20 S

SAD: See security association database (SAD).

salt: An additional random quantity, specified as input to an encryption function that is used to increase the strength of the encryption.

sanitized name: The form of a certification authority (CA) name that is used in file names (such as for a certificate revocation list; see [MSFT-CRL] for more information) and in other contexts where character sets are restricted. The process of sanitizing the CA name is necessary to remove characters that are illegal for file names, registry key names, or distinguished name (DN) values, or that are illegal for technology-specific reasons.

SASL: The Simple Authentication and Security Layer, as specified in [RFC2222]. This is an authentication mechanism used by Lightweight Directory Access Protocol (LDAP).

schedule: The frequency at which data replicates.

schema: The set of attributes and object classes that govern the creation and update of objects.

schema container: The root object of the schema NC.

schema naming context (schema NC): A specific type of naming context (NC) or an instance of that type. A forest has a single schema NC, which is replicated to each domain controller (DC) in the forest. No other NC replicas can contain these objects. Each attribute and class in the forest's schema is represented as a corresponding object in the forest's schema NC.

schema object: An object that defines an attribute or an object class. Schema objects are contained in the schema naming context (NC).

scope of management (SOM): An Active Directory directory service site, domain, or organizational unit container. These containers contain user and computer accounts that can be managed through Group Policy. These SOMs are themselves associated with Group Policy objects (GPOs), and the accounts within them are considered by the Group Policy Protocol [MS-GPOL] to inherit that association.

scoped Group Policy object (GPO) distinguished name (DN): A Group Policy object (GPO) distinguished name (DN) where the set of "CN=<cn>" elements is prepended with "CN=User" for the user policy mode of Policy Application and with "CN=Machine" for computer policy mode.

scoped Group Policy object (GPO) path: A Group Policy object (GPO) path appended with "\User" for the user policy mode of policy application, and "\Machine" for the computer policy mode.

screen coordinates: Coordinates relative to the top-left corner of the screen, which is at (0,0).

SCSI logical unit number (LUN): See logical unit number (LUN).

SCSI port number: A number that uniquely identifies a port on a small computer system interface (SCSI) disk controller. Each SCSI disk controller may support multiple SCSI bus attachments or ports for connecting SCSI devices to a computer.

SD: See security descriptor.

secret key: A symmetric encryption key shared by two entities, such as between a user and the domain controller (DC), with a long lifetime. A password is a common example of a secret key. When used in a context that implies Kerberos only, a principal's secret key.

secret object: An element of the Local Security Authority (LSA) Policy Database, which contains a value that is secret in that access to it is strictly controlled through cryptographic protections and restrictive access control mechanisms.

sector: The smallest addressable unit of a disk.

secure channel: An authenticated remote procedure call (RPC) connection between two machines in a domain with an established security context used for signing and encrypting RPC packets.

secure desktop: Only trusted processes running as SYSTEM are allowed to run on the secure desktop.

Secure/Multipurpose Internet Mail Extensions (S/MIME): A standard for encrypted and digitally signed electronic mail that allows users to send encrypted messages and authenticate received messages.

Secure Sockets Layer (SSL): A security protocol that supports confidentiality and integrity of messages in client and server applications communicating over open networks. SSL uses two keys to encrypt data—a public key known to everyone and a private or secret key known only to the recipient of the message. SSL supports server and, optionally, client authentication using X.509 certificates (for more information, see [X509]). The SSL protocol is precursor to Transport Layer Security (TLS). The TLS version 1.0 specification is based on SSL version 3.0.

security account manager (SAM) built-in database: A Microsoft-specific terminology for the part of the user account database containing account information (such as account names and passwords) for accounts and groups pre-created at the database installation.

security association (SA): A simplex "connection" that provides security services to the traffic carried by it. See [RFC4301] for more information.

security association database (SAD): A database containing parameters that are associated with each established (keyed) security association.

security context: (1) An abstract data structure containing authorization information for a particular security principal in the form of a collection of security identifiers (SIDs). One SID identifies the principal specifically, whereas others may represent other capabilities. A server uses the authorization information in a security context to check access to requested resources.

(2) An association of mutually established cryptographic keys with a key identifier.

security descriptor: A data structure containing the security information associated with a securable object. A security descriptor identifies an object's owner by its security identifier (SID).

If access control is configured for the object, its security descriptor contains a discretionary access control list (DACL) with SIDs for the security principals who are allowed or denied access. Applications use this structure to set and query an object's security status. The security descriptor is used to guard access to an object as well as control which type of auditing takes place when the object is accessed.

security identifier (SID): An identifier for security principals in Windows that is used to identify an account. Conceptually, the SID is composed of an account authority portion (typically a domain) and a smaller integer representing an identity relative to the account authority, termed the reference identifier (RID). The SID data type is defined in [MS-DTYP] section 2.4.2. For more information, see [MS-SECO].

security policy: In the form of a collection of security policy settings, the policy itself is an expression of administrative intent regarding how computers and resources on their network should be secured.

security policy database (SPD): A database specifying the policies that determine the disposition of all IP traffic inbound or outbound from a host or security gateway.

security policy settings: Contained in security policies, the policy settings are the actual expression of how various security-related parameters on the computer are to be configured.

security principal: (1) A unique entity identifiable through cryptographic means by at least one key. A security principal often corresponds to a human user but can also be a service offering a resource to other security principals. Sometimes referred to simply as a "principal."

(2) An identity that can be used to regulate access to resources, as specified in [MS-SECO]. A security principal can be a user, a computer, or a group that represents a set of users.

security principal name (SPN): The name identifying a security principal (for example, machinename$@domainname for a machine joined to a domain or username@domainname for a user). Domainname is resolved using the Domain Name System (DNS).

security principal object: An object that corresponds to a security principal. A security principal object contains an identifier, used by the system and applications to name the principal, and a secret shared only by the principal. In the Active Directory directory service, a security principal object has the objectSid attribute. In Active Directory, the user, computer, and group object classes are examples of security principal object classes (though not every group object is a security principal object).

security protocol: A protocol that performs authentication and possibly additional security services on a network.

security provider: A pluggable security module that is specified by the protocol layer above remote procedure call (RPC), and will cause RPC to use this module to secure messages in a communication session with the server. Sometimes referred to as an authentication service. For more information, see [C706] and [MS-RPCE].

security support provider (SSP): A dynamic-link library (DLL) that implements the Security Support Provider Interface (SSPI) by making one or more security packages available to applications. Each security package provides mappings between an application's SSPI function calls and an actual security model's functions. Security packages support security protocols such as Kerberos authentication and the Microsoft LAN Manager.

Security Support Provider Interface (SSPI): A Windows-specific API implementation that provides the means for connected applications to call one of several security providers to establish authenticated connections and to exchange data securely over those connections. This is the Windows equivalent of Generic Security Services (GSS)-API, and the two families of APIs are on-the-wire compatible.

security token: An opaque message or data packet produced by a Generic Security Services (GSS)-style authentication package, and carried by the application protocol. The application has no visibility into the contents of the token.

seed file or seed data: A file or files on the client used to supply data for reconstructing the source file. Remote differential compression (RDC) may use an arbitrary number of seed files in the process of copying a single source file. Sometimes called just "seed." Selecting seed files is implementation specific, but can be guided by using similarity traits.

selective single master: Replication mode, where changes from only a single machine propagate to other machines.

self-signed certificate: A certificate that is signed by its creator and verified using the public key contained in it. Such certificates are also termed root certificates.

semisynchronous operation: An operation executed on the server side while the client is regularly checking if there is no response available from the server.

sequence ID: A monotonically increasing 8-bit identifier for packets. This is typically represented as a field named bSeq in packet structures.

serial storage architecture (SSA) bus: Serial storage architecture (SSA) is a standard for high-speed access to high-capacity disk storage. An SSA bus is implemented to the SSA standard.

serialize: The process of taking an in-memory data structure, flat or otherwise, and turning it into a flat stream of bytes. See also, marshal.

server: (1) A computer on which the remote procedure call (RPC) server is executing.

(2) A replicating machine that sends replicated files to a partner (client). The term "server" alludes to the machine acting in response to requests from partners that want to receive replicated files.

server authentication: A mode of authentication in which only the server in the transaction proves its identity.

server challenge: A 64-bit nonce generated on the server side.

server Group Policy object (GPO) distinguished name (DN): A Group Policy object (GPO) distinguished name (DN) that uses a specific server in the Lightweight Directory Access Protocol (LDAP) path syntax, as specified in [RFC2251], where the server name is a domain controller (DC) that is located as specified in [MS-NRPC] section

server Group Policy object (GPO) path: A Group Policy object (GPO) path in which the Distributed File System (DFS) path contains a server name in the Distributed File System (DFS) path syntax and where the server name is a domain controller (DC).

server locator: Enables exporting of entries to remote procedure call (RPC) name service.

Server Message Block (SMB): A protocol used to request file and print services from server systems over a network. The SMB protocol extends the CIFS protocol with additional security, file, and disk management support. For more information, see [CIFS] and [MS-SMB].

Note  Whenever SMB is indicated, SMB2 can also be included (unless otherwise stated).

server object: A class of object in the Config NC. A server object can have an nTDSDSA object as a child.

server role: The state of a domain controller (DC), which can be one of two values—primary DC or backup DC.

server-scoped Group Policy object (GPO) distinguished name (DN): A Scoped Group Policy object (GPO) distinguished name (DN) with a server name included in the path, as is the case for a Server GPO DN.

server-scoped Group Policy object (GPO) path: A Group Policy object (GPO) path with a server name included in the path, as is the case for a Server GPO Path.

service: A process or agent available on the network, offering resources or services for clients. Examples of services include file servers, Web servers, and so on.

service account: A stored set of attributes representing a principal that provides a security context for services.

Service for User (S4U): Microsoft-specific extensions to the Kerberos protocol to allow a service to obtain a Kerberos service ticket for a user that has not authenticated to the key distribution center (KDC). S4U includes S4U2proxy and S4U2self.

Service for User to Proxy (S4U2proxy): An extension that allows a service to obtain a service ticket on behalf of a user to a different service.

Service for User to Self (S4U2self): An extension that allows a service to obtain a Kerberos service ticket to itself. The service ticket contains the user's groups and can therefore be used in authorization decisions.

service principal: An entity that represents a service at the key distribution center (KDC). The service principal has a name and an associated key. A subclass of principal, a service principal generally does not correspond to a human user of the system, but rather to an automated service providing a resource, such as a file server.

service principal name (SPN): The name by which a client uniquely identifies an instance of a service for mutual authentication. See [SPNNAMES] for more information about SPN format and composing a unique SPN. Also see [RFC1964], section 2.1.1.

service provider: A module that abstracts details of underlying transports for generic DirectPlay message transmission. Each DirectPlay message is transmitted by a DirectPlay service provider. The service providers that shipped with DirectPlay 4 are modem, serial, IPX, and TCP/IP.

service (SRV) resource record: A domain name system (DNS) resource record used to identify computers that host specific services, as specified in [RFC2782]. SRV resource records are used to locate domain controllers (DCs) for Active Directory.

service set identifier (SSID): A sequence of characters that names a wireless local area network (WLAN).

service ticket: A ticket for any service other than the ticket granting service (TGS). A service ticket serves only to classify a ticket as not a ticket-granting ticket (TGT) or cross-realm TGT, as specified in [RFC4120].


  1. In Kerberos, an active communication channel established through Kerberos that also has an associated cryptographic key, message counters, and other state.
  2. In Server Message Block (SMB), a persistent-state association between an SMB client and SMB server. A session is tied to the lifetime of the underlying NetBIOS or TCP connection.
  3. In Challenge-Handshake Authentication Protocol (CHAP), a session is a lasting connection between a peer and an authenticator.
  4. In the Workstation service, an authenticated connection between two computers.
  5. An active communication channel established through NT LAN Manager (NTLM), that also has an associated cryptographic key, message counters, and other state.
  6. In OleTx, a transport-level connection between a Transaction Manager and another Distributed Transaction participant over which multiplexed logical connections and messages flow. A session remains active so long as there are logical connections using it.

session key: A relatively short-lived symmetric key. (A cryptographic key negotiated by the client and the server based on a shared secret.) A session key's lifespan is bounded by the session to which it is associated. A session key should be strong enough to withstand cryptanalysis for the lifespan of the session.

session layer: The fifth layer in the Open Systems Interconnect (OSI) architectural model as defined by the International Organization for Standardization (ISO). The session layer is used for establishing a communication session, implementing security, and performing authentication. The session layer responds to service requests from the presentation layer and issues service requests to the transport layer.

Session Multiplex Protocol (SMUX): An entity on a network that implements the Secure Socket Tunneling Protocol (SSTP) and that listens for Secure Socket Tunneling Protocol (SSTP) connections over TCP port 443.

session security: The provision of message integrity and/or confidentiality to a session.

SHA-1 hash: A hashing algorithm as specified in [FIPS180-2] that was developed by the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA).

shadow copy: A duplicate of data held on a volume at a well-defined instant in time.

share: A resource offered by a Common Internet File System (CIFS) server for access by CIFS clients over the network. A share typically represents a directory tree and its included files (referred to commonly as a "disk share" or "file share") or a printer (a "print share"). If the information about the share is saved in persistent store (for example, Windows registry) and reloaded when a file server is restarted, then the share is referred to as a "sticky share." Some share names are reserved for specific functions and are referred to as special shares:

  • IPC$, reserved for interprocess communication.
  • ADMIN$, reserved for remote administration.
  • A$, B$, C$ (and other local disk names followed by a dollar sign), assigned to local disk devices

share connect: The act of establishing authentication and shared state between a Common Internet File System (CIFS) server and client that allows a CIFS client to access a share offered by the CIFS server.

shell: Part of the Windows user interface (UI) that organizes and controls user access to a wide variety of objects necessary for running applications and managing the operating system. The most numerous are the folders and files that reside on computer storage media. There are also a number of virtual objects such as network printers and other computers. The shell organizes these objects into a hierarchical namespace, and provides an API to access them.

shell link: A data object that contains information used to access another object in the Shell's namespace—that is, any object visible through Windows Explorer. The types of objects that can be accessed through shell links include files, folders, disk drives, and printers. A shell link allows an application to access an object from anywhere in the namespace. The application does not need to know the current name and location of the object.

shell shortcut: A shell link that has a shortcut icon; however, the terms shell link and shell shortcut are often used interchangeably.

SID: See security identifier.

signal: In OleTx, the act of communicating an event between facets inside a transaction manager.

signature: A structure containing a hash and block chunk size. The hash field is 16 bytes, and the chunk size field is a 2 byte unsigned integer.

signature file: A file containing the signatures of another (source) file. There is a simple header that identifies the type of the file as a signature file, the size of the header itself, and the remote differential compression (RDC) library version number. Following the header are the signatures from the source file in the order they are generated from the chunks.

signing certificates: The certificate that represents the identity of an entity (for example, a certificate authority (CA), a Web server or an S/MIME mail author) and is used to verify signatures made by the private key of that entity. For more information, see [RFC3280].

similarity data: Information about a file that can be used to determine an appropriate seed file to select to reduce the amount of data transferred. Similarity data can be computed in any implementation-specific way.

similarity traits: Similarity data consists of one or more traits. Each trait summarizes an independent feature of a file. The features are computed by taking min-wise independent hash functions of a file's signatures. Similarity traits are used in selecting seed files.

Simple and Protected GSS-API Negotiation Mechanism (SPNEGO): An authentication mechanism that allows Generic Security Services (GSS) peers to determine whether their credentials support a common set of GSS-API security mechanisms, to negotiate different options within a given security mechanism or different options from several security mechanisms, to select a service, and to establish a security context among themselves using that service. SPNEGO is specified in [RFC4178].

Simple Mail Transfer Protocol (SMTP): A TCP/IP protocol used in sending and receiving e-mail.

simple volume: A volume whose data exists on a single partition.

single-instance storage (SIS): An NTFS feature that implements links with the semantics of copies for files stored on an NTFS volume. SIS uses copy-on-close to implement the copy semantics of its links.

single-phase commit: An optimization of the Two-Phase Commit Protocol in which a transaction manager delegates the right to decide the outcome of a transaction to its only subordinate participant. This optimization can result in an In Doubt outcome.

site: An Active Directory directory service term that defines a set of one or more TCP/IP subnets, where the subnets have high connectivity, as measured in terms of latency (low) and bandwidth (high). By defining sites (represented by site objects) an administrator can easily configure Active Directory access and replication topology to take advantage of the physical network. When users log on, Active Directory clients find domain controllers (DCs) that are in the same site as the user or are near the same site if there is no DC in the site. For more information, see [MS-ADTS].

site coverage: The set of sites for which a domain controller (DC) is responsible, as configured by the administrator.

site distinguished name (DN): The distinguished name for an object in Active Directory directory service that represents a site.

site object: An object of class site, representing a site.

site of domain controller (DC): The site object that is an ancestor of the DC's nTDSDSA object.

site settings object: For a given site with site object s, its site settings object o is the child of s such that o is of class nTDSSiteSettings and the RDN of o is CN=NTDS site settings.

SKU: See Stock Keeping Unit (SKU).

slow sync: The nominator for a synchronization sub-protocol used to perform a consistency check between the databases of two partners.

small computer system interface (SCSI) bus: A standard for connecting peripheral devices to a computer. A SCSI bus is an implementation of this standard.

smart card: A portable device that is shaped like a business card and is embedded with a memory chip and either a microprocessor or some non-programmable logic. Smart cards are often used as authentication tokens and for secure key storage. Smart cards used for secure key storage have the ability to perform cryptographic operations with the stored key without allowing the key itself to be read or otherwise extracted from the card.

SMB connection: A raw transport connection between a Server Message Block (SMB) client and SMB server. The SMB connection is assumed to provide reliable in-order message delivery semantics. An SMB connection can be established over any available SMB transport supported by both the SMB client and the SMB server. An SMB connection is sometimes referred to as a Virtual Connection, as specified in [CIFS].

SMB dialect: There are several different versions and subversions of the Server Message Block (SMB) Protocol. A particular version of the SMB protocol is referred to as an SMB dialect. Different SMB dialects can include both new SMB messages as well as changes to the fields and semantics of existing SMB messages used in other SMB dialects. When an SMB client connects to an SMB server, the client and server negotiate the SMB dialect to be used.

SMB session: An authenticated user connection established between an SMB client and an SMB server over an SMB connection. There can be multiple active SMB sessions over a single SMB connection. The Uid field in the SMB packet header distinguishes the various sessions.

SMTP: See Simple Mail Transfer Protocol (SMTP).

snapshot: The point in time at which a shadow copy of a volume is made.

SOAP: A lightweight protocol for exchanging structured information in a decentralized, distributed environment. SOAP uses XML technologies to define an extensible messaging framework, which provides a message construct that can be exchanged over a variety of underlying protocols. The framework has been designed to be independent of any particular programming model and other implementation-specific semantics.

SOAP action: The HTTP request header field used to indicate the intent of the SOAP request, using a URI value.

SOAP body: A container for the payload data being delivered by a SOAP message to its recipient.

SOAP envelope: A container for SOAP message information and the root element of a SOAP document.

SOAP fault: A container for error and status information within a SOAP message.

SOAP fault code: The algorithmic mechanism for identifying a SOAP fault.

SOAP fault detail: A string containing a human-readable explanation of a SOAP fault, which is not intended for algorithmic processing.

SOAP header: A mechanism for implementing extensions to a SOAP message in a decentralized manner without prior agreement between the communicating parties.

SOAP header block: The XML block containing the SOAP header entries within a SOAP header.

SOAP message: An XML document consisting of a mandatory SOAP envelope, an optional SOAP header, and a mandatory SOAP body.

SOAP mustUnderstand attribute: A global, Boolean attribute that is used to indicate whether a header entry is mandatory or optional for the recipient to process.

software installation package: A file that describes other files and metadata necessary to describe an application's executable files and state and to install that application. Also referred to as a "package."

software installation package modification: A file that allows an administrator to specify configuration for an application that is installed on the client through a software installation package.

software maintenance utility: An application that allows users to perform software management activities such as installation, uninstallation, or inventory of applications available through the software installation extension.

software package container distinguished name (DN): A DN of the form "CN=Packages,<ClassStore>" where <ClassStore> is a Class Store Container DN.

software package distinguished name (DN): A DN of the form "CN=<SoftwarePackageId>,CN=Packages,<ClassStore>", where <ClassStore> is a Class Store Container DN and <SoftwarePackageId> is a Curly Braced GUID String.

software scripts path: A file system path to a directory with a path of the form "<ScopedGPOPath>\Applications", where <ScopedGPOPath> is a Scoped GPO path.

source file, source data: A file on a server that is to be copied by remote differential compression (RDC). Sometimes referred to as "source."

sparse file: A file that has regions of data containing all zeros and in which some of the zero regions do not have disk space allocated for them.

SPD: See security policy database.

SPN: See service principal name.

spool file: A representation of application content data than can be processed by a print driver. Common examples are enhanced metafile format and XML paper specification. For more information, see [MSDN-META] and [MSDN-XMLP].

SSL: See Secure Sockets Layer (SSL).

SSL/TLS handshake: The process of negotiating and establishing a connection protected by SSL or TLS. For more information, see [SSL3] and [RFC2246].

staging file: The backup of the changed file or folder. It encapsulates the data and attributes associated with a replicated file or folder. By creating the staging file, File Replication Service (FRS) ensures that file data can be supplied to partners regardless of any activity that might prevent access to the original file. The staging files can be compressed to save disk space and network bandwidth during replication.

stamp: Information describing an originating update by a domain controller (DC). The stamp is not the new data value; the stamp is information about the update that created the new data value. A stamp is often called metadata, because it is additional information that "talks about" the conventional data values. A stamp contains the following pieces of information: the unique identifier of the DC that made the originating update, a sequence number characterizing the order of this change relative to other changes made at the originating DC, a version number identifying the number of times the data value has been modified, and the time when the change occurred.

standalone CA: A certificate authority (CA) that is not a member of a domain. For more information, see [MSFT-PKI].

standalone machine: A machine that is not a domain member or a domain controller (DC).

standard user: A user that does not have administrative rights defined in its token and is a member of the users group. Users are prevented from making accidental or intentional system-wide changes but can perform normal daily computer tasks.

state machine: A model of computing behavior composed of a specified number of states, transitions between those states, and actions to be taken. A state stores information about past transactions as it reflects input changes from the startup of the system to the present moment. A transition (such as connecting a network share) indicates a state change and is described by a condition that would need to be fulfilled to enable the transition. An action is a description of an activity that is to be performed at a given moment.

There are several action types:

  • Entry action: Performed when entering the state.
  • Exit action: Performed when exiting the state.
  • Input action: Performed based on the present state, and input conditions.
  • Transition action: Performed when executing a certain state transition.

statement of health (SoH): A collection of data generated by a system health entity, as specified in [MS-SOH], which defines the health state of a machine. The data is interpreted by a Health Policy Server, which determines whether the machine is healthy or unhealthy according to the policies defined by an administrator.

statement of health (SoH) client: A synonym for system health entity.

statement of health response (SoHR): A collection of data that represents the evaluation of the statement of health (SoH) according to network policies, as specified in [MS-SOH].

station (STA): Any device that contains an IEEE 802.11 conformant medium access control and physical layer (PHY) interface to the wireless medium (WM).

station management entity (SME): In general, a station management entity (SME) is regarded as responsible for functions such as the gathering of layer-dependent status from the various layer management entities and setting the value of layer-specific parameters. An SME would typically perform such functions on behalf of general system management entities and would implement standard management protocols.

Stock Keeping Unit (SKU): A unique code that refers to a particular manufactured object or source of revenue. An SKU can refer to a retail product (software in a box that is sold through a channel), a subscription program (such as MSDN), or an online service (such as MSN).

Stored Procedure: A function/method that predefines a set of T-SQL commands that resides in a database server and is available to be called by client applications.

StoreMaster: The single agent responsible for performing certain updates to file-link information stored in VolumeTable and FileTable within an Active Directory Table (ADT). For more information on VolumeTable and FileTable, see [MSDLT].

stream: A sequence of bytes written to a file on the NTFS file system. Every file stored on a volume that uses the NTFS file system contains at least one stream, which is normally used to store the primary contents of the file. Additional streams within the file may be used to store file attributes, application parameters, or other information specific to that file. Every file has a default data stream, which is unnamed by default. That data stream, and any other data stream associated with a file, may optionally be named.

strict NDR/NDR64 data consistency check: A set of related rules for data validation during processing of an octet stream.

structural class: See Structural Object Class.

structural object class: An object class that is not an 88 object class and can be instantiated to create a new object.

subkey: A child node in the logical tree of the hierarchical data store.

subnet site: The association of a site with a particular client, based on the client's IP address.

subordinate transaction manager: A role taken by a transaction manager that is responsible for voting on the outcome of an atomic transaction. A subordinate transaction manager coordinates the voting and notification of its subordinate participants on behalf of its superior transaction manager. When communicating with those subordinate participants, the subordinate transaction manager acts in the role of superior transaction manager. The root transaction manager is never a subordinate transaction manager. A subordinate transaction manager has exactly one superior transaction manager.

SubRequest: A request within a SYNC_VOLUME or SEARCH request.

successor channel: In the context of IN channel recycling or OUT channel recycling, the next IN channel or OUT channel in the sequence of channels forming a virtual IN channel or virtual OUT channel (N+1 where N represents the reference point in the sequence).

successor inbound proxy: An inbound proxy to which a successor channel is established.

successor outbound proxy: An outbound proxy to which a successor channel is established.

superclasses and subclasses: Types of common Information Model (CIM) classes. A subclass is derived from a superclass. The subclasses inherit all features of its superclass but can add new features or redefine existing ones. A superclass is the CIM class from which a CIM class inherits.

superior transaction manager: A role taken by a transaction manager that is responsible for gathering outcome votes and providing the final transaction outcome. A root transaction manager can act as a superior transaction manager to a number of subordinate transaction managers. A transaction manager can act as both a subordinate transaction manager and a superior transaction manager on the same transaction.

symmetric algorithm: A cryptographic algorithm that uses one secret key that may be shared between authorized parties. The key must be kept secret between communicating parties. The same key is used for both encryption and decryption. For an introduction to this concept and terminology, see section 1.5 in [CRYPTO], section 3 in [IEEE1363], and section 3.1 in [SP800-56A].

symmetric encryption: An encryption method that uses the same cryptographic key to encrypt and decrypt a given message.

symmetric key: A secret key used with a cryptographic symmetric algorithm. The key needs to be known to all communicating parties. For an introduction to this concept, see section 1.5 in [CRYPTO].

synchronous operation: An operation that is executed on the server side while the client is waiting for the response message.

syntax: See attribute syntax.

system access control list (SACL): An access control list (ACL) that controls the generation of audit messages for attempts to access a securable object. The ability to get or set an object's SACL is controlled by a privilege typically held only by system administrators.

system command: A message sent to a window or notification icon via its system menu, or via a keyboard shortcut. Common system commands include minimize, maximize, move, and so on.

system directory: A directory containing system files comprising the operating system.

system health entity: The entity on a machine that can generate a statement of health (SoH) for the machine and consume the corresponding statement of health response (SoHR).

System menu: See Window menu.

system partition: A partition that contains the boot loader needed to invoke the operating system on the boot partition. A system partition must also be an active partition. It can but is not required to be the same partition as the boot partition.

system volume (SYSVOL): A shared directory that stores the server copy of the domain's public files that must be shared for common access and replication throughout a domain.