access control entry (ACE)   One of the entries on the access control list (ACL) that controls user account or group access to a resource. The entry must allow the type of access that is requested (for example, Read access) for the user to gain access. If no ACE exists in the ACL, the user can't gain access to the resource or folder on an NTFS partition.

access control list (ACL)   The mechanisms for limiting access to certain items of information or certain controls based on users' identity and their membership in various predefined groups. Access control is typically used by system administrators for controlling user access to network resources such as servers, directories, and files, and is typically implemented by granting permissions to users and groups for access to specific objects.

access token   The user's identification for the computers in the domain or for that local computer. The access token contains the user's security settings, including the user's security ID (SID).

Account   See user account.

account lockout   A Microsoft Windows 2000 security feature that locks a user account if a number of failed logon attempts takes place within a specified amount of time, based on security policy lockout settings. Locked accounts cannot log on.

account policy   Controls how passwords must be used by all user accounts in a domain or on an individual computer.

Active Directory Domains and Trusts console   An administrative tool that allows you to manage trust relationships between domains. These domains can be Microsoft Windows 2000 domains in the same forest, Windows 2000 domains in different forests, pre-Windows 2000 domains, and even Kerberos v5 realms.

Active Directory schema   A description of the object classes and attributes stored in Active Directory directory service. For each object class, the schema defines the attributes an object class must have, the additional attributes it may have, and the object class that can be its parent. The Active Directory schema can be updated dynamically by creating or modifying the schema objects stored in Active Directory. Like every object in Active Directory, schema objects have an access control list (ACL), so only authorized users may alter the schema.

Active Directory Schema console   An administrative tool that allows you to view and modify Active Directory schema. You must install the Active Directory Schema console from the Microsoft Windows 2000 Administration tools on the Windows 2000 Server CD-ROM.

Active Directory directory service   The directory service included with Microsoft Windows 2000 Server. It stores information about objects on a network and makes this information available to users and network administrators. Active Directory allows users to use a single logon process to access permitted resources anywhere on the network. Active Directory provides network administrators with an intuitive hierarchical view of the network and a single point of administration for all network objects.

Active Directory Service Interfaces (ADSI)   A directory service model and a set of Component Object Model (COM) interfaces. ADSI enables Microsoft Windows 95, Windows 98, Windows NT, and Windows 2000 applications to access several network directory services, including Active Directory.

Active Directory Sites and Services console   An administrative tool that contains information about the physical structure of your network. Active Directory uses this information to determine how to replicate directory information and handle service requests.

Active Directory Support Tools   Additional administrative tools that can be used to configure, manage, and debug Active Directory; included in Microsoft Windows 2000 Support Tools. The Windows 2000 Support Tools are included on the Windows 2000 CD-ROM in the \Support\Tools folder. These tools are intended for use by Microsoft support personnel and experienced users to assist in diagnosing and resolving computer problems.

Active Directory Users and Computers console   An administrative tool designed to perform day-to-day Active Directory administration tasks. These tasks include creating, deleting, modifying, moving, and setting permissions on objects stored in the directory. These objects include organizational units, users, contacts, groups, computers, printers, and shared file objects.

Advanced Configuration and Power Interface (ACPI)   An open industry specification that defines power management for a wide range of mobile, desktop, and server computers and peripherals. ACPI is the foundation for the OnNow industry initiative that allows system manufacturers to deliver computers that start at the touch of a keyboard. ACPI design is essential to take full advantage of power management and Plug and Play in Windows 2000.

application assignment   A process that uses Software Installation (an extension of Group Policy) to assign programs to groups of users. The programs appear to be installed and available on the users' desktops when they log on. You assign programs to a particular group policy object (GPO), which in turn is associated with a selected directory object (site, domain, or organizational unit). When you assign programs, they are advertised to every user managed by the GPO. Advertising the program installs only enough information about the program to make program shortcuts appear on the Start menu and the necessary file associations appear in the registry. When users managed by the GPO log on to a computer running Microsoft Windows 2000, the program appears on their Start menu. When users select the program from the Start menu for the first time, the program is installed. You can also install advertised programs by clicking a document managed by the program (either by file extension or by COM-based activation).

asymmetric digital subscriber line (ADSL)   A modem technology that converts existing twisted-pair telephone lines into access paths for multimedia and high-speed data communications. These new connections can transmit more than 8 Mbps to the subscriber and up to 1 Mbps from the subscriber. ADSL is recognized as a physical layer transmission protocol for unshielded twisted-pair media.

Asynchronous Transfer Mode (ATM)   A high-speed, connection-oriented protocol used to transport multiple types of traffic across a network. ATM packages data in a 53-byte, fixed-length cell that can be switched quickly between logical connections on a network.

audit policy   A policy that determines the security events to be reported to the network administrator.

auditing   The process that tracks the activities of users by recording selected types of events in the Security log of a server or a workstation.

authentication   The process by which the system validates the user's logon information. A user's name and password are compared against an authorized list. If the system detects a match, access is granted to the extent specified in the permissions list for that user. When a user logs on to an account on a computer running Microsoft Windows 2000 Professional, the authentication is performed by the workstation. When a user logs on to an account on a Windows 2000 Server domain, any server in that domain may perform authentication.

Author mode   A console mode that enables full access to all Microsoft Management Console (MMC) functionality, including adding or removing snap-ins, creating new windows, viewing all portions of the console tree, and saving MMCs.

authoritative restore   A type of restore operation on a Microsoft Windows 2000 domain controller in which the objects in the restored directory are treated as authoritative, replacing (through replication) all existing copies of those objects. Authoritative restore is applicable only to replicated System State data such as Active Directory data and File Replication service data. You must use the NTDSUTIL.EXE utility to perform an authoritative restore.


backup domain controller (BDC)   In Microsoft Windows NT Server 4.0 or earlier, a computer running Windows NT Server that receives a copy of the domain's directory database (which contains all account and security policy information for the domain). The copy is synchronized periodically and automatically with the master copy on the primary domain controller (PDC). BDCs also authenticate user logon information and can be promoted to function as PDCs as needed. Multiple BDCs can exist in a domain. Windows NT 3.51 and 4.0 BDCs can participate in a Microsoft Windows 2000 domain when the domain is configured in Mixed mode.

backup job   A single process of backing up data.

backup set   A collection of files, folders, and other data that have been backed up and stored in a file or on one or more tapes.

backup types   The methods that determine which data is backed up and how it is backed up. There are five backup types: copy, daily, differential, incremental, and normal.

Bandwidth Allocation Protocol (BAP)   A Point-to-Point Protocol (PPP) control protocol that helps provide bandwidth on demand. BAP dynamically controls the use of multi-linked lines and is an efficient mechanism for controlling connection costs while dynamically providing optimum bandwidth.

boot files   The system files needed to start Microsoft Windows 2000. For Intel-based computers, this includes Ntldr and For Compaq Alpha-based systems, this is OSLOADER.EXE.

Boot Information Negotiation Layer (BINL)   A service that runs on the Microsoft Windows 2000 Server and acts on client boot requests.

boot logging   A process in which a computer that is starting (booting) creates a log file that records the loading of each device and service. In Microsoft Windows 2000, this log file is called NTBTLOG.TXT and is saved in the systemroot directory.

boot partition   The partition that contains the Microsoft Windows 2000 operating system and its support files. The boot partition can be, but does not have to be, the same as the system partition.

boot volume   The volume that contains the Microsoft Windows 2000 operating system and its support files. The boot volume can be, but does not have to be, the same as the system volume.

built-in groups   The default groups provided with Microsoft Windows 2000 Professional and Windows 2000 Server. Built-in groups have been granted useful collections of rights and built-in abilities. In most cases, built-in groups provide all the capabilities needed by a particular user.

built-in user account   Default data that is used to perform administrative tasks or to gain access to network resources.


CA   See certificate authority (CA).

callback   A Microsoft Windows 2000 feature that you can set to cause the remote server to disconnect and call back the client attempting to access the remote server. This reduces the client's phone bill by having the call charged to the remote server's phone number. The callback feature can also improve security by calling back the phone number that you specified.

certificate   A collection of data used for authentication and secure exchange of information on nonsecured networks, such as the Internet. A certificate securely binds a public key to the entity that holds the corresponding private key. Certificates are digitally signed by the issuing CA and can be managed for a user, computer, or service. The most widely accepted format for certificates is defined by ITU-T X.509 international standards.

certificate authority (CA)   An entity responsible for establishing the authenticity of public keys belonging to users or other CAs. Activities of a CA may include binding public keys to distinguished names through signed certificates, managing certificate serial numbers, and revoking certificates.

certificate services   Software services that provide authentication support, including secure e-mail, Web-based authentication, and smart card authentication. These services contrast with Internet Authentication Services (IAS), which provide authentication for dial-in users.

child domain   For Domain Name System (DNS), domains located in the namespace tree directly beneath another domain name (the parent domain). For example, would be a child domain of the parent domain, A child domain is also called a subdomain.

child object   An object that resides in another object. For example, a file is a child object that resides in a folder, which is the parent object.

Client Installation wizard   In Remote Installation Services (RIS), the Client Installation wizard makes installation options available to the client.

common groups   Groups that appear in the program list on the Start menu for all users who log on to the computer. Only administrators can create or change common groups.

computer account   An account that is created by a domain administrator and uniquely identifies the computer on the domain. The Microsoft Windows 2000 computer account matches the name of the computer joining the domain.

console   A collection of administrative tools.

console mode   The technique used to determine the Microsoft Management Console (MMC) functionality for the person who is using a saved MMC. The two available console modes are Author mode and User mode.

console tree   The left pane in a Microsoft Management Console (MMC) that displays the items contained in the console. By default it is the left pane of a console window, but it can be hidden. The items in the console tree and their hierarchical organization determine the capabilities of a console.


data store (the database file NTDS.DIT)   The directory database.

default groups   Groups that have a predetermined set of user rights or group membership. Microsoft Windows 2000 has four categories of default groups: predefined, built-in, built-in local, and special identity.

default user profile   The profile that serves as a basis for all user profiles. Every user profile begins as a copy of the default user profile, which is stored on each computer running Microsoft Windows 2000 Professional or Windows 2000 Server.

details pane   The pane in the Microsoft Management Console (MMC) that displays the details for the selected item in the console tree. The details can be a list of items or they can be administrative properties, services, and events that are acted on by a console or snap-in.

Dfs link   A link from a distributed file system (Dfs) root to one or more shared files, another Dfs root, or a domain-based volume.

Dfs replication   The process of copying data from a data store or file system to multiple computers to synchronize the data. Active Directory directory services provides multimaster replication of the directory between domain controllers within a given domain. The replicas of the directory on each domain controller are writeable. This allows updates to be applied to any replica of a given domain. The replication service automatically copies the changes from a given replica to all other replicas.

Dfs root   A container for files and Dfs links.

DHCP   See Dynamic Host Configuration Protocol (DHCP).

DHCP client   Any network-enabled device that supports the ability to communicate with a Dynamic Host Configuration Protocol (DHCP) server for the purpose of obtaining dynamic leased Internet Protocol (IP) configuration and related optional parameters information.

DHCP scope   A range of Internet Protocol (IP) addresses that are available to be leased or assigned to Dynamic Host Configuration Protocol (DHCP) clients by the DHCP service.

DHCP server   In Microsoft Windows 2000 Server, a computer running the Microsoft Dynamic Host Configuration Protocol (DHCP) service that offers dynamic configuration of Internet Protocol (IP) addresses and related information to DHCP-enabled clients.

differential backup   A backup method that copies files created or changed since the last normal (or incremental) backup. It does not mark files as having been backed up.

digital signature   A means for originators of a message, file, or other digitally encoded information to bind their identity to the information. The process of signing information entails transforming the information, as well as some secret information held by the sender, into a tag called a signature.

digital video disc (DVD)   Also known as a digital versatile disc, an optical storage medium with higher capacity and bandwidth than a compact disc. A DVD can hold a full-length film with up to 133 minutes of high-quality video (in MPEG-2 format) and audio.

direct memory access (DMA)   Memory access that doesn't involve the microprocessor, frequently employed for data transfer directly between memory and an "intelligent" peripheral device such as a disk drive.

direct memory access (DMA) channel   A channel for direct memory access that doesn't involve the microprocessor, providing data transfer directly between memory and a disk drive.

directory   An information source (for example, a telephone directory) that contains information about people, computer files, or other objects. In a file system, a directory stores information about files. In a distributed computing environment (such as a Microsoft Windows 2000 domain), the directory stores information about objects such as printers, fax servers, applications, databases, and other users.

directory database   The physical storage for each replica of Active Directory. Directory database is also called the data store.

directory service   Provides the methods for storing directory data and making this data available to network users and administrators. For example, Active Directory stores information about user accounts, such as names, passwords, phone numbers, and so on, and enables other authorized users on the same network to access this information.

Directory Services Restore mode   A special safe mode that allows you to restore the System State data on a domain controller. When your computer is started in this mode you can restore the SYSVOL directory and Active Directory directory services database. You can only restore System State data on a local computer. You cannot restore the System State data on a remote computer.

Directory System Agent (DSA)   A software construct that builds a hierarchy from the parent-child relationships stored in the directory. Provides application programming interfaces (APIs) for directory access calls.

Discretionary Access Control List (DACL)   A list that represents part of an object's security descriptor that allows or denies permissions to specific users and groups.

disk duplexing   See disk mirroring.

disk duplicating   See disk mirroring.

diskless computers   Computers that have neither a floppy disk nor a hard disk. Diskless computers depend on special ROM to provide users with an interface through which they can log on to the network.

disk mirroring   A technique, also known as disk duplicating, in which all or part of a hard disk is duplicated onto one or more hard disks, each of which ideally is attached to its own controller. With disk mirroring, any change made to the original disk is simultaneously made to the other disk or disks. Disk mirroring is used in situations in which a backup copy of current data must be maintained at all times. See also disk striping.

disk striping   A technique that divides data into 64 K blocks and spreads it equally in a fixed rate and order among all disks in an array. Disk striping doesn't provide any fault tolerance because there is no data redundancy. If any partition in the set fails, all data is lost. See also disk mirroring.

distinguished name (DN)   A name that uniquely identifies an object by using the relative name for the object, plus the names of container objects and domains that contain the object. The distinguished name identifies the object as well as its location in a tree. Every object in Active Directory has a distinguished name. A typical distinguished name might be: CN=MyName,CN=Users,DC=Microsoft, DC=Com. This identifies the MyName user object in the domain.

distributed file system (Dfs)   A service used to build a logical structure of file shares from separate computers and present it to users and administrators in a single directory tree.

distribution server   A server that stores the distribution folder structure, which contains the files needed to install a product, for example, Microsoft Windows 2000.

DNS name server   In the Domain Name System (DNS) client/server model, the server containing information about a portion of the DNS database that makes computer names available to client resolvers querying for name resolution across the Internet.

domain   In Microsoft Windows 2000 and Active Directory, a collection of computers defined by the administrator of a Windows 2000 Server network that share a common directory database. A domain has a unique name and provides access to the centralized user accounts and group accounts maintained by the domain administrator. Each domain has its own security policies and security relationships with other domains and represents a single security boundary of a Windows 2000 computer network. Active Directory is made up of one or more domains, each of which can span more than one physical location. For Domain Name System (DNS), a domain is any tree or subtree within the DNS namespace. Although the names for DNS domains often correspond to Active Directory domains, DNS domains should not be confused with Windows 2000 and Active Directory networking domains.

domain controller   In a Microsoft Windows 2000 Server domain, a computer running Windows 2000 Server that manages user access to a network, which includes logging on, authentication, and access to the directory and shared resources.

domain local group   A security or distribution group that can contain universal groups, global groups, and accounts from any domain in the domain tree or forest. A domain local group can also contain other domain local groups from its own domain. Rights and permissions can be assigned only at the domain containing the group.

domain model   A grouping of one or more domains with administration and communication links between them that is arranged for the purpose of user and resource management.

domain name   In Microsoft Windows 2000 and Active Directory, the name given by an administrator to a collection of networked computers that share a common directory. For Domain Name System (DNS), domain names are specific node names in the DNS namespace tree. DNS domain names use singular node names joined together by periods (.) that indicate each node level in the namespace.

Domain Name System (DNS)   A static, hierarchical name service for Transmission Control Protocol/Internet Protocol (TCP/IP) hosts. The network administrator configures the DNS with a list of host names and Internet Protocol (IP) addresses, allowing users of workstations configured to query the DNS to specify remote systems by host names rather than IP addresses. DNS domains should not be confused with Microsoft Windows 2000 networking domains.

domain namespace   The database structure used by the Domain Name System (DNS).

domain naming master   The domain controller assigned to control the addition or removal of domains in the forest. At any time, there can be only one domain naming master in the forest.

domain user account   A database that allows a user to log on to the domain to gain access to network resources.

Dynamic DNS (DDNS)   Enables clients with dynamically assigned addresses to register directly with a server running the Domain Name System (DNS) service and update the DNS table dynamically. DDNS eliminates the need for other Internet naming services, such as Windows Internet Name Service (WINS), in a homogeneous environment.

Dynamic Host Configuration Protocol (DHCP)   A Transmission Control Protocol/Internet Protocol (TCP/IP) service protocol that offers dynamic leased configuration of host IP addresses and distributes other configuration parameters to eligible network clients. DHCP provides safe, reliable, and simple TCP/IP network configuration, prevents address conflicts, and helps conserve the use of client Internet Protocol (IP) addresses on the network. DHCP uses a client/server model where the DHCP server maintains centralized management of IP addresses that are used on the network. DHCP-supporting clients can then request and obtain lease of an IP address from a DHCP server as part of their network boot process.

dynamic-link library   An operating system feature that allows executable routines (generally serving a specific function or set of functions) to be stored separately as files with .dll extensions. These routines are loaded only when needed by the program that calls them.

dynamic volume   A logical volume that is created using Disk Management. Dynamic volume types include simple, spanned, striped, mirrored, and RAID-5. You must create dynamic volumes on dynamic disks.


effective permissions   The sum of the NTFS permissions assigned to the user account and to all of the groups to which the user belongs. If a user has Read permission for a folder and is a member of a group with Write permission for the same folder, the user has both Read and Write permission for the folder.

EFS   See encrypting file system (EFS).

encrypting file system (EFS)   Microsoft Windows 2000 file system that enables users to encrypt files and folders on an NTFS volume to keep them safe from intruders who have physical access to the disk.

encryption   The process of making information indecipherable to protect it from unauthorized viewing or use, especially during transmission or when the data is stored on a transportable magnetic medium. A key is required to decode the information.

environment subsystems   Components of the Microsoft Windows 2000 User mode that emulate different operating systems by presenting the application programming interfaces (APIs) that the applications expect to be available. The environment subsystems accept the API calls made by the application, convert the API calls into a format understood by Windows 2000, and then pass the converted API to the Executive Services for processing.

Event Log service   A service that records events in the system, security, and application logs. The Event Log service is located in Event Viewer.

event logging   The Microsoft Windows 2000 process of recording an audit entry in the audit trail whenever certain events occur, such as services starting and stopping or users logging on and off and accessing resources. You can use Event Viewer to review AppleTalk network integration (formerly Services for Macintosh) events as well as Windows 2000 events.

Event Viewer   Maintains logs about application, security, and system events on your computer.

Everyone group   In Microsoft Windows NT, includes all local and remote users who have connected to the computer, including those who connect as guests. You cannot control who becomes a member of the Everyone group; however, you can assign permissions and rights.

explicit one-way nontransitive trust   A type of trust relationship in which only one of the two domains trusts the other domain. For example, Domain A trusts Domain B and Domain B does not trust Domain A. All one-way trusts are nontransitive.

extended partition   A portion of a basic disk that can contain logical drives. Use an extended partition if you want to have more than four volumes on your basic disk. Only one of the four partitions allowed per physical disk can be an extended partition, and no primary partition needs to be present to create an extended partition. Extended partitions can be created only on basic disks.

Extensible Authentication Protocol (EAP)   An extension to the Point-to-Point Protocol (PPP) that works with Dial-Up, Point-to-Point Tunneling Protocol (PPTP), and Layer Two Tunneling Protocol (L2TP) clients. EAP allows for an arbitrary authentication mechanism to validate a dial-in connection. The exact authentication method to be used is negotiated by the dial-in client and the remote access server.

Extensible Storage Engine (ESE)   The Active Directory database engine. ESE (Esent.dll) is an improved version of the Jet database that is used in Microsoft Exchange Server versions 4.x and 5.5. It implements a transacted database system, which means that it uses log files to ensure that committed transactions are safe.

extension snap-ins   Usually referred to simply as extensions. They are snap-ins that provide additional administrative functionality to other snap-ins.


file replication service (FRS)   A service used by the Microsoft distributed file system (Dfs) to automatically synchronize content between assigned replicas, and by Active Directory Sites and Services to replicate topological and global catalog information across domain controllers.

file sharing   The ability of a computer running Microsoft Windows 2000 to share parts (or all) of its local file system(s) with remote computers.

folder redirection   An extension within group policy that allows you to redirect the following Microsoft Windows 2000 special folders to network locations: Application Data, Desktop, My Documents, My Pictures, and Start Menu.

forest   A collection of one or more Microsoft Windows 2000 domains that share a common schema, configuration, and global catalog, and are linked with two-way transitive trusts.

forward lookup   In Domain Name System (DNS), a query process in which the friendly DNS domain name of a host computer is searched to find its Internet Protocol (IP) address.

full zone transfer (AXFR)   The standard query type supported by all Domain Name System (DNS) servers to update and synchronize zone data when the zone has been changed. When a DNS query is made using AXFR as the specified query type, the entire zone is transferred as the response.

fully qualified domain name (FQDN)   A Domain Name System (DNS) domain name that has been stated unambiguously so as to indicate with absolute certainty its location in the domain namespace tree. Fully qualified domain names differ from relative names in that they are typically stated with a trailing period (.), for example,, to qualify their position to the root of the namespace.


global account   For Microsoft Windows 2000 Server, a normal user account in a user's domain. Most user accounts are global accounts. If there are multiple domains in the network, it is best if each user in the network has only one user account in only one domain, and each user's access to other domains is accomplished through the establishment of domain trust relationships.

global catalog   A domain controller that contains a partial replica of every domain in Active Directory. A global catalog holds a replica of every object in Active Directory, but with a limited number of each object's attributes. The global catalog stores those attributes most frequently used in search operations (such as a user's first name and last name) and those attributes required to locate a full replica of the object. The Active Directory replication system builds the global catalog automatically. The attributes replicated into the global catalog include a base set defined by Microsoft. Administrators can specify additional properties to meet the needs of their installation.

global catalog server   A Microsoft Windows 2000 domain controller that holds a copy of the global catalog for the forest.

global group   For Microsoft Windows 2000 Server, a group that can be granted rights and permissions and can become a member of local groups in its own domain, the member servers and workstations thereof, and trusting domains. A global group can contain user accounts only from its own domain. Global groups provide a way to create sets of users from inside the domain, and can be used for access to resources both in and out of the domain. Global groups cannot be created or maintained on computers running Microsoft Windows 2000 Professional. However, for Windows 2000 Professional computers that participate in a domain, domain global groups can be granted rights and permissions at those workstations and can become members of local groups at those workstations.

globally unique identifier (GUID)   A 128-bit number that is guaranteed to be unique. GUIDs are assigned to objects when the objects are created. The GUID never changes, even if you move or rename the object. Applications can store the GUID of an object and use the GUID to retrieve that object regardless of its current distinguished name.

group memberships   The groups to which a user account belongs. Permissions and rights granted to a group are also provided to its members. In most cases, the actions a user can perform in Microsoft Windows 2000 are determined by the group memberships of the user account that has been logged on to.

group policy   The Microsoft Windows 2000 Microsoft Management Console (MMC) snap-in used to specify the behavior of users' desktops. A group policy object (GPO), which an administrator creates using the Group Policy snap-in, is the mechanism for configuring desktop settings.

Group Policy object (GPO)   A collection of group policy settings. GPOs are essentially the documents created by the Group Policy snap-in. GPOs are stored at the domain level and they affect users and computers contained in sites, domains, and organizational units. In addition, each Microsoft Windows 2000 computer has exactly one group of settings stored locally, called the local GPO.

group scopes   Allow you to use groups in different ways to assign permissions. The scope of a group determines where in the network you are able to use the group to assign permissions to the group. The three group scopes are global, domain local, and universal.

guest account   A built-in account used to log on to a computer running Microsoft Windows 2000 when a user does not have an account on the computer or domain or in any of the domains trusted by the computer's domain.


Hardware Compatibility List (HCL)   A list of the devices supported by Microsoft Windows 2000. The latest version of the HCL can be downloaded from the Hardware Compatibility List Web page at

HCL   See Hardware Compatibility List (HCL).

home directory   Specified in Active Directory Users And Computers or Local Users And Groups, a folder that is accessible to the user and can contain files and programs for that user. A home directory can be assigned to an individual user or can be shared by many users. Some programs use the home directory as the default folder for the Open and Save As dialog boxes. Other programs use My Documents.

host name   The name of a device on a network. For a device on a Microsoft Windows NT or Windows 2000 network, this can be the same as the computer name, but it may not be. The host name must be in the Hosts file, or it must be known by a Domain Name System (DNS) server, for that host to be found by another computer attempting to communicate with it.


implicit two-way transitive trust   A type of trust relationship in which both of the domains in the relationship trust each other. In a two-way trust relationship, each domain has established a one-way trust with the other domain. For example, Domain A trusts Domain B and Domain B trusts Domain A. Two-way trusts can be transitive or non-transitive. All two-way trusts between Microsoft Windows 2000 domains in the same domain tree or forest are transitive.

incremental zone transfer (IXFR)   An alternate query type that can be used by some Domain Name System (DNS) servers to update and synchronize zone data when a zone is changed. When IXFR is supported between DNS servers, servers can keep track of and transfer only those incremental resource record changes between each version of the zone.

infrastructure master   The domain controller assigned to update group-to-user references whenever group memberships are changed, and to replicate these changes to any other domain controllers in the domain. At any time, there can be only one infrastructure master in a particular domain.

initial master   A shared folder whose existing files and folders are replicated to other shared folders when replication is initially configured. After replication is complete, there is no initial master, as any of the replicas can accept changes and propagate them to the other replicas. The initial master then becomes another replica.

IntelliMirror   A set of powerful features native to Microsoft Windows 2000 for desktop change and configuration management technology. IntelliMirror combines the advantages of centralized computing with the performance and flexibility of distributed computing.

Internet Information Services (IIS)   Software services that support Web site creation, configuration, and management, along with other Internet functions. Microsoft Internet Information Services include Network News Transfer Protocol (NNTP), File Transfer Protocol (FTP), and Simple Mail Transfer Protocol (SMTP).

Internet Protocol Security (IPSec)   A framework of open standards for ensuring secure private communications over IP networks by using cryptographic security services.

IPSec   See Internet Protocol Security (IPSec).


Kerberos v5 protocol   An Internet standard security protocol for handling authentication of user or system identity. With Kerberos v5 protocol, passwords that are sent across network lines are encrypted, not sent as plaintext. Kerberos v5 also includes other security features.

kernel mode   Provides direct access to memory and executes in an isolated memory area. Kernel mode consists of four components: Microsoft Windows 2000 Executive, Device Drivers, the Microkernel, and the Hardware Abstraction Layer (HAL).

key   In database management, an identifier for a record or group of records in a data file. Most often, the key is defined as the contents of a single field, called the key field in some database management programs and the index field in others. Keys are maintained in tables and are indexed to speed record retrieval. Keys also refer to code that deciphers encrypted data.


Layer 2 Tunneling Protocol (L2TP)   An industry-standard Internet tunneling protocol. Unlike Point-to-Point Tunneling Protocol (PPTP), L2TP does not require Internet Protocol (IP) connectivity between the client workstation and the server. L2TP requires only that the tunnel medium provide packet-oriented point-to-point connectivity. The protocol can be used over media such as Asynchronous Transfer Mode (ATM), Frame Relay, and X.25. L2TP provides the same functionality as PPTP. Based on Layer 2 Forwarding (L2F) and PPTP specifications, L2TP allows clients to set up tunnels across intervening networks.

Lightweight Directory Access Protocol (LDAP)   The primary access protocol for Active Directory. LDAP version 3 is defined by a set of Proposed Standard documents in Internet Engineering Task Force (IETF) Request for Comments (RFC) 2251.

local group   For computers running Microsoft Windows 2000 Professional and member servers, a group that can be granted permissions and rights from its own computer and (if the computer participates in a domain) user accounts and global groups both from its own domain and from trusted domains.

local group policy object   One group policy object (GPO) stored on each computer whether or not the computer is part of an Active Directory environment or a networked environment. Local GPO settings can be overridden by nonlocal GPOs and are the least influential if the computer is in an Active Directory environment. In a non-networked environment (or in a networked environment lacking a Microsoft Windows 2000 domain controller), the local GPO's settings are more important because they are not overridden by nonlocal GPOs.

local user   The user at the computer.

local user account   For Microsoft Windows 2000 Server, a user account provided in a domain for a user whose global account is not in a trusted domain. A local account is not required where trust relationships exist between domains.

local user profile   A user profile that is created automatically on the computer the first time a user logs on to a computer running Microsoft Windows 2000 Professional or Windows 2000 Server.


mandatory user profile   A user profile that is not updated when the user logs off. It is downloaded to the user's desktop each time the user logs on and is created by an administrator and assigned to one or more users to create consistent or job-specific user profiles. Only members of the Administrators group can change profiles.

master server   An authoritative Domain Name System (DNS) server for a zone. Master servers can vary and are one of two types (either primary or secondary masters), depending on how the server obtains its zone data.

Microsoft Management Console (MMC)   A framework for hosting administrative tools called consoles. A console may contain tools, folders or other containers, World Wide Web pages, and other administrative items. These items are displayed in the left pane of the console, called a console tree. A console has one or more windows that can provide views of the console tree. The main MMC window provides commands and tools for authoring consoles. The authoring features of MMC and the console tree itself may be hidden when a console is in User mode.

mixed mode   The default domain mode setting on Microsoft Windows 2000 domain controllers. Mixed mode allows Windows NT and Windows 2000 backup domain controllers to coexist in a domain. Mixed mode does not support the universal and nested group enhancements of Windows 2000. The domain mode setting can be changed to Windows 2000 native mode when all Windows NT domain controllers are removed from a domain.

mounted drive   A drive attached to an empty folder on an NTFS volume. Mounted drives function the same as any other drive, but are assigned a label or name instead of a drive letter. The mounted drive's name is resolved to a full file system path instead of just a drive letter. Members of the Administrators group can use Disk Management to create mounted drives or reassign drive letters.

multimaster replication   A replication model in which any domain controller accepts and replicates directory changes to any other domain controller. This differs from other replication models in which one computer stores the single modifiable copy of the directory and other computers store backup copies.


namespace   A set of unique names for resources or items used in a shared computing environment. For Microsoft Management Console (MMC), the namespace is represented by the console tree, which displays all of the snap-ins and resources that are accessible to a console. For Domain Name System (DNS), namespace is the vertical or hierarchical structure of the domain name tree.

native mode   The condition in which all domain controllers in the domain have been upgraded to Microsoft Windows 2000 and an administrator has enabled native mode operation (through Active Directory Users And Computers).

nonauthoritative restore   A restore of a backup copy of a Microsoft Windows 2000 domain controller in which the objects in the restored directory are not treated as authoritative. The restored objects are updated with changes held in other replicas of the restored domain.

noncontainer object   An object that cannot logically contain other objects. For example, a file is a noncontainer object.

nonlocal group policy object   A group policy object (GPO) linked to Active Directory objects (sites, domains, or organizational units) that can be applied to either users or computers. To use nonlocal GPOs, you must have a Microsoft Windows 2000 domain controller installed. Following the properties of Active Directory, nonlocal GPOs are applied hierarchically from the least restrictive group (site) to the most restrictive group (organizational unit) and are cumulative.

nontransitive trust   See explicit one-way nontransitive trust.


Open Shortest Path First (OSPF)   A routing protocol for IP networks, such as the Internet, that allows a router to calculate the shortest path to each node for sending messages.

operations master roles   A domain controller that has been assigned one or more special roles in an Active Directory domain. The domain controllers assigned these roles perform operations that are single master (not permitted to occur at different places on the network at the same time). Examples of these operations include resource identifier allocation, schema modification, primary domain controller (PDC) election, and certain infrastructure changes. The domain controller that controls the particular operation owns the operations master role for that operation. The ownership of these operations master roles can be transferred to other domain controllers.

organizational unit (OU)   An Active Directory container object used within domains. OUs are logical containers into which you can place users, groups, computers, and other OUs. It can contain objects only from its parent domain. An OU is the smallest scope to which you can apply a group policy or delegate authority.

owner   In Microsoft Windows 2000, the person who controls how permissions are set on objects and can grant permissions to others.


parent domain   For Domain Name System (DNS), a domain that is located in the namespace tree directly above other derivative domain names (child domains). For example, would be the parent domain for, a child domain.

paging file   A special file on one or more of the hard disks of a computer running Microsoft Windows 2000. Windows 2000 uses virtual memory to store some of the program code and other information in RAM and to temporarily store some of the program code and other information on the computer's hard disks. This increases the amount of available memory on the computer.

partition boot sector   A portion of a hard disk partition that contains information about the disk's file system and a short machine language program that loads the Windows operating system.

permissions inheritance   A mechanism that allows a given access control entry (ACE) to be copied from the container where it was applied to all children of the container. Inheritance can be combined with delegation to grant administrative rights to a whole subtree of the directory in a single update operation.

point-to-point configuration   Dedicated circuits that are also known as private, or leased, lines. They are the most popular wide area network (WAN) communication circuits in use today. The carrier guarantees full-duplex bandwidth by setting up a permanent link from each endpoint, using bridges and routers to connect LANs through the circuits. See also Point-to-Point Protocol (PPP), Point-to-Point Tunneling Protocol (PPTP).

Point-to-Point Protocol (PPP)   A data-link protocol for transmitting TCP/IP packets over dial-up telephone connections, such as between a computer and the Internet. PPP was developed by the Internet Engineering Task Force (IETF) in 1991.

Point-to-Point Tunneling Protocol (PPTP)   Networking technology that supports multiprotocol virtual private networks (VPNs), enabling remote users to access corporate networks securely across the Internet or other networks by dialing into an Internet Service Provider (ISP) or by connecting directly to the Internet. The PPTP tunnels, or encapsulates, Internet Protocol (IP), Internetwork Packet Exchange (IPX), or NetBEUI traffic inside of IP packets. This means that users can remotely run applications that are dependent on particular network protocols.

policy   The mechanism by which desktop settings are configured automatically, as defined by the administrator. Depending on context, this can refer to Microsoft Windows 2000 Group Policy, Windows NT 4.0 system policy, or a specific setting in a Group Policy object (GPO).

Portable Operating System Interface for UNIX (POSIX)   An Institute of Electrical and Electronics Engineers (IEEE) standard that defines a set of operating system services. Programs that adhere to the POSIX standard can be easily ported from one system to another. POSIX was based on UNIX system services, but was created in a way that allows it to be implemented by other operating systems.

POSIX   See Portable Operating System Interface for UNIX (POSIX).

PPP   See Point-to-Point Protocol (PPP).

PPTP   See Point-to-Point Tunneling Protocol (PPTP).

primary domain controller (PDC)   In a Microsoft Windows NT Server 4.0 or earlier domain, the computer running Windows NT Server that authenticates domain logons and maintains the directory database for a domain. The PDC tracks changes made to accounts of all computers on a domain. It is the only computer to receive these changes directly. A domain has only one PDC. In Microsoft Windows 2000, one of the domain controllers in each domain is identified as the PDC for compatibility with Windows NT 4.0 and earlier versions of Windows NT.

primary master   An authoritative Domain Name System (DNS) server for a zone that can be used as a point of update for the zone. Only primary masters can be updated directly to process zone updates, which include adding, removing, or modifying resource records that are stored as zone data. Primary masters are also used as the first sources for replicating the zone to other DNS servers.

primary partition   A volume you create using unallocated space on a basic disk. Microsoft Windows 2000 and other operating systems can start from a primary partition. You can create up to four primary partitions on a basic disk, or three primary partitions and an extended partition. Primary partitions can be created only on basic disks and cannot be subpartitioned.

primary zone database file   The master zone database file. Changes to a zone, such as adding domains or hosts, are performed on the server that contains the primary zone database file.

print device   The hardware device that produces printed documents.

printer   The software interface between the operating system and the print device. The printer defines where a document will go to reach the print device, when it will go, and how various other aspects of the printing process will be handled.


Quality of Service (QoS)   A set of quality assurance standards and mechanisms for data transmission that is implemented in Microsoft Windows 2000.


redundant array of independent disks (RAID)   A standardization of fault-tolerant options in five levels. The levels offer various combinations of performance, reliability, and cost. Formerly known as redundant array of inexpensive disks.

Remote Access Server   Any Microsoft Windows 2000-based computer configured to accept remote access connections.

Remote Authentication Dial-In User Service (RADIUS)   A security authentication protocol widely used by Internet Service Providers (ISPs). RADIUS provides authentication and accounting services for distributed dial-up networking.

Remote Installation Services (RIS)   Software services that allow an administrator to set up new client computers remotely, without having to visit each client. The target clients must support remote booting.

roaming user profile   A server-based user profile that is downloaded to the local computer when a user logs on, and is updated both locally and on the server when the user logs off. A roaming user profile is available from the server when logging on to any computer running Microsoft Windows 2000 Professional or Windows 2000 Server. When logging on, the user can use the local user profile if it is more current than the copy on the server.


schema   A database description to the database management system that contains a formal definition of the contents and structure of Active Directory, including all attributes, classes, and class properties. For each object class, the schema defines which attributes an instance of the class must have, which additional attributes it can have, and which object class can be a parent of the current object class.

schema master   The domain controller assigned to control all updates to the schema within a forest. At any time, there can be only one schema master in the forest.

security group   Used to assign permissions to gain access to resources. Programs that are designed to search Active Directory directory services can also use security groups for nonsecurity-related purposes, such as retrieving user information for use in a Web application. A security group also has all the capabilities of a distribution group. Microsoft Windows 2000 uses only security groups.

security identifier (SID)   A unique number that identifies user, group, and computer accounts. Every account on your network is issued a unique SID when the account is first created. Internal processes in Microsoft Windows 2000 refer to an account's SID rather than the account's user or group name. If you create an account, delete it, and then create an account with the same user name, the new account will not have the rights or permissions previously granted to the old account because the accounts have different SID numbers.

security template   A physical representation of a security configuration; a single file where a group of security settings is stored. Locating all security settings in one place eases security administration. Each template is saved as a text-based .inf file. This allows you to copy, paste, import, or export some or all of the template attributes.

shared resource   Any device, data, or program that is used by more than one other device or program. For Microsoft Windows 2000, shared resources refer to any resource that is made available to network users, such as folders, files, printers, and named pipes. A shared resource can also refer to a resource on a server that is available to network users.

snap-in   A type of tool you can add to a console supported by Microsoft Management Console (MMC). A standalone snap-in can be added by itself; an extension snap-in can only be added to extend the function of another snap-in.

software distribution point   In Software Installation, a network location from which users are able to get the software that they need.

Software Installation   An extension within Group Policy that is the administrator's primary tool for managing software within an organization. Software Installation works in conjunction with group policy and Active Directory directory service, establishing a Group Policy-based software management system that allows you to centrally manage the initial deployment of software, mandatory and nonmandatory upgrades, patches, quick fixes, and the removal of software.

Start-of-Authority (SOA) resource record   A record that indicates the starting point or original point of authority for information stored in a zone. The SOA resource record is the first resource record created when adding a new zone. It also contains several parameters used by other computers that use Domain Name System (DNS) to determine how long they will use information for the zone and how often updates are required.

system partition   The partition that contains the hardware-specific files needed to load Microsoft Windows 2000 (for example, Ntldr, Osloader, BOOT.INI, NTDETECT.COM). The system partition can be, but does not have to be, the same as the boot partition.

systemroot   The path and folder name where the Microsoft Windows 2000 system files are located. Typically, this is C:\Winnt, although you can designate a different drive or folder when you install Windows 2000. You can use the value %systemroot% to replace the actual location of the folder that contains the Windows 2000 system files. To identify your systemroot folder, click Start, click Run, and then type %systemroot%.

system volume   The volume that contains the hardware-specific files needed to load Microsoft Windows 2000. The system volume can be, but does not have to be, the same volume as the boot volume.

SYSVOL   A shared directory that stores the server copy of the domain's public files, which are replicated among all domain controllers in the domain.


Task Manager   A Microsoft Windows 2000 utility that provides information about programs and processes running on the computer. Using Task Manager, you can end or run programs, end processes, and display a dynamic overview of your computer's performance.

Task Scheduler   A tool used to schedule programs and batch files to run once, at regular intervals, or at specific times.

Terminal services   Software services that allow client applications to be run on a server so that client computers can function as terminals rather than as independent systems. The server provides a multisession environment and runs the Microsoft Windows-based programs being used on the clients.

total cost of ownership (TCO)   The total amount of money and time associated with purchasing computer hardware and software and deploying, configuring, and maintaining the hardware and software. TCO includes hardware and software updates, training, maintenance, administration, and technical support.

tree   A set of Microsoft Windows 2000 domains connected together via a two-way transitive trust, sharing a common schema, configuration, and global catalog. The domains must form a contiguous hierarchical namespace such that if is the root of the tree, is a child of, is a child of, and so on.

trust relationship   A logical relationship established between domains to allow pass-through authentication, in which a trusting domain honors the logon authentications of a trusted domain. User accounts and global groups defined in a trusted domain can be given rights and permissions in a trusting domain, even though the user accounts or groups do not exist in the trusting domain's directory.

tunnel   A logical connection over which data is encapsulated. Typically, both encapsulation and encryption are performed and the tunnel is a private, secure link between a remote user or host and a private network.


universal group   A security or distribution group that can be used anywhere in the domain tree or forest. A universal group can have members from any Microsoft Windows 2000 domain in the domain tree or forest. It can also include other universal groups, global groups, and accounts from any domain in the domain tree or forest. Rights and permissions must be assigned on a per-domain basis, but can be assigned at any domain in the domain tree or forest. Universal groups can be members of domain local groups and other universal groups but cannot be members of global groups. Universal groups appear in the global catalog and should contain primarily global groups.

universal naming convention (UNC) name   The full Microsoft Windows 2000 name of a resource on a network. It conforms to the \\servername\sharename syntax, where servername is the name of the server and sharename is the name of the shared resource. UNC names of directories or files can also include the directory path under the share name, with the following syntax: \\servername\sharename\directory\filename.

user account   A record that consists of all the information that defines a user to Microsoft Windows 2000. This includes the user name and password required for the user to log on, the groups in which the user account has membership, and the rights and permissions the user has for using the computer and network and accessing their resources. For Windows 2000 Professional and member servers, user accounts are managed with the Local Users and Groups console. For Windows 2000 Server domain controllers, user accounts are managed with the Active Directory Users And Computers console.

user groups   Groups of users who meet online or in person to discuss installation, administration, and other network challenges for the purpose of sharing and drawing on each other's expertise in developing ideas and solutions.

user mode   A console mode that does not enable full access to all Microsoft Management Console (MMC) functionality. There are three types of User modes that allow different levels of access and functionality: Full Access; Limited Access, Multiple Windows; and Limited Access, Single Window.

user name   A unique name identifying a user account to Microsoft Windows 2000. An account's user name must be unique among the other group names and user names within its own domain or workgroup.

user principal name (UPN)   This consists of a user account name (sometimes referred to as the user logon name) and a domain name identifying the domain in which the user account is located. This is the standard usage for logging on to a Microsoft Windows 2000 domain. The format is: (as for an e-mail address).

user profile   A profile that defines the Microsoft Windows 2000 environment that is loaded by the system when a user logs on. It includes all the user-specific settings of a user's Windows 2000 environment, such as program items, screen colors, network connections, printer connections, mouse settings, and window size and position.

user rights   Tasks a user is permitted to perform on a computer system or domain, such as backing up files and folders, adding or deleting users in a workstation or domain, and shutting down a computer system. Rights can be granted to groups or to user accounts, but are best reserved for use by groups. User rights are set in group policy.

user rights policy   Security settings that manage the assignment of rights to groups and user accounts.


virtual private network (VPN)   The extension of a private network that encompasses encapsulated, encrypted, and authenticated links across shared or public networks. VPN connections can provide remote access and routed connections to private networks over the Internet.

volume   A portion of a physical disk that functions as though it were a physically separate disk. In My Computer and Microsoft Windows Explorer, volumes appear as local disks such as C: or D:.

volume set   A partition consisting of disk space on one or more physical disks that was created with Microsoft Windows NT 4.0 or earlier. You can delete volume sets only with Windows 2000. To create new volumes that span multiple disks, use spanned volumes on dynamic disks.


Windows 2000 Advanced Server   A powerful departmental and application server that provides rich network operations system (NOS) and Internet services. Advanced Server supports large physical memories, clustering, and load balancing.

Windows 2000 Datacenter Server   The most powerful and functional server operating system in the Microsoft Windows 2000 family. It is optimized for large data warehouses, econometric analysis, large-scale simulations in science and engineering, and server consolidation projects.

Windows 2000 Executive   A component that performs most of the input/output (I/O) and object management, including security. It does not perform screen and keyboard I/O; the Microsoft Win32 subsystem performs these functions. The Microsoft Windows 2000 Executive contains the Windows 2000 kernel mode components.

Windows 2000 Professional   A high-performance, secure network client computer and corporate desktop operating system that includes the best features of Microsoft Windows 98, significantly extending the manageability, reliability, security, and performance of Windows NT Workstation 4.0. Microsoft Windows 2000 Professional can be used alone as a desktop operating system, networked in a peer-to-peer workgroup environment, or used as a workstation in a Windows 2000 Server domain environment.

Windows 2000 Server   A file, print, and applications server, as well as a Web server platform that contains all of the features of Microsoft Windows 2000 Professional plus many new server-specific functions. This product is ideal for small- to medium-sized enterprise application deployments, Web servers, workgroups, and branch offices.

Windows Installer   An application that installs software packaged in Microsoft Windows Installer files.

workgroup   A simple grouping of computers, intended only to help users find such things as printers and shared folders within that group. Workgroups in Windows 2000 do not offer the centralized user accounts and authentication offered by domains.


zone   In a Domain Name System (DNS) database, a subtree of the DNS database that is administered as a single separate entity, a DNS server. This administrative unit can consist of a single domain or a domain with subdomains. A DNS zone administrator sets up one or more name servers for the zone.

zone database file   The file where name-to-IP-address mappings for a zone are stored.

zone transfer   The process by which Domain Name System (DNS) servers interact to maintain and synchronize authoritative name data. When a DNS server is configured as a secondary master for a zone, it periodically queries another DNS server configured as its source for the zone. If the version of the zone kept by the source is different, the secondary master server pulls zone data from its source DNS server to synchronize zone data.

MCSE Training Kit(c) Microsoft Windows 2000 Accelerated 2000
Year: 2004
Pages: 244