Unable to join ProxySG or ASG to domain with error "NERR_DCNotFound"
Last Updated October 11, 2018
The ProxySG or Advanced Secure Gateway(ASG) is unable to join the Active Directory(AD) domain after upgrading to SGOS versions 126.96.36.199, 188.8.131.52, 184.108.40.206 or higher.
"NERR_DCNotFound" error would popup upon joining domain.
Current versions of ProxySG or ASG will contact Domain Controllers (DCs) in the local AD. This feature is called "site awareness". Site awareness was added to avoid any network related issues between sites when contacting to remote DCs which would result in performance problems. If the site has only a Read-Only Domain Controller, the ProxySG would contact the Read-Only DC as it also belongs to the same local AD site as the ProxySG. Joining the ProxySG or ASG to the domain would then fail since Read-Write DCs are required, but not available locally.
Earlier SGOS versions would worked because the ProxySG or ASG would contact remote DCs in addition to local DCs during joining process.
In SGOS versions 220.127.116.11, 18.104.22.168, 22.214.171.124 and 126.96.36.199, and later introduce a parameter to toggle site awareness behavior now present in previous SGOS versions in order to allow the ProxySG or ASG to join remote domains if required.
From the CLI:
en conf t security windows-domains site-aware disable
By default site awareness is enabled that is, the ProxySG or ASG would query only local DCs from a specific Active Directory Site. However once site awareness is disabled, the ProxySG or ASG would revert to previous behavior and query all sites for DCs during joining process which would alleviate this issue.
A workaround would be to downgrade to SGOS 188.8.131.52 or SGOS 184.108.40.206 and below. Another would be to introduce a Read-Write DC to the local site.
Subscribing will provide email updates when this Article is updated. Login is required to Subscribe