Checking domain health
You run Windows domain diagnostic tests on a SteelHead in the Reports > Diagnostics: Domain Health Check page.
The RiOS Windows domain health check executes a variety of tests that provide diagnostics about the status of domain membership, both manual and automatic constrained delegation, and DNS resolution. This information enables you to resolve issues quickly.
Before running domain diagnostic delegation tests, choose Optimization > Active Directory: Auto Config or Optimization > Active Directory: Service Accounts to configure a Windows user account that you can use for delegation purposes. The Windows domain health check on the SteelHead doesn’t create the delegate user; the Windows domain administrator must create the account in advance. For details, see About Active Directory easy configuration.
You run domain health tests under Reports > Diagnostics: Domain Health Check.
Test DNS
Checks SteelHead DNS settings, which must be correct for Windows domain authentication, SMB signing, SMB2/3 signing, and encrypted MAPI optimization. A test status appears for the most recent test run: Passed, Failed, or Undetermined.
• Domain/Realm—Specify the fully qualified Active Directory domain in which the SteelHead is a member. Typically, this is your company domain name.
• Test DNS—Click to run the test. The Management Console dims this button until you specify the domain name.
Test Join
Confirms that the SteelHead is correctly joined to the Windows domain by verifying that the domain join configuration of the SteelHead is valid on the backend domain controller in Active Directory. A test status appears for the most recent test run: Passed, Failed, or Undetermined.
• Test Join—Click to run the test.
Test Delegation Setup
Checks whether an account has the necessary Active Directory privileges for delegation or automatic delegation. A test status appears for the most recent test run: Passed, Failed, or Undetermined.
• Delegation Domain/Realm—Select the fully qualified domain in which the SteelHead is a member. Typically, this is your company domain name.
• Domain Controller—Specify the host that provides user login service in the domain.
• Test Delegation Setup—Click to run the test. The Management Console dims this button until you specify all required information.
Test Delegation Privileges
Confirms delegation privileges for a particular server by verifying that the correct privileges are set to perform constrained delegation. Within SMB signing, SMB2/3 signing, and encrypted MAPI in delegation mode, the SteelHead and the AD environment must have correct privileges to obtain Kerberos tickets for the CIFS or Exchange Server and perform the subsequent authentication. A test status appears for the most recent test run: Passed, Failed, or Undetermined.
• Delegation Domain/Realm—Select the domain in which the SteelHead is a member. Typically, this is your company domain name.
• Server—Specify a delegate server hostname.
• Server IP—Specify the delegate server IP address.
• Service—Select either CIFS or Exchange MDB.
• Account to Delegate—Specify a domain username.
• Test Delegation Privileges—Click to run the test. The Management Console dims this button until you specify all required information.
Test NTLM Authentication
Tests whether NTLM can successfully authenticate a user to the joined domain. A test status appears for the most recent test run: Passed, Failed, or Undetermined.
• Username—Specify an Active Directory domain username.
• Password—Specify a password.
• Domain/Realm—Specify the fully qualified domain of the Active Directory in which the SteelHead is a member. Typically, this is your company domain name.
• Short Domain Name—Specify the short domain (NetBIOS) name if it doesn’t match the first portion of the Active Directory domain name. Case matters; NBTTECH isn’t the same as nbttech.
• Test NTLM Authentication—Click to run the test. The Management Console dims this button until you specify all required information.
Common domain health errors
This section describes common problems that can occur when joining a Windows domain.
System time mismatch
The number one cause of failing to join a domain is a significant difference in the system time on the Windows domain controller and the SteelHead. When the time on the domain controller and the SteelHead don’t match, this error message appears:
lt-kinit: krb5_get_init_creds: Clock skew too great
We recommend using NTP time synchronization to synchronize the client and server clocks. It is critical that the SteelHead time is the same as on the Active Directory controller. Sometimes an NTP server is down or inaccessible, in which case there can be a time difference. You can also disable NTP if it isn’t being used and manually set the time. You must also verify that the time zone is correct. For details, see About the date and time settings.
Select the primary DNS IP address to view the Networking > Networking: Host Settings page.
Invalid domain controller IP
A domain join can fail when the DNS server returns an invalid IP address for the Domain Controller. When a DNS misconfiguration occurs during an attempt to join a domain, these error messages appear:
Failed to join domain: failed to find DC for domain <domain name>
Failed to join domain: No Logon Servers
Additionally, the Domain Join alarm triggers and messages similar to these appear in the logs:
Oct 13 14:47:06 bravo-sh81 rcud[10014]: [rcud/main/.ERR] - {- -} Lookup for bravo-sh81.GEN-VCS78DOM.COM Failed
Oct 13 14:47:06 bravo-sh81 rcud[10014]: [rcud/main/.ERR] - {- -} Failed to join domain: failed to find DC for domain GEN-VCS78DOM.COM
When you encounter this error, choose Networking > Networking: Host Settings and verify that the DNS settings are correct.
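The two failure causes described in this section (system time mismatch and invalid domain controller IP) can be sorted out of an exported log with a short triage script. This is an added example, not Riverbed code: it assumes the log line shape shown above, the cause labels and the REMEDY text are hypothetical names chosen here, and every sample line except the two quoted from this page is constructed.

```python
import re
from collections import defaultdict

# Line shape copied from the rcud log lines quoted on this page.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[\w.-]+)\[\d+\]: \[[^\]]*\] - \{[^}]*\} (?P<msg>.*)$"
)
# Error strings quoted on this page, mapped to a cause label (labels are hypothetical).
CAUSES = [
    (re.compile(r"Clock skew too great"), "time-mismatch"),
    (re.compile(r"failed to find DC for domain (?P<domain>\S+)"), "dns-dc-lookup"),
    (re.compile(r"No Logon Servers"), "dns-dc-lookup"),
    (re.compile(r"Lookup for (?P<fqdn>\S+) Failed"), "dns-dc-lookup"),
]
# Where this page says to look for each cause.
REMEDY = {
    "time-mismatch": "compare SteelHead and domain controller time; check NTP and time zone",
    "dns-dc-lookup": "verify DNS under Networking > Networking: Host Settings",
}

def classify(message):
    """Return (cause, captured fields) for a known error string, else (None, {})."""
    for pattern, cause in CAUSES:
        match = pattern.search(message)
        if match:
            return cause, match.groupdict()
    return None, {}

def triage(lines):
    """Group recognised errors as {host: {cause: [(timestamp, message), ...]}}."""
    findings = defaultdict(lambda: defaultdict(list))
    for raw in lines:
        match = LINE_RE.match(raw.strip())
        if not match:
            continue  # not in the expected log shape
        cause, _ = classify(match["msg"])
        if cause:
            findings[match["host"]][cause].append((match["ts"], match["msg"]))
    return {host: dict(causes) for host, causes in findings.items()}

# First two lines are quoted from this page; the last two are constructed.
SAMPLE_LOG = [
    "Oct 13 14:47:06 bravo-sh81 rcud[10014]: [rcud/main/.ERR] - {- -} Lookup for bravo-sh81.GEN-VCS78DOM.COM Failed",
    "Oct 13 14:47:06 bravo-sh81 rcud[10014]: [rcud/main/.ERR] - {- -} Failed to join domain: failed to find DC for domain GEN-VCS78DOM.COM",
    "Oct 13 14:50:11 example-sh02 rcud[10020]: [rcud/main/.ERR] - {- -} lt-kinit: krb5_get_init_creds: Clock skew too great",
    "Oct 13 14:51:00 example-sh02 rcud[10020]: [rcud/main/.INFO] - {- -} constructed informational line",
]

if __name__ == "__main__":
    for host, causes in triage(SAMPLE_LOG).items():
        for cause, hits in causes.items():
            print(f"{host}: {cause} x{len(hits)} -> {REMEDY[cause]}")
```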