6.1.6.9.7 Initialization
Although TDOs replicate normally between peer DCs in a domain, creating or manipulating them is restricted to the LSA Policy APIs, as detailed in [MS-LSAD] section 3.1.1.5. Unlike other objects in the DS, TDOs cannot be created or modified by client machines over the LDAPv3 transport; they can, however, be deleted by client machines over the LDAPv3 transport.
The following trust manipulation remote procedure calls specifically target TDOs and are responsible for creating the special properties detailed in section 6.1.6.7. All are documented in [MS-LSAD] section 3.1.4.
LsarCreateTrustedDomainEx()
LsarDeleteTrustedDomain()
LsarSetTrustedDomainInfoByName()
LsarSetTrustedDomainInformation()
The preceding APIs enforce the following restrictions.
Each TDO corresponds to exactly one trusted domain. The FQDN (2), SID, and NetBIOS name set on the TDO all reference the same domain.
The server verifies that the trust is pointing either to a domain within the forest or a domain outside the forest. The check is performed by verifying whether any other domain within the forest has the SID, DNS name, or NetBIOS name matching the information being set. One of two options is legal:
SID, DNS name, and NetBIOS name all match the same domain within the forest.
No SID, DNS name, or NetBIOS name matches any domain within the forest.
Any other alternative (some information pointing inside the forest and some outside, or information pointing at different domains within the forest) is illegal and causes the server to fail the request.
An attempt by the requester to set the TRUST_ATTRIBUTE_FOREST_TRANSITIVE bit in the trust attributes of the trusted domain object can only succeed if the domain is in a forest functional level of DS_BEHAVIOR_WIN2003 or greater and the server is a domain controller in the root domain of the forest. Failing this, the server rejects the request and does not create the TDO.
An attempt by the requester to set the TRUST_ATTRIBUTE_CROSS_ORGANIZATION bit in the trust attributes of the trusted domain object can only succeed if the domain is in a forest functional level of DS_BEHAVIOR_WIN2003 or greater. Failing this, the server rejects the request and does not create the TDO.
Neither TRUST_ATTRIBUTE_FOREST_TRANSITIVE nor TRUST_ATTRIBUTE_CROSS_ORGANIZATION bits are compatible with the TRUST_ATTRIBUTE_WITHIN_FOREST bit. The server rejects invalid combinations of trust attributes and does not create the TDO.
Uplevel or downlevel trusts that have TRUST_DIRECTION_OUTBOUND as one of the direction bits cannot have a SID of NULL. Attempts to set this combination of parameters cause the server to fail the request.
If the TRUST_ATTRIBUTE_FOREST_TRANSITIVE bit is cleared from a TDO's trustAttributes attribute, all of the forest trust information on that TDO is removed from the TDO's msDS-TrustForestTrustInfo attribute.
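The restrictions listed above, expressed as a runnable model of the server-side checks. This is an example added here, not code from [MS-ADTS], [MS-LSAD] or any Windows implementation. The flag bit values and DS_BEHAVIOR_WIN2003 are the well-known constants from [MS-ADTS] 6.1.6.7; the record shapes (ForestDomain, TrustRequest, ServerContext, TrustedDomainObject), the helper names, and the sample forest, domain names and SIDs are constructed for this illustration and are not part of the specification.

```python
"""Model of the TDO creation/modification checks in [MS-ADTS] 6.1.6.9.7 (added example)."""
from dataclasses import dataclass
from typing import List, Optional

# Flag values from [MS-ADTS] 6.1.6.7 (trustDirection, trustAttributes, forest functional level).
TRUST_DIRECTION_INBOUND = 0x00000001
TRUST_DIRECTION_OUTBOUND = 0x00000002
TRUST_ATTRIBUTE_FOREST_TRANSITIVE = 0x00000008
TRUST_ATTRIBUTE_CROSS_ORGANIZATION = 0x00000010
TRUST_ATTRIBUTE_WITHIN_FOREST = 0x00000020
DS_BEHAVIOR_WIN2003 = 2


@dataclass(frozen=True)
class ForestDomain:
    """A domain already in the local forest (hypothetical record shape)."""
    dns_name: str
    netbios_name: str
    sid: str


@dataclass
class TrustRequest:
    """Identity and flags the caller asks to set on the TDO (hypothetical shape)."""
    dns_name: str
    netbios_name: str
    sid: Optional[str]  # None models a NULL SID
    direction: int
    attributes: int


@dataclass
class ServerContext:
    """What the serving DC knows about its own forest (hypothetical shape)."""
    forest_domains: List[ForestDomain]
    forest_functional_level: int
    is_root_domain_dc: bool


def _find_domain(ctx: ServerContext, attr: str, value: Optional[str]) -> Optional[ForestDomain]:
    """Return the in-forest domain whose `attr` equals `value` (case-insensitive), else None."""
    if value is None:
        return None
    for d in ctx.forest_domains:
        if getattr(d, attr).casefold() == value.casefold():
            return d
    return None


def validate_trust_request(req: TrustRequest, ctx: ServerContext) -> List[str]:
    """Return the list of violated rules; an empty list means the server would accept the request."""
    errors: List[str] = []

    # SID, DNS name and NetBIOS name must all name the same in-forest domain, or none may
    # name any in-forest domain. Any mix is rejected.
    hits = [_find_domain(ctx, "sid", req.sid),
            _find_domain(ctx, "dns_name", req.dns_name),
            _find_domain(ctx, "netbios_name", req.netbios_name)]
    if any(hits) and not (all(hits) and len(set(hits)) == 1):
        errors.append("SID/DNS/NetBIOS do not consistently name one in-forest or one outside domain")

    # FOREST_TRANSITIVE requires FFL >= DS_BEHAVIOR_WIN2003 and a DC in the forest root domain.
    if req.attributes & TRUST_ATTRIBUTE_FOREST_TRANSITIVE:
        if ctx.forest_functional_level < DS_BEHAVIOR_WIN2003:
            errors.append("FOREST_TRANSITIVE requires forest functional level >= DS_BEHAVIOR_WIN2003")
        if not ctx.is_root_domain_dc:
            errors.append("FOREST_TRANSITIVE can only be set by a DC in the forest root domain")

    # CROSS_ORGANIZATION requires FFL >= DS_BEHAVIOR_WIN2003.
    if (req.attributes & TRUST_ATTRIBUTE_CROSS_ORGANIZATION
            and ctx.forest_functional_level < DS_BEHAVIOR_WIN2003):
        errors.append("CROSS_ORGANIZATION requires forest functional level >= DS_BEHAVIOR_WIN2003")

    # WITHIN_FOREST is incompatible with both of the above.
    incompatible = TRUST_ATTRIBUTE_FOREST_TRANSITIVE | TRUST_ATTRIBUTE_CROSS_ORGANIZATION
    if req.attributes & TRUST_ATTRIBUTE_WITHIN_FOREST and req.attributes & incompatible:
        errors.append("WITHIN_FOREST is incompatible with FOREST_TRANSITIVE and CROSS_ORGANIZATION")

    # A trust with the OUTBOUND direction bit cannot have a NULL SID.
    if req.direction & TRUST_DIRECTION_OUTBOUND and req.sid is None:
        errors.append("outbound trusts cannot have a NULL SID")

    return errors


@dataclass
class TrustedDomainObject:
    """Minimal TDO: trustAttributes plus the msDS-TrustForestTrustInfo value (None if absent)."""
    trust_attributes: int
    forest_trust_info: Optional[bytes]


def set_trust_attributes(tdo: TrustedDomainObject, new_attributes: int) -> TrustedDomainObject:
    """Clearing FOREST_TRANSITIVE also removes the stored msDS-TrustForestTrustInfo."""
    was_set = bool(tdo.trust_attributes & TRUST_ATTRIBUTE_FOREST_TRANSITIVE)
    now_set = bool(new_attributes & TRUST_ATTRIBUTE_FOREST_TRANSITIVE)
    if was_set and not now_set:
        tdo.forest_trust_info = None
    tdo.trust_attributes = new_attributes
    return tdo


# Constructed sample forest and requests (names and SIDs are made up for the example).
FOREST = [ForestDomain("contoso.example", "CONTOSO", "S-1-5-21-1000-2000-3000"),
          ForestDomain("child.contoso.example", "CHILD", "S-1-5-21-1000-2000-4000")]
ROOT_DC = ServerContext(FOREST, DS_BEHAVIOR_WIN2003, is_root_domain_dc=True)
CHILD_DC = ServerContext(FOREST, DS_BEHAVIOR_WIN2003, is_root_domain_dc=False)
BOTH = TRUST_DIRECTION_INBOUND | TRUST_DIRECTION_OUTBOUND
EXTERNAL_FOREST = TrustRequest("fabrikam.example", "FABRIKAM", "S-1-5-21-7000-8000-9000",
                               BOTH, TRUST_ATTRIBUTE_FOREST_TRANSITIVE)
MIXED_IDENTITY = TrustRequest("fabrikam.example", "FABRIKAM", "S-1-5-21-1000-2000-4000", BOTH, 0)
NULL_SID_OUTBOUND = TrustRequest("fabrikam.example", "FABRIKAM", None, TRUST_DIRECTION_OUTBOUND, 0)
BAD_COMBINATION = TrustRequest("child.contoso.example", "CHILD", "S-1-5-21-1000-2000-4000", BOTH,
                               TRUST_ATTRIBUTE_WITHIN_FOREST | TRUST_ATTRIBUTE_FOREST_TRANSITIVE)

if __name__ == "__main__":
    for name, req in [("external forest trust", EXTERNAL_FOREST), ("mixed identity", MIXED_IDENTITY),
                      ("null SID outbound", NULL_SID_OUTBOUND), ("bad combination", BAD_COMBINATION)]:
        print(f"{name}: {validate_trust_request(req, ROOT_DC) or 'accepted'}")
```

Running the module prints one line per sample request; only the external forest trust issued from the root-domain DC is accepted. The same EXTERNAL_FOREST request evaluated against CHILD_DC fails the root-domain check, which is the distinction a reviewer of trust-creation events would look for when an unexpected forest trust appears.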