Channel: Exchange Server 2013 - Setup, Deployment, Updates, and Migration forum

Audit Security Privileges


We have Exchange 2010 running and want to have 2013 in co-existence.

Installation of Exchange 2013 went smoothly. Mailbox role server name: MBX, and client access server name: CAS. After the installation I couldn't access ECP; it was giving a "The service is temporarily unavailable. Please try again in a few minutes" error. The event log had event ID 2112:

Process Microsoft.Exchange.Directory.TopologyService.exe (PID=2276). The Exchange computer DC1.sub.organization.net does not have Audit Security Privilege on the domain controller DC1.sub.organization.net. This domain controller will not be used by Exchange Active Directory Provider.

The message was repeated for every domain controller.

The first question. DC1 (and others) is not the Exchange computer. It is a domain controller. Why is the event log saying that it is the Exchange computer?

Digging further... Exchange Active Directory Topology service (2080) discovered the following characteristics:

 (Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)       
In-site:
DC1.organization.net    CDG 1 7 7 1 0 1 1 7 1
DC2.organization.net    CDG 1 7 7 1 0 1 1 7 1
DC1.sub.organization.net    CDG 1 7 7 1 0 0 1 7 1       
Out-of-site:
DC2.sub.organization.net    CDG 1 7 7 1 0 0 1 7 1
DC3.sub.organization.net    CDG 1 7 7 1 0 0 1 7 1
DC4.sub.organization.net    CDG 1 7 7 1 0 0 1 7 1
DC5.sub.organization.net    CDG 1 7 7 1 0 0 1 7 1

Well, the previous event log entry probably makes sense, as it doesn't have the SACL right. So I ran setup with the /PrepareDomain switch. That fixes the SACL for the DC1.sub.organization.net controller and I can log in to ECP or start Exchange Management PowerShell without issues. But after a few hours (random number) the SACL value is restored to 0 and I'm having problems logging in to ECP or starting Exchange Management PowerShell. Running /PrepareDomain temporarily fixes the problem again... What is going on? Why is the SACL being restored?

Also, it seems like the policytest utility is removed from the 2013 installation. I tried using the one from 2010; it ends up with "lookupaccountname returned error 1332".

Thanks, guys, for any ideas!
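The check the post does by eye on the event 2080 table, as an added example that is not part of the original post: it parses the table and lists the domain controllers whose "SACL right" column is 0, grouped by DNS domain, so repeated captures can show when the value flips back. The function names are hypothetical, and the sample input is the table quoted in the post.

```python
from collections import defaultdict

# Column order taken from the event 2080 header line quoted in the post.
COLUMNS = ("roles", "enabled", "reachability", "synchronized", "gc_capable",
           "pdc", "sacl_right", "critical_data", "netlogon", "os_version")

# Sample input: the event 2080 table as quoted in the post.
SAMPLE_EVENT = """\
 (Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
DC1.organization.net    CDG 1 7 7 1 0 1 1 7 1
DC2.organization.net    CDG 1 7 7 1 0 1 1 7 1
DC1.sub.organization.net    CDG 1 7 7 1 0 0 1 7 1
Out-of-site:
DC2.sub.organization.net    CDG 1 7 7 1 0 0 1 7 1
DC3.sub.organization.net    CDG 1 7 7 1 0 0 1 7 1
DC4.sub.organization.net    CDG 1 7 7 1 0 0 1 7 1
DC5.sub.organization.net    CDG 1 7 7 1 0 0 1 7 1
"""

def parse_event_2080(text):
    """Return one dict per domain controller row in an event 2080 body."""
    rows, site = [], None
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) == 1 and tokens[0].lower() in ("in-site:", "out-of-site:"):
            site = tokens[0].rstrip(":").lower()
            continue
        # A data row is: server name, roles string, then nine integer flags.
        if len(tokens) != 11 or not all(t.isdigit() for t in tokens[2:]):
            continue  # header line, blank line or anything else
        row = {"server": tokens[0], "site": site, "roles": tokens[1]}
        row.update(zip(COLUMNS[1:], map(int, tokens[2:])))
        rows.append(row)
    return rows

def missing_sacl_by_domain(rows):
    """Group DCs whose 'SACL right' column is 0 by DNS domain suffix."""
    flagged = defaultdict(list)
    for row in rows:
        if row["sacl_right"] == 0:
            domain = row["server"].partition(".")[2]
            flagged[domain].append(row["server"])
    return dict(flagged)

if __name__ == "__main__":
    result = missing_sacl_by_domain(parse_event_2080(SAMPLE_EVENT))
    for domain, servers in result.items():
        print(f"{domain}: SACL right = 0 on {', '.join(servers)}")
```

On the quoted table this flags only the sub.organization.net controllers, in-site and out-of-site alike, while both organization.net controllers show a SACL right of 1.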

