A trusted forest information entry was added
This event is logged when cross-forest trust relationships are created or modified. You will get several of these events per trust.
Windows stores trust relationships as Trusted Domain Objects (see events 4706, 4707, 4716), but cross-forest trusts require extra information, stored as several entries in the TDO's Forest Trust Information attribute (aka FTInfo). FTInfo includes all the namespaces that a trusted forest manages, with other fields that indicate whether each claim is actually trusted by the trusting (this) forest.
This event, 4865, documents the creation of each such entry. You can link all the entries created at one time by the Operation ID.
Not all elements are filled in for each entry type.
The ID and logon session of the user that created the entry.
- Security ID: The SID of the account.
- Account Name: The account logon name.
- Account Domain: The domain or - in the case of local accounts - computer name.
- Logon ID: A semi-unique (unique between reboots) number that identifies the logon session. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.
The elements in the Forest Trust Information entry.
- Forest Root: The DNS name of the forest root domain of the other forest in this trust relationship.
- Forest Root SID: The SID of the Forest Root domain, usually translated to the pre-Win2k domain name.
- Operation ID: Allows you to correlate all the events that are part of this operation.
- Entry Type:
  - 0: This record identifies a domain (Top Level Name below) of the trusted forest that this forest trusts.
  - 1: This record identifies a domain (Top Level Name below) of the trusted forest that this forest does not trust (excluded).
This record contains an LSA_FOREST_TRUST_DOMAIN_INFO structure which includes
- Flags: seems to always be 0
- Top Level Name: The domain that is trusted or untrusted (excluded); see Entry Types 0 and 1 above.
- DNS Name: see LSA_FOREST_TRUST_DOMAIN_INFO above
- NetBIOS Name: see LSA_FOREST_TRUST_DOMAIN_INFO above
- Domain SID: see LSA_FOREST_TRUST_DOMAIN_INFO above
A trusted forest information entry was added.
Security ID: ACME-FR\administrator
Account Name: administrator
Account Domain: ACME-FR
Logon ID: 0x20f9d
Forest Root: mtg.local
Forest Root SID: MTG\
Operation ID: 0x3669eb
Entry Type: 0
Top Level Name: mtg.local
DNS Name: -
NetBIOS Name: -
Domain SID: NULL SID
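The correlation by Operation ID described above, as an added example that is not part of the original page: it parses the rendered text of 4865 events and groups the entries written in one trust operation into trusted names, excluded names and domain-info records. The sample events are constructed from the field names on this page; the helper names, the second operation and the entry type value 2 (the Windows ForestTrustDomainInfo record type, which this page does not number) are assumptions.

```python
import re
from collections import defaultdict

FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")

def make_event(op_id, entry_type, tln="-", dns="-", netbios="-", sid="NULL SID"):
    """Build a constructed 4865 message using the field names on this page."""
    return (
        "A trusted forest information entry was added.\n"
        "Security ID: ACME-FR\\administrator\nAccount Name: administrator\n"
        "Account Domain: ACME-FR\nLogon ID: 0x20f9d\n"
        "Forest Root: mtg.local\nForest Root SID: MTG\\\n"
        f"Operation ID: {op_id}\nEntry Type: {entry_type}\n"
        f"Top Level Name: {tln}\nDNS Name: {dns}\n"
        f"NetBIOS Name: {netbios}\nDomain SID: {sid}\n"
    )

# Constructed sample data (not real logs): two trust operations.
SAMPLE = [
    make_event("0x3669eb", 0, tln="mtg.local"),
    make_event("0x3669eb", 1, tln="lab.mtg.local"),
    make_event("0x3669eb", 2, dns="mtg.local", netbios="MTG",
               sid="S-1-5-21-1111111111-2222222222-3333333333"),
    make_event("0x4a01c2", 0, tln="mtg.example"),
]

def parse_4865(message):
    """Return {field name: value} for one rendered 4865 message."""
    matches = map(FIELD_RE.match, message.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}

def group_by_operation(messages):
    """Link the entries written during one trust change via Operation ID."""
    ops = defaultdict(lambda: {"actor": set(), "forest_root": set(),
                               "trusted": [], "excluded": [], "domain_info": []})
    for f in map(parse_4865, messages):
        op = ops[f["Operation ID"]]
        op["actor"].add(f["Security ID"])
        op["forest_root"].add(f["Forest Root"])
        if f["Entry Type"] == "0":      # trusted top-level name
            op["trusted"].append(f["Top Level Name"])
        elif f["Entry Type"] == "1":    # excluded top-level name
            op["excluded"].append(f["Top Level Name"])
        else:                           # LSA_FOREST_TRUST_DOMAIN_INFO record
            op["domain_info"].append(
                (f["DNS Name"], f["NetBIOS Name"], f["Domain SID"]))
    return dict(ops)

if __name__ == "__main__":
    print(group_by_operation(SAMPLE))
```

Reviewing the grouped result per operation shows in one place who changed the trust and which namespaces ended up trusted or excluded, instead of reading each 4865 event in isolation.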