DirectoryServicePortTest can't verify forest functional level


Hi, I just deployed an AD connector in AWS and it connects to my on-prem domain controllers. As part of verifying connectivity per AWS doc (, I remote into a VM on the subnet where the AD connector has ENI in and test with DirectoryServicePortTest.exe. The ports are open fine but it can't query the forest functional level. I am sure the DC/DNS I use to test is good and SRV records are there. [my-domain] is the fully qualified domain name and forest functional level is 2012R2 which meets the requirement.

C:\>DirectoryServicePortTest.exe -d [my-domain] -ip [my-dns] -tcp "53,88,389" -dup "53,88,389"
Testing forest functional level.
The domain [my-domain] could not be found.

Testing TCP ports to [my-dns]:
Checking TCP port 53: PASSED
Checking TCP port 88: PASSED
Checking TCP port 389: PASSED

Any suggestions on what might be the issue. Thanks.

asked 5 months ago39 views
1 Answer


Thank you so much for your rePost question, my name is RJ an engineer that will be assisting with your inquiry. In order for the directory services port test (DSPT) utility to validate the forest and domain functional levels, the tool must be used with an authenticated domain account. At this time, the DSPT utility does not accept credentials as parameters, and instead will use the security context of the current user.

That being said, ADConnector supports forest and domain functional levels at 2003+ or higher.

answered 5 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions