1.1.2 Ordinary Glossary Entries

The following terms are defined in [MS-GLOS]:

abstract class

abstract object class

access check

access control entry (ACE)

access control list (ACL)

access mask

AttributeStamp

authentication

authorization

back link value

bridgehead DC

broadcast

checksum

Component Object Model (COM)

constructed attribute

container

control access right

cyclic redundancy check (CRC)

digest

discretionary access control list (DACL)

domain

downlevel trust

endpoint

expunge

forward link value

FSMO role owner

full NC replica

garbage collection

global catalog (GC)

global catalog server (GC server)

globally unique identifier (GUID)

group

GUIDString

inheritance

Lightweight Directory Access Protocol (LDAP)

LDAP connection

link attribute

link value

LinkValueStamp

local DC

Lost and Found container

Messaging Application Programming Interface (MAPI)

mixed mode

name service provider interface (NSPI)

native mode

non-replicated attribute

NULL GUID

object class inheritance

object of class x (or x object)

operational attribute

partial attribute set (PAS)

property set

remote procedure call (RPC)

replication

replication latency

replication traffic

RPC transport

schema

schema container

schema object

security principal

security provider

Simple Mail Transfer Protocol (SMTP)

SSL/TLS handshake

structural object class

tombstone

trust object

trust secret

trusted domain object (TDO)

Unicode

universally unique identifier (UUID)

uplevel trust

Windows error code

The following terms are specific to this document:

88 object class: An object class described in the X.500 directory specification ([X501] section 8.3.4). An 88 object class can be instantiated as a new object, like a structural object class, and on an existing object, like an auxiliary object class.

account domain: The security identifier (SID) namespace for which a given machine is authoritative. For a domain controller (DC), this is its default domain. For a Windows machine that is joined to a domain, this is the SID namespace defined by the local Security Accounts Manager.

account domain SID: A SID within the account domain.

active: A state of an attributeSchema or classSchema object that represents part of the schema. It is possible to instantiate an active attribute or an active class. The opposite term is "defunct".

Active Directory: Either Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS). Active Directory is either deployed as AD DS or as AD LDS. This document describes both forms. When the specification does not refer specifically to AD DS or AD LDS, it applies to both.

Active Directory Domain Services (AD DS): AD DS is an operating system directory service implemented by a DC. The directory service provides a data store for objects that is distributed across multiple DCs. The DCs interoperate as peers to ensure that a local change to an object replicates correctly across DCs. AD DS first became available as part of Microsoft Windows 2000 and is available as part of Windows 2000 Server products and Windows Server 2003 products; in these products it is called "Active Directory". It is also available as part of Windows Server 2008. AD DS is not present in Windows NT 4.0 or in Windows XP. For more information, see [MS-SECO] section 2.5.2.

Active Directory Lightweight Directory Services (AD LDS): AD LDS is an operating system directory service implemented by a DC. The most significant difference between AD LDS and AD DS is that AD LDS does not host domain naming contexts (domain NCs). A server can host multiple AD LDS DCs. (In Microsoft documentation, AD LDS is sometimes called "ADAM".)

ambiguous name resolution (ANR): A search algorithm that permits an LDAP client to search multiple naming-related attributes on objects via a single clause of the form "(aNR=value)" in an LDAP search filter. This permits a client to query for an object when the client possesses some identifying material related to the object but does not know which attribute of the object contains that identifying material.

ancestor object: An object A is an ancestor of object O if there is a directed path of child-parent arcs from O to A. In other words, A is on the path from O to the root of the tree containing O.

application NC: A specific type of naming context (NC). An application NC cannot contain security principal objects in AD DS but can contain security principals in AD LDS. An AD DS forest can have zero or more application NCs, while an AD LDS forest can have one or more.

attribute: (Note: This definition is a specialization of the "attribute" entry in section 1.1.1, Pervasive Concepts.) An identifier for a single-valued or multi-valued data element that is associated with an LDAP directory object. An object consists of its attributes and their values. For example, cn (common name), street (street address), and mail (e-mail addresses) can all be attributes of a user object. An attribute's schema, including the syntax of its values, is defined in an attributeSchema object.

attribute syntax: A specification of the format and range of permissible values of an attribute. The syntax of an attribute is defined by several attributes on the attributeSchema object. The attribute syntaxes supported by Active Directory include Boolean, Enumeration, Integer, LargeInteger, String(UTC-Time), String(Unicode), and Object(DS-DN).

attributeID: The attributeID attribute. An object identifier (OID)–valued identifying attribute of each attributeSchema object in the schema NC.

ATTRTYP: A 32-bit quantity representing an OID. See [MS-DRSR] section 5:ATTRTYP.

auxiliary class: See auxiliary object class.

auxiliary object class: An object class that can be instantiated on, or removed from, an existing object.

back link attribute: A back link attribute is a constructed attribute whose values include object references (for example, an attribute of syntax Object(DS-DN)). The back link values are derived from the values of a related attribute, a forward link attribute, on other objects. If f is the forward link attribute, one back link value exists on object o for each object r that contains a value of o for attribute f. The relationship between the forward link attributes and back link attributes is expressed using the linkID attribute on the attributeSchema objects representing the two attributes. The forward link's linkID is an even number; the back link's linkID is the forward link's linkID plus one. For more information, see section 3.1.1.1.6.

Basic Encoding Rules (BER): A specific set of rules for encoding data structures for transfer over a network. These encoding rules are defined in [ITUX690].

built-in domain: The SID namespace defined by the fixed SID S-1-5-32. Contains groups that define roles on a local machine such as "Backup Operators".

built-in domain SID: The fixed SID S-1-5-32.

built-in principal: A security principal within the built-in domain.

canonical name: A syntactic transformation of an Active Directory distinguished name (DN) into something resembling a pathname that still identifies an object within a forest. The DN "cn=Peter Houston, ou=NTDEV, dc=microsoft, dc=com" translates to the canonical name "microsoft.com/NTDEV/Peter Houston", while the DN "dc=microsoft, dc=com" translates to the canonical name "microsoft.com/".

child object, children: See section 1.1.1, Pervasive Concepts.

computer object: An object of class computer. A computer object is a security principal object; the principal is the operating system running on the computer. The shared secret allows the operating system running on the computer to authenticate itself independently of any user running on the system. See security principal.

configuration naming context (config NC): A specific type of NC or an instance of that type. A forest has a single config NC, which contains configuration information that is shared among all DCs in the forest.

critical object: A subset of the objects in the default NC, identified by the attribute isCriticalSystemObject having the value true. The objects that are marked in this way are essential for the operation of a DC that is hosting the NC.

crossRef object: An object of class crossRef. Each crossRef object is a child of the Partitions container in the config NC. The crossRef specifies the properties of an NC, such as its DNS name, operational settings, and so on.

cross-forest trust: A relationship between two forests that enables security principals from any domain in one forest to authenticate to computers joined to any domain in the other forest.

cycle: See replication cycle.

DC functional level: A specification of functionality available in a DC. Possible values are DS_BEHAVIOR_WIN2000 (for Windows 2000 Server DCs), DS_BEHAVIOR_WIN2003 (for Windows Server 2003 DCs), and DS_BEHAVIOR_WIN2008 (for Windows Server 2008 DCs).

DC in site x: A DC such that the site of the DC is x.

default domain naming context (default domain NC): When Active Directory is operating as AD DS, this is the DC's default NC. When operating as AD LDS, this NC is not defined.

default naming context (default NC): When Active Directory is operating as AD DS, this is the domain NC whose full replica is hosted by a DC. In this case, the default NC contains the DC's computer object. When Active Directory is operating as AD LDS, the default NC is the NC specified by the msDS-DefaultNamingContext attribute on the nTDSDSA object for the DC. See nTDSDSA object.

defunct: A state of an attributeSchema or classSchema object that represents part of the schema. It is not possible to instantiate a defunct attribute or a defunct class. The opposite term is "active".

directory: A forest.

directory object (or object): An LDAP object [RFC2251], which is a specialization of the "object" entry in section 1.1.1, Pervasive Concepts. An Active Directory object can be identified by a dsname according to the matching rules defined in [MS-DRSR] section 5:DSNAME.

distinguished name (DN): An LDAP distinguished name [RFC2251]. The DN of an object is the DN of its parent, preceded by the relative distinguished name (RDN) of the object. Example: "cn=Peter Houston, ou=NTDEV, dc=microsoft, dc=com".

domain controller (DC): The service, running on a server, that implements Active Directory, or the server hosting this service. The service hosts the data store for objects and interoperates with other DCs to ensure that a local change to an object replicates correctly across all DCs. When Active Directory is operating as AD DS, the DC contains full NC replicas of the config NC, schema NC, and one of the domain NCs in its forest. If the AD DS DC is a global catalog (GC) server, it contains partial NC replicas of the remaining domain NCs in its forest. For more information, see [MS-SECO] section 2.5.2. When Active Directory is operating as AD LDS, several DCs can run on one server.

domain functional level: A specification of functionality available in a domain. Must be less than or equal to the DC functional level of every DC that hosts a replica of the domain's NC. Possible values in Windows Server 2008 are DS_BEHAVIOR_WIN2000, DS_BEHAVIOR_WIN2003_WITH_MIXED_DOMAINS, DS_BEHAVIOR_WIN2003, and DS_BEHAVIOR_WIN2008. See section 7.1.4.3 for information on how the domain functional level is determined.

domain joined: A relationship between a machine and some domain NC in which they share a secret. The shared secret allows the machine to authenticate to a DC for the domain.

domain local group: An Active Directory group that allows user objects, global groups, and universal groups from any domain as members. It also allows other domain local groups from within its domain as members. A group object g is a domain local group if and only if GROUP_TYPE_RESOURCE_GROUP is present in g!groupType. A security-enabled domain local group is valid for inclusion within access control lists (ACLs) from its own domain. If a domain is in mixed mode, then a security-enabled domain local group in that domain allows only user objects as members.

domain naming context (domain NC): A specific type of NC, or an instance of that type. A domain NC can contain security principal objects; no other type of NC can. Domain NCs appear in the GC. A forest has one or more domain NCs. The root of a domain NC is an object of class domainDNS.

domain prefix: A domain SID, minus the relative identifier (RID) portion.

domainDNS: A specific object class. The root of a domain NC or an AD DS application NC is an object of class domainDNS. The DN of such an object takes the form:

dc=n1,dc=n2, ... dc=nk

where each ni satisfies the syntactic requirements of a DNS name component. For more information, see [RFC1034]. Such a DN corresponds to the DNS name:

n1.n2. ... .nk

This is the DNS name of the NC, and it allows replicas of the NC to be located using DNS.

DSA object: See nTDSDSA object.

DSA GUID: The objectGUID of a DSA object.

dsname: A tuple that contains between one and three identifiers for an object. The possible identifiers are the object's GUID (attribute objectGUID), SID (attribute objectSid), and DN (attribute distinguishedName). A dsname can appear in a protocol message and as an attribute value (for example, a value of an attribute with syntax Object(DS-DN)).

dynamic object: An object with a time-to-die, attribute msDS-Entry-Time-To-Die. The directory service garbage-collects a dynamic object immediately after its time-to-die has passed. The constructed attribute entryTTL gives a dynamic object's current time-to-live, that is, msDS-Entry-Time-To-Die minus the current system time. For more information, see [RFC2589].

entry: A synonym for object. See also the "object" entry in section 1.1.1, Pervasive Concepts.

Extended-Rights container: A container holding objects that correspond to control access rights. The container is a child of config NC and has RDN CN=Extended-Rights.

File Replication Service (FRS): One of the services offered by a DC. The running/paused state of the FRS on a DC is available through protocols documented in section 7.3.

filter: One of the parameters in an LDAP search request. The filter specifies matching constraints for the candidate objects.

filtered attribute set: The subset of attributes that are not replicated to the filtered partial NC replica and the filtered GC partial NC replica. The filtered attribute set is part of the state of the forest and is used to control the attributes that replicate to a read-only domain controller (RODC). The searchFlags schema attribute is used to define this set.

filtered GC partial NC replica: An NC replica that contains a schema-specified subset of attributes for the objects. The attributes consist of the attributes in the GC partial attribute set, excluding those present in the filtered attribute set. A filtered GC partial NC replica is not writable.

filtered partial NC replica: An NC replica that contains all the attributes of the objects, excluding those attributes in the filtered attribute set. A filtered partial NC replica is not writable.

flexible single master operation (FSMO): A read or update operation on an NC, such that the operation must be performed on the single designated "master" replica of that NC. The master replica designation is "flexible" because it can be changed without losing the consistency gained from having a single master. This term, pronounced "fizmo", is never used alone; see also FSMO role, FSMO role owner.

foreign principal object (FPO): A foreignSecurityPrincipal object.

forest: For AD DS, a set of NCs consisting of one schema NC, one config NC, one or more domain NCs, and zero or more application NCs. Because a set of NCs can be arranged into a tree structure, a forest is also a set containing one or several trees of NCs. For AD LDS, a set of NCs consisting of one schema NC, one config NC, and zero or more application NCs. (In Microsoft documentation, an AD LDS forest is called a "configuration set".)

forest functional level: A specification of functionality available in a forest. It must be less than or equal to the DC functional level of every DC in the forest. Possible values in Windows Server 2008 are DS_BEHAVIOR_WIN2000, DS_BEHAVIOR_WIN2003_WITH_MIXED_DOMAINS, DS_BEHAVIOR_WIN2003, and DS_BEHAVIOR_WIN2008. See section 7.1.4.4 for information on how the forest functional level is determined.

forest root domain NC: The domain NC within a forest whose child is the forest's config NC. The DNS name of this domain serves as the forest name.

forward link attribute: A type of attribute whose values include object references (for example, an attribute of syntax Object(DS-DN)). The forward link values can be used to compute the values of a related attribute, a back link attribute, on other objects. A forward link attribute can exist with no corresponding back link attribute, but not vice versa.

FSMO role: A set of objects that can be updated in only one NC replica (the FSMO role owner's replica) at any given time.

FSMO role object: The object in the directory that represents a specific FSMO role. This object is an element of the FSMO role and contains the fSMORoleOwner attribute.

FSMO role transfer: A request to a DC d. If d is the current owner of the specified FSMO role, the effect is to transfer that role to the client; if d is not the current owner of the role, the effect is to update the client's role objects from d's replica, so the client can try the request again on another DC.

GC partial attribute set (PAS): The subset of attributes that replicate to a GC partial NC replica. The partial attribute set is part of the state of the forest and is used to control the attributes that replicate to GC servers. The isMemberOfPartialAttributeSet schema attribute is used to define this set.

GC partial NC replica: An NC replica that contains a schema-specified subset of attributes for the objects it contains. The subset of attributes consists of the attributes in the GC partial attribute set.

global group: An Active Directory group that allows user objects from its own domain and global groups from its own domain as members. Universal groups can contain global groups. A group object g is a global group if and only if GROUP_TYPE_ACCOUNT_GROUP is present in g!groupType. A security-enabled global group is valid for inclusion within ACLs anywhere in the forest. If a domain is in mixed mode, then a security-enabled global group in that domain allows only user objects as members. See also domain local group, security-enabled group.

governsID: The governsID attribute. An OID-valued identifying attribute of each classSchema object in the schema NC.

group object: An object of class group representing a group. A group has a forward link attribute member; the values of this attribute represent either elements of the group (for example, objects of class user or computer) or subsets of the group (objects of class group). The back link attribute memberOf enables navigation from group members to the groups containing them. Some groups represent groups of security principals and some do not (and are, for instance, used to represent e-mail distribution lists).

GUID-based DNS name: A DNS name published for a DC. If a DC's DSA GUID is "52f6c43b-99ec-4040-a2b0-e9ebf2ec02b8", and the forest root domain NC's DNS name is "fabrikam.com", then the GUID-based DNS name of the DC is "52f6c43b-99ec-4040-a2b0-e9ebf2ec02b8._msdcs.fabrikam.com". See also domainDNS.
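The three name transformations defined above (DN to canonical name, domainDNS DN to DNS name, and DSA GUID plus forest root name to GUID-based DNS name) are carried out by the following Python, which is an added example and not code from the specification. The function names split_dn, canonical_name, dns_name_of_domain_dn and guid_based_dns_name are this example's own; only the DN and DNS forms come from the glossary entries.

```python
import re

# One DNS name component ([RFC1034]): letters, digits and hyphens, no leading
# or trailing hyphen, at most 63 characters.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def split_dn(dn):
    """Split an LDAP DN into (attribute, value) pairs, leftmost RDN first.

    A backslash escapes the following character, so "cn=Houston\\, Peter" is one
    RDN whose value contains a comma. Multi-valued RDNs (a=x+b=y) are rejected
    because neither transformation on this page needs them.
    """
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        elif ch == "+":
            raise ValueError("multi-valued RDNs are not supported: %r" % dn)
        else:
            buf.append(ch)
    rdns.append("".join(buf))

    pairs = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError("malformed RDN %r in DN %r" % (rdn, dn))
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def canonical_name(dn):
    """DN -> canonical name: the trailing dc= components become a dotted domain
    name, the remaining RDNs follow as a '/'-separated path in root-first order.
    "dc=microsoft, dc=com" therefore yields "microsoft.com/" (trailing slash)."""
    pairs = split_dn(dn)
    i = len(pairs)
    while i > 0 and pairs[i - 1][0] == "dc":
        i -= 1
    dc_values = [value for _, value in pairs[i:]]
    if not dc_values:
        raise ValueError("DN %r has no dc= components" % dn)
    domain = ".".join(dc_values)
    path = [value for _, value in reversed(pairs[:i])]
    return domain + "/" + "/".join(path)


def dns_name_of_domain_dn(dn):
    """domainDNS DN "dc=n1,dc=n2,...,dc=nk" -> DNS name "n1.n2.....nk".
    Every RDN must be dc= and every value must be a valid DNS label."""
    labels = []
    for attr, value in split_dn(dn):
        if attr != "dc":
            raise ValueError("not a domainDNS-style DN: %r" % dn)
        if not LABEL_RE.match(value):
            raise ValueError("invalid DNS label %r in DN %r" % (value, dn))
        labels.append(value)
    return ".".join(labels)


def guid_based_dns_name(dsa_guid, forest_root_domain_dn):
    """<DSA GUID>._msdcs.<forest root DNS name>, as published for a DC."""
    return "%s._msdcs.%s" % (dsa_guid, dns_name_of_domain_dn(forest_root_domain_dn))


if __name__ == "__main__":
    # The DN and GUID below are the glossary's own examples.
    print(canonical_name("cn=Peter Houston, ou=NTDEV, dc=microsoft, dc=com"))
    print(canonical_name("dc=microsoft, dc=com"))
    print(guid_based_dns_name("52f6c43b-99ec-4040-a2b0-e9ebf2ec02b8",
                              "dc=fabrikam,dc=com"))
```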

inbound trust: A trust relationship between two domains, from the perspective of the domain that is trusted to perform authentication.

interdomain trust accounts: Accounts that store information associated with domain trusts in the domain controllers of the domain that is trusted to perform authentication.

intersite topology generator (ISTG): A DC within a given site that computes an NC replica graph for each NC replica on any DC in its site. This DC creates, updates, and deletes corresponding nTDSConnection objects for edges directed from NC replicas in other sites to NC replicas in its site.

invocationId: The invocationId attribute. An attribute of an nTDSDSA object. Its value is a unique identifier for a function that maps from update sequence numbers (USNs) to updates to a DC's NC replicas. See also nTDSDSA Object.

Knowledge Consistency Checker (KCC): An internal Windows component of the Active Directory replication used to create spanning trees for DC-to-DC replication and to translate those trees into settings of variables that implement the replication topology.

LDAP ping: A specific LDAP search that returns information about whether services are live on a DC.

lingering object: An object that still exists in an NC replica even though it has been deleted and garbage-collected from other replicas. This occurs, for instance, when a DC goes offline for longer than the tombstone lifetime.

mailslot: A form of datagram communication using the Server Message Block (SMB) protocol, as specified in [MS-MAIL].

mailslot ping: A specific mailslot request that returns information about whether services are live on a DC.

most specific object class: In a sequence of object classes related by inheritance, the class that none of the other classes inherits from. The special object class top is less specific than any other class.

naming context (NC): An NC is a dsname, containing at least a DN and a GUID, used in forming names for a tree of objects. The DN of the dsname is the distinguishedName attribute of the tree root. The GUID of the dsname is the objectGUID attribute of the tree root. The SID of the dsname, if present, is the objectSid attribute of the tree root; for AD DS, the SID is present if and only if the NC is a domain NC. Active Directory supports organizing several NCs into a tree structure.

NC replica: A variable containing a tree of objects whose root object is identified by some NC.

NC replica graph: A directed graph containing NC replicas as nodes and repsFrom tuples as inbound edges by which originating updates replicate from each full replica of a given NC to all other NC replicas of the NC, directly or transitively.

NetBIOS: A protocol family including name resolution, datagram, and connection services. For more information, see [RFC1001] and [RFC1002].

NetBIOS Name Service (NBNS): The name service for NetBIOS. For more information, see [RFC1001] and [RFC1002].

Netlogon: A component of Windows that authenticates a computer and provides other services. The running/paused state of Netlogon on a DC is available through protocols documented in section 7.3.

nTDSDSA object: An object of class nTDSDSA, representing a DC in the config NC.

object: See section 1.1.1, Pervasive Concepts.

object class: See section 1.1.1, Pervasive Concepts.

object class name: The lDAPDisplayName of the classSchema object of an object class. This document consistently uses object class names to denote object classes; for example, user and group both name object classes. The correspondence between LDAP display names and numeric OIDs in the Active Directory schema is defined in the appendices of this document: [MS-ADSC], [MS-ADA1], [MS-ADA2], and [MS-ADA3].

object ID: See object identifier (OID).

object identifier (OID): A sequence of numbers in a format defined by [RFC1778]. See attributeID and governsID.

object reference: An attribute value that references an object; reading a reference gives the DN or full dsname of the object.

objectClass: The objectClass attribute. The attribute on an object that holds the identity of each object class of the object.

objectGUID: The objectGUID attribute. The attribute on an object whose value is a GUID that uniquely identifies the object. The value of objectGUID is assigned when an object is created and is immutable thereafter. The integrity of both object references between NCs and of replication depends on the integrity of the objectGUID attribute.

objectSid: The objectSid attribute. The attribute on an object whose value is a SID that identifies the object as a security principal object. The value of objectSid is assigned when a security principal object is created and is immutable thereafter unless the object moves to another domain. The integrity of authentication depends on the integrity of the objectSid attribute.

oriented tree: A directed acyclic graph such that for every vertex v except one (the root), there is a unique arc whose initial vertex is v. There is no arc whose initial vertex is the root. For more information, see [KNUTH1] section 2.3.4.2.

originating update: An update performed to an NC replica directly by a client, as opposed to an update applied by replication from another NC replica. An originating update to an attribute or link value generates a new stamp for the attribute or link value.

outbound trust: A trust relationship between two domains, from the perspective of the domain that trusts another domain to perform authentication.

parent object: See section 1.1.1, Pervasive Concepts.

partial NC replica: An NC replica that contains a schema-specified subset of attributes for the objects it contains. A partial replica is not writable—it does not accept originating updates. See also Writable NC Replica.

Partitions container: A child object of the config NC root. The RDN of the Partitions container is "cn=Partitions" and its class is crossRefContainer. See also crossRef Object.

prefix table: A data structure that is used to translate between an OID and an ATTRTYP.

primary domain controller (PDC): A DC designated to track changes made to the accounts of all computers on a domain. It is the only computer to receive these changes directly, and is specialized so as to ensure consistency and to eliminate the potential for conflicting entries in the Active Directory database. A domain has only one PDC.

primary group: The group object identified by the primaryGroupID attribute of a user object. The primary group's objectSid equals the user's objectSid, with its RID portion replaced by the primaryGroupID value. The user is considered a member of its primary group.

principal: A unique entity identifiable by a SID that is typically the requester of access to securable objects or resources. It often corresponds to a human user but can also be a computer or service. It is sometimes referred to as a security principal.

privilege: The right of a user to perform system-related operations, such as debugging the system. A user's security context specifies what privileges are held by that user.

RDN attribute: The attribute used in an RDN. In the RDN "cn=Peter Houston" the RDN attribute is cn. In Active Directory, the RDN attribute of an object is determined by the 88 object class or the most specific structural object class of the object. See also Most Specific Object Class.

read permission: Authorization to read an attribute of an object.

read-only domain controller (RODC): A DC that does not accept originating updates. Additionally, an RODC does not perform outbound replication.

read-only full NC replica: An NC replica that contains all attributes of the objects it contains, and does not accept originating updates.

relative distinguished name (RDN): The name of an object relative to its parent. This is the leftmost attribute-value pair in the DN of an object. For example, in the DN "cn=Peter Houston, ou=NTDEV, dc=microsoft, dc=com", the RDN is "cn=Peter Houston". For more information, see [RFC2251].

relative identifier (RID): The last item in the series of subauthority values in a SID (see [MS-DTYP] section 2.3). Differences in the RID are what distinguish the different SIDs generated within a domain.
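The SID arithmetic behind the domain prefix, RID, primary group and built-in domain entries above, as an added Python example that is not part of the specification. The user SID and the group RIDs in the sample are constructed values; the helper names (parse_sid, primary_group_sid, effective_group_sids and so on) are this example's own. Because the primary group is derived from primaryGroupID rather than recorded as a member value, an audit that only follows the member/memberOf link pair misses it; effective_group_sids adds it back.

```python
import re

# Textual SID: S-<revision>-<identifier authority>-<subauthority>...
SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")
BUILTIN_DOMAIN_SID = "S-1-5-32"  # fixed SID of the built-in domain


def parse_sid(sid):
    """Return (revision, identifier_authority, [subauthorities...])."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a string SID: %r" % sid)
    subauths = [int(x) for x in m.group(3).split("-")[1:]]
    return int(m.group(1)), int(m.group(2)), subauths


def format_sid(revision, authority, subauths):
    if not subauths:
        raise ValueError("a SID needs at least one subauthority")
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subauths))


def rid_of(sid):
    """The RID is the last subauthority value."""
    return parse_sid(sid)[2][-1]


def domain_prefix(sid):
    """The domain SID: the principal's SID minus its RID portion."""
    revision, authority, subauths = parse_sid(sid)
    if len(subauths) < 2:
        raise ValueError("%r has no RID portion to strip" % sid)
    return format_sid(revision, authority, subauths[:-1])


def primary_group_sid(user_sid, primary_group_id):
    """Primary group objectSid = user's objectSid with the RID replaced by
    the user's primaryGroupID value."""
    revision, authority, subauths = parse_sid(user_sid)
    return format_sid(revision, authority, subauths[:-1] + [int(primary_group_id)])


def is_builtin_principal(sid):
    """True for principals in the S-1-5-32 namespace (for example local
    role groups such as Backup Operators)."""
    return domain_prefix(sid) == BUILTIN_DOMAIN_SID


def effective_group_sids(user_sid, primary_group_id, member_of_sids):
    """Groups the user belongs to: those reachable via the memberOf back link
    plus the primary group, which memberOf does not list."""
    return set(member_of_sids) | {primary_group_sid(user_sid, primary_group_id)}


if __name__ == "__main__":
    # Constructed sample: a user in a constructed domain whose primaryGroupID
    # is 513 and who is also a direct member of one other group.
    user = "S-1-5-21-3623811015-3361044348-30300820-1106"
    print(domain_prefix(user), rid_of(user))
    print(sorted(effective_group_sids(user, 513,
                 ["S-1-5-21-3623811015-3361044348-30300820-1120"])))
```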

replica: See section 1.1.1, Pervasive Concepts.

replicated attribute: An attribute whose values are replicated to other NC replicas. An attribute is replicated if its attributeSchema object o does not have a value for the systemFlags attribute, or if the FLAG_ATTR_NOT_REPLICATED bit (bit 0) of o!systemFlags is zero.

replicated update: An update performed to an NC replica by the replication system in order to propagate the effect of an originating write at another NC replica. The stamp assigned during the originating write to an attribute or a link value is preserved by replication.

replication cycle: A series of one or more replication responses associated with the same invocation ID, concluding with the return of a new up-to-date vector.

root domain: The unique domain NC of an Active Directory forest that is the parent of the forest's config NC. The config NC's RDN is "cn=Configuration" relative to the root object of the root domain.

root DSE (rootDSE): A nameless entry containing the configuration status of the LDAP server. Typically, access to at least a portion of the root DSE is available to unauthenticated clients, allowing them to determine the authentication methods supported by the server.

schema NC: A specific type of NC or an instance of that type. A forest has a single schema NC, which is replicated to each DC in the forest. Each attribute and class in the forest's schema is represented as a corresponding object in the forest's schema NC.

Secure Sockets Layer (SSL): A means of providing privacy and data protection between a client and a server. It may also be used to provide authentication between the two systems. For more information, see [SSL3].

security context: A data structure containing authorization information for a particular security principal in the form of a collection of SIDs. One SID identifies the principal specifically, whereas others may represent other capabilities. A server uses the authorization information in a security context to check access to requested resources.

security descriptor (SD): A data structure containing the security information associated with a securable object. An SD identifies an object's owner by SID. If access control is configured for the object, its SD contains a discretionary access control list (DACL) with SIDs for the security principals that are allowed or denied access. The security descriptor format is specified in [MS-DTYP] section 2.4.6; a string representation of security descriptors, called Security Descriptor Definition Language (SDDL), is specified in [MS-DTYP] section 2.5.1.

security-enabled group: A group object with GROUP_TYPE_SECURITY_ENABLED present in its groupType attribute. Only security-enabled groups are added to a security context. See also group object.

security identifier (SID): An account identifier (in Windows, this is used to identify an account). Conceptually, the SID is composed of an account authority portion (typically a domain) and a smaller integer representing an identity relative to the account authority, termed the RID. The SID format is specified in [MS-DTYP] section 2.4.2; a string representation of SIDs is specified in [MS-DTYP] section 2.4.2 and [MS-SECO] section 2.3.

security principal object: An object that corresponds to a security principal. A security principal object contains an identifier, used by the system and applications to name the principal, and a secret that is shared only by the principal. In Active Directory, a security principal object is identified by the objectSid attribute. In Active Directory, the domainDNS, user, computer, and group object classes are examples of security principal object classes (though not every group object is a security principal object). In AD LDS, any object containing the msDS-BindableObject auxiliary class is a security principal. See also domainDNS, objectSid, computer object, group object, user object.

server object: A class of object in the config NC. A server object can have an nTDSDSA object as a child. See also nTDSDSA object.

service principal name (SPN): A name a client uses to identify a service for mutual authentication. For more information, see [RFC1964] section 2.1.1.

Simple Authentication and Security Layer (SASL): An authentication mechanism that is used by LDAP and is defined in [RFC2222].

site: A collection of one or more well-connected (reliable and fast) TCP/IP subnets. By defining sites (represented by site objects) an administrator can optimize both Active Directory access and Active Directory replication with respect to the physical network. When users log in, Active Directory clients find DCs that are in the same site as the user, or near the same site if there is no DC in the site. See also Knowledge Consistency Checker (KCC).

site object: An object of class site, representing a site.

site of DC: The site object that is an ancestor of the DC's nTDSDSA object. See also nTDSDSA object.

site settings object: For a given site with site object s, its site settings object o is the child of s such that o is of class nTDSSiteSettings and the RDN of o is CN=NTDS Site Settings. See also site object.

SRV record: A type of information record in DNS that maps the name of a service to the DNS name of a server that offers that service. DCs advertise their capabilities by publishing SRV records in DNS.

stamp: Information describing an originating update by a DC. The stamp is not the new data value; the stamp is information about the update that created the new data value. A stamp is often called metadata, because it is additional information that "talks about" the conventional data values.

syntax: See attribute syntax.

tombstone lifetime: The amount of time that a tombstone remains in storage before being permanently deleted.

top level name (TLN): The DNS name of the forest root domain NC.

Transport Layer Security (TLS): The successor to Secure Sockets Layer (SSL). As with SSL, it provides privacy, data protection, and optionally authentication between a client and server. See [RFC2246].

trust: A relationship between two domains. If domain A trusts domain B, domain A accepts domain B's authentication and authorization statements for principals represented by security principal objects in domain B.

universal group: An Active Directory group that allows user objects, global groups, and universal groups from anywhere in the forest as members. A group object g is a universal group if and only if GROUP_TYPE_UNIVERSAL_GROUP is present in g!groupType. A security-enabled universal group is valid for inclusion within ACLs anywhere in the forest. If a domain is in mixed mode, then a universal group cannot be created in that domain. See also domain local group, security-enabled group.

update: An add, modify, or delete of one or more objects or attribute values. See also originating update, replicated update.

update sequence number (USN): A monotonically increasing sequence number used in assigning a stamp to an originating update. See also invocation ID.

userAccountControl: The userAccountControl attribute. An attribute of a security principal object, containing a set of security options. For instance, this attribute designates the role of a computer in a domain.

user object: An object of class user. A user object is a security principal object; the principal is a person or service entity running on the computer. The shared secret allows the person or service entity to authenticate itself.

UTF-8: An 8-bit, variable-width encoding of Unicode characters.

UTF-16: A 16-bit, variable-width encoding of Unicode characters.

well-known object: An object within an NC that can be located using a fixed GUID.

Windows security descriptor: See security descriptor.

writable NC replica: An NC replica that accepts originating updates. A writable NC replica is always full, but a full NC replica is not always writable. See also read-only full NC replica.

MAY, SHOULD, MUST, SHOULD NOT, MUST NOT: These terms (in all caps) are used as described in [RFC2119]. All statements of optional behavior use either MAY, SHOULD, or SHOULD NOT.

© 2014 Microsoft