Domain admin accounts are protected.
Can you verify if the account has an attribute called adminCount and if it is set to 1 ?
The adminCount attribute is found on user objects in Active Directory. This is a very simple attribute. If the value is or 0 then the user is not protected by the SD Propagation. If the value of adminCount is set to 1 that means the user has, or has been a member of a protected group. The value can be seen in ADUC or ADSIEdit or LDP.
If adminCount is not set you can enable logging on the IQService to get a more in dept error message. See IQTrace Logs - not tracked for information to enable logging fro IQService.
– Remold