3.4.5.5.6 Calling NetrServerGetTrustInfo

msdn link

The client MUST do the following:

After the method returns, the client MUST verify the ReturnAuthenticator, as defined in section 3.1.4.5.

On receiving STATUS_ACCESS_DENIED, the client SHOULD<124> reestablish the secure channel with the domain controller.