified (off of VLAN 501).  Another 12 or so are IPsec remote access VPN users.  The other remaining 170 users are unidentified.

On Domain Controllers, STAS shows a number of Live Users in Advanced > Show Live Users.

Running a packet capture, I see traffic from the firewall to the DCs.

Found a mis-configured Windows Defender firewall rule and now STAS is working. Set Windows DCs to allow inbound port UDP 6677.  Users are now showing up in the firewall live users.

I see the Heartbeat is sent every 15 seconds.

https://docs.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/SophosCentral/SecurityHeartbeatOverview/SecurityHearbeat/index.html#identification-of-endpoints

Packet capture shows a large amount of traffic from the LAN IP addresses to 52.5.76.173 on TCP port 8347.

Why would Sophos Firewall not be able to identify users based on heartbeat?



  • I narrowed down why Heartbeat isn't working.  The tech that built out authentication > servers entered an invalid search domain on the server that matches the user's domain.

    For example, the public domain is contoso.com. Users use a UPN of user@contoso.com.  The AD domain is set up as hq.contoso.com.  Instead of setting the search domain to dc=hq,dc=contoso,dc=com, they set it to dc=contoso,dc=com, a non-existent AD domain.

    Sophos Firewall Engineer 16.0-20.0
    Sophos Firewall Architect 18.0-20.0
    Sophos Firewall Technician 18.0-20.0
    Sophos Central & Endpoint Architect 3.0-4.0
    Sophos Central Email v2.0
    Sophos Mobile v9.6
    Sophos ZTNA 1.0, 2.0
    Synchronized Security Accredited
    Sophos Gold Partner
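The trap described in the reply above is easy to reproduce with a small check: the search base entered on the firewall must be the naming context of the AD domain the DC actually hosts (hq.contoso.com), not a DN built from the users' UPN suffix (contoso.com). The following script is an added example, not code from the original post or from Sophos; it derives the expected base DN from the AD DNS domain and flags a configured base that sits above that naming context, which is exactly the dc=contoso,dc=com mistake. The helper names and the rules it applies are my own; the domain names are the post's contoso.com example.

```python
# Added example (not from the original post): validate the AD search base used
# in Sophos Firewall "Authentication > Servers" against the real AD DNS domain.
from __future__ import annotations


def base_dn_from_domain(dns_domain: str) -> str:
    """Default naming-context DN for an AD DNS domain.
    'hq.contoso.com' -> 'DC=hq,DC=contoso,DC=com'."""
    labels = [l for l in dns_domain.strip().strip(".").lower().split(".") if l]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"DC={l}" for l in labels)


def normalize_dn(dn: str) -> str:
    """Upper-case attribute types, lower-case values, drop whitespace around
    commas, so 'dc=hq, dc=contoso, dc=com' equals 'DC=hq,DC=contoso,DC=com'.
    Assumption: no escaped commas inside RDN values (true for DC=/OU= bases)."""
    normalized = []
    for part in dn.split(","):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, val = part.split("=", 1)
        normalized.append(f"{attr.strip().upper()}={val.strip().lower()}")
    return ",".join(normalized)


def check_search_base(configured_base: str, ad_domain: str,
                      upn_suffix: str | None = None) -> tuple[bool, str]:
    """Return (ok, explanation) for a configured LDAP search base.

    ok: base equals the domain naming context, or is a container under it.
    not ok: base is an ancestor of the naming context (no such naming context
            on the DC, so every lookup fails) or lies outside the domain.
    If the bad base matches the DN derived from the UPN suffix, say so, since
    that is how the mismatch in the thread was introduced.
    """
    want = normalize_dn(base_dn_from_domain(ad_domain))
    have = normalize_dn(configured_base)
    if have == want:
        return True, "search base equals the domain naming context"
    if have.endswith("," + want):
        return True, "search base is a container beneath the domain naming context"
    if want.endswith("," + have):
        hint = ""
        if upn_suffix and have == normalize_dn(base_dn_from_domain(upn_suffix)):
            hint = " (it was derived from the UPN suffix, not the AD domain)"
        return False, (f"search base is above the domain naming context; the DC "
                       f"holds no such naming context{hint}; use {want}")
    return False, f"search base is outside the domain; use {want}"


if __name__ == "__main__":
    # Constructed inputs mirroring the thread: UPN suffix contoso.com,
    # AD domain hq.contoso.com, search base wrongly set to dc=contoso,dc=com.
    for base in ("dc=contoso,dc=com", "dc=hq,dc=contoso,dc=com",
                 "OU=Staff,DC=hq,DC=contoso,DC=com"):
        ok, why = check_search_base(base, "hq.contoso.com", upn_suffix="contoso.com")
        print(f"{'OK  ' if ok else 'FAIL'} {base}: {why}")
```

The authoritative value to compare against comes from the DC itself: on a domain controller, `(Get-ADDomain).DistinguishedName` prints the naming context, and that string (not anything derived from the users' UPN suffix) is what belongs in the firewall's search base.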
