Edge SWG (ProxySG) is not able to join an AD domain on SGOS versions 6.5.10.6, 6.6.5.8, 6.7.2.1 or higher.
The AD site to which the Edge SWG (ProxySG) belongs contains only Read-Only Domain Controllers (RODCs).
A change was made in SGOS so that Edge SWG (ProxySG) contacts only the Domain Controllers (DCs) in the Active Directory (AD) site to which it belongs. This change was introduced to address latency and firewall-related issues that occurred when Edge SWG (ProxySG) contacted DCs in remote geographical locations. With this change, Edge SWG (ProxySG) cannot join the AD domain if its local AD site includes only RODCs, because Read-Write Domain Controllers (RWDCs) are required for Edge SWG (ProxySG) to join a domain. The join worked in prior versions because Edge SWG (ProxySG) could contact RWDCs in remote locations.
This issue will be fixed in a patch release for SGOS 6.5 targeted for January 2018, in a patch release for SGOS 6.6 targeted for February 2018, and in SGOS 6.7.4.1.
The fix adds a new CLI configuration setting for Active Directory Site Awareness under "security windows-domains" called "site-aware", which takes the options (enable|disable).
From the CLI:
en
conf t
security windows-domains
site-aware disable
The site-aware setting is enabled by default. When it is disabled, no site name is returned for the domain even if one exists, so disabling site-aware should fix this issue.
Workaround: Configure at least one RWDC in the local AD site to which the Edge SWG (ProxySG) belongs.
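
To confirm whether a site is affected, the following added example (not vendor code) lists the DCs in a given AD site and reports whether any of them is writable. It assumes a domain-joined Windows host with the ActiveDirectory PowerShell module (RSAT); the function name Test-SiteHasWritableDc and the site name 'EXAMPLE-SITE' are placeholders.

```powershell
# Added example, not vendor code. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Test-SiteHasWritableDc {
    [CmdletBinding()]
    param(
        # AD site that the proxy's subnet maps to (supplied by the caller).
        [Parameter(Mandatory)]
        [string] $SiteName
    )

    # Enumerate every DC in the domain, then keep those in the requested site.
    $siteDcs = @(Get-ADDomainController -Filter * |
        Where-Object { $_.Site -eq $SiteName })

    if ($siteDcs.Count -eq 0) {
        Write-Warning "No domain controllers found in site '$SiteName'."
        return $false
    }

    # Show each DC in the site together with its read-only flag.
    $siteDcs | Sort-Object HostName |
        Format-Table HostName, IPv4Address, IsReadOnly -AutoSize | Out-Host

    # A site-aware domain join needs at least one DC that is not read-only.
    $writable = @($siteDcs | Where-Object { -not $_.IsReadOnly })
    if ($writable.Count -eq 0) {
        Write-Warning "Site '$SiteName' contains only RODCs; a site-aware join has no RWDC to contact."
        return $false
    }

    Write-Host "Site '$SiteName' has $($writable.Count) writable DC(s)."
    return $true
}

# 'EXAMPLE-SITE' is a placeholder; replace it with the proxy's AD site name.
Test-SiteHasWritableDc -SiteName 'EXAMPLE-SITE'
```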