1.1 Glossary

The following terms are defined in [MS-GLOS]:

88 object class
abstract class
abstract object class
access check
access control entry (ACE)
access control list (ACL)
access mask
account domain
ACID
ambiguous name resolution (ANR)
ancestor object
attribute syntax
AttributeStamp
authentication
authorization
auxiliary object class
back link attribute
back link value
backup domain controller (BDC)
big-endian
binary large object (BLOB)
bridgehead domain controller (bridgehead DC)
broadcast
canonical name
checksum
claim
code page
Component Object Model (COM)
constructed attribute
container
control access right
Coordinated Universal Time (UTC)
critical object
cyclic redundancy check (CRC)
digest
directory service (DS)
discretionary access control list (DACL)
distinguished name (DN)(4)
domain
domain name (3)
Domain Name System (DNS)
downlevel trust
endpoint
expunge
forward link value
FSMO role owner
full NC replica
fully qualified domain name (FQDN) (1) (2)
garbage collection
global catalog (GC)
global catalog server (GC server)
globally unique identifier (GUID)
group
Group Policy
GUIDString
inheritance
Lightweight Directory Access Protocol (LDAP)
LDAP connection
link attribute
link value
LinkValueStamp
local domain controller (local DC)
Lost and Found container
marshal
Messaging Application Programming Interface (MAPI)
mixed mode
multi-valued claim
name service provider interface (NSPI)
native mode
nonreplicated attribute
NULL GUID
object of class x (or x object)
operational attribute
originating update
partial attribute set (PAS)
privilege (1)
property set
RDN attribute
remote procedure call (RPC)
replicated update
replication
replication latency
replication traffic
RPC transport
schema
schema container
schema object
security identifier (SID)
security principal
security provider
Server Message Block (SMB)
service principal name (SPN)
single-valued claim
Simple Mail Transfer Protocol (SMTP)
SSL/TLS handshake
structural object class
system access control list (SACL)
ticket-granting ticket (TGT)
Transmission Control Protocol (TCP)
trust object
trust secret
trusted domain object (TDO)
Unicode
universally unique identifier (UUID)
uplevel trust
User Datagram Protocol (UDP)
Windows error code

The following terms are defined in [MS-DTYP]:

organization

The following terms are specific to this document:

active: A state of an attributeSchema or classSchema object that represents part of the schema. It is possible to instantiate an active attribute or an active class. The opposite term is defunct.

Active Directory: Either Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS). Active Directory is either deployed as AD DS or as AD LDS. This document describes both forms. When the specification does not refer specifically to AD DS or AD LDS, it applies to both.

Active Directory Domain Services (AD DS): AD DS is an operating system directory service (DS) implemented by a domain controller (DC). The DS provides a data store for objects that is distributed across multiple DCs. The DCs interoperate as peers to ensure that a local change to an object replicates correctly across DCs. AD DS first became available as part of Microsoft Windows 2000 and is available as part of Windows 2000 Server products and Windows Server 2003 products; in these products it is called "Active Directory". It is also available as part of Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. AD DS is not present in Windows NT 4.0 or in Windows XP. For more information, see [MS-AUTHSOD] section 1.1.1.5.2.

Active Directory Lightweight Directory Services (AD LDS): AD LDS is a directory service (DS) implemented by a domain controller (DC). The most significant difference between AD LDS and Active Directory Domain Services (AD DS) is that AD LDS does not host domain naming contexts (domain NCs). A server can host multiple AD LDS DCs. Each DC is an independent AD LDS instance, with its own independent state. AD LDS can be run as an operating system DS or as a directory service provided by a standalone application (ADAM).

application NC: A specific type of naming context (NC). An application NC cannot contain security principal objects in Active Directory Domain Services (AD DS) but can contain security principals in Active Directory Lightweight Directory Services (AD LDS). In AD DS or AD LDS, a forest can have zero or more application NCs.

attribute: (Note: This definition is a specialization of the "attribute" concept that is described in section 1, Introduction, under Pervasive Concepts.) An identifier for a single-valued or multi-valued data element that is associated with an object. An object consists of its attributes and their values. For example, cn (common name), street (street address), and mail (email addresses) can all be attributes of a user object. An attribute's schema, including the syntax of its values, is defined in an attributeSchema object.

ATTRTYP: A 32-bit quantity representing an object identifier (OID). See [MS-DRSR] section 5.14.

auxiliary class: See auxiliary object class.

Basic Encoding Rules (BER): A specific set of rules for encoding data structures for transfer over a network. These encoding rules are defined in [ITUX690].

built-in domain: The security identifier (SID) namespace defined by the fixed SID S-1-5-32. Contains groups that define roles on a local machine such as "Backup Operators".

built-in domain SID: The fixed SID S-1-5-32.

child naming context (child NC): Given naming contexts (NCs) with their corresponding distinguished names (DNs) forming a child and parent relationship, the NC in the child relationship is referred to as the child NC. The parent of a child NC must be an NC and is referred to as the parent naming context (parent NC).

child object, children: See section 1, Introduction, under Pervasive Concepts.

computer object: An object of class computer. A computer object is a security principal object; the principal is the operating system running on the computer. The shared secret allows the operating system running on the computer to authenticate itself independently of any user running on the system. See security principal.

configuration naming context (config NC): A specific type of NC or an instance of that type. A forest has a single config NC, which contains configuration information that is shared among all DCs in the forest. A config NC cannot contain security principal objects.

crossRef object: An object of class crossRef. Each crossRef object is a child of the Partitions container in the configuration naming context (Config NC). The class crossRef specifies the properties of a naming context (NC), such as its DNS name, operational settings, and so on.

cross-forest trust: A relationship between two forests that enables security principals from any domain in one forest to authenticate to computers joined to any domain in the other forest.

cycle: See replication cycle.

DC functional level: A specification of functionality available in a domain controller (DC). For AD DS, possible values are DS_BEHAVIOR_WIN2000 (for Windows 2000 Server DCs), DS_BEHAVIOR_WIN2003 (for Windows Server 2003 DCs), DS_BEHAVIOR_WIN2008 (for Windows Server 2008 DCs), DS_BEHAVIOR_WIN2008R2 (for Windows Server 2008 R2 DCs), DS_BEHAVIOR_WIN2012 (for Windows Server 2012 DCs), and DS_BEHAVIOR_WIN2012R2 (for Windows Server 2012 R2 DCs). For AD LDS, possible values are DS_BEHAVIOR_WIN2003 (for Windows Server 2003 DCs), DS_BEHAVIOR_WIN2008 (for Windows Server 2008 DCs), DS_BEHAVIOR_WIN2008R2 (for Windows Server 2008 R2 DCs), DS_BEHAVIOR_WIN2012 (for Windows Server 2012 DCs), and DS_BEHAVIOR_WIN2012R2 (for Windows Server 2012 R2 DCs).

default domain naming context (default domain NC): When Active Directory is operating as Active Directory Domain Services (AD DS), this is the default naming context (default NC) of the domain controller (DC). When operating as Active Directory Lightweight Directory Services (AD LDS), this NC is not defined.

default naming context (default NC): When Active Directory is operating as Active Directory Domain Services (AD DS), the default naming context (default NC) is the domain naming context (domain NC) whose full replica is hosted by a domain controller (DC), except when the DC is a read-only domain controller (RODC), in which case the default NC is a filtered partial NC replica. When operating as AD DS, the default NC contains the DC's computer object. When Active Directory is operating as AD LDS, the default NC is the naming context (NC) specified by the msDS-DefaultNamingContext attribute on the nTDSDSA object for the DC. See nTDSDSA object.

default schema: The schema of a given version of Active Directory, as defined by [MS-ADSC], [MS-ADA1], [MS-ADA2], and [MS-ADA3] for AD DS, and as defined by [MS-ADLS] for Active Directory Lightweight Directory Services (AD LDS).

defunct: A state of an attributeSchema or classSchema object that represents part of the schema. It is not possible to instantiate a defunct attribute or a defunct class. The opposite term is active.

deleted-object: An object that has been deleted, but remains in storage until a configured amount of time (the deleted-object lifetime) has passed, after which the object is transformed to a recycled-object. Unlike a recycled-object or a tombstone, a deleted-object maintains virtually all the state of the object before deletion, and may be undeleted without loss of information. Deleted-objects exist only when the Recycle Bin optional feature is enabled.

deleted-object lifetime: The time period that a deleted-object is kept in storage before it is transformed into a recycled-object.

directory: A forest.

directory object (or object): A Lightweight Directory Access Protocol (LDAP) object [RFC2251], which is a specialization of the "object" concept that is described in section 1, Introduction, under Pervasive Concepts. An Active Directory object can be identified by a dsname according to the matching rules defined in [MS-DRSR] section 5.50, DSNAME.

directory service agent (DSA): A term from the X.500 directory specification [X501] that represents a component that maintains and communicates directory information.

DNS name: A fully qualified domain name (FQDN) (1).

domain controller (DC): The service, running on a server, that implements Active Directory, or the server hosting this service. The service hosts the data store for objects and interoperates with other DCs to ensure that a local change to an object replicates correctly across all DCs. When Active Directory is operating as Active Directory Domain Services (AD DS), the DC contains full NC replicas of the configuration naming context (config NC), schema naming context (schema NC), and one of the domain NCs in its forest. If the AD DS DC is a global catalog server (GC server), it contains partial NC replicas of the remaining domain NCs in its forest. For more information, see [MS-AUTHSOD] section 1.1.1.5.2. When Active Directory is operating as Active Directory Lightweight Directory Services (AD LDS), several AD LDS DCs can run on one server. When Active Directory is operating as AD DS, only one AD DS DC can run on one server. However, several AD LDS DCs can coexist with one AD DS DC on one server. The AD LDS DC contains full NC replicas of the config NC and the schema NC in its forest.

domain functional level: A specification of functionality available in a domain. Must be less than or equal to the DC functional level of every domain controller (DC) that hosts a replica of the domain's naming context (NC). Possible values in Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 are DS_BEHAVIOR_WIN2000, DS_BEHAVIOR_WIN2003_WITH_MIXED_DOMAINS, DS_BEHAVIOR_WIN2003, DS_BEHAVIOR_WIN2008, DS_BEHAVIOR_WIN2008R2, DS_BEHAVIOR_WIN2012, and DS_BEHAVIOR_WIN2012R2. See section 6.1.4.3 for information on how the domain functional level is determined. When Active Directory is operating as Active Directory Lightweight Directory Services (AD LDS), domain functional level does not exist.

domain joined: A relationship between a machine and some domain naming context (domain NC) in which they share a secret. The shared secret allows the machine to authenticate to a domain controller (DC) for the domain.

domain local group: An Active Directory group that allows user objects, global groups, and universal groups from any domain as members. It also allows other domain local groups from within its domain as members. A group object g is a domain local group if and only if GROUP_TYPE_RESOURCE_GROUP is present in g!groupType. A security-enabled domain local group is valid for inclusion within access control lists (ACLs) from its own domain. If a domain is in mixed mode, then a security-enabled domain local group in that domain allows only user objects as members.

domain naming context (domain NC): A specific type of naming context (NC), or an instance of that type. A domain NC can contain security principal objects. Domain NCs appear in the global catalog (GC). A domain NC is hosted by one or more domain controllers (DCs) operating as AD DS. In AD DS, a forest has one or more domain NCs. The root of a domain NC is an object of class domainDNS. A domain NC cannot exist in AD LDS.

domain prefix: A domain security identifier (SID), minus the relative identifier (RID) portion.

DSE: An acronym for a directory service agent (DSA)-specific entry.

DSA object: See nTDSDSA object.

DSA GUID: The objectGUID of a DSA object.

dsname: A tuple that contains between one and three identifiers for an object. The possible identifiers are the object's globally unique identifier (GUID) (attribute objectGUID), security identifier (SID) (attribute objectSid), and distinguished name (DN) (attribute distinguishedName). A dsname can appear in a protocol message and as an attribute value (for example, a value of an attribute with syntax Object(DS-DN)).

dynamic object: An object with a time-to-die, attribute msDS-Entry-Time-To-Die. The directory service (DS) garbage-collects a dynamic object immediately after its time-to-die has passed. The constructed attribute entryTTL gives a dynamic object's current time-to-live, that is, msDS-Entry-Time-To-Die minus the current system time. For more information, see [RFC2589].

entry: A synonym for object. See also the "object" concept that is described in section 1, Introduction, under Pervasive Concepts.

existing-object: An object that is not a tombstone, deleted-object, or recycled-object.

Extended-Rights container: A container holding objects that correspond to control access rights. The container is a child of configuration naming context (config NC) and has relative distinguished name (RDN) CN=Extended-Rights.

File Replication Service (FRS): One of the services offered by a domain controller (DC). The running/paused state of the FRS on a DC is available through protocols documented in section 6.3.

filter: One of the parameters in a Lightweight Directory Access Protocol (LDAP) search request. The filter specifies matching constraints for the candidate objects.

filtered attribute set: The subset of attributes that are not replicated to the filtered partial NC replica and the filtered GC partial NC replica. The filtered attribute set is part of the state of the forest and is used to control the attributes that replicate to a read-only domain controller (RODC). The searchFlags schema attribute is used to define this set.

filtered GC partial NC replica: An NC replica that contains a schema-specified subset of attributes for the objects. The attributes consist of the attributes in the GC partial attribute set (PAS), excluding those present in the filtered attribute set. A filtered GC partial NC replica is not writable.

filtered partial NC replica: An NC replica that contains all the attributes of the objects, excluding those attributes in the filtered attribute set. A filtered partial NC replica is not writable.

flexible single master operation (FSMO): A read or update operation on a naming context (NC), such that the operation must be performed on the single designated "master" replica of that NC. The master replica designation is "flexible" because it can be changed without losing the consistency gained from having a single master. This term, pronounced "fizmo", is never used alone; see also FSMO role, FSMO role owner.

foreign principal object (FPO): A foreignSecurityPrincipal object.

forest: For Active Directory Domain Services (AD DS), a set of naming contexts (NCs) consisting of one schema naming context (schema NC), one configuration naming context (config NC), one or more domain naming contexts (domain NCs), and zero or more application naming contexts (application NCs). Because a set of NCs can be arranged into a tree structure, a forest is also a set containing one or several trees of NCs. For AD LDS, a set of NCs consisting of one schema NC, one config NC, and zero or more application NCs. (In Microsoft documentation, an AD LDS forest is called a "configuration set".)

forest functional level: A specification of functionality available in a forest. It must be less than or equal to the DC functional level of every DC in the forest. For Active Directory Domain Services (AD DS), possible values in Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 are DS_BEHAVIOR_WIN2000, DS_BEHAVIOR_WIN2003_WITH_MIXED_DOMAINS, DS_BEHAVIOR_WIN2003, DS_BEHAVIOR_WIN2008, DS_BEHAVIOR_WIN2008R2, DS_BEHAVIOR_WIN2012, and DS_BEHAVIOR_WIN2012R2. For AD LDS, the possible values in Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2 are DS_BEHAVIOR_WIN2003, DS_BEHAVIOR_WIN2008, DS_BEHAVIOR_WIN2008R2, DS_BEHAVIOR_WIN2012, and DS_BEHAVIOR_WIN2012R2. See section 6.1.4.4 for information on how the forest functional level is determined.

forest root domain NC: For Active Directory Domain Services (AD DS), the domain naming context (domain NC) within a forest whose child is the forest's configuration naming context (config NC). The DNS name of this domain serves as the forest name.

forward link attribute: A type of attribute whose values include object references (for example, an attribute of syntax Object(DS-DN)). The forward link values can be used to compute the values of a related attribute, a back link attribute, on other objects. A forward link attribute can exist with no corresponding back link attribute, but not vice versa.

FSMO role: A set of objects that can be updated in only one NC replica (the FSMO role owner's replica) at any given time.

FSMO role object: The object in the directory that represents a specific FSMO role. This object is an element of the FSMO role and contains the fSMORoleOwner attribute.

GC partial attribute set (PAS): The subset of attributes that replicate to a GC partial NC replica. The partial attribute set is part of the state of the forest and is used to control the attributes that replicate to global catalog servers (GC servers). The isMemberOfPartialAttributeSet schema attribute is used to define this set.

GC partial NC replica: An NC replica that contains a schema-specified subset of attributes for the objects it contains. The subset of attributes consists of the attributes in the GC partial attribute set (PAS).

global group: An Active Directory group that allows user objects from its own domain and global groups from its own domain as members. Universal groups can contain global groups. A group object g is a global group if and only if GROUP_TYPE_ACCOUNT_GROUP is present in g!groupType. A global group that is also a security-enabled group is valid for inclusion within ACLs anywhere in the forest. If a domain is in mixed mode, then a global group in that domain that is also a security-enabled group allows only user objects as members. See also domain local group, security-enabled group.

group object: An object of class group representing a group. A class group has a forward link attribute member; the values of this attribute represent either elements of the group (for example, objects of class user or computer) or subsets of the group (objects of class group). The back link attribute memberOf enables navigation from group members to the groups containing them. Some groups represent groups of security principals and some do not (and are, for instance, used to represent email distribution lists).

GUID-based DNS name: A DNS name published for a domain controller (DC). If a DC's DSA GUID is "52f6c43b-99ec-4040-a2b0-e9ebf2ec02b8", and the forest root domain NC's DNS name is "fabrikam.com", then the GUID-based DNS name of the DC is "52f6c43b-99ec-4040-a2b0-e9ebf2ec02b8._msdcs.fabrikam.com".

inbound trust: A trust relationship between two domains, from the perspective of the domain that is trusted to perform authentication.

interdomain trust account: An account that stores information associated with a domain trust in the domain controllers (DCs) of the domain that is trusted to perform authentication.

intersite topology generator (ISTG): A domain controller (DC) within a given site that computes an NC replica graph for each NC replica on any DC in its site. This DC creates, updates, and deletes corresponding nTDSConnection objects for edges directed from NC replicas in other sites to NC replicas in its site.

invocationId: The invocationId attribute. An attribute of an nTDSDSA object. Its value is a unique identifier for a function that maps from update sequence numbers (USNs) to updates to the NC replicas of a domain controller (DC). See also nTDSDSA object.

Knowledge Consistency Checker (KCC): An internal Windows component of the Active Directory replication used to create spanning trees for domain controller (DC)-to-DC replication and to translate those trees into settings of variables that implement the replication topology.

LDAP ping: A specific Lightweight Directory Access Protocol (LDAP) search that returns information about whether services are live on a domain controller (DC).

lingering object: An object that still exists in an NC replica even though it has been deleted and garbage-collected from other replicas. This occurs, for instance, when a domain controller (DC) goes offline for longer than the tombstone lifetime.

mailslot: A form of datagram communication using the Server Message Block (SMB) protocol, as specified in [MS-MAIL].

mailslot ping: A specific mailslot request that returns information about whether services are live on a domain controller (DC).

most specific object class: In a sequence of object classes related by inheritance, the class that none of the other classes inherits from. The special object class top is less specific than any other class.

naming context (NC): An NC is a set of objects organized as a tree. It is referenced by a DSName. The DN of the DSName is the distinguishedName attribute of the tree root. The GUID of the DSName is the objectGUID attribute of the tree root. The security identifier (SID) of the DSName, if present, is the objectSid attribute of the tree root; for Active Directory Domain Services (AD DS), the SID is present if and only if the NC is a domain naming context (domain NC). Active Directory supports organizing several NCs into a tree structure.

NC replica: A variable containing a tree of objects whose root object is identified by some naming context (NC).

NC replica graph: A directed graph containing NC replicas as nodes and repsFrom tuples as inbound edges by which originating updates replicate from each full replica of a given naming context (NC) to all other NC replicas of the NC, directly or transitively.

NetBIOS: A protocol family including name resolution, datagram, and connection services. For more information, see [RFC1001] and [RFC1002].

NetBIOS domain name: The name registered by domain controllers (DCs) on [1C] records of the NBNS (WINS) server (see section 6.3.4). For details of NetBIOS name registration, see [MS-WPO] sections 7.1.4 and 10.4.

NetBIOS Name Service (NBNS): The name service for NetBIOS. For more information, see [RFC1001] and [RFC1002].

Netlogon: A component of Windows that authenticates a computer and provides other services. The running/paused state of Netlogon on a domain controller (DC) is available through protocols documented in section 6.3.

nTDSDSA object: An object of class nTDSDSA, representing a domain controller (DC) in the configuration naming context (config NC).

object: See section 1, Introduction, under Pervasive Concepts.

object class: See section 1, Introduction, under Pervasive Concepts.

object class name: The lDAPDisplayName of the classSchema object of an object class. This document consistently uses object class names to denote object classes; for example, user and group are both object classes. The correspondence between Lightweight Directory Access Protocol (LDAP) display names and numeric object identifiers (OIDs) in the Active Directory schema is defined in the appendices of these documents: [MS-ADSC], [MS-ADA1], [MS-ADA2], and [MS-ADA3].

object identifier (OID): A sequence of numbers in a format defined by [RFC1778].

object reference: An attribute value that references an object; reading a reference gives the distinguished name (DN) or full dsname of the object.

optional feature: A non-default behavior that modifies the Active Directory state model. An optional feature is enabled or disabled in a specific scope, such as a forest or a domain.

oriented tree: A directed acyclic graph such that for every vertex v except one (the root), there is a unique arc whose initial vertex is v. There is no arc whose initial vertex is the root. For more information, see [KNUTH1] section 2.3.4.2.

outbound trust: A trust relationship between two domains, from the perspective of the domain that trusts another domain to perform authentication.

parent naming context (parent NC): Given naming contexts (NCs) with their corresponding distinguished names (DNs) forming a child and parent relationship, the NC in the parent relationship is referred to as the parent NC.

parent object: See section 1, Introduction, under Pervasive Concepts.

partial NC replica: An NC replica that contains a schema-specified subset of attributes for the objects it contains. A partial replica is not writable—it does not accept originating updates. See also writable NC replica.

Partitions container: A child object of the configuration naming context (config NC) root. The relative distinguished name (RDN) of the Partitions container is "cn=Partitions" and its class is crossRefContainer. See also crossRef object.

prefix table: A data structure that is used to translate between an object identifier (OID) and an ATTRTYP.

primary domain controller (PDC): A domain controller (DC) designated to track changes made to the accounts of all computers on a domain. It is the only computer to receive these changes directly, and is specialized so as to ensure consistency and to eliminate the potential for conflicting entries in the Active Directory database. A domain has only one PDC.

primary group: The group object identified by the primaryGroupID attribute of a user object. The primary group's objectSid equals the user's objectSid, with its relative identifier (RID) portion replaced by the primaryGroupID value. The user is considered a member of its primary group.

principal: A unique entity identifiable by a security identifier (SID) that is typically the requester of access to securable objects or resources. It often corresponds to a human user but can also be a computer or service. It is sometimes referred to as a security principal.

read permission: Authorization to read an attribute of an object.

read-only domain controller (RODC): A domain controller (DC) that does not accept originating updates. Additionally, an RODC does not perform outbound replication.

read-only full NC replica: An NC replica that contains all attributes of the objects it contains, and does not accept originating updates.

Recycle Bin: An optional feature that modifies the state model of object deletions and undeletions, making undeletion of deleted-objects possible without loss of the object's attribute values.

recycled-object: An object that has been deleted, but remains in storage until a configured amount of time (the tombstone lifetime) has passed, after which the object is permanently removed from storage. Unlike a deleted-object, most of the state of the object has been removed, and the object may no longer be undeleted without loss of information. By keeping the recycled-object in existence for the tombstone lifetime, the deleted state of the object is able to replicate. Recycled-objects exist only when the Recycle Bin optional feature is enabled.

relative distinguished name (RDN): The name of an object relative to its parent. This is the leftmost attribute-value pair in the distinguished name (DN) of an object. For example, in the DN "cn=Peter Houston, ou=NTDEV, dc=microsoft, dc=com", the RDN is "cn=Peter Houston". For more information, see [RFC2251].

relative identifier (RID): The last item in the series of SubAuthority values in a security identifier (SID) (see [MS-DTYP] section 2.3). Differences in the RID are what distinguish the different SIDs generated within a domain.

replica: See section 1, Introduction, under Pervasive Concepts.

replicated attribute: An attribute whose values are replicated to other NC replicas. An attribute is replicated if its attributeSchema object o does not have a value for the systemFlags attribute, or if the FLAG_ATTR_NOT_REPLICATED bit (bit 0) of o!systemFlags is zero.

replication cycle: A series of one or more replication responses associated with the same invocationId, concluding with the return of a new up-to-date vector.

root domain: The unique domain naming context (domain NC) of an Active Directory forest that is the parent of the forest's configuration naming context (config NC). The config NC's relative distinguished name (RDN) is "cn=Configuration" relative to the root object of the root domain.

root DSE (rootDSE): A nameless entry containing the configuration status of the Lightweight Directory Access Protocol (LDAP) server. Typically, access to at least a portion of the root DSE is available to unauthenticated clients, allowing them to determine the authentication methods supported by the server.

schema NC: A specific type of NC or an instance of that type. A forest has a single schema NC, which is replicated to each domain controller (DC) in the forest. Each attribute and class in the forest's schema is represented as a corresponding object in the forest's schema NC. A schema NC cannot contain security principal objects.

Secure Sockets Layer (SSL): A means of providing privacy and data protection between a client and a server. It may also be used to provide authentication between the two systems. For more information, see [SSL3].

secret attribute: Any of the following attributes: currentValue, dBCSPwd, initialAuthIncoming, initialAuthOutgoing, lmPwdHistory, ntPwdHistory, priorValue, supplementalCredentials, trustAuthIncoming, trustAuthOutgoing, and unicodePwd.

security context: A data structure containing authorization information for a particular security principal in the form of a collection of security identifiers (SIDs). One SID identifies the principal specifically, whereas others may represent other capabilities. A server uses the authorization information in a security context to check access to requested resources.

security descriptor (SD): A data structure containing the security information associated with a securable object. A security descriptor (SD) identifies an object's owner by security identifier (SID). If access control is configured for the object, its SD contains a discretionary access control list (DACL) with SIDs for the security principals that are allowed or denied access. The SD format is specified in [MS-DTYP] section 2.4.6; a string representation of SDs, called Security Descriptor Definition Language (SDDL), is specified in [MS-DTYP] section 2.5.1.

security-enabled group: A group object with GROUP_TYPE_SECURITY_ENABLED present in its groupType attribute. Only security-enabled groups are added to a security context. See also group object.

security principal object: An object that corresponds to a security principal. A security principal object contains an identifier, used by the system and applications to name the principal, and a secret that is shared only by the principal. In Active Directory, a security principal object is identified by the objectSid attribute. In Active Directory, the domainDNS, user, computer, and group object classes are examples of security principal object classes (though not every group object is a security principal object). In AD LDS, any object containing the msDS-BindableObject auxiliary class is a security principal. See also computer object, group object, and user object.

server object: A class of object in the configuration naming context (config NC). A server object can have an nTDSDSA object as a child. See also nTDSDSA object.

Simple Authentication and Security Layer (SASL): An authentication mechanism that is used by Lightweight Directory Access Protocol (LDAP) and is defined in [RFC2222].

simple bind: A bind with the simple authentication option enabled according to [RFC2251].

site: A collection of one or more well-connected (reliable and fast) TCP/IP subnets. By defining sites (represented by site objects) an administrator can optimize both Active Directory access and Active Directory replication with respect to the physical network. When users log in, Active Directory clients find domain controllers (DCs) that are in the same site as the user, or near the same site if there is no DC in the site. See also Knowledge Consistency Checker (KCC).

site object: An object of class site, representing a site.

site settings object: For a given site with site object s, its site settings object o is the child of s such that o is of class nTDSSiteSettings and the relative distinguished name (RDN) of o is CN=NTDS Site Settings. See also site object.

SRV record: A type of information record in DNS that maps the name of a service to the DNS name of a server that offers that service. Domain controllers (DCs) advertise their capabilities by publishing SRV records in DNS.

stamp: Information describing an originating update by a domain controller (DC). The stamp is not the new data value; the stamp is information about the update that created the new data value. A stamp is often called metadata, because it is additional information that "talks about" the conventional data values.

SubAuthority: A security identifier (SID) can have a variable-length array of unsigned, 32-bit integer values. Each of these values is called a SubAuthority. All SubAuthority values excluding the last one collectively identify a domain. The last value, termed the relative identifier (RID), identifies a particular group or account relative to the domain. For more information, see [SIDD].

syntax: See attribute syntax.

subordinate reference object (sub-ref object): The naming context (NC) root of a parent NC has a list of all the NC roots of its child NCs in the subRefs attribute. Each entry in this list is a subordinate reference and the object named by the entry is denominated a subordinate reference object. An object is a subordinate reference object if and only if it is in such a list. If a server has replicas of both an NC and its child NC, then the child NC root is the subordinate reference object, in the context of the parent NC. If the server does not have a replica of the child NC, then another object, with distinguishedName and objectGUID attributes equal to the child NC root, is present in the server and is the subordinate reference object.

tombstone: An object that has been deleted, but remains in storage until a configured amount of time (the tombstone lifetime) has passed, after which the object is permanently removed from storage. By keeping the tombstone in existence for the tombstone lifetime, the deleted state of the object is able to replicate. Tombstones exist only when the Recycle Bin optional feature is not enabled.

tombstone lifetime: The amount of time that a tombstone or recycled object is kept in storage before it is permanently deleted.

top level name (TLN): The DNS name of the forest root domain NC.

transitive membership: An indirect group membership that occurs when an object is a member of a group that is a member of a second group. The object is a member of the second group through a transitive membership.

Transport Layer Security (TLS): The successor to Secure Sockets Layer (SSL). As with SSL, it provides privacy, data protection, and optionally authentication between a client and server. See [RFC2246].

trust: A relationship between two domains. If domain A trusts domain B, domain A accepts domain B's authentication and authorization statements for principals represented by security principal objects in domain B.

universal group: An Active Directory group that allows user objects, global groups, and universal groups from anywhere in the forest as members. A group object g is a universal group if and only if GROUP_TYPE_UNIVERSAL_GROUP is present in g!groupType. A security-enabled universal group is valid for inclusion within ACLs anywhere in the forest. If a domain is in mixed mode, then a universal group cannot be created in that domain. See also domain local group, security-enabled group.
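The security-enabled group and universal group entries above both define a group's kind by testing bits of its groupType attribute. The following is an added example, not part of the glossary or of the specification, that evaluates those bits the way a directory client would: the GROUP_TYPE_* values are the flag constants MS-ADTS defines for groupType, the handling of negative values reflects that LDAP returns groupType as a signed 32-bit integer, and the sample group table is constructed for illustration.

```python
"""Classify Active Directory group objects from the groupType attribute.

Added example, not specification code. Flag values are the GROUP_TYPE_*
constants MS-ADTS defines for groupType; sample groups are constructed.
"""
GROUP_TYPE_BUILTIN_LOCAL_GROUP = 0x00000001
GROUP_TYPE_ACCOUNT_GROUP = 0x00000002      # global group
GROUP_TYPE_RESOURCE_GROUP = 0x00000004     # domain local group
GROUP_TYPE_UNIVERSAL_GROUP = 0x00000008
GROUP_TYPE_SECURITY_ENABLED = 0x80000000


def normalize(group_type):
    """LDAP exposes groupType as a signed 32-bit integer, so a security-enabled
    group reads as a negative number (e.g. -2147483646); map to unsigned bits."""
    return group_type & 0xFFFFFFFF


def is_security_enabled(group_type):
    """True if GROUP_TYPE_SECURITY_ENABLED is present; only such groups
    contribute SIDs to a security context."""
    return bool(normalize(group_type) & GROUP_TYPE_SECURITY_ENABLED)


def is_universal(group_type):
    """True if and only if GROUP_TYPE_UNIVERSAL_GROUP is present (glossary rule)."""
    return bool(normalize(group_type) & GROUP_TYPE_UNIVERSAL_GROUP)


def scope(group_type):
    """Return the group's scope name from the mutually exclusive scope bits."""
    bits = normalize(group_type)
    if bits & GROUP_TYPE_UNIVERSAL_GROUP:
        return "universal"
    if bits & GROUP_TYPE_ACCOUNT_GROUP:
        return "global"
    if bits & GROUP_TYPE_RESOURCE_GROUP:
        return "domain local"
    if bits & GROUP_TYPE_BUILTIN_LOCAL_GROUP:
        return "builtin local"
    raise ValueError(f"groupType 0x{bits:08X} carries no scope flag")


def creatable_in_domain(group_type, mixed_mode):
    """Per the glossary, a universal group cannot be created in a mixed-mode domain."""
    return not (mixed_mode and is_universal(group_type))


def security_context_groups(groups):
    """Given {name: groupType}, return the names that would be added to a
    security context, i.e. only the security-enabled ones."""
    return [name for name, gt in groups.items() if is_security_enabled(gt)]


# Constructed sample directory data (LDAP-style signed groupType values).
SAMPLE_GROUPS = {
    "Domain Users": -2147483646,   # 0x80000002: global, security-enabled
    "All Staff DL": 8,             # 0x00000008: universal distribution group
    "Remote Admins": -2147483640,  # 0x80000008: universal, security-enabled
    "Printer Ops": -2147483644,    # 0x80000004: domain local, security-enabled
}


if __name__ == "__main__":
    for name, gt in SAMPLE_GROUPS.items():
        print(f"{name:14} scope={scope(gt):13} security={is_security_enabled(gt)}")
    print("in security context:", security_context_groups(SAMPLE_GROUPS))
```

The signed-integer normalization matters in practice: comparing a raw LDAP value such as -2147483646 against 0x80000002 without masking silently fails, and a check written that way would treat every security group as a distribution group.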

update: An add, modify, or delete of one or more objects or attribute values. See also originating update, replicated update.

update sequence number (USN): A monotonically increasing sequence number used in assigning a stamp to an originating update. See also invocationId.

user object: An object of class user. A user object is a security principal object; the principal is a person operating or service entity running on the computer. The shared secret allows the person or service entity to authenticate itself.

UTF-8: An 8-bit, variable-width encoding of Unicode characters.

UTF-16: A 16-bit, variable-width encoding form of Unicode characters.

Virtual List View (VLV) search: Refers to a Lightweight Directory Access Protocol (LDAP) search operation that enables the server to return a contiguous subset of a large search result set. The LDAP controls LDAP_CONTROL_VLVREQUEST and LDAP_CONTROL_VLVRESPONSE (section 3.1.1.3.4.1.17) are used to perform a VLV search.

well-known object (WKO): An object within a naming context (NC) that can be located using a fixed globally unique identifier (GUID).

Windows security descriptor: See security descriptor (SD).

writable NC replica: An NC replica that accepts originating updates. A writable NC replica is always full, but a full NC replica is not always writable. See also read-only full NC replica.

MAY, SHOULD, MUST, SHOULD NOT, MUST NOT: These terms (in all caps) are used as described in [RFC2119]. All statements of optional behavior use either MAY, SHOULD, or SHOULD NOT.

© 2014 Microsoft