1.1.2 Ordinary Glossary Entries
The following terms are defined in [MS-GLOS]:
abstract object class
access control entry (ACE)
access control list (ACL)
back link value
Component Object Model (COM)
control access right
cyclic redundancy check (CRC)
discretionary access control list (DACL)
forward link value
FSMO role owner
full NC replica
global catalog (GC)
global catalog server (GC server)
globally unique identifier (GUID)
Lightweight Directory Access Protocol (LDAP)
Lost and Found container
Messaging Application Programming Interface (MAPI)
name service provider interface (NSPI)
object class inheritance
object of class x (or x object)
partial attribute set (PAS)
remote procedure call (RPC)
Simple Mail Transfer Protocol (SMTP)
structural object class
trusted domain object (TDO)
universally unique identifier (UUID)
Windows error code
The following terms are specific to this document:
Active Directory: Either Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS). Active Directory is either deployed as AD DS or as AD LDS. This document describes both forms. When the specification does not refer specifically to AD DS or AD LDS, it applies to both.
Active Directory Domain Services (AD DS): AD DS is an operating system directory service implemented by a DC. The directory service provides a data store for objects that is distributed across multiple DCs. The DCs interoperate as peers to ensure that a local change to an object replicates correctly across DCs. AD DS first became available as part of Microsoft Windows 2000 and is available as part of Windows 2000 Server products and Windows Server 2003 products; in these products it is called "Active Directory". It is also available as part of Windows Server 2008. AD DS is not present in Windows NT 4.0 or in Windows XP. For more information, see [MS-SECO] section 2.5.2.
Active Directory Lightweight Directory Services (AD LDS): AD LDS is an operating system directory service implemented by a DC. The most significant difference between AD LDS and AD DS is that AD LDS does not host domain naming contexts (domain NCs). A server can host multiple AD LDS DCs. (In Microsoft documentation, AD LDS is sometimes called "ADAM".)
ambiguous name resolution (ANR): A search algorithm that permits an LDAP client to search multiple naming-related attributes on objects via a single clause of the form "(aNR=value)" in an LDAP search filter. This permits a client to query for an object when the client possesses some identifying material related to the object but does not know which attribute of the object contains that identifying material.
ancestor object: An object A is an ancestor of object O if there is a directed path of child-parent arcs from O to A. In other words, A is on the path from O to the root of the tree containing O.
attribute: (Note: This definition is a specialization of the "attribute" entry in section 1.1.1, Pervasive Concepts.) An identifier for a single-valued or multi-valued data element that is associated with an LDAP directory object. An object consists of its attributes and their values. For example, cn (common name), street (street address), and mail (e-mail addresses) can all be attributes of a user object. An attribute's schema, including the syntax of its values, is defined in an attributeSchema object.
attribute syntax: A specification of the format and range of permissible values of an attribute. The syntax of an attribute is defined by several attributes on the attributeSchema object. The attribute syntaxes supported by Active Directory include Boolean, Enumeration, Integer, LargeInteger, String(UTC-Time), String(Unicode), and Object(DS-DN).
auxiliary class: See auxiliary object class.
auxiliary object class: An object class that can be instantiated on, or removed from, an existing object.
back link attribute: A back link attribute is a constructed attribute whose values include object references (for example, an attribute of syntax Object(DS-DN)). The back link values are derived from the values of a related attribute, a forward link attribute, on other objects. If f is the forward link attribute, one back link value exists on object o for each object r that contains a value of o for attribute f. The relationship between the forward link attributes and back link attributes is expressed using the linkID attribute on the attributeSchema objects representing the two attributes. The forward link's linkID is an even number; the back link's linkID is the forward link's linkID plus one. For more information, see section 18.104.22.168.6.
Basic Encoding Rules (BER): A specific set of rules for encoding data structures for transfer over a network. These encoding rules are defined in [ITUX690].
built-in domain SID: The fixed SID S-1-5-32.
canonical name: A syntactic transformation of an Active Directory distinguished name (DN) into something resembling a pathname that still identifies an object within a forest. The DN "cn=Peter Houston, ou=NTDEV, dc=microsoft, dc=com" translates to the canonical name "microsoft.com/NTDEV/Peter Houston", while the DN "dc=microsoft, dc=com" translates to the canonical name "microsoft.com/".
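The DN-to-canonical-name transformation above can be carried out mechanically. The following is an added example written for this glossary, not code from [MS-ADTS] or from any Microsoft implementation; it assumes that RDNs are separated by commas, that each RDN is a single `type=value` pair, and that a backslash escapes the character that follows it (the RFC 4514 convention). Multi-valued RDNs are not handled.

```python
"""Added example (not from [MS-ADTS]): translate an Active Directory DN into its
canonical name, reproducing the two translations given in the glossary entry.

Assumptions: RDNs are comma-separated single 'type=value' pairs and a backslash
escapes the following character; multi-valued RDNs are not supported."""
from __future__ import annotations


def split_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (type, value) pairs, honouring backslash escapes and
    ignoring optional whitespace after each separating comma."""
    rdns: list[str] = []
    buf: list[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            buf.append(ch)          # escaped char is literal, backslash dropped
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))

    pairs: list[tuple[str, str]] = []
    for rdn in rdns:
        attr, _, value = rdn.strip().partition("=")
        if not attr or not value:
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def canonical_name(dn: str) -> str:
    """DN -> canonical name: the dc= components, in DN order, joined by '.' form
    the domain part; the remaining components, reversed, become path segments.
    A DN consisting only of dc= components yields the domain followed by '/'."""
    pairs = split_dn(dn)
    domain_parts = [v for t, v in pairs if t == "dc"]
    path_parts = [v for t, v in pairs if t != "dc"]
    if not domain_parts:
        raise ValueError("DN has no dc= components and therefore names no domain")
    domain = ".".join(domain_parts)
    # Non-dc RDNs are most-specific-first in the DN but root-first in the path.
    path = "/".join(reversed(path_parts))
    return f"{domain}/{path}"


if __name__ == "__main__":
    for dn in ("cn=Peter Houston, ou=NTDEV, dc=microsoft, dc=com",
               "dc=microsoft, dc=com"):
        print(f"{dn!r} -> {canonical_name(dn)!r}")
```

Note that the trailing slash on a bare domain DN is deliberate: the glossary's second translation shows "dc=microsoft, dc=com" becoming "microsoft.com/", so the domain root is the empty path, not a missing one.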
child object, children: See section 1.1.1, Pervasive Concepts.
computer object: An object of class computer. A computer object is a security principal object; the principal is the operating system running on the computer. The shared secret allows the operating system running on the computer to authenticate itself independently of any user running on the system. See security principal.
cycle: See replication cycle.
default domain naming context (default domain NC): When Active Directory is operating as AD DS, this is the DC's default NC. When operating as AD LDS, this NC is not defined.
default naming context (default NC): When Active Directory is operating as AD DS, this is the domain NC whose full replica is hosted by a DC. In this case, the default NC contains the DC's computer object. When Active Directory is operating as AD LDS, the default NC is the NC specified by the msDS-DefaultNamingContext attribute on the nTDSDSA object for the DC. See nTDSDSA object.
directory: A forest.
domain controller (DC): The service, running on a server, that implements Active Directory, or the server hosting this service. The service hosts the data store for objects and interoperates with other DCs to ensure that a local change to an object replicates correctly across all DCs. When Active Directory is operating as AD DS, the DC contains full NC replicas of the config NC, schema NC, and one of the domain NCs in its forest. If the AD DS DC is a global catalog (GC) server, it contains partial NC replicas of the remaining domain NCs in its forest. For more information, see [MS-SECO] section 2.5.2. When Active Directory is operating as AD LDS, several DCs can run on one server.
domain functional level: A specification of functionality available in a domain. Must be less than or equal to the DC functional level of every DC that hosts a replica of the domain's NC. Possible values in Windows Server 2008 are DS_BEHAVIOR_WIN2000, DS_BEHAVIOR_WIN2003_WITH_MIXED_DOMAINS, DS_BEHAVIOR_WIN2003, and DS_BEHAVIOR_WIN2008. See section 22.214.171.124 for information on how the domain functional level is determined.
domain local group: An Active Directory group that allows user objects, global groups, and universal groups from any domain as members. It also allows other domain local groups from within its domain as members. A group object g is a domain local group if and only if GROUP_TYPE_RESOURCE_GROUP is present in g!groupType. A security-enabled domain local group is valid for inclusion within access control lists (ACLs) from its own domain. If a domain is in mixed mode, then a security-enabled domain local group in that domain allows only user objects as members.
dc=n1,dc=n2, ... dc=nk
n1. n2. ... .nk
DSA object: See nTDSDSA object.
DSA GUID: The objectGUID of a DSA object.
dsname: A tuple that contains between one and three identifiers for an object. The possible identifiers are the object's GUID (attribute objectGUID), SID (attribute objectSid), and DN (attribute distinguishedName). A dsname can appear in a protocol message and as an attribute value (for example, a value of an attribute with syntax Object(DS-DN)).
dynamic object: An object with a time-to-die, held in the attribute msDS-Entry-Time-To-Die. The directory service garbage-collects a dynamic object immediately after its time-to-die has passed. The constructed attribute entryTTL gives a dynamic object's current time-to-live, that is, msDS-Entry-Time-To-Die minus the current system time. For more information, see [RFC2589].
entry: A synonym for object. See also the "object" entry in section 1.1.1, Pervasive Concepts.
filtered attribute set: The subset of attributes that are not replicated to the filtered partial NC replica and the filtered GC partial NC replica. The filtered attribute set is part of the state of the forest and is used to control the attributes that replicate to a read-only domain controller (RODC). The searchFlags schema attribute is used to define this set.
filtered partial NC replica: An NC replica that contains all the attributes of the objects, excluding those attributes in the filtered attribute set. A filtered partial NC replica is not writable.
flexible single master operation (FSMO): A read or update operation on an NC, such that the operation must be performed on the single designated "master" replica of that NC. The master replica designation is "flexible" because it can be changed without losing the consistency gained from having a single master. This term, pronounced "fizmo", is never used alone; see also FSMO role, FSMO role owner.
foreign principal object (FPO): A foreignSecurityPrincipal object.
forest: For AD DS, a set of NCs consisting of one schema NC, one config NC, one or more domain NCs, and zero or more application NCs. Because a set of NCs can be arranged into a tree structure, a forest is also a set containing one or several trees of NCs. For AD LDS, a set of NCs consisting of one schema NC, one config NC, and zero or more application NCs. (In Microsoft documentation, an AD LDS forest is called a "configuration set".)
forest functional level: A specification of functionality available in a forest. It must be less than or equal to the DC functional level of every DC in the forest. Possible values in Windows Server 2008 are DS_BEHAVIOR_WIN2000, DS_BEHAVIOR_WIN2003_WITH_MIXED_DOMAINS, DS_BEHAVIOR_WIN2003, and DS_BEHAVIOR_WIN2008. See section 126.96.36.199 for information on how the forest functional level is determined.
forward link attribute: A type of attribute whose values include object references (for example, an attribute of syntax Object(DS-DN)). The forward link values can be used to compute the values of a related attribute, a back link attribute, on other objects. A forward link attribute can exist with no corresponding back link attribute, but not vice versa.
FSMO role transfer: A request to a DC d. If d is the current owner of the specified FSMO role, the effect is to transfer that role to the client; if d is not the current owner of the role, the effect is to update the client's role objects from d's replica, so the client can try the request again on another DC.
GC partial attribute set (PAS): The subset of attributes that replicate to a GC partial NC replica. The partial attribute set is part of the state of the forest and is used to control the attributes that replicate to GC servers. The isMemberOfPartialAttributeSet schema attribute is used to define this set.
global group: An Active Directory group that allows user objects from its own domain and global groups from its own domain as members. Universal groups can contain global groups. A group object g is a global group if and only if GROUP_TYPE_ACCOUNT_GROUP is present in g!groupType. A security-enabled global group is valid for inclusion within ACLs anywhere in the forest. If a domain is in mixed mode, then a security-enabled global group in that domain allows only user objects as members. See also domain local group, security-enabled group.
group object: An object of class group representing a group. A group has a forward link attribute member; the values of this attribute represent either elements of the group (for example, objects of class user or computer) or subsets of the group (objects of class group). The back link attribute memberOf enables navigation from group members to the groups containing them. Some groups represent groups of security principals and some do not (and are, for instance, used to represent e-mail distribution lists).
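The back link attribute and forward link attribute entries above, and the member/memberOf pair in this entry, describe a derivation rule: a back link value on object o exists for every object r whose forward link attribute contains o, and the two attributes are paired through linkID (even for the forward link, that value plus one for the back link). The following is an added example written for this glossary, not code from [MS-ADTS] or from any directory implementation; the schema fragment, the linkID values and the directory contents are constructed for the example.

```python
"""Added example (not from [MS-ADTS]): derive back link values from forward
links over a toy in-memory directory, and use them to walk nested group
membership. Schema fragment, linkIDs and objects are constructed."""
from __future__ import annotations
from collections import defaultdict

# Constructed schema fragment: lDAPDisplayName -> linkID. By the glossary rule the
# even linkID is the forward link and the odd one (forward + 1) is its back link.
LINK_IDS = {"member": 2, "memberOf": 3}


def forward_for(back_attr: str) -> str:
    """Return the forward link attribute paired with back_attr via linkID."""
    lid = LINK_IDS[back_attr]
    if lid % 2 == 0:
        raise ValueError(f"{back_attr} is a forward link (linkID {lid} is even)")
    matches = [a for a, i in LINK_IDS.items() if i == lid - 1]
    if not matches:
        raise ValueError(f"no forward link attribute has linkID {lid - 1}")
    return matches[0]


def back_link_values(objects: dict[str, dict], back_attr: str) -> dict[str, list[str]]:
    """Construct back_attr for every object: o receives one value r for each
    object r whose forward link attribute contains o. Forward links that point
    at objects absent from the directory contribute nothing."""
    fwd = forward_for(back_attr)
    result: dict[str, set[str]] = defaultdict(set)
    for r_dn, attrs in objects.items():
        for o_dn in attrs.get(fwd, ()):
            if o_dn in objects:
                result[o_dn].add(r_dn)
    return {dn: sorted(vals) for dn, vals in result.items()}


def transitive_groups(objects: dict[str, dict], dn: str) -> list[str]:
    """All groups dn belongs to directly or through nested group membership,
    found by following the constructed memberOf back link."""
    member_of = back_link_values(objects, "memberOf")
    seen: set[str] = set()
    stack = [dn]
    while stack:
        current = stack.pop()
        for group in member_of.get(current, []):
            if group not in seen:
                seen.add(group)
                stack.append(group)
    return sorted(seen)


# Constructed directory: DN -> attributes. Only the forward link 'member' is stored;
# 'memberOf' is never stored, it is derived on demand.
ALICE = "cn=Alice,ou=Users,dc=example,dc=test"
BOB = "cn=Bob,ou=Users,dc=example,dc=test"
ADMINS = "cn=Admins,ou=Groups,dc=example,dc=test"
STAFF = "cn=Staff,ou=Groups,dc=example,dc=test"
DIRECTORY = {
    ALICE: {"objectClass": ["user"]},
    BOB: {"objectClass": ["user"]},
    ADMINS: {"objectClass": ["group"], "member": [ALICE]},
    STAFF: {"objectClass": ["group"], "member": [ALICE, BOB, ADMINS,
            "cn=Gone,ou=Users,dc=example,dc=test"]},   # dangling forward link
}

if __name__ == "__main__":
    for dn, groups in back_link_values(DIRECTORY, "memberOf").items():
        print(f"{dn}: memberOf = {groups}")
    print("Alice, transitively:", transitive_groups(DIRECTORY, ALICE))
```

The dangling entry in STAFF shows why a forward link can exist without a back link (the glossary's "but not vice versa"): the referenced object is simply absent, so nothing is constructed for it.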
interdomain trust accounts: Accounts that store information associated with domain trusts in the domain controllers of the domain that is trusted to perform authentication.
mailslot: A form of datagram communication using the Server Message Block (SMB) protocol, as specified in [MS-MAIL].
mailslot ping: A specific mailslot request that returns information about whether services are live on a DC.
naming context (NC): An NC is a dsname, containing at least a DN and a GUID, used in forming names for a tree of objects. The DN of the dsname is the distinguishedName attribute of the tree root. The GUID of the dsname is the objectGUID attribute of the tree root. The SID of the dsname, if present, is the objectSid attribute of the tree root; for AD DS, the SID is present if and only if the NC is a domain NC. Active Directory supports organizing several NCs into a tree structure.
NC replica: A variable containing a tree of objects whose root object is identified by some NC.
object: See section 1.1.1, Pervasive Concepts.
object class: See section 1.1.1, Pervasive Concepts.
object class name: The lDAPDisplayName of the classSchema object of an object class. This document consistently uses object class names to denote object classes; for example, user and group both name object classes. The correspondence between LDAP display names and numeric OIDs in the Active Directory schema is defined in the appendices of this document: [MS-ADSC], [MS-ADA1], [MS-ADA2], and [MS-ADA3].
object ID: See object identifier (OID).
object identifier (OID): A sequence of numbers in a format defined by [RFC1778]. See attributeID and governsID.
objectClass: The objectClass attribute. The attribute on an object that holds the identity of each object class of the object.
objectGUID: The objectGUID attribute. The attribute on an object whose value is a GUID that uniquely identifies the object. The value of objectGUID is assigned when an object is created and is immutable thereafter. The integrity of both object references between NCs and of replication depends on the integrity of the objectGUID attribute.
objectSid: The objectSid attribute. The attribute on an object whose value is a SID that identifies the object as a security principal object. The value of objectSid is assigned when a security principal object is created and is immutable thereafter unless the object moves to another domain. The integrity of authentication depends on the integrity of the objectSid attribute.
parent object: See section 1.1.1, Pervasive Concepts.
prefix table: A data structure that is used to translate between an OID and an ATTRTYP.
primary domain controller (PDC): A DC designated to track changes made to the accounts of all computers on a domain. It is the only computer to receive these changes directly, and is specialized so as to ensure consistency and to eliminate the potential for conflicting entries in the Active Directory database. A domain has only one PDC.
read permission: Authorization to read an attribute of an object.
read-only domain controller (RODC): A DC that does not accept originating updates. Additionally, an RODC does not perform outbound replication.
read-only full NC replica: An NC replica that contains all attributes of the objects it contains, and does not accept originating updates.
replica: See section 1.1.1, Pervasive Concepts.
replication cycle: A series of one or more replication responses associated with the same invocation ID, concluding with the return of a new up-to-date vector.
security context: A data structure containing authorization information for a particular security principal in the form of a collection of SIDs. One SID identifies the principal specifically, whereas others may represent other capabilities. A server uses the authorization information in a security context to check access to requested resources.
security descriptor (SD): A data structure containing the security information associated with a securable object. An SD identifies an object's owner by SID. If access control is configured for the object, its SD contains a discretionary access control list (DACL) with SIDs for the security principals that are allowed or denied access. The security descriptor format is specified in [MS-DTYP] section 2.4.6; a string representation of security descriptors, called Security Descriptor Definition Language (SDDL), is specified in [MS-DTYP] section 2.5.1.
security identifier (SID): An account identifier (in Windows, this is used to identify an account). Conceptually, the SID is composed of an account authority portion (typically a domain) and a smaller integer representing an identity relative to the account authority, termed the RID. The SID format is specified in [MS-DTYP] section 2.4.2; a string representation of SIDs is specified in [MS-DTYP] section 2.4.2 and [MS-SECO] section 2.3.
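The SID entry above describes the authority/RID split, and the built-in domain SID entry gives the fixed prefix S-1-5-32. The following is an added example written for this glossary, not code from [MS-ADTS] or [MS-DTYP]; it parses the string form, splits out the domain portion and the RID, converts to and from the binary layout (revision byte, sub-authority count, 6-byte big-endian identifier authority, little-endian 32-bit sub-authorities), and checks whether a SID is relative to a given domain. The sample SIDs are constructed.

```python
"""Added example (not from [MS-ADTS] or [MS-DTYP]): parse, encode and compare
Windows security identifiers. Sample SIDs are constructed."""
from __future__ import annotations
import struct
from dataclasses import dataclass

BUILTIN_DOMAIN_SID = "S-1-5-32"   # the fixed built-in domain SID from the glossary


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int                  # 48-bit identifier authority
    sub_authorities: tuple[int, ...]

    @classmethod
    def parse(cls, text: str) -> "Sid":
        """Parse the string form S-R-A-S1-S2-...; the authority may be hex
        (0x...) when it does not fit in 32 bits."""
        parts = text.split("-")
        if len(parts) < 3 or parts[0] != "S":
            raise ValueError(f"not a SID string: {text!r}")
        revision = int(parts[1])
        authority = int(parts[2], 0)
        subs = tuple(int(p) for p in parts[3:])
        if revision != 1 or not 0 <= authority < 2 ** 48 or len(subs) > 15:
            raise ValueError(f"out-of-range SID component in {text!r}")
        if any(not 0 <= s <= 0xFFFFFFFF for s in subs):
            raise ValueError(f"sub-authority does not fit in 32 bits: {text!r}")
        return cls(revision, authority, subs)

    def __str__(self) -> str:
        auth = str(self.authority) if self.authority < 2 ** 32 else f"0x{self.authority:X}"
        return "-".join(["S", str(self.revision), auth, *map(str, self.sub_authorities)])

    @property
    def rid(self) -> int:
        """The last sub-authority: the identity relative to the account authority."""
        if not self.sub_authorities:
            raise ValueError("SID has no sub-authorities, so no RID")
        return self.sub_authorities[-1]

    @property
    def domain_sid(self) -> "Sid":
        """Everything but the RID: the account-authority (domain) portion."""
        if not self.sub_authorities:
            raise ValueError("SID has no sub-authorities")
        return Sid(self.revision, self.authority, self.sub_authorities[:-1])

    def is_in_domain(self, domain: "Sid") -> bool:
        """True if self is domain's SID with exactly one more sub-authority (the RID)."""
        return (self.revision == domain.revision
                and self.authority == domain.authority
                and len(self.sub_authorities) == len(domain.sub_authorities) + 1
                and self.sub_authorities[:-1] == domain.sub_authorities)

    def to_bytes(self) -> bytes:
        """Binary layout: revision, count, 6-byte big-endian authority, then
        each sub-authority as a little-endian unsigned 32-bit integer."""
        head = struct.pack("<BB", self.revision, len(self.sub_authorities))
        head += self.authority.to_bytes(6, "big")
        return head + b"".join(struct.pack("<I", s) for s in self.sub_authorities)

    @classmethod
    def from_bytes(cls, data: bytes) -> "Sid":
        if len(data) < 8:
            raise ValueError("SID too short")
        revision, count = data[0], data[1]
        if len(data) != 8 + 4 * count:
            raise ValueError("SID length does not match sub-authority count")
        authority = int.from_bytes(data[2:8], "big")
        subs = struct.unpack(f"<{count}I", data[8:]) if count else ()
        return cls(revision, authority, tuple(subs))


if __name__ == "__main__":
    user = Sid.parse("S-1-5-21-1111-2222-3333-1105")       # constructed
    print(user, "rid:", user.rid, "domain:", user.domain_sid)
    print("in built-in domain:", Sid.parse("S-1-5-32-544").is_in_domain(Sid.parse(BUILTIN_DOMAIN_SID)))
    print(user.to_bytes().hex())
```

The `is_in_domain` check is the one a practitioner wants when deciding whether an objectSid belongs to a particular domain: a plain string-prefix test on "S-1-5-32" would also match an unrelated SID whose next sub-authority merely begins with those digits.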
security principal object: An object that corresponds to a security principal. A security principal object contains an identifier, used by the system and applications to name the principal, and a secret that is shared only by the principal. In Active Directory, a security principal object is identified by the objectSid attribute. In Active Directory, the domainDNS, user, computer, and group object classes are examples of security principal object classes (though not every group object is a security principal object). In AD LDS, any object containing the msDS-BindableObject auxiliary class is a security principal. See also domainDNS, objectSid, computer object, group object, user object.
site: A collection of one or more well-connected (reliable and fast) TCP/IP subnets. By defining sites (represented by site objects) an administrator can optimize both Active Directory access and Active Directory replication with respect to the physical network. When users log in, Active Directory clients find DCs that are in the same site as the user, or near the same site if there is no DC in the site. See also Knowledge Consistency Checker (KCC).
site object: An object of class site, representing a site.
SRV record: A type of information record in DNS that maps the name of a service to the DNS name of a server that offers that service. DCs advertise their capabilities by publishing SRV records in DNS.
syntax: See attribute syntax.
tombstone lifetime: The amount of time that a tombstone remains in storage before being permanently deleted.
top level name (TLN): The DNS name of the forest root domain NC.
universal group: An Active Directory group that allows user objects, global groups, and universal groups from anywhere in the forest as members. A group object g is a universal group if and only if GROUP_TYPE_UNIVERSAL_GROUP is present in g!groupType. A security-enabled universal group is valid for inclusion within ACLs anywhere in the forest. If a domain is in mixed mode, then a universal group cannot be created in that domain. See also domain local group, security-enabled group.
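The domain local group, global group and universal group entries each give a groupType test and a set of membership and ACL-inclusion rules. The following is an added example written for this glossary, not code from [MS-ADTS] or any directory implementation; it decodes groupType into a scope plus the security-enabled bit and applies exactly the rules stated in those three entries. The flag values are the well-known groupType bit values; the sample groups and domains are constructed.

```python
"""Added example (not from [MS-ADTS]): decode groupType and apply the glossary's
membership and ACL-inclusion rules for domain local, global and universal
groups. Sample groups are constructed."""
from __future__ import annotations
from dataclasses import dataclass

# Well-known groupType bit values.
GROUP_TYPE_ACCOUNT_GROUP    = 0x00000002   # global group
GROUP_TYPE_RESOURCE_GROUP   = 0x00000004   # domain local group
GROUP_TYPE_UNIVERSAL_GROUP  = 0x00000008   # universal group
GROUP_TYPE_SECURITY_ENABLED = 0x80000000   # group may appear in ACLs

SCOPE_FLAGS = {
    GROUP_TYPE_ACCOUNT_GROUP: "global",
    GROUP_TYPE_RESOURCE_GROUP: "domain_local",
    GROUP_TYPE_UNIVERSAL_GROUP: "universal",
}


def _u32(group_type: int) -> int:
    # LDAP presents groupType as a signed 32-bit integer; normalise to unsigned.
    return group_type & 0xFFFFFFFF


def group_scope(group_type: int) -> str:
    """Exactly one scope flag must be present; anything else is malformed."""
    found = [name for flag, name in SCOPE_FLAGS.items() if _u32(group_type) & flag]
    if len(found) != 1:
        raise ValueError(f"groupType 0x{_u32(group_type):08X} has {len(found)} scope flags")
    return found[0]


def is_security_enabled(group_type: int) -> bool:
    return bool(_u32(group_type) & GROUP_TYPE_SECURITY_ENABLED)


@dataclass(frozen=True)
class Group:
    domain: str        # DNS name of the domain holding the group (constructed)
    group_type: int


@dataclass(frozen=True)
class Member:
    kind: str          # "user", "global", "domain_local" or "universal"
    domain: str


def may_be_member(group: Group, candidate: Member, mixed_mode: bool = False) -> bool:
    """Membership rules from the glossary; mixed_mode is the mode of the group's domain."""
    scope = group_scope(group.group_type)
    same_domain = group.domain == candidate.domain
    if mixed_mode and scope == "universal":
        return False                        # universal groups cannot exist in a mixed-mode domain
    if mixed_mode and is_security_enabled(group.group_type):
        return candidate.kind == "user"     # security-enabled DL/global: user objects only
    if scope == "domain_local":
        return (candidate.kind in ("user", "global", "universal")
                or (candidate.kind == "domain_local" and same_domain))
    if scope == "global":
        return candidate.kind in ("user", "global") and same_domain
    return candidate.kind in ("user", "global", "universal")   # universal


def usable_in_acl(group: Group, acl_domain: str) -> bool:
    """Security-enabled domain local groups are valid only in their own domain's
    ACLs; security-enabled global and universal groups anywhere in the forest."""
    if not is_security_enabled(group.group_type):
        return False
    return group_scope(group.group_type) != "domain_local" or group.domain == acl_domain


if __name__ == "__main__":
    g = Group("a.test", -2147483646)        # signed LDAP form of 0x80000002
    print(group_scope(g.group_type), is_security_enabled(g.group_type))
    print(may_be_member(g, Member("global", "b.test")))
```

Passing the signed LDAP value (-2147483646) rather than 0x80000002 is the usual trap when scripting against groupType; the `_u32` normalisation is what keeps the bit tests correct.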
update: An add, modify, or delete of one or more objects or attribute values. See also originating update, replicated update.
UTF-8: An 8-bit, variable-width encoding of Unicode characters.
UTF-16: A 16-bit, variable-width encoding of Unicode characters.
Windows security descriptor: See security descriptor.
MAY, SHOULD, MUST, SHOULD NOT, MUST NOT: These terms (in all caps) are used as described in [RFC2119]. All statements of optional behavior use either MAY, SHOULD, or SHOULD NOT.