DACL: See discretionary access control list (DACL).
Data Encryption Standard (DES): A specification for encryption of computer data that uses a 56-bit key developed by IBM and adopted by the U.S. government as a standard in 1976.
data recovery agent (DRA): A logical entity corresponding to an asymmetric key pair, which is configured as part of Encrypting File System (EFS) administrative policy by an administrator. Whenever an EFS file is created or modified, it is also automatically configured to give authorized access to all DRAs in effect at that time.
database: (1) For the purposes of the Netlogon RPC, a database is a collection of user accounts, machine accounts, aliases, groups, and policies, managed by a component. The database, or the component managing the database, must expose a mechanism to enable Netlogon to gather changes from and apply changes to the database. Additionally, it must export a database serial number in order to track changes for efficient replication.
(2) In Distributed File System Replication (DFS-R), the database maintained by Microsoft's implementation of DFS-R maintains the local version chain vector and one record for each resource that is tracked, including tombstones for deleted resources, such that deletion of files can be propagated in a timely fashion.
database object: A representation of a named set of attribute value pairs that a protocol exposes.
database serial number: A numeric value incremented each time a database transaction is applied to the database.
datagram: A style of communication offered by a network transport protocol where each message is contained within a single network packet. In this style, there is no requirement for establishing a session prior to communication, as opposed to a connection-oriented style.
DAV: See Distributed Authoring and Versioning.
DC: See domain controller.
DC in site x: A domain controller (DC) such that the site of the DC is x.
decryption: In cryptography, the process of transforming encrypted information to its original clear text form.
delta time: A negative FILETIME. It represents a period of time, expressed in a negative number of 100-nanosecond time slices. For example, a period of 20 minutes is represented as -12000000000.
deserialize: See unmarshal.
desktop switch: The act of switching from one user desktop to another, or to the Windows Secure Desktop.
device: Any peripheral or part of a computer system that can send or receive data.
device driver: The software that the system uses to communicate with a device such as a display, printer, mouse, or communications adapter. It is often referred to simply as a "driver."
DFS: See Distributed File System (DFS).
dictionary attack: A technique for defeating an authentication mechanism by systematically searching through a large number of possibilities to deduce shared secrets.
differentiated services code point (DSCP): A value in an IPv4 or IPv6 header used to select a particular set of quality-of-service behavior, as specified in [RFC2474] section 3.
digest: The fixed-length output string from a one-way hash function that takes a variable-length input string and is probabilistically unique for every different input string.
digital certificate: See the "digital certificate definition standard" as specified in [X509].
digital fingerprint: See hash function.
digital signature: (1) A message authenticator typically derived from a cryptographic operation using an asymmetric algorithm and private key. When a symmetric algorithm is used for this purpose, the authenticator is typically called a Message Authentication Code (MAC).
(2) A value generated using a digital signature algorithm, taking as input a private key and an arbitrary-length string, such that a particular verification algorithm is satisfied by the value, the input string, and the public key corresponding to the input private key. For more information, see [SCHNEIER], chapters 2 and 20.
directory: The database that stores information about objects such as users, groups, computers, printers, and the directory service that makes this information available to users and applications.
directory service (DS): A service that stores and organizes information about a computer network's users and network shares, and that allows network administrators to manage users' access to the shares.
DirectPlay: A network communication library included with the Microsoft DirectX application programming interfaces. DirectPlay is a high-level software interface between applications and communication services that makes it easy to connect games over the Internet, a modem link, or a network.
DirectPlay protocol: Refers to either the DirectPlay 4 or DirectPlay 8 protocol.
DirectPlay 4: A programming library that implements the IDirectPlay4 programming interface. DirectPlay 4 provides peer-to-peer session-layer services to applications, including session lifetime management, data management, and media abstraction. DirectPlay 4 first shipped with the DirectX 6 multimedia toolkit. Later versions continued to ship up to, and including, DirectX 9. DirectPlay 4 was subsequently deprecated. The DirectPlay 4 DLL continues to ship in current versions of Windows operating systems, but the development library is no longer shipping in Microsoft development tools and Software Development Kits (SDKs).
DirectPlay 4 protocol: The DirectPlay 4 protocol is used by multiplayer games to perform low latency communication between two or more computers.
DirectPlay 8: A programming library that implements the IDirectPlay8 programming interface. DirectPlay 8 provides peer-to-peer session-layer services to applications, including session lifetime management, data management, and media abstraction. DirectPlay 8 first shipped with the DirectX 8 software development toolkit. Later versions continued to ship up to, and including, DirectX 9. DirectPlay 8 was subsequently deprecated. The DirectPlay 8 DLL continues to ship in current versions of Windows operating systems, but the development library is no longer shipping in Microsoft development tools and Software Development Kits (SDKs).
DirectPlay 8 application: A software process that communicates with one or more software processes over a communications network by using the DirectPlay 8 family of protocols.
DirectPlay 8 client application: A DirectPlay 8 application seeking to connect to another DirectPlay 8 application that is hosting a DirectPlay 8 session. When connected, the actual communication between nodes in a DirectPlay 8 session may be client/server or peer to peer. The term "client" in this definition is meant to indicate the role that the DirectPlay 8 client application is taking in the host enumeration process, which is the DirectPlay 8 application that is seeking to find and connect to a host of a DirectPlay 8 session.
DirectPlay 8 Protocol: The DirectPlay 8 Protocol is used by multiplayer games to perform low latency communication between two or more computers.
DirectPlay 8 server application: A DirectPlay 8 application that is hosting a DirectPlay 8 session. When connected, the actual communication between nodes in a DirectPlay 8 session may be client/server or peer to peer. The term "server" in this definition is meant to indicate the role that the DirectPlay 8 server application is taking in the host enumeration process, which is the DirectPlay 8 application that is currently hosting a DirectPlay 8 session.
DirectPlay 8 service provider: A service provider that may be implemented on top of the DirectPlay 8 Protocol, as specified in the DirectPlay 8 Protocol: Core and Service Providers Specification. When a message is passed through for processing, the protocol interacts directly with the DirectPlay 8 Service Provider.
DirectPlay Name Server (DPNSVR): A forwarding service for enumeration requests that eliminates problems caused by conflicts between port usages for multiple DirectPlay applications.
DirectX: Microsoft DirectX is a collection of application programming interfaces for handling tasks related to multimedia, especially game programming and video, on Microsoft platforms.
DirectX Diagnostic (DXDiag): DXDiag.exe is a diagnostic utility included with Windows that is used to test Microsoft DirectX functionality, including DirectPlay traffic.
DirectX runtime: A set of libraries created for the family of Windows operating systems that provide interfaces to ease the development of video games.
DirectX Software Development Kit (DirectX SDK): A set of libraries, called the DirectX runtime, and supporting infrastructure for building applications for those libraries.
discretionary access control list (DACL): An access control list (ACL) that is controlled by the owner of an object and that specifies the access that particular users or groups can have to the object.
disk: A persistent storage device that can include physical hard disks, removable disk units, optical drive units, and logical unit numbers (LUNs) unmasked to the system.
disk adapter: Computer hardware that controls a disk.
disk adapter name: A string of characters returned by a disk adapter. This string of characters is provided by the vendor of the disk adapter and identifies the adapter make or model.
disk block: A logical unit consisting of a fixed number of contiguous sectors. Block sizes range from 512 bytes to several kilobytes.
disk controller: Computer hardware that controls a disk.
disk encapsulation: The process of converting a basic disk to a dynamic disk. Encapsulating a disk lays down disk metadata used for managing the disk dynamically.
disk extent: A contiguous set of one or more disk sectors. A disk extent may be used as a partition or part of a volume, or it may be free, which indicates that it is not in use, or that it may be unusable for creating partitions or volumes.
disk geometry: The disk's three-dimensional address space: a sector address consists of a cylinder number, the track number within the cylinder, and the sector number on that track.
disk group: In the context of dynamic disks, this term describes a logical grouping of disks.
disk group import: The act of merging a set of disks belonging to one disk group into another set of disks belonging to a second disk group. The result is a single disk group that includes all disks involved in the import.
disk group name: A unique string of characters used to identify a disk group.
Disk Management Remote Protocol: The protocol used to configure disks and volumes in Windows 2000 and Windows XP. For more information, see [MS-DMRP].
disk modification sequence number: See modification sequence number.
disk pack: See disk group.
disk platter: A circular disk on which magnetic data is stored. A hard disk drive consists of several platters mounted onto a spindle that spins the disks for a magnetic head to read and write.
disk regions: See disk extent.
disk signature: A unique identifier for a disk. For a master boot record (MBR)-formatted disk, this identifier is a 4-byte value stored at the end of the MBR, which is located in sector 0 on the disk. For a GUID partitioning table (GPT)-formatted disk, this value is a GUID stored in the GPT disk header at the beginning of the disk.
disk type: The bus type of a disk, which is hardware-specific. A disk can only communicate with the CPU using a bus of matching type. Examples of bus types include SCSI, USB, and 1394.
disk vendor name: A string of characters returned by a disk that identifies the disk maker.
distinguished name (DN): (1) A name that uniquely identifies an object by using the relative distinguished name (RDN) for the object, plus the names of container objects and domains that contain the object. The DN identifies the object as well as its location in a tree.
(3) In X.500, the globally unique name string that identifies an entity in an X.500 directory, as specified in [X500]. The DN consists of several components and is used in X.509 certificates to identify the subject and issuer principals, as specified in [X509].
(4) In Lightweight Directory Access Protocol (LDAP), an LDAP DN, as specified in [RFC2251]. The DN of an object is the DN of its parent, preceded by the RDN of the object. For example: CN=David Thompson, OU=Users, DC=Microsoft, DC=COM.
Distributed Authoring and Versioning (DAV): A series of extensions to HTTP that define how basic file functions such as copy, move, delete, and create folder are performed across HTTP.
Distributed Component Object Model (DCOM): The Microsoft Component Object Model (COM) specification that defines how components communicate over networks, as specified in [MS-DCOM].
Distributed File System (DFS): A file system that logically groups physical shared folders located on different servers by transparently connecting them to one or more hierarchical namespaces. DFS also provides fault-tolerance and load-sharing capabilities. DFS refers to the Microsoft DFS available in Windows Server platforms.
Distributed File System (DFS) client: A computer used to access a DFS namespace. It also can refer to the DFS software on a client that accesses the DFS namespace.
Distributed File System (DFS) client target failback: An optional feature that, when enabled, permits a DFS client to revert to a more optimal DFS target at an appropriate time after a DFS client target failover. The term "failback" refers to DFS client target failback. The DFS Referral Protocol, as specified in [MS-DFSC], describes the mechanisms by which a DFS server provides a list of DFS targets in decreasing order of optimality to the client.
Distributed File System (DFS) client target failover: When a DFS referral response has multiple targets, a DFS client attempts to find the first target that is both available and accessible. If the first DFS target in the list is not available or accessible, the DFS client determines whether the next target in the list is available and accessible. The client repeats this process until an available and accessible target is found or no more targets are left in the list of targets. DFS clients support DFS client target failover only for operations involving pathnames. In this specification, the term "failover" refers to DFS client target failover.
Distributed File System (DFS) in-site referral mode: A mode in which DFS root or DFS link referral requests to a DFS server result in DFS referral responses with only those DFS targets in the same Active Directory Domain Services (AD DS) site as the DFS client requesting the DFS referral. When this mode is disabled, there is no restriction on the AD DS site of the targets returned in the referral response. This can be enabled per DFS namespace. If there are no DFS targets in the same AD DS site as the client, the DFS referral response may be empty.
Distributed File System (DFS) interlink: A special form of DFS link whose link target is a DFS domain-based namespace.
Distributed File System (DFS) link: A component in a DFS path that lies below the DFS root and maps to one or more DFS link targets. Also interchangeably used to refer to a DFS path that contains the DFS link.
Distributed File System (DFS) metadata: Information about a Distributed File System (DFS) namespace such as namespace name, DFS links, DFS link targets, and so on, that is maintained by a DFS server. For domain-based DFS, the metadata is stored in an Active Directory Domain Services (AD DS) object corresponding to the DFS namespace. For a stand-alone DFS namespace, the DFS root target stores the DFS metadata in an implementation-defined manner, for example, in the registry.
Distributed File System (DFS) namespace: A virtual view of shares on different servers as provided by DFS. Each file in the namespace has a logical name and a corresponding address (path). A DFS namespace consists of a root and many links and targets. The namespace starts with a root that maps to one or more root targets. Below the root are links that map to their own targets.
Distributed File System (DFS) namespace, clustered: A standalone DFS namespace, which is hosted on a file server cluster.
Distributed File System (DFS) namespace, domain-based: A DFS namespace that has configuration information stored in the Active Directory directory service. The DFS namespace may span over a distributed system that is organized hierarchically into logical domains, each with a domain controller (DC). The path to access the root or a link starts with the host domain name. A domain-based DFS root can have multiple root targets, which offers fault tolerance and load sharing at the root level.
Distributed File System (DFS) namespace, standalone: A DFS namespace that has metadata stored locally on the host server. The path to access the root or a link starts with the host server name. A stand-alone DFS root has only one root target. Stand-alone roots are not fault-tolerant; when the root target is unavailable, the entire DFS namespace is inaccessible. Stand-alone DFS roots can be made fault tolerant by creating them on clustered file servers.
Distributed File System (DFS) path: Any Universal Naming Convention (UNC) path that starts with a DFS root and is used for accessing a file or directory in a DFS namespace.
Distributed File System (DFS) referral: A DFS client issues a DFS referral request to a DFS root target or a DC, depending on the DFS path accessed, to resolve a DFS root to a set of DFS root targets, or a DFS link to a set of DFS link targets. The DFS client repeats the referral request process as needed to finally identify the actual share on a server that hosts the leaf component of the DFS path. The request for a DFS referral is referred to as a DFS referral request, and the response to such a request is referred to as a DFS referral response.
Distributed File System (DFS) referral request: The request for a DFS referral.
Distributed File System (DFS) referral response: The response to a Distributed File System (DFS) referral request.
Distributed File System (DFS) referral site costing: An optional feature that, when enabled for a DFS namespace, causes the targets in a DFS referral response to be grouped into sets in order of increasing Active Directory Domain Services (AD DS) site cost from the DFS client that is requesting the referral to the DFS target server. When this feature is disabled, the referral response consists of at most two target sets: one set consisting of all DFS targets in the same AD DS site as the DFS client, and the other set consisting of DFS targets that are not in the same AD DS site as the DFS client.
Distributed File System (DFS) root: The starting point of the DFS namespace. The root is often used to refer to the namespace as a whole. A DFS root maps to one or more root targets, each of which corresponds to a share on a separate server. A DFS root has one of the following formats:
where <ServerName> is the name of the root target server hosting the DFS namespace; <DomainName> is the name of the domain that hosts the DFS root; and <RootName> is the name of the root of a domain-based DFS.
The DFS root must reside on an NTFS volume.
Distributed File System (DFS) root scalability mode: Domain-based DFS root targets normally poll the primary domain controller (PDC) to check for any change in the DFS metadata of a DFS namespace. When the DFS server on a DFS root target supports this mode, and it is enabled for a DFS namespace, the DFS server instead polls a domain controller (DC) closer to it in terms of Active Directory Domain Services (AD DS) site cost.
Distributed File System (DFS) root target: A server that hosts a DFS root of a DFS namespace. A domain-based DFS namespace can have multiple DFS root targets; a standalone DFS namespace can have only one DFS root target.
Distributed File System Remote Procedure Call (DFS-RPC): The remote procedure call (RPC) interfaces and methods that make up the Microsoft Distributed File System, Server-To-Server Protocol.
Distributed File System Replication (DFS-R): A service that keeps DFS folders in sync automatically. DFS-R is a state-based, multi-master replication system that supports replication scheduling and bandwidth throttling. This is a re-write and new version of File Replication Service (FRS). For more information, see [MS-FRS2].
Distributed Link Tracking (DLT): A protocol that enables client applications to track sources that have been sent to remote locations using remote procedure call (RPC) interfaces, and to maintain links to files. It exposes methods that belong to two interfaces, one of which exists on the server (trksvr) and the other on a workstation (trkwks).
Distributed Transaction Coordinator (DTC): A Windows service that coordinates transactions across multiple databases.
DLT: See Distributed Link Tracking (DLT).
DN: See distinguished name (DN).
DNS: See Domain Name System (DNS).
domain: A set of users and computers sharing a common namespace and management infrastructure. At least one computer member of the set must act as a domain controller and host a member list that identifies all members of the domain, as well as optionally a more general directory service. The domain controller provides authentication of members, creating a unit of trust for its members. Each domain has an identifier that is shared among its members.
domain account: A stored set of attributes representing a principal used to authenticate a user or machine to an Active Directory domain.
domain controller (DC): A general-purpose network directory service that maintains a database of network objects.
domain controller account object: An object in the directory that represents the computer in the role of a domain controller (DC). A DC account is an object O in the default naming context (NC) replica of a server such that O is of class computer and (O.userAccountControl and ADS_UF_SERVER_TRUST_ACCOUNT) ≠ 0.
domain controller locator: A function within a domain that provides for location of a domain controller (DC) and the ability to determine certain properties of DCs. For more information, see [MS-ADTS].
domain controllers (DCs): A well-known set of machines that host domain-wide information.
domain database: A database where security principal information is stored. This database is the directory service Active Directory in the case of a domain controller (DC) running on a Windows machine. On a Windows machine that is not a DC, this database is a local database, manageable through Security Accounts Manager Remote Protocol, as specified in [MS-SAMR].
domain local group: A security group that is only valid for inclusion within access control lists (ACLs) from its own domain. Its membership may include users, global groups, and universal groups from any domain. It may additionally include, and be a member of, other domain local groups from within its domains.
domain master browser: A server responsible for combining information for an entire domain, across all subnets.
domain master browser server: A master browser server that is responsible for combining information for an entire domain, across all subnets. A domain master browser server is responsible for keeping multiple subnets in synchronization by periodically querying local master browser servers for information concerning user accounts, security, and available resources such as printers.
domain member (member machine): A machine that is joined to a domain by sharing a secret between the machine and the domain.
domain name: The name given by an administrator to a collection of networked computers that share a common directory. Part of the domain naming service naming structure, domain names consist of a sequence of name labels separated by periods.
Domain Name System (DNS): A hierarchical, distributed database that contains mappings of domain names to various types of data, such as IP addresses. DNS enables the location of computers and services by user-friendly names, and it also enables the discovery of other information stored in the database. See also Domain Naming Service Name.
domain naming context (domain NC): (1) A partition of the directory that contains information about the domain and is replicated with other domain controllers (DCs) in the same domain.
The distinguished name (DN) of a domain NC takes the form
dc=n1,dc=n2, ... dc=nk
where each ni satisfies the syntactic requirements of a DNS name component. For more information, see [RFC1034]. Such a DN corresponds to the domain naming service name
n1.n2. ... .nk
This is the domain naming service name of the domain NC.
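As an added example (not from the glossary itself), the mapping between a domain NC DN and its DNS name in both directions, rejecting RDNs that are not dc= and labels that do not meet the RFC 1034 component syntax the entry cites; the function names and the strict RFC 1034 leading-letter rule are this example's own choices.

```python
import re

# RFC 1034 section 3.5 label syntax, as the glossary entry cites: a letter, then
# letters, digits or hyphens, ending in a letter or digit, at most 63 characters.
# (RFC 1123 later allowed a leading digit; this example keeps the RFC 1034 rule.)
_LABEL = re.compile(r"^[A-Za-z](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def _check_label(label: str) -> str:
    """Return the label unchanged, or raise ValueError if it is not a valid DNS name component."""
    if not _LABEL.match(label):
        raise ValueError(f"invalid DNS name component: {label!r}")
    return label


def domain_nc_dn_to_dns_name(dn: str) -> str:
    """Map a domain NC DN of the form dc=n1,dc=n2,...,dc=nk to the DNS name n1.n2. ... .nk.

    Every RDN must use the dc attribute (attribute type compared case-insensitively,
    whitespace around commas and '=' tolerated); anything else is rejected so that the
    DN of some other object is never mistaken for a domain naming context.
    """
    labels = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.partition("=")
        if not sep or attr.strip().lower() != "dc":
            raise ValueError(f"not a domain NC DN: RDN {rdn.strip()!r} is not dc=...")
        labels.append(_check_label(value.strip()))
    return ".".join(labels)


def dns_name_to_domain_nc_dn(name: str) -> str:
    """Inverse mapping: the DNS name n1.n2. ... .nk to the DN dc=n1,dc=n2,...,dc=nk."""
    labels = name.rstrip(".").split(".")  # tolerate a trailing dot on a fully qualified name
    return ",".join("dc=" + _check_label(label) for label in labels)
```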
domain object: (1) A unit of data storage in a domain maintained and made available to domain members by a domain controller (DC). (2) A database object that represents an issuing authority as specified in [MS-SECO], section 2.2. An account is said to be "in" a particular domain if the domain prefix of its security identifier (SID) is the SID of the particular domain.
domain of interpretation (DOI): A domain that defines the manner in which a group of protocols uses the ISAKMP (as specified in [RFC2408]) framework to negotiate security associations (SAs) (for example, identifiers for cryptographic algorithms, interpretation of payload contents, and so on). For example, the Internet Protocol security (IPsec) DOI (as specified in [RFC2407]) defines the use of the ISAKMP framework for protocols that negotiate main mode (MM) and quick mode (QM) security associations (SAs). Both Internet Key Exchange (IKE) and AuthIP fall under the IPsec DOI.
domain tree: A set of domains that are arranged hierarchically, typically following an accompanying DNS hierarchy, with trusts between parents and children. An example domain tree might be a.example.com, b.example.com, and example.com; domain A and domain B each trust example.com, but do not trust each other directly. They will have a transitive trust relationship through example.com.
domain trust relationship: A relationship in which one domain trusts the directory information stored in another domain. The domain that does the trusting is called the "trusting domain," while the domain that contains the information being trusted is called the "trusted domain."
domain user: A user with an account in the domain's user account database.
downlevel trust: A trust in which one of the peers is running Windows NT 4.0.
downstream partner: The partner that receives change orders, files, and folders.
DPNID: A 32-bit identification value assigned to a DirectPlay player as part of its participation in a DirectPlay game session.
drive: See volume.
drive letter: One of the 26 alphabetical characters A-Z, in uppercase or lowercase, that is assigned to a volume. Drive letters serve as a namespace through which data on the volume can be accessed. A volume with a drive letter can be referred to with the drive letter followed by a colon (for example, C:).
drive path: See mounted folder.
driver package: A collection of the files needed to successfully load the driver. This includes the device information (.inf) file, the catalog file, and all of the binaries that are copied by the .inf file.
driver store: A secure location on the local hard disk where the entire driver package is copied.
dsname: (1) A tuple that contains between one and three identifiers for an object. The term dsname does not stand for anything. The possible identifiers are the object's GUID (attribute objectGuid), security identifier (SID) (attribute objectSid) and distinguished name (DN) (attribute distinguishedName). A dsname can appear in a protocol message and as an attribute value (for example, a value of an attribute with syntax Object(DS-DN)).
(2) A dsname is a 3-tuple of fields:
guid: GUID
sid: security identifier (SID)
dn: distinguished name (DN)
A dsname can appear in a protocol message and as a value of an attribute. In either context, it identifies an object. If all three fields are null, the dsname is null.
As a value of an attribute, a dsname always contains a non-null GUID and DN, and sometimes contains a non-null SID. Such a dsname n refers to the unique object o such that o.objectGuid = n.guid. The SID and DN are not used for identification in this case.
As a value within a protocol message, a non-null dsname n refers to:
1. If n.guid ≠ null, the unique object o such that o.objectGuid = n.guid (failing if no such object); otherwise
2. If n.dn ≠ null, the unique object o such that o.distinguishedName = n.dn (failing if no such object); otherwise
3. The unique object o such that o.objectSid = n.sid.
Note that the SID is used only if no other part of the dsname is specified.
If o is an object, the function dsname(o) equals [o.objectGuid, o.objectSid, o.distinguishedName].
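An added example (not part of the glossary) that implements the dsname resolution rules above over a small constructed directory: GUID first and failing outright when the GUID is unknown even if the DN would match, then DN, then SID, with the stricter attribute-value form that identifies by GUID only. The class and function names, the in-memory directory and the sample GUIDs and SIDs are this example's own placeholders, and case-insensitive DN comparison is an assumption.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class DSName:
    """A dsname: the 3-tuple [guid, sid, dn]; a field that is absent is None."""
    guid: Optional[str] = None
    sid: Optional[str] = None
    dn: Optional[str] = None

    @property
    def is_null(self) -> bool:
        return self.guid is None and self.sid is None and self.dn is None


@dataclass(frozen=True)
class DirObject:
    """Constructed stand-in for a directory object with its three identifying attributes."""
    objectGuid: str
    distinguishedName: str
    objectSid: Optional[str] = None  # not every object class carries a SID


def _dn_key(dn: str) -> str:
    # Assumption for this example: DNs compare case-insensitively; GUIDs and SIDs compare exactly.
    return dn.casefold()


class Directory:
    def __init__(self, objects: Iterable[DirObject]) -> None:
        self._by_guid = {o.objectGuid: o for o in objects}
        objs = list(self._by_guid.values())
        self._by_dn = {_dn_key(o.distinguishedName): o for o in objs}
        self._by_sid = {o.objectSid: o for o in objs if o.objectSid is not None}

    def resolve_message_dsname(self, n: DSName) -> Optional[DirObject]:
        """Resolve a dsname carried in a protocol message.

        Rules from the glossary: GUID first (failing if no such object, even when the
        DN or SID would match), then DN, then SID. A null dsname refers to nothing.
        """
        if n.is_null:
            return None
        if n.guid is not None:
            return self._lookup(self._by_guid, n.guid, "objectGuid")
        if n.dn is not None:
            return self._lookup(self._by_dn, _dn_key(n.dn), "distinguishedName")
        return self._lookup(self._by_sid, n.sid, "objectSid")

    def resolve_attribute_dsname(self, n: DSName) -> DirObject:
        """Resolve a dsname stored as an attribute value: GUID and DN must be non-null, only the GUID identifies."""
        if n.guid is None or n.dn is None:
            raise ValueError("attribute-valued dsname must carry a non-null GUID and DN")
        return self._lookup(self._by_guid, n.guid, "objectGuid")

    @staticmethod
    def _lookup(index, key, attr):
        try:
            return index[key]
        except KeyError:
            raise LookupError(f"no object with {attr} = {key!r}") from None


def dsname_of(o: DirObject) -> DSName:
    """dsname(o) = [o.objectGuid, o.objectSid, o.distinguishedName]."""
    return DSName(guid=o.objectGuid, sid=o.objectSid, dn=o.distinguishedName)


# Constructed sample directory (placeholder GUIDs and SIDs, not real values).
ALICE = DirObject("guid-user-1", "CN=Alice,CN=Users,DC=example,DC=com", "S-1-5-21-1-2-3-1101")
SVC = DirObject("guid-user-2", "CN=Svc,CN=Users,DC=example,DC=com", "S-1-5-21-1-2-3-1102")
OU = DirObject("guid-ou-1", "OU=Servers,DC=example,DC=com")  # an OU has no SID
DIRECTORY = Directory([ALICE, SVC, OU])
```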
dynamic disk: A disk on which volumes may be composed of more than one partition on disks of the same pack, as opposed to basic disks where a partition and a volume are equivalent.
dynamic endpoint: A network-specific server address that is requested and assigned at run time. For more information, see [C706].
Dynamic Host Configuration Protocol (DHCP) client: An Internet host using DHCP to obtain configuration parameters such as network addresses.
Dynamic Host Configuration Protocol (DHCP) scope: The full consecutive range of possible IP addresses for a network. Scopes typically define a single physical subnet on a network to which DHCP services are offered. Scopes also provide the primary way for the server to manage distribution and assignment of IP addresses and any related configuration parameters to clients on the network.
Dynamic Host Configuration Protocol (DHCP) server: A computer running a DHCP service that offers dynamic configuration of IP addresses and related information to DHCP-enabled clients.
dynamic object: An object with a time-to-die (attribute msDS-Entry-Time-To-Die). The directory service garbage-collects a dynamic object immediately after its time-to-die has passed. The constructed attribute entryTTL gives a dynamic object's current time-to-live, that is, the difference between the current time and msDS-Entry-Time-To-Die. For more information, see [RFC2589].
dynamic provider: A Virtual Disk Service (VDS) provider that manages dynamic disks.
dynamic volume: A volume on a dynamic disk.
dynamic volume sub-disk: See disk extent.