From SGOS 6.5.2.x onwards, IWA-Direct supports the option of providing a “Preferred” and an “Alternate” Domain Controllers to which proxy will open Schannel Connections for NTLM Credential Validation.
Whenever the “Preferred” DC is online, ProxySG will use it to process the NTLM requests. If it is not online, then the SG will use the alternate DC. When the Preferred DC comes back online, Proxy will switch back to it. If both Preferred and Alternate DCs are not online, Proxy will fall back to the normal DC selection method based on the LDAP Ping response.
Settings for this can be found at WebUI > Configuration > Authentication > Windows Domain and click on Edit by selecting the IWA-Direct realm you want to set.