3.5.4.7.4 NetrGetForestTrustInformation (Opnum 44)

  • Article

The NetrGetForestTrustInformation method SHOULD<230> retrieve the trust information for the forest of which the member's domain is itself a member. 

 NTSTATUS NetrGetForestTrustInformation(
   [in, unique, string] LOGONSRV_HANDLE ServerName,
   [in, string] wchar_t* ComputerName,
   [in] PNETLOGON_AUTHENTICATOR Authenticator,
   [out] PNETLOGON_AUTHENTICATOR ReturnAuthenticator,
   [in] DWORD Flags,
   [out] PLSA_FOREST_TRUST_INFORMATION* ForestTrustInfo
 );

ServerName: The custom binding handle, as defined in section 3.5.4.1.

ComputerName: The null-terminated Unicode string that contains the client computer NetBIOS name.

Authenticator: A pointer to a NETLOGON_AUTHENTICATOR structure, as specified in section 2.2.1.1.5, that contains the client authenticator.

ReturnAuthenticator: A pointer to a NETLOGON_AUTHENTICATOR structure, as specified in section 2.2.1.1.5, that contains the server return authenticator.

Flags: MUST be set to zero and MUST be ignored on receipt.

ForestTrustInfo: A pointer to an LSA_FOREST_TRUST_INFORMATION structure, as specified in [MS-LSAD] section 2.2.7.25, that contains data for each forest trust.

Return Values: The method returns 0x00000000 on success; otherwise, it returns a nonzero error code.

On receiving this call, the server MUST perform the following validation steps:

  • Apply Common Error Processing Rule A, specified in section 3.

  • Using the ComputerName for the secure channel to find the corresponding record in the ClientSessionInfo table, verify the Authenticator parameter (section 3.1.4.5). If the Authenticator parameter is valid, compute the ReturnAuthenticator parameter returned (section 3.1.4.5). Otherwise, the server MUST return STATUS_ACCESS_DENIED.

  • Ensure that the caller is a DC in a different domain by checking that the SecureChannelType from ChallengeTable is TrustedDnsDomainSecureChannel or TrustedDomainSecureChannel. For all other types, this call MUST return STATUS_NOT_IMPLEMENTED.

  • Apply Common Error Processing Rule B, specified in section 3, to the ServerName parameter.

The forest trust information for the domain hosted by ServerName MUST be returned.

This method SHOULD only be called by a machine that has established a secure channel with the server.