kmaule

NSS for AD: NIT and Trusted Domains not finding Inter-Forest

Hi there,
We are running OES 2015 SP1 with NSS for AD working for the primary domain. We have two-way trusts with four other domains.
The Novell Identity Translator (NIT) successfully discovers three out of the four, but not the one with an attribute of TrustAttributes=72. TrustAttributes=8 are OK.
TrustAttributes=72 is the equivalent of: "Forest Trust" + "Inter-Forest Trust". Are we out of luck, or can this parameter be changed to accept a value of 72?

Per http://carlwebster.com/finding-domain-trusts-active-directory-forest-using-microsoft-powershell/ :

1 { $TrustAttributes = "Non-Transitive"}
2 { $TrustAttributes = "Uplevel clients only (Windows 2000 or newer)"}
4 { $TrustAttributes = "Quarantined Domain (External)"}
8 { $TrustAttributes = "Forest Trust"}
16 { $TrustAttributes = "Cross-Organizational Trust (Selective Authentication)"}
32 { $TrustAttributes = "Intra-Forest Trust (trust within the forest)"}
64 { $TrustAttributes = "Inter-Forest Trust (trust with another forest)"}

The queries that NIT uses are:

[NIT_LDAP]: Retrieve_And_Process_Trusts: Base dn for finding the trusts:CN=System,DC=XXX,DC=YYY,DC=ZZZ, srch_filter=(&(objectClass=TrustedDomain)(TrustDirection=3)(TrustAttributes=8)), trustType=1


[NIT_LDAP]: Retrieve_And_Process_Trusts: Base dn for finding the trusts:CN=System,DC=XXX,DC=YYY,DC=ZZZ, srch_filter=(&(objectClass=TrustedDomain)(TrustDirection=3)(TrustAttributes=4)), trustType=2
kmaule Absent Member.

Re: NSS for AD: NIT and Trusted Domains not finding Inter-Fo

Found a better reference for this attribute trustAttributes:
https://msdn.microsoft.com/en-us/library/cc223779.aspx

The following two flags make up the decimal value 72 = 0x00000048:

TAFT (TRUST_ATTRIBUTE_FOREST_TRANSITIVE), 0x00000008
If this bit is set, the trust link is a cross-forest trust [MS-KILE] between the root domains of two forests, both of which are running in a forest functional level of DS_BEHAVIOR_WIN2003 or greater.
Only evaluated on Windows Server 2003 operating system, Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, Windows Server 2012 R2 operating system, and Windows Server 2016 operating system.
Can only be set if forest and trusted forest are running in a forest functional level of DS_BEHAVIOR_WIN2003 or greater.

TATE (TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL), 0x00000040
If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are more stringently filtered than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts. For more information on how each trust type is filtered, see [MS-PAC] section 4.1.2.2.
Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.
Only evaluated if SID Filtering is used.
Only evaluated on cross-forest trusts having TRUST_ATTRIBUTE_FOREST_TRANSITIVE.
Can only be set if forest and trusted forest are running in a forest functional level of DS_BEHAVIOR_WIN2003 or greater.
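As an added illustration (not code from the thread, from NIT, or from Micro Focus), the Python below decodes a trustAttributes value into its flag names and contrasts the semantics of NIT's exact-match filter (TrustAttributes=8) with an LDAP bitwise-AND matching-rule filter (OID 1.2.840.113556.1.4.803). The trustedDomain entries are constructed sample data; the hypothetical fourth trust carries 8 + 64 = 72 as in the question.

```python
# Decode AD trustAttributes flags and compare NIT's exact-match filter
# (TrustAttributes=8) with a bitwise-AND matching-rule filter. Sample data is constructed.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# Flag names as defined in the MS-ADTS trustAttributes reference linked above.
TRUST_ATTRIBUTES = {
    0x00000001: "TRUST_ATTRIBUTE_NON_TRANSITIVE",
    0x00000002: "TRUST_ATTRIBUTE_UPLEVEL_ONLY",
    0x00000004: "TRUST_ATTRIBUTE_QUARANTINED_DOMAIN",
    0x00000008: "TRUST_ATTRIBUTE_FOREST_TRANSITIVE",
    0x00000010: "TRUST_ATTRIBUTE_CROSS_ORGANIZATION",
    0x00000020: "TRUST_ATTRIBUTE_WITHIN_FOREST",
    0x00000040: "TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL",
}

def decode_trust_attributes(value):
    """Return the names of the flags set in a trustAttributes integer."""
    names = [name for bit, name in sorted(TRUST_ATTRIBUTES.items()) if value & bit]
    unknown = value & ~sum(TRUST_ATTRIBUTES)
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:08x}")
    return names

def bit_and_filter(want):
    """LDAP filter that matches any trust with every bit of `want` set."""
    return (f"(&(objectClass=trustedDomain)(trustDirection=3)"
            f"(trustAttributes:{LDAP_MATCHING_RULE_BIT_AND}:={want}))")

def matches_exact(entry, want):
    """Semantics of (TrustAttributes=want): whole-integer equality."""
    return entry["trustAttributes"] == want

def matches_bit_and(entry, want):
    """Semantics of the bitwise-AND rule: every bit in `want` is set."""
    return entry["trustAttributes"] & want == want

# Constructed sample: three plain forest trusts plus one that also has
# TREAT_AS_EXTERNAL (0x40) set, giving 8 + 64 = 72, as in the question.
SAMPLE_TRUSTS = [
    {"cn": "forest-a.example", "trustDirection": 3, "trustAttributes": 8},
    {"cn": "forest-b.example", "trustDirection": 3, "trustAttributes": 8},
    {"cn": "forest-c.example", "trustDirection": 3, "trustAttributes": 8},
    {"cn": "forest-d.example", "trustDirection": 3, "trustAttributes": 72},
]

def discovered(entries, want=8, bitwise=False):
    """Names of the two-way trusts a given filter style would return."""
    match = matches_bit_and if bitwise else matches_exact
    return sorted(e["cn"] for e in entries
                  if e["trustDirection"] == 3 and match(e, want))
```

The comparison only shows why a value of 72 can never satisfy an equality filter for 8; whether NIT itself can be configured to use the bitwise rule is not something this thread establishes.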