Trusted Domain Objects

Trusts are represented by trustedDomain objects, which reside in the System container of each domain. The properties of these objects describe the type and features of the trust.

The trustType property of the object specifies the type of each trust:

· Value 1: Downlevel trust. The partner is a Windows NT domain, so the trust is always an external trust.

· Value 2: Uplevel (Windows 2000 or later) trust. The partner is an Active Directory domain; the trust can be a parent-child, tree-root, shortcut, external, or forest trust.

· Value 3: MIT. The partner is a (non-Windows) MIT Kerberos version 5 realm.

· Value 4: DCE. The partner is a DCE realm. DCE refers to the Open Group's Distributed Computing Environment specification. This trust type is mainly theoretical.

The other meaningful properties of trustedDomain objects are the following:

· trustPartner: For Active Directory domains, this is the DNS name of the partner domain. For Windows NT trusted domains, this is the NetBIOS name of the partner domain. For non-Windows trusted domains, this is the name of the partner Kerberos realm.

· flatName: For Windows trusted domains, this is the NetBIOS name of the partner domain. For non-Windows trusted domains, this is the name of the partner domain or it is NULL.

· trustDirection: 0 = disabled, 1 = incoming (the partner trusts this domain, so the partner is the trusting domain), 2 = outgoing (this domain trusts the partner, so the partner is the trusted domain), 3 = both directions. Access flows opposite to the trust direction: an outgoing trust is the one that lets users from the partner domain be authenticated to resources in this domain, so outgoing trusts are the ones to review when assessing what this domain exposes.

· trustAttributes: (hexadecimal values in AD2003; the property is a bit mask, so several of these values may be combined) 1 = the trust is nontransitive; 2 = the trust is valid only for Windows 2000 (and newer) computers; 4 = the domain is quarantined (that is, SID filtering is enabled); 8 = the trust is a forest trust; 10 = the trust is a cross-organization trust (that is, selective authentication is being used); 20 = the trust is internal to the forest; 40 = the trust is a forest trust where EnableSIDHistory is on (see the corresponding NetDom option in Help and Support).

· trustAttributes: (hexadecimal values in AD2000) 1 = the trust is nontransitive; 2 = the trust is valid only for Windows 2000 (and newer) computers; 400000 = the trust is to the parent domain; 800000 = the trust is to another tree root domain in the forest. AD2003 no longer sets the last two values, but they may remain on trustedDomain objects created under AD2000.
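
The following decoder is an added example, not code from the book: it turns the raw trustType, trustDirection, and trustAttributes integers of a trustedDomain object into the meaning described above, and derives the checks a reviewer cares about (who trusts whom, whether SID filtering is on, whether SID history is accepted, whether selective authentication is used). The sample entries are constructed to resemble what an LDAP search for (objectClass=trustedDomain) under CN=System returns; the flag names are the conventional TRUST_ATTRIBUTE_* constant names, shortened, and the review heuristics in review_notes are this example's own. Later Windows versions define further trustAttributes bits that are not in the AD2003 table; the decoder reports any such bits as unknown rather than guessing at them.

```python
# Added example (not from the book): decode trustedDomain attribute values.
# Sample data below is constructed, not taken from a real directory.

TRUST_TYPES = {
    1: "downlevel (Windows NT domain)",
    2: "uplevel (Active Directory domain)",
    3: "MIT Kerberos v5 realm",
    4: "DCE realm",
}

# trustDirection bits: 1 = incoming (the partner trusts this domain),
# 2 = outgoing (this domain trusts the partner), 3 = both, 0 = disabled.
DIRECTION_INBOUND = 0x1
DIRECTION_OUTBOUND = 0x2

# trustAttributes bits as defined for AD2003, plus the two AD2000 bits that
# may survive on objects created before an upgrade.
ATTR_NAMES = {
    0x1: "NON_TRANSITIVE",
    0x2: "UPLEVEL_ONLY",
    0x4: "QUARANTINED_DOMAIN",   # SID filtering enabled
    0x8: "FOREST_TRANSITIVE",
    0x10: "CROSS_ORGANIZATION",  # selective authentication
    0x20: "WITHIN_FOREST",
    0x40: "TREAT_AS_EXTERNAL",   # forest trust with EnableSIDHistory on
    0x400000: "TREE_PARENT",     # AD2000: trust to the parent domain
    0x800000: "TREE_ROOT",       # AD2000: trust to another tree root
}
KNOWN_MASK = 0
for _bit in ATTR_NAMES:
    KNOWN_MASK |= _bit


def decode_direction(direction):
    """Say who trusts whom for a trustDirection value."""
    return {
        "partner_trusts_local": bool(direction & DIRECTION_INBOUND),
        "local_trusts_partner": bool(direction & DIRECTION_OUTBOUND),
    }


def decode_attributes(attributes):
    """Return the named bits set in trustAttributes and any bits not in the table."""
    names = [name for bit, name in sorted(ATTR_NAMES.items()) if attributes & bit]
    return names, attributes & ~KNOWN_MASK


def describe_trust(entry):
    """Summarise one trustedDomain entry given as a dict of attribute -> value."""
    attrs = entry["trustAttributes"]
    names, unknown = decode_attributes(attrs)
    summary = {
        "partner": entry["trustPartner"],
        "flatName": entry.get("flatName"),
        "type": TRUST_TYPES.get(entry["trustType"], f"unknown ({entry['trustType']})"),
        "transitive": not attrs & 0x1,
        "forest_trust": bool(attrs & 0x8),
        "within_forest": bool(attrs & (0x20 | 0x400000 | 0x800000)),
        "sid_filtering_quarantine": bool(attrs & 0x4),
        "sid_history_enabled": bool(attrs & 0x40),
        "selective_authentication": bool(attrs & 0x10),
        "flags": names,
        "unknown_bits": unknown,
    }
    summary.update(decode_direction(entry["trustDirection"]))
    return summary


def review_notes(summary):
    """Findings for a trust review; only outgoing trusts expose this domain.
    The heuristics are this example's own, not the book's."""
    notes = []
    if summary["local_trusts_partner"]:
        external = not summary["forest_trust"] and not summary["within_forest"]
        if external and not summary["sid_filtering_quarantine"]:
            notes.append("outgoing external trust without the quarantine bit: SID filtering is not enabled")
        if summary["forest_trust"] and summary["sid_history_enabled"]:
            notes.append("outgoing forest trust accepts SID history (TREAT_AS_EXTERNAL)")
        if summary["forest_trust"] and not summary["selective_authentication"]:
            notes.append("outgoing forest trust uses forest-wide authentication, not selective")
    if summary["unknown_bits"]:
        notes.append(f"trustAttributes has bits outside the AD2003 table: 0x{summary['unknown_bits']:x}")
    return notes


# Constructed sample entries (hypothetical names, not real directory data).
SAMPLE_TRUSTS = [
    {"trustPartner": "partner.example", "flatName": "PARTNER",
     "trustType": 2, "trustDirection": 3, "trustAttributes": 0x8 | 0x40},
    {"trustPartner": "LEGACYNT", "flatName": "LEGACYNT",
     "trustType": 1, "trustDirection": 2, "trustAttributes": 0x1},
    {"trustPartner": "child.corp.example", "flatName": "CHILD",
     "trustType": 2, "trustDirection": 3, "trustAttributes": 0x20},
    {"trustPartner": "KRB.EXAMPLE", "flatName": None,
     "trustType": 3, "trustDirection": 2, "trustAttributes": 0x1 | 0x80},
]

if __name__ == "__main__":
    for entry in SAMPLE_TRUSTS:
        summary = describe_trust(entry)
        print(summary["partner"], summary["type"], summary["flags"], review_notes(summary))
```

To use it against a real domain, feed describe_trust the integer values of trustType, trustDirection, and trustAttributes for each trustedDomain object under the System container; the sorted bit order in decode_attributes makes the output stable across objects, and anything left in unknown_bits is a signal to consult newer documentation rather than a decoding error.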
