6.1.6.9.4 Computation of trustPosixOffset

When a new TDO is created, a POSIX offset is computed and assigned to the new TDO's trustPosixOffset attribute. This is done by retrieving the values of the trustPosixOffset attribute of all of the existing outgoing Windows trusts (both TRUST_TYPE_UPLEVEL and TRUST_TYPE_DOWNLEVEL). These values are then sorted. Finally, the range of numbers is searched starting from 1, looking for the next unused valid POSIX offset. The selection process excludes the following values, which are reserved for well-known identities.

| Value  | Description                  |
|--------|------------------------------|
| 0x0800 | Reserved for built-in domain |
| 0x4000 | Reserved for account domain  |
| 0xC000 | Reserved for primary domain  |

The selection process happens only on the DC that possesses the PDC FSMO role. If the trust creation happens on another DC, the trustPosixOffset value is set to 0 and is computed using the logic above when the TDO replicates to the PDC FSMO role owner. This keeps TDOs from having matching POSIX offsets, which could result in collisions of UIDs and GIDs.
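
The selection and the PDC-only rule described above, as an added Python sketch that is not part of the specification, together with an audit pass that flags duplicate, reserved, or still-zero offsets. The dict layout, the function names, and the reading of candidates as the plain integers 1, 2, 3, ... are assumptions; the trustType and trustDirection constants are the MS-ADTS values.

```python
from collections import Counter

# Added illustration. The dict layout and function names are assumptions;
# candidates are treated as plain integers 1, 2, 3, ... as the text reads.
TRUST_TYPE_DOWNLEVEL, TRUST_TYPE_UPLEVEL = 0x1, 0x2  # MS-ADTS trustType values
TRUST_DIRECTION_OUTBOUND = 0x2                       # MS-ADTS trustDirection bit
RESERVED = {0x0800: "built-in domain", 0x4000: "account domain", 0xC000: "primary domain"}

def used_offsets(tdos):
    """Sorted trustPosixOffset values of existing outgoing Windows trusts."""
    return sorted(
        t["trustPosixOffset"] for t in tdos
        if t["trustType"] in (TRUST_TYPE_UPLEVEL, TRUST_TYPE_DOWNLEVEL)
        and t["trustDirection"] & TRUST_DIRECTION_OUTBOUND
    )

def next_posix_offset(tdos):
    """Lowest integer >= 1 that is neither in use nor reserved."""
    taken = set(used_offsets(tdos)) | set(RESERVED)
    candidate = 1
    while candidate in taken:
        candidate += 1
    return candidate

def assign_offset(new_tdo, tdos, is_pdc_fsmo_owner):
    """Only the PDC FSMO role owner computes; any other DC stores 0."""
    new_tdo["trustPosixOffset"] = next_posix_offset(tdos) if is_pdc_fsmo_owner else 0
    return new_tdo["trustPosixOffset"]

def audit(tdos):
    """Findings a defender would check: duplicate, reserved, or still-0 offsets."""
    findings = []
    for value, n in sorted(Counter(used_offsets(tdos)).items()):
        if value == 0:
            findings.append(f"{n} TDO(s) still at 0 (not yet computed by the PDC)")
        elif value in RESERVED:
            findings.append(f"0x{value:04X} is reserved for the {RESERVED[value]}")
        elif n > 1:
            findings.append(f"0x{value:04X} shared by {n} TDOs (UID/GID collision risk)")
    return findings

# Constructed sample: three outgoing Windows trusts plus one MIT trust
# (trustType 0x3), which the selection ignores.
SAMPLE = [
    {"name": "a.example", "trustType": 0x2, "trustDirection": 0x3, "trustPosixOffset": 1},
    {"name": "b.example", "trustType": 0x1, "trustDirection": 0x2, "trustPosixOffset": 2},
    {"name": "c.example", "trustType": 0x2, "trustDirection": 0x2, "trustPosixOffset": 4},
    {"name": "MIT.EXAMPLE", "trustType": 0x3, "trustDirection": 0x2, "trustPosixOffset": 3},
]
```

Running audit over the TDOs read from a directory export shows whether any trust created away from the PDC FSMO role owner is still waiting for its offset, or whether two trusts ended up sharing one.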