abstract class A type of schema class object used as a template only to form new structural classes. An abstract class cannot have instances in the directory. A new abstract class can be derived from an existing abstract class.

access control entry (ACE) An entry in an access control list (ACL) containing a security ID (SID) and a set of access rights. When the SID matches the user's SID or one of the group SIDs in a process's access token, the ACE allows the rights, denies them, or (for the audit ACEs held in a system ACL) records their use, depending on the ACE type. The system evaluates the ACEs in the order in which they appear in the list, which is why deny ACEs are placed ahead of allow ACEs.

access control list (ACL) The mechanism for limiting access to certain items of information or to certain controls based on users' identity and their membership in various predefined groups. An access control list is typically used by system administrators for controlling user access to network resources such as servers, directories, and files and is typically implemented by granting permissions to users and groups for access to specific objects.

ACE See access control entry.

ACL See access control list.

Active Directory The directory service included with Windows 2000 Server. It stores information about objects on a network and makes this information available to users and network administrators. Active Directory gives network users access to resources anywhere on the network using a single logon process, provided the users are permitted to use these resources. It provides network administrators with an intuitive hierarchical view of the network and a single point of administration for all network objects. See also directory; directory service.

Active Directory Connector (ADC) A synchronization agent in Windows 2000 Server, Windows 2000 Advanced Server, and Windows 2000 Datacenter Server that provides an automated way of keeping directory information consistent between the Exchange Server 5.5 directory and Active Directory. Without the ADC, you would have to manually enter new data and updates in both directory services. See also connection agreement.

Active Directory Installation Wizard A Windows 2000 Server tool that facilitates the following during Setup: installation of Active Directory, creation of trees in a forest, replication of an existing domain, installation of Kerberos authentication software, and promotion of servers to domain controllers.

Active Directory Migration Tool (ADMT) A tool that enables the migration of existing Windows NT 4 and earlier domains into Windows 2000. It can also be used to consolidate multiple Windows 2000 domains (within the same or within different forests) into a single domain. ADMT allows you to test the migration settings and analyze the migration impact before and after the migration process.

Active Directory Sizer A tool for estimating the hardware required for deploying Active Directory based on an organization's profile, domain information, and site topology.

ADC See Active Directory Connector.

administrative structure A representation of the functions, divisions, departments, or positions within an organization and their relationships, including the organization's hierarchy and authority structure. The administrative structure reflects how an organization is managed and how it conducts administrative operations.

administrator A person responsible for setting up and managing domain controllers or local computers and their user and group accounts, assigning passwords and permissions, and helping users with networking issues.

ADMT See Active Directory Migration Tool.

attribute For a file, information that indicates whether the file is read-only, hidden, ready for archiving (backing up), compressed, or encrypted, and whether the file contents should be indexed for fast file searching. In Active Directory, a single piece of information held by an object (for example, a user object's given name), defined for the schema by an attribute object. See also base schema.

authentication The process by which the system validates the user's logon information. A user's name and password are compared against the list of authorized users. If the system detects a match, access is granted to the extent specified in the permissions list for that user. When a user logs on to an account on a computer running Windows 2000 Professional, the authentication is performed by the workstation. When a user logs on to an account in a Windows 2000 Server domain, authentication may be performed by any domain controller in that domain. See also domain controller; trust relationship.

auxiliary class A type of schema class used to group attributes to be applied as a group to a structural class. An auxiliary class cannot have instances in the directory. A new auxiliary class can be derived from an existing auxiliary class.

average available bandwidth The average amount of bandwidth that is actually available for use after normal network traffic is handled.

AXFR See full zone transfer.


backup domain controller (BDC) In the environment running Microsoft Windows NT Server 4 or earlier, a computer running Windows NT Server that receives a copy of the domain's directory database (which contains all account and security policy information for the domain). The copy is synchronized periodically and automatically with the master copy on the primary domain controller (PDC). BDCs also authenticate user logon information and can be promoted to function as PDCs as needed. Multiple BDCs can exist in a domain. Windows NT 3.51 and 4 BDCs can participate in a Windows 2000 domain when the domain is configured in mixed mode. See also mixed mode; primary domain controller.

bandwidth The amount of data that can be transmitted across a communications channel in a specific amount of time. In computer networks, greater bandwidth indicates faster data-transfer capability and is expressed in bits per second (bps).

base schema A basic set of schema classes and attributes shipped with Windows 2000 Server. There are nearly 200 schema class objects and more than 900 schema attribute objects provided in the base schema.

BDC See backup domain controller.

Berkeley Internet Name Domain (BIND) An implementation of the Domain Name System (DNS) written and ported to most available versions of the UNIX operating system. The Internet Software Consortium maintains the BIND software.

BIND See Berkeley Internet Name Domain.

Bindery A database in Novell NetWare 2.x and 3.x that contains organizational and security information about users and groups.

bridgehead server A domain controller in a site, designated automatically by the Knowledge Consistency Checker as the contact point for exchange of directory information between this site and other sites. See also preferred bridgehead server.

business environment The manner in which an organization structures and manages its nontechnical resources.

business environment analysis document A document that describes the current state of each business environment component. When complete, this document can be distributed to each member of the design team, providing a starting point for discussion and assessing future needs.

business process A series of steps that must be taken to achieve a desired result within the organization.

business strategy A long-range plan for defining and achieving the objectives set up by an organization.

Business Strategy Influences Worksheet A worksheet that can be used to analyze the factors that may influence the business strategy in an organization.

business structure A representation of the daily operating structure of an organization.

Business Structures Worksheet A worksheet that can be used to analyze an organization's administrative and geographical structures.


catalog service An information store that contains selected information about every object in every domain in the directory, and which is used for performing searches across an enterprise. The catalog service provided by Active Directory is called the global catalog.

child domain For DNS, a domain located in the namespace tree directly beneath another domain (the parent domain). For example, "" is a child domain of the parent domain "". A child domain is also called a subdomain.

child object An object that resides in another object. For example, a file is a child object that resides in a folder, which is the parent object. See also parent object; object.

command decisions Decisions made by one person.

communication flow The process by which ideas, messages, or information arrive at their destination.

Communication Flow Worksheet A worksheet that can be used to analyze how ideas, messages, or information arrive at their destination in an organization.

configuration container A naming context containing the replication topology and related metadata that is replicated to every domain controller in the forest. Directory-aware applications store information in the configuration container that applies to the entire forest.

connection agreement A configurable section in the Active Directory Connector user interface that holds information such as the server names to contact for synchronization, object classes to synchronize, target containers, and the synchronization schedule.

connection object An Active Directory object that represents a replication connection from one domain controller to another. The connection object is a child of the replication destination's NTDS Settings object and identifies the replication source server, contains a replication schedule, and specifies a replication transport. Connection objects are created automatically by the Knowledge Consistency Checker, but they can also be created manually. Connections generated automatically must not be modified by the user unless they are first converted into manual connections.

consensus decisions Decisions reached by agreement from the entire group affected by the decision. Because the matter is not decided until the entire group agrees, this method is time consuming and does not guarantee that an effective decision will be made.

consultative decisions Decisions made by one person, but only after that person gathers facts, ideas, and opinions from other people. This process involves a variety of people but still hinges on the analysis and judgment of one person.

container object An object that can logically contain other objects. For example, a folder is a container object. See also noncontainer object; object.

contiguous namespace A namespace where the name of the child object in an object hierarchy always contains the name of the parent domain. A tree is a contiguous namespace.

cross-link trust A two-way trust relationship that is explicitly created between two Windows 2000 domains that are logically distant from each other in a forest or tree hierarchy. The purpose of a cross-link trust is to shorten the chain of trusts that must be followed during inter-domain authentication. A cross-link trust can be created only between Windows 2000 domains in the same forest. All cross-link trusts are transitive. A cross-link trust is also known as a shortcut trust. See also implicit two-way transitive trust.


DACL See discretionary access control list.

data store (the database file Ntds.dit) The directory database.

Decision Making Worksheet A worksheet that can be used to analyze how options are identified and actions are selected in an organization.

decision matrix A comparison of the criteria used to make a decision with the available options.

delegated decision Decision that has been pushed down an organization's chain of command. The delegatee must make the decision.

delegation of administration The ability to assign responsibility for management and administration of a portion of the namespace to another user, group, or organization.

design team The people in an organization involved in the Active Directory infrastructure design process.

desktop The on-screen work area on which windows, icons, menus, and dialog boxes appear.

directory An information source (for example, a telephone directory) that contains information about people, computer files, or other objects. In a file system, a directory stores information about files. In a distributed computing environment (such as a Windows 2000 domain), the directory stores information about objects such as printers, fax servers, applications, databases, and other users.

directory database The physical storage for each replica of Active Directory. The directory database is also called the store.

directory-enabled application Software that has the capability to read Active Directory objects (and their attributes) or has the capability to create schema class or attribute objects.

directory service Both the directory information source and the services that make the information available and usable. A directory service enables the user to find an object given any one of its attributes. See also Active Directory; directory.

directory synchronization The sharing of data between two directory services so that changes made to objects in one directory are propagated automatically to the other directory. When data is synchronized between directory services, system administration is more efficient because there is no longer a need to manage multiple directories.

discretionary access control list (DACL) The part of an object's security descriptor that grants or denies specific users and groups permission to access the object. The owner of an object can always change the permissions granted or denied in its DACL (as can anyone the DACL explicitly grants the right to change permissions); thus access to the object is at the owner's discretion. An object with an empty DACL grants access to no one, whereas an object with no DACL at all grants full access to everyone. See also access control entry; object.
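The access control entry, access control list, and discretionary access control list entries describe the pieces but not how Windows combines them when a process asks for access. The following model of that walk is an added example, not code from the original glossary or from Microsoft: it uses simplified access bits, constructed SIDs and a constructed DACL, and shows why canonical ordering (deny before allow) matters, how several allow ACEs accumulate, and the difference between an empty DACL and no DACL.

```python
from dataclasses import dataclass
from typing import List, Optional

# Simplified access-right bits; real Windows access masks are richer (constructed for the example).
READ, WRITE, EXECUTE, DELETE = 0x01, 0x02, 0x04, 0x08
READ_CONTROL = 0x10   # read the object's security descriptor
WRITE_DAC = 0x20      # change the object's DACL
FULL = READ | WRITE | EXECUTE | DELETE | READ_CONTROL | WRITE_DAC

ALLOW, DENY = "allow", "deny"


@dataclass
class Ace:
    kind: str             # ALLOW or DENY (audit ACEs live in the SACL, not the DACL)
    sid: str              # trustee's security ID
    mask: int             # access rights this ACE grants or denies
    inherited: bool = False


@dataclass
class SecurityDescriptor:
    owner: str
    dacl: Optional[List[Ace]]   # None = no DACL (everyone gets full access);
                                # [] = empty DACL (nobody gets anything beyond owner rights)


def is_canonical(dacl: List[Ace]) -> bool:
    """Canonical order: explicit ACEs before inherited ones, and deny before allow
    within each group. The walk below stops at the first decisive ACE, so a deny
    placed after an allow for the same rights would never be reached."""
    ranks = [(ace.inherited, ace.kind == ALLOW) for ace in dacl]
    return ranks == sorted(ranks)


def access_check(sd: SecurityDescriptor, token_sids, requested: int):
    """Walk the DACL the way the Windows access check does (simplified model).
    token_sids: the user's SID plus the SIDs of every group in the access token.
    Returns (granted, reason)."""
    if sd.dacl is None:
        return True, "object has no DACL: unrestricted access"
    token = set(token_sids)
    granted = 0
    if sd.owner in token:                     # owners can always read and rewrite the DACL
        granted |= READ_CONTROL | WRITE_DAC
    remaining = requested & ~granted
    if remaining == 0:
        return True, "satisfied by the owner's implicit rights"
    for ace in sd.dacl:
        if ace.sid not in token:
            continue                          # ACE is for someone else; skip it
        if ace.kind == DENY:
            if ace.mask & remaining:          # any still-wanted right denied: stop here
                return False, f"denied by ACE for {ace.sid}"
        else:
            granted |= ace.mask & requested   # accumulate across several allow ACEs
            remaining = requested & ~granted
            if remaining == 0:
                return True, "all requested rights granted"
    return False, "no ACE grants the remaining rights (implicit deny)"


# Constructed sample SIDs and DACL (not taken from any real system).
ALICE = "S-1-5-21-100-200-300-1001"
BOB = "S-1-5-21-100-200-300-1002"
CAROL = "S-1-5-21-100-200-300-1003"
USERS, ADMINS = "S-1-5-32-545", "S-1-5-32-544"

FILE_SD = SecurityDescriptor(
    owner=ALICE,
    dacl=[
        Ace(DENY, BOB, WRITE | DELETE),            # explicit deny first
        Ace(ALLOW, USERS, READ | EXECUTE),         # explicit allow
        Ace(ALLOW, ADMINS, FULL, inherited=True),  # inherited from the parent folder
    ],
)


def demo():
    """Outcomes worth comparing; each value is the granted/denied boolean."""
    return {
        "canonical": is_canonical(FILE_SD.dacl),
        "alice_write_dac": access_check(FILE_SD, [ALICE, USERS], WRITE_DAC)[0],
        "bob_read": access_check(FILE_SD, [BOB, USERS], READ)[0],
        "bob_read_write": access_check(FILE_SD, [BOB, USERS], READ | WRITE)[0],
        "carol_write": access_check(FILE_SD, [CAROL, USERS], WRITE)[0],
        "carol_as_admin_delete": access_check(FILE_SD, [CAROL, USERS, ADMINS], DELETE)[0],
        "empty_dacl": access_check(SecurityDescriptor(BOB, []), [ALICE, USERS], READ)[0],
        "no_dacl": access_check(SecurityDescriptor(BOB, None), [ALICE, USERS], FULL)[0],
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point to notice is that Bob is refused READ | WRITE even though an allow ACE later in the list covers READ: the deny ACE is met first and denies one of the rights still outstanding, which is exactly why a non-canonical DACL (allow before deny) behaves differently from what an administrator reading it expects.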

disjointed namespace A namespace in which the names of a parent object and a child of this parent object are based on different DNS root domain names. A forest is a disjointed namespace.

distinguished name (DN) A name that uniquely identifies an object by using the relative distinguished name for the object, plus the names of container objects and domains that contain the object. The distinguished name identifies the object as well as its location in a tree. Every object in Active Directory has a distinguished name. A typical distinguished name might be CN=MyName,CN=Users,DC=Microsoft,DC=Com. This distinguished name identifies the MyName user object in the Users container of the Microsoft.Com domain.
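Working with distinguished names safely means splitting them on unescaped commas only: a user named "Smith, John" produces the RDN CN=Smith\, John, and naive splitting on commas breaks it. The following parser is an added example, not code from the original glossary or from Microsoft; it handles the RFC 2253 backslash and hex escapes, derives the containing domain's DNS name from the DC components, and re-serializes the parent container's DN. It assumes single-valued RDNs (no + separator) and no RFC 1779 quoting; the sample DNs other than the glossary's own are constructed.

```python
from typing import List, Tuple

_HEX = "0123456789abcdefABCDEF"


def _split_unescaped(s: str, sep: str) -> List[str]:
    """Split on `sep`, ignoring occurrences that are preceded by a backslash."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])            # keep the escape pair intact for now
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(s[i])
        i += 1
    parts.append("".join(cur))
    return parts


def _unescape(raw: str) -> str:
    """Decode RFC 2253 escapes: backslash + special character, or backslash + two hex
    digits. Hex pairs may spell a UTF-8 sequence, so bytes are collected and decoded last."""
    out = bytearray()
    i = 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            pair = raw[i + 1:i + 3]
            if len(pair) == 2 and pair[0] in _HEX and pair[1] in _HEX:
                out.append(int(pair, 16))
                i += 3
                continue
            out += raw[i + 1].encode("utf-8")
            i += 2
            continue
        out += raw[i].encode("utf-8")
        i += 1
    return out.decode("utf-8")


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Return the DN as (attribute, value) pairs, leaf RDN first."""
    rdns = []
    for raw in _split_unescaped(dn, ","):
        raw = raw.lstrip()                    # whitespace after a separator is not part of the RDN
        if "=" not in raw:
            raise ValueError(f"RDN without '=': {raw!r}")
        attr, raw_val = raw.split("=", 1)
        raw_val = raw_val.lstrip()
        while raw_val.endswith(" ") and not raw_val.endswith("\\ "):
            raw_val = raw_val[:-1]            # unescaped trailing spaces are insignificant
        rdns.append((attr.strip(), _unescape(raw_val)))
    return rdns


def escape_value(value: str) -> str:
    """Escape a raw attribute value for use in a DN string."""
    out = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "
    return out


def to_dn(rdns: List[Tuple[str, str]]) -> str:
    return ",".join(f"{attr}={escape_value(val)}" for attr, val in rdns)


def parent_dn(dn: str) -> str:
    """DN of the container that holds the object (the DN without its leaf RDN)."""
    return to_dn(parse_dn(dn)[1:])


def domain_dns_name(dn: str) -> str:
    """DNS name of the domain the object lives in: the DC components joined by dots."""
    return ".".join(val for attr, val in parse_dn(dn) if attr.upper() == "DC")


if __name__ == "__main__":
    for sample in ("CN=MyName,CN=Users,DC=Microsoft,DC=Com",
                   "CN=Smith\\, John,OU=Sales\\+Ops,DC=corp,DC=example",
                   "CN=Smith\\2C John,DC=corp,DC=example"):
        print(parse_dn(sample), "->", domain_dns_name(sample), "| parent:", parent_dn(sample))
```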

distribution group A group that is used solely for e-mail distribution and is not security enabled. Distribution groups cannot be listed in discretionary access control lists (DACLs) used to define permissions on resources and objects. Distribution groups can be used only with e-mail applications (such as Microsoft Exchange) to send e-mail to collections of users. If you do not need a group for security purposes, create a distribution group instead of a security group.

DN See distinguished name.

DNS See Domain Name System.

DNS Environment Worksheet A worksheet that can be used to analyze an organization's existing DNS environment.

DNS notify list A list maintained by the primary master for a zone of other Domain Name System (DNS) servers that should be notified when zone changes occur. The notify list is made up of Internet Protocol (IP) addresses for DNS servers configured as secondary masters for the zone. When a listed server receives the notification, it checks the zone's serial number on the primary master and, if the primary's copy is newer than its own, initiates a zone transfer to update its copy of the zone. See also full zone transfer; incremental zone transfer.

DNS server A computer that runs DNS server programs containing name-to-IP address mappings, IP address-to-name mappings, information about the domain tree structure, and other information. DNS servers also attempt to resolve client queries. A DNS server is also called a DNS name server.

domain In Windows 2000 and Active Directory, a logical organization of computers and other resources defined by the administrator of a Windows 2000 Server network that share a common directory database. A domain has a unique name and provides access to the centralized user accounts and group accounts maintained by the domain administrator. Each domain has its own security policies and security relationships with other domains and represents a single security boundary of a Windows 2000 computer network. Active Directory is made up of one or more domains, each of which can span more than one physical location. For DNS, a domain is any tree or subtree within the DNS namespace. Although the names for DNS domains often correspond to Active Directory domains, DNS domains should not be confused with Windows 2000 and Active Directory networking domains.

domain consolidation See domain restructure.

domain controller In a Windows 2000 Server domain, a computer running Windows 2000 Server that manages user access to a network, which includes logging on, authentication, and access to the directory and shared resources.

domain hierarchy A tree structure of parent and child domains.

domain local group A security or distribution group that can contain universal groups, global groups, and accounts from any domain in the domain tree or forest. A domain local group can also contain other domain local groups from its own domain. Rights and permissions can be assigned only at the domain containing the group.

domain name In Windows 2000 and Active Directory, the name given by an administrator to a logical organization of computers and other resources that share a common directory. For DNS, domain names are specific node names in the DNS namespace tree. DNS domain names use singular node names, joined together by periods (.) that indicate each node level in the namespace. See also Domain Name System (DNS); namespace.

domain namespace The database structure used by the Domain Name System (DNS). See also Domain Name System (DNS).

Domain Name System (DNS) A distributed, hierarchical name service for TCP/IP hosts. DNS servers are configured with host names and their IP addresses (or, with dynamic update, learn them from the hosts themselves), allowing users of workstations configured to query DNS to refer to remote systems by host name rather than by IP address. DNS domains should not be confused with Windows 2000 networking domains. See also domain; dynamic update.

domain naming master The domain controller assigned to control the addition or removal of domains in the forest. At any time, there can be only one domain naming master in the forest.

domain plan A group of planning documents that represent the Active Directory domain structure, which includes defining domains, defining the forest root domain, defining a domain hierarchy, naming domains, and planning DNS server deployment.

domain restructure A migration method that involves the redesign of the Windows NT domain structure, which often results in fewer, consolidated domains. This method of migration allows organizations to redesign and improve the structure to take full advantage of Windows 2000 features. A domain restructure migrates the existing Windows NT environment into a pristine Windows 2000 forest using a nondestructive copy. A domain restructure is also known as a domain consolidation or simply a restructure.

domain upgrade The process of installing an existing Windows NT domain structure and its users and groups intact into the Windows 2000 DNS-based domain hierarchy. A domain upgrade is also known as an in-place upgrade or simply an upgrade.

dynamic update An updated specification to the Domain Name System (DNS) standard that permits hosts that store name information in the DNS to dynamically register and update their records in zones maintained by DNS servers that can accept and process dynamic update messages.


explicit one-way nontransitive trust A type of trust relationship in which only one of the two domains trusts the other domain. For example, domain A trusts domain B, and domain B does not trust domain A. All one-way trusts are nontransitive.


fault tolerance The ability of a computer or operating system to ensure data integrity when a hardware failure occurs.

file A collection of information that has been given a name and is stored on a disk. This information can be a document or a program.

firewall A combination of hardware and software that enforces a security policy on traffic between networks, usually to prevent unauthorized access from outside to an internal network or intranet. A firewall inspects communication between the internal network and external computers and passes only what the policy permits; it may do so by filtering packets, by requiring connections to pass through a proxy server that examines the traffic before relaying it, or both. A firewall is also called a security-edge gateway.

folder A grouping of files or other folders, graphically represented by a folder icon, in both Windows 2000 and Macintosh environments. A folder represents a PC's file system directory.

forest A collection of one or more Windows 2000 domains that share a common schema, configuration, and global catalog and are linked with two-way transitive trusts.

forest model A representation of the forest structure for an organization.

forest plan A group of planning documents that represent the Active Directory forest structure, which includes a forest model and a schema modification plan. To design a forest model, you assess an organization's forest needs and determine the number of forests it requires. To design a schema modification plan, you create a schema modification policy, assess an organization's schema needs, and determine whether to modify the schema.

forest root domain The first domain created in an Active Directory forest. After the forest root domain has been created, you cannot create a new forest root domain, a parent for the existing forest root domain, or rename the forest root domain.

forward lookup In the Domain Name System (DNS), a query process in which the friendly DNS domain name of a host computer is searched to find its Internet Protocol (IP) address.

FQDN See fully qualified domain name.

fully qualified domain name (FQDN) A DNS domain name that has been stated unambiguously so as to indicate with absolute certainty its location in the domain namespace tree. Fully qualified domain names differ from relative names in that they are typically stated with a trailing period (.), for example, "", to qualify their position to the root of the namespace.

full zone transfer (AXFR) The standard query type supported by all Domain Name System (DNS) servers to update and synchronize zone data when the zone has been changed. When a DNS query is made using AXFR as the specified query type, the entire zone is transferred as the response.


geographical structure A representation of the physical locations of the functions, divisions, departments, or positions within an organization. It reflects how an organization is structured geographically—at a regional, national, or international level.

global catalog A domain controller that contains a partial replica of every domain in Active Directory. A global catalog holds a replica of every object in Active Directory, but with a limited number of each object's attributes. The global catalog stores those attributes most frequently used in search operations (such as a user's first and last names) and those attributes required to locate a full replica of the object. The Active Directory replication system builds the global catalog automatically. The attributes replicated into the global catalog include a base set defined by Microsoft. Administrators can specify additional properties to meet the needs of their installation.

global catalog server A Windows 2000 domain controller that holds a copy of the global catalog for the forest.

global group For Windows 2000 Server, a group that can be used in its own domain, in member servers and workstations of the domain, and in trusting domains. In all those places a global group can be granted rights and permissions and can become a member of local groups. However, a global group can contain user accounts only from its own domain. See also local group; group.

globally unique identifier (GUID) A 128-bit number that is guaranteed to be unique. GUIDs are assigned to objects when the objects are created. The GUID never changes, even if you move or rename the object. Applications can store the GUID of an object and use the GUID to retrieve that object regardless of its current DN.

GPO See group policy object.

group A collection of users, computers, contacts, and other groups. Groups can be used as a security mechanism or as e-mail distribution collections. Distribution groups are used only for e-mail. Security groups are used both to grant access to resources and as e-mail distribution lists. See also domain local group; global group; native mode; universal group.

group policy The Windows 2000 component that specifies the behavior of users' desktops, security settings, software installation, startup and shutdown scripts, folder redirections, and so on. A group policy object, which an administrator creates using the Group Policy snap-in, is the mechanism for configuring options that control these features.

group policy object (GPO) A collection of group policy settings. GPOs are essentially the documents created by the Group Policy snap-in. GPOs are stored at the domain level, and they affect users and computers contained in sites, domains, and organizational units. In addition, each Windows 2000 computer has exactly one group of settings stored locally, called the local GPO.

group scopes A categorization of groups that enables you to use groups in different ways to assign permissions. The scope of a group determines where in the network you are able to use the group to assign permissions to the group. The three group scopes are global, domain local, and universal.

GUID See globally unique identifier.


Hardware and Software Worksheet A worksheet that can be used to conduct an inventory of an organization's hardware and installed software and to compare the inventory with the list of hardware and software compatible with Windows 2000 Server.

hierarchical namespace A namespace, such as the DNS namespace and the Active Directory namespace, that is hierarchically structured and provides rules that allow the namespace to be partitioned.

host ID A number used to identify an interface on a physical network bounded by routers. The host ID should be unique to the network.

host name The name of a device on a network. For a device on a Windows NT or Windows 2000 network, this can be the same as the computer name, but it may not be. The host name must be in the Hosts file, or it must be known by a DNS server, for that host to be found by another computer attempting to communicate with it.

Host (A) resource record A resource record used in a forward lookup zone to map a host name to its IP address.


implicit two-way transitive trust A type of trust relationship in which both of the domains in the relationship trust each other. In a two-way trust relationship, each domain has established a one-way trust with the other domain. For example, domain A trusts domain B, and domain B trusts domain A. Two-way trusts can be transitive or nontransitive. All two-way trusts between Windows 2000 domains in the same domain tree or forest are transitive.
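The cross-link trust, explicit one-way nontransitive trust, and implicit two-way transitive trust entries can be checked against a small trust-path resolver. The following is an added example, not code from the original glossary or from Microsoft; the forest and the legacy NT domain it builds are constructed names. The rule it applies is the one the entries state: a chain of trusts may be followed only over transitive trusts, while a nontransitive trust is honoured only between the two domains that created it and is never extended to a third. Adding the shortcut trust shows the "optimize inter-domain authentication" claim as a drop in the number of hops.

```python
from collections import deque
from typing import Dict, List, Optional, Tuple


class TrustGraph:
    """Directed trust graph. An edge trusting -> trusted means accounts from `trusted`
    may be authenticated for resources in `trusting` (that is, "trusting trusts trusted")."""

    def __init__(self):
        self.edges: Dict[str, List[Tuple[str, bool]]] = {}

    def add_one_way(self, trusting: str, trusted: str, transitive: bool) -> None:
        self.edges.setdefault(trusting, []).append((trusted, transitive))
        self.edges.setdefault(trusted, [])

    def add_two_way(self, a: str, b: str, transitive: bool = True) -> None:
        self.add_one_way(a, b, transitive)
        self.add_one_way(b, a, transitive)

    def trust_path(self, resource_domain: str, account_domain: str) -> Optional[List[str]]:
        """Shortest chain of trusting -> trusted hops from the resource domain to the
        account's domain, or None if no usable chain exists. A nontransitive trust is
        honoured only when it is the whole path; multi-hop chains use transitive edges only."""
        if resource_domain == account_domain:
            return [resource_domain]
        for trusted, _transitive in self.edges.get(resource_domain, []):
            if trusted == account_domain:          # direct trust, transitive or not
                return [resource_domain, account_domain]
        queue = deque([[resource_domain]])
        seen = {resource_domain}
        while queue:                                # breadth-first search over transitive edges
            path = queue.popleft()
            for trusted, transitive in self.edges.get(path[-1], []):
                if not transitive or trusted in seen:
                    continue
                seen.add(trusted)
                if trusted == account_domain:
                    return path + [trusted]
                queue.append(path + [trusted])
        return None

    def hops(self, resource_domain: str, account_domain: str) -> Optional[int]:
        path = self.trust_path(resource_domain, account_domain)
        return None if path is None else len(path) - 1


def build_forest() -> TrustGraph:
    """Constructed example forest: a root, two child domains, one grandchild under
    each (parent-child trusts), plus a legacy NT domain reachable only through an
    explicit one-way nontransitive trust from one of the grandchildren."""
    g = TrustGraph()
    g.add_two_way("corp.example", "na.corp.example")
    g.add_two_way("corp.example", "eu.corp.example")
    g.add_two_way("na.corp.example", "sales.na.corp.example")
    g.add_two_way("eu.corp.example", "sales.eu.corp.example")
    g.add_one_way("sales.na.corp.example", "LEGACYNT", transitive=False)
    return g


if __name__ == "__main__":
    g = build_forest()
    print("before shortcut:", g.hops("sales.eu.corp.example", "sales.na.corp.example"))
    g.add_two_way("sales.eu.corp.example", "sales.na.corp.example")   # cross-link (shortcut) trust
    print("after shortcut: ", g.hops("sales.eu.corp.example", "sales.na.corp.example"))
    print("LEGACYNT accounts -> sales.na resources:", g.trust_path("sales.na.corp.example", "LEGACYNT"))
    print("LEGACYNT accounts -> na resources:      ", g.trust_path("na.corp.example", "LEGACYNT"))
```

Two of the printed results carry the security lesson: accounts from LEGACYNT reach resources in the one domain that explicitly trusts them and nowhere else in the forest, and the one-way trust gives LEGACYNT nothing in return, since no edge leaves it.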

incremental zone transfer (IXFR) An alternate query type that can be used by some Domain Name System (DNS) servers to update and synchronize zone data when a zone is changed. When IXFR is supported between DNS servers, servers can keep track of and transfer only the incremental resource record changes between each version of the zone.
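The DNS notify list, full zone transfer, and incremental zone transfer entries describe three parts of one exchange between a primary master and its secondaries. The following simulation is an added example, not code from the original glossary, from Microsoft or from any DNS implementation; the zone, records and addresses are constructed. It shows the serial being bumped only on a real change, a secondary treating a NOTIFY as a hint rather than trusting the serial it carries, IXFR answered from a bounded change history, and the fall back to a full AXFR-style answer when a secondary has fallen behind that history.

```python
from typing import Dict, List, Optional, Set, Tuple

Record = Tuple[str, str, str]                        # (owner name, type, rdata)
Delta = Tuple[int, int, Set[Record], Set[Record]]     # (old serial, new serial, deleted, added)


class PrimaryZone:
    """Primary master: the records, a bounded change history for IXFR, and the notify list."""

    def __init__(self, name: str, records, max_history: int = 10):
        self.name = name
        self.serial = 1
        self.records: Set[Record] = set(records)
        self.history: List[Delta] = []
        self.max_history = max_history
        self.notify_list: List[str] = []          # addresses of secondary masters

    def update(self, add=(), delete=()) -> List[Tuple[str, str, str, int]]:
        """Apply a change; bump the SOA serial only if something really changed.
        Returns the NOTIFY messages to send: (address, opcode, zone, new serial)."""
        deleted = set(delete) & self.records
        added = set(add) - self.records
        if not deleted and not added:
            return []
        self.records = (self.records - deleted) | added
        self.history.append((self.serial, self.serial + 1, deleted, added))
        self.history = self.history[-self.max_history:]   # forget old deltas
        self.serial += 1
        return [(addr, "NOTIFY", self.name, self.serial) for addr in self.notify_list]

    def soa_serial(self) -> int:
        return self.serial

    def ixfr(self, client_serial: int):
        """Answer an IXFR query: ('uptodate', serial, None), ('ixfr', serial, deltas) or,
        when the history no longer reaches the client's serial, the AXFR-style fallback
        ('axfr', serial, full record set)."""
        if client_serial >= self.serial:
            return "uptodate", self.serial, None
        deltas = [d for d in self.history if d[0] >= client_serial]
        if not deltas or deltas[0][0] != client_serial:
            return "axfr", self.serial, set(self.records)
        return "ixfr", self.serial, deltas


class SecondaryZone:
    def __init__(self, addr: str):
        self.addr = addr
        self.serial = 0                           # 0 = never transferred
        self.records: Set[Record] = set()

    def refresh(self, primary: PrimaryZone) -> str:
        kind, serial, payload = primary.ixfr(self.serial)
        if kind == "axfr":
            self.records = set(payload)
        elif kind == "ixfr":
            for _old, _new, deleted, added in payload:   # replay deltas in order
                self.records = (self.records - deleted) | added
        if kind != "uptodate":
            self.serial = serial
        return kind

    def on_notify(self, primary: PrimaryZone, msg) -> Optional[str]:
        """A NOTIFY is only a hint: the serial it carries could be spoofed, so ask the
        primary for its SOA serial and transfer only if our copy is older."""
        _addr, opcode, zone, _claimed_serial = msg
        if opcode != "NOTIFY" or zone != primary.name:
            return None
        if primary.soa_serial() <= self.serial:
            return "ignored"
        return self.refresh(primary)


def scenario() -> Dict[str, object]:
    """Constructed zone with two secondaries; returns the transfer kinds observed."""
    base = {("www.corp.example", "A", "10.0.0.10"), ("mail.corp.example", "A", "10.0.0.20"),
            ("corp.example", "MX", "10 mail.corp.example")}
    primary = PrimaryZone("corp.example", base, max_history=2)
    fast, slow = SecondaryZone("10.0.0.2"), SecondaryZone("10.0.0.3")
    primary.notify_list = [fast.addr, slow.addr]
    out: Dict[str, object] = {}
    out["initial"] = fast.refresh(primary)                 # no copy yet: full transfer
    out["slow_initial"] = slow.refresh(primary)
    msgs = primary.update(add={("ftp.corp.example", "A", "10.0.0.30")})
    out["notify_count"] = len(msgs)
    out["fast_after_one_change"] = fast.on_notify(primary, msgs[0])   # one delta: IXFR
    out["noop_change_notifies"] = len(primary.update(add={("ftp.corp.example", "A", "10.0.0.30")}))
    primary.update(add={("ftp2.corp.example", "A", "10.0.0.31")})      # slow secondary misses these
    primary.update(delete={("mail.corp.example", "A", "10.0.0.20")},
                   add={("mail.corp.example", "A", "10.0.0.21")})
    out["fast_catch_up"] = fast.refresh(primary)           # inside history window: IXFR
    out["slow_catch_up"] = slow.refresh(primary)           # history too short: AXFR fallback
    out["fast_again"] = fast.refresh(primary)              # nothing new
    out["stale_notify"] = slow.on_notify(primary, (slow.addr, "NOTIFY", primary.name, 99))
    out["serial"] = primary.serial
    out["consistent"] = fast.records == primary.records == slow.records
    return out


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```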

information flow The process by which the data arrives at its destination.

Information Flow Worksheet A worksheet that can be used to analyze the process by which data arrives at its destination in an organization.

information technology (IT) The application of technology to the management and processing of information.

infrastructure design A plan that represents an organization's network infrastructure. This plan is used to determine how to configure Active Directory to store information about objects on an organization's network and make the information available to users and network administrators.

infrastructure designers The key personnel involved in designing an Active Directory infrastructure.

infrastructure master The domain controller assigned to update group-to-user references whenever group memberships are changed and to replicate these changes to any other domain controllers in the domain. At any time, there can be only one infrastructure master in a particular domain.

in-place upgrade See domain upgrade.

Internet Protocol (IP) The messenger protocol of TCP/IP that is responsible for addressing and sending IP packets over the network. IP provides a best-effort, connectionless delivery system that does not guarantee that packets arrive at their destination or in the sequence in which they were sent.

intersite replication Replication traffic that occurs between sites.

intrasite replication Replication traffic that occurs within a site.

IP See Internet Protocol.

IP address A 32-bit address used to identify a node on an IP internetwork. Each node on the IP internetwork must be assigned a unique IP address, which is made up of a network identifier and a host identifier. This address is typically represented in dotted-decimal notation, with the decimal value of each octet separated by a period, for example, In Windows 2000, you can configure the IP address statically or dynamically through DHCP.

IT See information technology.

IT management organization The entity in an organization that is responsible for the management of the computing environment, usually performed by the IT, IS (information services) or MIS (management information services) department.

IT Management Organization Worksheet A worksheet that can be used to analyze an organization's IT management organization and the processes it employs.

IXFR See incremental zone transfer.


KCC See Knowledge Consistency Checker.

Kerberos V5 An Internet standard security protocol (IETF RFC 1510) for authenticating the identity of users and systems. A user's password is never sent across the network, encrypted or otherwise: the client proves that it knows a key derived from the password by encrypting a timestamp with it, and the Key Distribution Center (on a Windows 2000 domain controller) issues tickets that the client presents to services. Kerberos V5 also provides mutual authentication and delegation, and it is the default authentication protocol in a Windows 2000 domain.

Knowledge Consistency Checker (KCC) A built-in service that runs on all domain controllers and automatically establishes connections between individual machines in the same site. These are known as Windows 2000 Directory Service connection objects. An administrator may establish additional connection objects or remove connection objects. At any point where replication within a site becomes impossible or has a single point of failure, the KCC will step in and establish as many new connection objects as necessary to resume Active Directory replication.


LAN See local area network.

LDAP See Lightweight Directory Access Protocol.

Lightweight Directory Access Protocol (LDAP) The primary access protocol for Active Directory. LDAP version 3 is defined by a set of Proposed Standard documents from the Internet Engineering Task Force (IETF), beginning with RFC 2251.

local area network (LAN) A group of computers and other devices dispersed over a relatively limited area and connected by a communications link that allows one device to interact with any other on the network. See also wide area network.

local group For Windows NT Server, a group that can be granted permissions and rights only for the domain controllers of its own domain. However, it can contain user accounts and global groups both from its own domain and from trusted domains.

For Windows 2000 Professional and member servers running Windows 2000 Server, a group that is granted permissions and rights from its own computer to only those resources on its own computer on which the group resides. See also global group.

local group policy object A group policy object (GPO) stored on each computer whether the computer is part of an Active Directory environment or a networked environment. Local GPO settings can be overwritten by nonlocal GPOs and are the least influential if the computer is in an Active Directory environment. In a non-networked environment (or in a networked environment lacking a Windows 2000 domain controller), the local GPO's settings are more important because they are not overwritten by nonlocal GPOs.


management representatives panel Management-level personnel who are responsible for approving business decisions within an organization. The panel should contain a selected group of upper-level business unit managers. Management representatives must have the authority and ability to approve and support design decisions made by infrastructure designers at each stage of the design development process.

master domain In Windows NT, the domain that is trusted by all other domains on the network and acts as the central administrative unit for user and group accounts. See also resource domain.

master server An authoritative DNS server for a zone. Master servers can vary and will be one of two types (either primary or secondary masters), depending on how the server obtains its zone data.

member server A computer that runs Microsoft Windows 2000 Server but is not a domain controller of a Windows 2000 domain. A member server participates in a domain, but does not store a copy of the directory database. For a member server, permissions can be set on resources that allow users to connect to the server and use its resources. Resource permissions can be granted for domain global groups and users as well as for local groups and users. See also domain controller; global group; local group.

metadata Information about the properties of data, such as the type of data in a column (numeric, text, and so on) or the length of a column. Information about the structure of data. Information that specifies the design of objects such as cubes or dimensions.

Microsoft Directory Synchronization Services (MSDSS) A service included with Services for NetWare version 5 (SFNW5) to enable users of Novell directory services to implement synchronization with Windows 2000 Server.

Microsoft File Migration Utility A utility included with Services for NetWare version 5 (SFNW5) to enable users of Novell Bindery or NDS directory to migrate their file system to the Windows 2000 NTFS version 5 file system (NTFS5).

Microsoft Management Console (MMC) A framework for hosting administrative tools, called consoles. A console may contain tools, folders or other containers, World Wide Web pages, and other administrative items. These items are displayed in the left pane of the console, called a console tree. A console has one or more windows that can provide views of the console tree. The main MMC window provides commands and tools for authoring consoles. The authoring features of MMC and the console tree itself may be hidden when a console is in User mode.

Microsoft Metadirectory Services (MMS) Services that handle sophisticated directory management needs, including the need to synchronize more than two directory services, the need for business rule-based processing, or the need for join capabilities. MMS is available through a service engagement with trained providers.

migration The process of making existing applications and data work on a different computer or operating system.

mixed mode The default domain mode setting on Windows 2000 domain controllers. Mixed mode allows Windows NT and Windows 2000 backup domain controllers to coexist in a domain. Mixed mode does not support the universal and nested group enhancements of Windows 2000. The domain mode setting can be changed to Windows 2000 native mode when all Windows NT domain controllers are upgraded to Windows 2000 Server or removed from a domain. See also native mode.

MMC See Microsoft Management Console.

MMS See Microsoft Metadirectory Services.

MSDSS See Microsoft Directory Synchronization Services.

multimaster replication A replication model in which any domain controller accepts and replicates directory changes to any other domain controller. This differs from other replication models in which one computer stores the single modifiable copy of the directory and other computers store backup copies. See also domain controller; replication.


name resolution The process of translating a name into some object or information that the name represents. A telephone book forms a namespace in which the telephone numbers can be resolved to names of telephone subscribers. The Windows NT file system forms a namespace in which the name of a file can be resolved to the file itself. The Active Directory forms a namespace in which the name of an object in the directory can be resolved to the object itself. See also Domain Name System (DNS).

Name Server (NS) resource record A resource record used in a zone to designate the Domain Name System (DNS) domain names for authoritative DNS servers for the zone.

namespace A set of unique names for resources or items used in a shared computing environment. For Microsoft Management Console (MMC), the namespace is represented by the console tree, which displays all of the snap-ins and resources that are accessible to a console. For Domain Name System (DNS), namespace is the vertical or hierarchical structure of the domain name tree.

naming context A contiguous subtree of Active Directory that is replicated as a unit to other domain controllers in the forest that contain a replica of the same subtree. In Active Directory, a single server always holds at least three naming contexts: schema (class and attribute definitions for the directory), configuration (replication topology and related metadata), and domain (the subtree that contains the per-domain objects for one domain). The schema and configuration naming contexts are replicated to every domain controller in a specified forest. A domain naming context is replicated only to domain controllers for that domain. A naming context is also called a directory partition.

native mode The condition in which all domain controllers in the domain have been upgraded to Windows 2000 and an administrator has enabled native-mode operation (through the Active Directory Users And Computers administrative tool). See also mixed mode.

nested groups A Windows 2000 capability available only in native mode that allows the creation of groups within groups. See also universal group, global group, domain local group, forest.

nested OUs The creation of organizational units (OUs) within OUs.

NetWare Novell's network operating system.

Network Architecture Worksheet A worksheet that can be used to portray the physical environment of an organization's network.

network ID A number used to identify the systems that are located on the same physical network bounded by routers. The network ID should be unique to the internetwork.

noncontainer object An object that cannot logically contain other objects. For example, a file is a noncontainer object. See also container object; object.

nonlocal group policy object GPOs linked to Active Directory objects (sites, domains, or OUs) that can be applied to either users or computers. To use nonlocal GPOs, a Windows 2000 domain controller must be installed. Following the properties of Active Directory, nonlocal GPOs are applied hierarchically from the least restrictive group (site) to the most restrictive group (OU) and are cumulative.

nontransitive trust See explicit one-way nontransitive trust.


object An entity such as a file, folder, shared folder, printer, or Active Directory object described by a distinct, named set of attributes. For example, the attributes of a File object include its name, location, and size; the attributes of an Active Directory User object might include the user's first name, last name, and e-mail address. See also attribute, container object, noncontainer object, parent object, child object.

object attributes The characteristics of objects in the directory.

object class A logical grouping of objects.

object identifier A label that uniquely identifies an object class or attribute. An object identifier is represented as a dotted decimal string (for example, Object identifiers form a hierarchy with the root object identifier issued by the national registration authority responsible for issuing object identifiers. In the United States, this is the American National Standards Institute (ANSI). Organizations or individuals obtain a root object identifier from an issuing authority and use it to allocate additional object identifiers as they develop new classes and attributes. For example, Microsoft has been issued the root object identifier of 1.2.840.113556. Microsoft uses one of the branches from this root object identifier to allocate object identifiers for Active Directory classes and another branch for Active Directory attributes.

operations master role A domain controller that has been assigned one or more special roles in an Active Directory domain. The domain controllers assigned these roles perform operations that are single master (not permitted to occur at different places on the network at the same time). Examples of these operations include resource identifier allocation, schema modification, primary domain controller (PDC) election, and certain infrastructure changes. The domain controller that controls the particular operation owns the operations master role for that operation. The ownership of these operations master roles can be transferred to other domain controllers.

organizational unit (OU) An Active Directory container object used within a domain. An organizational unit is a logical container into which you can place users, groups, computers, and other organizational units. It can contain objects only from its parent domain. An organizational unit is the smallest scope to which you can apply a group policy or delegate authority.

organizational unit plan A group of planning documents that represent the Active Directory organizational unit structure, which includes defining an OU structure and then planning user accounts and groups.

OU See organizational unit.


parent-child trust An implicit, two-way transitive trust that is created automatically when a domain is added to the hierarchy.

parent domain For DNS, a domain that is located in the namespace tree directly above another derivative domain name (child domain). For example, "" is the parent domain for "," a child domain.

parent object The object in which another object resides. A parent object implies relation. For example, a folder is a parent object in which a file, or child object, resides. An object can be both a parent and a child object. For example, a subfolder that contains files is both the child of the parent folder and the parent folder of the files. See also child object; object.

partition A portion of a physical disk that functions as though it were a physically separate disk. Partitions can be created only on basic disks.

path A sequence of directory (or folder) names that specifies the location of a directory, file, or folder within the directory tree. Each directory name and filename within the path (except for the first) must be preceded by a backslash (\).

PDC See primary domain controller.

PDC emulator master A domain controller running Windows 2000 Server assigned to act as a Microsoft Windows NT 4 primary domain controller (PDC) to service network clients that do not have Active Directory client software installed and to replicate directory changes to any Windows NT backup domain controllers (BDCs) in the domain. For a Windows 2000 domain operating in native mode, the PDC emulator master receives preferential replication of password changes performed by other domain controllers in the domain and handles any password authentication requests that fail at the local domain controller. At any time, there can be only one PDC emulator in a particular domain.

peer Any of the devices on a layered communications network that operate on the same protocol level.

permission A rule associated with an object to regulate which users can gain access to the object and in what manner. See also object.

permissions inheritance A mechanism that allows a given access control entry (ACE) to be copied from the container where it was applied to all children of the container. Inheritance can be combined with delegation to grant administrative rights to a whole subtree of the directory in a single update operation.

Pointer (PTR) resource record A resource record used in a reverse lookup zone created within the domain to designate a reverse mapping of a host Internet Protocol (IP) address to a host Domain Name System (DNS) domain name.

policy The mechanism by which desktop settings are configured automatically, as defined by the administrator. Depending on context, this can refer to Windows 2000 group policy, Windows NT 4 system policy, or a specific setting in a group policy object.

preferred bridgehead server A computer with the appropriate bandwidth to transmit and receive information that you specify as a bridgehead server. See also bridgehead server.

preferred bridgehead server table A table used to plan preferred bridgehead servers that includes the names of the domain controllers to be preferred bridgehead servers for each site.

primary DNS server The authoritative server for a primary zone. A primary zone database file must be administered and maintained on the primary DNS server for the zone.

primary domain controller (PDC) In a Microsoft Windows NT Server 4 or earlier domain, the computer running Windows NT Server that authenticates domain logons and maintains the directory database for a domain. The PDC tracks changes made to accounts of all computers in a domain. It is the only computer to receive these changes directly. A domain has only one PDC. In Windows 2000, one of the domain controllers in each domain is identified as the PDC for compatibility with Windows NT 4 and earlier versions of Windows NT. See also backup domain controller.

primary zone database file The master zone database file. Changes to a zone, such as adding domains or hosts, are performed on the server that contains the primary zone database file.

pristine forest An ideal Windows 2000 forest that is isolated from the Windows NT production environment and operates in native mode. See also domain restructure.

production environment An organization's everyday computing environment.

Products and Customers Worksheet A worksheet that can be used to analyze an organization's products and customers.


query A request for retrieval, modification, or deletion of specific data.


RDN See relative distinguished name.

relative distinguished name (RDN) The part of an object's distinguished name that is an attribute of the object itself. For most objects this is the Common Name attribute. For security principals, the default common name is the security principal name, also referred to as the SAM account name. For the distinguished name CN=MyName,CN=Users,DC=Microsoft,DC=Com, the relative distinguished name of the "MyName" user object is "CN=MyName". The relative distinguished name of the parent object is "CN=Users".

relative ID master The domain controller assigned to allocate sequences of relative IDs to each domain controller in its domain. Whenever a domain controller creates a security principal (user, group, or computer object), the domain controller assigns the object a unique security ID. The security ID consists of a domain security ID that is the same for all security IDs created in a particular domain and a relative ID that is unique for each security ID created in the domain. At any time, there can be only one relative ID master in a particular domain.

replica In Active Directory replication, a copy of a logical Active Directory partition that is synchronized through replication between domain controllers that hold copies of the same directory partition. "Replica" can also refer to the composite set of directory partitions held by any one domain controller. These are specifically called a directory partition replica and server replica, respectively.

replication The process of copying data from a data store or file system to multiple computers to synchronize the data. Active Directory provides multimaster replication of the directory between domain controllers within a given domain. The replicas of the directory on each domain controller are writable. This allows updates to be applied to any replica of a given domain. The replication service automatically copies the changes from a given replica to all other replicas.

replication availability A schedule assigned to the site link that indicates when the link is available for replication.

replication frequency A value assigned to the site link that indicates the number of minutes Active Directory should wait before using a connection to check for replication updates.

replication topology A description of the physical connections between replicas and sites.

replication transport Provides the wire protocols required for data transfer during replication. Two default transports are supported in Windows 2000: Remote Procedure Call (RPC) over TCP/IP (referred to as "IP" in administrative tools) and Simple Mail Transfer Protocol (SMTP).

Request for Comments (RFC) An official document of the Internet Engineering Task Force (IETF) that specifies the details for protocols included in the TCP/IP family.

resource Any part of a computer system or a network, such as a disk drive, printer, or memory, that can be allotted to a program or a process while it is running or can be shared over a local area network.

resource domain In Windows NT, a trusting domain that establishes a one-way trust relationship with the master (account) domain, enabling users with accounts in the master domain to use resources in the resource domain. See also master domain.

resource record The standard database record used in a zone to associate Domain Name System (DNS) domain names to related data for a given type of network resource, such as a host Internet Protocol (IP) address. Most of the basic resource record types are defined in RFC 1035, but additional resource record types have been defined in other Requests for Comments (RFCs) and approved for use with DNS.

restructure See domain restructure.

reverse lookup In the Domain Name System (DNS), a query process by which the Internet Protocol (IP) address of a host computer is searched to find its friendly DNS domain name.

RFC See Request for Comments.

root domain The domain at the top of the hierarchy, represented as a period (.). The Internet root domain is managed by several organizations, including Network Solutions, Inc.


SAM See Security Accounts Manager.

schema A description of the object classes and attributes stored in Active Directory. For each object class, the schema defines what attributes an object class must have, what additional attributes it may have, and what object class can be its parent. Active Directory schema can be updated dynamically. For example, an application can extend the schema with new attributes and classes and use the extensions immediately. Schema updates are accomplished by creating or modifying the schema objects stored in Active Directory. Like every object in Active Directory, a schema object has an access control list so that only authorized users can alter the schema.

schema attribute object In Active Directory, a single property of an object. An object is described by the values of its attributes.

schema class object A distinct, named set of attributes that represents a concrete object, such as a user, a printer, or an application. The attributes hold data describing the item that is identified by the directory object. Attributes of a user might include the user's given name, surname, and e-mail address. The terms object class and class are used interchangeably. The attributes that can be used to describe an object are determined by the content rules. For each object class, the schema defines what attributes an instance of the class must have and what additional attributes it might have.

schema master The domain controller assigned to control all updates to the schema within a forest. At any time, there can be only one schema master in the forest.

schema modification plan A group of planning documents that include a schema modification policy and an assessment of an organization's schema needs.

schema modification policy A written plan created by an organization to administer schema modifications that affect the entire forest. The schema modification policy outlines who has control of the schema and how modifications are administered and should be created for each forest as part of the forest plan documents.

secondary DNS server A backup DNS server that receives the primary zone database files from the primary DNS server in a zone transfer.

secondary master An authoritative DNS server for a zone that is used as a source for replication of the zone to other servers. Secondary masters update their zone data only by transferring zone data from other DNS servers. They do not have the ability to perform zone updates.

secondary zone database file A read-only replica of an existing standard primary zone database file stored in a standard text file on a secondary DNS server.

second-level domain A domain name that is rooted hierarchically at the second tier of the domain namespace, directly beneath a top-level domain name such as ".com" or ".org". When the DNS is used on the Internet, second-level domains are names, such as "," that are registered and delegated to individual organizations and businesses according to their top-level classification. The organization then assumes further responsibility for managing and growing its name into additional subdomains.

Security Accounts Manager (SAM) A Microsoft Windows 2000 service used during the logon process. SAM maintains user account information, including the list of groups to which a user belongs.

security group A group that can be used to administer permissions for users and other domain objects.

security ID See security identifier.

security identifier (SID) A unique number that identifies a user, group, or computer account. Every account on your network is issued a unique SID when the account is first created. Internal processes in Windows 2000 refer to an account's SID rather than the account's user or group name. If you create an account, delete it, and then create an account with the same user name, the new account will not have the rights or permissions previously granted to the old account because the accounts have different SID numbers.

server A computer that provides shared resources to network users.

service A program, routine, or process that performs a specific system function to support other programs, particularly at a low (close to the hardware) level. When services are provided over a network, they can be published in Active Directory, facilitating service-centric administration and usage. Some examples of Windows 2000 services are Security Accounts Manager service, File Replication service, and Routing and Remote Access service.

Service (SRV) resource record A resource record used in a zone to register and locate well-known TCP/IP services. The SRV resource record is specified in RFC 2052 and is used in Microsoft Windows 2000 or later to locate domain controllers for Active Directory.

share To make resources, such as folders and printers, available to others.

shortcut trust See cross-link trust.

SID See security identifier.

Simple Mail Transfer Protocol (SMTP) A protocol used on the Internet to transfer mail reliably and efficiently. SMTP is independent of the particular transmission subsystem and requires only a reliable, ordered, data stream channel.

site One or more well-connected (highly reliable and fast) TCP/IP subnets. A site allows administrators to configure Active Directory access and replication topology quickly and easily to take advantage of the physical network. When users log on, Active Directory clients locate Active Directory servers in the same site as the user. See also subnet; well-connected.

site link A link between two sites that allows replication to occur. Each site link contains the schedule that determines when replication can occur between the sites that it connects. See also site link cost; replication availability; replication frequency; replication transport.

site link bridge The linking of more than two sites for replication using the same transport. When site links are bridged, they are transitive; that is, all site links for a specific transport implicitly belong to a single site link bridge for that transport. A site link bridge is the equivalent of a disjoint network. All site links within the bridge can route transitively, but they do not route outside of the bridge.

site link bridge table A table used to plan site link transitivity disabling that includes the name of each site link bridge required and the name of the site links contained in the site link bridge.

site link cost A value assigned to the site link that indicates the cost of the connection in relation to the speed of the link. Higher costs are used for slow links, and lower costs are used for fast links.

site link table A table used to plan a site link configuration that includes the site link name, method of replication transport, site link cost, replication frequency, and replication availability for each site link.

site topology A logical representation of a physical network.

site topology plan A group of planning documents that represent the Active Directory site topology, which includes defining sites, placing domain controllers, defining a replication strategy, and placing global catalog servers and operations masters within a forest.

smart card A credit card-sized device that is used with a personal identification number (PIN) to enable certificate-based authentication and single sign-on to the enterprise. Smart cards securely store certificates, public and private keys, passwords, and other types of personal information. A smart card reader attached to the computer reads the smart card. See also authentication.

SMTP See Simple Mail Transfer Protocol.

soft skills The ability to understand people and to communicate and collaborate with them in a diplomatic fashion.

staff representatives panel A panel containing an exemplary staff member from each business unit or department within an organization that provides feedback in the design process.

standalone server A computer that runs Microsoft Windows 2000 Server but does not participate in a domain. A standalone server has only its own database of users, and it processes logon requests by itself. It does not share account information with any other computer and cannot provide access to domain accounts.

Start of Authority (SOA) resource record A record that indicates the starting point or original point of authority for information stored in a zone. The SOA resource record is the first resource record created when adding a new zone. It also contains several parameters used by other computers that use the Domain Name System (DNS) to determine how long they will use information for the zone and how often updates are required.

structural class The only type of schema class object that can have instances in the directory. A structural class can be derived from either an abstract class or another structural class.

subdomain A DNS domain located directly beneath another domain (the parent domain) in the namespace tree. For example, "" is a subdomain of the domain "". A subdomain is also called a child domain.

subnet A portion of a network, which may be a physically independent network segment, that shares a network address with other portions of the network and is distinguished by a subnet number. A subnet is to a network what a network is to an internet.

subnet mask A 32-bit value expressed as four decimal numbers from 0 to 255, separated by periods (for example, This number allows TCP/IP to distinguish the network ID portion of the IP address from the host ID portion.


technical environment The manner in which an organization structures and manages its technical resources.

technical environment analysis document A document that describes the current state of each technical environment component. When complete, this document can be distributed to each member of the design team, providing a starting point for discussion and assessing future needs.

Technical Standards Worksheet A worksheet that can be used to analyze the conventions currently in place for the technical environment.

test environment An environment that is a simulation of an organization's production environment and allows for the testing of parts of its Windows 2000 deployment, such as its Active Directory infrastructure design, without risk to the organization's network.

top-level domain A domain that is rooted hierarchically at the first tier of the domain namespace directly beneath the root (.) of the DNS namespace. On the Internet, top-level domain names such as ".com" and ".org" are used to classify and assign second-level domain names (such as "") to individual organizations and businesses according to their organizational purpose.

topology In Windows, the relationships among a set of network components. In the context of Active Directory replication, topology refers to the set of connections that domain controllers use to replicate information among themselves. See also domain controller; replication.

transitive trust See implicit two-way transitive trust.

tree A set of Windows NT domains connected via a two-way transitive trust, sharing a common schema, configuration, and global catalog. The domains must form a contiguous hierarchical namespace such that, for example, is the root of the tree, is a child of, is a child of, and so on.

tree root domain The highest-level domain in a tree.

trust path A series of trust links from one domain to another, established for the purpose of passing authentication requests.

trust relationship A logical relationship established between domains to allow pass-through authentication, in which a trusting domain honors the logon authentications of a trusted domain. User accounts and global groups defined in a trusted domain can be given rights and permissions in a trusting domain, even though the user accounts or groups don't exist in the trusting domain's directory. See also implicit two-way transitive trust; explicit one-way nontransitive trust; authentication; domain.


Unicode A standard encoding scheme used for representing text-based data. Unicode uses 2 bytes (16 bits) to represent each character, which allows 65,536 possible unique characters to be assigned. This number of possible character values enables almost all of the written languages of the world to be represented using a single character set.

universal group A Windows 2000 group that is available only in native mode and valid anywhere in the forest. A universal group appears in the global catalog but contains primarily global groups from domains in the forest. This is the simplest type of group and can contain other universal groups, global groups, and users from anywhere in the forest. See also domain local group; forest; global catalog.

upgrade See domain upgrade.

UPN See user principal name.

user account A record that consists of all the information that defines a user in the Windows 2000 network, including the user name and password required for the user to log on, the groups in which the user account has membership, and the rights and permissions the user has for using the computer and network and accessing their resources. For Windows 2000 Professional and member servers, user accounts are managed with the Local Users And Groups console. For Windows 2000 Server domain controllers, user accounts are managed with the Active Directory Users And Computers console.

user principal name (UPN) A name consisting of a user account name (sometimes referred to as the user logon name) and a domain name identifying the domain in which the user account is located. This is the standard usage for logging on to a Windows 2000 domain. The format is (as in an e-mail address).


WAN See wide area network.

well-connected Sufficient connectivity to make your network and Active Directory useful to clients on your network. The precise meaning of well-connected is determined by your particular needs. See also site.

wide area network (WAN) The extension of a data network that uses telecommunication links to connect to geographically separated areas. See also local area network.

Windows 2000 Advanced Server A powerful departmental and application server that provides rich network operating system (NOS) and Internet services. Advanced Server supports large physical memories, clustering, and load balancing.

Windows 2000 Professional A high-performance, secure network client computer and corporate desktop operating system that includes the best features of Microsoft Windows 98, while significantly extending the manageability, reliability, security, and performance of Windows NT Workstation 4. Windows 2000 Professional can be used alone as a desktop operating system, networked in a peer-to-peer workgroup environment, or used as a workstation in a Windows 2000 Server domain environment.

Windows 2000 Server A file, print, and applications server, as well as a Web server platform that contains all of the features of Windows 2000 Professional plus many server-specific functions. This product is ideal for small to medium-sized enterprise application deployments, Web servers, workgroups, and branch offices.

Windows Internet Naming Service (WINS) A software service that dynamically maps computer names (NetBIOS names) to IP addresses. This allows users to access resources by name instead of requiring them to use IP addresses that are difficult to recognize and remember. WINS servers support clients running Windows NT 4 and earlier versions of Microsoft operating systems. Because NetBIOS name registration is not authenticated, a WINS server should be reachable only from the internal network and does not replace DNS for Windows 2000 clients. See also Domain Name System (DNS).

Windows NT Domain Architecture Worksheet A worksheet that can be used to analyze the organization's existing Windows NT domain architecture.

WINS See Windows Internet Naming Service.

workgroup A simple grouping of computers, intended only to help users find such resources as printers and shared folders within that group. Workgroups in Windows 2000 do not offer the centralized user accounts and authentication offered by domains.


zone In a DNS database, a zone is a contiguous portion of the DNS tree that is administered as a single separate entity by a DNS server. The zone contains resource records for all the names within the zone. See also domain; Domain Name System (DNS); DNS server.

zone database file The file where name-to-IP-address mappings for a zone are stored.

zone replication The synchronization of DNS data between DNS servers within a given zone.

zone transfer The process by which Domain Name System (DNS) servers interact to maintain and synchronize authoritative name data. When a DNS server is configured as a secondary master for a zone, it periodically queries another DNS server configured as its source for the zone. If the serial number in the source's SOA record is newer than the one in the secondary's copy, the secondary master server pulls zone data from its source DNS server to synchronize the zone. Because a zone transfer hands out every record in the zone, the source server should be configured to allow transfers only to its known secondary servers. See also full zone transfer; incremental zone transfer; zone.
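The refresh cycle described in this entry, as an added illustration that is not code from the training kit: a Python model of what a secondary master decides at each scheduled check, including the RFC 1982 serial comparison that keeps a serial which wraps past 2^32 from looking older than the secondary's copy. The SOA values, timestamps and domain name are constructed for the example.

```python
"""Refresh decision of a DNS secondary master, modelled on the zone-transfer
behaviour described above. Added illustration, not code from the training kit;
the record values and timestamps used with it are constructed for the example."""
from dataclasses import dataclass
from typing import Optional

SERIAL_MOD = 1 << 32   # SOA serials are 32-bit and wrap around
SERIAL_HALF = 1 << 31


@dataclass(frozen=True)
class Soa:
    """The SOA fields that drive secondary behaviour (RFC 1035)."""
    mname: str      # primary master for the zone
    serial: int     # version number of the zone data
    refresh: int    # seconds between checks of the source's serial
    retry: int      # seconds before re-trying after a failed check
    expire: int     # seconds after the last good check before the copy is discarded


def serial_newer(candidate: int, current: int) -> bool:
    """RFC 1982 serial-number comparison: is `candidate` newer than `current`?

    Plain integer comparison breaks when a serial wraps past 2**32 - 1;
    serial arithmetic treats a forward distance of less than 2**31 as "ahead".
    """
    candidate %= SERIAL_MOD
    current %= SERIAL_MOD
    if candidate == current:
        return False
    return (candidate - current) % SERIAL_MOD < SERIAL_HALF


def refresh_action(local: Optional[Soa], source_serial: Optional[int],
                   now: int, last_good_check: int) -> str:
    """Decide what the secondary should do at a scheduled check.

    local           -- the secondary's current SOA, or None if the zone was never loaded
    source_serial   -- serial advertised by the source, or None if the query failed
    now, last_good_check -- seconds since epoch (constructed values in the example)
    """
    if local is None:
        # No copy yet: nothing to compare against, so pull the whole zone.
        return "axfr"
    if source_serial is None:
        # Source unreachable: keep answering until EXPIRE elapses, then stop.
        if now - last_good_check >= local.expire:
            return "expire"
        return "retry"
    if serial_newer(source_serial, local.serial):
        # Source is ahead: ask for an incremental transfer (the source may
        # still answer with a full transfer if it keeps no change history).
        return "ixfr"
    if source_serial % SERIAL_MOD == local.serial % SERIAL_MOD:
        return "up-to-date"
    # Source advertises an older serial than ours: never regress the zone.
    return "stale-source"


def next_check_delay(local: Soa, succeeded: bool) -> int:
    """Seconds until the next serial check: REFRESH after success, RETRY after failure."""
    return local.refresh if succeeded else local.retry


if __name__ == "__main__":
    # Constructed SOA for a zone hosted on a hypothetical domain controller.
    local = Soa("dc1.example.test.", 2001010101, 3600, 600, 86400)
    for src in (2001010102, 2001010101, 2001010100, None):
        print(src, "->", refresh_action(local, src, now=1000, last_good_check=0))
```

The "stale-source" branch is the case an administrator meets when a zone's serial has been set backwards on the primary: the secondaries keep their newer copy and stop pulling until the primary's serial passes theirs again, which is why serial changes should only ever move forward.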

MCSE Training Kit Exam 70-219(c) Designing a Microsoft Windows 2000 Directory Services Infrastructure
MCSE Designing a Microsoft Windows 2000 Directory Services Infrastructure Readiness Review; Exam 70-219 (Pro-Certification)
ISBN: 0735613648
Year: 2001