I spent a few hours today trying to figure out why the AD tools (AD Users & Computer, AD Sites & Services, etc) were not working on an Exchange 2010 server, running on Windows 2008 R2, today. The odd thing was that Exchange was working fine but the following errors were being generated in the Application log about every five minutes.

Event ID: 6003

Source: MSExchange SACL Watcher

SACL Watcher servicelet encountered an error while monitoring SACL change.

Got error 1722 opening group policy on system wfsad02.company.local in domain company.

DCDIAG was also failing on multiple tests, see “DCDIAG results” at the end of this post. The odd thing was that DCDIAG test were working fine against DC outside of the AD Site the Exchange server was in.

After running multiple tests from different servers this server was the only one having these issues. So I then decided to check some NIC settings and discovered the issue:

The above settings would be OK if this NIC was being used for iSCSI communications. But for client traffic ALL of the above should be checked\enabled. For DAG replication traffic TCP/IPv4, TCP/IPv6, and the two Link-Layer options should also be checked.

So to break the AD tools and cause DCDIAG errors just uncheck these options. After doing this you won’t find much help searching for the errors as I found out. So I wrote this post to hopefully help others who have a misconfigured NIC on a Windows server.

DCDIAG results

Testing server: WFS\WFSAD01

Starting test: Advertising

Fatal Error:DsGetDcName (WFSAD01) call failed, error 1722

The Locator could not find the server.

……………………. WFSAD01 failed test Advertising

Starting test: SysVolCheck

[WFSAD01] An net use or LsaPolicy operation failed with error 1231,

The network location cannot be reached. For information about network troubleshooting, see Windows Help..

……………………. WFSAD01 failed test SysVolCheck

Starting test: MachineAccount

Could not open pipe with [WFSAD01]:failed with 1231:

The network location cannot be reached. For information about network troubleshooting, see Windows Help.

Could not get NetBIOSDomainName

Failed can not test for HOST SPN

Failed can not test for HOST SPN

Starting test: NetLogons

[WFSAD01] An net use or LsaPolicy operation failed with error 1231,

The network location cannot be reached. For information about network troubleshooting, see Windows Help..

……………………. WFSAD01 failed test NetLogons

Starting test: Services

Could not open Remote ipc to [WFSAD01.company.local]: error 0x4cf

“The network location cannot be reached. For information about network troubleshooting, see Windows Help.”

……………………. WFSAD01 failed test Services

Running enterprise tests on : company.local

Starting test: LocatorCheck

Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1722

A Global Catalog Server could not be located – All GC’s are down.

Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1722

A Primary Domain Controller could not be located.

The server holding the PDC role is down.

Warning: DcGetDcName(TIME_SERVER) call failed, error 1722

A Time Server could not be located.

The server holding the PDC role is down.

Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1722

A Good Time Server could not be located.

Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1722

A KDC could not be located – All the KDCs are down.

……………………. company.local failed test LocatorCheck

• Note: Per KB2512643 the DFSREvent, FrsEvent, KccEvent, & SystemLog “The RPC server in unavailable” expected when Windows Firewall is enabled on DCs
• I skipped these test using the following command, so their results were not included in the above DCDIAG output:
  dcdiag /s:wfsad02 /e /skip:kccevent /skip:systemlog /skip:DFSREvent /skip:FrsEvent