3.1.4.7.16.1 Forest Trust Collision Generation

This section describes the rules that the server MUST follow to compute a set of collisions when setting forest trust information on a trusted domain object.

Forest trust information across all trusted forests is always internally consistent. This is an invariant that the server MUST enforce. When new forest trust information is added to the server's policy database, the server MUST ensure that the overall forest trust information remains consistent. The server does so by disabling the entries in the new forest trust information structure that would violate this internal consistency. The server communicates the entries that are inconsistent with existing forest trust information back to the client by computing and returning a set of "collision entries".

The rules that govern consistency of forest trust information are specified in [MS-ADTS] section 6.1.6 and are listed here for convenience. To be exact, there are two sets of rules, one for top-level name entries, and one for domain information entries.

The rules for top-level name entries are as follows:

  • An enabled (that is, non-conflict) top-level name record must not be equal to an enabled top-level name for another trusted domain object or to any of the DNS tree names within the current forest. Equality is computed using case-insensitive string comparison. If the strings differ only by one trailing '.' character, the difference is ignored.

  • The top-level name must not be subordinate to an enabled top-level name for another trusted domain object, unless the other trusted domain object has a corresponding exclusion record.

  • A top-level name must not be superior to an enabled top-level name for another trusted domain object, unless the current trusted domain object has a corresponding exclusion record.

If any of these rules are violated, a top-level name is considered in conflict. In this case, a collision record is generated with the following values:

Index: Ordinal number of a forest trust record supplied by the caller that generated the collision.

Type: CollisionTdo or CollisionXref, depending on whether the collision was caused by an external-to-forest domain or an internal-to-forest domain.

Flags: LSA_TLN_DISABLED_CONFLICT

Name: DNS name of the TDO that contained the forest trust information with which this entry has collided.
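The three top-level name rules and the collision record they produce, worked through in code. This is an added illustration written for this page, not code from MS-LSAD or from any Windows implementation; the data model (`TlnRecord`, `TrustedForest`, `Collision`), the sample forest names and the reading of "corresponding exclusion record" as an exclusion that equals or sits above the name in question are assumptions. The numeric values of the flag and collision-type constants are not on this page, so symbolic strings stand in for them.

```python
from dataclasses import dataclass

# Symbolic names from the section; numeric encodings are not given on this page.
LSA_TLN_DISABLED_CONFLICT = "LSA_TLN_DISABLED_CONFLICT"
COLLISION_TDO = "CollisionTdo"    # collided with another trusted domain object
COLLISION_XREF = "CollisionXref"  # collided with a domain inside the current forest


@dataclass
class TlnRecord:
    """One top-level name record; 'enabled' is False for admin/conflict-disabled entries."""
    name: str
    enabled: bool = True


@dataclass
class TrustedForest:
    """Forest trust information held for one TDO (hypothetical model, not the wire format)."""
    tdo_dns_name: str
    top_level_names: list
    exclusions: list  # top-level name exclusion records, as DNS strings


@dataclass
class Collision:
    index: int   # ordinal of the caller-supplied record that collided
    type: str    # COLLISION_TDO or COLLISION_XREF
    flags: str
    name: str    # DNS name of the entity the record collided with


def canonical(name: str) -> str:
    """Case-insensitive comparison that ignores a single trailing '.' (rule 1)."""
    if name.endswith("."):
        name = name[:-1]
    return name.lower()


def is_subordinate(child: str, parent: str) -> bool:
    """True when child lies strictly below parent in the DNS tree."""
    return canonical(child).endswith("." + canonical(parent))


def covered_by_exclusion(name: str, exclusions) -> bool:
    """Assumption: an exclusion record 'corresponds' to a name when it equals it or is superior to it."""
    return any(canonical(name) == canonical(x) or is_subordinate(name, x) for x in exclusions)


def tln_collisions(new_forest: TrustedForest, existing, forest_tree_names):
    """Apply the top-level name rules to new_forest.top_level_names and return the collision records."""
    collisions = []
    for index, record in enumerate(new_forest.top_level_names):
        if not record.enabled:
            continue  # disabled entries take no part in consistency checks
        new = record.name
        # Rule 1 (internal): equal to one of the current forest's DNS tree names.
        # Assumption: the colliding tree name is reported in the Name field.
        tree_hit = next((t for t in forest_tree_names if canonical(t) == canonical(new)), None)
        if tree_hit is not None:
            collisions.append(Collision(index, COLLISION_XREF, LSA_TLN_DISABLED_CONFLICT, tree_hit))
            continue
        for other in existing:
            conflict = False
            for tln in other.top_level_names:
                if not tln.enabled:
                    continue  # disabled entries of other TDOs are ignored as well
                if canonical(tln.name) == canonical(new):
                    conflict = True  # rule 1: equal to another TDO's enabled TLN
                elif is_subordinate(new, tln.name) and not covered_by_exclusion(new, other.exclusions):
                    conflict = True  # rule 2: subordinate, and the other TDO has no matching exclusion
                elif is_subordinate(tln.name, new) and not covered_by_exclusion(tln.name, new_forest.exclusions):
                    conflict = True  # rule 3: superior, and the new TDO has no matching exclusion
                if conflict:
                    break
            if conflict:
                collisions.append(Collision(index, COLLISION_TDO, LSA_TLN_DISABLED_CONFLICT, other.tdo_dns_name))
                break  # one collision record per caller-supplied record
    return collisions


def demo():
    """Constructed sample data: a forest with two tree names and two existing TDOs."""
    forest_tree_names = ["contoso.com", "contoso.net"]
    existing = [
        TrustedForest("fabrikam.com",
                      [TlnRecord("fabrikam.com"), TlnRecord("legacy.fabrikam.com", enabled=False)],
                      ["sales.fabrikam.com"]),
        TrustedForest("northwind.com",
                      [TlnRecord("eu.northwind.com"), TlnRecord("asia.northwind.com", enabled=False)],
                      []),
    ]
    new_forest = TrustedForest("tailspin.com", [
        TlnRecord("tailspin.com"),          # 0: no overlap
        TlnRecord("Contoso.COM."),          # 1: equals a forest tree name (case, trailing dot ignored)
        TlnRecord("sales.fabrikam.com"),    # 2: subordinate, but fabrikam.com excludes it
        TlnRecord("hr.fabrikam.com"),       # 3: subordinate with no exclusion
        TlnRecord("northwind.com"),         # 4: superior, but tailspin excludes eu.northwind.com
        TlnRecord("asia.northwind.com"),    # 5: only matches a disabled record
    ], ["eu.northwind.com"])
    return tln_collisions(new_forest, existing, forest_tree_names)


if __name__ == "__main__":
    for c in demo():
        print(c)
```

Records 1 and 3 come back as collisions (CollisionXref against contoso.com and CollisionTdo against fabrikam.com); records 2 and 4 survive only because of the exclusion records, and record 5 survives because the matching entry is disabled.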

The rules for domain information entries are as follows:

  • The security identifier of this entry must not be equal to that of an enabled domain information entry belonging to a different forest or any of the domains that comprise the current forest.

  • The NetBIOS name of this entry must not be claimed by any other forest with which this forest has a trust relationship or by any domain within the current forest.

  • The DNS name of this entry must not be claimed by any other forest with which this forest has a trust relationship or by the current forest.

If any of these rules are violated, a domain information entry is considered to be in conflict. In this case, a collision record is generated with the following values:

Index: Ordinal number of a forest trust record supplied by the caller that generated the collision.

Type: CollisionTdo or CollisionXref, depending on whether the collision was caused by an external-to-forest or internal-to-forest domain.

Flags: LSA_SID_DISABLED_CONFLICT if the collision was caused by a security identifier component of the record. LSA_NB_DISABLED_CONFLICT if the collision was caused by a NetBIOS name component of the record.

Entries that have been disabled by administrative action or through conflict are not considered in computing consistency checks.
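The domain information rules, worked through the same way, including the closing point that disabled entries are skipped. This is an added illustration written for this page, not MS-LSAD's or Windows' code; the `DomainInfo`/`TrustedForest`/`Collision` model, the constructed SIDs and names, and case-insensitive NetBIOS comparison are assumptions. The section names flags only for the SID and NetBIOS cases, so a DNS-name collision is reported here with an explicitly labelled placeholder rather than an invented flag.

```python
from dataclasses import dataclass

# Symbolic names from the section; numeric encodings are not given on this page.
LSA_SID_DISABLED_CONFLICT = "LSA_SID_DISABLED_CONFLICT"
LSA_NB_DISABLED_CONFLICT = "LSA_NB_DISABLED_CONFLICT"
# Placeholder: the section names no flag for a DNS-name collision of a domain information entry.
DNS_NAME_CONFLICT_PLACEHOLDER = "DNS_NAME_CONFLICT (placeholder, not an MS-LSAD flag)"
COLLISION_TDO = "CollisionTdo"
COLLISION_XREF = "CollisionXref"


@dataclass
class DomainInfo:
    """One domain information entry (SID, NetBIOS name, DNS name)."""
    sid: str
    netbios_name: str
    dns_name: str
    enabled: bool = True


@dataclass
class TrustedForest:
    """Domain information held for one TDO (hypothetical model)."""
    tdo_dns_name: str
    domains: list


@dataclass
class Collision:
    index: int
    type: str
    flags: str
    name: str


def canonical(name: str) -> str:
    """Case-insensitive DNS comparison ignoring a single trailing '.'."""
    return (name[:-1] if name.endswith(".") else name).lower()


def conflict_flag(new: DomainInfo, other: DomainInfo):
    """Return the flag for the first rule 'new' violates against 'other', or None."""
    if new.sid == other.sid:
        return LSA_SID_DISABLED_CONFLICT
    if new.netbios_name.upper() == other.netbios_name.upper():  # assumption: case-insensitive
        return LSA_NB_DISABLED_CONFLICT
    if canonical(new.dns_name) == canonical(other.dns_name):
        return DNS_NAME_CONFLICT_PLACEHOLDER
    return None


def domain_info_collisions(new_forest: TrustedForest, existing, forest_domains):
    """Check each caller-supplied domain entry against the current forest and all other TDOs."""
    collisions = []
    for index, entry in enumerate(new_forest.domains):
        if not entry.enabled:
            continue  # disabled entries are not part of the consistency check
        hit = None
        # Internal-to-forest domains first (CollisionXref). Assumption: Name carries the
        # DNS name of the colliding forest domain, since no TDO exists for it.
        for dom in forest_domains:
            flag = conflict_flag(entry, dom)
            if flag:
                hit = Collision(index, COLLISION_XREF, flag, dom.dns_name)
                break
        # Then every other trusted forest (CollisionTdo), skipping its disabled entries.
        for other in existing:
            if hit:
                break
            for dom in other.domains:
                flag = conflict_flag(entry, dom) if dom.enabled else None
                if flag:
                    hit = Collision(index, COLLISION_TDO, flag, other.tdo_dns_name)
                    break
        if hit:
            collisions.append(hit)
    return collisions


def demo():
    """Constructed sample data; SIDs and names are invented for the example."""
    forest_domains = [
        DomainInfo("S-1-5-21-1-1-1", "CONTOSO", "contoso.com"),
        DomainInfo("S-1-5-21-2-2-2", "CHILD", "child.contoso.com"),
    ]
    existing = [TrustedForest("fabrikam.com", [
        DomainInfo("S-1-5-21-3-3-3", "FABRIKAM", "fabrikam.com"),
        DomainInfo("S-1-5-21-4-4-4", "OLDFAB", "old.fabrikam.com", enabled=False),
    ])]
    new_forest = TrustedForest("tailspin.com", [
        DomainInfo("S-1-5-21-5-5-5", "TAILSPIN", "tailspin.com"),        # 0: clean
        DomainInfo("S-1-5-21-1-1-1", "EUTAIL", "eu.tailspin.com"),       # 1: SID of contoso.com
        DomainInfo("S-1-5-21-6-6-6", "Fabrikam", "apac.tailspin.com"),   # 2: NetBIOS name of fabrikam
        DomainInfo("S-1-5-21-7-7-7", "TSCHILD", "Child.Contoso.com."),   # 3: DNS name of a forest domain
        DomainInfo("S-1-5-21-4-4-4", "OLDFAB", "old.fabrikam.com"),      # 4: matches only a disabled entry
    ])
    return domain_info_collisions(new_forest, existing, forest_domains)


if __name__ == "__main__":
    for c in demo():
        print(c)
```

Entries 1, 2 and 3 are reported with the SID, NetBIOS and (placeholder) DNS flags respectively; entry 4 passes because the only matching record in the other forest is disabled.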