3.5.4.7.1 DsrEnumerateDomainTrusts (Opnum 40)

The DsrEnumerateDomainTrusts method SHOULD<227> return an enumerated list of domain trusts, filtered by a set of flags, from the specified server.

 NET_API_STATUS DsrEnumerateDomainTrusts(
   [in, unique, string] LOGONSRV_HANDLE ServerName,
   [in] ULONG Flags,
   [out] PNETLOGON_TRUSTED_DOMAIN_ARRAY Domains
 );

ServerName: The custom binding handle, as defined in section 3.5.4.1.

Flags: A set of bit flags that specify properties that MUST be true for a domain trust to be part of the returned domain name list. A flag is TRUE (or set) if its value is equal to 1. Flags MUST contain one or more of the following bits.

  0 1 2 3 4 5 6 7 8 9 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
                      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
  0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 F E D C B A

Where the bits are defined as (the diagram follows the convention that the leftmost position is the most significant bit, so A is the low-order bit of Flags):

Value             Description
A (0x00000001)    Domain is a member of the forest.
B (0x00000002)    Domain is directly trusted by this domain.
C (0x00000004)    Domain is the root of a domain tree in the forest.
D (0x00000008)    Domain is the primary domain of the queried server.
E (0x00000010)    Primary domain is running in native mode.
F (0x00000020)    Domain directly trusts this domain.

All other bits MUST be set to zero.

Domains: A pointer to a NETLOGON_TRUSTED_DOMAIN_ARRAY structure, as specified in section 2.2.1.6.3, that contains a list of trusted domains.

Return Values: The method returns 0x00000000 on success; otherwise, it SHOULD return one of the following error codes.

Return Value/Code                        Description
0x0000051F ERROR_NO_LOGON_SERVERS        There are currently no logon servers available to service the logon request.
0x000006FA ERROR_NO_TRUST_LSA_SECRET     The workstation does not have a trust secret.
0x000006FB ERROR_NO_TRUST_SAM_ACCOUNT    The security database on the server does not have a computer account for this workstation trust relationship.

Note that the processing rules below also produce ERROR_INVALID_FLAGS (for an invalid Flags value) and ERROR_INVALID_COMPUTERNAME (for a ServerName that does not match the server), and that any error returned by the NetrLogonGetDomainInfo call is passed through to the caller.

On receiving this call, the server MUST perform the following validation step:

  • The Flags parameter MUST be checked to verify that at least one of the valid bits (A through F) is set. All other bits (positions 0 through 25 in the bit diagram, that is, every bit of Flags outside the low-order six) MUST be zero. The server MUST return ERROR_INVALID_FLAGS if there are invalid bits present.

If the ServerName parameter is not NULL, it is compared against the server's computer name. If the ServerName parameter does not match the server's computer name, the server MUST return ERROR_INVALID_COMPUTERNAME. If the ServerName parameter matches the server's computer name or the ServerName parameter is NULL, then processing proceeds.

If the server is not a DC (section 3.1.4.8), the server calls NetrLogonGetDomainInfo to a DC in its domain, with the following parameters:

  • The WkstaBuffer parameter is a NETLOGON_WORKSTATION_INFO (section 2.2.1.3.6) structure with the following elements:

    • NETLOGON_WORKSTATION_INFO.LsaPolicy.LsaPolicySize is set to 0.

    • NETLOGON_WORKSTATION_INFO.LsaPolicy.LsaPolicy is set to NULL.

    • NETLOGON_WORKSTATION_INFO.WorkStationFlags has the A flag set.

    • NETLOGON_WORKSTATION_INFO.DnsHostName set to the DNS computer name.

  • Level MUST be set to 0x1.

If the server is a domain controller (section 3.1.4.8), it MUST perform behavior equivalent to locally invoking NetrLogonGetDomainInfo with the previously defined parameters.

If the call returns any error code other than STATUS_SUCCESS, the server MUST return that error code and no further processing occurs.

If the call returns STATUS_SUCCESS, the server MUST use the returned domains in the DomBuffer.TrustedDomains parameter to build and return an array of DS_DOMAIN_TRUSTSW structures from the NETLOGON_ONE_DOMAIN_INFO structures as follows:

  • If the primary domain is determined not to be running in mixed mode ([MS-ADTS] section 6.1.4.1) and the E bit is set in the Flags parameter, the server MUST include the primary domain (DomBuffer.PrimaryDomain) in the returned array.

  • For each element of DomBuffer.TrustedDomains, if the bitwise AND of the Flags parameter and the Flags value carried in bytes 0–3 of that element's TrustExtension (Flags & TrustExtension[0-3]) is nonzero, the server MUST include the domain in the returned array.

  • For each element to be included in the returned array, each field of the NETLOGON_ONE_DOMAIN_INFO structure listed in the first column of the following table is copied to the field of the DS_DOMAIN_TRUSTSW structure listed on the same line in the second column:

    NETLOGON_ONE_DOMAIN_INFO element       DS_DOMAIN_TRUSTSW element
    DomainName                             NetBiosDomainName
    DnsDomainName                          DnsDomainName
    DomainGuid                             DomainGuid
    DomainSid                              DomainSid
    Bytes 0 – 3 of TrustExtension          Flags
    Bytes 4 – 7 of TrustExtension          ParentIndex
    Bytes 8 – 11 of TrustExtension         TrustType
    Bytes 12 – 15 of TrustExtension        TrustAttributes
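The validation step and the array-building steps above, modelled in Python as an added example; this is not code from MS-NRPC or from any Windows implementation. The NetrLogonGetDomainInfo call is stood in for by passing DomBuffer.PrimaryDomain and DomBuffer.TrustedDomains directly; the DS_DOMAIN_* constant names are taken from the Win32 DsEnumerateDomainTrusts API and are an assumption (the section labels the bits only A through F); the sample forest with its names, GUIDs and SIDs is constructed; the ServerName comparison is done case-insensitively; and rejecting Flags == 0 with ERROR_INVALID_FLAGS is an interpretation of the "at least one valid bit" requirement.

```python
# Added example: the validation and array-building steps of DsrEnumerateDomainTrusts
# modelled in Python. Constructed for illustration; not code from MS-NRPC or Windows.
import struct
from dataclasses import dataclass

# Flag bits A..F from the Flags bit diagram; A is the least significant bit.
# The DS_DOMAIN_* names are the Win32 DsEnumerateDomainTrusts constants and are
# an assumption here; the section itself only labels the bits A through F.
DS_DOMAIN_IN_FOREST       = 0x01  # A
DS_DOMAIN_DIRECT_OUTBOUND = 0x02  # B
DS_DOMAIN_TREE_ROOT       = 0x04  # C
DS_DOMAIN_PRIMARY         = 0x08  # D
DS_DOMAIN_NATIVE_MODE     = 0x10  # E
DS_DOMAIN_DIRECT_INBOUND  = 0x20  # F
VALID_FLAGS               = 0x3F  # every other bit MUST be zero

ERROR_SUCCESS              = 0x00000000
ERROR_INVALID_FLAGS        = 0x000003EC
ERROR_INVALID_COMPUTERNAME = 0x000004BA


@dataclass
class OneDomainInfo:
    # NETLOGON_ONE_DOMAIN_INFO fields used by the mapping table. TrustExtension is
    # the 16-byte buffer: Flags, ParentIndex, TrustType, TrustAttributes (LE ULONGs).
    DomainName: str
    DnsDomainName: str
    DomainGuid: str
    DomainSid: str
    TrustExtension: bytes


@dataclass
class DsDomainTrustsW:
    # DS_DOMAIN_TRUSTSW as assembled by the server.
    NetBiosDomainName: str
    DnsDomainName: str
    Flags: int
    ParentIndex: int
    TrustType: int
    TrustAttributes: int
    DomainSid: str
    DomainGuid: str


def pack_trust_extension(flags, parent_index, trust_type, trust_attributes):
    """Bytes 0-3, 4-7, 8-11 and 12-15 of TrustExtension."""
    return struct.pack("<IIII", flags, parent_index, trust_type, trust_attributes)


def unpack_trust_extension(ext):
    if len(ext) < 16:
        raise ValueError("TrustExtension must carry at least 16 bytes")
    return struct.unpack("<IIII", ext[:16])


def to_ds_domain_trust(info):
    """Apply the NETLOGON_ONE_DOMAIN_INFO -> DS_DOMAIN_TRUSTSW mapping table."""
    flags, parent, ttype, tattr = unpack_trust_extension(info.TrustExtension)
    return DsDomainTrustsW(info.DomainName, info.DnsDomainName, flags, parent,
                           ttype, tattr, info.DomainSid, info.DomainGuid)


def dsr_enumerate_domain_trusts(server_name, flags, computer_name, primary,
                                trusted, primary_in_mixed_mode):
    """Returns (status, Domains). The NetrLogonGetDomainInfo call is stood in for
    by passing DomBuffer.PrimaryDomain and DomBuffer.TrustedDomains directly."""
    # Validation step: any bit outside A..F is invalid. Flags == 0 sets none of
    # the required bits and is rejected the same way (an interpretation).
    if flags & ~VALID_FLAGS or flags == 0:
        return ERROR_INVALID_FLAGS, []
    # ServerName, when supplied, MUST match the server's own computer name
    # (compared case-insensitively here).
    if server_name is not None and server_name.casefold() != computer_name.casefold():
        return ERROR_INVALID_COMPUTERNAME, []
    result = []
    # Primary domain: only when E is requested and it is not in mixed mode.
    if not primary_in_mixed_mode and flags & DS_DOMAIN_NATIVE_MODE:
        result.append(to_ds_domain_trust(primary))
    # Trusted domains: included when Flags & TrustExtension[0-3] is nonzero.
    for info in trusted:
        if flags & unpack_trust_extension(info.TrustExtension)[0]:
            result.append(to_ds_domain_trust(info))
    return ERROR_SUCCESS, result


def sample_forest():
    """Constructed sample (not captured from a real forest): server DC01 in CORP,
    one child domain, one outbound and one inbound external trust. TrustType 2 and
    TrustAttributes 0x20 are the usual uplevel / within-forest values."""
    def dom(nb, dns, n, sid, ext_flags, attrs):
        return OneDomainInfo(nb, dns, "{00000000-0000-0000-0000-%012d}" % n, sid,
                             pack_trust_extension(ext_flags, 0, 2, attrs))
    primary = dom("CORP", "corp.example", 1, "S-1-5-21-100-200-300",
                  DS_DOMAIN_IN_FOREST | DS_DOMAIN_TREE_ROOT | DS_DOMAIN_PRIMARY, 0x20)
    trusted = [
        dom("CHILD", "child.corp.example", 2, "S-1-5-21-100-200-301",
            DS_DOMAIN_IN_FOREST | DS_DOMAIN_DIRECT_OUTBOUND | DS_DOMAIN_DIRECT_INBOUND, 0x20),
        dom("PARTNER", "partner.example", 3, "S-1-5-21-400-500-600", DS_DOMAIN_DIRECT_OUTBOUND, 0),
        dom("UPSTREAM", "upstream.example", 4, "S-1-5-21-700-800-900", DS_DOMAIN_DIRECT_INBOUND, 0),
    ]
    return "DC01", primary, trusted
```

Calling dsr_enumerate_domain_trusts(None, DS_DOMAIN_NATIVE_MODE | DS_DOMAIN_DIRECT_INBOUND, *sample_forest(), primary_in_mixed_mode=False) returns CORP (added by the E rule), CHILD and UPSTREAM (both carry F in their TrustExtension Flags) but not PARTNER, whose outbound-only trust has no bit in common with the request. When reading enumeration output this is the filter to keep in mind: B and F select by trust direction, so a query with both set lists every directly trusting and trusted domain, while A alone omits external trusts entirely.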