6.1.6.7.9 trustAttributes

Note: Some of the information in this section is subject to change because it applies to an unreleased, preliminary version of the Windows Server operating system, and thus may differ from the final version of the server software when released. All behavior notes that pertain to the unreleased, preliminary version of the Windows Server operating system contain specific references to Windows Server 2016 Technical Preview in the Product Behavior appendix.

The trustAttributes attribute contains the value of a trust relationship. This value corresponds to the TrustAttributes field detailed in the LSAPR_TRUSTED_DOMAIN_INFORMATION_EX structure ([MS-LSAD] section 2.2.7.9). The flags in the following diagram are presented in big-endian byte order.

Bit positions in the diagram run from 0 (most significant bit, 0x80000000) to 31 (least significant bit, 0x00000001):

    Bits  0-7   R     (reserved)
    Bits  8-9   O     (obsolete)
    Bits 10-20  R     (reserved)
    Bit  21     TAPT
    Bit  22     TANC
    Bit  23     R     (reserved)
    Bit  24     TARC
    Bit  25     TATE
    Bit  26     TAWF
    Bit  27     TACO
    Bit  28     TAFT
    Bit  29     TAQD
    Bit  30     TAUO
    Bit  31     TANT

These flags have the following meaning.

Name and value: TANT (TRUST_ATTRIBUTE_NON_TRANSITIVE), 0x00000001
Description and restrictions/special notes: If this bit is set, then the trust cannot be used transitively. For example, if domain A trusts domain B, which in turn trusts domain C, and the A<-->B trust has this attribute set, then a client in domain A cannot authenticate to a server in domain C over the A<-->B<-->C trust linkage.

Name and value: TAUO (TRUST_ATTRIBUTE_UPLEVEL_ONLY), 0x00000002
Description and restrictions/special notes: If this bit is set in the attribute, then only Windows 2000 operating system and newer clients may use the trust link. Netlogon does not consume trust objects that have this flag set.

Name and value: TAQD (TRUST_ATTRIBUTE_QUARANTINED_DOMAIN), 0x00000004
Description and restrictions/special notes: If this bit is set, the trusted domain is quarantined and is subject to the rules of SID Filtering as described in [MS-PAC] section 4.1.2.2.

Name and value: TAFT (TRUST_ATTRIBUTE_FOREST_TRANSITIVE), 0x00000008
Description and restrictions/special notes: If this bit is set, the trust link is a cross-forest trust [MS-KILE] between the root domains of two forests, both of which are running in a forest functional level of DS_BEHAVIOR_WIN2003 or greater.
- Only evaluated on Windows Server 2003 operating system, Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, Windows Server 2012 R2 operating system, and Windows Server 2016 Technical Preview operating system.
- Can only be set if the forest and the trusted forest are running in a forest functional level of DS_BEHAVIOR_WIN2003 or greater.

Name and value: TACO (TRUST_ATTRIBUTE_CROSS_ORGANIZATION), 0x00000010
Description and restrictions/special notes: If this bit is set, then the trust is to a domain or forest that is not part of the organization. The behavior controlled by this bit is explained in [MS-KILE] section 3.3.5.7.5 and [MS-APDS] section 3.1.5.
- Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview.
- Can only be set if the forest and the trusted forest are running in a forest functional level of DS_BEHAVIOR_WIN2003 or greater.

Name and value: TAWF (TRUST_ATTRIBUTE_WITHIN_FOREST), 0x00000020
Description and restrictions/special notes: If this bit is set, then the trusted domain is within the same forest.
- Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview.

Name and value: TATE (TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL), 0x00000040
Description and restrictions/special notes: If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are more stringently filtered than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts. For more information on how each trust type is filtered, see [MS-PAC] section 4.1.2.2.
- Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview.
- Only evaluated if SID Filtering is used.
- Only evaluated on cross-forest trusts having TRUST_ATTRIBUTE_FOREST_TRANSITIVE.
- Can only be set if the forest and the trusted forest are running in a forest functional level of DS_BEHAVIOR_WIN2003 or greater.

Name and value: TARC (TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION), 0x00000080
Description and restrictions/special notes: This bit is set on trusts with the trustType set to TRUST_TYPE_MIT, which are capable of using RC4 keys. Historically, MIT Kerberos distributions supported only DES and 3DES keys ([RFC4120], [RFC3961]). MIT 1.4.1 adopted the RC4HMAC encryption type common to Windows 2000 [MS-KILE], so trusted domains deploying later versions of the MIT distribution required this bit. For more information, see "Keys and Trusts", section 6.1.6.9.1.
- Only evaluated on TRUST_TYPE_MIT.

Name and value: TANC (TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION), 0x00000200
Description and restrictions/special notes: If this bit is set, tickets granted under this trust MUST NOT be trusted for delegation. The behavior controlled by this bit is as specified in [MS-KILE] section 3.3.5.7.5.
- Only supported on Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview.

Name and value: TAPT (TRUST_ATTRIBUTE_PIM_TRUST), 0x00000400
Description and restrictions/special notes: If this bit and the TATE bit are set, then a cross-forest trust to a domain is to be treated as a Privileged Identity Management trust for the purposes of SID Filtering. For more information on how each trust type is filtered, see [MS-PAC] section 4.1.2.2.
- Evaluated only on Windows Server 2016 Technical Preview.
- Evaluated only if SID Filtering is used.
- Evaluated only on cross-forest trusts having TRUST_ATTRIBUTE_FOREST_TRANSITIVE.
- Can be set only if the forest and the trusted forest are running in a forest functional level of DS_BEHAVIOR_WINTHRESHOLD or greater.

Name and value: R, 0x00000100; 0x00000800 - 0x00200000; 0x01000000 - 0x80000000
Description and restrictions/special notes: Reserved.

Name and value: O, 0x00400000 - 0x00800000
Description and restrictions/special notes: Previously used trust bits, and are obsolete.
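The following Python is an added example, not code from the specification, showing how a trust audit would decode a raw trustAttributes value read from a trustedDomain object and check the table's restrictions against it. The flag values are those listed above; the review rules (for example, flagging a forest trust that carries TATE, or an external trust without TAQD) are this example's own reading of the table and are assumptions, not normative behavior. The TRUST_TYPE_MIT constant comes from the trustType attribute (MS-ADTS section 6.1.6.7.15); the sample rows are constructed and not real directory data.

```python
"""Decode and review the trustAttributes bit field described in MS-ADTS 6.1.6.7.9.

Added example; not code from the specification. Flag values are the ones in the
table above. The review rules are this example's own reading of the table's
restrictions and are assumptions, not normative behavior.
"""

TRUST_TYPE_MIT = 3  # trustType value for an MIT Kerberos realm (MS-ADTS 6.1.6.7.15)

# value -> (short name used in the bit diagram, symbolic name)
FLAGS = {
    0x00000001: ("TANT", "TRUST_ATTRIBUTE_NON_TRANSITIVE"),
    0x00000002: ("TAUO", "TRUST_ATTRIBUTE_UPLEVEL_ONLY"),
    0x00000004: ("TAQD", "TRUST_ATTRIBUTE_QUARANTINED_DOMAIN"),
    0x00000008: ("TAFT", "TRUST_ATTRIBUTE_FOREST_TRANSITIVE"),
    0x00000010: ("TACO", "TRUST_ATTRIBUTE_CROSS_ORGANIZATION"),
    0x00000020: ("TAWF", "TRUST_ATTRIBUTE_WITHIN_FOREST"),
    0x00000040: ("TATE", "TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL"),
    0x00000080: ("TARC", "TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION"),
    0x00000200: ("TANC", "TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION"),
    0x00000400: ("TAPT", "TRUST_ATTRIBUTE_PIM_TRUST"),
}
OBSOLETE_MASK = 0x00C00000                            # O: 0x00400000-0x00800000
RESERVED_MASK = 0x00000100 | 0x003FF800 | 0xFF000000  # R: 0x100, 0x800-0x200000, 0x01000000-0x80000000


def parse_trust_attributes(raw):
    """Accept the attribute as an LDAP client returns it: int, decimal str, or bytes."""
    if isinstance(raw, bytes):
        raw = raw.decode("ascii")
    value = int(raw)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("trustAttributes must fit in 32 bits")
    return value


def decode(value):
    """Return (set of short flag names, reserved bits present, obsolete bits present)."""
    names = {short for bit, (short, _) in FLAGS.items() if value & bit}
    return names, value & RESERVED_MASK, value & OBSOLETE_MASK


def review(value, trust_type=None):
    """Findings (code, message) for one trustedDomain object, derived from the table's rules."""
    names, reserved, obsolete = decode(value)
    findings = []
    if "TAFT" in names and "TATE" in names:
        findings.append(("SID_FILTERING_RELAXED",
                         "forest trust treated as external: cross-forest SID filtering "
                         "is relaxed to external-trust rules ([MS-PAC] 4.1.2.2)"))
    if "TAFT" not in names and ("TATE" in names or "TAPT" in names):
        findings.append(("FLAG_NOT_EVALUATED",
                         "TATE/TAPT are only evaluated on trusts with TAFT set"))
    if "TAPT" in names and "TATE" not in names:
        findings.append(("TAPT_IGNORED", "TAPT is only honoured together with TATE"))
    if not names & {"TAFT", "TAWF", "TAQD"}:
        findings.append(("NOT_QUARANTINED",
                         "external trust without TAQD: trusted domain is not subject "
                         "to the SID filtering quarantine rules"))
    if "TACO" in names and "TANC" not in names:
        findings.append(("TGT_DELEGATION_ALLOWED",
                         "cross-organization trust without TANC: tickets may still be "
                         "trusted for delegation"))
    if "TARC" in names and trust_type is not None and trust_type != TRUST_TYPE_MIT:
        findings.append(("TARC_IGNORED", "TARC is only evaluated on TRUST_TYPE_MIT trusts"))
    if reserved:
        findings.append(("RESERVED_BITS", f"reserved bits set: 0x{reserved:08X}"))
    if obsolete:
        findings.append(("OBSOLETE_BITS", f"obsolete bits set: 0x{obsolete:08X}"))
    return findings


# Constructed sample rows shaped like (name, trustAttributes, trustType) results of an
# LDAP search for (objectClass=trustedDomain). Not real directory data.
SAMPLE_TRUSTS = [
    ("child.corp.example", "32", 2),          # TAWF: intra-forest trust
    ("partner.example", "72", 2),             # TAFT|TATE: forest trust with relaxed filtering
    ("legacy.example", "4", 2),               # TAQD: quarantined external trust
    ("vendor.example", "0", 2),               # external trust with no quarantine bit
    ("krb.example", "131", TRUST_TYPE_MIT),   # TANT|TAUO|TARC on an MIT realm
    ("stale.example", str(0x4 | 0x100), 2),   # quarantined, plus a reserved bit
]


def audit(rows):
    """Map each trust name to the finding codes review() raised for it."""
    return {name: [code for code, _ in review(parse_trust_attributes(raw), ttype)]
            for name, raw, ttype in rows}


if __name__ == "__main__":
    for name, codes in audit(SAMPLE_TRUSTS).items():
        print(f"{name:22} {codes or 'ok'}")
```

In a live audit the rows would come from an LDAP search for objectClass=trustedDomain on the forest root, reading trustAttributes and trustType together, since TARC is meaningless outside TRUST_TYPE_MIT and the SID-filtering findings depend on whether the trust is intra-forest, forest-transitive, or external.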

© 2015 Microsoft