https://kb.netapp.com/support/index?page=content&id=1012918

Which basically says - try pointing your filer at a writable DC.

That's difficult, for a variety of reasons - not least because this is an isolated network segment, and the vfiler is in it's own IP space.

Does anyone know a better way of joining the domain? On a standalone Linux/Windows box, I can manually create machine accounts and set necessary passwords.

The firewall is run by a separate team, and so temporary rules for this purpose is a nuisance. (Probably not _completely_ impossible though).

Has anyone done this and come up with a better solution? The 'domain join' process isn't _that_ complicated, in that all it's doing is generating a local kerberos keytab and setting a local shared secret.  

Thanks and regards,
Ed Rolison