Creating trusts (as follow up to…)

So I was wondering the following, how do all the domain controllers know that the trust is established, since (see previous post) we cannot accurately say which domain controller is being used..

When we have the same problem with user passwords, the PDC gives the vote whether the password (just changed) for the user is valid. The same seems to apply for Trusts. When running a trace while creating the trust on a “regular” domain controller and not the PDC, we can find out how that is accomplished. For this, I have installed a domain controller called MICHDC01 which is on the (newly created) LAKES site.

When creating the trust we see all the traffic as expected, and then after the SMB connection to the domain controller to the other forest we see a call to the local domain PDC (or root domain PDC I would suspect in a forest trust scenario with more domains).

Source: 172.16.5.197

Destination: OCEANDC01

Protocol: LSAD

Description: LSAD:LsarOpenPolicy2 Request, Target Computer: oceandc01.oceanfloor.local, DesiredAccess: 0x00000029,

A reply follows from the OCEANDC01 that the connection is open and available

Source: OCEANDC01

Destination: 172.6.5.197

Protocol: LSAD

Description: LSAD:LsarOpenPolicy2 Response, PolicyHandle: {00000000-337F1540-55EC-7A48-8EBB-5233C3687456}, Status = 0x00000000 – STATUS_SUCCESS

And then the magic happens (sort of), the regular domain controller instructs the PDC to create an External trust

Source: 172.16.5.197

Destination: OCEANDC01

Protocol: LSAD

Description: LSAD:LsarCreateTrustedDomainEx2 Request, 0x1, DesiredAccess: , PolicyHandle: {00000000-337F1540-55EC-7A48-8EBB-5233C3687456}

TrustDirection: 0x00000003

TrustType: 0x00000002 – TRUST_TYPE_UPLEVEL – Trust is for Windows 2000 and Windows Server 2003

Information: FORESTROOT.local, FORESTROOT, S-1-5-21-1179639219-2084100482-3483183152 Unknown SID

So we see, the PDC does have a role within the creation of trusts, but NOT related to the agreement between the two PDC’s of the domains. After the creation of the trust, it looks like urgent or immediate replication takes place to inform all the domain controllers.