3.1.1.3 Trusted Domains and Forests Information

The Local Security Authority (LSA) Domain Policy database, as specified in [MS-LSAD], contains trust information for a given domain and forest. Of all the information that it manages for trusts, only the following conceptual columns are of interest to this protocol:

  • Trusted Domain DNS Name: The DNS name of the trusted domain.

  • Trusted Domain NetBIOS Name: The NetBIOS name of the same domain.

  • Domain SID: The SID of the same domain.

  • Trust Direction: Indicates whether the trust is inbound, outbound, or both.

  • Trust Type: Type of the trust.

  • Trust Attributes: Additional characteristics of the trust.

  • Forest Trust Information: Attributes of this trust as it pertains to the forest.

In Active Directory, Trusted Domain DNS Name is stored in the trustPartner attribute, Trusted Domain NetBIOS Name in flatName, Trust Direction in trustDirection, Trust Type in trustType, Trust Attributes in trustAttributes as a bitmask, and Forest Trust Information in msDS-TrustForestTrustInfo.

Trust information that satisfies the following criteria MUST be used by this protocol:

  • Trust Type is a Windows trust, which means that the trusted party is a Windows domain, as specified in [MS-LSAD]. A Windows trust is represented by the value 0x00000002 in the trustType attribute. Trust Attributes can declare a trust to be a forest trust by having the 0x00000008 bit set in the trustAttributes attribute, as specified in [MS-LSAD]. For more information, see [MS-ADSC], [MS-ADA1], [MS-ADA2], and [MS-ADA3].

  • Trust Direction is outbound or bidirectional, as specified in [MS-LSAD].

The NetBIOS and DNS names of the trusted domain can be used to locate a domain NC "replica" for that domain by using a domain controller locator algorithm, an example of which is described in [MS-ADOD] sections 2.7.7.3.1 and 3.1.1.

The trust attributes declare the trust to be a forest trust, as specified in [MS-LSAD] section 3.1.1.5, if and only if the following conditions are met:

  • The trusted domain information satisfies the preceding criteria.

  • The trusted domain information is in the root domain of the forest.

If the trust attributes declare the trust to be a forest trust, the Forest Trust Information column contains information about the trusted forest. Specifically, this information consists of the name, the DNS name, and the SID of every domain in the trusted forest, as well as top-level names (including the UPN suffixes used in user principal names), as specified in [MS-ADTS] section 6.1.6 and [MS-LSAD] section 3.1.1.5.
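The selection rules above (Windows trust type, outbound or bidirectional direction, and the forest-trust bit that only counts in the forest root) are easy to get subtly wrong, for instance by treating an inbound-only trust as usable or by trusting the 0x00000008 bit on a child-domain TDO. The following added example, which is not code from this specification or from any Microsoft implementation, applies those rules to a handful of constructed trustedDomain records. The attribute names used for the records are the ones named in this section; the trustDirection constants come from [MS-LSAD] (the page itself does not list them), and the `in_forest_root` flag is an assumed input that stands in for "the trusted domain information is in the root domain of the forest".

```python
"""Select the trust records this protocol uses, following the criteria in
section 3.1.1.3.  Added illustration; not code from [MS-LSAD] or from this
specification.  The records are constructed in memory; in a real deployment
they would be read from the trustedDomain objects of the domain NC."""
from dataclasses import dataclass

# Values named on this page, from [MS-LSAD].
TRUST_TYPE_UPLEVEL = 0x00000002             # trustType: a Windows domain
TRUST_ATTRIBUTE_FOREST_TRANSITIVE = 0x00000008  # trustAttributes: forest trust

# trustDirection values from [MS-LSAD] (not listed on this page).
TRUST_DIRECTION_DISABLED = 0x00000000
TRUST_DIRECTION_INBOUND = 0x00000001
TRUST_DIRECTION_OUTBOUND = 0x00000002
TRUST_DIRECTION_BIDIRECTIONAL = 0x00000003


@dataclass(frozen=True)
class TrustedDomain:
    """One trustedDomain object, reduced to the columns this section uses."""
    trust_partner: str      # trustPartner: DNS name of the trusted domain
    flat_name: str          # flatName: NetBIOS name of the trusted domain
    domain_sid: str         # Domain SID column (attribute name not given here)
    trust_direction: int    # trustDirection
    trust_type: int         # trustType
    trust_attributes: int   # trustAttributes bitmask


def is_usable_trust(tdo: TrustedDomain) -> bool:
    """First rule set: Windows trust AND outbound or bidirectional direction.
    Inbound-only and disabled trusts are rejected even if the type matches."""
    is_windows = tdo.trust_type == TRUST_TYPE_UPLEVEL
    has_outbound = tdo.trust_direction in (TRUST_DIRECTION_OUTBOUND,
                                           TRUST_DIRECTION_BIDIRECTIONAL)
    return is_windows and has_outbound


def usable_trusts(tdos):
    """DNS names of the trusts this protocol MUST use, in input order."""
    return [t.trust_partner for t in tdos if is_usable_trust(t)]


def is_forest_trust(tdo: TrustedDomain, in_forest_root: bool) -> bool:
    """Second rule set: the forest-transitive bit declares a forest trust
    only when the record is usable AND lives in the forest root domain."""
    bit_set = bool(tdo.trust_attributes & TRUST_ATTRIBUTE_FOREST_TRANSITIVE)
    return is_usable_trust(tdo) and in_forest_root and bit_set


def forest_trusts(tdos, in_forest_root: bool):
    """DNS names of the usable trusts that qualify as forest trusts."""
    return [t.trust_partner for t in tdos if is_forest_trust(t, in_forest_root)]


def sample_trusts():
    """Constructed records; names and SIDs are illustrative only."""
    return [
        # Windows, bidirectional, forest bit set: usable, forest trust in root.
        TrustedDomain("corp.example.com", "CORP", "S-1-5-21-111-222-333",
                      TRUST_DIRECTION_BIDIRECTIONAL, TRUST_TYPE_UPLEVEL,
                      TRUST_ATTRIBUTE_FOREST_TRANSITIVE),
        # Windows, outbound only, no forest bit: usable, not a forest trust.
        TrustedDomain("partner.example.net", "PARTNER", "S-1-5-21-444-555-666",
                      TRUST_DIRECTION_OUTBOUND, TRUST_TYPE_UPLEVEL, 0),
        # Windows but inbound only: excluded by the direction rule.
        TrustedDomain("inbound.example.org", "INBOUND", "S-1-5-21-777-888-999",
                      TRUST_DIRECTION_INBOUND, TRUST_TYPE_UPLEVEL,
                      TRUST_ATTRIBUTE_FOREST_TRANSITIVE),
        # Not a Windows trust (trustType != 0x00000002): excluded by type rule.
        TrustedDomain("realm.example.edu", "REALM", "S-1-5-21-123-456-789",
                      TRUST_DIRECTION_BIDIRECTIONAL, 0x00000003, 0),
    ]


if __name__ == "__main__":
    tdos = sample_trusts()
    print("usable:", usable_trusts(tdos))
    print("forest trusts (root domain):", forest_trusts(tdos, True))
    print("forest trusts (child domain):", forest_trusts(tdos, False))
```

Note that the third record carries the forest-transitive bit but is still dropped: the direction rule is applied first, so the forest-trust classification never sees it, and the same bit on a record held in a child domain is ignored because only the forest root's TDOs can declare a forest trust.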