That port 9997 is not being used by another application.
The local firewall settings on the AD are set up properly, e.g. iptables.
Splunk versions are compatible between indexer and forwarder.
I would also do a packet trace on both the Splunk server and the AD machine to confirm that there's no packet loss or strange behaviour from the AD. You can compare it to a packet trace on a machine that works properly to see if there are any discrepancies.