The Edge SWG(ProxySG) or Advanced Secure Gateway(ASG) is unable to join the Active Directory(AD) domain after upgrading to SGOS versions 6.5.10.6, 6.6.5.5, 6.7.2.1 or higher.

"NERR_DCNotFound" error would popup upon joining domain.

Current versions of Edge SWG or ASG will contact Domain Controllers (DCs) in the local AD Site where Edge SWG belongs to, if AD site is configured. This feature is called "site awareness". Site awareness was added to avoid any network related issues between sites when contacting to remote DCs which would result in performance problems. If the site has only a Read-Only Domain Controller, the Edge SWG would contact the Read-Only DC as it also belongs to the same local AD site as the Edge SWG.  Joining the Edge SWG or ASG to the domain would then fail since Read-Write DCs are required, but not available locally.

Earlier SGOS versions would worked because the Edge SWG or ASG would contact remote DCs in addition to local DCs during joining process.

In SGOS versions 6.5.10.8, 6.6.5.13, 6.7.3.11 and 6.7.4.107, and later introduce a parameter to toggle site awareness behavior now present in previous SGOS versions in order to allow the Edge SWG or ASG to join remote domains if required.

From the CLI:

en
conf t
security windows-domains
site-aware disable

By default site awareness is enabled that is, the Edge SWG or ASG would query only local DCs from a specific Active Directory Site. However once site awareness is disabled, the Edge SWG or ASG would revert to previous behavior and query all sites for DCs during joining process which would alleviate this issue.

Another workaround would be to introduce a Read-Write DC to the local AD site.