I spent a few hours today trying to figure out why the AD tools (AD Users & Computers, AD Sites & Services, etc.) were not working on an Exchange 2010 server running on Windows 2008 R2. The odd thing was that Exchange was working fine, but the following errors were being generated in the Application log about every five minutes.
Event ID: 6003
Source: MSExchange SACL Watcher
SACL Watcher servicelet encountered an error while monitoring SACL change.
Got error 1722 opening group policy on system wfsad02.company.local in domain company.
DCDIAG was also failing on multiple tests; see “DCDIAG results” at the end of this post. The odd thing was that DCDIAG tests were working fine against DCs outside of the AD Site the Exchange server was in.
After running multiple tests from different servers this server was the only one having these issues. So I then decided to check some NIC settings and discovered the issue:
The above settings would be OK if this NIC was being used for iSCSI communications. But for client traffic ALL of the above should be checked/enabled. For DAG replication traffic TCP/IPv4, TCP/IPv6, and the two Link-Layer options should also be checked.
So to break the AD tools and cause DCDIAG errors just uncheck these options. After doing this you won’t find much help searching for the errors as I found out. So I wrote this post to hopefully help others who have a misconfigured NIC on a Windows server.
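An added example, not from the original post: a PowerShell audit that lists every disabled binding on connected adapters and marks the four components the post names explicitly. It assumes the NetAdapter module (Windows Server 2012 or later, so not the 2008 R2 server described here); the function name Get-DisabledNicBinding is hypothetical.

```powershell
# Added example. Requires the NetAdapter module (Windows Server 2012 / Windows 8 or later).
# Component IDs for the four bindings the post names explicitly.
$named = @{
    'ms_tcpip'  = 'TCP/IPv4'
    'ms_tcpip6' = 'TCP/IPv6'
    'ms_lltdio' = 'Link-Layer Topology Discovery Mapper I/O Driver'
    'ms_rspndr' = 'Link-Layer Topology Discovery Responder'
}

# Hypothetical helper: returns one object per disabled binding on each connected adapter.
function Get-DisabledNicBinding {
    param(
        # Adapter name pattern; '*' audits every adapter.
        [string]$Name = '*'
    )
    foreach ($adapter in Get-NetAdapter -Name $Name | Where-Object Status -eq 'Up') {
        $bindings = Get-NetAdapterBinding -Name $adapter.Name
        foreach ($b in $bindings | Where-Object { -not $_.Enabled }) {
            [pscustomobject]@{
                Adapter     = $adapter.Name
                ComponentID = $b.ComponentID
                DisplayName = $b.DisplayName
                NamedInPost = $named.ContainsKey($b.ComponentID)
            }
        }
    }
}

$disabled = @(Get-DisabledNicBinding)
if ($disabled.Count -eq 0) {
    'No disabled bindings on any connected adapter.'
} else {
    $disabled | Sort-Object Adapter, ComponentID | Format-Table -AutoSize
    # Review each row before changing anything: a NIC dedicated to iSCSI
    # is expected to show up here with most components unbound.
    # To re-enable one binding after review:
    #   Enable-NetAdapterBinding -Name '<adapter>' -ComponentID '<component id>'
}
```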
DCDIAG results
Testing server: WFS\WFSAD01
Starting test: Advertising
Fatal Error:DsGetDcName (WFSAD01) call failed, error 1722
The Locator could not find the server.
……………………. WFSAD01 failed test Advertising
Starting test: SysVolCheck
[WFSAD01] An net use or LsaPolicy operation failed with error 1231,
The network location cannot be reached. For information about network troubleshooting, see Windows Help..
……………………. WFSAD01 failed test SysVolCheck
Starting test: MachineAccount
Could not open pipe with [WFSAD01]:failed with 1231:
The network location cannot be reached. For information about network troubleshooting, see Windows Help.
Could not get NetBIOSDomainName
Failed can not test for HOST SPN
Failed can not test for HOST SPN
Starting test: NetLogons
[WFSAD01] An net use or LsaPolicy operation failed with error 1231,
The network location cannot be reached. For information about network troubleshooting, see Windows Help..
……………………. WFSAD01 failed test NetLogons
Starting test: Services
Could not open Remote ipc to [WFSAD01.company.local]: error 0x4cf
“The network location cannot be reached. For information about network troubleshooting, see Windows Help.”
……………………. WFSAD01 failed test Services
Running enterprise tests on : company.local
Starting test: LocatorCheck
Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1722
A Global Catalog Server could not be located – All GC’s are down.
Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1722
A Primary Domain Controller could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(TIME_SERVER) call failed, error 1722
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1722
A Good Time Server could not be located.
Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1722
A KDC could not be located – All the KDCs are down.
……………………. company.local failed test LocatorCheck
- Note: Per KB2512643, the DFSREvent, FrsEvent, KccEvent, & SystemLog “The RPC server is unavailable” errors are expected when Windows Firewall is enabled on DCs.
- I skipped these tests using the following command, so their results were not included in the above DCDIAG output:
dcdiag /s:wfsad02 /e /skip:kccevent /skip:systemlog /skip:DFSREvent /skip:FrsEvent
This page got me thinking in a totally different way after running down rabbit holes, and that led to the solution of a problem I have been researching for days. The components you referenced above were not enabled on my server either, and that led to RPC issues in my SBS 2008 to Windows 2016 migration. I ended up uninstalling Hyper-V (which never should have been installed on SBS 2008 to begin with) to return to one physical adapter with everything enabled. Thank you so much! Now I can move on with my life. 🙂
Did you have to restart in order for the changes to take effect? I just tried this and don’t see any difference.