Problems Joining Active Directory (DRAFT)

Overview

What should I do if I get an error message that says the DXi has not joined a Windows domain?

  1. Synchronize the clock. Select Configuration > System > Date & Time.
  2. If the join still fails, check the /var/log/messages file. Look for a message that says a stronger authentication is required, which indicates that this is perhaps a Windows security policy issue.
  3. Expand <Domain_Name>, right-click Default Domain Policy, and select Edit… to open Group Policy Object Editor, where the Group Policy can be changed.
  4. Expand Windows Settings, and expand Security Settings.
  5. Expand Local Policies and select Security Options. Notice whether the LDAP server signing setting requires signing.

Note: Windows AD uses Policy-based management. Security settings in Policy-based management could prevent the DXi from successfully joining the AD Domain.

Requiring signing in environments where clients do not support LDAP signing, or where client-side LDAP signing is not enabled on the client, is considered a risky or harmful configuration.

Reasons to Enable This Setting
Unsigned network traffic is susceptible to man-in-the-middle attacks where an intruder captures packets between the client and the server, modifies the packets, and then forwards them to the server. When this behavior occurs on an LDAP server, an attacker could cause a server to make decisions that are based on false queries from the LDAP client. You can lower this risk in a corporate network by implementing strong physical security measures to help protect the network infrastructure. Internet Protocol security (IPSec) authentication header mode can make man-in-the-middle attacks extremely difficult. Authentication header mode performs mutual authentication and packet integrity for IP traffic.


Reasons to Disable This Setting
Clients that do not support LDAP signing will not be able to carry out LDAP queries against domain controllers and global catalogs if NTLM authentication is negotiated and the correct service packs are not installed on Windows 2000 domain controllers.
Network traces of LDAP traffic between clients and servers will be encrypted, making it difficult to examine LDAP conversations.

To view or modify the Security Policy settings from the Group Policy Management console, perform the following steps:


  1. Select Administrative Tools > Active Directory Users and Computers.
  2. Right-click <Domain_Name>, select Properties, click Group Policy tab.
  3. Click Open to display Group Policy Management console.
  4. Expand <Domain_Name>, right-click Default Domain Policy.
  5. Select Edit… to open Group Policy Object Editor. Check Enforce for Group Domain Policy to override Local Security Policy settings.
  6. Expand Windows Settings, expand Security Settings.
  7. Expand Local Policies, select Security Options.
  8. Enable LDAP signing on the DXi. Select Configuration > NAS > Advanced Setting, then select Enable LDAP Signing. Then check the command line entry in /snfs/common/galaxy-config/nas/smb.conf.extra to make sure it reads:
    client ldap sasl wrapping = plain (when LDAP signing is disabled)
    client ldap sasl wrapping = sign (when LDAP signing is enabled)
  9. Select Administrative Tools > Active Directory Users and Computers.
  10. Select Computers to view DXi joined to AD Domain.
  11. To verify from the DXi, the net ads commands are also available.
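The file-based checks from the two procedures above (the /var/log/messages message in step 2 of the first list, and the smb.conf.extra value in step 8 of the second) can be scripted on the DXi shell. The following is an added example and is not Quantum's code or part of this page's original content. It assumes the two paths the page gives, that the syslog line contains either the page's wording ("stronger authentication is required") or the LDAP result text "Strong(er) authentication required" (an assumption about wording), and that the usual 5-minute Kerberos clock tolerance applies (a default, not a value stated on the page). All sample log and configuration lines are constructed.

```sh
#!/bin/sh
# Added example, not part of the DXi product or of this page's original content.
# Triage helper for the AD-join checks described above. It only reads files and
# compares numbers, so it can be run against copied logs before the DC is touched.
#
# Assumptions (labelled): the syslog path /var/log/messages and the Samba extra
# config /snfs/common/galaxy-config/nas/smb.conf.extra come from the page; the
# syslog wording is matched loosely ("stronger authentication is required" or
# "Strong(er) authentication required"); the 300 s clock tolerance is the usual
# Kerberos default, not a value stated on the page.

KRB_MAX_SKEW=300

# Step 1 check: is the DXi clock within Kerberos tolerance of the DC?
# Arguments: local epoch seconds, DC epoch seconds (for a live check, use
# `date +%s` locally and parse the DC time reported by `net time -S <dc>`).
# Returns 0 if the skew is acceptable, 1 if the join would fail on it.
clock_skew_ok() {
    d=$(( $1 - $2 ))
    [ "$d" -lt 0 ] && d=$(( 0 - d ))
    [ "$d" -le "$KRB_MAX_SKEW" ]
}

# Step 2 check: did the DC reject the bind because it requires LDAP signing?
# Returns 0 if a matching line is present in the given log file.
dc_requires_signing() {
    grep -iqE 'strong(er|\(er\))?[[:space:]]+authentication[[:space:]]+(is[[:space:]]+)?required' "$1"
}

# Step 8 check: effective 'client ldap sasl wrapping' value in smb.conf.extra.
# Prints the last value set, or "plain" when the line is absent (Samba's default).
client_sasl_wrapping() {
    awk -F= '
        $1 ~ /^[[:space:]]*client[[:space:]]+ldap[[:space:]]+sasl[[:space:]]+wrapping[[:space:]]*$/ {
            v = $2
            sub(/#.*/, "", v)                            # drop a trailing comment
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)   # trim whitespace
        }
        END { print (v == "" ? "plain" : v) }' "$1"
}

# Combine the file-based checks into one verdict the operator can act on.
# Arguments: log path, smb.conf.extra path. Prints one of:
#   dc-requires-signing/client-plain/enable-ldap-signing
#   dc-requires-signing/client-sign/check-clock-and-credentials   (or client-seal)
#   no-signing-error/client-<value>/check-clock-and-credentials
join_triage() {
    wrap=$(client_sasl_wrapping "$2")
    if dc_requires_signing "$1"; then
        case "$wrap" in
            sign|seal) echo "dc-requires-signing/client-$wrap/check-clock-and-credentials" ;;
            *)         echo "dc-requires-signing/client-$wrap/enable-ldap-signing" ;;
        esac
    else
        echo "no-signing-error/client-$wrap/check-clock-and-credentials"
    fi
}

# Stand-alone demonstration on constructed sample files (not real DXi output).
demo() {
    t=$(mktemp -d)
    printf '%s\n' \
        'Jun  1 10:00:01 dxi winbindd[1234]: ads_connect: Strong(er) authentication required' \
        > "$t/messages"
    printf '%s\n' '# written by Configuration > NAS > Advanced Setting' \
        'client ldap sasl wrapping = plain' > "$t/smb.conf.extra.plain"
    printf '%s\n' 'client ldap sasl wrapping = sign' > "$t/smb.conf.extra.sign"
    join_triage "$t/messages" "$t/smb.conf.extra.plain"   # signing still disabled
    join_triage "$t/messages" "$t/smb.conf.extra.sign"    # after enabling LDAP signing
    rm -rf "$t"
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with --demo to see both verdicts on the constructed files, or call join_triage with the real paths on the DXi. For the live check in step 11, Samba's net tool provides net ads testjoin, which reports whether the machine account is still valid, and net ads info, which shows the DC being used and its time; the triage above only tells you which of the page's steps to go back to.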

Resources

For more information, review the Active Directory Hot Topic.


This page was generated by the BrainKeeper Enterprise Wiki, © 2018