3.4.4.2.3.1.9 ActiveDirectoryDomain/Forest

The Forest element contains the FQDN (2) of the forest of which the domain is a member.

 <xs:element name="Forest" nillable="true" type="xs:string" />

The Forest element is populated from the crossRef!dnsRoot attribute on the domain crossRef object ([MS-ADTS] section 6.1.1.2.1.1.4) which meets the following criteria:

  • The crossRef!ncName attribute is equal to the rootDSE!rootDomainNamingContext attribute and the client has access rights to read the attributes.

  • The crossRef!systemFlags attribute's FLAG_CR_NTDS_NC and FLAG_CR_NTDS_DOMAIN bits are set to 1 and the client has access rights to read the attribute. See [MS-ADTS] section 6.1.1.2.1.1.

  • The crossRef!Enabled attribute is not present, is not equal to FALSE, or cannot be read due to the client lacking access rights to read the attribute.

If no crossRef objects satisfy the above requirements, the server returns the SOAP fault described in section 3.4.4.2.8.1. If multiple crossRef objects satisfy the above requirements, then only one of the crossRef objects MUST be chosen, but any of the objects MAY be chosen<33> in constructing the response. If the crossRef!dnsRoot attribute on the chosen crossRef object satisfying the above requirements has multiple values, then only one of the values MUST be chosen, but any of the values MAY be chosen<34> to populate the element. If the crossRef!dnsRoot attribute on the chosen crossRef object satisfying the above requirements is not present or cannot be read due to the client lacking access rights to read the attribute, the server returns a null ActiveDirectoryDomain/Forest element.
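
The selection rules above, including the different outcomes for an attribute that is absent versus one the client cannot read, are shown in the following Python, which is an added example and not part of the specification. The dictionary model of a crossRef object, the `UNREADABLE` sentinel, the `NoForestCrossRef` exception, the function names, the first-match choice and the sample data are all assumptions made for illustration; the two flag values are those defined in [MS-ADTS].

```python
# Added illustration; all names here are hypothetical, not from the specification.
FLAG_CR_NTDS_NC = 0x1        # [MS-ADTS] systemFlags bit
FLAG_CR_NTDS_DOMAIN = 0x2    # [MS-ADTS] systemFlags bit
UNREADABLE = object()        # models an attribute the client lacks rights to read


class NoForestCrossRef(Exception):
    """Stands in for the SOAP fault of section 3.4.4.2.8.1."""


def qualifies(cr, root_domain_nc):
    """Apply the three criteria to one crossRef (absent attributes are missing keys)."""
    nc = cr.get("ncName")
    flags = cr.get("systemFlags")
    # ncName and systemFlags must be readable for their criteria to be met.
    # (DN comparison is simplified to plain string equality here.)
    if nc is None or nc is UNREADABLE or nc != root_domain_nc:
        return False
    if flags is None or flags is UNREADABLE:
        return False
    required = FLAG_CR_NTDS_NC | FLAG_CR_NTDS_DOMAIN
    if flags & required != required:
        return False
    # Enabled fails the check only when it is readable and equal to FALSE.
    return cr.get("Enabled") is not False


def forest_element(cross_refs, root_domain_nc):
    """Return the Forest value, None for a null element, or raise the fault."""
    matches = [cr for cr in cross_refs if qualifies(cr, root_domain_nc)]
    if not matches:
        raise NoForestCrossRef()
    chosen = matches[0]              # any match MAY be chosen; the first is used here
    dns_root = chosen.get("dnsRoot")
    if dns_root is None or dns_root is UNREADABLE or not dns_root:
        return None                  # null ActiveDirectoryDomain/Forest element
    return dns_root[0]               # any value MAY be chosen; the first is used here


# Constructed sample data (not taken from any real directory).
ROOT_NC = "DC=corp,DC=example"
CROSS_REFS = [
    {"ncName": "DC=child,DC=corp,DC=example", "systemFlags": 0x3, "dnsRoot": ["child.corp.example"]},
    {"ncName": ROOT_NC, "systemFlags": 0x1, "dnsRoot": ["partition.corp.example"]},
    {"ncName": ROOT_NC, "systemFlags": 0x3, "Enabled": False, "dnsRoot": ["disabled.example"]},
    {"ncName": ROOT_NC, "systemFlags": 0x3, "Enabled": UNREADABLE,
     "dnsRoot": ["corp.example", "alt.corp.example"]},
]
```

Only the last constructed entry qualifies: an unreadable Enabled attribute does not disqualify a crossRef, whereas an unreadable ncName or systemFlags attribute does.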