While using Control Compliance Suite (CCS) 11.x, during asset import and/or update jobs, the "machine is domain controller" value is incorrectly reported as FALSE for a domain controller type asset.

no error message as such but you could enable verbose logging and review the Symantec.CSM.LDAPDataCollector.{date&time}.csv logs to see the UserAccountControl values it finds for each asset it processes.
 

CCS determines and sets the "machine is domain controller" value accordingly by looking at the assets LDAP attribute named: "UserAccountControl". By default this value is for a Domain Controller "532480" and finding this value will result in "machine is domain controller" = TRUE. If it finds any other value it will report  "machine is domain controller" = TRUE.

In some instances this value is reported as "532512" on domain controllers - this is an incorrect value and set due to a defect in the DCpromo procedure. 

CCS determines and sets the "machine is domain controller" value accordingly by looking at the systems' LDAP attribute named: "UserAccountControl". By default this value is for a Domain Controller "532480" but for the 4 systems you have identified it's "532512"

Contact your Active Directory administrator and discuss the situation, domain controllers should have an"UserAccountControl" value of "532480"  and nothing else. You can use ADSIedit to update the value.