The functions in the Trust category manage the trust relationships between domains and retrieve information about trust relationships.
|
Function |
Description |
|
Adds the domain to the list of the domains which are permitted to trust by the domain for which the specified server is a primary domain controller. |
|
|
Adds the domain to the list of the domains trusted by the domain for which the specified server is a primary domain controller. |
|
|
Deletes the domain from the list of the domains which are permitted to trust by the domain for which the specified server is a primary domain controller. |
|
|
Deletes the domain from the list of the domains trusted by the domain for which the specified server is a primary domain controller. |
|
|
Retrieves information about all domains for which the specified server is a domain controller. |
|
|
Retrieves information about all domains which are trusted by the domain for which the specified server is a domain controller. |
Trust relationships are links between domains which enable pass-through authentication. In a trust relationship, a user has only one account in one domain but still can access the entire network. Only Advanced Server and Windows NT Server computers can participate in trust relationships.
Establishing a trust relationship requires that two steps are performed in two different domains. Because the trust relationship is not yet established, it may be necessary for these two steps to be performed by separate administrators.
First one domain must permit a second domain to trust it (NetTrustAddPermittedToTrustDomain function can be used for this purpose). Then the second domain must be set to trust the first domain (NetTrustAddTrustedDomain function accomplishes this task).
Establishing a two-way trust relationship (where each domain trusts the other) requires that both steps be performed in both domains. Removing a trust relationship also requires two steps performed in two different domains: one domain must stop trusting a second domain (NetTrustDelTrustedDomain), and the second must stop permitting the first domain to trust it (NetTrustDelPermittedToTrustDomain).
Never remove a trust relationship by performing just one of the steps. When removing a trust relationship, always administer both domains.
To retrieve the information about all the domains which are permitted to trust or are trusted by a domain with the specified domain controller, NetTrustEnumPermittedToTrustDomains and NetTrustEnumTrustedDomains functions can be used.
The following is an example of establishing a one-way trust relationship between DOMAIN1 and DOMAIN2, with the primary domain controllers named ASU1 and ASU2. As a result, DOMAIN2 will trust DOMAIN1:
First, the administrator of DOMAIN1 should permit DOMAIN2 to trust this domain by making the following call:
NetStatus = NetTrustAddPermittedToTrustDomain(
ASU1,
DOMAIN2,
Password
);
where Password is the password for this trust relationship chosen by the administrator of DOMAIN1.
Next, the administrator of DOMAIN2 should add DOMAIN1 to the list of the domains it trusts:
NetStatus = NetTrustAddTrustedDomain(
ASU2,
DOMAIN1,
Password
);
where Password is the one which was set by the administrator of the other domain for this trust relationships (the administrator of DOMAIN2 must obtain this password from the administrator of DOMAIN1).
The removal of such trust relationship should proceed in a reverse order:
First, the administrator of DOMAIN2 should delete DOMAIN1 from the list of the domains it trusts:
NetStatus = NetTrustDelTrustedDomain(
ASU2,
DOMAIN1
);
Then, the administrator of DOMAIN1 should delete DOMAIN2 from the list of the domains it permitted to trust:
NetStatus = NetTrustDelPermittedToTrustDomain(
ASU1,
DOMAIN2
);
The level parameter controls the level of information returned from NetTrustEnumPermittedToTrustDomains and NetTrustEnumTrustedDomains. These functions use level 0 or 1 data structures.
The DOMAIN_INFO_0 data structure has the following format:
typedef struct _DOMAIN_INFO_0 {
LPTSTR domain0_name;
} DOMAIN_INFO_0, *PDOMAIN_INFO_o, *LPDOMAIN_INFO_0;
Within this structure, domain0_name is an ASCIIZ string containing the name of a domain.
The DOMAIN_INFO_1 data structure has the following format:
typedef struct _DOMAIN_INFO_1 {
LPTSTR domain1_name;
PSID domain1_sid;
} DOMAIN_INFO_1, *PDOMAIN_INFO_1, *LPDOMAIN_INFO_1;
Within this structure, the following parameters have been defined:
domain1_name is an ASCIIZ string containing the name of a domain.
domain1_sid points to a domain’s security identifier (SID).