3.1.4.7.18 LsarQueryForestTrustInformation2 (Opnum 132)

The LsarQueryForestTrustInformation2 method is invoked to retrieve information about a trust relationship with another forest.<110>

 NTSTATUS 
 LsarQueryForestTrustInformation2(
   [in] LSAPR_HANDLE PolicyHandle,
   [in] PLSA_UNICODE_STRING TrustedDomainName,
   [in] LSA_FOREST_TRUST_RECORD_TYPE HighestRecordType,
   [out] PLSA_FOREST_TRUST_INFORMATION2* ForestTrustInfo2
 );

PolicyHandle: An RPC context handle obtained from either the LsarOpenPolicy (section 3.1.4.4.2) or LsarOpenPolicy2 (section 3.1.4.4.1) method.

TrustedDomainName: The name of the trusted domain to query.

HighestRecordType: The highest ordinal number of forest trust record type that the caller understands.

ForestTrustInfo2: Used to return the forest trust information.

Return Values: The following is a summary of the return values that an implementation MUST return, as specified by the message processing that follows.

Return value/code                          Description
0x00000000  STATUS_SUCCESS                 The request was successfully completed.
0xC0000022  STATUS_ACCESS_DENIED           The caller does not have the permissions to perform this operation.
0xC000000D  STATUS_INVALID_PARAMETER       One of the supplied arguments was invalid.
0xC00000DD  STATUS_INVALID_DOMAIN_STATE    The domain is in the wrong state for this operation.
0xC00000DF  STATUS_NO_SUCH_DOMAIN          The TrustedDomainName is not a recognized domain name.
0xC0000008  STATUS_INVALID_HANDLE          PolicyHandle is not a valid handle.
0xC0000225  STATUS_NOT_FOUND               Forest trust information does not exist for this trusted domain object.

Processing instructions:

This message takes four arguments:

PolicyHandle: An open handle to the policy object. If the handle is not a valid context handle to the policy object or PolicyHandle.HandleType does not equal "Policy", the server MUST return STATUS_INVALID_HANDLE. PolicyHandle.GrantedAccess MUST NOT be considered for this call because the access check MUST happen on the trusted domain object.

TrustedDomainName: The name of the trusted domain object to query.

The server MUST return STATUS_INVALID_DOMAIN_STATE if any of the following conditions are TRUE:

  • The DnsForestName and DnsDomainName fields in DNS Domain Information (section 3.1.1.1) do not contain the same value.

  • The forestFunctionality specified in [MS-ADTS] section 3.1.1.3.2.27 is not DS_BEHAVIOR_WIN2003 or higher.

  • Active Directory is not running on this machine.

If a trusted domain object named TrustedDomainName does not exist, the server MUST return STATUS_NO_SUCH_DOMAIN.

HighestRecordType: The caller sets this argument to the highest LSA_FOREST_TRUST_RECORD_TYPE enum value (section 2.2.7.22) recognized by the caller.

ForestTrustInfo2: Used to return the forest trust information associated with the trusted domain object. This corresponds to the Forest Trust Information abstract data model specified in section 3.1.1.5. If any of the forest trust info records in the data model are of a type that is greater than HighestRecordType, these records MUST be returned to the caller as ForestTrustBinaryInfo records.

If the trusted domain object is not of the type that supports a forest trust (as determined by the presence or absence of the TRUST_ATTRIBUTE_FOREST_TRANSITIVE attribute), the server MUST return STATUS_INVALID_PARAMETER. If the forest trust information does not exist on a trusted domain object that otherwise can support a forest trust, the server MUST return STATUS_NOT_FOUND.

The server MUST verify that the caller has access to the trusted domain object as specified in section 3.1.4.2.1 with DesiredAccess set to TRUSTED_QUERY_AUTH (section 2.2.1.1.5). There is no method-specific portion of this check.
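The processing rules above are easiest to reason about as one decision procedure: handle validation, domain-state checks, TDO lookup, TDO type and content checks, the TRUSTED_QUERY_AUTH access check on the TDO, and finally the HighestRecordType downgrade of newer records to ForestTrustBinaryInfo. The following Python model replays those rules in the order the text gives them against constructed in-memory state. It is an added illustration, not Microsoft's implementation or code from this specification: the policy handle table, the trusted domain object and the access check are simplified stand-ins, the sample state is constructed, and the numeric values of TRUSTED_QUERY_AUTH, TRUST_ATTRIBUTE_FOREST_TRANSITIVE, DS_BEHAVIOR_WIN2003 and the LSA_FOREST_TRUST_RECORD_TYPE members are taken from the cited sections rather than from this page and should be treated as assumptions. The wire-level encoding of a downgraded record (the union arm in LSA_FOREST_TRUST_RECORD2) is not modelled; the record is simply retagged and its payload carried as opaque bytes.

```python
"""Decision model for LsarQueryForestTrustInformation2 (MS-LSAD 3.1.4.7.18).
Added example, not Microsoft's code. Policy handles, TDOs and the access check
are simplified stand-ins; constants not printed on this page are marked below."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional

# NTSTATUS values as listed in this section's return-value table.
STATUS_SUCCESS = 0x00000000
STATUS_INVALID_HANDLE = 0xC0000008
STATUS_INVALID_PARAMETER = 0xC000000D
STATUS_ACCESS_DENIED = 0xC0000022
STATUS_INVALID_DOMAIN_STATE = 0xC00000DD
STATUS_NO_SUCH_DOMAIN = 0xC00000DF
STATUS_NOT_FOUND = 0xC0000225

# Assumed values, from the cited sections (MS-LSAD 2.2.1.1.5, MS-ADTS), not from this page.
TRUSTED_QUERY_AUTH = 0x00000040
TRUST_ATTRIBUTE_FOREST_TRANSITIVE = 0x00000008
DS_BEHAVIOR_WIN2003 = 2


class RecordType(IntEnum):
    """LSA_FOREST_TRUST_RECORD_TYPE (section 2.2.7.22); numeric values assumed."""
    ForestTrustTopLevelName = 0
    ForestTrustTopLevelNameEx = 1
    ForestTrustDomainInfo = 2
    ForestTrustBinaryInfo = 3
    ForestTrustScannerInfo = 4


@dataclass
class ForestTrustRecord:
    record_type: int
    data: bytes  # record payload, opaque to this model


@dataclass
class TrustedDomainObject:
    trust_attributes: int
    forest_trust_info: Optional[list] = None  # None: no forest trust info stored on the TDO
    granted_access: int = 0                   # access mask the caller holds on the TDO (stand-in)


@dataclass
class LsaServer:
    dns_domain_name: str
    dns_forest_name: str
    forest_functionality: int
    ad_running: bool
    handles: dict = field(default_factory=dict)  # context handle -> HandleType
    tdos: dict = field(default_factory=dict)     # lower-cased TDO name -> TrustedDomainObject


def query_forest_trust_information2(server, policy_handle, trusted_domain_name, highest_record_type):
    """Return (NTSTATUS, list of records or None), applying the checks in the text's order."""
    # PolicyHandle must be a live context handle with HandleType "Policy".
    # PolicyHandle.GrantedAccess is deliberately not consulted; access is checked on the TDO.
    if server.handles.get(policy_handle) != "Policy":
        return STATUS_INVALID_HANDLE, None
    # Forest root DC, forest functional level >= DS_BEHAVIOR_WIN2003, AD running.
    if (server.dns_domain_name.lower() != server.dns_forest_name.lower()
            or server.forest_functionality < DS_BEHAVIOR_WIN2003
            or not server.ad_running):
        return STATUS_INVALID_DOMAIN_STATE, None
    tdo = server.tdos.get(trusted_domain_name.lower())
    if tdo is None:
        return STATUS_NO_SUCH_DOMAIN, None
    # Only a forest-transitive TDO can carry forest trust information.
    if not tdo.trust_attributes & TRUST_ATTRIBUTE_FOREST_TRANSITIVE:
        return STATUS_INVALID_PARAMETER, None
    if tdo.forest_trust_info is None:
        return STATUS_NOT_FOUND, None
    # Access check against the TDO with DesiredAccess = TRUSTED_QUERY_AUTH (section 3.1.4.2.1).
    if not tdo.granted_access & TRUSTED_QUERY_AUTH:
        return STATUS_ACCESS_DENIED, None
    # Records of a type newer than the caller understands go back as ForestTrustBinaryInfo.
    result = []
    for rec in tdo.forest_trust_info:
        if rec.record_type > highest_record_type:
            result.append(ForestTrustRecord(RecordType.ForestTrustBinaryInfo, rec.data))
        else:
            result.append(rec)
    return STATUS_SUCCESS, result


def build_sample_server():
    """Constructed sample state (not captured from a real domain controller)."""
    srv = LsaServer("corp.example", "corp.example", DS_BEHAVIOR_WIN2003, True)
    srv.handles["h-policy"] = "Policy"
    srv.handles["h-account"] = "Account"
    records = [
        ForestTrustRecord(RecordType.ForestTrustTopLevelName, b"partner.example"),
        ForestTrustRecord(RecordType.ForestTrustDomainInfo, b"<sid, dns name, netbios name>"),
        ForestTrustRecord(RecordType.ForestTrustScannerInfo, b"<scanner data>"),
    ]
    srv.tdos["partner.example"] = TrustedDomainObject(TRUST_ATTRIBUTE_FOREST_TRANSITIVE, records, TRUSTED_QUERY_AUTH)
    srv.tdos["noinfo.example"] = TrustedDomainObject(TRUST_ATTRIBUTE_FOREST_TRANSITIVE, None, TRUSTED_QUERY_AUTH)
    srv.tdos["external.example"] = TrustedDomainObject(0, None, TRUSTED_QUERY_AUTH)
    srv.tdos["locked.example"] = TrustedDomainObject(TRUST_ATTRIBUTE_FOREST_TRANSITIVE, records, 0)
    return srv


if __name__ == "__main__":
    srv = build_sample_server()
    # A caller that only knows up to ForestTrustDomainInfo receives the scanner record as binary info.
    status, info = query_forest_trust_information2(srv, "h-policy", "partner.example", RecordType.ForestTrustDomainInfo)
    print(hex(status), [(RecordType(r.record_type).name, r.data) for r in info])
```

Two points worth noticing when stepping through the model. First, because the checks follow the order in which the text lists them, a caller without TRUSTED_QUERY_AUTH on the TDO still receives STATUS_NO_SUCH_DOMAIN, STATUS_INVALID_PARAMETER or STATUS_NOT_FOUND before the access check is reached; whether a real server orders its checks exactly this way is not something this page states as a normative sequence, so treat that as a property of the model. Second, the downgrade is driven purely by the comparison against HighestRecordType, so a caller that advertises a HighestRecordType below ForestTrustBinaryInfo is, by the rule as written, handed ForestTrustBinaryInfo records it has declared it does not understand; a client should therefore advertise at least that value.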