The following terms are defined in [MS-GLOS]:
back link value
binary large object (BLOB)
control access right
discretionary access control list (DACL)
domain controller (DC)
domain name (3)
forward link attribute
forward link value
FSMO role owner
full NC replica
fully qualified domain name (FQDN) (1) (2)
global catalog (GC)
global catalog server (GC server)
Interface Definition Language (IDL)
Internet host name
Lightweight Directory Access Protocol (LDAP)
local domain controller (DC)
Microsoft Interface Definition Language (MIDL)
Network Data Representation (NDR)
partial attribute set (PAS)
primary domain controller (PDC) role owner
remote procedure call (RPC)
The following terms are defined in [MS-ADTS]:
NetBIOS domain name
The following terms are specific to this document:
abstract type: A type used in this specification whose representation need not be standardized for interoperability because the type's use is internal to the specification. See concrete type.
access control entry (ACE): An entry in an access control list (ACL). An ACE contains a set of access rights and a security identifier (SID) that identifies the principal (including group principals) for whom the rights are allowed, denied, or audited.
access control list (ACL): A sequence of access control entries (ACEs) that describes the rules for authorizing access to some resource; for example, an object or set of objects.
Active Directory: Either Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS).
Active Directory Domain Services (AD DS): AD DS is an operating system directory service implemented by a domain controller (DC). The directory service provides a data store for objects that is distributed across multiple DCs. The DCs interoperate as peers to ensure that a local change to an object replicates correctly across DCs. AD DS first became available as part of Windows 2000 and is available as part of Windows 2000 Server, Windows Server 2003, and Windows Server 2003 R2 products; in these products it is called "Active Directory". It is also available as part of Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012. AD DS is not present in Windows NT 3.1, Windows NT 3.51, Windows NT 4.0, or Windows XP. For more information, see [MS-WSO] section 18.104.22.168.5.2 and [MS-ADTS].
Active Directory Lightweight Directory Services (AD LDS): AD LDS is an operating system directory service implemented by a domain controller (DC). The most significant difference between AD LDS and AD DS is that AD LDS does not host domain NCs. A server can host multiple AD LDS DCs. (In Microsoft documentation, AD LDS is sometimes called "ADAM".)
application NC: A specific type of naming context (NC). An application NC does not contain security principal objects and does not appear in the GC. The root of an application NC is an object of classdomainDNS. See domainDNS.
attribute: (Note: This definition is a specialization of the "attribute" concept that is described in the Introduction (section 1).) An identifier for a single- or multivalued data element associated with an LDAPdirectory object. An object consists of its attributes and their values. For example, cn (common name), street (street address), and mail (email addresses) can all be attributes of a user object. An attribute'sschema, including the syntax of its values, is defined in an attributeSchemaobject.
attribute syntax: A specification of the format and range of permissible values of an attribute. The syntax of an attribute is defined by several attributes on the attributeSchemaobject. Attribute syntaxes supported by Active Directory include Boolean, Enumeration, Integer, LargeInteger, String(UTC-Time), String(Unicode), and Object(DS-DN).
back link attribute: A computed attribute whose values include object references (for example, an attribute of syntax Object(DS-DN)). The values are derived from the values of a related attribute, a forward link attribute, on other objects. If f is the forward link attribute, one back link value exists on objecto for each objectr that contains a value of o for attributef. The relationship between forward link attributes and back link attributes is expressed using the linkIDattribute on the attributeSchemaobjects representing the two attributes. The forward link's linkID is an even number, and the back link's linkID is the forward link's linkID plus one. For more information, see [MS-ADTS] section 22.214.171.124.6.
binary OID: An object identifier (OID) in a Basic Encoding Rules (BER)–encoded binary format, as specified in [ITUX690] section 8.19.
built-in domain: The SID namespace that is defined by the fixed SID S-1-5-32. The built-in domain contains groups that define roles on a local computer, such as "Backup Operators".
built-in principal: A security principal within the built-in domain whose SID is identical in every domain.
checksum: A value that is the summation of a byte stream. By comparing the checksums computed from a data item at two different times, it can be quickly assessed whether the data items are different.
class: See object class.
compression chunk (or chunk): When compression is used for replication data, the data is divided into smaller units, called "compression chunks", that are suitable for the particular algorithm. The chunk size is specific to the compression algorithm being employed.
computer object: An object of classcomputer. A computer object is a security principal object; the principal is the operating system running on the computer. The shared secret allows the operating system running on the computer to authenticate itself independently of any user running on the system. See security principal.
concrete type: A type used in this specification whose representation must be standardized for interoperability. Specific cases include types in the IDL definition of an RPC interface, types sent over RPC but whose representation is unknown to RPC, and types stored as byte strings in directoryattributes.
critical object: A subset of the objects in the default NC, identified by the attributeisCriticalSystemObject having the value TRUE. The objects that are marked in this way are essential for the operation of a DC hosting the NC.
crossRef object: An object of classcrossRef. Each crossRefobject is a child of the partitions container in the config NC. A crossRef describes the properties of an NC, such as its fully qualified domain name (FQDN), operational settings, and so on.
cycle: A series of one or more replication responses associated with the same invocation ID, concluding with the return of a new up-to-date vector.
cyclic redundancy check (CRC): A broad class of functions used for detecting errors in the transmission of data; for example, CRC is one method of generating a checksum.
default naming context replica (default NC replica): Part of the state of a DC. A DC'sdefault NC replica is a domain NC. On a read-only DC, the default NC replica is a filtered partial NC replica; otherwise, it is a full NC replica, hosted by the DC.
deleted-object: An object that has been deleted, but that remains in storage until a configured amount of time (the deleted-object lifetime) has passed, after which the object is transformed into a recycled-object. Unlike a recycled-object or a tombstone, a deleted-object maintains virtually all the state of the object before deletion and may be undeleted without loss of information. Deleted-objects exist only when the Recycle Binoptional feature is enabled.
deleted-object lifetime: The time period that a deleted-object is kept in storage before it is transformed into a recycled-object.
directory object (or object): An Active Directoryobject, which is a specialization of the "object" concept that is described in the Introduction (section 1). The identifying attribute is objectGUID, and the parent-identifying attribute (not exposed as an LDAPattribute) is parent. Active Directoryobjects are similar to LDAPentries, as defined in [RFC2251]; the differences are specified in [MS-ADTS] section 126.96.36.199.1.
distinguished name (DN): A human-readable name for an object; every object has a DN. Active DirectoryDNs are LDAPDNs[RFC2251], restricted as specified in [MS-ADTS] section 188.8.131.52.1.2.1. The DN of an object is the object'sRDN followed by "," followed by the DN of its parent; for example: "cn=Peter Houston, ou=NTDEV, dc=microsoft, dc=com". See canonical name.
domain: A unit of security administration and delegation in a Microsoft Windows network. For more information, see [MS-WSO] section 184.108.40.206.5, and [MS-ADTS].
domain naming context (domain NC): A type of NC that represents a domain. A domain NC can contain security principal objects; no other type of NC can contain security principal objects. Domain NCs appear in the GC. A forest has one or more domain NCs. The root of a domain NC is an object of classdomainDNS. See domainDNS.
domain security identifier (domain SID): The SID of the root object of a domain NC. The relative identifier (RID) portion of the domain SID is always zero. Every security principal object in a domain NC has an objectSidattribute equal to the domain SID except for the RID portion.
domainDNS: A specific object class. The root of a domain NC or an application NC is an object of classdomainDNS. The DN of such an object takes the form
dc=n1,dc=n2, ... dc=nk
n1.n2. ... .nk
This is the FQDN of the NC, and it allows replicas of the NC to be located by using DNS.
directory service agent (DSA): A term from the X.500 directory specification [X501] that represents a component that maintains and communicates directory information.
DSA GUID: The objectGUID of a DSA object.
DSName: A DSName is a tuple that contains between one and three identifiers for an object. The possible identifiers are the object'sGUID (attributeobjectGUID), SID (attributeobjectSid), and DN (attributedistinguishedName). A DSName can appear in a protocol message and as an attribute value; for example, a value of an attribute with syntax Object(DS-DN). Given a DSName, an object can be identified within a set of NC replicas according to the matching rules defined in section 5.49.
dynamic object: An object with a "time-to-die" attribute, msDS-Entry-Time-To-Die. Active Directory "garbage-collects" a dynamic object immediately after the time-to-die of the object has passed. The constructed attributeentryTTL gives a dynamic object's current "time-to-live"; that is, the difference between the current time and msDS-Entry-Time-To-Die. See [RFC2589].
encryption key: One of the input parameters to an encryption algorithm. An encryption algorithm takes as input a clear-text message and a key, and results in a cipher-text message. The corresponding decryption algorithm takes a cipher-text message, and the key, and results in the original clear-text message.
endpoint: A network-specific address of a server process for remote procedure calls. The actual name of the endpoint depends on the RPC protocol sequence being used. For example, for the NCACN_IP_TCP RPC protocol sequence, an endpoint might be TCP port 1025. For more information, see [C706].
entry: A term often used as a synonym for object, but not in this document.
extended canonical name: Same as a canonical name, except that the rightmost forward slash ('/') is replaced with a newline character.
extended operation: A special replication cycle in which a client DC requests an action on a FSMO role; for example, a change in the FSMO role owner. FSMO role abandon and FSMO role transfer are examples of extended operations.
filtered attribute set (FAS): The subset of attributes that are not replicated to filtered partial NC replicas and filtered GC partial NC replicas. A particular filtered attribute set is part of the state of the forest, and is used to control the attributes that replicate to a read-only DC. The searchFlags schema attribute is used to define this set.
filtered GC partial NC replica: An NC replica that contains a schema-specified subset of attributes for the objects it contains. The subset of attributes consists of the attributes in the GC partial attribute set, excluding those present in the filtered attribute set. A filtered GC partial NC replica is not writable; that is, it does not accept originating updates.
filtered partial NC replica: An NC replica that contains a schema-specified subset of attributes for the objects it contains. The subset of attributes consists of all the attributes of the objects, excluding those attributes in the filtered attribute set. A filtered partial NC replica is not writable; that is, it does not accept originating updates.
flexible single master operation: See FSMO.
forward link attribute: A specific type of attribute. The values of a forward link attribute include object references (for example, syntax Object(DS-DN)). The forward link values can be used to compute the values of a related attribute, that is a back link attribute, on other objects. A forward link attribute can exist with no corresponding back link attribute, but not vice versa. See [MS-ADTS] section 220.127.116.11.6.
FSMO (flexible single master operation): A read or update operation on an NC, such that the operation must be performed on the single designated "master" replica of that NC. The master replica designation is "flexible" because it can be changed without losing the consistency gained from having a single master. This term (pronounced "fizmo") is never used alone; see FSMO role, FSMO role owner.
FSMO role abandon: A request to a DCD. The effect is for D to request the current owner of a specified FSMO role to transfer the role to D (see FSMO role transfer). Abandon can be initiated by the current role owner in anticipation of being unable to host the role; for example, because the DC is being decommissioned.
FSMO role transfer: A request to a DCD. If D is the current owner of the specified FSMO role, the effect is to transfer that role to the client; if D is not the current owner of the role, the effect is to update the client's role objects from D's replica, so that the client can try the request again on another DC.
GC partial attribute set (PAS): The subset of attributes that replicate to GC partial NC replicas. A particular GC partial attribute set is part of the state of the forest, and is used to control the attributes that replicate to GC servers. The isMemberOfPartialAttributeSet schema attribute is used to define this set.
GC partial NC replica: An NC replica that contains a schema-specified subset of attributes for the objects it contains. The subset of attributes consists of the attributes in the GC partial attribute set. A GC partial NC replica is not writable; for example, it does not accept originating updates.
global group: An Active Directorygroup that allows user objects from its own domain and global groups from its own domain as members. Universal groups can contain global groups. A group objectG is a global group if GROUP_TYPE_ACCOUNT_GROUP is present in G's groupTypeattribute. A global group contributes to the creation of security contexts if GROUP_TYPE_SECURITY_ENABLED is present in G's groupTypeattribute; in this case the group is valid for inclusion within access control lists (ACLs) anywhere in the forest.
globally unique identifier (GUID): A 128-bit value used in cross-process communication to identify entities such as client and server interfaces and RPC objects. For more information, see [C706]. A string representation of GUIDs, commonly called the "dashed-string" representation, is specified in [RFC4122] section 3.
group: See group object.
group object: An object of classgroup, representing a set of objects. A group has a forward link attributemember; the values of this attribute either represent elements of the group (for example, objects of classuser or computer) or represent subsets of the group (objects of classgroup). Representation of group subsets is called "nested group membership". The back link attributememberOf enables navigation from group members to the groups containing them. Some groups represent groups of security principals and some do not (and are, for example, used to represent email distribution lists).
group principal: A group representing a collection of security principals. A group principal can be used in an ACE to collectively grant or deny permissions to all the security principals in that group.
invocation ID: A unique identifier for a function that maps from update sequence numbers (USNs) to updates to the NC replicas of a DC.
Knowledge Consistency Checker (KCC): An internal Windows component of Active Directoryreplication used to create spanning trees for DC-to-DC replication and to translate those trees into settings of variables that implement the replication topology.
lingering object: An object that still exists in an NC replica even though it has been deleted and "garbage-collected" from other replicas. Lingering objects can occur, for example, when a DC goes offline for longer than the tombstone lifetime.
Lost and Found container: A container holding objects in a given NC that do not have parent objects due to add and delete operations that originated on different DCs. The container is a child of the NC root and has RDN cn=LostAndFound in domain NCs and cn=LostAndFoundConfig in config NCs.
MD5 hash: A hashing algorithm developed by RSA Data Security, Inc., and defined in [RFC1321].
mixed mode: A state of an Active Directorydomain that supports DCs running Windows NT Server 4.0. Mixed mode does not allow organizations to take advantage of new Active Directory features such as universal groups, nested group membership, and interdomain group membership. See native mode.
naming context (NC): An NC is a DSName, containing at least a DN and a GUID, used in forming names for a tree of objects. The DN of the DSName is the distinguishedNameattribute of the tree root. The GUID of the DSName is the objectGUIDattribute of the tree root. The SID of the DSName, if present, is the objectSidattribute of the tree root; the SID is present if and only if the NC is a domain NC. Active Directory allows NCs to be organized into a tree structure.
native mode: A state of an Active Directorydomain in which all current and future DCs run Windows 2000 Server or higher; no DCs run Windows NT Server 4.0. Native mode allows organizations to take advantage of new Active Directory features such as universal groups, nested group membership, and interdomain group membership. See mixed mode.
NC replica: A variable containing a tree of objects whose root object is identified by some NC.
nTDSDSA object: An object of classnTDSDSA. See DSA object.
object class name: The lDAPDisplayName of the classSchemaobject of a class. This document consistently uses object class names to denote classes; for example, user and group are both object class names. The correspondence between LDAP display names and numeric OIDs in the Active Directoryschema is specified in the following appendices of [MS-ADTS]: [MS-ADSC], [MS-ADA1], [MS-ADA2], and [MS-ADA3].
object identifier (OID): A sequence of numbers in a format defined in [RFC1778]. See attributeID, governsID.
object of class x (or x object): An objectO such that one of the values of its objectClassattributes is x. For example, if O's objectClass contains the value user, O is an object of classuser. This is often contracted to "user object".
object reference: An attribute value that identifies an object; reading an object reference gives the DN or full DSName of the object.
objectClass: The objectClassattribute. The attribute on an object that holds the object class name of each object class of the object.
objectGUID: The objectGUIDattribute. The identifying attribute on an object, in the sense of the "object" concept that is described in the Introduction (section 1). The value of an object'sobjectGUID is a GUID assigned when the object was created and is immutable thereafter. The integrity of object references between NCs and of replication depends on the integrity of the objectGUIDattribute.
objectSid: The objectSidattribute. The attribute on an object whose value is a SID that identifies the object as a security principal object. The value of an object'sobjectSid is assigned when the security principal object was created and is immutable thereafter unless the object moves to another domain. The integrity of authentication depends on the integrity of the objectSidattribute.
optional feature: A non-default behavior that modifies the Active Directory state model. For more information, refer to [MS-ADTS] section 18.104.22.168.
oriented tree: A directed acyclic graph such that for every vertex v, except one (the root), there is a unique arc whose initial vertex is v. There is no arc whose initial vertex is the root. For more information, see [KNUTH1] section 22.214.171.124.
partial NC replica: An NC replica that contains a schema-specified subset of attributes for the objects that it contains. A partial NC replica is not writable—it does not accept originating updates. See writable NC replica.
Partitions container: A child object of the config NC root. The RDN of the Partitions container is "cn=Partitions" and its class is crossRefContainer. See crossRef Object.
PDC emulator: A DC that is designated to track changes made to the accounts of all computers in a domain. The PDC emulator is the only computer to receive these changes directly and is specialized so as to ensure consistency and to eliminate the potential for conflicting entries in the Active Directory database. A domain has only one PDC emulator.
primary domain controller (PDC): See PDC emulator.
principal: See security principal.
read permission: Authorization to read an attribute of an object. For more information, see [MS-ADTS] section 5.1.3.
Recycle Bin: An optional feature that modifies the state model of object deletions and undeletions, making undeletion of deleted-objects possible without loss of the object's attribute values. For more information, refer to [MS-ADTS] section 126.96.36.199.1.
recycled-object: An object that has been deleted, but that remains in storage until a configured amount of time (the tombstone lifetime) has passed, after which the object is permanently removed from storage. Unlike a deleted-object, most of the state of the object has been removed, and the object may no longer be undeleted without loss of information. By keeping the recycled-object in existence for the tombstone lifetime, the deleted state of the object is able to replicate. Recycled-objects exist only when the Recycle Binoptional feature is enabled.
relative distinguished name (RDN): The name of an object relative to its parent. This is the leftmost attribute-value pair in the DN of an object. For example, in the DN "cn=Peter Houston, ou=NTDEV, dc=microsoft, dc=com", the RDN is "cn=Peter Houston".
relative identifier (RID): The last item in the series of subauthority values in a SID (see [MS-DTYP] section 2.4.2). Differences in the RID are what distinguish the different SIDs generated within a domain.
replicated attribute: An attribute whose values are replicated. See replication.
replicated update: An update performed to an NC replica by the replication system to propagate the effect of an originating update at another NC replica. The stamp assigned during the originating update to an attribute or a link value is preserved by replication.
replication: The process of propagating the effects of all originating writes, to any replica of an NC, to all replicas of the NC. If originating writes cease and replication continues, all replicas converge to a common application-visible state.
replication cycle: See cycle.
replication epoch: A state variable of a DC that changes when a DC is no longer compatible for replication with its former partners. A server receiving a replication request tests the client's replication epoch against its own, and refuses the request if the two are not equal.
RID allocation pool: The set of RIDs that a domain NC replica can assign to new objects having the objectSid attribute without obtaining more RIDs from the domain NC's RID available pool. See relative identifier (RID), objectSid.
RID available pool: The set of RIDs for a domain NC that have not been assigned to the RID allocation pool of any replica of the NC. The RID available pool is represented by the values of attributes within the domain NC's RID Master FSMO role.
root domain: See forest root domain NC.
RPC protocol sequence: A character string that represents a valid combination of an RPC protocol, a network layer protocol, and a transport layer protocol. For example, the protocol sequence NCACN_IP_TCP describes a Network Computing Architecture (NCA) connection over the Internet Protocol (IP) with a Transmission Control Protocol (TCP) as transport. For more information, see [C706] and [MS-RPCE] section 2.1.
RPC session key: See session key.
salt: An additional random quantity, specified as input to an encryption function, that is used to increase the strength of the encryption.
schema naming context (schema NC): A specific type of NC that contains schemaobjects representing the schema. A forest has a single schema NC, which is replicated to each DC in the forest. Each attribute and class in the forest'sschema is represented as a corresponding object in the forest'sschema NC.
security context: A data structure containing authorization information for a particular security principal in the form of a collection of SIDs. One SID identifies the principal specifically, whereas others may represent other capabilities. A server uses the authorization information in a security context to check access to requested resources.
security descriptor: A data structure containing the security information associated with a securable entity, such as an object. A security descriptor identifies an object's owner by SID. If access control is configured for the object, its security descriptor contains a discretionary access control list (DACL) with SIDs for the security principals who are allowed or denied access. The security descriptor format is specified in [MS-DTYP] section 2.4.6; a string representation of security descriptors, called SDDL, is specified in [MS-DTYP] section 2.5.1.
security identifier (SID): An identifier for a security principal object. The SID is composed of an account authority portion and an integer representing an identity relative to the account authority, termed the RID. The SID format is specified in [MS-DTYP] section 2.4.2; a string representation of a SID is specified in [MS-WSO] section 188.8.131.52.3. See relative identifier (RID).
security principal object: An object that corresponds to a security principal. A security principal object contains an identifier, used by the system and applications to name the principal, and a secret shared only by the principal. In Active Directory, a security principal object is identified by the objectSidattribute. In Active Directory, the domainDNS, user, computer, and group classes are examples of security principal objectclasses (though not every group object is a security principal object). See domainDNS, objectSid, computer object, group object, user object.
server object: A class of object in the config NC. A server object can have a DSA object as a child.
service account object: The security principal object that corresponds to the principal running a service. For a typical service (including some configurations of an AD LDS DC), this is a user object; for a service running as Local System or Network Service (including all AD DS DCs and the default configuration of an AD LDS DC), this is the computer object of the computer.
service class: The first part of a service principal name. See [MS-KILE] section 184.108.40.206.
service principal name (SPN): The name a client uses to identify a service for mutual authentication. (For more information, see [RFC1964] section 2.1.1.) An SPN consists of either two parts or three parts, each separated by a forward slash ('/'). The first part is the service class, the second part is the instance name, and the third part (if present) is the service name. For example, "ldap/dc-01.fabrikam.com/fabrikam.com" is a three-part SPN where "ldap" is the service class name, "dc-01.fabrikam.com" is the instance name, and "fabrikam.com" is the service name.
session key: A cryptographic key negotiated by the client and the server side based on a shared secret.
SHA1 hash: A hashing algorithm defined in [FIPS180] that was developed by the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA).
site: A collection of one or more well-connected (reliable and fast) TCP/IP subnets. By defining sites (represented by site objects), an administrator can optimize both Active Directory access and Active Directoryreplication with respect to the physical network. When a user logs in, an Active Directory client finds a DC that is in the same site as the client, or near the same site if there is no DC in the site. See Knowledge Consistency Checker (KCC), site object.
site object: An object of classsite, representing a site.
stamp: Information describing an originating update by a DC. The stamp is not the new data value; the stamp is information about the update that created the new data value. A stamp is often called metadata, because it is additional information that "talks about" the actual data values.
STATUS code: A 32-bit quantity where zero represents success and nonzero represents failure. The specific failure codes used in this specification are Windows error codes.
target object: An object referenced by a forward link value.
subordinate reference object (sub-ref object): The NC root of a parentNC has a list of all the NC roots of its childNCs in the subRefs attribute. Each entry in this list is a subordinate reference and the object named by the entry is denominated a subordinate reference object. An object is a subordinate reference object if and only if it is in such a list. If a server has replicas of both an NC and its childNC, then the childNC root is the subordinate reference object, in the context of the parentNC. If the server does not have a replica of the childNC, then another object, with distinguishedName and objectGUID attributes equal to the childNC root, is present in the server and is the subordinate reference object.
tombstone: An object that has been deleted, but remains in storage until a configured amount of time (the tombstone lifetime) has passed, after which the object is permanently removed from storage. By keeping the tombstone in existence for the tombstone lifetime, the deleted state of the object is able to replicate. Tombstones exist only when the Recycle Binoptional feature is not enabled.
tombstone lifetime: The amount of time that a tombstone or recycled-object is kept in storage before it is permanently deleted.
Unicode: An industry standard representation for text and symbols from the world's writing systems. UTF-16 is a 16-bit, variable-width encoding of Unicode; UTF-8 is an 8-bit, variable-width encoding.
universal group: An Active Directory group that allows user objects, global groups, and universal groups from anywhere in the forest as members. A group objectG is a universal group if GROUP_TYPE_UNIVERSAL_GROUP is present in G's groupTypeattribute. A universal group contributes to the creation of security contexts if GROUP_TYPE_SECURITY_ENABLED is present in G's groupTypeattribute; in this case, the group is valid for inclusion within ACLs anywhere in the forest.
universally unique identifier (UUID): See GUID.
up-to-date vector: The representation of an assertion about the presence of originating updates from different sources in an NC replica. See replication cycle and update sequence number (USN).
update: An add, modify, or delete of one or more objects or attribute values. See originating update, replicated update.
user object: An object of classuser. A user object is a security principal object; the principal is a person or service entity. The shared secret allows the person or service entity to authenticate itself.
well-known endpoint: A network-specific address that is known between client and server instances. See also Endpoint. For more information, see [C706].
Windows error code: A 32-bit quantity where zero represents success and nonzero represents failure. Specific failure codes are documented in [MS-ERREF].
MAY, SHOULD, MUST, SHOULD NOT, MUST NOT: These terms (in all caps) are used as specified in [RFC2119]. All statements of optional behavior use either MAY, SHOULD, or SHOULD NOT.