How to break the AD tools with incorrect NIC settings


I spent a few hours today trying to figure out why the AD tools (AD Users & Computer, AD Sites & Services, etc) were not working on an Exchange 2010 server, running on Windows 2008 R2, today. The odd thing was that Exchange was working fine but the following errors were being generated in the Application log about every five minutes.

Event ID: 6003

Source: MSExchange SACL Watcher

SACL Watcher servicelet encountered an error while monitoring SACL change.

Got error 1722 opening group policy on system wfsad02.company.local in domain company.

DCDIAG was also failing on multiple tests, see “DCDIAG results” at the end of this post. The odd thing was that DCDIAG test were working fine against DC outside of the AD Site the Exchange server was in.

After running multiple tests from different servers this server was the only one having these issues. So I then decided to check some NIC settings and discovered the issue:

The above settings would be OK if this NIC was being used for iSCSI communications. But for client traffic ALL of the above should be checked\enabled. For DAG replication traffic TCP/IPv4, TCP/IPv6, and the two Link-Layer options should also be checked.

So to break the AD tools and cause DCDIAG errors just uncheck these options. After doing this you won’t find much help searching for the errors as I found out. So I wrote this post to hopefully help others who have a misconfigured NIC on a Windows server.

DCDIAG results

Testing server: WFS\WFSAD01

Starting test: Advertising

Fatal Error:DsGetDcName (WFSAD01) call failed, error 1722

The Locator could not find the server.

……………………. WFSAD01 failed test Advertising

Starting test: SysVolCheck

[WFSAD01] An net use or LsaPolicy operation failed with error 1231,

The network location cannot be reached. For information about network troubleshooting, see Windows Help..

……………………. WFSAD01 failed test SysVolCheck

Starting test: MachineAccount

Could not open pipe with [WFSAD01]:failed with 1231:

The network location cannot be reached. For information about network troubleshooting, see Windows Help.

Could not get NetBIOSDomainName

Failed can not test for HOST SPN

Failed can not test for HOST SPN

Starting test: NetLogons

[WFSAD01] An net use or LsaPolicy operation failed with error 1231,

The network location cannot be reached. For information about network troubleshooting, see Windows Help..

……………………. WFSAD01 failed test NetLogons

Starting test: Services

Could not open Remote ipc to [WFSAD01.company.local]: error 0x4cf

“The network location cannot be reached. For information about network troubleshooting, see Windows Help.”

……………………. WFSAD01 failed test Services

Running enterprise tests on : company.local

Starting test: LocatorCheck

Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1722

A Global Catalog Server could not be located – All GC’s are down.

Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1722

A Primary Domain Controller could not be located.

The server holding the PDC role is down.

Warning: DcGetDcName(TIME_SERVER) call failed, error 1722

A Time Server could not be located.

The server holding the PDC role is down.

Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1722

A Good Time Server could not be located.

Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1722

A KDC could not be located – All the KDCs are down.

……………………. company.local failed test LocatorCheck

  • Note: Per KB2512643 the DFSREvent, FrsEvent, KccEvent, & SystemLog “The RPC server in unavailable” expected when Windows Firewall is enabled on DCs
  • I skipped these test using the following command, so their results were not included in the above DCDIAG output:
    dcdiag /s:wfsad02 /e /skip:kccevent /skip:systemlog /skip:DFSREvent /skip:FrsEvent

About jasonsherry

I am a 20 year Exchange consultant and expert. I currently work for Commvault as a Solutions Specialist for Microsoft Infrastructure For more info see my resume at: http://jasonsherry.org
This entry was posted in Exchange, Microsoft, Technical and tagged , . Bookmark the permalink.

One Response to How to break the AD tools with incorrect NIC settings

  1. George Smithers says:

    This page got me thinking in a totally different way after running down rabbit holes, and that led to the solution of a problem I have been researching for days. The components you referenced above were not enabled on my server either, and that led to RPC issues in my SBS 2008 to Windows 2016 migration. I ended up uninstalling Hyper-V (which never should have been installed on SBS 2008 to begin with) to return to one physical adapter with everything enabled. Thank you so much! Now I can move on with my life. 🙂

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s