About Network Integration Features : Joining a SteelHead to a Windows domain
  
Joining a SteelHead to a Windows domain
When joining a SteelHead to a Windows domain, follow a few key guidelines to ensure a successful connection. First, synchronize the SteelHead’s time with the domain time, keeping it within 5 minutes for NTLM authentication or 30 seconds for Kerberos. Using an NTP server helps keep the SteelHead’s time accurate. Make sure the Primary (management) interface is connected to the LAN and has access to DNS, NTP, and Active Directory, as all domain functions use this interface.
For DNS configuration, verify that both A and reverse lookup records exist for the SteelHead’s primary interface. Set the Active Directory DNS server on the SteelHead to enable domain controller lookups. Add the domain suffix (for example, domain.riverbed.com) to the DNS Settings section on the Networking > Host Settings page. Also, ensure that Windows clients use this DNS server. To support SMB signing, the server-side SteelHead must be resolvable via DNS.
If unauthorized domain join attempts occur, configure the SteelHead to ignore trusted domains and explicitly specify only the desired domains. The SteelHead hostname must be 15 characters or fewer, and the FQDN should match what’s configured for all Windows clients. Before joining the domain, make sure the SteelHead’s hostname doesn’t already exist in the Active Directory. If it's in an Organizational Unit (OU) instead of the default container, check there.
For RiOS 9.5 and earlier, SMB1 (CIFS) must be enabled on the domain controller. RiOS 9.6 and later support SMB2/3. Joining the domain for Kerberos requires a Windows user with permission to add a workstation; NTLM requires permission to add a domain controller. Don’t use a limited user account—use one that can assign the SteelHead to the correct group or OU and update the userAccountControl attribute. Domain admin credentials are not stored on the SteelHead after the join is complete.
When specifying the domain username, enter just the username (for example, username), not the domain prefix (for example, DOMAIN\username). If using a non-admin Windows account, precreate a computer account for the SteelHead and assign extra privileges.
For Kerberos in restricted trust environments (such as Office 365 or managed service providers), use a one-way trust configuration and ensure the required ports are open to all domain controllers. (For more detailed steps, see the SteelHead Deployment Guide - Protocols or these related Knowledge Base articles: S25759, S27002, S30252, S22468, S18097.)
Protocol                                Port
SMB1, SMB2/3                            TCP 139 (legacy Windows implementations); TCP 445 (more recent Windows implementations)
LDAP                                    TCP/UDP 389
Kerberos                                TCP/UDP 88
DNS                                     UDP 53
SMB1-Named-Pipes, SMB2/3-Named-Pipes    TCP 445
EPM/RPC                                 TCP 135
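The guidelines above (clock skew limit per authentication type, A and reverse DNS records for the primary interface, the 15-character hostname limit, and the ports that must be open to every domain controller) can be checked before attempting the join. The following script is an added example run from a Linux or macOS admin host, not Riverbed code; the FQDN, domain controller name and NTP offset in it are constructed sample values.

```python
"""Pre-join checklist for a SteelHead joining a Windows domain (added example)."""
import socket

MAX_NETBIOS_NAME = 15                      # SteelHead hostname must be 15 characters or fewer
SKEW_LIMIT = {"kerberos": 30, "ntlm": 300}  # seconds, as stated on the page
# TCP ports the page lists as required towards every domain controller.
# UDP 53/88/389 and legacy TCP 139 are not probed here.
TCP_PORTS = {"SMB/Named pipes": 445, "LDAP": 389, "Kerberos": 88, "EPM/RPC": 135}


def hostname_ok(name: str) -> bool:
    """The short (NetBIOS) name, i.e. the FQDN's first label, must be 1..15 chars."""
    short = name.split(".")[0]
    return 0 < len(short) <= MAX_NETBIOS_NAME


def skew_ok(offset_seconds: float, auth: str) -> bool:
    """True when the clock offset against the domain is within the limit for auth."""
    return abs(offset_seconds) <= SKEW_LIMIT[auth.lower()]


def dns_consistent(fqdn: str) -> bool:
    """A record for the FQDN must exist and its PTR must resolve back to that FQDN."""
    try:
        ip = socket.gethostbyname(fqdn)
        reverse_name, _aliases, _addrs = socket.gethostbyaddr(ip)
    except OSError:
        return False
    return reverse_name.lower().rstrip(".") == fqdn.lower().rstrip(".")


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """TCP connect probe; returns False on refusal, timeout or resolution failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def closed_dc_ports(dc: str) -> list:
    """Names of required services whose TCP port is not reachable on the DC."""
    return [svc for svc, port in TCP_PORTS.items() if not tcp_open(dc, port)]


if __name__ == "__main__":
    # Constructed sample values (assumptions); replace with the real SteelHead FQDN,
    # domain controller and the offset reported by your NTP client.
    fqdn, dc, offset = "steelhead-01.domain.riverbed.com", "dc1.domain.riverbed.com", 12.0
    print("hostname length ok :", hostname_ok(fqdn))
    print("kerberos skew ok   :", skew_ok(offset, "kerberos"))
    print("A/PTR consistent   :", dns_consistent(fqdn))
    print("closed DC ports    :", closed_dc_ports(dc))
```

Run the checks against each domain controller the SteelHead can reach, since the page requires the ports to be open to all of them, not just one.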