The following terms are defined in [MS-GLOS]:
Distinguished Name (DN)
Domain Controller (DC)
Domain Member (member machine)
Domain Naming Context (domain NC)
Domain Name System (DNS)
Fully Qualified Domain Name (FQDN) (1) (2)
Lightweight Directory Access Protocol (LDAP)
Naming Context (NC)
Read-Only Domain Controller (RODC)
Security Account Manager (SAM) built-in database
Security Identifier (SID)
Server Message Block (SMB)
Service Resource Record (SRV)
The following terms are defined in [MS-ADTS]:
Active Directory Domain Services (AD DS)
Active Directory Lightweight Directory Services (AD LDS)
Filtered Attribute Set
The following terms are defined in [MS-NRPC]:
The following terms are specific to this document:
Account: A synonym for security principal or principal.
Account Database: The portion of the directory that maintains the accounts for the principals of the domain. In Windows NT-4 style domains, the account database includes all information in the NT domain; in AD-style domains, the account database contains a subset of the entire LDAP-accessible directory the AD-style domain hosts.
AD-Style Domain: A domain comprising Windows 2000 Server, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2 server computers. AD-style domains implement Active Directory (AD), LDAP, Kerberos authentication, and advanced configurations and features not supported in NT 4-style domains.
Client: Synonym for client computer.
Client Computer: A computer that is not a domain controller server; the computer may or may not be joined to a domain.
directory string: A string syntax specified in [RFC2252] section 6.10.
Domain Client: A client computer that is joined to a domain. The domain client can be a client or a server that offers other services to its clients. When the domain client acts as a supplicant to another domain client, the supplicant is referred to as a domain client in a workstation role and the latter as a domain client in a server role.
Domain Client in a Workstation Role: A domain member that acts as a supplicant to another domain client.
Domain Client in a Server Role: A domain member that offers other services to other domain clients.
Domain Controller Server: A synonym for domain controller.
Identity: An account that represents a person (user account), an application (service account), and computers that participate in the domain (machine accounts). A password is used by the system as proof of an identity.
Member Server: A server that is joined to a domain and is not a domain controller. Member servers typically function as file servers, application servers, and so on and defer user authentication to the domain controller.
Predefined Account: A machine account created in the directory by a domain administrator before a machine is associated with the account during domain join (see section 6).
Principal: A synonym of security principal.
Server: A domain controller. Used as a synonym for domain controller in this document.
Single Sign-On: A process that enables a user with a domain account to log on to a network once and gain access to all network resources.
Security Principal: An entity associated with a human user or a program that can be authenticated. At a minimum, it has two basic attributes, a name and an identifier, that uniquely identify it and make it meaningful to the system, administrators, and users. A security principal is also known as a principal or an account.
Trusted Third Party: A trusted third party issues signed statements to stated parties enabling those stated parties to act on another identity's behalf for a certain amount of time. It is trusted to perform a set of specialized functions, such as a security token service that provides authentication and single sign-on services to Web services. ([MSDN-SUBSYSDSGN]). As a trusted authentication service on the network, this service knows all passwords and can grant access to any server. It is convenient, but also the single point of failure and requires a high level of physical security. For the Kerberos authentication protocol, the trusted third party arbitrator is a server known as a Key Distribution Center (KDC) which runs the Kerberos daemons.
Windows NT-4 Style Domain: A domain composed of Windows NT 4.0 servers with an account database that includes all the information in the domain. Windows NT 4.0 style domains do not implement Active Directory (AD), LDAP directories, or Kerberos authentication.
MAY, SHOULD, MUST, SHOULD NOT, MUST NOT: These terms (in all caps) are used as described in [RFC2119]. Note that in [RFC2119] terms, most of these specifications should be imperative, to ensure interoperability. All statements of optional behavior use either MAY, SHOULD, or SHOULD NOT.
Any specification that does not explicitly use one of these terms is mandatory, exactly as if it used MUST.