The ProxySG or Advanced Secure Gateway (ASG) is unable to join the Active Directory (AD) domain after upgrading to SGOS versions 6.5.10.6, 6.6.5.5, 6.7.2.1 or higher.
The error "NERR_DCNotFound" is displayed when attempting to join the domain.
Current versions of ProxySG or ASG contact only the Domain Controllers (DCs) in the local AD Site to which the ProxySG belongs, if an AD site is configured. This feature is called "site awareness". Site awareness was added to avoid network-related issues (and the resulting performance problems) when contacting remote DCs in other sites. If the local site has only a Read-Only Domain Controller, the ProxySG contacts that Read-Only DC, because it belongs to the same local AD site as the ProxySG. Joining the ProxySG or ASG to the domain then fails, since a Read-Write DC is required for the join but none is available locally.
Earlier SGOS versions worked because the ProxySG or ASG contacted remote DCs in addition to local DCs during the join process.
SGOS versions 6.5.10.8, 6.6.5.13, 6.7.3.11, 6.7.4.107 and later introduce a parameter to toggle the site awareness behavior, restoring the behavior of previous SGOS versions so that the ProxySG or ASG can join remote domains if required.
From the CLI:
en
conf t
security windows-domains
site-aware disable
By default, site awareness is enabled; that is, the ProxySG or ASG queries only the local DCs of its specific Active Directory Site. Once site awareness is disabled, the ProxySG or ASG reverts to the previous behavior and queries all sites for DCs during the join process, which resolves this issue.
Another workaround is to add a Read-Write DC to the local AD site.
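Before choosing between the two fixes, it is worth confirming that the ProxySG's AD site really contains no writable DC. The following PowerShell check is an added example and is not part of this article or of the ProxySG/ASG product; it assumes a domain-joined Windows host with the RSAT ActiveDirectory module installed, and the domain name and site name are placeholders to be replaced with your own values.

```powershell
# Added example (not from the KB article). Lists the DCs in the AD site the ProxySG/ASG
# belongs to and reports whether any of them is writable.
param(
    [string]$Domain = 'corp.example.com',   # placeholder: your AD domain
    [string]$Site   = 'BranchSite'          # placeholder: AD site covering the ProxySG/ASG IP
)

Import-Module ActiveDirectory

# Every DC registered in the site, with its read-only flag.
$dcs = Get-ADDomainController -Filter "Site -eq '$Site'" -Server $Domain |
       Select-Object HostName, Site, IsReadOnly, IsGlobalCatalog, IPv4Address

$dcs | Format-Table -AutoSize

# A join needs a Read-Write DC; with site awareness enabled the appliance only sees this list.
$writable = @($dcs | Where-Object { -not $_.IsReadOnly })

if ($writable.Count -eq 0) {
    Write-Warning "Site '$Site' has no writable DC: a site-aware join from this site will fail with NERR_DCNotFound."
    Write-Warning "Either disable site awareness on the ProxySG/ASG (security windows-domains / site-aware disable) or add a Read-Write DC to the site."
} else {
    Write-Host "Site '$Site' has $($writable.Count) writable DC(s); site awareness is not the cause of the join failure."
}

# Cross-check with the Windows DC locator: request a writable DC restricted to the same site.
# With only an RODC in the site this lookup fails in the same way the appliance's join does.
nltest /dsgetdc:$Domain /site:$Site /writable
```

Run the script from a host in the same site as the appliance, or pass the site name explicitly. If the script reports at least one writable DC in the site, the NERR_DCNotFound error has a different cause and disabling site awareness will not help.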