ProxySG unable to join the Windows domain if Active Directory (AD) local site has only Read-Only Domain Controllers (RODCs)
Last Updated April 05, 2019
ProxySG is not able to join the AD domain on SGOS versions 220.127.116.11, 18.104.22.168, 22.214.171.124 or higher.
The local AD site to which the ProxySG belongs contains only RODCs.
A change was made in SGOS so that ProxySG contacts only Domain Controllers (DCs) in the local Active Directory (AD) site to which it belongs. This change was introduced to address latency and firewall-related issues when ProxySG contacts DCs in remote geographical locations. As a result, ProxySG cannot join the AD domain if its local AD site includes only Read-Only Domain Controllers (RODCs). Read-Write Domain Controllers (RWDCs) are required for ProxySG to join a domain. Joining worked in prior versions because the SG could contact other RWDCs in remote locations.
This issue will be fixed in a patch release for SGOS 6.5 targeted for January 2018, SGOS 6.6 patch targeted for February 2018, and in SGOS 126.96.36.199.
A new CLI configuration setting for Active Directory Site Awareness, called "site-aware", will be available under "security windows-domains", with the options (enable|disable).
It is enabled by default. If disabled, we simply don't return a site name for the domain even if one exists, so disabling site-aware should fix this issue.
Workaround: Configure at least one RWDC in the local AD site where the SG belongs.
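To see which AD sites have no writable DC, and would therefore hit this join failure, the PowerShell sketch below groups domain controllers by site and flags RODC-only sites. It is an added example, not part of the vendor article; the function name, site names and host names are hypothetical, and the sample data is constructed so the function can be exercised without a domain connection.

```powershell
# Added example: flag AD sites that contain only read-only domain controllers.
# Input objects need Site, HostName and IsReadOnly properties, which is what
# Get-ADDomainController (ActiveDirectory module) returns.
function Get-RodcOnlySite {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]]$DomainController
    )
    begin   { $all = New-Object System.Collections.Generic.List[object] }
    process { foreach ($dc in $DomainController) { $all.Add($dc) } }
    end {
        # One output row per site, with writable and read-only DCs separated.
        $all | Group-Object -Property Site | ForEach-Object {
            $writable = @($_.Group | Where-Object { -not $_.IsReadOnly })
            $readOnly = @($_.Group | Where-Object { $_.IsReadOnly })
            [pscustomobject]@{
                Site        = $_.Name
                WritableDCs = $writable.HostName -join ', '
                ReadOnlyDCs = $readOnly.HostName -join ', '
                # True means a site-aware ProxySG in this site finds no RWDC.
                RodcOnly    = ($writable.Count -eq 0)
            }
        }
    }
}

# Constructed sample data (hypothetical site and host names).
$sample = @(
    [pscustomobject]@{ Site = 'HQ';     HostName = 'dc01.example.test';   IsReadOnly = $false }
    [pscustomobject]@{ Site = 'HQ';     HostName = 'dc02.example.test';   IsReadOnly = $false }
    [pscustomobject]@{ Site = 'Branch'; HostName = 'rodc01.example.test'; IsReadOnly = $true  }
)
$sample | Get-RodcOnlySite | Format-Table -AutoSize

# Against a live domain (requires the RSAT ActiveDirectory module):
# Import-Module ActiveDirectory
# Get-ADDomainController -Filter * | Get-RodcOnlySite | Where-Object RodcOnly
```

With the sample data, the 'Branch' row reports RodcOnly as True, which is the site layout described above where the join fails.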