Appendix A. Glossary


Numbers and Symbols
802.1X

An IEEE standard for port-based network access control, used to authenticate devices (and users) on both wired and wireless networks. 802.1X uses the physical characteristics of a switched LAN to authenticate whatever is attached to each switch port or wireless association before that port passes traffic: the switch or access point (the authenticator) relays EAP messages between the client (the supplicant) and an authentication server, typically RADIUS, and blocks access from the port if authentication fails.



3DES (Triple Data Encryption Standard)

A more secure variant of DES that applies the DES algorithm three times in succession (encrypt, decrypt, encrypt) using two or three independent 56-bit keys. With three keys the nominal key length is 168 bits, or roughly 3.7x10^50 possible keys; because of meet-in-the-middle attacks the effective strength is closer to 112 bits, still far beyond the 56 bits of single DES.



%systemroot%

A universal reference to the directory in which the Windows system files are installed. Typically, %systemroot% is C:\Winnt or C:\Windows . By default, clean installations of Windows Server 2003 use the Windows directory. If multiple copies of Windows are installed in a multiboot system, each copy has its own %systemroot% directory.



A
Active Directory

The directory services included with Windows Server 2003. Based on the DNS hierarchy, Active Directory provides a domain-based directory service for organizing all the objects and services in a Windows Server 2003 network.



Active Directory-integrated zone

A DNS zone whose data is stored in the Active Directory database and replicated to other domain controllers running the DNS service, instead of in a standard zone text file. Because the zone lives in the directory, every such DNS server holds a writable copy and the zone can require secure dynamic updates.



Active Directory Users and Computers

A Microsoft Management Console (MMC) snap-in provided in Windows 2000 and Windows Server 2003 Active Directory domains that is used to administer Active Directory objects such as users, groups, computers, and organizational units.



Affinity

The method used by network load balancing to associate client requests with hosts in the NLB cluster.



AH (Authentication Header)

A protocol in the IPSec suite that provides integrity checking and origin authentication for IP traffic but no confidentiality (the payload is not encrypted). In transport mode the AH is inserted into the original IP packet immediately after the IP header. Because its integrity check covers fields of the IP header itself, AH traffic cannot pass through a NAT device.



Application Data Partition

A directory partition type introduced in Windows Server 2003 (also called an application directory partition) that stores application-specific data in a partition that replicates only to the domain controllers that need it, rather than to every domain controller in the domain. A common use in Windows Server 2003 is the replication of Active Directory-integrated DNS zones to just the domain controllers that run DNS.



Auditing

The process of logging information about network activities such as user logins, system shutdowns, and file access.



Authentication

The process of verifying a user's identity on a network.



Automated System Recovery (ASR)

The replacement for the Windows 2000 Emergency Repair Disk. An ASR set consists of a floppy disk holding the system configuration and a backup of the system and boot volumes; booting from the Windows installation media and supplying the ASR set restores the system to working order.



Automatic Updates

The client side of the Software Update Services (SUS) solution. Automatic Updates can be configured to download updates from the Microsoft Windows Update Web servers or from internal SUS servers.



B
B-node (Broadcast Node)

The oldest NetBIOS name resolution mode, which relies exclusively on broadcast messages. A host needing to resolve a name broadcasts a query to every host on the local subnet, requesting the address associated with the NetBIOS name. Because routers do not forward broadcasts, B-node cannot resolve names on remote subnets.



Back up

To make a reliable copy of critical data so that it can be recovered (restored) later in the event of a failure, loss, or disaster.



Baseline

A set of collected data that is representative of the normal or beginning performance statistics. You can compare the current performance statistics against a baseline to troubleshoot problems.



Bottleneck

A situation resulting from the inability of a computer system to meet or keep up with the demands placed on it.



C
Certificate

A signed credential, issued by a Certificate Authority, that binds the public half of a public/private key pair to the identity of its owner and states the purposes for which the key may be used. A certificate does not by itself secure data; it lets a relying party verify who holds the matching private key before trusting a signature or encrypting data to that key.



Certificate Authority (CA)

A service that issues digital certificates to users and computers. Additionally, CAs maintain a current list of revoked certificates that are no longer considered valid.



Certificate Revocation List (CRL)

A list maintained by Certificate Authorities that identifies all certificates that are no longer valid but have not yet reached their configured expiration date. Clients validating a certificate can check the CRL to determine whether a presented certificate is still valid.



Change management

The planning, review, approval, and implementation processes by which changes to systems are proposed, evaluated, and carried out within an organization, so that each change is documented and can be rolled back if it fails.



CHAP (Challenge Handshake Authentication Protocol)

A challenge-response authentication scheme in which the password itself is never sent over the network. The server sends a random challenge; the client replies with an MD5 hash of the session identifier, its password, and the challenge, and the server recomputes the hash to verify it. CHAP is defined in RFC 1994 and is supported by RRAS so that legacy and non-Windows clients can dial in and authenticate to a Windows Server 2003 Remote Access Server. The trade-off is that the server must store each password in cleartext or in reversibly encrypted form in order to compute the same hash.
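
The exchange above, worked through in code. This is an added example, not text or code from the book: a small RFC 1994 implementation in Python with a made-up account ("alice") and a constructed secret. It shows both sides of the exchange, that only a digest crosses the wire, that a captured response cannot be replayed against a fresh challenge, and, in the authenticator class, the cleartext secret the server is forced to keep.

```python
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """Peer side of RFC 1994: Response = MD5(Identifier || secret || Challenge).
    The secret itself is never placed on the wire, only this 16-byte digest."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """Authenticator (server) side. Note what it has to hold: the cleartext secret
    for every user, because it must recompute the same MD5. That is the price
    CHAP pays for keeping the password off the wire."""

    def __init__(self, secrets):
        self._secrets = dict(secrets)   # username -> cleartext secret (bytes)
        self._pending = {}              # identifier -> outstanding challenge
        self._next_id = 0

    def challenge(self):
        """Issue a fresh random challenge with an 8-bit identifier."""
        ident = self._next_id & 0xFF
        self._next_id += 1
        chal = os.urandom(16)
        self._pending[ident] = chal
        return ident, chal

    def verify(self, identifier, username, response):
        """Check a Response packet. Each challenge is accepted once, so a
        captured response cannot be replayed against a later challenge."""
        chal = self._pending.pop(identifier, None)
        secret = self._secrets.get(username)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return hmac.compare_digest(expected, response)


def run_exchange(auth, username, peer_secret):
    """One full CHAP round trip: Challenge -> Response -> Success/Failure."""
    ident, chal = auth.challenge()
    resp = chap_response(ident, peer_secret, chal)
    return auth.verify(ident, username, resp)


if __name__ == "__main__":
    # Constructed sample account; in RRAS the secret comes from the user store.
    auth = ChapAuthenticator({"alice": b"correct horse battery"})
    print(run_exchange(auth, "alice", b"correct horse battery"))  # True
    print(run_exchange(auth, "alice", b"wrong password"))         # False
```

The compare_digest call avoids a timing side channel when comparing digests; the pending-challenge table is what gives the scheme its replay resistance, and it is also why a real authenticator must expire unanswered challenges.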



Child domain

A Windows Active Directory domain that exists directly beneath a parent domain in a tree hierarchy.



Class A network

The largest of the classes of IP networks. There are 126 Class A networks, each capable of addressing up to 16,777,214 hosts. Class A networks have a first octet between 1 and 126 with a default subnet mask of 255.0.0.0.



Class B network

The second-largest class of IP networks. There are 16,384 Class B networks, each capable of addressing up to 65,534 hosts. Class B networks have a first octet between 128 and 191 with a default subnet mask 255.255.0.0.



Class C network

The smallest class of IP networks. There are 2,097,152 Class C networks, each capable of addressing up to 254 hosts. Class C networks have a first octet between 192 and 223 with a default subnet mask of 255.255.255.0.



Classless interdomain routing (CIDR)

A more efficient IP address management system than the original class-based scheme of Class A, B, and C networks. CIDR allows any number of contiguous leading bits of the IP address to serve as the network ID (written as a prefix length, for example 192.168.0.0/22), so address blocks can be sized to actual need and neighboring blocks can be aggregated into a single route. CIDR is used throughout the Internet, and in particular by routers on the Internet backbone, to keep routing tables small.
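
The classful ranges, default masks, and host counts from the Class A, B, and C entries above, and the CIDR prefixes and route aggregation described here, as an added worked example that is not from the book. It uses only Python's standard ipaddress module; the addresses are constructed for illustration.

```python
import ipaddress

# Classful ranges as given in the glossary: first octet range, default mask.
CLASSES = {
    "A": (range(1, 127), "255.0.0.0"),
    "B": (range(128, 192), "255.255.0.0"),
    "C": (range(192, 224), "255.255.255.0"),
}


def classful_info(addr):
    """Return (class, default mask, usable hosts) for an IPv4 address under
    the classful scheme, or (None, None, None) for 0.x, 127.x and class D/E."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    for name, (octets, mask) in CLASSES.items():
        if first_octet in octets:
            net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
            return name, mask, net.num_addresses - 2  # minus network and broadcast
    return None, None, None


def cidr_info(prefix):
    """Return (network, dotted mask, usable hosts) for a CIDR prefix such as
    192.168.0.0/22. A /31 or /32 has no network/broadcast pair to subtract."""
    net = ipaddress.IPv4Network(prefix, strict=False)
    usable = net.num_addresses - 2 if net.prefixlen <= 30 else net.num_addresses
    return str(net), str(net.netmask), usable


def aggregate(prefixes):
    """Collapse contiguous prefixes into the fewest CIDR blocks that cover
    exactly the same addresses (route aggregation, also called supernetting)."""
    nets = [ipaddress.IPv4Network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def scope(addr):
    """Classify an address as loopback, multicast, private (RFC 1918) or public."""
    ip = ipaddress.IPv4Address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_multicast:
        return "multicast"
    if ip.is_private:
        return "private"
    return "public"


if __name__ == "__main__":
    print(classful_info("10.1.2.3"))      # ('A', '255.0.0.0', 16777214)
    print(cidr_info("192.168.0.0/22"))    # ('192.168.0.0/22', '255.255.252.0', 1022)
    print(aggregate(["192.168.0.0/24", "192.168.1.0/24",
                     "192.168.2.0/24", "192.168.3.0/24"]))  # ['192.168.0.0/22']
```

The aggregate() call is the point of CIDR: four class C networks that would be four routing-table entries under the classful scheme become one /22 entry.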



Cluster

A group of two or more independent servers that operate together and are viewed and accessed as a single resource. Also referred to as clustering.



Cluster resource

A network application, service, or hardware device (such as a network adapter or storage system) that is defined and managed by the cluster service.



Cluster resource group

A defined set of resources contained within a cluster. Cluster resource groups are used as failover units within a cluster. When a cluster resource group fails and cannot be automatically restarted by the cluster service, the entire cluster resource group is placed in an offline status and failed over to another node.



Cluster virtual server

A cluster resource group that has a network name and IP address assigned to it. Cluster virtual servers are accessible by their NetBIOS name, DNS name, or IP address.



Compatible security template

A security template that provides a means of allowing members of the Users group to run applications that do not conform to the Windows Logo Program by modifying the default file and Registry permissions that are granted to the Users group.



Conditional forwarding

A new feature in Windows Server 2003 DNS that allows administrators to direct DNS requests to other DNS servers based on domain. Also known as intelligent forwarding .



Convergence

The process by which NLB clustering hosts determine a new, stable state among themselves and elect a new default host after the failure of one or more cluster nodes. During convergence, the total load on the NLB cluster is redistributed among all cluster nodes that share traffic handling on specific ports, as determined by their port rules.



Copy backup

A type of backup operation that copies all selected files but does not mark each file as having been backed up (the archive attribute is not cleared). Copy backups have no effect on any other type of backup operation.



Counter

Part of an object in the System Monitor that can have usage and performance statistics measured.



Counter log

A log that can be created by using the Performance console for later viewing and comparison against current performance statistics.



CRL Distribution Point (CDP)

A location to which Certificate Revocation Lists are published.



D
Daily backup

A type of backup operation that copies all selected files that have been modified the day the daily backup is performed; the archive attribute is not cleared in this case. Using normal and daily backups, you need the last normal backup and all daily backups to be able to perform restoration.



dcpromo

The command that starts the Active Directory Installation Wizard, used to promote a member server to a domain controller or to demote a domain controller back to a member server.



Default DC Security template

A security template that is automatically created when a member server is promoted to DC. It represents the file, Registry, and system service default security settings for that DC and can be used later to reset those areas to their default configurations.



Default gateway

The configured router on a TCP/IP-enabled system that allows all packets destined for a remote network to be forwarded out of the local network. If a packet is bound for a remote network but no route is specified, the packet is sent to the default gateway address. Also known as the default router.



Default Security template

A security template that is created during the installation of Windows on a computer. This template varies from one computer to the next, depending on whether the installation was performed as a clean installation or an upgrade. This template represents the default security settings that a computer started out with and thus can be used to reset portions of security as required.



Delegation of Control

The process by which you can allow nonadministrative users to have some responsibility for some portion of Active Directory, such as delegating the ability to change users' passwords or add computers to the domain.



DES (Data Encryption Standard)

A symmetric encryption scheme in which the sender and the receiver share the same secret key. DES uses a 56-bit key, giving approximately 7.2x10^16 possible keys, a key space small enough to be searched exhaustively with purpose-built hardware; single DES is therefore considered obsolete.



Differential backup

A type of backup operation that copies only those files created or changed since the last normal (full) or incremental backup; the archive attribute is not cleared, so each differential backup grows until the next normal backup. Using normal and differential backups, you need only the last normal backup and the last differential backup to perform a restoration.



Discretionary Access Control List (DACL)

The part of an object's security descriptor that lists which users and groups are allowed or denied which permissions on that object. Every securable object has a DACL; files and folders on NTFS-formatted volumes are the most commonly edited example. The list is "discretionary" because the object's owner controls it.



Distance-vector routing

A type of dynamic routing in which each router periodically sends its neighbors its entire routing table (a list of destinations and distances), and each neighbor adopts the lowest-cost path it hears about. RIP is a distance-vector protocol; OSPF is not, it uses link-state routing.



DNS forwarder

A DNS server that has been configured to forward to another DNS server name resolution queries it cannot answer.



DNS resolver

Any computer that has been configured with one or more DNS server IP addresses and that performs queries against these DNS servers.



DNS Security (DNSSEC)

A public key-based extension to DNS, described in RFC 2535 (since superseded by RFCs 4033 through 4035), that provides origin authentication and data integrity to DNS resolvers. Zone data is digitally signed with the zone's private key, and DNSSEC-aware resolvers validate the signatures using the corresponding public key. The signatures and public keys are published in the zone as resource records.



DNS slave server

A DNS forwarder server that does not try to resolve a resolution request if it doesn't receive a valid response to its forwarded DNS request.



Domain

A container in the DNS name hierarchy, or, in Windows Server 2003 networks, the basic administrative and security boundary of Active Directory, within which accounts, policies, and organizational units are managed.



Domain controller (DC)

A server that holds a writable copy of the Active Directory database and services authentication and directory requests for its domain. Domain controllers also act as DNS name servers when Active Directory-integrated zones are used, and every domain controller runs the Kerberos Key Distribution Center (KDC).



Domain name system (DNS)

The hierarchical, distributed service that resolves hostnames to IP addresses (and, through reverse lookups, addresses to names) in a TCP/IP environment.



DumpEL

A command-line based utility that can be used to quickly collect and search through event logs. This tool is found in the Windows Server 2003 Resource Kit.



Dynamic Host Configuration Protocol (DHCP)

A standards-based method of automatically assigning and configuring IP addresses for DHCP clients.



E
EAP (Extensible Authentication Protocol)

An extension to the Point-to-Point Protocol (PPP) as specified in RFC 2284 that provides a means for the primary authentication method to be negotiated during the initiation of the PPP session.



Encryption

A mechanism for securing data in which data is translated into a secret code, which can be read only with the correct key to translate the secret code back to the original data.



Enterprise Certificate Authority

A Windows Certificate Authority that is integrated with Active Directory. An enterprise CA uses certificate templates to define what it issues, authenticates requesters with their domain credentials, can approve and issue certificates automatically, and publishes certificates and CRLs to the directory. Contrast with a standalone CA. (The top of a CA hierarchy is the root CA, which may be either type.)



ESP (Encapsulating Security Payload)

A protocol in the IPSec suite that encrypts the payload of IP packets to provide confidentiality; it can also carry its own integrity check and origin authentication. ESP can be combined with AH for the maximum level of protection, but in practice ESP with its own authentication is used alone, not least because AH cannot pass through NAT. In Windows Server 2003, ESP uses DES by default but can be configured to use 3DES.



EventCombMT

A GUI-based utility that can be used to quickly collect and search through event logs. This tool is found in the Windows Server 2003 Resource Kit.



Exterior Gateway Protocol (EGP)

The original exterior protocol, which is used to exchange routing information between networks that do not share a common administration.



F
Failback

The process of moving a cluster group (either manually or automatically) back to the preferred node after the preferred node has resumed cluster membership. For failback to occur, it must be configured for the cluster group, including the failback threshold and selection of the preferred node.



Failover

The process of a cluster group moving from the currently active node to a designated, functioning node in the cluster group. Failover typically occurs when the active node becomes unresponsive (for any reason) and cannot be recovered within the configured failure threshold period.



Firewall

A device or service that sits between networks of different trust levels (for example the internal network and the Internet, a WAN, or a business partner's network) and allows or blocks traffic between them according to a configured policy.



Forest

The logical structure that contains all domains in the Active Directory model.



Forest and domain functional levels

Settings for an Active Directory forest and for each domain in it that determine which directory features are available. A level can be raised only when every domain controller (for the domain level) or every domain (for the forest level) runs a sufficient version of Windows, and raising a level is a one-way change; the Windows Server 2003 functional level enables the full Windows Server 2003 feature set.



Forest root

The first domain created within an Active Directory forest.



Fully qualified domain name (FQDN)

The complete DNS name of a host, including the hostname and all domains that connect the host to the root domain. The FQDN is typically expressed without a trailing period, with the root domain assumed.



G
GPO (Group Policy Object)

A collection of security and configuration settings that are applied to a container in an Active Directory domain.



Group Policy Editor

The MMC snap-in (gpedit.msc) used to edit the settings in a Group Policy Object. It is opened from the Group Policy tab of a container's properties in Active Directory Users and Computers or Active Directory Sites and Services, or directly against the local computer's policy.



H
H-node (Hybrid Node )

A hybrid NetBIOS name resolution mode that favors the use of WINS for NetBIOS name resolution.



Heartbeat

A network communication sent among individual cluster nodes at intervals of no more than 500 milliseconds (ms); used to determine the status of all cluster nodes.



Highly Secure security template

A security template that imposes further restrictions on computers it is applied to. Whereas the Secure templates require at least NTLM authentication, the Highly Secure templates require NTLMv2 authentication.



I
IGMP Proxy mode

The mode used on a router that has two or more interfaces, in which one interface (usually the one facing the upstream multicast-capable network) is configured as a proxy host: it forwards the IGMP membership reports received on the router's other interfaces out of that upstream interface, so the upstream router learns which groups have members behind the proxy.



IGMP Routing mode

The mode in which you can set Windows Server 2003 to listen for IGMP Membership Report packets as well as to track group membership.



Incremental backup

A type of backup operation that copies only those files created or changed since the last normal or incremental backup; the archive attribute is then cleared. Using normal and incremental backups, you need the last normal backup and all incremental backups to be able to perform restoration.



Interior Gateway Protocol (IGP)

A protocol that is used to pass routing information for routing networks that are under a common network administration.



Internet Control Message Protocol (ICMP)

A protocol in the TCP/IP suite used to report errors (for example "destination unreachable" or "time exceeded") and to perform diagnostics; ping and tracert are built on it.



Internet Group Management Protocol (IGMP)

One of the core protocols in the TCP/IP suite, used by hosts to tell routers which multicast groups they want to receive and by routers to track that membership. IGMP manages group membership; it is not itself a routing protocol.



Internet Key Exchange (IKE)

The key-management protocol of the IPSec suite (RFC 2409). IKE lets two IPSec peers, such as VPN servers from different vendors, authenticate each other, negotiate security associations, and derive shared session keys using a Diffie-Hellman exchange, which makes IPSec practical without manual key distribution.



Internet Protocol (IP)

The portion of the TCP/IP protocol suite that is used to provide packet routing.



IP address

The 32-bit binary address that is used to identify a TCP/IP host's network and host ID. IPv6 IP addresses are 128 bits in length.



IP Security (IPSec)

A set of Layer 3 extensions to IP that provide authentication, integrity, and optional encryption for data in transit, either end to end (transport mode) or between gateways (tunnel mode).



ipconfig

A command-line based tool that allows you to view and modify the TCP/IP properties of installed network adapters. Some of its uses include releasing and renewing DHCP leases (/release, /renew), displaying and clearing the local DNS resolver cache (/displaydns, /flushdns), and re-registering the computer's DNS records (/registerdns).



ISAKMP/Oakley (Internet Security Association and Key Management Protocol/Oakley)

The framework (ISAKMP) and key-exchange method (Oakley) on which IKE is built. ISAKMP defines how two peers negotiate and manage security associations; Oakley defines the Diffie-Hellman based key exchange. The peers authenticate one another during the exchange, for example with digital certificates, a preshared key, or (in Windows) Kerberos, and derive a shared secret without ever sending the keying material itself over the network.



Iterative query

A DNS query sent from a DNS server to one or more DNS servers in search of the DNS server that is authoritative for the name being sought.



K
Kerberos v5

A ticket-based authentication protocol, standardized in RFC 1510, that Windows Server 2003 uses by default to authenticate users and computers in an Active Directory domain. Clients obtain tickets from the Key Distribution Center on a domain controller and present them to services, so passwords are never sent across the network.



L
LAN Manager HOSTS (LMHOSTS)

A file modeled after the TCP/IP HOSTS file and used to provide a static NetBIOS name to IP address resolution in a Windows environment. The HOSTS file was originally used for name resolution in a TCP/IP network environment. As the HOSTS file was replaced by DNS, the LMHOSTS file was replaced by WINS.



Layer 2 Tunneling Protocol (L2TP)

A VPN protocol that is created by combining the Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Forwarding (L2F) tunneling protocols. L2TP is used as the transport protocol in the Windows Server 2003 VPN service in conjunction with IPSec.



Leaf

The end object in a hierarchical tree structure.



Link state

The status (up or down) and cost of a connection (link) between routers. Link-state routing protocols such as OSPF advertise this information rather than whole routing tables.



link-state routing

Dynamic routing in which each router floods the state of its own links to every other router in the area, so that all routers build the same map of the network and each computes its own shortest paths from that map. OSPF is a link-state protocol; RIP is not.



LSA (link state advertisement)

A notification that is flooded throughout the network when a network link changes state (up to down, or vice versa).



M
M-node (Modified Node)

A hybrid NetBIOS name resolution mode that first attempts to resolve NetBIOS names using the B-node mechanism. If that fails, an attempt is made to use P-node name resolution. M-node was the first hybrid mode put into operation, but it has the disadvantage of favoring B-node operation, which is associated with high levels of broadcast traffic.



Microsoft Baseline Security Analyzer (MBSA)

A utility that can be used to scan computers on a network looking for missing security updates and weak security configurations from either the command line or from within the GUI.



Microsoft Management Console (MMC)

A Microsoft Windows framework used for hosting administrative tools.



Microsoft Point-to-Point Encryption (MPPE)

A data encryption method, based on the RC4 stream cipher, used for PPP-based connections or PPTP VPN connections. MPPE supports strong (128-bit key), 56-bit, and standard (40-bit key) encryption.



MS-CHAP (Microsoft Challenge Handshake Authentication Protocol)

A Microsoft-specific variation of the CHAP authentication protocol that comes in two versions. MS-CHAPv1 provides one-way authentication of the client only and is used by Windows NT 4.0 and Windows 9x clients. MS-CHAPv2, used by Windows 2000 and later, adds mutual authentication and stronger session-key derivation. Both work from the user's NT password hash rather than a cleartext password, but neither resists offline password guessing from a captured exchange, so they should be used only where the link is otherwise protected or replaced with EAP.



Multicasting

A method of sending a series of packets to a group of computers instead of to a single computer or all computers on a network. IGMP support is required to use multicasting.



Multilink

A capability included in Windows Server 2003 that allows the aggregating of multiple modem connections.



N
nbtstat

A command-line utility that allows you to verify the current connections over the NBT protocol. It also allows you to check and load the NetBIOS name cache.



netsh

A command-line tool used on Windows 2000 and 2003 systems for configuring and troubleshooting networking-based issues.



NetBIOS Name

The computer name for NetBIOS networking. The name is 16 bytes long: the first 15 hold the hostname (padded with spaces), and the 16th byte identifies the service registering the name (for example 0x20 for the Server service, 0x00 for the Workstation service, 0x1C for domain controllers).
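
The 15-plus-1 layout above, and the way the resulting 16 bytes appear in NBT packets, worked through as an added example that is not from the book. It implements the RFC 1001 "first-level" encoding that nbtstat and WINS traffic use on the wire; the names and suffix table are constructed for illustration, and the describe() output format is an approximation of nbtstat's, not its exact layout.

```python
# Well-known 16th-byte suffixes (a few of the common ones).
SUFFIXES = {
    0x00: "Workstation Service",
    0x03: "Messenger Service",
    0x1B: "Domain Master Browser",
    0x1C: "Domain Controllers (group)",
    0x1D: "Master Browser",
    0x20: "File Server Service",
}


def netbios_name_bytes(name, suffix, pad=b" "):
    """Build the raw 16-byte name: up to 15 characters, space-padded, plus the
    service suffix byte. The wildcard name '*' is padded with NULs instead."""
    raw = name.upper().encode("ascii")
    if not 1 <= len(raw) <= 15:
        raise ValueError("NetBIOS names are 1 to 15 characters")
    return raw.ljust(15, pad) + bytes([suffix & 0xFF])


def encode_netbios_name(name, suffix, pad=b" "):
    """RFC 1001 first-level encoding: each of the 16 bytes is split into two
    nibbles and each nibble becomes a letter 'A'..'P' (nibble + 0x41), giving
    the 32-character form seen in NBT name queries on the wire."""
    out = []
    for b in netbios_name_bytes(name, suffix, pad):
        out.append(chr(0x41 + (b >> 4)))
        out.append(chr(0x41 + (b & 0x0F)))
    return "".join(out)


def decode_netbios_name(encoded):
    """Reverse the first-level encoding; returns (name, suffix)."""
    if len(encoded) != 32 or any(not "A" <= c <= "P" for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(
        ((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
        for i in range(0, 32, 2)
    )
    return raw[:15].rstrip(b" \x00").decode("ascii"), raw[15]


def describe(encoded):
    """Human-readable form in the spirit of nbtstat: NAME<20> File Server Service."""
    name, suffix = decode_netbios_name(encoded)
    return f"{name}<{suffix:02X}> {SUFFIXES.get(suffix, 'unknown')}"


if __name__ == "__main__":
    wire = encode_netbios_name("SERVER1", 0x20)
    print(wire)             # FDEFFCFGEFFCDBCACACACACACACACACACA
    print(describe(wire))   # SERVER1<20> File Server Service
```

The odd-looking 32-letter strings that show up in packet captures of port 137 traffic (and the famous "CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" wildcard query) are exactly this encoding.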



NetBIOS Name Cache

A list of system NetBIOS names that a host has resolved or that have been preloaded from the LMHOSTS file.



NetBIOS node type

The node type that determines the order of name resolution for NetBIOS names. There are four types: B-node, P-node, M-node, and H-node.



NetBIOS over TCP/IP (NBT or NetBT)

The name given to the process of running NetBIOS network services over TCP/IP.



Network Address Translation (NAT)

A process by which a device (the NAT router) rewrites the private source addresses of outbound packets to one or more public addresses and reverses the mapping for the replies. The NAT device keeps a translation table recording which internal address and port each public address and port currently corresponds to, so the hosts on a private network can share a small pool of public addresses.



Network Basic Input/Output System (NetBIOS)

A programming interface and naming service that operates at the Session layer of the OSI model and can be carried over TCP/IP (NetBT), NetBEUI, or IPX. Legacy Microsoft networking depended on NetBIOS for naming, browsing, and file and print services.



Network interface card (NIC)

The hardware that connects a PC or other host to the network. Each NIC carries a unique MAC address and is the interface to which an IP address is assigned. Also referred to as a network adapter.



Network load balancing

A way to provide highly available solutions in which all incoming connection requests are distributed using a mathematical algorithm to members of an NLB cluster. NLB clustering is best used when clients can connect to any server in the cluster, such as Web sites, Terminal Services servers, and VPN servers.



Node

In regards to clustering, an individual server within a cluster. In regards to networking, a device that communicates on a network and is identified by a unique address. In hierarchies, a node is a container that contains other containers and data.



Normal backup

A type of backup operation that copies all selected files and marks each file as having been backed up (the archive attribute is cleared). Only the most recent copy of the backup file is required to perform restoration.
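
The five backup types in this glossary (Copy, Daily, Differential, Incremental, and Normal) differ only in which files they select and whether they clear the archive attribute, and those two rules determine which sets a restore needs. The following is an added example, not from the book: a simulation of the archive bit over a sequence of backups, with a restore_chain() that applies the glossary's rules. File names, day numbers, and the whole volume are constructed sample data.

```python
from dataclasses import dataclass


@dataclass
class File:
    name: str
    mtime: int             # day number of the last change (constructed sample data)
    archive: bool = True   # Windows sets this bit whenever a file is created or modified


@dataclass
class BackupSet:
    kind: str
    day: int
    files: list


# Only these two operations reset the archive attribute.
CLEARS_ARCHIVE = {"normal", "incremental"}


def _selected(kind, f, today):
    if kind in ("normal", "copy"):
        return True                  # everything
    if kind in ("incremental", "differential"):
        return f.archive             # changed since the last normal/incremental
    if kind == "daily":
        return f.mtime == today      # changed today, judged by modification date
    raise ValueError(f"unknown backup type {kind!r}")


def run_backup(kind, volume, today):
    """Perform one backup of `volume` and return the set it produced."""
    chosen = [f for f in volume if _selected(kind, f, today)]
    if kind in CLEARS_ARCHIVE:
        for f in chosen:
            f.archive = False
    return BackupSet(kind, today, sorted(f.name for f in chosen))


def modify(volume, name, day):
    """Simulate a user changing a file: mtime moves and the archive bit is set."""
    for f in volume:
        if f.name == name:
            f.mtime = day
            f.archive = True


def restore_chain(history):
    """Which sets, in restore order, rebuild the volume. Assumes one of the
    glossary's pairings (normal+incremental, normal+differential or
    normal+daily); mixing them changes what later sets contain, so refuse."""
    last_normal = max(i for i, s in enumerate(history) if s.kind == "normal")
    later = [s for s in history[last_normal + 1:] if s.kind != "copy"]  # copies never count
    kinds = {s.kind for s in later}
    if len(kinds) > 1:
        raise ValueError(f"mixed scheme after last normal backup: {sorted(kinds)}")
    chain = [history[last_normal]]
    if kinds == {"differential"}:
        chain.append(later[-1])      # newest differential holds everything since the normal
    else:
        chain.extend(later)          # each incremental or daily holds only its own changes
    return chain


if __name__ == "__main__":
    vol = [File("a.doc", 1), File("b.xls", 1)]
    hist = [run_backup("normal", vol, 1)]
    modify(vol, "a.doc", 2); hist.append(run_backup("incremental", vol, 2))
    modify(vol, "b.xls", 3); hist.append(run_backup("incremental", vol, 3))
    print([(s.kind, s.files) for s in restore_chain(hist)])
    # [('normal', ['a.doc', 'b.xls']), ('incremental', ['a.doc']), ('incremental', ['b.xls'])]
```

Running the differential variant instead shows the trade-off the entries describe: each differential is larger than the last, but only the newest one is needed to restore. The copy backup is the odd one out, which is why it is safe to take one between scheduled backups without disturbing the chain.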



ntbackup.exe

The command-line version of the Windows Backup Utility.



O
Open Shortest Path First ( OSPF )

A link-state interior gateway protocol that lets routers exchange information about their links, build a shared map of the network, and compute shortest paths with Dijkstra's algorithm. OSPF scales better and converges faster than RIP.



Organizational Unit (OU)

A container that provides for the logical grouping of objects within Active Directory for ease of administration and configuration.



P
P-node (Point-to-Point Node)

A NetBIOS name resolution method that relies on WINS servers for NetBIOS name resolution. Client computers register themselves with a WINS server when they come on the network.



PAP (Password Authentication Protocol)

A clear-text authentication scheme that provides no security for information passed over the connection. PAP is defined in RFC 1334.



Parent domain

The domain that has one or more child domains under it that share the same DNS namespace.



pathping

A command-line tool that provides the equivalent of the tracert command by allowing you to identify which routers are in the path the packets are taking. pathping also acts as the equivalent of the ping command by sending ping requests to all the routers over a specified time period and then computing statistics based on the packets returned from each router. pathping displays the number of packets lost at each router or link, allowing you to determine which routers and links (subnets) might be causes of connectivity troubles.



Performance console

A preconfigured Microsoft Management Console that contains the System Monitor as well as Performance Logs and Alerts.



Physical Address (MAC Address)

A 48-bit address, written as six hexadecimal octets such as 00-08-74-97-0B-26, that identifies a network interface at the data-link layer. Also called a Media Access Control (MAC) address; the first three octets identify the manufacturer, and the address is intended to be unique to the device to which it is assigned.



ping

A command-line utility that is used to troubleshoot TCP/IP problems. ping sends a packet with data, asking the remote system to echo the packet to the sender.



Point-to-Point Tunneling Protocol (PPTP)

A VPN protocol, developed by Microsoft and others, that tunnels PPP frames over IP and relies on MPPE for encryption.



Port rules

A configuration that is used to determine what types of traffic are to be load-balanced across the cluster nodes.



Primary DNS server

The name server that contains the master copy of a zone file. Also called a primary master.



Primary master

See Primary DNS server.



Primary zone

A DNS zone that contains the master copies of resource records for a domain.



Principle of least privilege

An administrative principle which states that users are given only the minimum privileges required to perform the specific set of tasks they have been assigned.



Private IP address

An IP address range reserved for private (non-Internet-connected) networks, as defined in RFC 1918: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. There is one such range in each of the Class A, Class B, and Class C address blocks, and Internet routers do not forward traffic for them.



Proxy server

A server-based application that serves as a go-between for the internal LAN clients and the public Internet. A proxy server also caches the pages so that Internet response seems faster to internal clients.



Public IP address

An IP address that is routable on the public Internet. Public addresses must be assigned through a registry or an ISP so that no two organizations use the same address.



Pull replication

The act of replicating from a WINS replication partner by pulling new records from the partner's database into the local database, typically on a fixed schedule.



Push replication

The act of replicating to a WINS replication partner by notifying it, after a configured number of local changes, that new records are available; the partner then pulls them, so data flows from the local database to the partner's.



Push/pull replication

A replication partnership in which each partner both pushes and pulls, so changes flow in both directions. This is the recommended configuration.



Q
Quorum disk

The disk drive that contains the definitive cluster-configuration data. Clustering with MSCS requires the use of a quorum disk and requires continuous access to the data contained within the quorum disk. The quorum disk contains vital data about the nodes participating in the cluster, the applications and services defined within the cluster resource group, and the status of each node and cluster resource. The quorum disk is typically located on a shared storage device.



R
RADIUS (Remote Authentication Dial-In User Service)

An industry-standard protocol (RFC 2865) that lets remote access servers, VPN servers, and 802.1X switches send user credentials to a central server for authentication, authorization, and accounting. In Windows Server 2003 the RADIUS server is the Internet Authentication Service (IAS).



Recursive query

A DNS query that is used to request an authoritative answer or an answer indicating that there is no resolution for a DNS lookup.



Registered IP address

Any block of addresses registered with Internet Assigned Numbers Authority (IANA).



Remote Assistance

A Remote Desktop Protocol-based service in Windows XP and Windows Server 2003 that allows a Novice to ask for and receive help from an Expert over a TCP/IP network connection.



Remote Desktop for Administration

A Remote Desktop Protocol-based service that allows administrators to remotely connect to and administer Windows XP and Windows Server 2003 computers. Remote Desktop for Administration replaces Terminal Services Remote Administration mode in Windows 2000.



Remote Desktop Protocol

A terminal communications protocol based on the industry standard T.120 multichannel conferencing protocol.



Replication partner

A server in a WINS architecture that sends or receives a copy of the WINS database from another WINS server.



Resource record

A data record in a DNS zone. Many types of resource records are available. For example, an address (A) resource record is the data record that maps a hostname to its IP address.



Restoration

The process of replacing or re-creating data on a computer using a set of backup media.



Resultant Set of Policy (RSoP)

An MMC snap-in that allows you to determine how various Group Policies are applied to an object.



Reverse lookup

In DNS, an IP address-to-name resolution.



Revoked certificate

A digital certificate that has been taken out of use before its configured end of lifetime. Certificates can be revoked for any number of reasons, including loss of keys or employee termination.



Role-based security

The process of configuring network security for hardware and users based on the role they play in the network.



Root

In a hierarchy, the container that holds all other containers.



Root Certificate Authority (root CA)

A Certificate Authority that forms the top of the CA hierarchy.



Router

A system or device that forwards or drops packets between networks, based on the entries in its routing table.



Routing and Remote Access Services (RRAS)

The Windows Server 2003 service that accepts remote connections (dial-up and VPN) and can also act as a software router, supporting RIP and OSPF, NAT, packet filters, and demand-dial connections.



Routing Information Protocol (RIP)

A distance-vector protocol that dynamic routers use to share their routing tables. RIP measures distance in hop count and treats 16 hops as unreachable; it is older and less scalable than OSPF or BGP, which makes it suitable only for small networks.



Routing protocol

A type of protocol that is used by dynamic routers to share their routing tables with other routers.



Routing table

A table that describes routing decisions that a host can make. Minimum entries in the routing table include routes to each local network and a default route.



Routing table (route) utility

A utility that allows you to view and modify the routing table on a Windows computer.



S
secedit.exe

The command-line equivalent of the Security Configuration and Analysis snap-in.



Secondary DNS server

A server that provides name resolution for a zone but cannot be used to modify the zone. It contains a read-only copy of the zone file. Also known as a secondary master .



Secure dynamic update

A feature of Active Directory-integrated zones in which only authenticated clients can register or modify DNS records, and each record's ACL lets only the client (or DHCP server) that created it change it. This prevents one host from overwriting another's records while still allowing computers, domain controllers, and the DHCP server to update DNS automatically.



Secure security template

A security template that increases the level of security configured on a computer it is applied to above the default configuration. Secure templates prevent the use of the LAN Manager (LM) authentication protocol. Windows 9x clients need to have Active Directory Client Extensions installed to enable NTLMv2 so that they can communicate with Windows 2000 and later clients and servers that use these templates. These templates also impose additional restrictions on anonymous users, such as preventing them from enumerating account and share information.



Security Configuration and Analysis snap-in

An MMC snap-in that is used to configure, analyze, and implement security templates on a local computer. It can be used to create templates that are imported into GPOs for application to larger groups of computers.



Security log

A log, viewed in the Event Viewer, that contains auditing entries such as logon attempts, object access, and policy changes. Entries are written only for the categories enabled in the audit policy, and by default only administrators can read or clear it.



Security template

A text file (an .inf file, stored by default in %systemroot%\Security\Templates) that contains settings that configure the security settings of the computer or computers to which it is applied: account and audit policies, event log settings, restricted groups, service startup modes, and registry and file system permissions. Several preconfigured security templates come with Windows Server 2003, and you can edit and create your own custom ones as required.
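
Because a template is plain text, drift from the settings the Secure template entry above promises (LM refused, anonymous enumeration restricted) can be checked without applying the template. The following Python is an added example, not code from the book or from Windows: it parses a constructed template fragment in the .inf format and audits it. The section names and the "type,value" encoding of registry entries follow the real template format; the values in SAMPLE_TEMPLATE and WEAK_TEMPLATE and the audit thresholds are this example's assumptions.

```python
import configparser

# Constructed fragment of a Windows security template (.inf). The section
# names and the "type,value" encoding of [Registry Values] entries follow the
# format of the templates shipped with Windows Server 2003; the specific
# values below are assumed for illustration, not copied from securews.inf.
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 8
LockoutBadCount = 5
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\LmCompatibilityLevel=4,4
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\RestrictAnonymous=4,1
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\RestrictAnonymousSAM=4,1
"""

# The same template weakened to default-like values (also assumed).
WEAK_TEMPLATE = (SAMPLE_TEMPLATE
                 .replace("LmCompatibilityLevel=4,4", "LmCompatibilityLevel=4,0")
                 .replace("RestrictAnonymous=4,1", "RestrictAnonymous=4,0"))

# Registry type codes used in the "type,value" encoding.
REG_TYPES = {"1": "REG_SZ", "3": "REG_BINARY", "4": "REG_DWORD", "7": "REG_MULTI_SZ"}
LSA = "MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\"

# LmCompatibilityLevel ("Network security: LAN Manager authentication level").
# From level 2 the host stops sending LM responses; from level 4 a server
# also refuses LM responses from clients.
LM_LEVELS = {
    0: "Send LM & NTLM responses",
    1: "Send LM & NTLM, use NTLMv2 session security if negotiated",
    2: "Send NTLM response only",
    3: "Send NTLMv2 response only",
    4: "Send NTLMv2 response only, refuse LM",
    5: "Send NTLMv2 response only, refuse LM & NTLM",
}


def parse_template(text):
    """Parse template text into {section: {key: value}}, preserving key case
    (registry paths must not be lower-cased)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def registry_value(template, path):
    """Return (type name, value) for a [Registry Values] entry, or None if the
    template does not set it. REG_DWORD values are returned as int."""
    raw = template.get("Registry Values", {}).get(path)
    if raw is None:
        return None
    type_code, _, value = raw.partition(",")
    type_name = REG_TYPES.get(type_code, "REG_TYPE_" + type_code)
    return type_name, (int(value) if type_name == "REG_DWORD" else value)


def audit_template(text):
    """Report settings that fall short of what a Secure template is meant to
    enforce. The thresholds are this example's policy assumptions."""
    tpl = parse_template(text)
    findings = []
    lm = registry_value(tpl, LSA + "LmCompatibilityLevel")
    if lm is None or lm[1] < 4:
        shown = "unset" if lm is None else f"{lm[1]} ({LM_LEVELS.get(lm[1], 'unknown')})"
        findings.append(f"LM authentication not refused: LmCompatibilityLevel is {shown}")
    for name in ("RestrictAnonymous", "RestrictAnonymousSAM"):
        entry = registry_value(tpl, LSA + name)
        if entry is None or entry[1] < 1:
            shown = "unset" if entry is None else entry[1]
            findings.append(f"anonymous enumeration not restricted: {name} is {shown}")
    min_len = int(tpl.get("System Access", {}).get("MinimumPasswordLength", 0))
    if min_len < 8:
        findings.append(f"MinimumPasswordLength is {min_len}, below 8")
    return findings


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_TEMPLATE), ("weak", WEAK_TEMPLATE)):
        print(label, audit_template(text) or ["no findings"])
```

The same audit can be pointed at a template produced by secedit /export from a live server, which is how drift from an approved baseline is found across many machines.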



Security Templates snap-in

An MMC snap-in that can be used to safely create and modify security templates without danger of accidentally applying them to the local computer or the network.



Site

In Active Directory, one or more well-connected (high-bandwidth, reliable) TCP/IP subnets. Sites determine how and when replication between domain controllers is scheduled and let clients locate a nearby domain controller.



Snap-in

A tool that you can add to the MMC.



SPAP (Shiva Password Authentication Protocol)

A password authentication protocol introduced for Shiva remote access servers. SPAP sends the password under a reversible encryption scheme rather than using a challenge-response exchange, so it is weaker than the CHAP family and should be enabled only where Shiva clients must be supported.



Split horizon

A mechanism used with RIP to prevent routing loops: a router never advertises a route back out the interface through which it reaches that route, so the neighbor a route was learned from never sees that route offered back to it.



Split horizon with poison reverse

A variant of split horizon in which the router does advertise the routes it reaches through an interface back out that interface, but with an infinite metric (16 in RIP). The neighbor then marks those routes unreachable immediately instead of waiting for them to time out, at the cost of larger updates.
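
As an added example that is not part of the book, the following Python models a RIP router building its periodic update under three policies (no loop prevention, split horizon, and split horizon with poison reverse) and a neighbor processing that update, to show why the two mechanisms in the entries above matter. Router names, interface names and networks are constructed; the receive logic is a simplified form of the RIP rules, not Windows RRAS code.

```python
RIP_INFINITY = 16   # RIP treats 16 hops as "unreachable"

# Constructed routing table for router R1. Each entry maps a destination
# network to (hop-count metric, outgoing interface, next-hop router or None
# for a directly connected network). Routes via R2 were learned on eth1.
R1_TABLE = {
    "10.1.0.0/16": (1, "eth0", None),   # directly connected
    "10.2.0.0/16": (1, "eth1", None),   # directly connected (the link to R2)
    "10.3.0.0/16": (2, "eth1", "R2"),   # learned from R2
    "10.4.0.0/16": (3, "eth1", "R2"),   # learned from R2
    "10.5.0.0/16": (2, "eth2", "R3"),   # learned from R3
}

# Constructed table for R2, which reaches the link shared with R1 through
# its eth0 and is directly connected to 10.3.0.0/16 on its eth2.
R2_TABLE = {
    "10.2.0.0/16": (1, "eth0", None),
    "10.3.0.0/16": (1, "eth2", None),
    "10.4.0.0/16": (2, "eth2", "R4"),
    "10.1.0.0/16": (2, "eth0", "R1"),   # learned from R1
}


def build_update(table, out_iface, mode="none"):
    """Return the RIP response {destination: metric} sent out `out_iface`.

    "none":           advertise every route (no loop prevention).
    "split_horizon":  omit routes reached through out_iface.
    "poison_reverse": keep those routes but advertise them with metric 16,
                      so the neighbour marks them unreachable immediately
                      instead of waiting for them to time out.
    """
    update = {}
    for dest, (metric, via, _next_hop) in table.items():
        if via == out_iface and mode == "split_horizon":
            continue
        if via == out_iface and mode == "poison_reverse":
            update[dest] = RIP_INFINITY
        else:
            update[dest] = metric
    return update


def apply_update(table, in_iface, from_router, update):
    """Process a RIP response from `from_router` received on `in_iface`
    (RFC 2453 section 3.9.2, simplified): add one hop for the incoming link
    and cap at infinity. A metric from the router that is the current next
    hop is always accepted (infinity withdraws the route); from anyone else
    only an improvement is accepted. Returns the destinations that changed."""
    changed = []
    for dest, advertised in update.items():
        metric = min(advertised + 1, RIP_INFINITY)
        current = table.get(dest)
        if current is None:
            if metric < RIP_INFINITY:
                table[dest] = (metric, in_iface, from_router)
                changed.append(dest)
        elif current[2] == from_router:
            if current[0] != metric:
                table[dest] = (metric, in_iface, from_router)
                changed.append(dest)
        elif metric < current[0]:
            table[dest] = (metric, in_iface, from_router)
            changed.append(dest)
    return changed


def metric_after_link_failure(mode):
    """R2 loses its link to 10.3.0.0/16 and marks the route unreachable, then
    receives R1's next update (sent out R1's eth1, arriving on R2's eth0).
    Returns R2's resulting metric for 10.3.0.0/16: 16 means the failure is
    respected; anything lower means R2 now routes through R1, which routes
    back to R2, i.e. a loop that will count to infinity."""
    r2 = dict(R2_TABLE)
    r2["10.3.0.0/16"] = (RIP_INFINITY, "eth2", None)
    apply_update(r2, "eth0", "R1", build_update(R1_TABLE, "eth1", mode))
    return r2["10.3.0.0/16"][0]


if __name__ == "__main__":
    for mode in ("none", "split_horizon", "poison_reverse"):
        print(f"{mode:<15} R1 -> R2 update: {build_update(R1_TABLE, 'eth1', mode)}")
        print(f"{'':<15} R2 metric for 10.3.0.0/16 after its link fails: "
              f"{metric_after_link_failure(mode)}")
```

Without loop prevention R2 accepts R1's stale route (metric 3) and traffic for 10.3.0.0/16 bounces between the two routers; with split horizon the route is simply absent from R1's update, and with poison reverse it arrives as 16 and is ignored, while R2's own withdrawal (metric 16 sent to R1) is accepted by R1 because R2 is its next hop.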



Standalone CA

A certificate authority that can be installed with or without Active Directory and that does not use certificate templates. By default, certificate requests are set to pending until an administrator reviews and approves them. A standalone CA is the usual choice for an offline root CA.



Standard primary zone

A DNS zone file that holds the master writable copy of a zone and can transfer it to all configured secondary zones.



Standard secondary zone

A DNS zone file that holds a read-only copy of the zone file and is used to provide increased reliability and performance.



Start of Authority (SOA) record

In a DNS zone file, the record that provides the zone parameters to all the DNS servers for the zone: the zone's serial number and its refresh, retry, expire, and minimum TTL timers. The SOA record also names the primary server for the zone and the e-mail address of the person responsible for it. Secondary servers compare the serial number in the primary's SOA record with their own to decide whether a zone transfer is needed.



Stub zone

A DNS zone type new in Windows Server 2003 that contains only the resource records needed to identify the authoritative DNS servers for another zone: the SOA record, the NS records, and the glue A records for those name servers. A stub zone keeps its list of name servers current automatically.



Subnet

A subdivision of a TCP/IP internetwork that communicates with other subnets through routers.



Subnet mask

In TCP/IP, a mask that is used to determine what subnet an IP address belongs to. A subnet mask enables a host or a router to determine which portion of an IP address is the network ID and which is the host ID. The host can then use this information to determine whether to send a packet to a host on the local network or to a router.
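
The following Python, an added example rather than material from the book, shows the operations this entry and the Routing table entry above describe: applying a subnet mask to separate network ID from host ID, testing whether a destination is on the local subnet, and resolving a destination against a table of routes by longest-prefix match with the default route as the fallback. The routing table and addresses (HOST_IP, SAMPLE_ROUTES) are constructed for illustration.

```python
import ipaddress

# Constructed routing table for a Windows Server 2003 host whose interface
# address is 192.168.1.10, in the column order shown by "route print":
# (network destination, netmask, gateway, interface, metric). All addresses
# are assumed for illustration. On Windows Server 2003 an on-link route
# lists the interface's own address as the gateway.
HOST_IP = "192.168.1.10"
SAMPLE_ROUTES = [
    ("0.0.0.0",     "0.0.0.0",       "192.168.1.1",   HOST_IP, 20),  # default route
    ("192.168.1.0", "255.255.255.0", HOST_IP,         HOST_IP, 20),  # local network
    ("10.0.0.0",    "255.0.0.0",     "192.168.1.254", HOST_IP, 30),  # summary via one router
    ("10.20.0.0",   "255.255.0.0",   "192.168.1.253", HOST_IP, 30),  # more specific, other router
]


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def _to_str(value):
    return str(ipaddress.IPv4Address(value))


def split_address(ip, mask):
    """Apply the subnet mask: return (network ID, host ID) as dotted quads."""
    ip_i, mask_i = _to_int(ip), _to_int(mask)
    return _to_str(ip_i & mask_i), _to_str(ip_i & ~mask_i & 0xFFFFFFFF)


def same_subnet(ip_a, ip_b, mask):
    """True when both addresses share a network ID under `mask`, i.e. the
    sending host may deliver directly instead of handing off to a router."""
    return split_address(ip_a, mask)[0] == split_address(ip_b, mask)[0]


def lookup_route(dest, routes, host_ip=HOST_IP):
    """Longest-prefix match over the table: the matching entry with the most
    mask bits wins, ties broken by the lowest metric. The default route
    (0.0.0.0/0) matches everything and so only wins when nothing more
    specific does. Returns (route, decision) with decision 'on-link',
    'via-gateway' or 'unreachable'."""
    dest_i = _to_int(dest)
    best, best_key = None, None
    for route in routes:
        network, mask, gateway, iface, metric = route
        mask_i = _to_int(mask)
        if dest_i & mask_i != _to_int(network):
            continue
        key = (bin(mask_i).count("1"), -metric)   # prefix length first, then metric
        if best_key is None or key > best_key:
            best, best_key = route, key
    if best is None:
        return None, "unreachable"
    gateway = best[2]
    decision = "on-link" if gateway in ("0.0.0.0", host_ip) else "via-gateway"
    return best, decision


if __name__ == "__main__":
    for target in ("192.168.1.77", "10.20.5.1", "10.9.9.9", "8.8.8.8"):
        route, decision = lookup_route(target, SAMPLE_ROUTES)
        print(f"{target:>14} -> {decision:<12} {route}")
```

Note that 10.20.5.1 is sent to 192.168.1.253 even though the 10.0.0.0/8 entry also matches: the /16 entry is more specific, which is the same rule Windows applies when a persistent route added with route add -p overlaps a broader one.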



Subordinate CA

A CA whose certificate was issued by a parent CA above it in the hierarchy. In a multi-tier hierarchy, intermediate subordinate CAs certify other CAs, while issuing subordinate CAs at the lowest level issue certificates directly to users and network hosts, so that the root CA can remain offline.



Suffix

The trailing part of a DNS name that places it under a higher-level domain; for example, .com is the suffix that places example.com under the com top-level domain. On a Windows host, the primary DNS suffix (such as corp.example.com) is appended to unqualified host names before they are resolved.



SUS (Software Update Services)

An add-on service for Windows 2000 and Windows Server 2003 networks that provides the functionality of a Windows Update Web server on the internal network. SUS allows you to select which available updates are authorized for distribution to network clients, thus ensuring that only the updates you have tested and approved are installed.



T
Terminal Services

An RDP-based service offered by Windows NT, Windows 2000, and Windows Server 2003 servers allowing thin clients to connect to the server and utilize applications stored on the server.



Top-level domain (TLD)

A domain that exists directly underneath the root domain.



tracert

A command-line utility that traces the route packets take between the local host and a destination host and displays each hop. It sends ICMP echo requests with increasing TTL values and records the router that returns each ICMP Time Exceeded message; hops that drop or do not answer the probes appear as asterisks.



Transmission Control Protocol/Internet Protocol (TCP/IP)

The suite of communications protocols used to connect hosts on the Internet.



Transport Mode

An IPSec mode in which only the payload of the original IP packet is protected and the original IP header stays in place, so the two communicating hosts are themselves the IPSec endpoints. Commonly used between two hosts on a private network.



Tree

A logical group of Windows Server 2003 domains that share a common DNS namespace.



Tunnel Mode

An IPSec mode in which the entire original IP packet is encapsulated inside a new IP packet whose header is addressed to the two configured tunnel endpoints, such as security gateways, so the inner addresses are hidden in transit. Used when a tunnel is created between two endpoints, such as a gateway-to-gateway VPN between sites.



U
Universal Naming Convention (UNC)

A naming convention that is used to define a resource on a Windows Server 2003 server network. A share named DOCS on the server SERVER1 could be accessed using the UNC path \\SERVER1\DOCS.



User logon name

The account name used in the DOMAIN\user form, such as CORP\will, commonly referred to as the pre-Windows 2000 logon name. It is stored in the account's sAMAccountName attribute and is limited to 20 characters.



User principal name (UPN)

An Internet-style logon name for an Active Directory user account in the form user@DNS-domain-name, such as will@corp.mcseworld.com. By default the suffix is the DNS name of the account's domain, but alternative UPN suffixes can be defined for the forest; a UPN must be unique across the forest.



V
Validity period

The length of time a digital certificate is valid, bounded by the not-before and not-after dates in the certificate. A certificate within its validity period can still be rejected if it has been revoked.



Virtual private network (VPN)

A mechanism for providing secure, private communications, utilizing a public network (such as the Internet) as the transport method. VPNs use a combination of encryption and authentication technologies to ensure data integrity and security.



Volume shadow copy

A new feature in Windows Server 2003 that provides two distinct functions. The first allows the Windows Backup Utility (or ntbackup from the command line) to back up open files as if they were closed. The second provides a means to create and store up to 64 historical versions of files located within a network share, which users can restore themselves through the Previous Versions client.



W
Windows 2000 mixed mode

The domain functional level that allows Windows NT 4.0 domain controllers to exist and function within a Windows Server 2003 domain. This is the default setting when Active Directory is installed; it can be raised to Windows 2000 native mode or to the Windows Server 2003 functional level.



Windows 2000 native mode

The domain functional level in which all domain controllers in the domain run Windows 2000 or Windows Server 2003 and there are no longer any Windows NT 4.0 domain controllers. An administrator explicitly raises the domain to native mode, at which point it cannot be returned to mixed mode; native mode enables features such as universal security groups and group nesting.



Windows 2003 functional level

The highest functional level of either the domain or the forest in Windows Server 2003. It requires every domain controller in the domain (or, for the forest level, in every domain of the forest) to run Windows Server 2003, and it implements all the new features of Windows Server 2003 Active Directory, such as domain renaming and forest trusts at the forest level.



Windows Internet Naming Service (WINS)

A service that runs on a Windows Server 2003 server to provide NetBIOS name resolution. When you use WINS, name resolution is performed using directed transmissions, resulting in a reduction in broadcast traffic and the capability to find systems on different subnets. WINS replaces the LMHOSTS file in a fashion similar to the way DNS replaced the HOSTS file.



Wireless LAN (WLAN)

A local area network that uses one of the 802.11 standards, such as 802.11b or 802.11a.



Workgroup

A grouping of computers and resources that use a decentralized authentication and management system: each computer keeps its own local accounts database, so a user needs a separate account on every machine whose resources they use.



Z
Zone

A contiguous portion of the DNS namespace for which a DNS server holds authoritative data. A zone may cover one domain, or a domain together with those of its subdomains that have not been delegated to other servers.



Zone transfer

The process of copying DNS resource records from a primary zone to a secondary zone, either as a full transfer (AXFR) of the whole zone or an incremental transfer (IXFR) of the changes since a given serial number. The secondary initiates the transfer when the serial number in the primary's SOA record is newer than its own. Because a zone transfer hands out every record in the zone, Windows Server 2003 DNS lets you restrict which servers may request one (the Zone Transfers tab of the zone's properties), and the "To any server" option should not be used for zones reachable from untrusted networks.
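
The decision described here and in the Start of Authority entry above rests on two small pieces of logic: reading the SOA timers, and comparing serial numbers correctly. The following Python is an added example, not code from the book or from the Windows DNS server: it parses a constructed SOA record in zone-file syntax and implements the RFC 1982 serial comparison that decides whether a secondary should start a transfer, including the 32-bit wraparound case that a naive integer comparison gets wrong. The zone name, server names and timer values in SAMPLE_SOA are assumed.

```python
SERIAL_BITS = 32
SERIAL_MOD = 1 << SERIAL_BITS
SERIAL_HALF = 1 << (SERIAL_BITS - 1)

# Constructed SOA record in zone-file syntax (parenthesised multi-line form
# with ';' comments). Names and timer values are assumed for illustration.
SAMPLE_SOA = """\
corp.example.com.  IN  SOA  dc1.corp.example.com. hostmaster.corp.example.com. (
        2003101502  ; serial (YYYYMMDDnn convention)
        900         ; refresh: how often secondaries poll the primary's SOA
        600         ; retry: poll interval after a failed refresh
        86400       ; expire: secondaries stop answering after this long without success
        3600 )      ; minimum TTL (negative-caching TTL)
"""


def rname_to_email(rname):
    """Turn the SOA RNAME into an e-mail address: the first unescaped dot
    separates the local part from the domain, and '\\.' is a literal dot."""
    local, escaped = [], False
    for idx, ch in enumerate(rname):
        if escaped:
            local.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ".":
            return "".join(local) + "@" + rname[idx + 1:].rstrip(".")
        else:
            local.append(ch)
    return "".join(local)


def parse_soa(text):
    """Parse one SOA record. Comments and parentheses are removed first; the
    five timer fields are expected as plain integers (no 1H/1D suffixes)."""
    uncommented = "\n".join(line.split(";", 1)[0] for line in text.splitlines())
    tokens = uncommented.replace("(", " ").replace(")", " ").split()
    at = tokens.index("SOA")
    soa = {"owner": tokens[0], "mname": tokens[at + 1], "rname": tokens[at + 2]}
    for name, value in zip(("serial", "refresh", "retry", "expire", "minimum"),
                           tokens[at + 3:at + 8]):
        soa[name] = int(value)
    soa["contact"] = rname_to_email(soa["rname"])
    return soa


def serial_gt(a, b):
    """RFC 1982 serial number arithmetic: is serial a newer than serial b,
    allowing for 32-bit wraparound? Serials exactly 2^31 apart are undefined
    and compare as not-newer here."""
    a, b = a % SERIAL_MOD, b % SERIAL_MOD
    return (a > b and a - b < SERIAL_HALF) or (a < b and b - a > SERIAL_HALF)


def should_transfer(local_serial, primary_serial):
    """A secondary starts a zone transfer only when the primary's SOA serial
    is newer than the one it holds; an equal or older serial means no transfer."""
    return serial_gt(primary_serial, local_serial)


def zone_state(seconds_since_last_success, soa):
    """What a secondary should do given the time since its last successful
    refresh or transfer, according to the SOA timers."""
    if seconds_since_last_success >= soa["expire"]:
        return "expired"        # stop answering authoritatively for the zone
    if seconds_since_last_success >= soa["refresh"]:
        return "refresh-due"    # query the primary's SOA and compare serials
    return "fresh"


if __name__ == "__main__":
    soa = parse_soa(SAMPLE_SOA)
    print(soa)
    print("transfer needed from serial 2003101501:",
          should_transfer(2003101501, soa["serial"]))
```

The wraparound rule matters in practice: an administrator who resets a zone's serial to a small value after using the YYYYMMDDnn convention will find that secondaries (and this function) treat the new serial as older, and no transfer happens until the serial is moved forward across the 2^31 boundary.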





MCSE Windows Server 2003 Network Infrastructure (Exam 70-293)
MCSE 70-293 Exam Prep: Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure (2nd Edition)
ISBN: 0789736500
Year: 2003
Pages: 151
Authors: Will Schmied
