How to change Forest Functional Level and Domain Level?

Note:

Make sure you have Enterprise Admin account/permission to run this command and run the PowerShell as Admin. 

If you run into an error saying that a new Domain Controller cannot be promoted because its operating system is not supported at the current forest functional level, this solution could help you out. These commands cannot be run on an RODC.

I am not sure whether this requires the FSMO roles in order to change these functional levels. Hence, I run these commands on the primary domain controller.

  1. Login to your existing domain controller using an enterprise admin account
  2. Run the Windows PowerShell as Admin
  3. Type in the following commands to change the forest functional level
      # Get forest level info (the ForestMode property shows the current level)
      Get-ADForest

      # Set the forest level (-Identity is mandatory; -ForestMode takes an ADForestMode value)
      Set-ADForestMode -Identity (Get-ADForest) -ForestMode <ForestMode>

      # Example: Set-ADForestMode -Identity (Get-ADForest) -ForestMode Windows2012R2Forest
  4. Type in the following commands to change the domain functional level
      # Get domain level info (the DomainMode property shows the current level)
      Get-ADDomain

      # Set the domain level (-Identity is mandatory; -DomainMode takes an ADDomainMode value, which ends in "Domain", not "Forest")
      Set-ADDomainMode -Identity (Get-ADDomain) -DomainMode <DomainMode>

      # Example: Set-ADDomainMode -Identity (Get-ADDomain) -DomainMode Windows2012R2Domain
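The following script is an added example and is not part of the original post. It wraps the two commands above in the checks an administrator wants before raising a level: it records the current levels, confirms the DC it talks to is writable (the PDC emulator), lists every DC in the forest with its operating system so an older DC that would block the raise is visible, does a -WhatIf dry run, and only then raises the domain level followed by the forest level with a confirmation prompt. It assumes the ActiveDirectory module, an Enterprise Admin session on a writable DC, and that the two target values at the top are the levels you intend to reach.

```powershell
# Added example (not from the original post): pre-flight checks, dry run, then the real raise.
# Assumptions: ActiveDirectory module available, run as Enterprise Admin on a writable DC,
# and $TargetDomainMode / $TargetForestMode are the levels you intend to reach.
Import-Module ActiveDirectory

$TargetDomainMode = 'Windows2012R2Domain'   # ADDomainMode value (names end in "Domain")
$TargetForestMode = 'Windows2012R2Forest'   # ADForestMode value (names end in "Forest")

# Record the current levels before anything is changed.
$forest = Get-ADForest
$domain = Get-ADDomain
"Forest $($forest.Name): current mode $($forest.ForestMode)"
"Domain $($domain.DNSRoot): current mode $($domain.DomainMode)"

# The Set-* cmdlets cannot run against a read-only DC, so locate a writable DC that holds the
# PDC emulator role and direct the change there (the post runs the commands on the PDC).
$dc     = Get-ADDomainController -Discover -Writable -Service PrimaryDC
$dcName = [string]$dc.HostName
"Writable DC / PDC emulator used for the change: $dcName"

# Every DC in every domain of the forest must run an OS that supports the target level.
# List them so any DC that would block the raise is visible before the change is attempted.
foreach ($d in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $d |
        Select-Object HostName, Domain, OperatingSystem, IsReadOnly
}

# Dry run: -WhatIf reports what would change without touching the directory.
Set-ADDomainMode -Identity $domain -DomainMode $TargetDomainMode -Server $dcName -WhatIf
Set-ADForestMode -Identity $forest -ForestMode $TargetForestMode -Server $dcName -WhatIf

# Real run. Raise the domain level first: the forest level can only be raised once every domain
# in the forest is at that level. Lowering a level afterwards is possible only in limited cases,
# so -Confirm prompts before each change is committed.
Set-ADDomainMode -Identity $domain -DomainMode $TargetDomainMode -Server $dcName -Confirm
Set-ADForestMode -Identity $forest -ForestMode $TargetForestMode -Server $dcName -Confirm
```

Run it from an elevated PowerShell on the domain controller; the DC listing and the -WhatIf output are the parts to read before answering the confirmation prompts.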


I would recommend that you study the difference between Forest Functional Level and Domain Functional Level. I will write a blog post about it soon!


Azure AD Connect: Error 8344 Permission Issue Insufficient Access Rights to Perform the Operation

If your sync service completes with an error and the error code is the one shown below:

Error 8344: Permission Issue Insufficient Access Rights to Perform the Operation

It means that the service account that you used to add the domain during the wizard setup does not have the correct/necessary permissions.

This is the relevant part of the wizard (the two screenshots of the wizard page have not been preserved).

Note:

Please note that this covers only Password Synchronization and Password Writeback; for the permissions other features require, please review the references below.

Step by step:

  1. Grant the necessary permissions to the service account
    • Add the service account to the Administrators group (in the Built-in OU)
    • At the forest level > Properties > Security > Add > service account
      • Next, select the service account, scroll down to the permissions and check “Replicate Directory Changes All” and “Replicate Directory Changes”
      • Because password writeback will be turned on too, the service account also needs the “Change Password” and “Reset Password” permissions, which are set under Advanced
        • Select the service account > Advanced > Add > Select a principal > service account > Applies to: Descendant User objects > check the boxes for “Change Password” and “Reset Password”
    • Save your changes
    • Refresh
  2. Go to your AADC server and rerun the synchronization
  3. Check the sync status to confirm it completed without error
  4. The End
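The following script is an added example and is not part of the original post. It reads the ACL of the domain root and reports whether the connector account already holds the four rights the steps above grant through the GUI (the two replication rights on the domain, and Reset/Change Password on descendant user objects), so you can confirm the fix or spot which right is still missing before rerunning the sync; with $Grant set to $true it adds any missing entry with the same scope the GUI walkthrough uses. It assumes the ActiveDirectory module (which provides the AD: drive), a Domain Admin session, and that $ServiceAccount is a placeholder for your connector account's sAMAccountName. The GUIDs are the rights' well-known identifiers from the AD schema.

```powershell
# Added example (not from the original post): verify, and optionally grant, the rights that the
# walkthrough gives the AADC service account. Assumptions: ActiveDirectory module loaded, run as
# Domain Admin, $ServiceAccount is a placeholder for the connector account's sAMAccountName.
Import-Module ActiveDirectory

$ServiceAccount = 'MSOL_svc_placeholder'   # placeholder: replace with your connector account
$Grant          = $false                   # $true adds missing rights; $false only reports

$domain  = Get-ADDomain
$sid     = (Get-ADUser -Identity $ServiceAccount).SID
$aclPath = "AD:\$($domain.DistinguishedName)"   # domain root, where the GUI steps set the ACL

# Well-known GUIDs from the AD schema: the control-access rights and the "user" object class.
$userClass = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
$wanted = @(
    @{ Name = 'Replicating Directory Changes';     Guid = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'; Inherit = 'None';        InheritedType = [guid]::Empty }
    @{ Name = 'Replicating Directory Changes All'; Guid = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'; Inherit = 'None';        InheritedType = [guid]::Empty }
    @{ Name = 'Reset Password';                    Guid = [guid]'00299570-246d-11d0-a768-00aa006e0529'; Inherit = 'Descendents'; InheritedType = $userClass }
    @{ Name = 'Change Password';                   Guid = [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'; Inherit = 'Descendents'; InheritedType = $userClass }
)

function Test-ConnectorRight {
    param($Acl, [System.Security.Principal.SecurityIdentifier]$Sid, [guid]$RightGuid)
    # An ACE counts when it Allows the account an ExtendedRight whose ObjectType is this right's GUID.
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.ObjectType -ne $RightGuid) { continue }
        if (-not $ace.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) { continue }
        try   { $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
        catch { continue }   # orphaned or unresolvable SIDs are skipped
        if ($aceSid -eq $Sid) { return $true }
    }
    return $false
}

$acl = Get-Acl -Path $aclPath
foreach ($r in $wanted) {
    $has = Test-ConnectorRight -Acl $acl -Sid $sid -RightGuid $r.Guid
    '{0,-36} {1}' -f $r.Name, $(if ($has) { 'present' } else { 'MISSING' })
    if (-not $has -and $Grant) {
        # Same scope as the GUI: replication rights on the domain object itself,
        # password rights inherited by descendant user objects only.
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $r.Guid,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]$r.Inherit,
            $r.InheritedType)
        $acl.AddAccessRule($rule)
    }
}
if ($Grant) { Set-Acl -Path $aclPath -AclObject $acl }
```

Run it once with $Grant left at $false to see the report; the four lines should all read "present" after the GUI steps, and a "MISSING" line points at the exact right to revisit.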


References:

  1. https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions
  2. https://mstechtalk.com/step-by-step-azure-ad-sync-installation-guide-part-1/


Appendix:

  1. ADUC – Active Directory Users and Computers
  2. ADS – Active Directory Sync
  3. OU – Organization Unit
  4. AADC – Azure Active Directory Connect

What to take note when establishing trust between Domain Controllers?

Prerequisites to establish a trust:

  1. The domain controller cannot be a Read-Only Domain Controller
  2. Both the source and target domain controllers have to hold the PDC role to establish the trust.
    • Make sure you transfer the FSMO role if needed
  3. Both domain controllers must be able to ping each other
    • At the target domain controller, ping <source domain DNS name>
    • Ping the domain controller IP addresses
  4. The firewall is disabled on both domain controllers
  5. Each domain can be resolved with nslookup from the other

You will fail with an error if the prerequisites are not met:

“The secure channel verification on Active Directory Domain Controller <DC name> of domain <source domain> to <target domain> failed with error: The specified domain either does not exist or could not be contacted.”
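The following script is an added example and is not part of the original post. Run on the target domain controller, it tests the prerequisites listed above against the source domain before the trust wizard is started: that the local DC is writable and holds the PDC emulator role, that the source domain's A record and DC locator SRV record resolve, that the source DC addresses answer ping, and that the TCP ports a trust relies on are reachable (which is the reachability that prerequisite 4 is meant to ensure, and is worth testing explicitly whether or not the firewall is off). It assumes the ActiveDirectory, DnsClient and NetTCPIP modules that ship with Windows Server 2012 and later, and $SourceDomain is a placeholder for the other domain's DNS name.

```powershell
# Added example (not from the original post): run on the target DC to test the trust
# prerequisites against the source domain. Assumptions: Windows Server 2012+ modules
# (ActiveDirectory, DnsClient, NetTCPIP); $SourceDomain is a placeholder DNS name.
Import-Module ActiveDirectory

$SourceDomain = 'source.example.test'   # placeholder: DNS name of the other domain
# TCP ports the trust and its secure channel rely on (RPC also needs the dynamic range,
# and Kerberos/DNS also use UDP; neither is covered by a TCP test).
$Ports = 53, 88, 135, 389, 445, 464, 3268

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Passed = $Ok; Detail = $Detail })
}

# 1. The local DC must not be read-only.
$local = Get-ADDomainController -Identity $env:COMPUTERNAME
Add-Check 'Local DC is writable (not RODC)' (-not $local.IsReadOnly) $local.HostName

# 2. The local DC must hold the PDC emulator role.
$pdc = (Get-ADDomain).PDCEmulator
Add-Check 'Local DC holds PDC emulator' ($pdc -ieq $local.HostName) "PDC emulator is $pdc"

# 5. nslookup: the source domain name and its DC locator SRV record must resolve from here.
$a   = Resolve-DnsName -Name $SourceDomain -Type A -ErrorAction SilentlyContinue
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$SourceDomain" -Type SRV -ErrorAction SilentlyContinue
$ips = @($a | Where-Object { $_.IPAddress } | ForEach-Object { $_.IPAddress })
Add-Check "Resolve $SourceDomain (A)" ($ips.Count -gt 0) ($ips -join ', ')
Add-Check "Resolve DC locator SRV for $SourceDomain" ([bool]$srv) (@($srv.NameTarget) -join ', ')

# 3 and 4. Ping each source DC address the A record returned, then test the TCP ports.
foreach ($ip in $ips) {
    Add-Check "Ping $ip" (Test-Connection -ComputerName $ip -Count 2 -Quiet) ''
    foreach ($p in $Ports) {
        $t = Test-NetConnection -ComputerName $ip -Port $p -WarningAction SilentlyContinue
        Add-Check "TCP ${ip}:$p" $t.TcpTestSucceeded ''
    }
}

$results | Format-Table -AutoSize
if ($results.Passed -contains $false) {
    Write-Warning 'At least one prerequisite failed; the trust wizard will report the secure channel error quoted above.'
}
```

Run it on each side with the other domain's name, since the post requires the prerequisites on both the source and the target; a single failed row identifies which prerequisite to fix before retrying the wizard.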