I added a child domain (ab.xyz.com) to an existing forest (xyz.com) in Active Directory Domain Services. Both domain controllers are running Windows Server 2012 R2.
I want to lower the child domain and forest functional level so that I can join another DC to the child domain which is running Windows Server 2008 R2. I followed these steps to lower the child domain and forest functional level. However, it doesn't work.
I entered
Set-ADForestMode -Identity “ab.xyz.com” -ForestMode Windows2008Forest
Set-ADDomainMode -Identity “ab.xyz.com” -DomainMode Windows2008Domain
But I got an error
Insufficient access right to perform this operation
When I am logging in as the administrator account of the child domain.
Can anyone give me some idea on how to lower the domain and forest functional level of my child domain?
Best Answer
You need enterprise admin rights in order to change the forest functional level.
Domain admin rights should be enough to change the functional level of a single domain, but it looks like this is not the case when lowering it, although I wasn't able to find any documentation for this.
Anyway, since you need to change both the forest and the domain level, just perform these operations using an enterprise admin account and they will work.
Also, beware of User Account Control; make sure to run your commands from an elevated PowerShell prompt.