DirectoryServicePortTest can't verify forest functional level

0

Hi, I just deployed an AD connector in AWS and it connects to my on-prem domain controllers. As part of verifying connectivity per the AWS doc (https://docs.aws.amazon.com/directoryservice/latest/admin-guide/prereq_connector.html#connect_verification), I remote into a VM on the subnet where the AD connector has its ENI and test with DirectoryServicePortTest.exe. The ports are open fine but it can't query the forest functional level. I am sure the DC/DNS I use to test is good and the SRV records are there. [my-domain] is the fully qualified domain name and the forest functional level is 2012R2, which meets the requirement.

C:\>DirectoryServicePortTest.exe -d [my-domain] -ip [my-dns] -tcp "53,88,389" -dup "53,88,389"
Testing forest functional level.
The domain [my-domain] could not be found.

Testing TCP ports to [my-dns]:
Checking TCP port 53: PASSED
Checking TCP port 88: PASSED
Checking TCP port 389: PASSED

Any suggestions on what might be the issue? Thanks.

asked 2 years ago · 383 views
1 Answer
0

Hello,

Thank you so much for your re:Post question. My name is RJ, an engineer who will be assisting with your inquiry. In order for the directory services port test (DSPT) utility to validate the forest and domain functional levels, the tool must be used with an authenticated domain account. At this time, the DSPT utility does not accept credentials as parameters, and instead will use the security context of the current user.

That being said, ADConnector supports forest and domain functional levels at 2003+ or higher.

AWS
SUPPORT ENGINEER
RJ-D
answered 2 years ago
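
The answer above turns on which security context the test runs in. The PowerShell below is an added example, not part of the original answer or of any AWS tooling: it reports whether the current session is a domain logon and reads the forest functional level from a domain controller's rootDSE with credentials supplied at a prompt. The function name `Get-ForestFunctionalLevel` is hypothetical, and `[my-dns]` is the placeholder from the question.

```powershell
# Added example. Get-ForestFunctionalLevel is a hypothetical helper name,
# not part of DirectoryServicePortTest or any AWS tooling.
function Get-ForestFunctionalLevel {
    param(
        [Parameter(Mandatory)] [string] $Server,   # DC name or IP address
        [System.Management.Automation.PSCredential] $Credential
    )
    # rootDSE forestFunctionality values and the levels they stand for
    $levels = @{ 0 = '2000'; 1 = '2003 interim'; 2 = '2003'; 3 = '2008'
                 4 = '2008 R2'; 5 = '2012'; 6 = '2012 R2'; 7 = '2016' }
    $path = "LDAP://$Server/RootDSE"
    if ($Credential) {
        # Explicit domain credentials, collected with Get-Credential so the
        # password never appears on the command line or in shell history
        $net   = $Credential.GetNetworkCredential()
        $user  = if ($net.Domain) { "$($net.Domain)\$($net.UserName)" } else { $net.UserName }
        $entry = New-Object System.DirectoryServices.DirectoryEntry($path, $user, $net.Password)
    } else {
        # No credential given: bind as the current user
        $entry = New-Object System.DirectoryServices.DirectoryEntry($path)
    }
    try {
        $raw = $entry.Properties['forestFunctionality'].Value
        if ($null -eq $raw) { throw 'rootDSE returned no forestFunctionality attribute' }
        $name = $levels[[int]$raw]
        if (-not $name) { $name = "unknown ($raw)" }
        [pscustomobject]@{ Server = $Server; Raw = [int]$raw; ForestFunctionalLevel = $name }
    } catch {
        Write-Error "Could not read rootDSE from ${Server}: $($_.Exception.Message)"
    } finally {
        $entry.Dispose()
    }
}

# Report the security context of this session. Comparing USERDOMAIN with
# COMPUTERNAME is a heuristic for spotting a local (non-domain) logon.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$computer = Get-CimInstance -ClassName Win32_ComputerSystem
[pscustomobject]@{
    User                = $identity.Name
    MachineDomainJoined = $computer.PartOfDomain
    LocalAccountLogon   = ($env:USERDOMAIN -eq $env:COMPUTERNAME)
}

# Usage (replace the placeholder with the DC address used in the port test):
# Get-ForestFunctionalLevel -Server '[my-dns]' -Credential (Get-Credential)
```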
